TLS support for Nova services

Change-Id: I36f67df4f02d80ba293fc7d8d496ad9ed6d14032
2017-01-31 14:19:23 +01:00 · 2017-01-31 14:19:23 +01:00 · a78d9aba2e
parent dd34d885db
commit a78d9aba2e
10 changed files with 147 additions and 3 deletions
--- a/service/files/ca-cert.pem.j2
+++ b/service/files/ca-cert.pem.j2
@ -0,0 +1 @@
+{{ security.tls.ca_cert }}
--- a/service/files/defaults.yaml
+++ b/service/files/defaults.yaml
@ -1,5 +1,7 @@
 configs:
  nova:
+    tls:
+      enabled: true
    db:
      password: password
      name: nova
--- a/service/files/nginx-nova-api.conf.j2
+++ b/service/files/nginx-nova-api.conf.j2
@ -0,0 +1,18 @@
+   server {
+           listen {{ network_topology["private"]["address"] }}:{{ nova.api_port.cont }} ssl;
+           include common/ssl.conf;
+
+           location / {
+                   proxy_pass http://nova_api;
+                   include common/proxy-headers.conf;
+           }
+   }
+   server {
+           listen {{ network_topology["private"]["address"] }}:{{ nova.metadata.port.cont }} ssl;
+           include common/ssl.conf;
+
+           location / {
+                   proxy_pass http://nova_metadata;
+                   include common/proxy-headers.conf;
+           }
+   }
--- a/service/files/nginx-novncproxy.conf.j2
+++ b/service/files/nginx-novncproxy.conf.j2
@ -0,0 +1,9 @@
+   server {
+           listen {{ network_topology["private"]["address"] }}:{{ nova.novncproxy_port.cont }} ssl;
+           include common/ssl.conf;
+
+           location / {
+                   proxy_pass http://novncproxy;
+                   include common/proxy-headers.conf;
+           }
+   }
--- a/service/files/nova.conf.j2
+++ b/service/files/nova.conf.j2
@ -4,10 +4,14 @@ debug = {{ nova.debug }}

 state_path = /var/lib/nova

+{% if nova.tls.enabled %}
+osapi_compute_listen=127.0.0.1
+metadata_listen = 127.0.0.1
+{% else %}
 osapi_compute_listen = {{ network_topology["private"]["address"] }}
-osapi_compute_listen_port = {{ nova.api_port.cont }}
-
 metadata_listen = {{ network_topology["private"]["address"] }}
+{% endif %}
+osapi_compute_listen_port = {{ nova.api_port.cont }}
 metadata_listen_port = {{ nova.metadata.port.cont }}

 use_neutron = true
@ -49,7 +53,11 @@ secure_proxy_ssl_header = HTTP_X_FORWARDED_PROTO

 {% if nova.console == 'novnc' %}
 [vnc]
+{% if nova.tls.enabled %}
+novncproxy_host = 127.0.0.1
+{% else %}
 novncproxy_host = {{ network_topology["private"]["address"] }}
+{% endif %}
 novncproxy_port = {{ nova.novncproxy_port.cont }}
 vncserver_listen = {{ network_topology["private"]["address"] }}
 vncserver_proxyclient_address = {{ network_topology["private"]["address"] }}
@ -88,8 +96,16 @@ api_endpoint = {{ address('ironic-api', ironic.api_port, with_sceme=True) }}/v1
 [oslo_concurrency]
 lock_path = /var/lib/nova/tmp

+{% if glance.tls.enabled %}
+[ssl]
+ca_file = /opt/ccp/etc/tls/ca.pem
+{% endif %}
+
 [glance]
-api_servers = {{ address('glance-api', glance.api_port) }}
+{% if glance.tls.enabled %}
+protocol = https
+{% endif %}
+api_servers = {{ address('glance-api', glance.api_port, with_scheme=True) }}
 # We need to do N number of retries here, N = number of glance-api daemons running
 # FIXME
 num_retries = 1
@ -98,6 +114,10 @@ num_retries = 1
 catalog_info = volumev2:cinder:internalURL

 [neutron]
+{% if neutron.tls.enabled %}
+protocol = https
+cafile = /opt/ccp/etc/tls/ca.pem
+{% endif %}
 url = {{ address('neutron-server', neutron.server_port, with_scheme=True) }}
 auth_strategy = keystone
 metadata_proxy_shared_secret = {{ nova.metadata.secret }}
@ -164,6 +184,12 @@ compute = auto
 [wsgi]
 api_paste_config = /etc/nova/api-paste.ini

