SSL implementation for horizon

- Updated Docker file for gorizon, which remove list of ports to listen.
- Add certificates
- Update service definition by extra nginx container and all necessary
  files.

Change-Id: If0be618c4fd584941e21bba44e62cb9b96cc1647
This commit is contained in:
Sergey Kraynev 2017-02-02 14:56:24 +00:00
parent 889fbf490d
commit e26e52e2a8
10 changed files with 65 additions and 1 deletions

View File

@ -5,6 +5,7 @@ RUN apt-get update \
&& apt-get install --no-install-recommends -q -y -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold" \
apache2 \
libapache2-mod-wsgi \
&& echo > /etc/apache2/ports.conf \
&& ln -s ../mods-available/headers.load /etc/apache2/mods-enabled/headers.load
{{ copy_sources("openstack/horizon", "/horizon") }}

View File

@ -0,0 +1 @@
{{ security.tls.ca_cert }}

View File

@ -1,5 +1,7 @@
configs:
horizon:
tls:
enabled: true
port:
cont: 80
ingress: horizon

View File

@ -190,7 +190,7 @@ OPENSTACK_KEYSTONE_DEFAULT_ROLE = "_member_"
#OPENSTACK_SSL_NO_VERIFY = True
# The CA certificate to use to verify SSL connections
#OPENSTACK_SSL_CACERT = '/path/to/cacert.pem'
OPENSTACK_SSL_CACERT = '/opt/ccp/etc/tls/ca.pem'
# The OPENSTACK_KEYSTONE_BACKEND settings can be used to identify the
# capabilities of the auth backend for Keystone.

View File

@ -1,6 +1,14 @@
{% set venv_path = '/var/lib/microservices/venv/lib/python2.7/site-packages' %}
{% if horizon.tls.enabled %}
Listen 127.0.0.1:{{ horizon.port.cont }}
<VirtualHost 127.0.0.1:{{ horizon.port.cont }}>
{% else %}
Listen {{ horizon.port.cont }}
<VirtualHost *:{{ horizon.port.cont }}>
{% endif %}
WSGIScriptAlias / {{ venv_path }}/openstack_dashboard/wsgi/django.wsgi
WSGIScriptAlias /horizon {{ venv_path }}/openstack_dashboard/wsgi/django.wsgi
WSGIDaemonProcess horizon user=horizon group=horizon processes={{ horizon.wsgi.processes }} threads={{ horizon.wsgi.threads }} python-path={{ venv_path }}

View File

@ -0,0 +1 @@
{{ security.tls.server_cert }}

View File

@ -0,0 +1 @@
{{ security.tls.server_key }}

View File

@ -0,0 +1,9 @@
server {
listen {{ network_topology["private"]["address"] }}:{{ horizon.port.cont }} ssl;
include common/ssl.conf;
location / {
proxy_pass http://horizon;
include common/proxy-headers.conf;
}
}

View File

@ -0,0 +1,3 @@
upstream horizon {
server 127.0.0.1:{{ horizon.port.cont }};
}

View File

@ -11,6 +11,9 @@ service:
type: "httpGet"
port: {{ horizon.port.cont }}
path: "/"
# {% if horizon.tls.enabled %}
scheme: "https"
# {% endif %}
volumes:
- name: horizon-logs
path: "/var/log/ccp/horizon"
@ -28,7 +31,21 @@ service:
files:
- horizon-local-settings
- openstack-dashboard-conf
# {% if horizon.tls.enabled %}
- ca_cert
# {% endif %}
command: daemon.sh
# {% if horizon.tls.enabled %}
- name: nginx-horizon
image: nginx
daemon:
files:
- servers
- upstreams
- server-cert
- server-key
command: nginx
# {% endif %}
files:
horizon-local-settings:
@ -37,3 +54,24 @@ files:
openstack-dashboard-conf:
path: /etc/apache2/conf-enabled/openstack-dashboard.conf
content: openstack-dashboard.conf.j2
# {% if horizon.tls.enabled %}
servers:
path: /etc/nginx/conf.d/servers.conf
content: servers.conf.j2
perm: "0400"
upstreams:
path: /etc/nginx/conf.d/upstreams.conf
content: upstreams.conf.j2
perm: "0400"
ca_cert:
path: /opt/ccp/etc/tls/ca.pem
content: ca-cert.pem.j2
server-cert:
path: /opt/ccp/etc/tls/server-cert.pem
content: server-cert.pem.j2
perm: "0400"
server-key:
path: /opt/ccp/etc/tls/server-key.pem
content: server-key.pem.j2
perm: "0400"
# {% endif %}