TLS support for Glance services

List of changes in the current patch:
- Add files for certificates
- Updated configuration files for services to use mapped ports and
  'https' url scheme. Also ca_cert was provided for keystonemiddleware.
- Updated bootstrap script to use 'https' scheme with insecure flag,
  when it create image in glance.
- Update jobs for creation endpoints, now address function use 'tls'
  parameter.
- Add files for nginx configurations.

Change-Id: I7d34e18bf41308700f5f7d7a605cb372636fc412
This commit is contained in:
Sergey Kraynev 2017-01-30 09:16:15 +00:00
parent 6200b8743f
commit 6c27061d4e
12 changed files with 150 additions and 9 deletions

View File

@ -0,0 +1 @@
{{ security.tls.ca_cert }}

View File

@ -1,5 +1,8 @@
configs:
glance:
tls:
api_port: 10292
registry_port: 10191
api_port:
cont: 9292
ingress: image

View File

@ -5,8 +5,14 @@ use_syslog = false
use_stderr = true
use_forwarded_for = true
{% if security.tls.enabled %}
registry_client_protocol = https
bind_host = 127.0.0.1
bind_port = {{ glance.tls.api_port }}
{% else %}
bind_host = {{ network_topology["private"]["address"] }}
bind_port = {{ glance.api_port.cont }}
{% endif %}
registry_host = glance-registry
{% if glance.ceph.enable %}
@ -20,8 +26,9 @@ connection = mysql+pymysql://{{ glance.db.username }}:{{ glance.db.password }}@{
max_retries = -1
[keystone_authtoken]
auth_uri = {{ address('keystone', keystone.public_port, with_scheme=True) }}
auth_url = {{ address('keystone', keystone.admin_port, with_scheme=True) }}
auth_uri = {{ address('keystone', keystone.public_port, with_scheme=True, tls=True) }}
auth_url = {{ address('keystone', keystone.admin_port, with_scheme=True, tls=True) }}
cafile = /etc/glance/certs/ca-cert.pem
auth_type = password
project_domain_id = default
user_domain_id = default

View File

@ -8,10 +8,10 @@ export OS_USER_DOMAIN_NAME=default
export OS_PASSWORD={{ openstack.user_password }}
export OS_USERNAME={{ openstack.user_name }}
export OS_PROJECT_NAME={{ openstack.project_name }}
export OS_AUTH_URL="http://{{ address('keystone', keystone.admin_port) }}/v3"
export OS_AUTH_URL="{{ address('keystone', keystone.admin_port, with_scheme=True, tls=True) }}/v3"
{% set image = glance.bootstrap.image %}
FILE="$(mktemp)"
curl {{ image.url }} -o "${FILE}"
openstack image create --public --disk-format {{ image.disk_format }} --file "${FILE}" {{ image.name }}
openstack image create --public --disk-format {{ image.disk_format }} --file "${FILE}" {{ image.name }} --insecure
rm "${FILE}"

View File

@ -5,16 +5,24 @@ use_syslog = false
use_stderr = true
use_forwarded_for = true
{% if security.tls.enabled %}
bind_host = 127.0.0.1
bind_port = {{ glance.tls.registry_port }}
{% else %}
bind_host = {{ network_topology["private"]["address"] }}
bind_port = {{ glance.registry_port.cont }}
{% endif %}
[database]
connection = mysql+pymysql://{{ glance.db.username }}:{{ glance.db.password }}@{{ address(service.database) }}/{{ glance.db.name }}
max_retries = -1
[keystone_authtoken]
auth_uri = {{ address('keystone', keystone.public_port, with_scheme=True) }}
auth_url = {{ address('keystone', keystone.admin_port, with_scheme=True) }}
auth_uri = {{ address('keystone', keystone.public_port, with_scheme=True, tls=True) }}
auth_url = {{ address('keystone', keystone.admin_port, with_scheme=True, tls=True) }}
{% if security.tls.enabled %}
cafile = /etc/glance/certs/ca-cert.pem
{% endif %}
auth_type = password
project_domain_id = default
user_domain_id = default

View File

@ -0,0 +1,20 @@
server {
listen {{ glance.api_port.cont }};
ssl on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_session_cache shared:SSL:10m;
ssl_ciphers {{ security.tls.ciphers }};
ssl_prefer_server_ciphers on;
ssl_certificate /etc/nginx/ssl/certs/server-cert.pem;
ssl_certificate_key /etc/nginx/ssl/private/server-key.pem;
# allows to upload images without being cut off at some low size
client_max_body_size 0;
location / {
proxy_pass http://glance_api;
proxy_set_header Host $host:$server_port;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}