+{% if nova.tls.enabled %}
+[oslo_middleware]
+enable_proxy_headers_parsing = true
+{% endif %}
+
+
 [oslo_messaging_notifications]
 {% if searchlight is defined and searchlight.services.nova %}
 driver = {{ searchlight.notification_driver }}
--- a/service/files/server-cert.pem.j2
+++ b/service/files/server-cert.pem.j2
@ -0,0 +1 @@
+{{ security.tls.server_cert }}
--- a/service/files/server-key.pem.j2
+++ b/service/files/server-key.pem.j2
@ -0,0 +1 @@
+{{ security.tls.server_key }}
--- a/service/files/upstreams.conf.j2
+++ b/service/files/upstreams.conf.j2
@ -0,0 +1,11 @@
+upstream novncproxy {
+    server 127.0.0.1:{{ nova.novncproxy_port.cont }};
+}
+
+upstream nova_api {
+   server 127.0.0.1:{{ nova.api_port.cont }};
+}
+
+upstream nova_metadata {
+   server 127.0.0.1:{{ nova.metadata.port.cont }};
+}
--- a/service/nova-api.yaml
+++ b/service/nova-api.yaml
@ -103,6 +103,9 @@ service:
        command: nova-api --config-file /etc/nova/nova.conf
        files:
          - nova.conf
+          # {% if nova.tls.enabled %}
+          - ca-cert
+          # {% endif %}
      # {% if nova.bootstrap.enable %}
      post:
      # {% for flavor in nova.bootstrap.flavors %}
@ -111,8 +114,22 @@ service:
          command: /opt/ccp/bin/create-flavor.sh {{ flavor.name }} {{ flavor.id }} {{ flavor.ram }} {{ flavor.disk }} {{ flavor.vcpus }}
          files:
            - create-flavor.sh
+    # {% if nova.tls.enabled %}
+            - ca-cert
+    # {% endif %}
      # {% endfor %}
      # {% endif %}
+    # {% if nova.tls.enabled %}
+    - name: nginx-nova-api
+      image: nginx
+      daemon:
+        files:
+          - upstreams
+          - servers
+          - server-cert
+          - server-key
+        command: nginx
+    # {% endif %}

 files:
  nova.conf:
@ -124,3 +141,25 @@ files:
    path: /opt/ccp/bin/create-flavor.sh
    content: create-flavor.sh.j2
    perm: "0700"
+  # {% if nova.tls.enabled %}
+  servers:
+    path: /etc/nginx/conf.d/servers.conf
+    content: nginx-nova-api.conf.j2
+    perm: "0400"
+  upstreams:
+    path: /etc/nginx/conf.d/upstreams.conf
+    content: upstreams.conf.j2
+    perm: "0400"
+  server-cert:
+    path: /opt/ccp/etc/tls/server-cert.pem
+    content: server-cert.pem.j2
+    perm: "0400"
+  server-key:
+    path: /opt/ccp/etc/tls/server-key.pem
+    content: server-key.pem.j2
+    perm: "0400"
+  ca-cert:
+    path: /opt/ccp/etc/tls/ca.pem
+    content: ca-cert.pem.j2
+    perm: "0400"
+  # {% endif %}
--- a/service/nova-novncproxy.yaml
+++ b/service/nova-novncproxy.yaml
@ -10,10 +10,46 @@ service:
        command: nova-novncproxy --config-file /etc/nova/nova.conf
        files:
          - nova.conf
+    # {% if nova.tls.enabled %}
+          - ca-cert
+    # {% endif %}
        dependencies:
          - nova-db-migrations
+    # {% if nova.tls.enabled %}
+    - name: nginx-nova-novncproxy
+      image: nginx
+      daemon:
+        files:
+          - upstreams
+          - servers
+          - server-cert
+          - server-key
+        command: nginx
+    # {% endif %}
 files:
  nova.conf:
    path: /etc/nova/nova.conf
    content: nova.conf.j2
    perm: "0600"
+  # {% if nova.tls.enabled %}
+  servers:
+    path: /etc/nginx/conf.d/servers.conf
+    content: nginx-novncproxy.conf.j2
+    perm: "0400"
+  upstreams:
+    path: /etc/nginx/conf.d/upstreams.conf
+    content: upstreams.conf.j2
+    perm: "0400"
+  server-cert:
+    path: /opt/ccp/etc/tls/server-cert.pem
+    content: server-cert.pem.j2
+    perm: "0400"
+  server-key:
+    path: /opt/ccp/etc/tls/server-key.pem
+    content: server-key.pem.j2
+    perm: "0400"
+  ca-cert:
+    path: /opt/ccp/etc/tls/ca.pem
+    content: ca-cert.pem.j2
+    perm: "0400"
+  # {% endif %}