TLS support for Glance services
Change-Id: I7d34e18bf41308700f5f7d7a605cb372636fc412
parent
6200b8743f
commit
7d867188d8
|
@ -0,0 +1 @@
|
|||
{{ security.tls.ca_cert }}
|
|
@ -1,5 +1,8 @@
|
|||
configs:
|
||||
glance:
|
||||
tls:
|
||||
api_port: 9334
|
||||
registry_port: 9233
|
||||
api_port:
|
||||
cont: 9292
|
||||
ingress: image
|
||||
|
|
|
@ -5,8 +5,15 @@ use_syslog = false
|
|||
use_stderr = true
|
||||
use_forwarded_for = true
|
||||
|
||||
{% if security.tls.enabled %}
|
||||
registry_client_protocol = https
|
||||
bind_host = 127.0.0.1
|
||||
bind_port = {{ glance.tls.api_port }}
|
||||
#http_proxy_information = 127.0.0.1:{{ glance.api_port.cont }}
|
||||
{% else %}
|
||||
bind_host = {{ network_topology["private"]["address"] }}
|
||||
bind_port = {{ glance.api_port.cont }}
|
||||
{% endif %}
|
||||
|
||||
registry_host = glance-registry
|
||||
{% if glance.ceph.enable %}
|
||||
|
@ -20,8 +27,8 @@ connection = mysql+pymysql://{{ glance.db.username }}:{{ glance.db.password }}@{
|
|||
max_retries = -1
|
||||
|
||||
[keystone_authtoken]
|
||||
auth_uri = {{ address('keystone', keystone.public_port, with_scheme=True) }}
|
||||
auth_url = {{ address('keystone', keystone.admin_port, with_scheme=True) }}
|
||||
auth_uri = {{ address('keystone', keystone.public_port, with_scheme=True, tls=True) }}
|
||||
auth_url = {{ address('keystone', keystone.admin_port, with_scheme=True, tls=True) }}
|
||||
auth_type = password
|
||||
project_domain_id = default
|
||||
user_domain_id = default
|
||||
|
|
|
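Review bot: `registry_client_protocol = https` in the first hunk switches the registry calls to TLS, but no `registry_client_ca_file` is set, so validation of the registry sidecar's certificate falls back to whatever CA bundle the glance-api container happens to ship; if the deployment CA is not in it, the calls fail and the tempting workaround is `registry_client_insecure = true`. Add `registry_client_ca_file = /etc/glance/ssl/ca-cert.pem` in the same `{% if security.tls.enabled %}` branch and render `ca-cert.pem.j2` into the glance-api container as well — as far as this commit shows, only the nginx sidecar receives it. The same applies to `[keystone_authtoken]` in the second hunk: with `tls=True` on `auth_uri`/`auth_url`, set `cafile = /etc/glance/ssl/ca-cert.pem` so keystonemiddleware verifies keystone against the deployment CA rather than the system bundle. The commented `#http_proxy_information` line is dead and can be dropped.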
@ -5,16 +5,22 @@ use_syslog = false
|
|||
use_stderr = true
|
||||
use_forwarded_for = true
|
||||
|
||||
{% if security.tls.enabled %}
|
||||
bind_host = 127.0.0.1
|
||||
bind_port = {{ glance.tls.registry_port }}
|
||||
#http_proxy_information = 127.0.0.1:{{ glance.api_port.cont }}
|
||||
{% else %}
|
||||
bind_host = {{ network_topology["private"]["address"] }}
|
||||
bind_port = {{ glance.registry_port.cont }}
|
||||
{% endif %}
|
||||
|
||||
[database]
|
||||
connection = mysql+pymysql://{{ glance.db.username }}:{{ glance.db.password }}@{{ address(service.database) }}/{{ glance.db.name }}
|
||||
max_retries = -1
|
||||
|
||||
[keystone_authtoken]
|
||||
auth_uri = {{ address('keystone', keystone.public_port, with_scheme=True) }}
|
||||
auth_url = {{ address('keystone', keystone.admin_port, with_scheme=True) }}
|
||||
auth_uri = {{ address('keystone', keystone.public_port, with_scheme=True, tls=True) }}
|
||||
auth_url = {{ address('keystone', keystone.admin_port, with_scheme=True, tls=True) }}
|
||||
auth_type = password
|
||||
project_domain_id = default
|
||||
user_domain_id = default
|
||||
|
|
|
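Review bot: `[keystone_authtoken]` now points at keystone over TLS (`tls=True`) but sets no `cafile`, so certificate verification depends on the container's default CA bundle containing the deployment CA; add `cafile = /etc/glance/ssl/ca-cert.pem` inside a `{% if security.tls.enabled %}` guard and render `ca-cert.pem.j2` into this container. The commented `#http_proxy_information = 127.0.0.1:{{ glance.api_port.cont }}` line looks copied from the API config — it references the API port in the registry config — and should be removed rather than left as a misleading hint. Binding to `127.0.0.1` under TLS is correct only because the nginx sidecar shares the network namespace; a one-line comment saying so, e.g. `# reachable only via the nginx TLS sidecar in the same pod`, would save the next reader a trip to the service definition.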
@ -0,0 +1,48 @@
|
|||
{% if security.tls.enabled %}
|
||||
daemon off;
|
||||
|
||||
events {
|
||||
}
|
||||
|
||||
http {
|
||||
upstream glance_api {
|
||||
server 127.0.0.1:{{ glance.tls.api_port }};
|
||||
}
|
||||
upstream glance_registry {
|
||||
server 127.0.0.1:{{ glance.tls.registry_port }};
|
||||
}
|
||||
|
||||
|
||||
server {
|
||||
listen {{ glance.api_port.cont }};
|
||||
ssl on;
|
||||
ssl_certificate /etc/nginx/ssl/certs/server-cert.pem;
|
||||
ssl_certificate_key /etc/nginx/ssl/private/server-key.pem;
|
||||
ssl_trusted_certificate /etc/nginx/ssl/certs/ca-cert.pem;
|
||||
|
||||
location / {
|
||||
proxy_pass http://glance_api;
|
||||
proxy_set_header Host $host:$server_port;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
}
|
||||
}
|
||||
server {
|
||||
listen {{ glance.registry_port.cont }};
|
||||
ssl on;
|
||||
ssl_certificate /etc/nginx/ssl/certs/server-cert.pem;
|
||||
ssl_certificate_key /etc/nginx/ssl/private/server-key.pem;
|
||||
ssl_trusted_certificate /etc/nginx/ssl/certs/ca-cert.pem;
|
||||
|
||||
location / {
|
||||
proxy_pass http://glance_registry;
|
||||
proxy_set_header Host $host:$server_port;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
}
|
||||
}
|
||||
|
||||
}
|
||||
{% endif %}
|
|
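Review bot: Both `server` blocks enable `ssl on;` without pinning `ssl_protocols` or ciphers, so the accepted protocol set is whatever the unpinned `nginx` image's build defaults to, which on older builds includes TLSv1.0/1.1. Add, once in the `http {}` block, `ssl_protocols TLSv1.2 TLSv1.3;` (drop TLSv1.3 if the image's OpenSSL predates 1.1.1), `ssl_prefer_server_ciphers on;` and an explicit `ssl_ciphers` list. `ssl_trusted_certificate` has no effect as written — it only matters with `ssl_stapling on` or `ssl_verify_client` — so either enable one of those or remove it to avoid implying client-certificate checks that do not happen. Unrelated to TLS but fatal for this proxy: nginx's default `client_max_body_size` is 1m, so image uploads through `location /` will be rejected with 413 unless `client_max_body_size 0;` (or a sized limit) is set in `http {}`.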
@ -0,0 +1 @@
|
|||
{{ security.tls.server_cert }}
|
|
@ -0,0 +1 @@
|
|||
{{ security.tls.server_key }}
|
|
@ -44,17 +44,17 @@ service:
|
|||
dependencies:
|
||||
- glance-service-create
|
||||
type: single
|
||||
command: openstack endpoint create --region RegionOne image public {{ address('glance-api', glance.api_port, external=True, with_scheme=True) }}
|
||||
command: openstack endpoint create --region RegionOne image public {{ address('glance-api', glance.api_port, external=True, with_scheme=True, tls=True) }}
|
||||
- name: glance-internal-endpoint-create
|
||||
dependencies:
|
||||
- glance-service-create
|
||||
type: single
|
||||
command: openstack endpoint create --region RegionOne image internal {{ address('glance-api', glance.api_port, with_scheme=True) }}
|
||||
command: openstack endpoint create --region RegionOne image internal {{ address('glance-api', glance.api_port, with_scheme=True, tls=True) }}
|
||||
- name: glance-admin-endpoint-create
|
||||
dependencies:
|
||||
- glance-service-create
|
||||
type: single
|
||||
command: openstack endpoint create --region RegionOne image admin {{ address('glance-api', glance.api_port, with_scheme=True) }}
|
||||
command: openstack endpoint create --region RegionOne image admin {{ address('glance-api', glance.api_port, with_scheme=True, tls=True) }}
|
||||
daemon:
|
||||
files:
|
||||
- glance-api
|
||||
|
@ -74,6 +74,17 @@ service:
|
|||
files:
|
||||
- glance-cirros-image-upload.sh
|
||||
# {% endif %}
|
||||
# {% if security.tls.enabled %}
|
||||
- name: nginx
|
||||
image: nginx
|
||||
daemon:
|
||||
files:
|
||||
- nginx
|
||||
- ca_cert
|
||||
- server-cert
|
||||
- server-key
|
||||
command: nginx
|
||||
# {% endif %}
|
||||
|
||||
files:
|
||||
glance-api:
|
||||
|
@ -92,3 +103,21 @@ files:
|
|||
path: /opt/ccp/bin/glance-cirros-image-upload.sh
|
||||
content: glance-cirros-image-upload.sh.j2
|
||||
perm: "500"
|
||||
# {% if security.tls.enabled %}
|
||||
nginx:
|
||||
path: /etc/nginx/nginx.conf
|
||||
content: nginx.conf.j2
|
||||
perm: "0400"
|
||||
ca_cert:
|
||||
path: /etc/nginx/ssl/certs/ca-cert.pem
|
||||
content: ca-cert.pem.j2
|
||||
perm: "0400"
|
||||
server-cert:
|
||||
path: /etc/nginx/ssl/certs/server-cert.pem
|
||||
content: server-cert.pem.j2
|
||||
perm: "0400"
|
||||
server-key:
|
||||
path: /etc/nginx/ssl/private/server-key.pem
|
||||
content: server-key.pem.j2
|
||||
perm: "0400"
|
||||
# {% endif %}
|
||||
|
|
|
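Review bot: The new `nginx` sidecar in the second hunk uses `image: nginx` with no tag or digest, so the TLS terminator (and its default protocol/cipher set) changes silently with every `latest` pull; pin it, e.g. `image: nginx:<version>` or an `@sha256:` digest, like a supply-chain-sensitive component should be. In the third hunk `server-key.pem.j2` renders `security.tls.server_key` into a `0400` file, which is right for the container, but the same value presumably lives in whatever config store feeds these templates, so access to that store should be restricted to the same audience as the key — worth a note in the service docs. The `endpoint create` commands in the first hunk now register `https` URLs unconditionally via `tls=True`; confirm `address()` only emits `https` when `security.tls.enabled` is true, otherwise the non-TLS deployment registers unreachable endpoints.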
@ -16,8 +16,37 @@ service:
|
|||
dependencies:
|
||||
- glance-api
|
||||
command: glance-registry
|
||||
# {% if security.tls.enabled %}
|
||||
- name: nginx
|
||||
image: nginx
|
||||
daemon:
|
||||
files:
|
||||
- nginx
|
||||
- ca_cert
|
||||
- server-cert
|
||||
- server-key
|
||||
command: nginx
|
||||
# {% endif %}
|
||||
|
||||
files:
|
||||
glance-registry-conf:
|
||||
path: /etc/glance/glance-registry.conf
|
||||
content: glance-registry.conf.j2
|
||||
# {% if security.tls.enabled %}
|
||||
nginx:
|
||||
path: /etc/nginx/nginx.conf
|
||||
content: nginx.conf.j2
|
||||
perm: "0400"
|
||||
ca_cert:
|
||||
path: /etc/nginx/ssl/certs/ca-cert.pem
|
||||
content: ca-cert.pem.j2
|
||||
perm: "0400"
|
||||
server-cert:
|
||||
path: /etc/nginx/ssl/certs/server-cert.pem
|
||||
content: server-cert.pem.j2
|
||||
perm: "0400"
|
||||
server-key:
|
||||
path: /etc/nginx/ssl/private/server-key.pem
|
||||
content: server-key.pem.j2
|
||||
perm: "0400"
|
||||
# {% endif %}
|
||||
|
|
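Review bot: The registry sidecar presents the same `server-cert.pem.j2` as the API sidecar, yet glance-api reaches it as `registry_host = glance-registry` while clients reach the API by whatever `address('glance-api', …)` resolves to, so a single `security.tls.server_cert` only works if its SAN list covers both names — the certificate is not visible here, so please document that requirement next to `security.tls.server_cert` or issue per-service certificates. `image: nginx` is unpinned here as well and should carry a tag or digest. Since the registry is internal-only, consider noting that exposing `registry_port.cont` over TLS does not restrict who can connect; the nginx `server` block could additionally `ssl_verify_client on` against `ca-cert.pem` if glance-api is given a client certificate.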