
Add TLS support for Heat component

Change-Id: Ifbfe3d0fa85d3a7f28586d3b82e309f49698479f
Sergey Kraynev 2 years ago
parent
commit
e5ed7fe74f

+ 2
- 0
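--- a/service/files/defaults.yaml
+++ b/service/files/defaults.yaml
@@ -1,5 +1,7 @@
 configs:
   heat:
+    tls:
+      enabled: true
     api_port:
       cont: 8004
       ingress: orchestration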
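Review bot: The new `tls.enabled: true` default carries no comment, so a reader of defaults.yaml cannot tell what the flag switches on or what it requires. From the rest of this commit it makes heat-api and heat-api-cfn bind to loopback in heat.conf and adds an nginx sidecar that serves `security.tls.server_cert`/`server_key` on the service port. Suggest a comment above `enabled: true`, e.g. `# true: heat-api/heat-api-cfn bind to 127.0.0.1 and an nginx sidecar terminates TLS on the service port (needs security.tls.server_cert/server_key)`.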

+ 24
- 0
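--- a/service/files/heat.conf.j2
+++ b/service/files/heat.conf.j2
@@ -30,18 +30,42 @@ auth_url = {{ address('keystone', keystone.admin_port, with_scheme=True) }}
 auth_plugin = password
 auth_type = password
 
+{% if heat.tls.enabled %}
+[oslo_middleware]
+enable_proxy_headers_parsing = true
+
+[ec2authtoken]
+ca_file = /opt/ccp/etc/tls/ca.pem
+{% endif %}
+
 [clients_keystone]
 auth_uri = {{ address('keystone', keystone.public_port, with_scheme=True) }}
+{% if security.tls.create_certificates %}
+# Add this option independently from all services components, because
+# Heat uses certificates only from Keystone section and then passes this
+# session as argument for other clients. So it's not possible to have separate
+# certificates for each client. There is a corresponding bug in upstream:
+# https://bugs.launchpad.net/heat/+bug/1669367
+ca_file = /opt/ccp/etc/tls/ca.pem
+{% endif %}
 
 [clients_heat]
 endpoint_type = {{ heat.heat_endpoint_type }}
 
 [heat_api]
+{% if heat.tls.enabled %}
+bind_host = 127.0.0.1
+{% else %}
 bind_host = {{ network_topology["private"]["address"] }}
+{% endif %}
 bind_port = {{ heat.api_port.cont }}
 
 [heat_api_cfn]
+{% if heat.tls.enabled %}
+bind_host = 127.0.0.1
+{% else %}
 bind_host = {{ network_topology["private"]["address"] }}
+{% endif %}
 bind_port = {{ heat.api_cfn_port.cont }}
 
 [cache]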
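Review bot: The `[ec2authtoken] ca_file` is gated on `heat.tls.enabled`, while the equivalent `[clients_keystone] ca_file` a few lines below is gated on `security.tls.create_certificates`; both point at the same `/opt/ccp/etc/tls/ca.pem` used to verify Keystone, so the two guards should match. If ca.pem is produced by the create_certificates path (not visible in this hunk), enabling Heat's own TLS without it leaves ec2authtoken pointing at a missing CA, and the reverse combination leaves it without CA verification at all. Suggest closing the first block with `{% endif %}` right after `enable_proxy_headers_parsing = true` and opening `{% if security.tls.create_certificates %}` before `[ec2authtoken]`. The proxy-headers setting also deserves a why-comment, e.g. `# only safe because bind_host is 127.0.0.1 below: X-Forwarded-* headers can come only from the nginx sidecar`.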

+ 9
- 0
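--- a/service/files/nginx-api-cfn.conf.j2
+++ b/service/files/nginx-api-cfn.conf.j2
@@ -0,0 +1,9 @@
+server {
+    listen {{ network_topology["private"]["address"] }}:{{ heat.api_cfn_port.cont }} ssl;
+    include common/ssl.conf;
+
+    location / {
+        proxy_pass http://heat_api_cfn;
+        include common/proxy-headers.conf;
+    }
+}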
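Review bot: nginx-api-cfn.conf.j2 and nginx-api.conf.j2 are identical except for the port variable and the upstream name, so the two server blocks will drift apart the first time one of them gains a directive (an extra include, a body-size limit, a different ssl.conf). If the files mechanism cannot pass parameters into one shared template (not visible here), each file should at least carry a header comment such as `# keep in sync with nginx-api.conf.j2` / `# keep in sync with nginx-api-cfn.conf.j2`.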

+ 9
- 0
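--- a/service/files/nginx-api.conf.j2
+++ b/service/files/nginx-api.conf.j2
@@ -0,0 +1,9 @@
+server {
+    listen {{ network_topology["private"]["address"] }}:{{ heat.api_port.cont }} ssl;
+    include common/ssl.conf;
+
+    location / {
+        proxy_pass http://heat_api;
+        include common/proxy-headers.conf;
+    }
+}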

+ 1
- 0
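--- a/service/files/server-cert.pem.j2
+++ b/service/files/server-cert.pem.j2
@@ -0,0 +1 @@
+{{ security.tls.server_cert }}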

+ 1
- 0
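--- a/service/files/server-key.pem.j2
+++ b/service/files/server-key.pem.j2
@@ -0,0 +1 @@
+{{ security.tls.server_key }}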

+ 6
- 0
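--- a/service/files/upstreams.conf.j2
+++ b/service/files/upstreams.conf.j2
@@ -0,0 +1,6 @@
+upstream heat_api {
+    server 127.0.0.1:{{ heat.api_port.cont }};
+}
+upstream heat_api_cfn {
+    server 127.0.0.1:{{ heat.api_cfn_port.cont }};
+}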

+ 29
- 0
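--- a/service/heat-api-cfn.yaml
+++ b/service/heat-api-cfn.yaml
@@ -39,8 +39,37 @@ service:
         files:
           - heat-conf
         command: heat-api-cfn --config-file /etc/heat/heat.conf
+    # {% if heat.tls.enabled %}
+    - name: nginx-heat-api-cfn
+      image: nginx
+      daemon:
+        files:
+          - upstreams
+          - servers
+          - server-cert
+          - server-key
+        command: nginx
+    # {% endif %}
 
 files:
   heat-conf:
     path: /etc/heat/heat.conf
     content: heat.conf.j2
+  # {% if heat.tls.enabled %}
+  servers:
+    path: /etc/nginx/conf.d/servers.conf
+    content: nginx-api-cfn.conf.j2
+    perm: "0400"
+  upstreams:
+    path: /etc/nginx/conf.d/upstreams.conf
+    content: upstreams.conf.j2
+    perm: "0400"
+  server-cert:
+    path: /opt/ccp/etc/tls/server-cert.pem
+    content: server-cert.pem.j2
+    perm: "0400"
+  server-key:
+    path: /opt/ccp/etc/tls/server-key.pem
+    content: server-key.pem.j2
+    perm: "0400"
+  # {% endif %}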
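Review bot: The sidecar block under `# {% if heat.tls.enabled %}` does not record the assumption it depends on: upstreams.conf sends nginx to `127.0.0.1:<port>`, and heat.conf.j2 switches `bind_host` to `127.0.0.1` under the same flag, so the container only works if it shares the pod network namespace with heat-api-cfn and is the sole listener on the private address. A comment above `- name: nginx-heat-api-cfn`, e.g. `# TLS-terminating sidecar; with heat.tls.enabled the API binds to 127.0.0.1 and is reachable only through nginx`, would make that explicit for whoever next changes either file. The same applies to the identical block added to service/heat-api.yaml, where the `files:` entries are also duplicated verbatim apart from the servers template; the `perm: "0400"` on server-key is right, and the quoting keeps the mode from being read as an integer.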

+ 29
- 0
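--- a/service/heat-api.yaml
+++ b/service/heat-api.yaml
@@ -100,8 +100,37 @@ service:
         files:
           - heat-conf
         command: heat-api --config-file /etc/heat/heat.conf
+    # {% if heat.tls.enabled %}
+    - name: nginx-heat-api
+      image: nginx
+      daemon:
+        files:
+          - upstreams
+          - servers
+          - server-cert
+          - server-key
+        command: nginx
+    # {% endif %}
 
 files:
   heat-conf:
     path: /etc/heat/heat.conf
     content: heat.conf.j2
+  # {% if heat.tls.enabled %}
+  servers:
+    path: /etc/nginx/conf.d/servers.conf
+    content: nginx-api.conf.j2
+    perm: "0400"
+  upstreams:
+    path: /etc/nginx/conf.d/upstreams.conf
+    content: upstreams.conf.j2
+    perm: "0400"
+  server-cert:
+    path: /opt/ccp/etc/tls/server-cert.pem
+    content: server-cert.pem.j2
+    perm: "0400"
+  server-key:
+    path: /opt/ccp/etc/tls/server-key.pem
+    content: server-key.pem.j2
+    perm: "0400"
+  # {% endif %}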
