Merge "Add SSL support to the Ironic API"

2015-11-25 10:25:00 +00:00 · 2015-11-25 10:25:00 +00:00 · 506fd793ba
parent 8f6add2843 564f5f7cd7
commit 506fd793ba
6 changed files with 56 additions and 4 deletions
--- a/etc/ironic/ironic.conf.sample
+++ b/etc/ironic/ironic.conf.sample
@ -504,6 +504,14 @@
 # (integer value)
 #api_workers=<None>

+# Enable the integrated stand-alone API to service requests
+# via HTTPS instead of HTTP. If there is a front-end service
+# performing HTTPS offloading from the service, this option
+# should be False; note, you will want to change public API
+# endpoint to represent SSL termination URL with
+# 'public_endpoint' option. (boolean value)
+#enable_ssl_api=false
+

 [cimc]

@ -1897,6 +1905,27 @@
 #get_vm_name_retry_interval=3


+[ssl]
+
+#
+# Options defined in oslo.service.sslutils
+#
+
+# CA certificate file to use to verify connecting clients.
+# (string value)
+#ca_file=<None>
+
+# Certificate file to use when starting the server securely.
+# (string value)
+#cert_file=<None>
+
+# Private key file to use when starting the server securely.
+# (string value)
+#key_file=<None>
+
+
+
+
 [swift]

 #
--- a/ironic/api/init.py
+++ b/ironic/api/init.py
@ -41,6 +41,14 @@ API_SERVICE_OPTS = [
                      'The default is equal to the number of CPUs available '
                      'if that can be determined, else a default worker '
                      'count of 1 is returned.')),
+    cfg.BoolOpt('enable_ssl_api',
+                default=False,
+                help=_("Enable the integrated stand-alone API to service "
+                       "requests via HTTPS instead of HTTP. If there is a "
+                       "front-end service performing HTTPS offloading from "
+                       "the service, this option should be False; note, you "
+                       "will want to change public API endpoint to represent "
+                       "SSL termination URL with 'public_endpoint' option.")),
 ]

 CONF = cfg.CONF
--- a/ironic/cmd/api.py
+++ b/ironic/cmd/api.py
@ -36,7 +36,7 @@ def main():

    # Build and start the WSGI app
    launcher = ironic_service.process_launcher()
-    server = ironic_service.WSGIService('ironic_api')
+    server = ironic_service.WSGIService('ironic_api', CONF.api.enable_ssl_api)
    launcher.launch_service(server, workers=server.workers)
    launcher.wait()

--- a/ironic/common/service.py
+++ b/ironic/common/service.py
@ -150,10 +150,11 @@ def process_launcher():
 class WSGIService(service.ServiceBase):
    """Provides ability to launch ironic API from wsgi app."""

-    def __init__(self, name):
+    def __init__(self, name, use_ssl=False):
        """Initialize, but do not start the WSGI server.

        :param name: The name of the WSGI server given to the loader.
+        :param use_ssl: Wraps the socket in an SSL context if True.
        :returns: None
        """
        self.name = name
@ -167,7 +168,8 @@ class WSGIService(service.ServiceBase):

        self.server = wsgi.Server(CONF, name, self.app,
                                  host=CONF.api.host_ip,
-                                  port=CONF.api.port)
+                                  port=CONF.api.port,
+                                  use_ssl=use_ssl)

    def start(self):
        """Start serving this service using loaded configuration.
--- a/ironic/tests/unit/common/test_service.py
+++ b/ironic/tests/unit/common/test_service.py
@ -12,11 +12,14 @@

 import mock
 from oslo_concurrency import processutils
+from oslo_config import cfg

 from ironic.common import exception
 from ironic.common import service
 from ironic.tests import base

+CONF = cfg.CONF
+

 class TestWSGIService(base.TestCase):

@ -60,3 +63,13 @@ class TestWSGIService(base.TestCase):
                          service.WSGIService,
                          'ironic_api')
        self.assertFalse(wsgi_server.called)
+
+    @mock.patch.object(service.wsgi, 'Server')
+    def test_wsgi_service_with_ssl_enabled(self, wsgi_server):
+        self.config(enable_ssl_api=True, group='api')
+        srv = service.WSGIService('ironic_api', CONF.api.enable_ssl_api)
+        wsgi_server.assert_called_once_with(CONF, 'ironic_api',
+                                            srv.app,
+                                            host='0.0.0.0',
+                                            port=6385,
+                                            use_ssl=True)
--- a/tools/config/oslo.config.generator.rc
+++ b/tools/config/oslo.config.generator.rc
@ -1,2 +1,2 @@
-export IRONIC_CONFIG_GENERATOR_EXTRA_LIBRARIES='oslo.db oslo.messaging oslo.middleware.cors keystonemiddleware.auth_token oslo.concurrency oslo.policy oslo.log oslo.service.service oslo.service.periodic_task'
+export IRONIC_CONFIG_GENERATOR_EXTRA_LIBRARIES='oslo.db oslo.messaging oslo.middleware.cors keystonemiddleware.auth_token oslo.concurrency oslo.policy oslo.log oslo.service.service oslo.service.periodic_task oslo.service.sslutils'
 export IRONIC_CONFIG_GENERATOR_EXTRA_MODULES=