Add support for encrypting cinder api.

Change-Id: I4673f436d8943e6fce7e579446c27ec8215b7346
2020-02-25 13:35:51 +08:00 · 2020-02-25 13:35:51 +08:00 · c8ada70747
commit c8ada70747
parent 4d155d69cd
4 changed files with 36 additions and 5 deletions
--- a/ansible/roles/cinder/defaults/main.yml
+++ b/ansible/roles/cinder/defaults/main.yml
@ -16,12 +16,14 @@ cinder_services:
        external: false
        port: "{{ cinder_api_port }}"
        listen_port: "{{ cinder_api_listen_port }}"
+        tls_backend: "{{ cinder_enable_tls_backend }}"
      cinder_api_external:
        enabled: "{{ enable_cinder }}"
        mode: "http"
        external: true
        port: "{{ cinder_api_port }}"
        listen_port: "{{ cinder_api_listen_port }}"
+        tls_backend: "{{ cinder_enable_tls_backend }}"
  cinder-scheduler:
    container_name: cinder_scheduler
    group: cinder-scheduler
@ -233,3 +235,8 @@ cinder_ks_users:
    user: "{{ cinder_keystone_user }}"
    password: "{{ cinder_keystone_password }}"
    role: "admin"
+
+####################
+# TLS
+####################
+cinder_enable_tls_backend: "{{ kolla_enable_tls_backend }}"
--- a/ansible/roles/cinder/templates/cinder-api.json.j2
+++ b/ansible/roles/cinder/templates/cinder-api.json.j2
@ -20,8 +20,20 @@
            "dest": "/etc/cinder/{{ cinder_policy_file }}",
            "owner": "cinder",
            "perm": "0600"
-        }{% endif %}
-    ],
+        }{% endif %}{% if cinder_enable_tls_backend | bool %},
+        {
+            "source": "{{ container_config_directory }}/cinder-cert.pem",
+            "dest": "/etc/cinder/certs/cinder-cert.pem",
+            "owner": "cinder",
+            "perm": "0600"
+        },
+        {
+            "source": "{{ container_config_directory }}/cinder-key.pem",
+            "dest": "/etc/cinder/certs/cinder-key.pem",
+            "owner": "cinder",
+            "perm": "0600"
+        }
+    {% endif %}],
    "permissions": [
        {
            "path": "/var/lib/cinder",
--- a/ansible/roles/cinder/templates/cinder-wsgi.conf.j2
+++ b/ansible/roles/cinder/templates/cinder-wsgi.conf.j2
@ -3,6 +3,13 @@
 {% else %}
    {% set python_path = '/var/lib/kolla/venv/lib/python' + distro_python_version + '/site-packages' %}
 {% endif %}
+{% if cinder_enable_tls_backend | bool %}
+{% if kolla_base_distro in ['centos']  %}
+LoadModule ssl_module /usr/lib64/httpd/modules/mod_ssl.so
+{% else %}
+LoadModule ssl_module /usr/lib/apache2/modules/mod_ssl.so
+{% endif %}
+{% endif %}
 Listen {{ api_interface_address | put_address_in_context('url') }}:{{ cinder_api_listen_port }}

 ServerSignature Off
@ -25,4 +32,9 @@ LogLevel info
    ErrorLog /var/log/kolla/cinder/cinder-api.log
    LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b %D \"%{Referer}i\" \"%{User-Agent}i\"" logformat
    CustomLog /var/log/kolla/cinder/cinder-api-access.log logformat
+{% if cinder_enable_tls_backend | bool %}
+    SSLEngine On
+    SSLCertificateFile /etc/cinder/certs/cinder-cert.pem
+    SSLCertificateKeyFile /etc/cinder/certs/cinder-key.pem
+{% endif %}
 </VirtualHost>
--- a/releasenotes/notes/encrypt-backend-haproxy-keystone-fb96285d74fb464c.yaml
+++ b/releasenotes/notes/encrypt-backend-haproxy-keystone-fb96285d74fb464c.yaml
@ -2,6 +2,6 @@
 features:
  - |
    Added configuration options to enable backend TLS encryption from HAProxy
-    to the Keystone service. When used in conjunction with enabling TLS for
-    service API endpoints, network communcation will be encrypted end to end,
-    from client through HAProxy to the Keystone service.
+    to the Keystone and cinder service. When used in conjunction with enabling
+    TLS for service API endpoints, network communcation will be encrypted end
+    to end, from client through HAProxy to the backend service.