TLS support for Glance services

List of changes in the current patch:
- Add files for certificates
- Updated configuration files for services to use mapped ports and
  'https' url scheme. Also ca_cert was provided for keystonemiddleware.
- Updated bootstrap script to use the 'https' scheme with the insecure flag
  when it creates an image in glance.
- Updated jobs for endpoint creation; the address function now uses the 'tls'
  parameter.
- Add files for nginx configurations.

Change-Id: I7d34e18bf41308700f5f7d7a605cb372636fc412
Sergey Kraynev 2017-01-30 09:16:15 +00:00
parent 6200b8743f
commit 47592297b2
11 changed files with 151 additions and 1 deletions


@ -0,0 +1 @@
{{ security.tls.ca_cert }}


@ -5,7 +5,13 @@ use_syslog = false
use_stderr = true
use_forwarded_for = true
{% if security.tls.enabled %}
registry_client_protocol = https
registry_client_ca_file = /opt/ccp/etc/tls/ca.pem
bind_host = 127.0.0.1
{% else %}
bind_host = {{ network_topology["private"]["address"] }}
{% endif %}
bind_port = {{ glance.api_port.cont }}
registry_host = glance-registry
@ -22,6 +28,9 @@ max_retries = -1
[keystone_authtoken]
auth_uri = {{ address('keystone', keystone.public_port, with_scheme=True) }}
auth_url = {{ address('keystone', keystone.admin_port, with_scheme=True) }}
{% if security.tls.enabled %}
cafile = /opt/ccp/etc/tls/ca.pem
{% endif %}
auth_type = password
project_domain_id = default
user_domain_id = default
@ -71,3 +80,10 @@ driver = {{ searchlight.notification_driver }}
{# rpc config is required for notifications in stable/mitaka #}
{{ oslo_messaging[messaging.backend.rpc]('rpc_config') }}
{{ oslo_messaging[messaging.backend.notifications]('notifications_config') }}
{% if security.tls.enabled %}
[oslo_messaging_rabbit]
kombu_ssl_version="TLSv1_2"
rabbit_use_ssl = true
kombu_ssl_ca_certs = /opt/ccp/etc/tls/ca.pem
{% endif %}
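Review bot: `kombu_ssl_version="TLSv1_2"` at the end of the hunk is the only quoted value in it; oslo.config's ini parser appears to strip matching quotes, so it probably works, but `kombu_ssl_version = TLSv1_2` matches the surrounding style and removes the doubt. The loopback `bind_host = 127.0.0.1` inside the TLS branch is what keeps the plaintext listener off the network, and the new upstreams template relies on exactly that address and port, so the coupling deserves a comment such as `{# with TLS enabled the API listens only on loopback; nginx terminates TLS on the private address and proxies to this port (see upstreams.conf.j2) #}`. The same two points apply to the glance-registry.conf.j2 hunks below.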


@ -8,7 +8,8 @@ export OS_USER_DOMAIN_NAME=default
export OS_PASSWORD={{ openstack.user_password }}
export OS_USERNAME={{ openstack.user_name }}
export OS_PROJECT_NAME={{ openstack.project_name }}
export OS_AUTH_URL="http://{{ address('keystone', keystone.admin_port) }}/v3"
export OS_AUTH_URL="{{ address('keystone', keystone.admin_port, with_scheme=True) }}/v3"
export OS_CACERT="/opt/ccp/etc/tls/ca.pem"
{% set image = glance.bootstrap.image %}
FILE="$(mktemp)"
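Review bot: `export OS_CACERT="/opt/ccp/etc/tls/ca.pem"` is exported unconditionally, but the `ca_cert` file is only shipped when `security.tls.enabled` is set (see the service definitions in this commit), so with TLS off the variable points at a file that does not exist. Guarding it with `{% if security.tls.enabled %}` / `export OS_CACERT="/opt/ccp/etc/tls/ca.pem"` / `{% endif %}` keeps the script consistent with the rest of the change. The commit message says the script uses an insecure flag for the image upload; if that flag is passed on the client call (outside this hunk), certificate verification is disabled and the CA file is never consulted, so one of the two should go rather than shipping both. The rest of the script continues outside the hunk.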


@ -5,7 +5,11 @@ use_syslog = false
use_stderr = true
use_forwarded_for = true
{% if security.tls.enabled %}
bind_host = 127.0.0.1
{% else %}
bind_host = {{ network_topology["private"]["address"] }}
{% endif %}
bind_port = {{ glance.registry_port.cont }}
[database]
@ -15,6 +19,9 @@ max_retries = -1
[keystone_authtoken]
auth_uri = {{ address('keystone', keystone.public_port, with_scheme=True) }}
auth_url = {{ address('keystone', keystone.admin_port, with_scheme=True) }}
{% if security.tls.enabled %}
cafile = /opt/ccp/etc/tls/ca.pem
{% endif %}
auth_type = password
project_domain_id = default
user_domain_id = default
@ -34,3 +41,10 @@ driver = {{ searchlight.notification_driver }}
{# rpc config is required for notifications in stable/mitaka #}
{{ oslo_messaging[messaging.backend.rpc]('rpc_config') }}
{{ oslo_messaging[messaging.backend.notifications]('notifications_config') }}
{% if security.tls.enabled %}
[oslo_messaging_rabbit]
kombu_ssl_version="TLSv1_2"
rabbit_use_ssl = true
kombu_ssl_ca_certs = /opt/ccp/etc/tls/ca.pem
{% endif %}


@ -0,0 +1,20 @@
server {
listen {{ network_topology["private"]["address"] }}:{{ glance.api_port.cont }};
ssl on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_session_cache shared:SSL:10m;
ssl_ciphers {{ nginx.ciphers }};
ssl_prefer_server_ciphers on;
ssl_certificate /opt/ccp/etc/tls/server-cert.pem;
ssl_certificate_key /opt/ccp/etc/tls/server-key.pem;
# allows to upload images without being cut off at some low size
client_max_body_size 0;
location / {
proxy_pass http://glance_api;
proxy_set_header Host $host:$server_port;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
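Review bot: `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` leaves TLS 1.0 and 1.1 enabled on the externally reachable listener, while the rabbit client in the same change pins TLSv1_2; `ssl_protocols TLSv1.2;` would match that and avoid offering the older protocol versions. `ssl on;` is the legacy form — `listen {{ network_topology["private"]["address"] }}:{{ glance.api_port.cont }} ssl;` is the current idiom and makes the separate directive unnecessary. The existing comment on `client_max_body_size 0;` is helpful; a similar one-liner above `proxy_pass http://glance_api;`, e.g. `# plaintext only to the loopback upstream; TLS is terminated here`, would record why the unencrypted hop is acceptable. nginx-registry.conf.j2 below has the same three points.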


@ -0,0 +1,20 @@
server {
listen {{ network_topology["private"]["address"] }}:{{ glance.registry_port.cont }};
ssl on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_session_cache shared:SSL:10m;
ssl_ciphers {{ nginx.ciphers }};
ssl_prefer_server_ciphers on;
ssl_certificate /opt/ccp/etc/tls/server-cert.pem;
ssl_certificate_key /opt/ccp/etc/tls/server-key.pem;
# allows to upload images without being cut off at some low size
client_max_body_size 0;
location / {
proxy_pass http://glance_registry;
proxy_set_header Host $host:$server_port;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}


@ -0,0 +1 @@
{{ security.tls.server_cert }}


@ -0,0 +1 @@
{{ security.tls.server_key }}


@ -0,0 +1,6 @@
upstream glance_api {
server 127.0.0.1:{{ glance.api_port.cont }};
}
upstream glance_registry {
server 127.0.0.1:{{ glance.registry_port.cont }};
}


@ -58,6 +58,9 @@ service:
daemon:
files:
- glance-api
# {% if security.tls.enabled %}
- ca_cert
# {% endif %}
# {% if glance.ceph.enable %}
- ceph-conf
- glance-ceph-key
@ -74,6 +77,17 @@ service:
files:
- glance-cirros-image-upload.sh
# {% endif %}
# {% if security.tls.enabled %}
- name: nginx
image: nginx
daemon:
files:
- upstreams
- servers
- server-cert
- server-key
command: nginx
# {% endif %}
files:
glance-api:
@ -92,3 +106,24 @@ files:
path: /opt/ccp/bin/glance-cirros-image-upload.sh
content: glance-cirros-image-upload.sh.j2
perm: "500"
# {% if security.tls.enabled %}
servers:
path: /etc/nginx/conf.d/servers.conf
content: nginx-api.conf.j2
perm: "0400"
upstreams:
path: /etc/nginx/conf.d/upstreams.conf
content: upstreams.conf.j2
perm: "0400"
ca_cert:
path: /opt/ccp/etc/tls/ca.pem
content: ca-cert.pem.j2
server-cert:
path: /opt/ccp/etc/tls/server-cert.pem
content: server-cert.pem.j2
perm: "0400"
server-key:
path: /opt/ccp/etc/tls/server-key.pem
content: server-key.pem.j2
perm: "0400"
# {% endif %}
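Review bot: the `ca_cert` entry under `files:` has no `perm:` while the other four new entries set `"0400"`; the CA certificate is not secret, but an explicit line such as `perm: "0444"` (or whatever default the framework applies — not visible here) documents the intent and keeps the block uniform. `server-key` is listed only in the nginx container's `files:` and not in the glance-api daemon's, which is the right separation; a comment `# private key is mounted into the nginx container only` beside the `server-key` entry would keep a later edit from widening that. The glance-registry service definition below has the same `ca_cert` omission.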


@ -13,11 +13,46 @@ service:
daemon:
files:
- glance-registry-conf
# {% if security.tls.enabled %}
- ca_cert
# {% endif %}
dependencies:
- glance-api
command: glance-registry
# {% if security.tls.enabled %}
- name: nginx
image: nginx
daemon:
files:
- upstreams
- servers
- server-cert
- server-key
command: nginx
# {% endif %}
files:
glance-registry-conf:
path: /etc/glance/glance-registry.conf
content: glance-registry.conf.j2
# {% if security.tls.enabled %}
servers:
path: /etc/nginx/conf.d/servers.conf
content: nginx-registry.conf.j2
perm: "0400"
upstreams:
path: /etc/nginx/conf.d/upstreams.conf
content: upstreams.conf.j2
perm: "0400"
ca_cert:
path: /opt/ccp/etc/tls/ca.pem
content: ca-cert.pem.j2
server-cert:
path: /opt/ccp/etc/tls/server-cert.pem
content: server-cert.pem.j2
perm: "0400"
server-key:
path: /opt/ccp/etc/tls/server-key.pem
content: server-key.pem.j2
perm: "0400"
# {% endif %}