064aae8458
This patch provides TLS endpoints secured by a self-signed certificate. Another patch will provide support for trusted CA-signed certificates. A new config.tls.generate-cert option is added that defaults to true. When true, a self-signed certificate will be generated and OpenStack API endpoints will be configured to use TLS with that self-signed certificate. The following config options are added: snap get microstack config.tls.generate-self-signed snap get microstack config.tls.cacert-path snap get microstack config.tls.cert-path snap get microstack config.tls.key-path Users can provide their own self-signed certificate by setting generate-self-signed to false and storing their own certificates/key at the paths specified by cacert-path, cert-path, and key-path. 'snap set' can also be used to change the cert/key file names. If using clustering, the certificates/key will be copied from the control node to the compute nodes. The config for cacert-path, cert-path, and key-path will be set to the same values as on the control node. Other notable changes: * The existing generate_selfsigned() function is modified to change the subject alternative name to be made up of the hostname and optionally an IP. The controller hostname and IP are used when generating the certificate for self-signed TLS endpoints. The hostname is now used instead of 'microstack.run' when generating the clustering certificate. * This change also aligns logging for nginx and corresponding sites and moves all nginx sites to {snap_common}/etc/nginx/sites-enabled. Change-Id: Iceea3127822404a3275fcf8a221cbedc4b52c217
38 lines
1.6 KiB
Bash
38 lines
1.6 KiB
Bash
#!/bin/bash
|
|
# This is a script that helps test configure and install hook commands,
|
|
# without the need to rebuild the snap with each change. It works in
|
|
# concert with a "configure-the-things" app in the snap, which will
|
|
# find and run this script if you put it in the right place.
|
|
# To use this script:
|
|
# 1) Install microstack on a machine
|
|
# 2) Copy (or symlink) this script into
|
|
# /var/snap/microstack/common/bin/configure-the-things.sh
|
|
# 3) Run microstack.configure-the-things
|
|
|
|
set -ex
|
|
|
|
MYSQL_PASSWORD=fnord # TODO use snapctl
|
|
MYSQL_TMP_PASSWORD=`sudo cat /var/snap/microstack/common/log/error.log | grep "temporary password" | cut -d " " -f11`
|
|
|
|
echo "ALTER USER 'root'@'10.20.20.1' IDENTIFIED BY 'fnord';" | microstack.mysql-client -u root -p"$MYSQL_TMP_PASSWORD" --connect-expired-password
|
|
|
|
echo "CREATE DATABASE IF NOT EXISTS keystone; GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'10.20.20.1' IDENTIFIED BY 'keystone';" | sudo microstack.mysql-client -u root -p"$MYSQL_PASSWORD"
|
|
|
|
sudo microstack.keystone-manage fernet_setup --keystone-user root --keystone-group root
|
|
sudo microstack.keystone-manage db_sync
|
|
|
|
sudo systemctl restart snap.microstack.*
|
|
|
|
microstack.openstack user show admin || {
|
|
sudo microstack.keystone-manage bootstrap \
|
|
--bootstrap-password $OS_PASSWORD \
|
|
--bootstrap-admin-url https://10.20.20.1:5000/v3/ \
|
|
--bootstrap-internal-url https://10.20.20.1:5000/v3/ \
|
|
--bootstrap-public-url https://10.20.20.1:5000/v3/ \
|
|
--bootstrap-region-id microstack
|
|
}
|
|
|
|
microstack.openstack project show service || {
|
|
microstack.openstack project create --domain default --description "Service Project" service
|
|
}
|