Add TLS support for Heat component
Change-Id: Ifbfe3d0fa85d3a7f28586d3b82e309f49698479f
This commit is contained in:
parent
1f528ff41b
commit
35356f52a2
@ -1,5 +1,7 @@
|
|||||||
configs:
|
configs:
|
||||||
heat:
|
heat:
|
||||||
|
tls:
|
||||||
|
enabled: true
|
||||||
api_port:
|
api_port:
|
||||||
cont: 8004
|
cont: 8004
|
||||||
ingress: orchestration
|
ingress: orchestration
|
||||||
|
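Review bot: `tls: enabled: true` switches on the nginx TLS sidecars for every deployment, but the material they need comes from `security.tls.server_cert` and `security.tls.server_key` (rendered by the new `server-cert.pem.j2` / `server-key.pem.j2`), which this defaults file does not provide; unless the global security defaults guarantee those values, a deployment that never set them will presumably fail at nginx startup rather than fall back to plaintext. A comment above the key documenting that dependency, e.g. `# Requires security.tls.server_cert/server_key and the CA at /opt/ccp/etc/tls/ca.pem to be populated`, would make the secure-by-default choice explicit. The file header and anything above line 1 of this file are not in view, so an earlier comment may already cover this.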
@ -30,18 +30,42 @@ auth_url = {{ address('keystone', keystone.admin_port, with_scheme=True) }}
|
|||||||
auth_plugin = password
|
auth_plugin = password
|
||||||
auth_type = password
|
auth_type = password
|
||||||
|
|
||||||
|
{% if heat.tls.enabled %}
|
||||||
|
[oslo_middleware]
|
||||||
|
enable_proxy_headers_parsing = true
|
||||||
|
|
||||||
|
[ec2authtoken]
|
||||||
|
ca_file = /opt/ccp/etc/tls/ca.pem
|
||||||
|
{% endif %}
|
||||||
|
|
||||||
[clients_keystone]
|
[clients_keystone]
|
||||||
auth_uri = {{ address('keystone', keystone.public_port, with_scheme=True) }}
|
auth_uri = {{ address('keystone', keystone.public_port, with_scheme=True) }}
|
||||||
|
{% if security.tls.create_certificates %}
|
||||||
|
# Add this option independently from all services components, because
|
||||||
|
# Heat uses certificates only from Keystone section and then passes this
|
||||||
|
# session as argument for other clients. So it's not possible to have separate
|
||||||
|
# certificates for each client. There is a corresponding bug in upstream:
|
||||||
|
# https://bugs.launchpad.net/heat/+bug/1669367
|
||||||
|
ca_file = /opt/ccp/etc/tls/ca.pem
|
||||||
|
{% endif %}
|
||||||
|
|
||||||
[clients_heat]
|
[clients_heat]
|
||||||
endpoint_type = {{ heat.heat_endpoint_type }}
|
endpoint_type = {{ heat.heat_endpoint_type }}
|
||||||
|
|
||||||
[heat_api]
|
[heat_api]
|
||||||
|
{% if heat.tls.enabled %}
|
||||||
|
bind_host = 127.0.0.1
|
||||||
|
{% else %}
|
||||||
bind_host = {{ network_topology["private"]["address"] }}
|
bind_host = {{ network_topology["private"]["address"] }}
|
||||||
|
{% endif %}
|
||||||
bind_port = {{ heat.api_port.cont }}
|
bind_port = {{ heat.api_port.cont }}
|
||||||
|
|
||||||
[heat_api_cfn]
|
[heat_api_cfn]
|
||||||
|
{% if heat.tls.enabled %}
|
||||||
|
bind_host = 127.0.0.1
|
||||||
|
{% else %}
|
||||||
bind_host = {{ network_topology["private"]["address"] }}
|
bind_host = {{ network_topology["private"]["address"] }}
|
||||||
|
{% endif %}
|
||||||
bind_port = {{ heat.api_cfn_port.cont }}
|
bind_port = {{ heat.api_cfn_port.cont }}
|
||||||
|
|
||||||
[cache]
|
[cache]
|
||||||
|
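Review bot: `[ec2authtoken] ca_file` is emitted under `{% if heat.tls.enabled %}` while the identical `[clients_keystone] ca_file` a few lines below is gated on `{% if security.tls.create_certificates %}`, so a deployment that terminates TLS in nginx but manages certificates outside CCP points ec2authtoken at a CA file this change never installs, and the opposite combination leaves ec2authtoken without one. Gating both blocks on the same flag (`security.tls.create_certificates`, as the Keystone block already does) keeps the two consistent, and the upstream-bug comment could then cover both. Separately, `enable_proxy_headers_parsing = true` makes Heat trust `X-Forwarded-*` headers from anything that can reach its socket; that is only safe because the same condition pins `bind_host = 127.0.0.1` in `[heat_api]` and `[heat_api_cfn]`, so a comment tying the two together is worth adding, e.g. `# Safe only because bind_host is loopback below: only the local nginx sidecar can set X-Forwarded-* headers`. The `[DEFAULT]` section of this file is outside the hunk, so I cannot tell whether URLs such as the metadata server URL are switched to https when `heat.tls.enabled` is set.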
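--- /dev/null
+++ b/service/files/nginx-api-cfn.conf.j2
@@ -0,0 +1,9 @@
+server {
+listen {{ network_topology["private"]["address"] }}:{{ heat.api_cfn_port.cont }} ssl;
+include common/ssl.conf;
+
+location / {
+proxy_pass http://heat_api_cfn;
+include common/proxy-headers.conf;
+}
+}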
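Review bot: Neither this template nor `nginx-api.conf.j2` (the next section) sets `ssl_certificate` / `ssl_certificate_key`, so the entire TLS policy — protocol versions, ciphers and the pointers to `/opt/ccp/etc/tls/server-cert.pem` and `server-key.pem` that the service file installs — lives in `common/ssl.conf`, which is not part of this change and is presumably shared across CCP services; a one-line comment above the include naming that dependency, e.g. `# certificate, key and TLS policy come from the shared common/ssl.conf`, would help the next reader. Likewise, whether Heat sees `https` in the URLs it generates depends on `common/proxy-headers.conf` sending `X-Forwarded-Proto`, which is what `enable_proxy_headers_parsing` in heat.conf.j2 consumes; worth confirming rather than assuming. The two server templates differ only in the upstream name and port, so a single template taking those two values as variables would avoid keeping them in sync by hand.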
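--- /dev/null
+++ b/service/files/nginx-api.conf.j2
@@ -0,0 +1,9 @@
+server {
+listen {{ network_topology["private"]["address"] }}:{{ heat.api_port.cont }} ssl;
+include common/ssl.conf;
+
+location / {
+proxy_pass http://heat_api;
+include common/proxy-headers.conf;
+}
+}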
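--- /dev/null
+++ b/service/files/server-cert.pem.j2
@@ -0,0 +1 @@
+{{ security.tls.server_cert }}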
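--- /dev/null
+++ b/service/files/server-key.pem.j2
@@ -0,0 +1 @@
+{{ security.tls.server_key }}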
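--- /dev/null
+++ b/service/files/upstreams.conf.j2
@@ -0,0 +1,6 @@
+upstream heat_api {
+server 127.0.0.1:{{ heat.api_port.cont }};
+}
+upstream heat_api_cfn {
+server 127.0.0.1:{{ heat.api_cfn_port.cont }};
+}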
@ -39,8 +39,37 @@ service:
|
|||||||
files:
|
files:
|
||||||
- heat-conf
|
- heat-conf
|
||||||
command: heat-api-cfn --config-file /etc/heat/heat.conf
|
command: heat-api-cfn --config-file /etc/heat/heat.conf
|
||||||
|
# {% if heat.tls.enabled %}
|
||||||
|
- name: nginx-heat-api-cfn
|
||||||
|
image: nginx
|
||||||
|
daemon:
|
||||||
|
files:
|
||||||
|
- upstreams
|
||||||
|
- servers
|
||||||
|
- server-cert
|
||||||
|
- server-key
|
||||||
|
command: nginx
|
||||||
|
# {% endif %}
|
||||||
|
|
||||||
files:
|
files:
|
||||||
heat-conf:
|
heat-conf:
|
||||||
path: /etc/heat/heat.conf
|
path: /etc/heat/heat.conf
|
||||||
content: heat.conf.j2
|
content: heat.conf.j2
|
||||||
|
# {% if heat.tls.enabled %}
|
||||||
|
servers:
|
||||||
|
path: /etc/nginx/conf.d/servers.conf
|
||||||
|
content: nginx-api-cfn.conf.j2
|
||||||
|
perm: "0400"
|
||||||
|
upstreams:
|
||||||
|
path: /etc/nginx/conf.d/upstreams.conf
|
||||||
|
content: upstreams.conf.j2
|
||||||
|
perm: "0400"
|
||||||
|
server-cert:
|
||||||
|
path: /opt/ccp/etc/tls/server-cert.pem
|
||||||
|
content: server-cert.pem.j2
|
||||||
|
perm: "0400"
|
||||||
|
server-key:
|
||||||
|
path: /opt/ccp/etc/tls/server-key.pem
|
||||||
|
content: server-key.pem.j2
|
||||||
|
perm: "0400"
|
||||||
|
# {% endif %}
|
||||||
|
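Review bot: `image: nginx` with only `servers.conf` and `upstreams.conf` dropped into `/etc/nginx/conf.d/` leaves the image's own configuration untouched, so if this is the unmodified upstream nginx image its stock `/etc/nginx/conf.d/default.conf` keeps a plaintext listener on port 80 serving the default page next to the TLS listener this change adds; installing an empty file over that path (another `files:` entry with `path: /etc/nginx/conf.d/default.conf`) or shipping a full `nginx.conf` would leave only the intended `listen ... ssl` server. The same applies to the `nginx-heat-api` container in the next hunk (`@ -100,8 +100,37 @@`). The loopback upstream (`127.0.0.1:{{ heat.api_cfn_port.cont }}`) presumably relies on the sidecar sharing a network namespace with the `heat-api-cfn` container; a comment next to `- name: nginx-heat-api-cfn`, e.g. `# must run in the same pod as heat-api-cfn: it proxies to 127.0.0.1 and is the only path to the API`, would state that assumption. `perm: "0400"` on the key and cert is right; the enclosing `service:` definition starts outside the hunk.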
@ -100,8 +100,37 @@ service:
|
|||||||
files:
|
files:
|
||||||
- heat-conf
|
- heat-conf
|
||||||
command: heat-api --config-file /etc/heat/heat.conf
|
command: heat-api --config-file /etc/heat/heat.conf
|
||||||
|
# {% if heat.tls.enabled %}
|
||||||
|
- name: nginx-heat-api
|
||||||
|
image: nginx
|
||||||
|
daemon:
|
||||||
|
files:
|
||||||
|
- upstreams
|
||||||
|
- servers
|
||||||
|
- server-cert
|
||||||
|
- server-key
|
||||||
|
command: nginx
|
||||||
|
# {% endif %}
|
||||||
|
|
||||||
files:
|
files:
|
||||||
heat-conf:
|
heat-conf:
|
||||||
path: /etc/heat/heat.conf
|
path: /etc/heat/heat.conf
|
||||||
content: heat.conf.j2
|
content: heat.conf.j2
|
||||||
|
# {% if heat.tls.enabled %}
|
||||||
|
servers:
|
||||||
|
path: /etc/nginx/conf.d/servers.conf
|
||||||
|
content: nginx-api.conf.j2
|
||||||
|
perm: "0400"
|
||||||
|
upstreams:
|
||||||
|
path: /etc/nginx/conf.d/upstreams.conf
|
||||||
|
content: upstreams.conf.j2
|
||||||
|
perm: "0400"
|
||||||
|
server-cert:
|
||||||
|
path: /opt/ccp/etc/tls/server-cert.pem
|
||||||
|
content: server-cert.pem.j2
|
||||||
|
perm: "0400"
|
||||||
|
server-key:
|
||||||
|
path: /opt/ccp/etc/tls/server-key.pem
|
||||||
|
content: server-key.pem.j2
|
||||||
|
perm: "0400"
|
||||||
|
# {% endif %}
|
||||||
|