TLS support for Glance services
List of changes in the current patch: - Add files for certificates - Updated configuration files for services to use mapped ports and the 'https' url scheme. Also ca_cert was provided for keystonemiddleware. - Updated bootstrap script to use the 'https' scheme with the insecure flag when it creates an image in glance. - Update jobs for endpoint creation; the address function now uses the 'tls' parameter. - Add files for nginx configurations. Change-Id: I7d34e18bf41308700f5f7d7a605cb372636fc412
This commit is contained in:
parent
6200b8743f
commit
7c3913ce5e
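--- a/service/files/ca-cert.pem.j2
+++ b/service/files/ca-cert.pem.j2
@@ -0,0 +1 @@
+{{ security.tls.ca_cert }}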
@ -1,5 +1,8 @@
|
|||||||
configs:
|
configs:
|
||||||
glance:
|
glance:
|
||||||
|
tls:
|
||||||
|
api_port: 10292
|
||||||
|
registry_port: 10191
|
||||||
api_port:
|
api_port:
|
||||||
cont: 9292
|
cont: 9292
|
||||||
ingress: image
|
ingress: image
|
||||||
|
@ -5,8 +5,14 @@ use_syslog = false
|
|||||||
use_stderr = true
|
use_stderr = true
|
||||||
use_forwarded_for = true
|
use_forwarded_for = true
|
||||||
|
|
||||||
|
{% if security.tls.enabled %}
|
||||||
|
registry_client_protocol = https
|
||||||
|
bind_host = 127.0.0.1
|
||||||
|
bind_port = {{ glance.tls.api_port }}
|
||||||
|
{% else %}
|
||||||
bind_host = {{ network_topology["private"]["address"] }}
|
bind_host = {{ network_topology["private"]["address"] }}
|
||||||
bind_port = {{ glance.api_port.cont }}
|
bind_port = {{ glance.api_port.cont }}
|
||||||
|
{% endif %}
|
||||||
|
|
||||||
registry_host = glance-registry
|
registry_host = glance-registry
|
||||||
{% if glance.ceph.enable %}
|
{% if glance.ceph.enable %}
|
||||||
@ -20,8 +26,9 @@ connection = mysql+pymysql://{{ glance.db.username }}:{{ glance.db.password }}@{
|
|||||||
max_retries = -1
|
max_retries = -1
|
||||||
|
|
||||||
[keystone_authtoken]
|
[keystone_authtoken]
|
||||||
auth_uri = {{ address('keystone', keystone.public_port, with_scheme=True) }}
|
auth_uri = {{ address('keystone', keystone.public_port, with_scheme=True, tls=True) }}
|
||||||
auth_url = {{ address('keystone', keystone.admin_port, with_scheme=True) }}
|
auth_url = {{ address('keystone', keystone.admin_port, with_scheme=True, tls=True) }}
|
||||||
|
cafile = /etc/glance/certs/ca-cert.pem
|
||||||
auth_type = password
|
auth_type = password
|
||||||
project_domain_id = default
|
project_domain_id = default
|
||||||
user_domain_id = default
|
user_domain_id = default
|
||||||
|
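Review bot: In the second hunk, `cafile = /etc/glance/certs/ca-cert.pem` is added to `[keystone_authtoken]` unconditionally, whereas the same line in the glance-registry configuration and the `ca_cert_client` file entry in the service definition are both wrapped in `{% if security.tls.enabled %}`; with TLS disabled, glance-api would point keystonemiddleware at a CA file that is never delivered. Wrap it the same way: `{% if security.tls.enabled %}` / `cafile = /etc/glance/certs/ca-cert.pem` / `{% endif %}`. In the first hunk, `registry_client_protocol = https` switches the api-to-registry call to TLS but nothing in the block tells that client which CA to trust; presumably `registry_client_ca_file = /etc/glance/certs/ca-cert.pem` belongs in the same `{% if %}` block, unless verification is deliberately left to the library defaults — worth confirming against the glance version in use.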
@ -8,10 +8,10 @@ export OS_USER_DOMAIN_NAME=default
|
|||||||
export OS_PASSWORD={{ openstack.user_password }}
|
export OS_PASSWORD={{ openstack.user_password }}
|
||||||
export OS_USERNAME={{ openstack.user_name }}
|
export OS_USERNAME={{ openstack.user_name }}
|
||||||
export OS_PROJECT_NAME={{ openstack.project_name }}
|
export OS_PROJECT_NAME={{ openstack.project_name }}
|
||||||
export OS_AUTH_URL="http://{{ address('keystone', keystone.admin_port) }}/v3"
|
export OS_AUTH_URL="{{ address('keystone', keystone.admin_port, with_scheme=True, tls=True) }}/v3"
|
||||||
|
|
||||||
{% set image = glance.bootstrap.image %}
|
{% set image = glance.bootstrap.image %}
|
||||||
FILE="$(mktemp)"
|
FILE="$(mktemp)"
|
||||||
curl {{ image.url }} -o "${FILE}"
|
curl {{ image.url }} -o "${FILE}"
|
||||||
openstack image create --public --disk-format {{ image.disk_format }} --file "${FILE}" {{ image.name }}
|
openstack image create --public --disk-format {{ image.disk_format }} --file "${FILE}" {{ image.name }} --insecure
|
||||||
rm "${FILE}"
|
rm "${FILE}"
|
||||||
|
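Review bot: `openstack image create ... --insecure` on the last changed line disables server certificate verification for the bootstrap upload, so the image is pushed over a TLS connection whose peer is never authenticated. The commit already renders the CA bundle to `/etc/glance/certs/ca-cert.pem` for the service containers; if that file (the `ca_cert_client` entry) can be mounted into the bootstrap container as well, the script can verify instead with `export OS_CACERT=/etc/glance/certs/ca-cert.pem` next to the other `OS_*` exports and drop `--insecure`. Setting it through the environment also covers the keystone token request that the now-https `OS_AUTH_URL` triggers, rather than only the one command it is appended to. The hunk starts at line 8 of the script, so earlier exports are outside this view.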
@ -5,16 +5,24 @@ use_syslog = false
|
|||||||
use_stderr = true
|
use_stderr = true
|
||||||
use_forwarded_for = true
|
use_forwarded_for = true
|
||||||
|
|
||||||
|
{% if security.tls.enabled %}
|
||||||
|
bind_host = 127.0.0.1
|
||||||
|
bind_port = {{ glance.tls.registry_port }}
|
||||||
|
{% else %}
|
||||||
bind_host = {{ network_topology["private"]["address"] }}
|
bind_host = {{ network_topology["private"]["address"] }}
|
||||||
bind_port = {{ glance.registry_port.cont }}
|
bind_port = {{ glance.registry_port.cont }}
|
||||||
|
{% endif %}
|
||||||
|
|
||||||
[database]
|
[database]
|
||||||
connection = mysql+pymysql://{{ glance.db.username }}:{{ glance.db.password }}@{{ address(service.database) }}/{{ glance.db.name }}
|
connection = mysql+pymysql://{{ glance.db.username }}:{{ glance.db.password }}@{{ address(service.database) }}/{{ glance.db.name }}
|
||||||
max_retries = -1
|
max_retries = -1
|
||||||
|
|
||||||
[keystone_authtoken]
|
[keystone_authtoken]
|
||||||
auth_uri = {{ address('keystone', keystone.public_port, with_scheme=True) }}
|
auth_uri = {{ address('keystone', keystone.public_port, with_scheme=True, tls=True) }}
|
||||||
auth_url = {{ address('keystone', keystone.admin_port, with_scheme=True) }}
|
auth_url = {{ address('keystone', keystone.admin_port, with_scheme=True, tls=True) }}
|
||||||
|
{% if security.tls.enabled %}
|
||||||
|
cafile = /etc/glance/certs/ca-cert.pem
|
||||||
|
{% endif %}
|
||||||
auth_type = password
|
auth_type = password
|
||||||
project_domain_id = default
|
project_domain_id = default
|
||||||
user_domain_id = default
|
user_domain_id = default
|
||||||
|
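--- a/service/files/nginx-api.conf.j2
+++ b/service/files/nginx-api.conf.j2
@@ -0,0 +1,22 @@
+{% if security.tls.enabled %}
+server {
+listen {{ glance.api_port.cont }};
+ssl on;
+ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ssl_session_cache shared:SSL:10m;
+ssl_ciphers {{ security.tls.ciphers }};
+ssl_prefer_server_ciphers on;
+ssl_certificate /etc/nginx/ssl/certs/server-cert.pem;
+ssl_certificate_key /etc/nginx/ssl/private/server-key.pem;
+# allows to upload images without being cut off at some low size
+client_max_body_size 0;
+
+location / {
+proxy_pass http://glance_api;
+proxy_set_header Host $host:$server_port;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Proto $scheme;
+}
+}
+{% endif %}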
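Review bot: `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` keeps TLS 1.0 and 1.1 enabled on the Glance API listener, and the identical line appears in nginx-registry.conf.j2; both legacy versions should be dropped unless a specific client is known to require them, i.e. `ssl_protocols TLSv1.2;`. `ssl on;` is the legacy form and can be folded into the listen directive as `listen {{ glance.api_port.cont }} ssl;`, which also avoids the directive applying to any plain-HTTP listener added later. The two nginx templates differ only in the listen port and upstream name, so a single template taking those as variables would keep the TLS settings from drifting apart between api and registry.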
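--- a/service/files/nginx-registry.conf.j2
+++ b/service/files/nginx-registry.conf.j2
@@ -0,0 +1,22 @@
+{% if security.tls.enabled %}
+server {
+listen {{ glance.registry_port.cont }};
+ssl on;
+ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ssl_session_cache shared:SSL:10m;
+ssl_ciphers {{ security.tls.ciphers }};
+ssl_prefer_server_ciphers on;
+ssl_certificate /etc/nginx/ssl/certs/server-cert.pem;
+ssl_certificate_key /etc/nginx/ssl/private/server-key.pem;
+# allows to upload images without being cut off at some low size
+client_max_body_size 0;
+
+location / {
+proxy_pass http://glance_registry;
+proxy_set_header Host $host:$server_port;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Proto $scheme;
+}
+}
+{% endif %}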
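--- a/service/files/server-cert.pem.j2
+++ b/service/files/server-cert.pem.j2
@@ -0,0 +1 @@
+{{ security.tls.server_cert }}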
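--- a/service/files/server-key.pem.j2
+++ b/service/files/server-key.pem.j2
@@ -0,0 +1 @@
+{{ security.tls.server_key }}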
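--- a/service/files/upstreams.conf.j2
+++ b/service/files/upstreams.conf.j2
@@ -0,0 +1,10 @@
+{% if security.tls.enabled %}
+
+upstream glance_api {
+server 127.0.0.1:{{ glance.tls.api_port }};
+}
+upstream glance_registry {
+server 127.0.0.1:{{ glance.tls.registry_port }};
+}
+
+{% endif %}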
@ -44,20 +44,23 @@ service:
|
|||||||
dependencies:
|
dependencies:
|
||||||
- glance-service-create
|
- glance-service-create
|
||||||
type: single
|
type: single
|
||||||
command: openstack endpoint create --region RegionOne image public {{ address('glance-api', glance.api_port, external=True, with_scheme=True) }}
|
command: openstack endpoint create --region RegionOne image public {{ address('glance-api', glance.api_port, external=True, with_scheme=True, tls=True) }}
|
||||||
- name: glance-internal-endpoint-create
|
- name: glance-internal-endpoint-create
|
||||||
dependencies:
|
dependencies:
|
||||||
- glance-service-create
|
- glance-service-create
|
||||||
type: single
|
type: single
|
||||||
command: openstack endpoint create --region RegionOne image internal {{ address('glance-api', glance.api_port, with_scheme=True) }}
|
command: openstack endpoint create --region RegionOne image internal {{ address('glance-api', glance.api_port, with_scheme=True, tls=True) }}
|
||||||
- name: glance-admin-endpoint-create
|
- name: glance-admin-endpoint-create
|
||||||
dependencies:
|
dependencies:
|
||||||
- glance-service-create
|
- glance-service-create
|
||||||
type: single
|
type: single
|
||||||
command: openstack endpoint create --region RegionOne image admin {{ address('glance-api', glance.api_port, with_scheme=True) }}
|
command: openstack endpoint create --region RegionOne image admin {{ address('glance-api', glance.api_port, with_scheme=True, tls=True) }}
|
||||||
daemon:
|
daemon:
|
||||||
files:
|
files:
|
||||||
- glance-api
|
- glance-api
|
||||||
|
# {% if security.tls.enabled %}
|
||||||
|
- ca_cert_client
|
||||||
|
# {% endif %}
|
||||||
# {% if glance.ceph.enable %}
|
# {% if glance.ceph.enable %}
|
||||||
- ceph-conf
|
- ceph-conf
|
||||||
- glance-ceph-key
|
- glance-ceph-key
|
||||||
@ -74,6 +77,17 @@ service:
|
|||||||
files:
|
files:
|
||||||
- glance-cirros-image-upload.sh
|
- glance-cirros-image-upload.sh
|
||||||
# {% endif %}
|
# {% endif %}
|
||||||
|
# {% if security.tls.enabled %}
|
||||||
|
- name: nginx
|
||||||
|
image: nginx
|
||||||
|
daemon:
|
||||||
|
files:
|
||||||
|
- upstreams
|
||||||
|
- servers
|
||||||
|
- server-cert
|
||||||
|
- server-key
|
||||||
|
command: nginx
|
||||||
|
# {% endif %}
|
||||||
|
|
||||||
files:
|
files:
|
||||||
glance-api:
|
glance-api:
|
||||||
@ -92,3 +106,24 @@ files:
|
|||||||
path: /opt/ccp/bin/glance-cirros-image-upload.sh
|
path: /opt/ccp/bin/glance-cirros-image-upload.sh
|
||||||
content: glance-cirros-image-upload.sh.j2
|
content: glance-cirros-image-upload.sh.j2
|
||||||
perm: "500"
|
perm: "500"
|
||||||
|
# {% if security.tls.enabled %}
|
||||||
|
ca_cert_client:
|
||||||
|
path: /etc/glance/certs/ca-cert.pem
|
||||||
|
content: ca-cert.pem.j2
|
||||||
|
upstreams:
|
||||||
|
path: /etc/nginx/conf.d/upstreams.conf
|
||||||
|
content: upstreams.conf.j2
|
||||||
|
perm: "0400"
|
||||||
|
servers:
|
||||||
|
path: /etc/nginx/conf.d/servers.conf
|
||||||
|
content: nginx-api.conf.j2
|
||||||
|
perm: "0400"
|
||||||
|
server-cert:
|
||||||
|
path: /etc/nginx/ssl/certs/server-cert.pem
|
||||||
|
content: server-cert.pem.j2
|
||||||
|
perm: "0400"
|
||||||
|
server-key:
|
||||||
|
path: /etc/nginx/ssl/private/server-key.pem
|
||||||
|
content: server-key.pem.j2
|
||||||
|
perm: "0400"
|
||||||
|
# {% endif %}
|
||||||
|
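Review bot: The nginx sidecar block (`- name: nginx` through `command: nginx`) and the five TLS file entries under `files:` are duplicated verbatim between this service definition and the glance-registry one at the end of the page, which differ only in `content: nginx-api.conf.j2` versus `content: nginx-registry.conf.j2`; if the service format supports an include or a shared fragment, factoring them out would keep the two from drifting. `ca_cert_client:` is the one new entry with no `perm:` while every other new file sets `"0400"`; the CA certificate is public so a readable mode is correct, but stating it, e.g. `perm: "0444"`, documents that the omission is intentional rather than an oversight. The `# {% if security.tls.enabled %}` guards around the sidecar rely on the comment-style Jinja markers already used for the ceph block, so that convention appears consistent.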
@ -13,11 +13,46 @@ service:
|
|||||||
daemon:
|
daemon:
|
||||||
files:
|
files:
|
||||||
- glance-registry-conf
|
- glance-registry-conf
|
||||||
|
# {% if security.tls.enabled %}
|
||||||
|
- ca_cert_client
|
||||||
|
# {% endif %}
|
||||||
dependencies:
|
dependencies:
|
||||||
- glance-api
|
- glance-api
|
||||||
command: glance-registry
|
command: glance-registry
|
||||||
|
# {% if security.tls.enabled %}
|
||||||
|
- name: nginx
|
||||||
|
image: nginx
|
||||||
|
daemon:
|
||||||
|
files:
|
||||||
|
- upstreams
|
||||||
|
- servers
|
||||||
|
- server-cert
|
||||||
|
- server-key
|
||||||
|
command: nginx
|
||||||
|
# {% endif %}
|
||||||
|
|
||||||
files:
|
files:
|
||||||
glance-registry-conf:
|
glance-registry-conf:
|
||||||
path: /etc/glance/glance-registry.conf
|
path: /etc/glance/glance-registry.conf
|
||||||
content: glance-registry.conf.j2
|
content: glance-registry.conf.j2
|
||||||
|
# {% if security.tls.enabled %}
|
||||||
|
ca_cert_client:
|
||||||
|
path: /etc/glance/certs/ca-cert.pem
|
||||||
|
content: ca-cert.pem.j2
|
||||||
|
upstreams:
|
||||||
|
path: /etc/nginx/conf.d/upstreams.conf
|
||||||
|
content: upstreams.conf.j2
|
||||||
|
perm: "0400"
|
||||||
|
servers:
|
||||||
|
path: /etc/nginx/conf.d/servers.conf
|
||||||
|
content: nginx-registry.conf.j2
|
||||||
|
perm: "0400"
|
||||||
|
server-cert:
|
||||||
|
path: /etc/nginx/ssl/certs/server-cert.pem
|
||||||
|
content: server-cert.pem.j2
|
||||||
|
perm: "0400"
|
||||||
|
server-key:
|
||||||
|
path: /etc/nginx/ssl/private/server-key.pem
|
||||||
|
content: server-key.pem.j2
|
||||||
|
perm: "0400"
|
||||||
|
# {% endif %}
|
||||||
|