
Implement TLS support for Designate

- Add certificates
- Add new nginx container for terminating SSL
- Add config options for binding the service to localhost when SSL is
  enabled.

Co-authored-by: Peter Razumovsky <prazumovsky@mirantis.com>
Change-Id: I5ab74606d8d2004b52d9d1061bf4fb7d9896de0a
Sergey Kraynev 2 years ago
parent
commit
89ad4dd4f0

+ 29
- 0
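--- a/service/designate-api.yaml
+++ b/service/designate-api.yaml
@@ -62,6 +62,17 @@ service:
           - designate-conf
           - api-paste
         command: designate-api --config-file /etc/designate/designate.conf
+    # {% if designate.tls.enabled %}
+    - name: nginx-designate-api
+      image: nginx
+      daemon:
+        files:
+          - upstreams
+          - servers
+          - server-cert
+          - server-key
+        command: nginx
+    # {% endif %}
 
 files:
   designate-conf:
@@ -70,3 +81,21 @@ files:
   api-paste:
     path: /etc/designate/api-paste.ini
     content: api-paste.ini.j2
+  # {% if designate.tls.enabled %}
+  servers:
+    path: /etc/nginx/conf.d/servers.conf
+    content: nginx-api.conf.j2
+    perm: "0400"
+  upstreams:
+    path: /etc/nginx/conf.d/upstreams.conf
+    content: upstreams.conf.j2
+    perm: "0400"
+  server-cert:
+    path: /opt/ccp/etc/tls/server-cert.pem
+    content: server-cert.pem.j2
+    perm: "0400"
+  server-key:
+    path: /opt/ccp/etc/tls/server-key.pem
+    content: server-key.pem.j2
+    perm: "0400"
+  # {% endif %}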
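Review bot: The designate.conf.j2 hunk in this commit points `ca_certificates_file` at `/opt/ccp/etc/tls/ca.pem`, but the `files:` entries added here only render `server-cert` and `server-key`, and they are listed only in the nginx sidecar's `daemon.files`; the designate-api container's own list (`designate-conf`, `api-paste`) gains nothing, so unless the platform mounts a CA bundle into every container the API will reference a file that is never written. Either add a `ca-cert` entry next to `server-cert`/`server-key` and reference it from the designate-api container, or state the provenance in a comment above the new block, e.g. `# ca.pem is supplied by the platform; only the server cert/key are rendered here`. The `perm: "0400"` on the key is appropriate; keep it if a CA entry is added (the CA itself can be world-readable). The sidecar listens on `designate.api_port.cont` while the API is reconfigured to bind `127.0.0.1` on that same port, which presumably relies on both containers sharing a network namespace — a one-line comment on the `nginx-designate-api` entry saying so would make that dependency explicit.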

+ 2
- 0
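--- a/service/files/defaults.yaml
+++ b/service/files/defaults.yaml
@@ -1,5 +1,7 @@
 configs:
   designate:
+    tls:
+      enabled: true
     api_port:
       cont: 9001
       ingress: dns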
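Review bot: Shipping `tls.enabled: true` as the default means every deployment renders `server-cert.pem.j2` and `server-key.pem.j2` from `security.tls.server_cert`/`server_key`, so an environment that has not provisioned those values ends up with either a render failure or empty cert/key files mounted read-only and an nginx sidecar that cannot start. Either default to `false` so operators opt in once the material exists, or add a comment above `tls:` naming the prerequisite, e.g. `# requires security.tls.server_cert and security.tls.server_key to be set`.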

+ 11
- 1
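--- a/service/files/designate.conf.j2
+++ b/service/files/designate.conf.j2
@@ -47,8 +47,13 @@ threads = {{ designate.service.central.threads }}
 [service:api]
 workers = {{ designate.service.api.workers }}
 threads = {{ designate.service.api.threads }}
+{% if designate.tls.enabled %}
+api_base_uri = {{ address('designate-api', designate.api_port, with_scheme=True) }}
+api_host = 127.0.0.1
+{% else %}
 api_base_uri = http://{{ network_topology["private"]["address"] }}:{{ designate.api_port.cont }}/
 api_host = {{ network_topology["private"]["address"] }}
+{% endif %}
 api_port = {{ designate.api_port.cont }}
 auth_strategy = keystone
 enable_api_v1 = True
@@ -56,7 +61,12 @@ enabled_extensions_v1 = diagnostics, quotas, reports, sync, touch
 enable_api_v2 = True
 enabled_extensions_v2 = quotas, reports
 enable_api_admin = True
-listen = {{ address("designate-api", designate.api_port) }}
+#listen = {{ network_topology["private"]["address"] }}:{{ designate.api_port.cont }}
+
+{% if designate.tls.enabled %}
+[network_api:neutron]
+ca_certificates_file = /opt/ccp/etc/tls/ca.pem
+{% endif %}
 
 #-------------
 # Sink Service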
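Review bot: In the second hunk the old `listen =` line is replaced by a commented-out `#listen = …` instead of being removed, which leaves dead template text that no longer matches either branch above; drop it and let `api_host`/`api_port`, which the first hunk now sets in both branches, define the bind address. The `[network_api:neutron] ca_certificates_file` option is gated on `designate.tls.enabled`, but that flag describes Designate's own TLS termination while the option governs trust of Neutron's endpoint; if the intent is that the whole platform is TLS-only together, a comment such as `{# neutron is assumed to serve TLS whenever designate does #}` would keep the two from being decoupled accidentally later. The literal `api_host = 127.0.0.1` must stay in step with `server 127.0.0.1:…` in upstreams.conf.j2; a short cross-reference comment at either site would help.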

+ 9
- 0
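--- /dev/null
+++ b/service/files/nginx-api.conf.j2
@@ -0,0 +1,9 @@
+server {
+    listen {{ network_topology["private"]["address"] }}:{{ designate.api_port.cont }} ssl;
+    include common/ssl.conf;
+
+    location / {
+        proxy_pass http://designate_api;
+        include common/proxy-headers.conf;
+    }
+}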
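Review bot: Nothing in this file ties `include common/ssl.conf;` to the `/opt/ccp/etc/tls/server-cert.pem` and `server-key.pem` paths that designate-api.yaml mounts for this container, so a reader cannot tell from here which certificate the `listen … ssl` directive will serve; if `common/ssl.conf` is a shared snippet, a comment above the include naming the expected `ssl_certificate`/`ssl_certificate_key` paths would make the dependency visible. Because `api_base_uri` is now rendered with `with_scheme=True`, the backend presumably builds https links only if `common/proxy-headers.conf` forwards the original scheme (`X-Forwarded-Proto`); worth confirming that snippet sets it, since the upstream hop to `designate_api` is plain http.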

+ 1
- 0
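--- /dev/null
+++ b/service/files/server-cert.pem.j2
@@ -0,0 +1 @@
+{{ security.tls.server_cert }}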

+ 1
- 0
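--- /dev/null
+++ b/service/files/server-key.pem.j2
@@ -0,0 +1 @@
+{{ security.tls.server_key }}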

+ 3
- 0
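--- /dev/null
+++ b/service/files/upstreams.conf.j2
@@ -0,0 +1,3 @@
+upstream designate_api {
+    server 127.0.0.1:{{ designate.api_port.cont }};
+}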
