
SSL implementation for horizon

- Updated Dockerfile for horizon, which removes the list of ports to listen on.
- Add certificates
- Update service definition by extra nginx container and all necessary
  files.

Change-Id: If0be618c4fd584941e21bba44e62cb9b96cc1647
Sergey Kraynev 2 years ago
parent
commit
e26e52e2a8

+ 1
- 0
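--- a/docker/horizon/Dockerfile.j2
+++ b/docker/horizon/Dockerfile.j2
@@ -5,6 +5,7 @@ RUN apt-get update \
     && apt-get install --no-install-recommends -q -y -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold" \
         apache2 \
         libapache2-mod-wsgi \
+    && echo > /etc/apache2/ports.conf \
     && ln -s ../mods-available/headers.load /etc/apache2/mods-enabled/headers.load
 
 {{ copy_sources("openstack/horizon", "/horizon") }}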
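Review bot: The added `echo > /etc/apache2/ports.conf` carries no comment saying why the distro Listen directive is being discarded, and a maintainer who later "restores" ports.conf would silently reopen Apache on all interfaces in TLS mode, undoing the loopback-only binding that openstack-dashboard.conf.j2 relies on. I'd put `# Listen is owned by openstack-dashboard.conf.j2 so TLS mode can bind 127.0.0.1 only; with ports.conf empty Apache should refuse to start if that file is missing (fail closed)` above the line. Minor: `echo >` leaves a single newline in the file, `: > /etc/apache2/ports.conf` truncates it to empty; Apache accepts either.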

+ 1
- 0
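--- a/service/files/ca-cert.pem.j2
+++ b/service/files/ca-cert.pem.j2
@@ -0,0 +1 @@
+{{ security.tls.ca_cert }}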

+ 2
- 0
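--- a/service/files/defaults.yaml
+++ b/service/files/defaults.yaml
@@ -1,5 +1,7 @@
 configs:
   horizon:
+    tls:
+      enabled: true
     port:
       cont: 80
       ingress: horizon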

+ 1
- 1
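--- a/service/files/local_settings.j2
+++ b/service/files/local_settings.j2
@@ -190,7 +190,7 @@ OPENSTACK_KEYSTONE_DEFAULT_ROLE = "_member_"
 #OPENSTACK_SSL_NO_VERIFY = True
 
 # The CA certificate to use to verify SSL connections
-#OPENSTACK_SSL_CACERT = '/path/to/cacert.pem'
+OPENSTACK_SSL_CACERT = '/opt/ccp/etc/tls/ca.pem'
 
 # The OPENSTACK_KEYSTONE_BACKEND settings can be used to identify the
 # capabilities of the auth backend for Keystone.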
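Review bot: `OPENSTACK_SSL_CACERT` is set unconditionally, but horizon.yaml only mounts `/opt/ccp/etc/tls/ca.pem` inside `{% if horizon.tls.enabled %}`, so with TLS disabled Horizon is pointed at a CA file that does not exist. Guard the line the same way the other templates do: `{% if horizon.tls.enabled %}` / `OPENSTACK_SSL_CACERT = '/opt/ccp/etc/tls/ca.pem'` / `{% endif %}`. Separately, the settings that matter for running behind a TLS-terminating proxy — `SECURE_PROXY_SSL_HEADER`, `CSRF_COOKIE_SECURE`, `SESSION_COOKIE_SECURE` — are not touched here; if they are not set elsewhere in this file, session and CSRF cookies will be issued without the Secure flag and Django will build http:// redirects even though the client spoke HTTPS to nginx. Leaving `OPENSTACK_SSL_NO_VERIFY` commented out (verification on) is the right call.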

+ 8
- 0
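--- a/service/files/openstack-dashboard.conf.j2
+++ b/service/files/openstack-dashboard.conf.j2
@@ -1,6 +1,14 @@
 {% set venv_path = '/var/lib/microservices/venv/lib/python2.7/site-packages' %}
 
+{% if horizon.tls.enabled %}
+Listen 127.0.0.1:{{ horizon.port.cont }}
+
+<VirtualHost 127.0.0.1:{{ horizon.port.cont }}>
+{% else %}
+Listen {{ horizon.port.cont }}
+
 <VirtualHost *:{{ horizon.port.cont }}>
+{% endif %}
     WSGIScriptAlias / {{ venv_path }}/openstack_dashboard/wsgi/django.wsgi
     WSGIScriptAlias /horizon {{ venv_path }}/openstack_dashboard/wsgi/django.wsgi
     WSGIDaemonProcess horizon user=horizon group=horizon processes={{ horizon.wsgi.processes }} threads={{ horizon.wsgi.threads }} python-path={{ venv_path }}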
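Review bot: The TLS branch binds Apache to 127.0.0.1 only, which is the security-relevant part of this change, but nothing in the template says so or names the component that is expected to sit in front of it. I'd add a comment above the `{% if %}`: `# TLS mode: Apache stays plain HTTP on loopback; the nginx sidecar (servers.conf.j2) terminates TLS on the private address and proxies here. Non-TLS mode keeps the old bind-all behaviour.` The `<VirtualHost>` block continues past the end of the hunk.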

+ 1
- 0
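--- a/service/files/server-cert.pem.j2
+++ b/service/files/server-cert.pem.j2
@@ -0,0 +1 @@
+{{ security.tls.server_cert }}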

+ 1
- 0
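--- a/service/files/server-key.pem.j2
+++ b/service/files/server-key.pem.j2
@@ -0,0 +1 @@
+{{ security.tls.server_key }}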
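Review bot: The private key is rendered from the plain configuration value `security.tls.server_key`, so it travels through whatever config store and rendering pipeline the deployment uses; nothing in this commit shows that value being sourced from a secret rather than a version-controlled config file. Confirm it is supplied from a secret store, never committed, and that rendered file contents are not echoed into build or deploy logs. The `perm: "0400"` given in horizon.yaml is the right mode for the on-disk copy, and mounting it only into the nginx container (not the Horizon container) is the correct split.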

+ 9
- 0
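--- a/service/files/servers.conf.j2
+++ b/service/files/servers.conf.j2
@@ -0,0 +1,9 @@
+server {
+    listen {{ network_topology["private"]["address"] }}:{{ horizon.port.cont }} ssl;
+    include common/ssl.conf;
+
+    location / {
+        proxy_pass http://horizon;
+        include common/proxy-headers.conf;
+    }
+}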
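Review bot: nginx terminates TLS and forwards plain HTTP to the loopback upstream, but nothing visible tells Horizon the original scheme; whether `common/proxy-headers.conf` sets `X-Forwarded-Proto` cannot be checked from this commit. If it does not, add `proxy_set_header X-Forwarded-Proto $scheme;` in the `location /` block, paired with `SECURE_PROXY_SSL_HEADER` in local_settings, so Django does not emit http:// redirects or plain cookies. If `common/ssl.conf` does not already do it, `add_header Strict-Transport-Security "max-age=31536000" always;` is worth adding once the certificate setup is stable.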

+ 3
- 0
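--- a/service/files/upstreams.conf.j2
+++ b/service/files/upstreams.conf.j2
@@ -0,0 +1,3 @@
+upstream horizon {
+    server 127.0.0.1:{{ horizon.port.cont }};
+}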

+ 38
- 0
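--- a/service/horizon.yaml
+++ b/service/horizon.yaml
@@ -11,6 +11,9 @@ service:
           type: "httpGet"
           port: {{ horizon.port.cont }}
           path: "/"
+          # {% if horizon.tls.enabled %}
+          scheme: "https"
+          # {% endif %}
       volumes:
         - name: horizon-logs
           path: "/var/log/ccp/horizon"
@@ -28,7 +31,21 @@ service:
         files:
           - horizon-local-settings
           - openstack-dashboard-conf
+          # {% if horizon.tls.enabled %}
+          - ca_cert
+          # {% endif %}
         command: daemon.sh
+    # {% if horizon.tls.enabled %}
+    - name: nginx-horizon
+      image: nginx
+      daemon:
+        files:
+          - servers
+          - upstreams
+          - server-cert
+          - server-key
+        command: nginx
+    # {% endif %}
 
 files:
   horizon-local-settings:
@@ -37,3 +54,24 @@ files:
   openstack-dashboard-conf:
     path: /etc/apache2/conf-enabled/openstack-dashboard.conf
     content: openstack-dashboard.conf.j2
+  # {% if horizon.tls.enabled %}
+  servers:
+    path: /etc/nginx/conf.d/servers.conf
+    content: servers.conf.j2
+    perm: "0400"
+  upstreams:
+    path: /etc/nginx/conf.d/upstreams.conf
+    content: upstreams.conf.j2
+    perm: "0400"
+  ca_cert:
+    path: /opt/ccp/etc/tls/ca.pem
+    content: ca-cert.pem.j2
+  server-cert:
+    path: /opt/ccp/etc/tls/server-cert.pem
+    content: server-cert.pem.j2
+    perm: "0400"
+  server-key:
+    path: /opt/ccp/etc/tls/server-key.pem
+    content: server-key.pem.j2
+    perm: "0400"
+  # {% endif %}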
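Review bot: In the third hunk the new file entries mix `ca_cert` (snake_case) with `server-cert`/`server-key` (kebab-case), while every existing entry in this file is kebab-case (`horizon-local-settings`, `openstack-dashboard-conf`); rename it to `ca-cert` here and in the container file list of the second hunk. The CA entry is also the only new one without `perm`, which is acceptable because the CA certificate is public, but next to the `0400` key file it reads like an oversight — a one-line comment `# public CA cert; readable by the horizon user, no perm needed` would make the omission deliberate. In the first hunk the readiness probe switches to `scheme: "https"` on `horizon.port.cont` while the Apache container itself now listens on plain HTTP on loopback, so the probe presumably has to reach the nginx sidecar on the private address; worth confirming that is where the probe is sent, otherwise the horizon container never becomes ready when TLS is on.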
