Add TLS support for Keystone
- Add files for certificates - Add config file for nginx service - Update service definition by adding new container for nginx - Update wsgi to use localhost This patch requires patches in other repos: - fuel-ccp - fuel-ccp-entrypoint - fuel-ccp-nginx Co-Authored-By: Artur Zarzycki <azarzycki@mirantis.com> Depends-On: I65002b7ff9cfa2faf9d5bce470334aae95334d00 Depends-On: I88bc21571589dcd4c31bb5ce5015a75676ed2d85 Depends-On: I0660cc3ca2723bc06871b61f859adfed42c0d807 Change-Id: If796ea145c0a6b1bcb711496a4ad97a0a4ac2fb2
This commit is contained in:
parent
7aaf8cc10b
commit
0a9850e1d4
|
@ -9,4 +9,7 @@ project_name = {{ service_account.project }}
|
||||||
username = {{ username }}
|
username = {{ username }}
|
||||||
password = {{ password }}
|
password = {{ password }}
|
||||||
memcached_servers = {{ address("memcached", memcached.port) }}
|
memcached_servers = {{ address("memcached", memcached.port) }}
|
||||||
|
{% if keystone.tls.enabled %}
|
||||||
|
cafile = /opt/ccp/etc/tls/ca.pem
|
||||||
|
{% endif %}
|
||||||
{%- endmacro %}
|
{%- endmacro %}
|
||||||
|
|
|
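Review bot: The new `cafile = /opt/ccp/etc/tls/ca.pem` line hard-codes a path that the service definition in this same commit spells out again in its `ca_cert` file entry, so the two can drift apart without any render-time error, and a drifted path would surface only when Keystone first tries to read the CA bundle. A template comment tying them together would help: `{# must match files.ca_cert.path in the service definition #}`. The macro this hunk edits begins before the hunk, so the rest of its body is not visible here.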
@ -0,0 +1 @@
|
||||||
|
{{ security.tls.ca_cert }}
|
|
@ -1,7 +1,8 @@
|
||||||
configs:
|
configs:
|
||||||
keystone:
|
keystone:
|
||||||
debug: false
|
debug: false
|
||||||
|
tls:
|
||||||
|
enabled: true
|
||||||
public_port:
|
public_port:
|
||||||
cont: 5000
|
cont: 5000
|
||||||
ingress: identity
|
ingress: identity
|
||||||
|
|
|
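Review bot: `tls: enabled: true` turns TLS on by default, but nothing in this file records that the templates it gates (`ca-cert.pem.j2`, `server-cert.pem.j2`, `server-key.pem.j2`) read `security.tls.ca_cert`, `security.tls.server_cert` and `security.tls.server_key`, which the commit message says are supplied by patches in other repos. A deployment rendering this without those values set would presumably produce empty certificate files and an nginx that fails to start, with the cause far away from this default. A comment above the new key would make the dependency explicit: `# requires security.tls.{ca_cert,server_cert,server_key} to be provided`.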
@ -0,0 +1 @@
|
||||||
|
{{ security.tls.server_cert }}
|
|
@ -0,0 +1 @@
|
||||||
|
{{ security.tls.server_key }}
|
|
@ -0,0 +1,18 @@
|
||||||
|
server {
|
||||||
|
listen {{ network_topology["private"]["address"] }}:{{ keystone.admin_port.cont }} ssl;
|
||||||
|
include common/ssl.conf;
|
||||||
|
|
||||||
|
location / {
|
||||||
|
proxy_pass http://keystone_admin;
|
||||||
|
include common/proxy-headers.conf;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
server {
|
||||||
|
listen {{ network_topology["private"]["address"] }}:{{ keystone.public_port.cont }} ssl;
|
||||||
|
include common/ssl.conf;
|
||||||
|
|
||||||
|
location / {
|
||||||
|
proxy_pass http://keystone_public;
|
||||||
|
include common/proxy-headers.conf;
|
||||||
|
}
|
||||||
|
}
|
|
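Review bot: Both `server` blocks forward to plain-HTTP upstreams, so Keystone only learns that the client used HTTPS if the proxied headers include `X-Forwarded-Proto` and Keystone is configured to honour it; `common/proxy-headers.conf` comes from another repo and its contents are not visible here, so this cannot be confirmed from the hunk. If that header is absent, the self-links and version-discovery URLs Keystone returns would presumably carry `http://`, pointing clients at a scheme the service no longer exposes on the private address. A short comment on each `include common/proxy-headers.conf;` line would name the expectation: `# must set X-Forwarded-Proto so keystone builds https:// links`.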
@ -0,0 +1,6 @@
|
||||||
|
upstream keystone_admin {
|
||||||
|
server 127.0.0.1:{{ keystone.admin_port.cont }};
|
||||||
|
}
|
||||||
|
upstream keystone_public {
|
||||||
|
server 127.0.0.1:{{ keystone.public_port.cont }};
|
||||||
|
}
|
|
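Review bot: Each upstream reuses the very port number nginx itself listens on in servers.conf.j2 (`keystone.admin_port.cont`, `keystone.public_port.cont`); the two do not collide only because nginx binds the private address while, per the wsgi template in this commit, Apache binds `127.0.0.1`. That coupling is invisible from this file, so a comment would save the next reader from assuming a proxy loop: `# apache listens on 127.0.0.1:<port>; nginx fronts the same port on the private address`. If the private address ever resolved to the loopback address the two listeners would conflict at start-up, which is a further reason to state the assumption here.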
@ -1,8 +1,18 @@
|
||||||
{% set venv_path = '/var/lib/microservices/venv/lib/python2.7/site-packages' %}
|
{% set venv_path = '/var/lib/microservices/venv/lib/python2.7/site-packages' %}
|
||||||
|
|
||||||
|
{% if keystone.tls.enabled %}
|
||||||
|
Listen 127.0.0.1:{{ keystone.public_port.cont }}
|
||||||
|
Listen 127.0.0.1:{{ keystone.admin_port.cont }}
|
||||||
|
{% else %}
|
||||||
Listen {{ keystone.public_port.cont }}
|
Listen {{ keystone.public_port.cont }}
|
||||||
Listen {{ keystone.admin_port.cont }}
|
Listen {{ keystone.admin_port.cont }}
|
||||||
|
{% endif %}
|
||||||
|
|
||||||
|
{% if keystone.tls.enabled %}
|
||||||
|
<VirtualHost 127.0.0.1:{{ keystone.public_port.cont }}>
|
||||||
|
{% else %}
|
||||||
<VirtualHost *:{{ keystone.public_port.cont }}>
|
<VirtualHost *:{{ keystone.public_port.cont }}>
|
||||||
|
{% endif %}
|
||||||
WSGIDaemonProcess keystone-public processes={{ keystone.wsgi.processes }} threads={{ keystone.wsgi.threads }} user=keystone group=keystone display-name=%{GROUP} python-path={{ venv_path }}
|
WSGIDaemonProcess keystone-public processes={{ keystone.wsgi.processes }} threads={{ keystone.wsgi.threads }} user=keystone group=keystone display-name=%{GROUP} python-path={{ venv_path }}
|
||||||
WSGIProcessGroup keystone-public
|
WSGIProcessGroup keystone-public
|
||||||
WSGIScriptAlias / /var/www/cgi-bin/keystone/public
|
WSGIScriptAlias / /var/www/cgi-bin/keystone/public
|
||||||
|
@ -17,7 +27,11 @@ Listen {{ keystone.admin_port.cont }}
|
||||||
CustomLog "/var/log/ccp/keystone/keystone-access.log" access
|
CustomLog "/var/log/ccp/keystone/keystone-access.log" access
|
||||||
</VirtualHost>
|
</VirtualHost>
|
||||||
|
|
||||||
|
{% if keystone.tls.enabled %}
|
||||||
|
<VirtualHost 127.0.0.1:{{ keystone.admin_port.cont }}>
|
||||||
|
{% else %}
|
||||||
<VirtualHost *:{{ keystone.admin_port.cont }}>
|
<VirtualHost *:{{ keystone.admin_port.cont }}>
|
||||||
|
{% endif %}
|
||||||
WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP} python-path={{ venv_path }}
|
WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP} python-path={{ venv_path }}
|
||||||
WSGIProcessGroup keystone-admin
|
WSGIProcessGroup keystone-admin
|
||||||
WSGIScriptAlias / /var/www/cgi-bin/keystone/admin
|
WSGIScriptAlias / /var/www/cgi-bin/keystone/admin
|
||||||
|
|
|
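Review bot: The same `{% if keystone.tls.enabled %}` / `{% else %}` test is repeated three times across the two hunks just to switch between the `127.0.0.1` bind and the wildcard, which is easy to get out of step when another port is added. A single pair of settings next to the existing `venv_path` line, `{% set bind = '127.0.0.1:' if keystone.tls.enabled else '' %}` for the `Listen {{ bind }}{{ keystone.public_port.cont }}` lines and `{% set vhost = '127.0.0.1' if keystone.tls.enabled else '*' %}` for the `<VirtualHost {{ vhost }}:{{ keystone.public_port.cont }}>` lines, would reduce each conditional to one line while rendering the same text. The intent is also worth stating once, since the loopback bind is what keeps plaintext HTTP unreachable from outside the pod once nginx terminates TLS: `{# with TLS enabled apache binds loopback only; nginx on the private address terminates TLS #}`. The `<VirtualHost>` block for keystone-admin in the second hunk continues past the end of the hunk.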
@ -16,6 +16,9 @@ service:
|
||||||
type: "httpGet"
|
type: "httpGet"
|
||||||
port: {{ keystone.admin_port.cont }}
|
port: {{ keystone.admin_port.cont }}
|
||||||
path: "/"
|
path: "/"
|
||||||
|
# {% if keystone.tls.enabled %}
|
||||||
|
scheme: "https"
|
||||||
|
# {% endif %}
|
||||||
volumes:
|
volumes:
|
||||||
- name: keystone-logs
|
- name: keystone-logs
|
||||||
path: "/var/log/ccp/keystone"
|
path: "/var/log/ccp/keystone"
|
||||||
|
@ -78,6 +81,9 @@ service:
|
||||||
- keystone-conf
|
- keystone-conf
|
||||||
- wsgi-keystone-conf
|
- wsgi-keystone-conf
|
||||||
- credential-key
|
- credential-key
|
||||||
|
# {% if keystone.tls.enabled %}
|
||||||
|
- ca_cert
|
||||||
|
# {% endif %}
|
||||||
secrets:
|
secrets:
|
||||||
- keystone-fernet
|
- keystone-fernet
|
||||||
command: daemon.sh
|
command: daemon.sh
|
||||||
|
@ -90,6 +96,17 @@ service:
|
||||||
dependencies:
|
dependencies:
|
||||||
- keystone-create-domain
|
- keystone-create-domain
|
||||||
command: openstack project create --domain {{ service_account.domain }} {{ service_account.project }}
|
command: openstack project create --domain {{ service_account.domain }} {{ service_account.project }}
|
||||||
|
# {% if keystone.tls.enabled %}
|
||||||
|
- name: nginx
|
||||||
|
image: nginx
|
||||||
|
daemon:
|
||||||
|
files:
|
||||||
|
- upstreams
|
||||||
|
- servers
|
||||||
|
- server-cert
|
||||||
|
- server-key
|
||||||
|
command: nginx
|
||||||
|
# {% endif %}
|
||||||
|
|
||||||
files:
|
files:
|
||||||
keystone-conf:
|
keystone-conf:
|
||||||
|
@ -108,6 +125,27 @@ files:
|
||||||
content: fernet-manage.py
|
content: fernet-manage.py
|
||||||
perm: "0400"
|
perm: "0400"
|
||||||
user: keystone
|
user: keystone
|
||||||
|
# {% if keystone.tls.enabled %}
|
||||||
|
servers:
|
||||||
|
path: /etc/nginx/conf.d/servers.conf
|
||||||
|
content: servers.conf.j2
|
||||||
|
perm: "0400"
|
||||||
|
upstreams:
|
||||||
|
path: /etc/nginx/conf.d/upstreams.conf
|
||||||
|
content: upstreams.conf.j2
|
||||||
|
perm: "0400"
|
||||||
|
ca_cert:
|
||||||
|
path: /opt/ccp/etc/tls/ca.pem
|
||||||
|
content: ca-cert.pem.j2
|
||||||
|
server-cert:
|
||||||
|
path: /opt/ccp/etc/tls/server-cert.pem
|
||||||
|
content: server-cert.pem.j2
|
||||||
|
perm: "0400"
|
||||||
|
server-key:
|
||||||
|
path: /opt/ccp/etc/tls/server-key.pem
|
||||||
|
content: server-key.pem.j2
|
||||||
|
perm: "0400"
|
||||||
|
# {% endif %}
|
||||||
secrets:
|
secrets:
|
||||||
keystone-fernet:
|
keystone-fernet:
|
||||||
path: "/etc/keystone/fernet-keys"
|
path: "/etc/keystone/fernet-keys"
|
||||||
|
|
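Review bot: `server-key` is delivered through `files:` alongside the public certificate and the nginx configs, while this same definition already has a `secrets:` section used for `keystone-fernet`; a private TLS key is at least as sensitive as the fernet keys and should take whatever path the framework reserves for secret material, assuming `secrets:` differs from `files:` in how content is stored and exposed (that mechanism lives in fuel-ccp and is not visible here). `perm: "0400"` limits who can read the rendered file on the node, but it does not change where the key is held before rendering. Separately, `ca_cert` is the only one of the five new file entries without a `perm:`; if that is deliberate because the keystone process, which this file runs as `user: keystone`, must read it for the `cafile` setting, a one-line comment would stop a later cleanup from adding `"0400"` and breaking CA validation: `# readable by the keystone user: referenced as cafile in keystone.conf`.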