TLS support for Glance services
List of changes in the current patch: - Add files for certificates - Updated configuration files for services to use mapped ports and 'https' url scheme. Also ca_cert was provided for keystonemiddleware. - Updated bootstrap script to use 'https' scheme with insecure flag, when it create image in glance. - Update jobs for creation endpoints, now address function use 'tls' parameter. - Add files for nginx configurations. Change-Id: I7d34e18bf41308700f5f7d7a605cb372636fc412
This commit is contained in:
parent
6200b8743f
commit
9e562cc44f
|
@ -0,0 +1 @@
|
|||
{{ security.tls.ca_cert }}
|
|
@ -5,7 +5,12 @@ use_syslog = false
|
|||
use_stderr = true
|
||||
use_forwarded_for = true
|
||||
|
||||
{% if security.tls.enabled %}
|
||||
registry_client_protocol = https
|
||||
bind_host = 127.0.0.1
|
||||
{% else %}
|
||||
bind_host = {{ network_topology["private"]["address"] }}
|
||||
{% endif %}
|
||||
bind_port = {{ glance.api_port.cont }}
|
||||
|
||||
registry_host = glance-registry
|
||||
|
@ -22,6 +27,9 @@ max_retries = -1
|
|||
[keystone_authtoken]
|
||||
auth_uri = {{ address('keystone', keystone.public_port, with_scheme=True) }}
|
||||
auth_url = {{ address('keystone', keystone.admin_port, with_scheme=True) }}
|
||||
{% if security.tls.enabled %}
|
||||
cafile = /opt/ccp/etc/tls/ca.pem
|
||||
{% endif %}
|
||||
auth_type = password
|
||||
project_domain_id = default
|
||||
user_domain_id = default
|
||||
|
@ -71,3 +79,11 @@ driver = {{ searchlight.notification_driver }}
|
|||
{# rpc config is required for notifications in stable/mitaka #}
|
||||
{{ oslo_messaging[messaging.backend.rpc]('rpc_config') }}
|
||||
{{ oslo_messaging[messaging.backend.notifications]('notifications_config') }}
|
||||
|
||||
{% if security.tls.enabled %}
|
||||
[oslo_messaging_rabbit]
|
||||
rpc_backend = neutron.openstack.common.rpc.impl_kombu
|
||||
kombu_ssl_version="TLSv1_2"
|
||||
rabbit_use_ssl = true
|
||||
kombu_ssl_ca_certs = /opt/ccp/etc/tls/ca.pem
|
||||
{% endif %}
|
||||
|
|
|
@ -8,10 +8,10 @@ export OS_USER_DOMAIN_NAME=default
|
|||
export OS_PASSWORD={{ openstack.user_password }}
|
||||
export OS_USERNAME={{ openstack.user_name }}
|
||||
export OS_PROJECT_NAME={{ openstack.project_name }}
|
||||
export OS_AUTH_URL="http://{{ address('keystone', keystone.admin_port) }}/v3"
|
||||
export OS_AUTH_URL="{{ address('keystone', keystone.admin_port, with_scheme=True) }}/v3"
|
||||
|
||||
{% set image = glance.bootstrap.image %}
|
||||
FILE="$(mktemp)"
|
||||
curl {{ image.url }} -o "${FILE}"
|
||||
openstack image create --public --disk-format {{ image.disk_format }} --file "${FILE}" {{ image.name }}
|
||||
openstack image create --public --disk-format {{ image.disk_format }} --file "${FILE}" {{ image.name }} --insecure
|
||||
rm "${FILE}"
|
||||
|
|
|
@ -5,7 +5,11 @@ use_syslog = false
|
|||
use_stderr = true
|
||||
use_forwarded_for = true
|
||||
|
||||
{% if security.tls.enabled %}
|
||||
bind_host = 127.0.0.1
|
||||
{% else %}
|
||||
bind_host = {{ network_topology["private"]["address"] }}
|
||||
{% endif %}
|
||||
bind_port = {{ glance.registry_port.cont }}
|
||||
|
||||
[database]
|
||||
|
@ -15,6 +19,9 @@ max_retries = -1
|
|||
[keystone_authtoken]
|
||||
auth_uri = {{ address('keystone', keystone.public_port, with_scheme=True) }}
|
||||
auth_url = {{ address('keystone', keystone.admin_port, with_scheme=True) }}
|
||||
{% if security.tls.enabled %}
|
||||
cafile = /opt/ccp/etc/tls/ca.pem
|
||||
{% endif %}
|
||||
auth_type = password
|
||||
project_domain_id = default
|
||||
user_domain_id = default
|
||||
|
@ -34,3 +41,11 @@ driver = {{ searchlight.notification_driver }}
|
|||
{# rpc config is required for notifications in stable/mitaka #}
|
||||
{{ oslo_messaging[messaging.backend.rpc]('rpc_config') }}
|
||||
{{ oslo_messaging[messaging.backend.notifications]('notifications_config') }}
|
||||
|
||||
{% if security.tls.enabled %}
|
||||
[oslo_messaging_rabbit]
|
||||
rpc_backend = neutron.openstack.common.rpc.impl_kombu
|
||||
kombu_ssl_version="TLSv1_2"
|
||||
rabbit_use_ssl = true
|
||||
kombu_ssl_ca_certs = /opt/ccp/etc/tls/ca.pem
|
||||
{% endif %}
|
||||
|
|
|
@ -0,0 +1,20 @@
|
|||
server {
|
||||
listen {{ network_topology["private"]["address"] }}:{{ glance.api_port.cont }};
|
||||
