TLS support for Glance services

Change-Id: I7d34e18bf41308700f5f7d7a605cb372636fc412
2017-01-30 09:16:15 +00:00 · 2017-01-30 09:16:15 +00:00 · 7d867188d8
parent 6200b8743f
commit 7d867188d8
9 changed files with 132 additions and 7 deletions
--- a/service/files/ca-cert.pem.j2
+++ b/service/files/ca-cert.pem.j2
@ -0,0 +1 @@
+{{ security.tls.ca_cert }}
--- a/service/files/defaults.yaml
+++ b/service/files/defaults.yaml
@ -1,5 +1,8 @@
 configs:
  glance:
+    tls:
+      api_port: 9334
+      registry_port: 9233
    api_port:
      cont: 9292
      ingress: image
--- a/service/files/glance-api.conf.j2
+++ b/service/files/glance-api.conf.j2
@ -5,8 +5,15 @@ use_syslog = false
 use_stderr = true
 use_forwarded_for = true

+{% if security.tls.enabled %}
+registry_client_protocol = https
+bind_host = 127.0.0.1
+bind_port = {{ glance.tls.api_port }}
+#http_proxy_information = 127.0.0.1:{{ glance.api_port.cont }}
+{% else %}
 bind_host = {{ network_topology["private"]["address"] }}
 bind_port = {{ glance.api_port.cont }}
+{% endif %}

 registry_host = glance-registry
 {% if glance.ceph.enable %}
@ -20,8 +27,8 @@ connection = mysql+pymysql://{{ glance.db.username }}:{{ glance.db.password }}@{
 max_retries = -1

 [keystone_authtoken]
-auth_uri = {{ address('keystone', keystone.public_port, with_scheme=True) }}
-auth_url = {{ address('keystone', keystone.admin_port, with_scheme=True) }}
+auth_uri = {{ address('keystone', keystone.public_port, with_scheme=True, tls=True) }}
+auth_url = {{ address('keystone', keystone.admin_port, with_scheme=True, tls=True) }}
 auth_type = password
 project_domain_id = default
 user_domain_id = default
--- a/service/files/glance-registry.conf.j2
+++ b/service/files/glance-registry.conf.j2
@ -5,16 +5,22 @@ use_syslog = false
 use_stderr = true
 use_forwarded_for = true

+{% if security.tls.enabled %}
+bind_host = 127.0.0.1
+bind_port = {{ glance.tls.registry_port }}
+#http_proxy_information = 127.0.0.1:{{ glance.api_port.cont }}
+{% else %}
 bind_host = {{ network_topology["private"]["address"] }}
 bind_port = {{ glance.registry_port.cont }}
+{% endif %}

 [database]
 connection = mysql+pymysql://{{ glance.db.username }}:{{ glance.db.password }}@{{ address(service.database) }}/{{ glance.db.name }}
 max_retries = -1

