From c8ada707470897a8e9178191c075f8f662633126 Mon Sep 17 00:00:00 2001
From: zhangmeng
Date: Tue, 25 Feb 2020 13:35:51 +0800
Subject: [PATCH] Add support for encrypting cinder api.

Change-Id: I4673f436d8943e6fce7e579446c27ec8215b7346
---
 ansible/roles/cinder/defaults/main.yml | 7 +++++++
 .../roles/cinder/templates/cinder-api.json.j2 | 16 ++++++++++++++--
 .../roles/cinder/templates/cinder-wsgi.conf.j2 | 12 ++++++++++++
 ...ackend-haproxy-keystone-fb96285d74fb464c.yaml | 6 +++---
 4 files changed, 36 insertions(+), 5 deletions(-)

diff --git a/ansible/roles/cinder/defaults/main.yml b/ansible/roles/cinder/defaults/main.yml
index 8723f58ab2..703272c040 100644
--- a/ansible/roles/cinder/defaults/main.yml
+++ b/ansible/roles/cinder/defaults/main.yml
@@ -16,12 +16,14 @@ cinder_services:
 external: false
 port: "{{ cinder_api_port }}"
 listen_port: "{{ cinder_api_listen_port }}"
+ tls_backend: "{{ cinder_enable_tls_backend }}"
 cinder_api_external:
 enabled: "{{ enable_cinder }}"
 mode: "http"
 external: true
 port: "{{ cinder_api_port }}"
 listen_port: "{{ cinder_api_listen_port }}"
+ tls_backend: "{{ cinder_enable_tls_backend }}"
 cinder-scheduler:
 container_name: cinder_scheduler
 group: cinder-scheduler
@@ -233,3 +235,8 @@ cinder_ks_users:
 user: "{{ cinder_keystone_user }}"
 password: "{{ cinder_keystone_password }}"
 role: "admin"
+
+ ####################
+ # TLS
+ ####################
+ cinder_enable_tls_backend: "{{ kolla_enable_tls_backend }}"
diff --git a/ansible/roles/cinder/templates/cinder-api.json.j2 b/ansible/roles/cinder/templates/cinder-api.json.j2
index 54b557902c..bf79435c3f 100644
--- a/ansible/roles/cinder/templates/cinder-api.json.j2
+++ b/ansible/roles/cinder/templates/cinder-api.json.j2
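Review bot: The new `cinder_enable_tls_backend` default in the second hunk carries no comment, although it is the single switch that the first hunk wires into both HAProxy `cinder_api` entries as `tls_backend` and that the cinder-wsgi.conf.j2 change in this patch uses to turn on mod_ssl inside the container. An operator reading the defaults cannot see that one variable drives both ends of the backend connection. A one-line comment above it would close that gap, e.g. `# Inherits kolla_enable_tls_backend; enables TLS from HAProxy to cinder-api (tls_backend above) and mod_ssl in the cinder-api container.`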
@@ -20,8 +20,20 @@
 "dest": "/etc/cinder/{{ cinder_policy_file }}",
 "owner": "cinder",
 "perm": "0600"
- }{% endif %}
- ],
+ }{% endif %}{% if cinder_enable_tls_backend | bool %},
+ {
+ "source": "{{ container_config_directory }}/cinder-cert.pem",
+ "dest": "/etc/cinder/certs/cinder-cert.pem",
+ "owner": "cinder",
+ "perm": "0600"
+ },
+ {
+ "source": "{{ container_config_directory }}/cinder-key.pem",
+ "dest": "/etc/cinder/certs/cinder-key.pem",
+ "owner": "cinder",
+ "perm": "0600"
+ }
+ {% endif %}],
 "permissions": [
 {
 "path": "/var/lib/cinder",
diff --git a/ansible/roles/cinder/templates/cinder-wsgi.conf.j2 b/ansible/roles/cinder/templates/cinder-wsgi.conf.j2
index cc426028ab..2d98e73a7e 100644
--- a/ansible/roles/cinder/templates/cinder-wsgi.conf.j2
+++ b/ansible/roles/cinder/templates/cinder-wsgi.conf.j2
@@ -3,6 +3,13 @@
 {% else %}
 {% set python_path = '/var/lib/kolla/venv/lib/python' + distro_python_version + '/site-packages' %}
 {% endif %}
+{% if cinder_enable_tls_backend | bool %}
+{% if kolla_base_distro in ['centos'] %}
+LoadModule ssl_module /usr/lib64/httpd/modules/mod_ssl.so
+{% else %}
+LoadModule ssl_module /usr/lib/apache2/modules/mod_ssl.so
+{% endif %}
+{% endif %}
 Listen {{ api_interface_address | put_address_in_context('url') }}:{{ cinder_api_listen_port }}
 ServerSignature Off
@@ -25,4 +32,9 @@ LogLevel info
 ErrorLog /var/log/kolla/cinder/cinder-api.log
 LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b %D \"%{Referer}i\" \"%{User-Agent}i\"" logformat
 CustomLog /var/log/kolla/cinder/cinder-api-access.log logformat
+{% if cinder_enable_tls_backend | bool %}
+ SSLEngine On
+ SSLCertificateFile /etc/cinder/certs/cinder-cert.pem
+ SSLCertificateKeyFile /etc/cinder/certs/cinder-key.pem
+{% endif %}
diff --git a/releasenotes/notes/encrypt-backend-haproxy-keystone-fb96285d74fb464c.yaml b/releasenotes/notes/encrypt-backend-haproxy-keystone-fb96285d74fb464c.yaml
index 1b78072702..2a778e9e72 100644
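Review bot: The two new `config_files` entries read `cinder-cert.pem` and `cinder-key.pem` from `{{ container_config_directory }}`, but nothing in this patch stages those files there (the diffstat lists only the defaults, the two templates and a release note), so with `cinder_enable_tls_backend` true the container config would point at sources this change never creates. If a shared task elsewhere in the repository already copies the backend certificate and key for every service, say so in a comment on `cinder_enable_tls_backend` in defaults/main.yml; otherwise the copy task for the cert and key belongs in this change. The `0600`/`cinder` permissions on the private key are the right choice and should stay as written. The `config_files` list these entries extend opens before the hunk.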
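Review bot: `SSLEngine On` is enabled with only a certificate and key, and no `SSLProtocol` or `SSLCipherSuite` accompanies it, so the protocol versions and ciphers the backend will accept are whatever the distro's httpd build and any globally included ssl configuration happen to provide, and those differ between the centos and apache2 branches added in the first hunk of this file. Pinning them next to the certificate lines, e.g. `SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1` and `SSLHonorCipherOrder on` together with a `SSLCipherSuite` chosen by the deployment's policy, makes the backend's TLS posture explicit and identical across base distros; exposing them as role variables would let the cinder and keystone backend settings be kept in step. The `<VirtualHost>` block these lines sit in opens and closes outside the hunk, and the closing tag is not visible on this page.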
--- a/releasenotes/notes/encrypt-backend-haproxy-keystone-fb96285d74fb464c.yaml
+++ b/releasenotes/notes/encrypt-backend-haproxy-keystone-fb96285d74fb464c.yaml
@@ -2,6 +2,6 @@
 features:
 - |
 Added configuration options to enable backend TLS encryption from HAProxy
- to the Keystone service. When used in conjunction with enabling TLS for
- service API endpoints, network communcation will be encrypted end to end,
- from client through HAProxy to the Keystone service.
+ to the Keystone and cinder service. When used in conjunction with enabling
+ TLS for service API endpoints, network communcation will be encrypted end
+ to end, from client through HAProxy to the backend service.