SSL implementation for horizon

- Updated Docker file for gorizon, which remove list of ports to listen.
- Add certificates
- Update service definition by extra nginx container and all necessary
  files.

Change-Id: If0be618c4fd584941e21bba44e62cb9b96cc1647

docker/horizon/Dockerfile.j2

@@ -5,6 +5,7 @@ RUN apt-get update \
     && apt-get install --no-install-recommends -q -y -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold" \
         apache2 \
         libapache2-mod-wsgi \
+    && echo > /etc/apache2/ports.conf \
     && ln -s ../mods-available/headers.load /etc/apache2/mods-enabled/headers.load
 
 {{ copy_sources("openstack/horizon", "/horizon") }}

service/files/ca-cert.pem.j2

@@ -0,0 +1 @@
+{{ security.tls.ca_cert }}

service/files/local_settings.j2

@@ -190,7 +190,7 @@ OPENSTACK_KEYSTONE_DEFAULT_ROLE = "_member_"
 #OPENSTACK_SSL_NO_VERIFY = True
 
 # The CA certificate to use to verify SSL connections
-#OPENSTACK_SSL_CACERT = '/path/to/cacert.pem'
+OPENSTACK_SSL_CACERT = '/opt/ccp/etc/tls/ca.pem'
 
 # The OPENSTACK_KEYSTONE_BACKEND settings can be used to identify the
 # capabilities of the auth backend for Keystone.

service/files/openstack-dashboard.conf.j2

@@ -1,6 +1,14 @@
 {% set venv_path = '/var/lib/microservices/venv/lib/python2.7/site-packages' %}
 
+{% if security.tls.enabled %}
+Listen 127.0.0.1:{{ horizon.port.cont }}
+
+<VirtualHost 127.0.0.1:{{ horizon.port.cont }}>
+{% else %}
+Listen {{ horizon.port.cont }}
+
 <VirtualHost *:{{ horizon.port.cont }}>
+{% endif %}
     WSGIScriptAlias / {{ venv_path }}/openstack_dashboard/wsgi/django.wsgi
     WSGIScriptAlias /horizon {{ venv_path }}/openstack_dashboard/wsgi/django.wsgi
     WSGIDaemonProcess horizon user=horizon group=horizon processes={{ horizon.wsgi.processes }} threads={{ horizon.wsgi.threads }} python-path={{ venv_path }}

service/files/server-cert.pem.j2

@@ -0,0 +1 @@
+{{ security.tls.server_cert }}

service/files/server-key.pem.j2

@@ -0,0 +1 @@
+{{ security.tls.server_key }}

service/files/servers.conf.j2

@@ -0,0 +1,18 @@
+server {
+    listen {{ network_topology["private"]["address"] }}:{{ horizon.port.cont }};
+    ssl on;
+    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+    ssl_session_cache shared:SSL:10m;
+    ssl_ciphers {{ nginx.ciphers }};
+    ssl_prefer_server_ciphers on;
+    ssl_certificate /opt/ccp/etc/tls/server-cert.pem;
+    ssl_certificate_key /opt/ccp/etc/tls/server-key.pem;
+
+    location / {
+        proxy_pass http://horizon;
+        proxy_set_header Host $host:$server_port;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+}

service/files/upstreams.conf.j2

@@ -0,0 +1,3 @@
+upstream horizon {
+    server 127.0.0.1:{{ horizon.port.cont }};
+}

service/horizon.yaml

@@ -26,7 +26,21 @@ service:
         files:
           - horizon-local-settings
           - openstack-dashboard-conf
+          # {% if security.tls.enabled %}
+          - ca_cert
+          # {% endif %}
         command: daemon.sh
+    # {% if security.tls.enabled %}
+    - name: nginx
+      image: nginx
+      daemon:
+        files:
+          - servers
+          - upstreams
+          - server-cert
+          - server-key
+        command: nginx
+    # {% endif %}
 
 files:
   horizon-local-settings:
@@ -35,3 +49,24 @@ files:
   openstack-dashboard-conf:
     path: /etc/apache2/conf-enabled/openstack-dashboard.conf
     content: openstack-dashboard.conf.j2
+  # {% if security.tls.enabled %}
+  servers:
+    path: /etc/nginx/conf.d/servers.conf
+    content: servers.conf.j2
+    perm: "0400"
+  upstreams:
+    path: /etc/nginx/conf.d/upstreams.conf
+    content: upstreams.conf.j2
+    perm: "0400"
+  ca_cert:
+    path: /opt/ccp/etc/tls/ca.pem
+    content: ca-cert.pem.j2
+  server-cert:
+    path: /opt/ccp/etc/tls/server-cert.pem
+    content: server-cert.pem.j2
+    perm: "0400"
+  server-key:
+    path: /opt/ccp/etc/tls/server-key.pem
+    content: server-key.pem.j2
+    perm: "0400"
+  # {% endif %}