ssl on;
|
||||
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
|
||||
ssl_session_cache shared:SSL:10m;
|
||||
ssl_ciphers {{ nginx.ciphers }};
|
||||
ssl_prefer_server_ciphers on;
|
||||
ssl_certificate /opt/ccp/etc/tls/server-cert.pem;
|
||||
ssl_certificate_key /opt/ccp/etc/tls/server-key.pem;
|
||||
# allows to upload images without being cut off at some low size
|
||||
client_max_body_size 0;
|
||||
|
||||
location / {
|
||||
proxy_pass http://glance_api;
|
||||
proxy_set_header Host $host:$server_port;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
}
|
||||
}
|
|
@ -0,0 +1,20 @@
|
|||
server {
|
||||
listen {{ network_topology["private"]["address"] }}:{{ glance.registry_port.cont }};
|
||||
ssl on;
|
||||
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
|
||||
ssl_session_cache shared:SSL:10m;
|
||||
ssl_ciphers {{ nginx.ciphers }};
|
||||
ssl_prefer_server_ciphers on;
|
||||
ssl_certificate /opt/ccp/etc/tls/server-cert.pem;
|
||||
ssl_certificate_key /opt/ccp/etc/tls/server-key.pem;
|
||||
# allows to upload images without being cut off at some low size
|
||||
client_max_body_size 0;
|
||||
|
||||
location / {
|
||||
proxy_pass http://glance_registry;
|
||||
proxy_set_header Host $host:$server_port;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
}
|
||||
}
|
|
@ -0,0 +1 @@
|
|||
{{ security.tls.server_cert }}
|
|
@ -0,0 +1 @@
|
|||
{{ security.tls.server_key }}
|
|
@ -0,0 +1,6 @@
|
|||
upstream glance_api {
|
||||
server 127.0.0.1:{{ glance.api_port.cont }};
|
||||
}
|
||||
upstream glance_registry {
|
||||
server 127.0.0.1:{{ glance.registry_port.cont }};
|
||||
}
|
|
@ -58,6 +58,9 @@ service:
|
|||
daemon:
|
||||
files:
|
||||
- glance-api
|
||||
# {% if security.tls.enabled %}
|
||||
- ca_cert
|
||||
# {% endif %}
|
||||
# {% if glance.ceph.enable %}
|
||||
- ceph-conf
|
||||
- glance-ceph-key
|
||||
|
@ -74,6 +77,17 @@ service:
|
|||
files:
|
||||
- glance-cirros-image-upload.sh
|
||||
# {% endif %}
|
||||
# {% if security.tls.enabled %}
|
||||
- name: nginx
|
||||
image: nginx
|
||||
daemon:
|
||||
files:
|
||||
- upstreams
|
||||
- servers
|
||||
- server-cert
|
||||
- server-key
|
||||
command: nginx
|
||||
# {% endif %}
|
||||
|
||||
files:
|
||||
glance-api:
|
||||
|
@ -92,3 +106,24 @@ files:
|
|||
path: /opt/ccp/bin/glance-cirros-image-upload.sh
|
||||
content: glance-cirros-image-upload.sh.j2
|
||||
perm: "500"
|
||||
# {% if security.tls.enabled %}
|
||||
servers:
|
||||
path: /etc/nginx/conf.d/servers.conf
|
||||
content: nginx-api.conf.j2
|
||||
perm: "0400"
|
||||
upstreams:
|
||||
path: /etc/nginx/conf.d/upstreams.conf
|
||||
content: upstreams.conf.j2
|
||||
perm: "0400"
|
||||
ca_cert:
|
||||
path: /opt/ccp/etc/tls/ca.pem
|
||||
content: ca-cert.pem.j2
|
||||
server-cert:
|
||||
path: /opt/ccp/etc/tls/server-cert.pem
|
||||
content: server-cert.pem.j2
|
||||
perm: "0400"
|
||||
server-key:
|
||||
path: /opt/ccp/etc/tls/server-key.pem
|
||||
content: server-key.pem.j2
|
||||
perm: "0400"
|
||||
# {% endif %}
|
||||
|
|
|
@ -13,11 +13,46 @@ service:
|
|||
daemon:
|
||||
files:
|
||||
- glance-registry-conf
|
||||
# {% if security.tls.enabled %}
|
||||
- ca_cert
|
||||
# {% endif %}
|
||||
dependencies:
|
||||
- glance-api
|
||||
command: glance-registry
|
||||
# {% if security.tls.enabled %}
|
||||
- name: nginx
|
||||
image: nginx
|
||||
daemon:
|
||||
files:
|
||||
- upstreams
|
||||
- servers
|
||||
- server-cert
|
||||
- server-key
|
||||
command: nginx
|
||||
# {% endif %}
|
||||
|
||||
files:
|
||||
glance-registry-conf:
|
||||
path: /etc/glance/glance-registry.conf
|
||||
content: glance-registry.conf.j2
|
||||
# {% if security.tls.enabled %}
|
||||
servers:
|
||||
path: /etc/nginx/conf.d/servers.conf
|
||||
content: nginx-registry.conf.j2
|
||||
perm: "0400"
|
||||
upstreams:
|
||||
path: /etc/nginx/conf.d/upstreams.conf
|
||||
content: upstreams.conf.j2
|
||||
perm: "0400"
|
||||
ca_cert:
|
||||
path: /opt/ccp/etc/tls/ca.pem
|
||||
content: ca-cert.pem.j2
|
||||
server-cert:
|
||||
path: /opt/ccp/etc/tls/server-cert.pem
|
||||
content: server-cert.pem.j2
|
||||
perm: "0400"
|
||||
server-key:
|
||||
path: /opt/ccp/etc/tls/server-key.pem
|
||||
content: server-key.pem.j2
|
||||
perm: "0400"
|
||||
# {% endif %}
|
||||
|
|
Loading…
Reference in New Issue