Ingress: Add initial TLS Support for core service public endpoints

This PS adds support for TLS on overridden FQDNs for public
endpoints for core OpenStack Services. Currently this implementation
is limited, in that it does not provide support for dynamically loading
CAs into the containers, or specifying them manually via configuration.
As a result only well-known CAs, or CAs added manually to containers, will
be recognised.

Change-Id: I8f1b699af29cbed2d83ad91bb6840dccce8c5146
Depends-On: I535f38a8d92c01280d79926a1f0acd06984aabbf
Signed-off-by: Tin Lam <tin@irrational.io>
Signed-off-by: Pete Birley <pete@port.direct>
Pete Birley 2018-06-18 16:16:06 -05:00
parent 9cc33a87f2
commit e19be77f08
20 changed files with 730 additions and 1 deletions


@ -15,6 +15,6 @@ limitations under the License.
*/}}
{{- if and .Values.manifests.ingress_api .Values.network.api.ingress.public }}
{{- $ingressOpts := dict "envAll" . "backendServiceType" "key-manager" "backendPort" "b-api" -}}
{{- $ingressOpts := dict "envAll" . "backendServiceType" "key_manager" "backendPort" "b-api" -}}
{{ $ingressOpts | include "helm-toolkit.manifests.ingress" }}
{{- end }}


@ -0,0 +1,19 @@
{{/*
Copyright 2017-2018 The Openstack-Helm Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if .Values.manifests.secret_ingress_tls }}
{{- include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendServiceType" "key_manager" ) }}
{{- end }}


@ -438,6 +438,10 @@ secrets:
oslo_messaging:
admin: barbican-rabbitmq-admin
barbican: barbican-rabbitmq-user
tls:
key_manager:
api:
public: barbican-tls-public
endpoints:
cluster_domain_suffix: cluster.local
@ -569,6 +573,7 @@ manifests:
pdb_api: true
pod_test: true
secret_db: true
secret_ingress_tls: true
secret_keystone: true
secret_rabbitmq: true
service_ingress_api: true


@ -0,0 +1,19 @@
{{/*
Copyright 2017-2018 The Openstack-Helm Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if and .Values.manifests.secret_ingress_tls ( and .Values.deployment.ceph .Values.conf.features.rgw ) }}
{{- include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendServiceType" "object_store" ) }}
{{- end }}


@ -160,6 +160,10 @@ secrets:
admin: ceph-keystone-admin
swift: ceph-keystone-user
user_rgw: ceph-keystone-user-rgw
tls:
object_store:
api:
public: ceph-tls-public
network:
api:
@ -505,6 +509,13 @@ endpoints:
public: radosgw
host_fqdn_override:
default: null
# NOTE(portdirect): this chart supports TLS for fqdn over-ridden public
# endpoints using the following format:
# public:
# host: null
# tls:
# crt: null
# key: null
path:
default: /swift/v1/KEY_$(tenant_id)s
scheme:
@ -564,6 +575,7 @@ manifests:
job_namespace_client_key_cleaner: true
job_namespace_client_key: true
job_rbd_pool: true
secret_ingress_tls: true
secret_keystone_rgw: true
secret_keystone: true
service_ingress_rgw: true


@ -0,0 +1,19 @@
{{/*
Copyright 2017-2018 The Openstack-Helm Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if .Values.manifests.secret_ingress_tls }}
{{- include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendServiceType" "volume" ) }}
{{- end }}


@ -934,6 +934,10 @@ secrets:
oslo_messaging:
admin: cinder-rabbitmq-admin
cinder: cinder-rabbitmq-user
tls:
volume:
api:
public: cinder-tls-public
# We use a different layout of the endpoints here to account for versioning
# this swaps the service name and type, and should be rolled out to other
@ -1029,6 +1033,13 @@ endpoints:
public: cinder
host_fqdn_override:
default: null
# NOTE(portdirect): this chart supports TLS for fqdn over-ridden public
# endpoints using the following format:
# public:
# host: null
# tls:
# crt: null
# key: null
path:
default: '/v1/%(tenant_id)s'
scheme:
@ -1044,6 +1055,13 @@ endpoints:
public: cinder
host_fqdn_override:
default: null
# NOTE(portdirect): this chart supports TLS for fqdn over-ridden public
# endpoints using the following format:
# public:
# host: null
# tls:
# crt: null
# key: null
path:
default: '/v2/%(tenant_id)s'
scheme:
@ -1059,6 +1077,13 @@ endpoints:
public: cinder
host_fqdn_override:
default: null
# NOTE(portdirect): this chart supports TLS for fqdn over-ridden public
# endpoints using the following format:
# public:
# host: null
# tls:
# crt: null
# key: null
path:
default: '/v3/%(tenant_id)s'
scheme:
@ -1144,6 +1169,7 @@ manifests:
pod_rally_test: true
pvc_backup: true
secret_db: true
secret_ingress_tls: true
secret_keystone: true
secret_rabbitmq: true
service_api: true
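Review bot: The `NOTE(portdirect)` comment added under the `volumev2` and `volumev3` `host_fqdn_override` blocks advertises TLS for those endpoints, but the only TLS secret this chart renders is for `backendServiceType "volume"` and `secrets.tls` only declares `volume.api.public`, so `crt`/`key` placed under the v2/v3 blocks appear to be silently ignored unless something outside this commit consumes them. Either add matching `secrets.tls` entries and secret includes for `volumev2`/`volumev3`, or narrow the comment on those two blocks so it does not promise TLS material that nothing consumes. The same three-way endpoint layout is what the deployment script populates with identical cert material, which makes the gap easy to miss.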


@ -0,0 +1,19 @@
{{/*
Copyright 2017-2018 The Openstack-Helm Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if .Values.manifests.secret_ingress_tls }}
{{- include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendServiceType" "image" ) }}
{{- end }}


@ -441,6 +441,10 @@ secrets:
oslo_messaging:
admin: glance-rabbitmq-admin
glance: glance-rabbitmq-user
tls:
image:
api:
public: glance-tls-public
# typically overridden by environmental
@ -507,6 +511,13 @@ endpoints:
public: glance
host_fqdn_override:
default: null
# NOTE(portdirect): this chart supports TLS for fqdn over-ridden public
# endpoints using the following format:
# public:
# host: null
# tls:
# crt: null
# key: null
path:
default: null
scheme:
@ -781,6 +792,7 @@ manifests:
pod_rally_test: true
pvc_images: true
secret_db: true
secret_ingress_tls: true
secret_keystone: true
secret_rabbitmq: true
service_ingress_api: true


@ -0,0 +1,20 @@
{{/*
Copyright 2017-2018 The Openstack-Helm Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if .Values.manifests.secret_ingress_tls }}
{{ include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendServiceType" "orchestration" ) }}
{{ include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendService" "cfn" "backendServiceType" "cloudformation" ) }}
{{- end }}


@ -664,6 +664,13 @@ secrets:
oslo_messaging:
admin: heat-rabbitmq-admin
heat: heat-rabbitmq-user
tls:
orchestration:
api:
public: heat-tls-public
cloudformation:
cfn:
public: cloudformation-tls-public
# typically overridden by environmental
# values, but should include all endpoints
@ -745,6 +752,13 @@ endpoints:
public: heat
host_fqdn_override:
default: null
# NOTE(portdirect): this chart supports TLS for fqdn over-ridden public
# endpoints using the following format:
# public:
# host: null
# tls:
# crt: null
# key: null
path:
default: '/v1/%(project_id)s'
scheme:
@ -760,6 +774,13 @@ endpoints:
public: cloudformation
host_fqdn_override:
default: null
# NOTE(portdirect): this chart supports TLS for fqdn over-ridden public
# endpoints using the following format:
# public:
# host: null
# tls:
# crt: null
# key: null
path:
default: /v1
scheme:
@ -1044,6 +1065,7 @@ manifests:
pdb_cloudwatch: false
pod_rally_test: true
secret_db: true
secret_ingress_tls: true
secret_keystone: true
secret_rabbitmq: true
service_api: true


@ -0,0 +1,19 @@
{{/*
Copyright 2017-2018 The Openstack-Helm Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if .Values.manifests.secret_ingress_tls }}
{{- include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendService" "dashboard" "backendServiceType" "dashboard" ) }}
{{- end }}


@ -1974,6 +1974,10 @@ secrets:
oslo_db:
admin: horizon-db-admin
horizon: horizon-db-user
tls:
dashboard:
dashboard:
public: horizon-tls-public
# typically overridden by environmental
# values, but should include all endpoints
@ -2023,6 +2027,13 @@ endpoints:
public: horizon
host_fqdn_override:
default: null
# NOTE(portdirect): this chart supports TLS for fqdn over-ridden public
# endpoints using the following format:
# public:
# host: null
# tls:
# crt: null
# key: null
path:
default: null
scheme:
@ -2059,5 +2070,6 @@ manifests:
job_image_repo_sync: true
pdb: true
secret_db: true
secret_ingress_tls: true
service_ingress: true
service: true


@ -0,0 +1,19 @@
{{/*
Copyright 2017-2018 The Openstack-Helm Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if .Values.manifests.secret_ingress_tls }}
{{- include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendServiceType" "identity" ) }}
{{- end }}


@ -789,6 +789,10 @@ secrets:
keystone: keystone-rabbitmq-user
ldap:
tls: keystone-ldap-tls
tls:
identity:
api:
public: keystone-tls-public
# typically overridden by environmental
# values, but should include all endpoints
@ -831,6 +835,13 @@ endpoints:
public: keystone
host_fqdn_override:
default: null
# NOTE(portdirect): this chart supports TLS for fqdn over-ridden public
# endpoints using the following format:
# public:
# host: null
# tls:
# crt: null
# key: null
path:
default: /v3
scheme:
@ -922,6 +933,7 @@ manifests:
secret_credential_keys: true
secret_db: true
secret_fernet_keys: true
secret_ingress_tls: true
secret_keystone: true
secret_rabbitmq: true
service_ingress_api: true


@ -0,0 +1,19 @@
{{/*
Copyright 2017-2018 The Openstack-Helm Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if .Values.manifests.secret_ingress_tls }}
{{- include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendService" "server" "backendServiceType" "network" ) }}
{{- end }}


@ -1557,6 +1557,10 @@ secrets:
oslo_messaging:
admin: neutron-rabbitmq-admin
neutron: neutron-rabbitmq-user
tls:
network:
server:
public: neutron-tls-public
# typically overridden by environmental
# values, but should include all endpoints
@ -1712,6 +1716,13 @@ endpoints:
public: neutron
host_fqdn_override:
default: null
# NOTE(portdirect): this chart supports TLS for fqdn over-ridden public
# endpoints using the following format:
# public:
# host: null
# tls:
# crt: null
# key: null
path:
default: null
scheme:
@ -1744,6 +1755,7 @@ manifests:
pdb_server: true
pod_rally_test: true
secret_db: true
secret_ingress_tls: true
secret_keystone: true
secret_rabbitmq: true
service_ingress_server: true


@ -0,0 +1,21 @@
{{/*
Copyright 2017-2018 The Openstack-Helm Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if .Values.manifests.secret_ingress_tls }}
{{ include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendService" "osapi" "backendServiceType" "compute" ) }}
{{ include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendService" "novncproxy" "backendServiceType" "compute_novnc_proxy" ) }}
{{ include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendService" "placement" "backendServiceType" "placement" ) }}
{{- end }}


@ -1121,6 +1121,16 @@ secrets:
oslo_messaging:
admin: nova-rabbitmq-admin
nova: nova-rabbitmq-user
tls:
compute:
osapi:
public: nova-tls-public
compute_novnc_proxy:
novncproxy:
public: nova-novncproxy-tls-public
placement:
placement:
public: placement-tls-public
# typically overridden by environmental
# values, but should include all endpoints
@ -1314,6 +1324,13 @@ endpoints:
public: nova
host_fqdn_override:
default: null
# NOTE(portdirect): this chart supports TLS for fqdn over-ridden public
# endpoints using the following format:
# public:
# host: null
# tls:
# crt: null
# key: null
path:
default: "/v2.1/%(tenant_id)s"
scheme:
@ -1349,6 +1366,13 @@ endpoints:
public: novncproxy
host_fqdn_override:
default: null
# NOTE(portdirect): this chart supports TLS for fqdn over-ridden public
# endpoints using the following format:
# public:
# host: null
# tls:
# crt: null
# key: null
path:
default: /vnc_auto.html
scheme:
@ -1697,6 +1721,7 @@ manifests:
pod_rally_test: true
secret_db_api: true
secret_db: true
secret_ingress_tls: true
secret_keystone: true
secret_keystone_placement: true
secret_rabbitmq: true


@ -0,0 +1,417 @@
#!/bin/bash
# Copyright 2018 The Openstack-Helm Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
set -xe
CURRENT_DIR=$(pwd)
CFSSLURL=https://pkg.cfssl.org/R1.2
TDIR=/tmp/certs
rm -rf $TDIR
mkdir -p $TDIR/bin
cd $TDIR
curl -sSL -o bin/cfssl $CFSSLURL/cfssl_linux-amd64
curl -sSL -o bin/cfssljson $CFSSLURL/cfssljson_linux-amd64
chmod +x bin/{cfssl,cfssljson}
export PATH=$PATH:./bin
OSH_CONFIG_ROOT="/etc/openstack-helm"
OSH_CA_ROOT="${OSH_CONFIG_ROOT}/certs/ca"
OSH_SERVER_TLS_ROOT="${OSH_CONFIG_ROOT}/certs/server"
sudo mkdir -p ${OSH_CONFIG_ROOT}
sudo chown $(whoami): -R ${OSH_CONFIG_ROOT}
mkdir -p "${OSH_CA_ROOT}"
tee ${OSH_CA_ROOT}/ca-config.json << EOF
{
"signing": {
"default": {
"expiry": "24h"
},
"profiles": {
"server": {
"expiry": "24h",
"usages": [
"signing",
"key encipherment",
"server auth"
]
}
}
}
}
EOF
tee ${OSH_CA_ROOT}/ca-csr.json << EOF
{
"CN": "ACME Company",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "US",
"L": "SomeState",
"ST": "SomeCity",
"O": "SomeOrg",
"OU": "SomeUnit"
}
]
}
EOF
cfssl gencert -initca ${OSH_CA_ROOT}/ca-csr.json | cfssljson -bare ${OSH_CA_ROOT}/ca -
function check_cert_and_key () {
TLS_CERT=$1
TLS_KEY=$2
openssl x509 -inform pem -in ${TLS_CERT} -noout -text
CERT_MOD="$(openssl x509 -noout -modulus -in ${TLS_CERT})"
KEY_MOD="$(openssl rsa -noout -modulus -in ${TLS_KEY})"
if ! [ "${CERT_MOD}" = "${KEY_MOD}" ]; then
echo "Failure: TLS private key does not match this certificate."
exit 1
else
CERT_MOD=""
KEY_MOD=""
echo "Pass: ${TLS_CERT} is valid with ${TLS_KEY}"
fi
}
check_cert_and_key ${OSH_CA_ROOT}/ca.pem ${OSH_CA_ROOT}/ca-key.pem
DOMAIN=openstackhelm.test
for HOSTNAME in "swift" "keystone" "heat" "cloudformation" "horizon" "glance" "cinder" "nova" "placement" "novnc" "metadata" "neutron" "barbican"; do
FQDN="${HOSTNAME}.${DOMAIN}"
OSH_SERVER_CERTS="${OSH_SERVER_TLS_ROOT}/${HOSTNAME}"
mkdir -p "${OSH_SERVER_CERTS}"
tee ${OSH_SERVER_CERTS}/server-csr-${HOSTNAME}.json <<EOF
{
"CN": "${FQDN}",
"hosts": [
"${FQDN}"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "US",
"L": "SomeState",
"ST": "SomeCity",
"O": "SomeOrg",
"OU": "SomeUnit"
}
]
}
EOF
cfssl gencert \
-hostname="${FQDN}" \
-ca=${OSH_CA_ROOT}/ca.pem \
-ca-key=${OSH_CA_ROOT}/ca-key.pem \
-config=${OSH_CA_ROOT}/ca-config.json \
-profile=server \
${OSH_SERVER_CERTS}/server-csr-${HOSTNAME}.json | cfssljson -bare ${OSH_SERVER_CERTS}/server
check_cert_and_key ${OSH_SERVER_CERTS}/server.pem ${OSH_SERVER_CERTS}/server-key.pem
done
cd $CURRENT_DIR
KEYSTONE_CRT=${OSH_SERVER_TLS_ROOT}/keystone/server.pem
KEYSTONE_KEY=${OSH_SERVER_TLS_ROOT}/keystone/server-key.pem
KEYSTONE_CSR=${OSH_SERVER_TLS_ROOT}/keystone/server-csr-keystone.json
SWIFT_CRT=${OSH_SERVER_TLS_ROOT}/swift/server.pem
SWIFT_KEY=${OSH_SERVER_TLS_ROOT}/swift/server-key.pem
SWIFT_CSR=${OSH_SERVER_TLS_ROOT}/swift/server-csr-swift.json
BARBICAN_CRT=${OSH_SERVER_TLS_ROOT}/barbican/server.pem
BARBICAN_KEY=${OSH_SERVER_TLS_ROOT}/barbican/server-key.pem
BARBICAN_CSR=${OSH_SERVER_TLS_ROOT}/barbican/server-csr-barbican.json
HEAT_API_CRT=${OSH_SERVER_TLS_ROOT}/heat/server.pem
HEAT_API_KEY=${OSH_SERVER_TLS_ROOT}/heat/server-key.pem
HEAT_API_CSR=${OSH_SERVER_TLS_ROOT}/heat/server-csr-heat.json
HEAT_CFN_CRT=${OSH_SERVER_TLS_ROOT}/cloudformation/server.pem
HEAT_CFN_KEY=${OSH_SERVER_TLS_ROOT}/cloudformation/server-key.pem
HEAT_CFN_CSR=${OSH_SERVER_TLS_ROOT}/cloudformation/server-csr-cloudformation.json
HORIZON_CRT=${OSH_SERVER_TLS_ROOT}/horizon/server.pem
HORIZON_KEY=${OSH_SERVER_TLS_ROOT}/horizon/server-key.pem
HORIZON_CSR=${OSH_SERVER_TLS_ROOT}/horizon/server-csr-horizon.json
GLANCE_API_CRT=${OSH_SERVER_TLS_ROOT}/glance/server.pem
GLANCE_API_KEY=${OSH_SERVER_TLS_ROOT}/glance/server-key.pem
GLANCE_API_CSR=${OSH_SERVER_TLS_ROOT}/glance/server-csr-glance.json
CINDER_CRT=${OSH_SERVER_TLS_ROOT}/cinder/server.pem
CINDER_KEY=${OSH_SERVER_TLS_ROOT}/cinder/server-key.pem
CINDER_CSR=${OSH_SERVER_TLS_ROOT}/cinder/server-csr-cinder.json
NOVA_API_CRT=${OSH_SERVER_TLS_ROOT}/nova/server.pem
NOVA_API_KEY=${OSH_SERVER_TLS_ROOT}/nova/server-key.pem
NOVA_API_CSR=${OSH_SERVER_TLS_ROOT}/nova/server-csr-nova.json
NOVA_NOVNC_CRT=${OSH_SERVER_TLS_ROOT}/novnc/server.pem
NOVA_NOVNC_KEY=${OSH_SERVER_TLS_ROOT}/novnc/server-key.pem
NOVA_NOVNC_CSR=${OSH_SERVER_TLS_ROOT}/novnc/server-csr-novnc.json
PLACEMENT_CRT=${OSH_SERVER_TLS_ROOT}/placement/server.pem
PLACEMENT_KEY=${OSH_SERVER_TLS_ROOT}/placement/server-key.pem
PLACEMENT_CSR=${OSH_SERVER_TLS_ROOT}/placement/server-csr-placement.json
NEUTRON_SERVER_CRT=${OSH_SERVER_TLS_ROOT}/neutron/server.pem
NEUTRON_SERVER_KEY=${OSH_SERVER_TLS_ROOT}/neutron/server-key.pem
NEUTRON_SERVER_CSR=${OSH_SERVER_TLS_ROOT}/neutron/server-csr-neutron.json
BARBICAN_API_CRT=${OSH_SERVER_TLS_ROOT}/barbican/server.pem
BARBICAN_API_KEY=${OSH_SERVER_TLS_ROOT}/barbican/server-key.pem
BARBICAN_API_CSR=${OSH_SERVER_TLS_ROOT}/barbican/server-csr-barbican.json
tee /tmp/tls-endpoints.yaml << EOF
endpoints:
object_store:
scheme:
public: https
port:
api:
public: 443
host_fqdn_override:
public:
host: "$(cat "${SWIFT_CSR}" | jq -r '.CN')"
tls:
crt: |
$(cat ${SWIFT_CRT} | sed 's/^/ /')
key: |
$(cat ${SWIFT_KEY} | sed 's/^/ /')
ca: |
$(cat ${OSH_CA_ROOT}/ca.pem | sed 's/^/ /')
identity:
scheme:
public: https
port:
api:
public: 443
host_fqdn_override:
public:
host: "$(cat "${KEYSTONE_CSR}" | jq -r '.CN')"
tls:
crt: |
$(cat ${KEYSTONE_CRT} | sed 's/^/ /')
key: |
$(cat ${KEYSTONE_KEY} | sed 's/^/ /')
ca: |
$(cat ${OSH_CA_ROOT}/ca.pem | sed 's/^/ /')
orchestration:
scheme:
public: https
port:
api:
public: 443
host_fqdn_override:
public:
host: "$(cat "${HEAT_API_CSR}" | jq -r '.CN')"
tls:
crt: |
$(cat ${HEAT_API_CRT} | sed 's/^/ /')
key: |
$(cat ${HEAT_API_KEY} | sed 's/^/ /')
ca: |
$(cat ${OSH_CA_ROOT}/ca.pem | sed 's/^/ /')
cloudformation:
scheme:
public: https
port:
cfn:
public: 443
host_fqdn_override:
public:
host: "$(cat "${HEAT_CFN_CSR}" | jq -r '.CN')"
tls:
crt: |
$(cat ${HEAT_CFN_CRT} | sed 's/^/ /')
key: |
$(cat ${HEAT_CFN_KEY} | sed 's/^/ /')
ca: |
$(cat ${OSH_CA_ROOT}/ca.pem | sed 's/^/ /')
dashboard:
scheme:
public: https
port:
web:
public: 443
host_fqdn_override:
public:
host: "$(cat "${HORIZON_CSR}" | jq -r '.CN')"
tls:
crt: |
$(cat ${HORIZON_CRT} | sed 's/^/ /')
key: |
$(cat ${HORIZON_KEY} | sed 's/^/ /')
ca: |
$(cat ${OSH_CA_ROOT}/ca.pem | sed 's/^/ /')
image:
scheme:
public: https
port:
api:
public: 443
host_fqdn_override:
public:
host: "$(cat "${GLANCE_API_CSR}" | jq -r '.CN')"
tls:
crt: |
$(cat ${GLANCE_API_CRT} | sed 's/^/ /')
key: |
$(cat ${GLANCE_API_KEY} | sed 's/^/ /')
ca: |
$(cat ${OSH_CA_ROOT}/ca.pem | sed 's/^/ /')
volume:
scheme:
public: https
port:
api:
public: 443
host_fqdn_override:
public:
host: "$(cat "${CINDER_CSR}" | jq -r '.CN')"
tls:
crt: |
$(cat ${CINDER_CRT} | sed 's/^/ /')
key: |
$(cat ${CINDER_KEY} | sed 's/^/ /')
ca: |
$(cat ${OSH_CA_ROOT}/ca.pem | sed 's/^/ /')
volumev2:
scheme:
public: https
port:
api:
public: 443
host_fqdn_override:
public:
host: "$(cat "${CINDER_CSR}" | jq -r '.CN')"
tls:
crt: |
$(cat ${CINDER_CRT} | sed 's/^/ /')
key: |
$(cat ${CINDER_KEY} | sed 's/^/ /')
ca: |
$(cat ${OSH_CA_ROOT}/ca.pem | sed 's/^/ /')
volumev3:
scheme:
public: https
port:
api:
public: 443
host_fqdn_override:
public:
host: "$(cat "${CINDER_CSR}" | jq -r '.CN')"
tls:
crt: |
$(cat ${CINDER_CRT} | sed 's/^/ /')
key: |
$(cat ${CINDER_KEY} | sed 's/^/ /')
ca: |
$(cat ${OSH_CA_ROOT}/ca.pem | sed 's/^/ /')
compute:
scheme:
public: https
port:
api:
public: 443
host_fqdn_override:
public:
host: "$(cat "${NOVA_API_CSR}" | jq -r '.CN')"
tls:
crt: |
$(cat ${NOVA_API_CRT} | sed 's/^/ /')
key: |
$(cat ${NOVA_API_KEY} | sed 's/^/ /')
ca: |
$(cat ${OSH_CA_ROOT}/ca.pem | sed 's/^/ /')
compute_novnc_proxy:
scheme:
public: https
port:
novnc_proxy:
public: 443
host_fqdn_override:
public:
host: "$(cat "${NOVA_NOVNC_CSR}" | jq -r '.CN')"
tls:
crt: |
$(cat ${NOVA_NOVNC_CRT} | sed 's/^/ /')
key: |
$(cat ${NOVA_NOVNC_KEY} | sed 's/^/ /')
ca: |
$(cat ${OSH_CA_ROOT}/ca.pem | sed 's/^/ /')
placement:
scheme:
public: https
port:
api:
public: 443
host_fqdn_override:
public:
host: "$(cat "${PLACEMENT_CSR}" | jq -r '.CN')"
tls:
crt: |
$(cat ${PLACEMENT_CRT} | sed 's/^/ /')
key: |
$(cat ${PLACEMENT_KEY} | sed 's/^/ /')
ca: |
$(cat ${PLACEMENT_ROOT}/ca.pem | sed 's/^/ /')
network:
scheme:
public: https
port:
api:
public: 443
host_fqdn_override:
public:
host: "$(cat "${NEUTRON_SERVER_CSR}" | jq -r '.CN')"
tls:
crt: |
$(cat ${NEUTRON_SERVER_CRT} | sed 's/^/ /')
key: |
$(cat ${NEUTRON_SERVER_KEY} | sed 's/^/ /')
ca: |
$(cat ${OSH_CA_ROOT}/ca.pem | sed 's/^/ /')
key_manager:
scheme:
public: https
port:
api:
public: 443
host_fqdn_override:
public:
host: "$(cat "${BARBICAN_API_CSR}" | jq -r '.CN')"
tls:
crt: |
$(cat ${BARBICAN_API_CRT} | sed 's/^/ /')
key: |
$(cat ${BARBICAN_API_KEY} | sed 's/^/ /')
ca: |
$(cat ${OSH_CA_ROOT}/ca.pem | sed 's/^/ /')
EOF
export OSH_EXTRA_HELM_ARGS="--values=/tmp/tls-endpoints.yaml"
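Review bot: In the `placement:` stanza of the `/tmp/tls-endpoints.yaml` heredoc, `ca: |` reads `$(cat ${PLACEMENT_ROOT}/ca.pem | sed 's/^/ /')`, but `PLACEMENT_ROOT` is never assigned anywhere in the script (and there is no `set -u`), so the substitution fails silently inside the heredoc and placement becomes the one endpoint with an empty `ca:` block; every other stanza uses `${OSH_CA_ROOT}`, so the line should read `$(cat ${OSH_CA_ROOT}/ca.pem | sed 's/^/ /')`. `tee /tmp/tls-endpoints.yaml << EOF` also copies the rendered file, every server private key included, to stdout and therefore to the job log, and leaves the file with default permissions; `umask 077` before the heredoc and `cat > /tmp/tls-endpoints.yaml << EOF` (or `tee … > /dev/null`) keep the key material out of the log and readable only by the owner. The cfssl binaries fetched by `curl -sSL -o bin/cfssl $CFSSLURL/cfssl_linux-amd64` are never integrity-checked before being trusted to mint the CA; pinning a digest, e.g. `echo "<EXPECTED_SHA256>  bin/cfssl" | sha256sum -c -` with the value taken from the upstream release, is cheap here. Minor: `BARBICAN_CRT`/`BARBICAN_KEY`/`BARBICAN_CSR` duplicate the later `BARBICAN_API_*` set and are unused, and the `cat "$X" | jq -r '.CN'` / `cat $X | sed` pipelines can be `jq -r '.CN' "$X"` and `sed 's/^/ /' "$X"`.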