View File

@ -0,0 +1,20 @@
server {
listen {{ glance.registry_port.cont }};
ssl on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_session_cache shared:SSL:10m;
ssl_ciphers {{ security.tls.ciphers }};
ssl_prefer_server_ciphers on;
ssl_certificate /etc/nginx/ssl/certs/server-cert.pem;
ssl_certificate_key /etc/nginx/ssl/private/server-key.pem;
# allows to upload images without being cut off at some low size
client_max_body_size 0;
location / {
proxy_pass http://glance_registry;
proxy_set_header Host $host:$server_port;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}

View File

@ -0,0 +1 @@
{{ security.tls.server_cert }}

View File

@ -0,0 +1 @@
{{ security.tls.server_key }}

View File

@ -0,0 +1,10 @@
{% if security.tls.enabled %}
upstream glance_api {
server 127.0.0.1:{{ glance.tls.api_port }};
}
upstream glance_registry {
server 127.0.0.1:{{ glance.tls.registry_port }};
}
{% endif %}

View File

@ -44,20 +44,23 @@ service:
dependencies:
- glance-service-create
type: single
command: openstack endpoint create --region RegionOne image public {{ address('glance-api', glance.api_port, external=True, with_scheme=True) }}
command: openstack endpoint create --region RegionOne image public {{ address('glance-api', glance.api_port, external=True, with_scheme=True, tls=True) }}
- name: glance-internal-endpoint-create
dependencies:
- glance-service-create
type: single
command: openstack endpoint create --region RegionOne image internal {{ address('glance-api', glance.api_port, with_scheme=True) }}
command: openstack endpoint create --region RegionOne image internal {{ address('glance-api', glance.api_port, with_scheme=True, tls=True) }}
- name: glance-admin-endpoint-create
dependencies:
- glance-service-create
type: single
command: openstack endpoint create --region RegionOne image admin {{ address('glance-api', glance.api_port, with_scheme=True) }}
command: openstack endpoint create --region RegionOne image admin {{ address('glance-api', glance.api_port, with_scheme=True, tls=True) }}
daemon:
files:
- glance-api
# {% if security.tls.enabled %}
- ca_cert_client
# {% endif %}
# {% if glance.ceph.enable %}
- ceph-conf
- glance-ceph-key
@ -74,6 +77,17 @@ service:
files:
- glance-cirros-image-upload.sh
# {% endif %}
# {% if security.tls.enabled %}
- name: nginx
image: nginx
daemon:
files:
- upstreams
- servers
- server-cert
- server-key
command: nginx
# {% endif %}
files:
glance-api:
@ -92,3 +106,24 @@ files:
path: /opt/ccp/bin/glance-cirros-image-upload.sh
content: glance-cirros-image-upload.sh.j2
perm: "500"
# {% if security.tls.enabled %}
ca_cert_client:
path: /etc/glance/certs/ca-cert.pem
content: ca-cert.pem.j2
upstreams:
path: /etc/nginx/conf.d/upstreams.conf
content: upstreams.conf.j2
perm: "0400"
servers:
path: /etc/nginx/conf.d/servers.conf
content: nginx-api.conf.j2
perm: "0400"
server-cert:
path: /etc/nginx/ssl/certs/server-cert.pem
content: server-cert.pem.j2
perm: "0400"
server-key:
path: /etc/nginx/ssl/private/server-key.pem
content: server-key.pem.j2
perm: "0400"
# {% endif %}

View File

@ -13,11 +13,46 @@ service:
daemon:
files:
- glance-registry-conf
# {% if security.tls.enabled %}
- ca_cert_client
# {% endif %}
dependencies:
- glance-api
command: glance-registry
# {% if security.tls.enabled %}
- name: nginx
image: nginx
daemon:
files:
- upstreams
- servers
- server-cert
- server-key
command: nginx
# {% endif %}
files:
glance-registry-conf:
path: /etc/glance/glance-registry.conf
content: glance-registry.conf.j2
# {% if security.tls.enabled %}
ca_cert_client:
path: /etc/glance/certs/ca-cert.pem
content: ca-cert.pem.j2
upstreams:
path: /etc/nginx/conf.d/upstreams.conf
content: upstreams.conf.j2
perm: "0400"
servers:
path: /etc/nginx/conf.d/servers.conf
content: nginx-registry.conf.j2
perm: "0400"
server-cert:
path: /etc/nginx/ssl/certs/server-cert.pem
content: server-cert.pem.j2
perm: "0400"
server-key:
path: /etc/nginx/ssl/private/server-key.pem
content: server-key.pem.j2
perm: "0400"
# {% endif %}