diff --git a/ansible/roles/horizon/defaults/main.yml b/ansible/roles/horizon/defaults/main.yml index 17c9d8f8a9..757d5e8e6b 100644 --- a/ansible/roles/horizon/defaults/main.yml +++ b/ansible/roles/horizon/defaults/main.yml @@ -47,6 +47,7 @@ horizon_services: listen_port: "{{ horizon_listen_port }}" backend_http_extra: - "balance source" + tls_backend: "{{ horizon_enable_tls_backend }}" horizon_redirect: enabled: "{{ enable_horizon|bool and kolla_enable_tls_internal|bool }}" mode: "redirect" @@ -61,6 +62,7 @@ horizon_services: listen_port: "{{ horizon_listen_port }}" backend_http_extra: - "balance source" + tls_backend: "{{ horizon_enable_tls_backend }}" horizon_external_redirect: enabled: "{{ enable_horizon|bool and kolla_enable_tls_external|bool }}" mode: "redirect" @@ -124,3 +126,8 @@ horizon_dev_mode: "{{ kolla_dev_mode }}" horizon_murano_dev_mode: "{{ kolla_dev_mode }}" horizon_source_version: "{{ kolla_source_version }}" horizon_murano_source_version: "{{ kolla_source_version }}" + +#################### +# TLS +#################### +horizon_enable_tls_backend: "{{ kolla_enable_tls_backend }}" diff --git a/ansible/roles/horizon/tasks/config.yml b/ansible/roles/horizon/tasks/config.yml index 9a49e329f9..051b1e38af 100644 --- a/ansible/roles/horizon/tasks/config.yml +++ b/ansible/roles/horizon/tasks/config.yml @@ -135,7 +135,7 @@ - include_tasks: copy-certs.yml when: - - kolla_copy_ca_into_containers | bool + - kolla_copy_ca_into_containers | bool or horizon_enable_tls_backend | bool - include_tasks: check-containers.yml when: kolla_action != "config" diff --git a/ansible/roles/horizon/templates/horizon.conf.j2 b/ansible/roles/horizon/templates/horizon.conf.j2 index 7c509676ab..b8f3763e0d 100644 --- a/ansible/roles/horizon/templates/horizon.conf.j2 +++ b/ansible/roles/horizon/templates/horizon.conf.j2 
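Review bot: The new `horizon_enable_tls_backend` default in the last hunk of defaults/main.yml has no comment, although flipping it changes what the role needs: the same change makes config.yml include copy-certs.yml, makes horizon.json.j2 expect `horizon-cert.pem` and `horizon-key.pem` in the container config directory, and turns on `SSLEngine` in the Apache template, while the value is also passed through as `tls_backend` on the two horizon service definitions above. I would put that above the variable, e.g. `# Terminate TLS in Apache inside the horizon container (requires horizon-cert.pem / horizon-key.pem to be provided; see copy-certs.yml) and mark the HAProxy backends as TLS.` Where the certificate and key files come from is not visible in this diff, so the copy-certs.yml reference should be checked before committing it. The same undocumented variable is added to placement/defaults/main.yml as `placement_enable_tls_backend`.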
@@ -1,5 +1,12 @@ {% set python_path = '/usr/share/openstack-dashboard' if horizon_install_type == 'binary' else '/var/lib/kolla/venv/lib/python' + distro_python_version + '/site-packages' %} +{% if horizon_enable_tls_backend | bool %} +{% if kolla_base_distro in ['centos'] %} +LoadModule ssl_module /usr/lib64/httpd/modules/mod_ssl.so +{% else %} +LoadModule ssl_module /usr/lib/apache2/modules/mod_ssl.so +{% endif %} +{% endif %} Listen {{ api_interface_address | put_address_in_context('url') }}:{{ horizon_listen_port }} ServerSignature Off @@ -35,6 +42,12 @@ TraceEnable off SetHandler None + +{% if horizon_enable_tls_backend | bool %} + SSLEngine On + SSLCertificateFile /etc/horizon/certs/horizon-cert.pem + SSLCertificateKeyFile /etc/horizon/certs/horizon-key.pem +{% endif %} {# FIXME(yoctozepto): enabling of either tls will break the other if not enabled too #} diff --git a/ansible/roles/horizon/templates/horizon.json.j2 b/ansible/roles/horizon/templates/horizon.json.j2 index 0446423f42..bc2eb6843e 100644 --- a/ansible/roles/horizon/templates/horizon.json.j2 +++ b/ansible/roles/horizon/templates/horizon.json.j2 @@ -29,6 +29,18 @@ "dest": "/etc/openstack-dashboard/custom_local_settings", "owner": "horizon", "perm": "0600" - } + }{% if horizon_enable_tls_backend | bool %}, + { + "source": "{{ container_config_directory }}/horizon-cert.pem", + "dest": "/etc/horizon/certs/horizon-cert.pem", + "owner": "horizon", + "perm": "0600" + }, + { + "source": "{{ container_config_directory }}/horizon-key.pem", + "dest": "/etc/horizon/certs/horizon-key.pem", + "owner": "horizon", + "perm": "0600" + }{% endif %} ] } diff --git a/ansible/roles/placement/defaults/main.yml b/ansible/roles/placement/defaults/main.yml index f7c47ef206..6cdf7fa4fb 100644 --- a/ansible/roles/placement/defaults/main.yml +++ b/ansible/roles/placement/defaults/main.yml 
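Review bot: The `LoadModule ssl_module` block selects the module path with `kolla_base_distro in ['centos']`, so any RHEL-family value other than `centos` would fall through to the Debian path `/usr/lib/apache2/modules/mod_ssl.so`; if this project allows other RHEL-family base distros, the branch should test the family rather than a single name. Loading mod_ssl explicitly here may also duplicate a distro-provided `LoadModule` for the same module (my recollection is that httpd warns and skips the second load rather than failing, but I cannot see the container's existing httpd configuration in this diff), so it is worth confirming on both base images. The identical construct is added to placement-api-wsgi.conf.j2.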
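Review bot: `SSLEngine On` is enabled with only a certificate and key, so protocol and cipher selection falls back to whatever mod_ssl defaults apply inside the container; this template loads mod_ssl itself and does not include the distro's ssl.conf, and the compiled-in httpd 2.4 default (`all -SSLv3`, as far as I know) still admits TLS 1.0 and 1.1. I would pin them next to the new directives, e.g. `SSLProtocol -all +TLSv1.2 +TLSv1.3` (dropping `+TLSv1.3` where the httpd/OpenSSL build lacks it) together with an explicit `SSLCipherSuite` and `SSLHonorCipherOrder on`. The same three directives are added to placement-api-wsgi.conf.j2 but spelled `SSLEngine on`; mod_ssl accepts either case, but the two templates should agree. Whether HAProxy verifies this backend certificate is decided in the haproxy templates, not here, and should be checked separately. The block these directives are inserted into (the one containing `SetHandler None`) opens outside the hunk.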
@@ -16,12 +16,14 @@ placement_services: external: false port: "{{ placement_api_port }}" listen_port: "{{ placement_api_listen_port }}" + tls_backend: "{{ placement_enable_tls_backend }}" placement_api_external: enabled: "{{ enable_placement }}" mode: "http" external: true port: "{{ placement_api_port }}" listen_port: "{{ placement_api_listen_port }}" + tls_backend: "{{ placement_enable_tls_backend }}" #################### # Database @@ -108,3 +110,8 @@ placement_ks_users: user: "{{ placement_keystone_user }}" password: "{{ placement_keystone_password }}" role: "admin" + +#################### +# TLS +#################### +placement_enable_tls_backend: "{{ kolla_enable_tls_backend }}" diff --git a/ansible/roles/placement/tasks/config.yml b/ansible/roles/placement/tasks/config.yml index 2f42c13c72..39d7be080b 100644 --- a/ansible/roles/placement/tasks/config.yml +++ b/ansible/roles/placement/tasks/config.yml @@ -33,7 +33,7 @@ - include_tasks: copy-certs.yml when: - - kolla_copy_ca_into_containers | bool + - kolla_copy_ca_into_containers | bool or placement_enable_tls_backend | bool - name: Copying over config.json files for services become: true diff --git a/ansible/roles/placement/templates/placement-api-wsgi.conf.j2 b/ansible/roles/placement/templates/placement-api-wsgi.conf.j2 index ee8261f277..26d68199cf 100644 --- a/ansible/roles/placement/templates/placement-api-wsgi.conf.j2 +++ b/ansible/roles/placement/templates/placement-api-wsgi.conf.j2 
@@ -5,7 +5,13 @@ {% set python_path = '/var/lib/kolla/venv/lib/python' + distro_python_version + '/site-packages' %} {% endif %} {% set wsgi_directory = '/usr/bin' if placement_install_type == 'binary' else '/var/lib/kolla/venv/bin' %} - +{% if placement_enable_tls_backend | bool %} +{% if kolla_base_distro in ['centos'] %} +LoadModule ssl_module /usr/lib64/httpd/modules/mod_ssl.so +{% else %} +LoadModule ssl_module /usr/lib/apache2/modules/mod_ssl.so +{% endif %} +{% endif %} Listen {{ api_interface_address | put_address_in_context('url') }}:{{ placement_api_listen_port }} ServerSignature Off @@ -33,4 +39,9 @@ LogLevel info Require all granted +{% if placement_enable_tls_backend | bool %} + SSLEngine on + SSLCertificateFile /etc/placement/certs/placement-cert.pem + SSLCertificateKeyFile /etc/placement/certs/placement-key.pem +{% endif %} diff --git a/ansible/roles/placement/templates/placement-api.json.j2 b/ansible/roles/placement/templates/placement-api.json.j2 index 7bec6e74e5..e489cec5af 100644 --- a/ansible/roles/placement/templates/placement-api.json.j2 +++ b/ansible/roles/placement/templates/placement-api.json.j2 @@ -26,7 +26,19 @@ "dest": "/etc/placement/migrate-db.rc", "owner": "placement", "perm": "0600" - } + }{% if placement_enable_tls_backend | bool %}, + { + "source": "{{ container_config_directory }}/placement-cert.pem", + "dest": "/etc/placement/certs/placement-cert.pem", + "owner": "placement", + "perm": "0600" + }, + { + "source": "{{ container_config_directory }}/placement-key.pem", + "dest": "/etc/placement/certs/placement-key.pem", + "owner": "placement", + "perm": "0600" + }{% endif %} ], "permissions": [ { diff --git a/releasenotes/notes/encrypt-backend-haproxy-fb96285d74fb464c.yaml b/releasenotes/notes/encrypt-backend-haproxy-fb96285d74fb464c.yaml index 7385b29302..bfe710a8b1 100644 --- a/releasenotes/notes/encrypt-backend-haproxy-fb96285d74fb464c.yaml +++ b/releasenotes/notes/encrypt-backend-haproxy-fb96285d74fb464c.yaml 
@@ -2,7 +2,7 @@ features: - | Added configuration options to enable backend TLS encryption from HAProxy - to the Keystone, Glance, Heat, and Cinder services. When used in - conjunction with enabling TLS for service API endpoints, network - communcation will be encrypted end to end, from client through HAProxy to - the backend service. + to the Keystone, Glance, Heat, Placement, Horizon, and Cinder services. + When used in conjunction with enabling TLS for service API endpoints, + network communcation will be encrypted end to end, from client through + HAProxy to the backend service.