
TLS support for Glance services

List of changes in the current patch:
- Add files for certificates
- Updated configuration files for services to use mapped ports and
  'https' url scheme. Also ca_cert was provided for keystonemiddleware.
- Updated bootstrap script to use 'https' scheme with insecure flag
  when it creates an image in glance.
- Updated jobs for endpoint creation; the address function now uses the 'tls'
  parameter.
- Add files for nginx configurations.

Change-Id: I7d34e18bf41308700f5f7d7a605cb372636fc412
Sergey Kraynev 2 years ago
parent
commit
b368e4833e

+ 1
- 0
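--- a/service/files/ca-cert.pem.j2
+++ b/service/files/ca-cert.pem.j2
@@ -0,0 +1 @@
+{{ security.tls.ca_cert }}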

+ 2
- 0
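--- a/service/files/defaults.yaml
+++ b/service/files/defaults.yaml
@@ -1,5 +1,7 @@
 configs:
   glance:
+    tls:
+      enabled: true
     api_port:
       cont: 9292
       ingress: image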

+ 6
- 0
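--- a/service/files/glance-api.conf.j2
+++ b/service/files/glance-api.conf.j2
@@ -5,7 +5,13 @@ use_syslog = false
 use_stderr = true
 use_forwarded_for = true
 
+{% if glance.tls.enabled %}
+registry_client_protocol = https
+registry_client_ca_file = /opt/ccp/etc/tls/ca.pem
+bind_host = 127.0.0.1
+{% else %}
 bind_host = {{ network_topology["private"]["address"] }}
+{% endif %}
 bind_port = {{ glance.api_port.cont }}
 
 registry_host = glance-registry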
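Review bot: The keystonemiddleware CA mentioned in the description does not appear in this hunk — only `registry_client_ca_file` is added, and no `[keystone_authtoken]` `cafile` line appears anywhere else in the diff, so token validation against an https Keystone presumably still relies on a shared snippet or the container's system CA bundle; worth confirming before TLS defaults to enabled. The https registry client also depends on the certificate behind `security.tls.server_cert` being valid for the unchanged `registry_host = glance-registry`, since `registry_client_insecure` is (correctly) not set and a name mismatch will fail verification rather than fall back. A short comment above the `{% if %}` block, e.g. `# TLS is terminated by the nginx container: bind to loopback and reach the registry over https`, would record that intent; glance-registry.conf.j2 applies the same loopback pattern.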

+ 2
- 1
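--- a/service/files/glance-cirros-image-upload.sh.j2
+++ b/service/files/glance-cirros-image-upload.sh.j2
@@ -8,7 +8,8 @@ export OS_USER_DOMAIN_NAME=default
 export OS_PASSWORD={{ openstack.user_password }}
 export OS_USERNAME={{ openstack.user_name }}
 export OS_PROJECT_NAME={{ openstack.project_name }}
-export OS_AUTH_URL="http://{{ address('keystone', keystone.admin_port) }}/v3"
+export OS_AUTH_URL="{{ address('keystone', keystone.admin_port, with_scheme=True) }}/v3"
+export OS_CACERT="/opt/ccp/etc/tls/ca.pem"
 
 {% set image = glance.bootstrap.image %}
 FILE="$(mktemp)"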
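Review bot: `OS_CACERT` is exported unconditionally, but the file it names is only rendered when `glance.tls.enabled` is set (the `ca_cert` entry in glance-api.yaml sits inside that `{% if %}`), and the bootstrap job's own `files:` list in that yaml still contains only this script — so unless the job runs in a container that already mounts `/opt/ccp/etc/tls/ca.pem`, the client has nothing to verify an https Keystone against. Guard the export the same way, `{% if glance.tls.enabled %}` / `export OS_CACERT="/opt/ccp/etc/tls/ca.pem"` / `{% endif %}`, and add `ca_cert` to the file list of whichever container runs the job. Whether `address(..., with_scheme=True)` yields `http://` when TLS is disabled is not visible here and should be confirmed. Note that the description still speaks of an insecure flag, whereas the change correctly verifies via OS_CACERT instead.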

+ 4
- 0
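--- a/service/files/glance-registry.conf.j2
+++ b/service/files/glance-registry.conf.j2
@@ -5,7 +5,11 @@ use_syslog = false
 use_stderr = true
 use_forwarded_for = true
 
+{% if glance.tls.enabled %}
+bind_host = 127.0.0.1
+{% else %}
 bind_host = {{ network_topology["private"]["address"] }}
+{% endif %}
 bind_port = {{ glance.registry_port.cont }}
 
 [database]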

+ 11
- 0
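--- a/service/files/nginx-api.conf.j2
+++ b/service/files/nginx-api.conf.j2
@@ -0,0 +1,11 @@
+server {
+    listen {{ network_topology["private"]["address"] }}:{{ glance.api_port.cont }} ssl;
+    include common/ssl.conf;
+    # allows to upload images without being cut off at some low size
+    client_max_body_size 0;
+
+    location / {
+        proxy_pass http://glance_api;
+        include common/proxy-headers.conf;
+    }
+}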
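Review bot: `client_max_body_size 0` removes the proxy-side upload limit entirely, so the only bound on a request body to the image endpoint is whatever Glance itself enforces (presumably `image_size_cap` and user quotas, neither visible in this diff); that is a reasonable choice for an image service but should be stated, e.g. `# no proxy limit: Glance's image_size_cap / quotas are the effective upload bound`. All TLS parameters and the certificate paths come from `common/ssl.conf`, which is not part of this commit, so the `/opt/ccp/etc/tls/server-cert.pem` and `server-key.pem` paths mounted by the service yaml must match what that include references. nginx-registry.conf.j2 is identical apart from the upstream name and port and shares both points.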

+ 11
- 0
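--- a/service/files/nginx-registry.conf.j2
+++ b/service/files/nginx-registry.conf.j2
@@ -0,0 +1,11 @@
+server {
+    listen {{ network_topology["private"]["address"] }}:{{ glance.registry_port.cont }} ssl;
+    include common/ssl.conf;
+    # allows to upload images without being cut off at some low size
+    client_max_body_size 0;
+
+    location / {
+        proxy_pass http://glance_registry;
+        include common/proxy-headers.conf;
+    }
+}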

+ 1
- 0
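--- a/service/files/server-cert.pem.j2
+++ b/service/files/server-cert.pem.j2
@@ -0,0 +1 @@
+{{ security.tls.server_cert }}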

+ 1
- 0
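--- a/service/files/server-key.pem.j2
+++ b/service/files/server-key.pem.j2
@@ -0,0 +1 @@
+{{ security.tls.server_key }}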

+ 6
- 0
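--- a/service/files/upstreams.conf.j2
+++ b/service/files/upstreams.conf.j2
@@ -0,0 +1,6 @@
+upstream glance_api {
+    server 127.0.0.1:{{ glance.api_port.cont }};
+}
+upstream glance_registry {
+    server 127.0.0.1:{{ glance.registry_port.cont }};
+}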
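Review bot: Both upstreams point at 127.0.0.1, which only reaches the Glance process if the nginx container shares a network namespace with it — the api and registry templates now bind to 127.0.0.1 when TLS is enabled, and that coupling is not stated anywhere in the diff. A comment such as `# loopback: nginx must run in the same network namespace (pod) as the glance process` would capture the requirement. Each nginx container also receives both upstreams although only one of them has a listener in its pod; nginx tolerates an unreferenced upstream, but splitting the file per service, or rendering only the relevant block, would avoid a definition that resolves to nothing.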

+ 35
- 0
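--- a/service/glance-api.yaml
+++ b/service/glance-api.yaml
@@ -61,6 +61,9 @@ service:
       daemon:
         files:
           - glance-api
+          # {% if glance.tls.enabled %}
+          - ca_cert
+          # {% endif %}
           # {% if glance.ceph.enable %}
           - ceph-conf
           - glance-ceph-key
@@ -79,6 +82,17 @@ service:
           files:
             - glance-cirros-image-upload.sh
       # {% endif %}
+    # {% if glance.tls.enabled %}
+    - name: nginx-glance-api
+      image: nginx
+      daemon:
+        files:
+          - upstreams
+          - servers
+          - server-cert
+          - server-key
+        command: nginx
+    # {% endif %}
 
 files:
   glance-api:
@@ -97,3 +111,24 @@ files:
     path: /opt/ccp/bin/glance-cirros-image-upload.sh
     content: glance-cirros-image-upload.sh.j2
     perm: "500"
+  # {% if glance.tls.enabled %}
+  servers:
+    path: /etc/nginx/conf.d/servers.conf
+    content: nginx-api.conf.j2
+    perm: "0400"
+  upstreams:
+    path: /etc/nginx/conf.d/upstreams.conf
+    content: upstreams.conf.j2
+    perm: "0400"
+  ca_cert:
+    path: /opt/ccp/etc/tls/ca.pem
+    content: ca-cert.pem.j2
+  server-cert:
+    path: /opt/ccp/etc/tls/server-cert.pem
+    content: server-cert.pem.j2
+    perm: "0400"
+  server-key:
+    path: /opt/ccp/etc/tls/server-key.pem
+    content: server-key.pem.j2
+    perm: "0400"
+  # {% endif %}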
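Review bot: In the third hunk the new file entries are inconsistent with each other: `ca_cert` uses snake_case while `server-cert`/`server-key` use kebab-case, and `ca_cert` is the only TLS file without a `perm:`; the CA certificate is public so the missing mode is not a risk, but an explicit `perm: "0444"` or a comment `# public CA bundle, default mode is intentional` would make that deliberate. In the second hunk the `nginx-glance-api` container mounts only `servers`, `upstreams`, `server-cert` and `server-key`, while its server config includes `common/ssl.conf` and `common/proxy-headers.conf`, which are presumably baked into the `nginx` image — a one-line comment on the container saying so would save the next reader the search. glance-registry.yaml carries the same entries and shares both points.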

+ 35
- 0
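--- a/service/glance-registry.yaml
+++ b/service/glance-registry.yaml
@@ -13,11 +13,46 @@ service:
       daemon:
         files:
           - glance-registry-conf
+          # {% if glance.tls.enabled %}
+          - ca_cert
+          # {% endif %}
         dependencies:
           - glance-api
         command: glance-registry
+    # {% if glance.tls.enabled %}
+    - name: nginx-glance-registry
+      image: nginx
+      daemon:
+        files:
+          - upstreams
+          - servers
+          - server-cert
+          - server-key
+        command: nginx
+    # {% endif %}
 
 files:
   glance-registry-conf:
     path: /etc/glance/glance-registry.conf
     content: glance-registry.conf.j2
+  # {% if glance.tls.enabled %}
+  servers:
+    path: /etc/nginx/conf.d/servers.conf
+    content: nginx-registry.conf.j2
+    perm: "0400"
+  upstreams:
+    path: /etc/nginx/conf.d/upstreams.conf
+    content: upstreams.conf.j2
+    perm: "0400"
+  ca_cert:
+    path: /opt/ccp/etc/tls/ca.pem
+    content: ca-cert.pem.j2
+  server-cert:
+    path: /opt/ccp/etc/tls/server-cert.pem
+    content: server-cert.pem.j2
+    perm: "0400"
+  server-key:
+    path: /opt/ccp/etc/tls/server-key.pem
+    content: server-key.pem.j2
+    perm: "0400"
+  # {% endif %}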
