
Add TLS support for Keystone

- Add files for certificates
- Add config file for nginx service
- Update service definition by adding new container for nginx
- Update wsgi to use localhost

This patch requires patches in other repos:
 - fuel-ccp
 - fuel-ccp-entrypoint
 - fuel-ccp-nginx

Co-Authored-By: Artur Zarzycki <azarzycki@mirantis.com>

Depends-On: I65002b7ff9cfa2faf9d5bce470334aae95334d00
Depends-On: I88bc21571589dcd4c31bb5ce5015a75676ed2d85
Depends-On: I0660cc3ca2723bc06871b61f859adfed42c0d807

Change-Id: If796ea145c0a6b1bcb711496a4ad97a0a4ac2fb2
changes/33/425733/21
Sergey Kraynev 2 years ago
parent
commit
0a9850e1d4

+ 3
- 0
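--- a/exports/keystone_authtoken.j2
+++ b/exports/keystone_authtoken.j2
@@ -9,4 +9,7 @@ project_name = {{ service_account.project }}
 username = {{ username }}
 password = {{ password }}
 memcached_servers = {{ address("memcached", memcached.port) }}
+{% if keystone.tls.enabled %}
+cafile = /opt/ccp/etc/tls/ca.pem
+{% endif %}
 {%- endmacro %}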
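Review bot: The CA path `/opt/ccp/etc/tls/ca.pem` is written as a literal on the added `cafile` line and again in the `ca_cert` entry of service/keystone.yaml, so the two can drift apart without any error at render time; rendering it from one place, e.g. `{% set ca_path = '/opt/ccp/etc/tls/ca.pem' %}` at the top of the macro or a value alongside `tls.enabled` in defaults.yaml, avoids that. Because this macro lives under exports/ it is presumably rendered into other services' configuration, and those services then need the same CA file present at this path in their own containers — a comment on the `{% if %}` line such as `{# consumers of this macro must ship the CA at this path; see ca_cert in service/keystone.yaml #}` would make that requirement visible. The `keystone_authtoken` macro starts before this hunk.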

+ 1
- 0
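--- a/service/files/ca-cert.pem.j2
+++ b/service/files/ca-cert.pem.j2
@@ -0,0 +1 @@
+{{ security.tls.ca_cert }}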

+ 2
- 1
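--- a/service/files/defaults.yaml
+++ b/service/files/defaults.yaml
@@ -1,7 +1,8 @@
 configs:
   keystone:
     debug: false
-
+    tls:
+      enabled: true
     public_port:
       cont: 5000
       ingress: identity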
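Review bot: `tls.enabled: true` becomes the default with no comment on what it requires: the new PEM templates read `security.tls.ca_cert`, `security.tls.server_cert` and `security.tls.server_key`, none of which is defined in this file, so a deployment that does not supply them would presumably render empty PEM files and an nginx that cannot start. A line above `tls:` such as `# requires security.tls.{ca_cert,server_cert,server_key} to be set (provided by the companion fuel-ccp change)` makes the dependency visible, and defaulting to `false` until those values are guaranteed is worth considering. The `tls:` mapping also replaces the blank line that separated `debug` from the port settings; a blank line after `enabled: true` would keep the stanzas readable.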

+ 1
- 0
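--- a/service/files/server-cert.pem.j2
+++ b/service/files/server-cert.pem.j2
@@ -0,0 +1 @@
+{{ security.tls.server_cert }}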

+ 1
- 0
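--- a/service/files/server-key.pem.j2
+++ b/service/files/server-key.pem.j2
@@ -0,0 +1 @@
+{{ security.tls.server_key }}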

+ 18
- 0
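--- a/service/files/servers.conf.j2
+++ b/service/files/servers.conf.j2
@@ -0,0 +1,18 @@
+server {
+    listen {{ network_topology["private"]["address"] }}:{{ keystone.admin_port.cont }} ssl;
+    include common/ssl.conf;
+
+    location / {
+        proxy_pass http://keystone_admin;
+        include common/proxy-headers.conf;
+    }
+}
+server {
+    listen {{ network_topology["private"]["address"] }}:{{ keystone.public_port.cont }} ssl;
+    include common/ssl.conf;
+
+    location / {
+        proxy_pass http://keystone_public;
+        include common/proxy-headers.conf;
+    }
+}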
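Review bot: Both `server` blocks terminate TLS and proxy plaintext to Apache, but nothing in this file tells Keystone that the client used TLS; whether `common/proxy-headers.conf` (from fuel-ccp-nginx, not visible here) forwards `X-Forwarded-Proto` decides whether the self and version links Keystone returns say `https://` or `http://`, so confirm it does and that Keystone's proxy-aware middleware is active, and record the assumption above the include, e.g. `# proxy-headers.conf must forward X-Forwarded-Proto so Keystone emits https links`. The certificate paths and the protocol/cipher policy come from `common/ssl.conf`, which is also outside this repository and should be reviewed with the fuel-ccp-nginx change. The two blocks differ only in port and upstream name; a `{% for name, port in (('admin', keystone.admin_port.cont), ('public', keystone.public_port.cont)) %}` loop around one block would keep them from diverging.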

+ 6
- 0
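--- a/service/files/upstreams.conf.j2
+++ b/service/files/upstreams.conf.j2
@@ -0,0 +1,6 @@
+upstream keystone_admin {
+    server 127.0.0.1:{{ keystone.admin_port.cont }};
+}
+upstream keystone_public {
+    server 127.0.0.1:{{ keystone.public_port.cont }};
+}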

+ 14
- 0
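--- a/service/files/wsgi-keystone.conf.j2
+++ b/service/files/wsgi-keystone.conf.j2
@@ -1,8 +1,18 @@
 {% set venv_path = '/var/lib/microservices/venv/lib/python2.7/site-packages' %}
+
+{% if keystone.tls.enabled %}
+Listen 127.0.0.1:{{ keystone.public_port.cont }}
+Listen 127.0.0.1:{{ keystone.admin_port.cont }}
+{% else %}
 Listen {{ keystone.public_port.cont }}
 Listen {{ keystone.admin_port.cont }}
+{% endif %}
 
+{% if keystone.tls.enabled %}
+<VirtualHost 127.0.0.1:{{ keystone.public_port.cont }}>
+{% else %}
 <VirtualHost *:{{ keystone.public_port.cont }}>
+{% endif %}
     WSGIDaemonProcess keystone-public processes={{ keystone.wsgi.processes }} threads={{ keystone.wsgi.threads }} user=keystone group=keystone display-name=%{GROUP} python-path={{ venv_path }}
     WSGIProcessGroup keystone-public
     WSGIScriptAlias / /var/www/cgi-bin/keystone/public
@@ -17,7 +27,11 @@ Listen {{ keystone.admin_port.cont }}
     CustomLog "/var/log/ccp/keystone/keystone-access.log" access
 </VirtualHost>
 
+{% if keystone.tls.enabled %}
+<VirtualHost 127.0.0.1:{{ keystone.admin_port.cont }}>
+{% else %}
 <VirtualHost *:{{ keystone.admin_port.cont }}>
+{% endif %}
     WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP} python-path={{ venv_path }}
     WSGIProcessGroup keystone-admin
     WSGIScriptAlias / /var/www/cgi-bin/keystone/admin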
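Review bot: The same `{% if keystone.tls.enabled %}` / `{% else %}` branch is repeated three times (the `Listen` pair and both `<VirtualHost>` openings, the second in the hunk starting at old line 17) only to choose between `127.0.0.1` and all interfaces, so a fourth place that binds a port is likely to miss one branch. A single `{% set bind_addr = '127.0.0.1' if keystone.tls.enabled else '*' %}` next to `venv_path` lets every `Listen` and `<VirtualHost>` use `{{ bind_addr }}:{{ port }}` with one conditional; bare `Listen port` and `Listen *:port` should both bind all interfaces, but confirm the IPv6 behaviour matches the current non-TLS deployment before relying on that. Binding Apache to loopback in the TLS case is the right call, since it keeps the plaintext listener reachable only from inside the pod; a comment saying so would help the next reader, e.g. `{# behind the TLS-terminating nginx, Apache must only serve loopback #}`. The admin `<VirtualHost>` continues past the end of the hunk.

```jinja
{% set venv_path = '/var/lib/microservices/venv/lib/python2.7/site-packages' %}
{# behind the TLS-terminating nginx, Apache must only serve loopback #}
{% set bind_addr = '127.0.0.1' if keystone.tls.enabled else '*' %}

Listen {{ bind_addr }}:{{ keystone.public_port.cont }}
Listen {{ bind_addr }}:{{ keystone.admin_port.cont }}

<VirtualHost {{ bind_addr }}:{{ keystone.public_port.cont }}>
{# … unchanged: keystone-public WSGI directives … #}
</VirtualHost>

<VirtualHost {{ bind_addr }}:{{ keystone.admin_port.cont }}>
{# … unchanged: keystone-admin WSGI directives … #}
```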

+ 38
- 0
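--- a/service/keystone.yaml
+++ b/service/keystone.yaml
@@ -16,6 +16,9 @@ service:
           type: "httpGet"
           port: {{ keystone.admin_port.cont }}
           path: "/"
+          # {% if keystone.tls.enabled %}
+          scheme: "https"
+          # {% endif %}
       volumes:
         - name: keystone-logs
           path: "/var/log/ccp/keystone"
@@ -78,6 +81,9 @@ service:
           - keystone-conf
           - wsgi-keystone-conf
           - credential-key
+          # {% if keystone.tls.enabled %}
+          - ca_cert
+          # {% endif %}
         secrets:
           - keystone-fernet
         command: daemon.sh
@@ -90,6 +96,17 @@ service:
           dependencies:
             - keystone-create-domain
           command: openstack project create --domain {{ service_account.domain }} {{ service_account.project }}
+    # {% if keystone.tls.enabled %}
+    - name: nginx
+      image: nginx
+      daemon:
+        files:
+          - upstreams
+          - servers
+          - server-cert
+          - server-key
+        command: nginx
+    # {% endif %}
 
 files:
   keystone-conf:
@@ -108,6 +125,27 @@ files:
     content: fernet-manage.py
     perm: "0400"
     user: keystone
+  # {% if keystone.tls.enabled %}
+  servers:
+    path: /etc/nginx/conf.d/servers.conf
+    content: servers.conf.j2
+    perm: "0400"
+  upstreams:
+    path: /etc/nginx/conf.d/upstreams.conf
+    content: upstreams.conf.j2
+    perm: "0400"
+  ca_cert:
+    path: /opt/ccp/etc/tls/ca.pem
+    content: ca-cert.pem.j2
+  server-cert:
+    path: /opt/ccp/etc/tls/server-cert.pem
+    content: server-cert.pem.j2
+    perm: "0400"
+  server-key:
+    path: /opt/ccp/etc/tls/server-key.pem
+    content: server-key.pem.j2
+    perm: "0400"
+  # {% endif %}
 secrets:
   keystone-fernet:
     path: "/etc/keystone/fernet-keys"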
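Review bot: In the last hunk the TLS private key is declared under `files:` (`server-key`) next to ordinary configuration, although this file already separates sensitive material into `secrets:` (`keystone-fernet`); unless `files:` entries get the same handling in fuel-ccp, `server-key` belongs under `secrets:`, and a comment on the entry should say which it is and why, e.g. `# private key: delivered like keystone-fernet, never as a plain config file`. `perm: "0400"` without a `user:` (the sibling `fernet-manage.py` sets `user: keystone`) makes the key readable only by whatever owner the entrypoint assigns, so confirm that is the uid the nginx master process runs as in the `nginx` image; `ca_cert` is the only new entry with no `perm`, which is harmless for a public CA but worth stating. The liveness probe in the first hunk now uses `scheme: "https"` on `keystone.admin_port.cont`, which under TLS is served by nginx on `network_topology["private"]["address"]` while Apache keeps 127.0.0.1; whether the address the kubelet probes is that private address is not visible here and should be verified.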
