
Enable TLS by default

This enables TLS by default in the undercloud. This is done by setting
the generate_service_certificate option to True by default, although
the deployer can turn it off if needed.

Change-Id: Id329081c06343373309d6880d464ba99aba0c7be
tags/9.0.0
Juan Antonio Osorio Robles 1 year ago
parent
commit
41f2694d13

+ 18
- 12
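--- a/instack_undercloud/tests/test_undercloud.py
+++ b/instack_undercloud/tests/test_undercloud.py
@@ -213,10 +213,10 @@ class TestUndercloud(BaseTestCase):
     def test_extract_from_stackrc(self):
         with open(os.path.expanduser('~/stackrc'), 'w') as f:
             f.write('OS_USERNAME=aturing\n')
-            f.write('OS_AUTH_URL=http://bletchley:5000/\n')
+            f.write('OS_AUTH_URL=https://bletchley:5000/\n')
         self.assertEqual('aturing',
                          undercloud._extract_from_stackrc('OS_USERNAME'))
-        self.assertEqual('http://bletchley:5000/',
+        self.assertEqual('https://bletchley:5000/',
                          undercloud._extract_from_stackrc('OS_AUTH_URL'))
 
     @mock.patch('instack_undercloud.undercloud._check_hostname')
@@ -589,14 +589,14 @@ class TestGenerateEnvironment(BaseTestCase):
                          if k.startswith('UNDERCLOUD_ENDPOINT')}
         self.assertEqual(90, len(endpoint_vars))
         # Spot check one service
-        self.assertEqual('http://192.168.24.1:5000',
+        self.assertEqual('https://192.168.24.2:13000',
                          env['UNDERCLOUD_ENDPOINT_KEYSTONE_PUBLIC'])
-        self.assertEqual('http://192.168.24.1:5000',
+        self.assertEqual('http://192.168.24.3:5000',
                          env['UNDERCLOUD_ENDPOINT_KEYSTONE_INTERNAL'])
-        self.assertEqual('http://192.168.24.1:35357',
+        self.assertEqual('http://192.168.24.3:35357',
                          env['UNDERCLOUD_ENDPOINT_KEYSTONE_ADMIN'])
         # Also check that the tenant id part is preserved
-        self.assertEqual('http://192.168.24.1:8080/v1/AUTH_%(tenant_id)s',
+        self.assertEqual('https://192.168.24.2:13808/v1/AUTH_%(tenant_id)s',
                          env['UNDERCLOUD_ENDPOINT_SWIFT_PUBLIC'])
 
     def test_generate_endpoints_ssl_manual(self):
@@ -615,18 +615,18 @@ class TestGenerateEnvironment(BaseTestCase):
         self.assertEqual('https://192.168.24.2:13808/v1/AUTH_%(tenant_id)s',
                          env['UNDERCLOUD_ENDPOINT_SWIFT_PUBLIC'])
 
-    def test_generate_endpoints_ssl_auto(self):
-        self.conf.config(generate_service_certificate=True)
+    def test_generate_endpoints_ssl_off(self):
+        self.conf.config(generate_service_certificate=False)
         env = undercloud._generate_environment('.')
         # Spot check one service
-        self.assertEqual('https://192.168.24.2:13000',
+        self.assertEqual('http://192.168.24.1:5000',
                          env['UNDERCLOUD_ENDPOINT_KEYSTONE_PUBLIC'])
-        self.assertEqual('http://192.168.24.3:5000',
+        self.assertEqual('http://192.168.24.1:5000',
                          env['UNDERCLOUD_ENDPOINT_KEYSTONE_INTERNAL'])
-        self.assertEqual('http://192.168.24.3:35357',
+        self.assertEqual('http://192.168.24.1:35357',
                          env['UNDERCLOUD_ENDPOINT_KEYSTONE_ADMIN'])
         # Also check that the tenant id part is preserved
-        self.assertEqual('https://192.168.24.2:13808/v1/AUTH_%(tenant_id)s',
+        self.assertEqual('http://192.168.24.1:8080/v1/AUTH_%(tenant_id)s',
                          env['UNDERCLOUD_ENDPOINT_SWIFT_PUBLIC'])
 
     def test_absolute_cert_path(self):
@@ -650,6 +650,12 @@ class TestGenerateEnvironment(BaseTestCase):
             os.chdir(cur_dir)
 
     def test_no_cert_path(self):
+        env = undercloud._generate_environment('.')
+        self.assertEqual('/etc/pki/tls/certs/undercloud-192.168.24.2.pem',
+                         env['UNDERCLOUD_SERVICE_CERTIFICATE'])
+
+    def test_no_ssl(self):
+        self.conf.config(generate_service_certificate=False)
         env = undercloud._generate_environment('.')
         self.assertEqual('', env['UNDERCLOUD_SERVICE_CERTIFICATE'])
 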

+ 1
- 1
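--- a/instack_undercloud/undercloud.py
+++ b/instack_undercloud/undercloud.py
@@ -210,7 +210,7 @@ _opts = [
                      'OpenStack API endpoints, leaving it unset disables SSL.')
                ),
     cfg.BoolOpt('generate_service_certificate',
-                default=False,
+                default=True,
                 help=('When set to True, an SSL certificate will be generated '
                       'as part of the undercloud install and this certificate '
                       'will be used in place of the value for '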

+ 5
- 0
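--- a/releasenotes/notes/TLS-by-default-bc12660c12ba7ab1.yaml
+++ b/releasenotes/notes/TLS-by-default-bc12660c12ba7ab1.yaml
@@ -0,0 +1,5 @@
+---
+security:
+  - |
+    TLS is now used by default for the public endpoints. This is done through
+    the generate_service_certificates option, which now defaults to 'True'.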

+ 1
- 1
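--- a/undercloud.conf.sample
+++ b/undercloud.conf.sample
@@ -81,7 +81,7 @@
 # /etc/pki/tls/certs/undercloud-[undercloud_public_host].pem.  This
 # certificate is signed by CA selected by the
 # "certificate_generation_ca" option. (boolean value)
-#generate_service_certificate = false
+#generate_service_certificate = true
 
 # The certmonger nickname of the CA from which the certificate will be
 # requested. This is used only if the generate_service_certificate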
