From 47592297b2f9064592bc8b43fbf424ccb11bb45a Mon Sep 17 00:00:00 2001
From: Sergey Kraynev
Date: Mon, 30 Jan 2017 09:16:15 +0000
Subject: [PATCH] TLS support for Glance services

List of changes in the current patch:
- Add files for certificates
- Updated configuration files for services to use mapped ports and 'https' url scheme. Also ca_cert was provided for keystonemiddleware.
- Updated bootstrap script to use 'https' scheme with insecure flag, when it create image in glance.
- Update jobs for creation endpoints, now address function use 'tls' parameter.
- Add files for nginx configurations.

Change-Id: I7d34e18bf41308700f5f7d7a605cb372636fc412
---
 service/files/ca-cert.pem.j2 | 1 +
 service/files/glance-api.conf.j2 | 16 +++++++++
 .../files/glance-cirros-image-upload.sh.j2 | 3 +-
 service/files/glance-registry.conf.j2 | 14 ++++++++
 service/files/nginx-api.conf.j2 | 20 +++++++++++
 service/files/nginx-registry.conf.j2 | 20 +++++++++++
 service/files/server-cert.pem.j2 | 1 +
 service/files/server-key.pem.j2 | 1 +
 service/files/upstreams.conf.j2 | 6 ++++
 service/glance-api.yaml | 35 +++++++++++++++++++
 service/glance-registry.yaml | 35 +++++++++++++++++++
 11 files changed, 151 insertions(+), 1 deletion(-)
 create mode 100644 service/files/ca-cert.pem.j2
 create mode 100644 service/files/nginx-api.conf.j2
 create mode 100644 service/files/nginx-registry.conf.j2
 create mode 100644 service/files/server-cert.pem.j2
 create mode 100644 service/files/server-key.pem.j2
 create mode 100644 service/files/upstreams.conf.j2

diff --git a/service/files/ca-cert.pem.j2 b/service/files/ca-cert.pem.j2
new file mode 100644
index 0000000..d52069b
--- /dev/null
+++ b/service/files/ca-cert.pem.j2
@@ -0,0 +1 @@
+{{ security.tls.ca_cert }}
diff --git a/service/files/glance-api.conf.j2 b/service/files/glance-api.conf.j2
index 971b59a..06f8fb6 100644
--- a/service/files/glance-api.conf.j2
+++ b/service/files/glance-api.conf.j2
@@ -5,7 +5,13 @@ use_syslog = false
 use_stderr = true
 use_forwarded_for = true
+{% if security.tls.enabled %}
+registry_client_protocol = https
+registry_client_ca_file = /opt/ccp/etc/tls/ca.pem
+bind_host = 127.0.0.1
+{% else %}
 bind_host = {{ network_topology["private"]["address"] }}
+{% endif %}
 bind_port = {{ glance.api_port.cont }}
 registry_host = glance-registry
@@ -22,6 +28,9 @@ max_retries = -1
 [keystone_authtoken]
 auth_uri = {{ address('keystone', keystone.public_port, with_scheme=True) }}
 auth_url = {{ address('keystone', keystone.admin_port, with_scheme=True) }}
+{% if security.tls.enabled %}
+cafile = /opt/ccp/etc/tls/ca.pem
+{% endif %}
 auth_type = password
 project_domain_id = default
 user_domain_id = default
@@ -71,3 +80,10 @@ driver = {{ searchlight.notification_driver }}
 {# rpc config is required for notifications in stable/mitaka #}
 {{ oslo_messaging[messaging.backend.rpc]('rpc_config') }}
 {{ oslo_messaging[messaging.backend.notifications]('notifications_config') }}
+
+{% if security.tls.enabled %}
+[oslo_messaging_rabbit]
+kombu_ssl_version="TLSv1_2"
+rabbit_use_ssl = true
+kombu_ssl_ca_certs = /opt/ccp/etc/tls/ca.pem
+{% endif %}
diff --git a/service/files/glance-cirros-image-upload.sh.j2 b/service/files/glance-cirros-image-upload.sh.j2
index b3a5610..d195a69 100644
--- a/service/files/glance-cirros-image-upload.sh.j2
+++ b/service/files/glance-cirros-image-upload.sh.j2
@@ -8,7 +8,8 @@ export OS_USER_DOMAIN_NAME=default
 export OS_PASSWORD={{ openstack.user_password }}
 export OS_USERNAME={{ openstack.user_name }}
 export OS_PROJECT_NAME={{ openstack.project_name }}
-export OS_AUTH_URL="http://{{ address('keystone', keystone.admin_port) }}/v3"
+export OS_AUTH_URL="{{ address('keystone', keystone.admin_port, with_scheme=True) }}/v3"
+export OS_CACERT="/opt/ccp/etc/tls/ca.pem"
 {% set image = glance.bootstrap.image %}
 FILE="$(mktemp)"
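Review bot: With `registry_client_protocol = https` and `registry_client_ca_file` now set, glance-api verifies the registry's certificate against the name in the unchanged `registry_host = glance-registry` line, and the registry's nginx serves `security.tls.server_cert`, the same single template value the API sidecar uses. That certificate therefore has to be issued with `glance-registry` (and whatever name the API itself is reached under) as a subject alternative name, or every registry call fails verification once TLS is enabled, and nothing in the patch records that requirement. I would note it next to the new line: `# server_cert must carry registry_host (glance-registry) as a SAN`. The loopback `bind_host = 127.0.0.1` here and in glance-registry.conf.j2's first hunk also presumes the nginx sidecar shares the service container's network namespace, which is what the `127.0.0.1` entries in upstreams.conf.j2 rely on; worth a one-line comment at the `{% if %}`.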
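Review bot: `kombu_ssl_version="TLSv1_2"` in the new `[oslo_messaging_rabbit]` section is written quoted and without spaces around `=`, unlike every other option in the file and the two lines right after it; `kombu_ssl_version = TLSv1_2` matches the file's style, and oslo.config strips a matching pair of quotes anyway, so the value read is the same. The identical seven-line block is added to glance-registry.conf.j2 in its last hunk, so it is a candidate for a shared snippet rather than two copies. Note that this section pins the broker connection to TLS 1.2 while the new nginx server templates still accept TLSv1 and TLSv1.1; the same floor would be consistent there.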
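Review bot: `export OS_CACERT="/opt/ccp/etc/tls/ca.pem"` is set unconditionally, but in glance-api.yaml the `ca_cert` file is mapped only into the daemon's file list, and the job's `files:` list visible in that file's second hunk still names only `glance-cirros-image-upload.sh`; unless the job inherits the daemon's files or lists `ca_cert` above that hunk, the client will be pointed at a CA path that does not exist in its container once TLS is enabled. Adding `- ca_cert` to the job's file list under the same `# {% if security.tls.enabled %}` guard, and wrapping the export as `{% if security.tls.enabled %}` / `export OS_CACERT="/opt/ccp/etc/tls/ca.pem"` / `{% endif %}`, keeps the non-TLS rendering identical to today. The commit message says the bootstrap script uses an insecure flag, whereas the diff verifies against the CA, which is the better choice; the description should say that instead.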
diff --git a/service/files/glance-registry.conf.j2 b/service/files/glance-registry.conf.j2
index 8a2a9e0..674c3a1 100644
--- a/service/files/glance-registry.conf.j2
+++ b/service/files/glance-registry.conf.j2
@@ -5,7 +5,11 @@ use_syslog = false
 use_stderr = true
 use_forwarded_for = true
+{% if security.tls.enabled %}
+bind_host = 127.0.0.1
+{% else %}
 bind_host = {{ network_topology["private"]["address"] }}
+{% endif %}
 bind_port = {{ glance.registry_port.cont }}
 [database]
@@ -15,6 +19,9 @@ max_retries = -1
 [keystone_authtoken]
 auth_uri = {{ address('keystone', keystone.public_port, with_scheme=True) }}
 auth_url = {{ address('keystone', keystone.admin_port, with_scheme=True) }}
+{% if security.tls.enabled %}
+cafile = /opt/ccp/etc/tls/ca.pem
+{% endif %}
 auth_type = password
 project_domain_id = default
 user_domain_id = default
@@ -34,3 +41,10 @@ driver = {{ searchlight.notification_driver }}
 {# rpc config is required for notifications in stable/mitaka #}
 {{ oslo_messaging[messaging.backend.rpc]('rpc_config') }}
 {{ oslo_messaging[messaging.backend.notifications]('notifications_config') }}
+
+{% if security.tls.enabled %}
+[oslo_messaging_rabbit]
+kombu_ssl_version="TLSv1_2"
+rabbit_use_ssl = true
+kombu_ssl_ca_certs = /opt/ccp/etc/tls/ca.pem
+{% endif %}
diff --git a/service/files/nginx-api.conf.j2 b/service/files/nginx-api.conf.j2
new file mode 100644
index 0000000..de69998
--- /dev/null
+++ b/service/files/nginx-api.conf.j2
@@ -0,0 +1,20 @@
+server {
+listen {{ network_topology["private"]["address"] }}:{{ glance.api_port.cont }};
+ssl on;
+ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ssl_session_cache shared:SSL:10m;
+ssl_ciphers {{ nginx.ciphers }};
+ssl_prefer_server_ciphers on;
+ssl_certificate /opt/ccp/etc/tls/server-cert.pem;
+ssl_certificate_key /opt/ccp/etc/tls/server-key.pem;
+# allows to upload images without being cut off at some low size
+client_max_body_size 0;
+
+location / {
+proxy_pass http://glance_api;
+proxy_set_header Host $host:$server_port;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Proto $scheme;
+}
+}
diff --git a/service/files/nginx-registry.conf.j2 b/service/files/nginx-registry.conf.j2
new file mode 100644
index 0000000..087b3cd
--- /dev/null
+++ b/service/files/nginx-registry.conf.j2
@@ -0,0 +1,20 @@
+server {
+listen {{ network_topology["private"]["address"] }}:{{ glance.registry_port.cont }};
+ssl on;
+ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ssl_session_cache shared:SSL:10m;
+ssl_ciphers {{ nginx.ciphers }};
+ssl_prefer_server_ciphers on;
+ssl_certificate /opt/ccp/etc/tls/server-cert.pem;
+ssl_certificate_key /opt/ccp/etc/tls/server-key.pem;
+# allows to upload images without being cut off at some low size
+client_max_body_size 0;
+
+location / {
+proxy_pass http://glance_registry;
+proxy_set_header Host $host:$server_port;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Proto $scheme;
+}
+}
diff --git a/service/files/server-cert.pem.j2 b/service/files/server-cert.pem.j2
new file mode 100644
index 0000000..8abc152
--- /dev/null
+++ b/service/files/server-cert.pem.j2
@@ -0,0 +1 @@
+{{ security.tls.server_cert }}
diff --git a/service/files/server-key.pem.j2 b/service/files/server-key.pem.j2
new file mode 100644
index 0000000..70cf751
--- /dev/null
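Review bot: `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` enables TLS 1.0 and 1.1 on the new listener, while the `[oslo_messaging_rabbit]` section added to both glance confs pins `kombu_ssl_version="TLSv1_2"`; `ssl_protocols TLSv1.2;` applies the same floor to the HTTP endpoint, and nothing in the patch shows a client that needs the older versions. The same line is in nginx-registry.conf.j2, whose hunk is otherwise identical apart from the port and upstream name, so the two files could be one template with those two values passed in. `ssl on;` is deprecated in newer nginx releases in favour of `listen ... ssl;`, i.e. `listen {{ network_topology["private"]["address"] }}:{{ glance.api_port.cont }} ssl;`; since the service definitions reference the image only as `nginx`, whether that matters depends on the version actually shipped. Forwarding `X-Forwarded-Proto` pairs correctly with the `use_forwarded_for = true` already present in both glance confs.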
+++ b/service/files/server-key.pem.j2
@@ -0,0 +1 @@
+{{ security.tls.server_key }}
diff --git a/service/files/upstreams.conf.j2 b/service/files/upstreams.conf.j2
new file mode 100644
index 0000000..716a515
--- /dev/null
+++ b/service/files/upstreams.conf.j2
@@ -0,0 +1,6 @@
+upstream glance_api {
+server 127.0.0.1:{{ glance.api_port.cont }};
+}
+upstream glance_registry {
+server 127.0.0.1:{{ glance.registry_port.cont }};
+}
diff --git a/service/glance-api.yaml b/service/glance-api.yaml
index 6ffe151..58e89a3 100644
--- a/service/glance-api.yaml
+++ b/service/glance-api.yaml
@@ -58,6 +58,9 @@ service:
 daemon:
 files:
 - glance-api
+# {% if security.tls.enabled %}
+- ca_cert
+# {% endif %}
 # {% if glance.ceph.enable %}
 - ceph-conf
 - glance-ceph-key
@@ -74,6 +77,17 @@ service:
 files:
 - glance-cirros-image-upload.sh
 # {% endif %}
+# {% if security.tls.enabled %}
+- name: nginx
+image: nginx
+daemon:
+files:
+- upstreams
+- servers
+- server-cert
+- server-key
+command: nginx
+# {% endif %}
 files:
 glance-api:
@@ -92,3 +106,24 @@ files:
 path: /opt/ccp/bin/glance-cirros-image-upload.sh
 content: glance-cirros-image-upload.sh.j2
 perm: "500"
+# {% if security.tls.enabled %}
+servers:
+path: /etc/nginx/conf.d/servers.conf
+content: nginx-api.conf.j2
+perm: "0400"
+upstreams:
+path: /etc/nginx/conf.d/upstreams.conf
+content: upstreams.conf.j2
+perm: "0400"
+ca_cert:
+path: /opt/ccp/etc/tls/ca.pem
+content: ca-cert.pem.j2
+server-cert:
+path: /opt/ccp/etc/tls/server-cert.pem
+content: server-cert.pem.j2
+perm: "0400"
+server-key:
+path: /opt/ccp/etc/tls/server-key.pem
+content: server-key.pem.j2
+perm: "0400"
+# {% endif %}
diff --git a/service/glance-registry.yaml b/service/glance-registry.yaml
index cf68b93..6396305 100644
--- a/service/glance-registry.yaml
+++ b/service/glance-registry.yaml
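Review bot: `command: nginx` in the new sidecar starts nginx in its default daemonising mode, so the container's main process exits as soon as the master forks unless the image's nginx.conf already sets `daemon off;`; if this repository's image does not, `command: nginx -g 'daemon off;'` keeps it in the foreground. The same entry is added in glance-registry.yaml. In the `files:` block, `ca_cert:` is the only new entry without a `perm:`, while `servers`, `upstreams`, `server-cert` and `server-key` all set `"0400"`; the CA certificate is public so a looser mode is fine, but stating it (for example `perm: "0444"`) keeps the block uniform and makes the contrast with the `0400` private key in `server-key` deliberate. Whether the nginx master runs as the owner of that `0400` key file is not visible from these definitions and is worth confirming against the image.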
@@ -13,11 +13,46 @@ service:
 daemon:
 files:
 - glance-registry-conf
+# {% if security.tls.enabled %}
+- ca_cert
+# {% endif %}
 dependencies:
 - glance-api
 command: glance-registry
+# {% if security.tls.enabled %}
+- name: nginx
+image: nginx
+daemon:
+files:
+- upstreams
+- servers
+- server-cert
+- server-key
+command: nginx
+# {% endif %}
 files:
 glance-registry-conf:
 path: /etc/glance/glance-registry.conf
 content: glance-registry.conf.j2
+# {% if security.tls.enabled %}
+servers:
+path: /etc/nginx/conf.d/servers.conf
+content: nginx-registry.conf.j2
+perm: "0400"
+upstreams:
+path: /etc/nginx/conf.d/upstreams.conf
+content: upstreams.conf.j2
+perm: "0400"
+ca_cert:
+path: /opt/ccp/etc/tls/ca.pem
+content: ca-cert.pem.j2
+server-cert:
+path: /opt/ccp/etc/tls/server-cert.pem
+content: server-cert.pem.j2
+perm: "0400"
+server-key:
+path: /opt/ccp/etc/tls/server-key.pem
+content: server-key.pem.j2
+perm: "0400"
+# {% endif %}