 [keystone_authtoken]
-auth_uri = {{ address('keystone', keystone.public_port, with_scheme=True) }}
-auth_url = {{ address('keystone', keystone.admin_port, with_scheme=True) }}
+auth_uri = {{ address('keystone', keystone.public_port, with_scheme=True, tls=True) }}
+auth_url = {{ address('keystone', keystone.admin_port, with_scheme=True, tls=True) }}
 auth_type = password
 project_domain_id = default
 user_domain_id = default
--- a/service/files/nginx.conf.j2
+++ b/service/files/nginx.conf.j2
@ -0,0 +1,48 @@
+{% if security.tls.enabled %}
+daemon off;
+
+events {
+}
+
+http {
+   upstream glance_api {
+       server 127.0.0.1:{{ glance.tls.api_port }};
+   }
+   upstream glance_registry {
+       server 127.0.0.1:{{ glance.tls.registry_port }};
+   }
+
+
+   server {
+           listen {{ glance.api_port.cont }};
+           ssl on;
+           ssl_certificate /etc/nginx/ssl/certs/server-cert.pem;
+           ssl_certificate_key /etc/nginx/ssl/private/server-key.pem;
+           ssl_trusted_certificate /etc/nginx/ssl/certs/ca-cert.pem;
+
+           location / {
+                   proxy_pass http://glance_api;
+                   proxy_set_header Host $host:$server_port;
+                   proxy_set_header X-Real-IP $remote_addr;
+                   proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+                   proxy_set_header X-Forwarded-Proto $scheme;
+           }
+   }
+   server {
+           listen {{ glance.registry_port.cont }};
+           ssl on;
+           ssl_certificate /etc/nginx/ssl/certs/server-cert.pem;
+           ssl_certificate_key /etc/nginx/ssl/private/server-key.pem;
+           ssl_trusted_certificate /etc/nginx/ssl/certs/ca-cert.pem;
+
+           location / {
+                   proxy_pass http://glance_registry;
+                   proxy_set_header Host $host:$server_port;
+                   proxy_set_header X-Real-IP $remote_addr;
+                   proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+                   proxy_set_header X-Forwarded-Proto $scheme;
+           }
+   }
+
+}
+{% endif %}
--- a/service/files/server-cert.pem.j2
+++ b/service/files/server-cert.pem.j2
@ -0,0 +1 @@
+{{ security.tls.server_cert }}
--- a/service/files/server-key.pem.j2
+++ b/service/files/server-key.pem.j2
@ -0,0 +1 @@
+{{ security.tls.server_key }}
--- a/service/glance-api.yaml
+++ b/service/glance-api.yaml
@ -44,17 +44,17 @@ service:
          dependencies:
            - glance-service-create
          type: single
-          command: openstack endpoint create --region RegionOne image public {{ address('glance-api', glance.api_port, external=True, with_scheme=True) }}
+          command: openstack endpoint create --region RegionOne image public {{ address('glance-api', glance.api_port, external=True, with_scheme=True, tls=True) }}
        - name: glance-internal-endpoint-create
          dependencies:
            - glance-service-create
          type: single
-          command: openstack endpoint create --region RegionOne image internal {{ address('glance-api', glance.api_port, with_scheme=True) }}
+          command: openstack endpoint create --region RegionOne image internal {{ address('glance-api', glance.api_port, with_scheme=True, tls=True) }}
        - name: glance-admin-endpoint-create
          dependencies:
            - glance-service-create
          type: single
-          command: openstack endpoint create --region RegionOne image admin {{ address('glance-api', glance.api_port, with_scheme=True) }}
+          command: openstack endpoint create --region RegionOne image admin {{ address('glance-api', glance.api_port, with_scheme=True, tls=True) }}
      daemon:
        files:
          - glance-api
@ -74,6 +74,17 @@ service:
          files:
            - glance-cirros-image-upload.sh
      # {% endif %}
+    # {% if security.tls.enabled %}
+    - name: nginx
+      image: nginx
+      daemon:
+        files:
+          - nginx
+          - ca_cert
+          - server-cert
+          - server-key
+        command: nginx
+    # {% endif %}

 files:
  glance-api:
@ -92,3 +103,21 @@ files:
    path: /opt/ccp/bin/glance-cirros-image-upload.sh
    content: glance-cirros-image-upload.sh.j2
    perm: "500"
+  # {% if security.tls.enabled %}
+  nginx:
+    path: /etc/nginx/nginx.conf
+    content: nginx.conf.j2
+    perm: "0400"
+  ca_cert:
+    path: /etc/nginx/ssl/certs/ca-cert.pem
+    content: ca-cert.pem.j2
+    perm: "0400"
+  server-cert:
+    path: /etc/nginx/ssl/certs/server-cert.pem
+    content: server-cert.pem.j2
+    perm: "0400"
+  server-key:
+    path: /etc/nginx/ssl/private/server-key.pem
+    content: server-key.pem.j2
+    perm: "0400"
+  # {% endif %}
--- a/service/glance-registry.yaml
+++ b/service/glance-registry.yaml
@ -16,8 +16,37 @@ service:
        dependencies:
          - glance-api
        command: glance-registry
+    # {% if security.tls.enabled %}
+    - name: nginx
+      image: nginx
+      daemon:
+        files:
+          - nginx
+          - ca_cert
+          - server-cert
+          - server-key
+        command: nginx
+    # {% endif %}

 files:
  glance-registry-conf:
    path: /etc/glance/glance-registry.conf
    content: glance-registry.conf.j2
+  # {% if security.tls.enabled %}
+  nginx:
+    path: /etc/nginx/nginx.conf
+    content: nginx.conf.j2
+    perm: "0400"
+  ca_cert:
+    path: /etc/nginx/ssl/certs/ca-cert.pem
+    content: ca-cert.pem.j2
+    perm: "0400"
+  server-cert:
+    path: /etc/nginx/ssl/certs/server-cert.pem
+    content: server-cert.pem.j2
+    perm: "0400"
+  server-key:
+    path: /etc/nginx/ssl/private/server-key.pem
+    content: server-key.pem.j2
+    perm: "0400"
+  # {% endif %}