Use correct endpoint scheme for api to registry connection

The ['openstack']['image']['ssl']['enabled'] attribute was being used for
both the API/Registry services AND the API's internal connection
to the registry.

Need to allow for separate control for enabling SSL for API and Registry.
Added attributes to cover this.

And the APIs internal connection to the registry needs to be
configured correctly based upon the Registry's internal endpoint scheme
(http or https).

Change-Id: Ieed28ad891192d81356c0d40ba48d70517087950
Closes-Bug: #1462388
This commit is contained in:
Mark Vanderwiel 2015-06-04 15:22:37 -05:00
parent b2dc2318e7
commit 3ede834e41
7 changed files with 75 additions and 27 deletions


@ -156,7 +156,11 @@ TODO: Add DB2 support on other platforms
SSL attributes
---------------
* `openstack['image']['ssl']['enabled']` - Enable SSL for Glance API and registry endpoints. NOTE: Once enabled, Glance service endpoint must be configured to use https on Keystone. Default is false.
Once SSL is enabled, endpoints attributes in Common need to updated to specify the https protocol.
* `openstack['image']['ssl']['enabled']` - Enable SSL for Glance API and registry bind endpoints. Default is false.
* `openstack['image']['ssl']['api']['enabled']` - Enable SSL for Glance API bind endpoint. Default is from ['image']['ssl']['enabled'].
* `openstack['image']['ssl']['registry']['enabled']` - Enable SSL for Glance Registry bind endpoint. Default is from ['image']['ssl']['enabled'].
* `openstack['image']['ssl']['basedir']` - Base directory for SSL certficate and key file.
* `openstack['image']['ssl']['cert_file']` - Path of the cert file for SSL.
* `openstack['image']['ssl']['key_file']` - Path of the keyfile for SSL.


@ -28,9 +28,12 @@ default['openstack']['image']['custom_template_banner'] = '
'
# SSL Options
# Enable SSL for glance-api endpoint. NOTE: Once enabled, Glance service endpoint
# must be set to https on Keystone
# Enable SSL for glance api and registry bind endpoints.
default['openstack']['image']['ssl']['enabled'] = false
# Enable SSL for glance api bind endpoint.
default['openstack']['image']['ssl']['api']['enabled'] = node['openstack']['image']['ssl']['enabled']
# Enable SSL for glance registry bind endpoint.
default['openstack']['image']['ssl']['registry']['enabled'] = node['openstack']['image']['ssl']['enabled']
# Base directory for SSL certficate and key
default['openstack']['image']['ssl']['basedir'] = '/etc/glance/ssl'
# Path of the cert file for SSL.
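Review bot: The two new derived defaults, `default['openstack']['image']['ssl']['api']['enabled'] = node['openstack']['image']['ssl']['enabled']` and its registry twin, copy the value of `['ssl']['enabled']` as it stands when this attribute file is evaluated, so anything that sets `['ssl']['enabled']` afterwards (a wrapper cookbook's attribute file loaded later, or a `node.set` in a recipe) does not flow through to the api/registry flags. That is a reasonable design, but the comments on the two lines should say so, since an operator who flips only the umbrella flag later will get a plaintext bind with no error. Something like `# Defaults to ['ssl']['enabled'] as read when this file loads; set this attribute directly if 'enabled' is changed after attribute load.` on each of the two lines would make the contract explicit.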


@ -169,6 +169,7 @@ template '/etc/glance/glance-api.conf' do
api_bind_port: api_bind.port,
registry_ip_address: registry_endpoint.host,
registry_port: registry_endpoint.port,
registry_scheme: registry_endpoint.scheme,
sql_connection: sql_connection,
glance_flavor: glance_flavor,
auth_uri: auth_uri,
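Review bot: `registry_scheme: registry_endpoint.scheme` is handed to the template unchecked, and the template both writes it verbatim into `registry_client_protocol` and keys every TLS client setting on it being exactly `'https'`, while the registry's own listener is switched on by the unrelated `node['openstack']['image']['ssl']['registry']['enabled']`. Nothing in the recipe checks that the two agree, so a deployment with the endpoint scheme at `http` and the registry bound with TLS (or the reverse) converges cleanly and only fails when the API first talks to the registry, and an unexpected scheme value is written into the config without complaint. A converge-time warning next to this template resource would surface the mismatch early: `if (registry_endpoint.scheme == 'https') != node['openstack']['image']['ssl']['registry']['enabled']` / `Chef::Log.warn("image-registry endpoint scheme #{registry_endpoint.scheme} does not match ['image']['ssl']['registry']['enabled']")` / `end`. The `template '/etc/glance/glance-api.conf'` resource this hunk sits in starts and ends outside the hunk, so where `registry_endpoint` is assigned is not visible here.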


@ -100,7 +100,15 @@ describe 'openstack-image::api' do
key_file: '/etc/glance/ssl/private/sslkey.pem'
}
it 'configures SSL cert and key file' do
it 'configures SSL cert and key file when api is enabled for ssl' do
node.set['openstack']['image']['ssl']['api']['enabled'] = true
default_opts.each do |key, val|
r = line_regexp("#{key} = #{val}")
expect(chef_run).to render_config_file(file.name).with_section_content('DEFAULT', r)
end
end
it 'configures SSL cert and key file when glance is enabled ssl' do
node.set['openstack']['image']['ssl']['enabled'] = true
default_opts.each do |key, val|
r = line_regexp("#{key} = #{val}")
@ -124,14 +132,13 @@ describe 'openstack-image::api' do
context 'glance-registry configuration with ssl enabled' do
it 'sets registry client protocol to https' do
node.set['openstack']['image']['ssl']['enabled'] = true
node.set['openstack']['endpoints']['image-registry']['scheme'] = 'https'
expect(chef_run).to render_config_file(file.name).with_section_content('DEFAULT', /^registry_client_protocol = https$/)
end
# if cert required then certfile
context 'glance-registry with cert required' do
it 'configures CA cert file' do
node.set['openstack']['image']['ssl']['enabled'] = true
node.set['openstack']['endpoints']['image-registry']['scheme'] = 'https'
node.set['openstack']['image']['ssl']['cert_required'] = true
node.set['openstack']['image']['registry']['auth']['cafile'] = '/etc/glance/ssl/certs/sslca.pem'
r = line_regexp('registry_client_ca_file = /etc/glance/ssl/certs/sslca.pem')
@ -139,9 +146,34 @@ describe 'openstack-image::api' do
end
end
context 'glance-registry key and cert files' do
default_opts = {
registry_client_cert_file: '/etc/glance/ssl/certs/sslcert.pem',
registry_client_key_file: '/etc/glance/ssl/private/sslkey.pem'
}
it 'configures registry client key and cert files' do
node.set['openstack']['endpoints']['image-registry']['scheme'] = 'https'
default_opts.each do |key, val|
r = line_regexp("#{key} = #{val}")
expect(chef_run).to render_config_file(file.name).with_section_content('DEFAULT', r)
end
end
it 'does not configure registry client key and cert files when nil or empty' do
node.set['openstack']['endpoints']['image-registry']['scheme'] = 'https'
node.set['openstack']['openstack']['image']['ssl']['cert_file'] = nil
node.set['openstack']['openstack']['image']['ssl']['key_file'] = ''
default_opts.each do |key|
r = line_regexp("#{key} =")
expect(chef_run).not_to render_config_file(file.name).with_section_content('DEFAULT', r)
end
end
end
context 'glance-registry with cert not required' do
it 'does not configure CA cert file' do
node.set['openstack']['image']['ssl']['enabled'] = true
node.set['openstack']['endpoints']['image-registry']['scheme'] = 'https'
node.set['openstack']['image']['ssl']['cert_required'] = false
node.set['openstack']['image']['registry']['auth']['cafile'] = '/etc/glance/ssl/certs/sslca.pem'
r = line_regexp('registry_client_ca_file = /etc/glance/ssl/certs/sslca.pem')
@ -151,7 +183,7 @@ describe 'openstack-image::api' do
context 'glance-registry with certificate validation enabled' do
it 'enables SSL in insecure mode' do
node.set['openstack']['image']['ssl']['enabled'] = true
node.set['openstack']['endpoints']['image-registry']['scheme'] = 'https'
node.set['openstack']['image']['registry']['auth']['insecure'] = false
r = line_regexp('registry_client_insecure = false')
expect(chef_run).to render_config_file(file.name).with_section_content('DEFAULT', r)
@ -160,7 +192,7 @@ describe 'openstack-image::api' do
context 'glance-registry with certificate validation disabled' do
it 'enables SSL in secure mode' do
node.set['openstack']['image']['ssl']['enabled'] = true
node.set['openstack']['endpoints']['image-registry']['scheme'] = 'https'
node.set['openstack']['image']['registry']['auth']['insecure'] = true
r = line_regexp('registry_client_insecure = true')
expect(chef_run).to render_config_file(file.name).with_section_content('DEFAULT', r)
@ -170,7 +202,6 @@ describe 'openstack-image::api' do
context 'glance-registry configuration with ssl disabled' do
it 'sets registry client protocol to http' do
node.set['openstack']['image']['ssl']['enabled'] = false
expect(chef_run).to render_config_file(file.name).with_section_content('DEFAULT', /^registry_client_protocol = http$/)
end
end
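Review bot: The new example 'does not configure registry client key and cert files when nil or empty' writes to a doubled path, `node.set['openstack']['openstack']['image']['ssl']['cert_file'] = nil` (and the same for `key_file`), so the attributes the template actually reads are never cleared and both lines are still rendered. It passes anyway because `default_opts.each do |key|` binds the whole `[key, value]` pair to `key`, so `line_regexp("#{key} =")` is built from the Array's `to_s` and can never match a rendered line — the negative assertion is vacuous, and if `line_regexp` anchors the end of the line then `"#{key} ="` could not match a line carrying a value either. Fix all three together: drop the duplicated `['openstack']`, iterate with `default_opts.each_key do |key|`, and build the pattern from the key alone, e.g. `r = /^#{key} = /`, so the example fails when a value is rendered. Separately, in the two 'certificate validation' contexts the `it` titles are swapped relative to what they assert ('enables SSL in insecure mode' checks `registry_client_insecure = false`); since this commit touches both examples it is a good moment to rename them.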


@ -218,16 +218,25 @@ describe 'openstack-image::registry' do
}
cert = { 'ca_file' => '/etc/glance/ssl/certs/sslca.pem' }
it 'configures SSL cert and key file' do
it 'configures SSL cert and key file when api is enabled for ssl' do
node.set['openstack']['image']['ssl']['registry']['enabled'] = true
default_opts.each do |key, val|
r = line_regexp("#{key} = #{val}")
expect(chef_run).to render_config_file(file.name).with_section_content('DEFAULT', r)
end
end
it 'configures SSL cert and key file when glance is enabled ssl' do
node.set['openstack']['image']['ssl']['enabled'] = true
default_opts.each do |key, val|
r = line_regexp("#{key} = #{val}")
expect(chef_run).to render_config_file(file.name).with_section_content('DEFAULT', r)
end
end
context 'with cert required' do
it 'configures CA cert ' do
node.set['openstack']['image']['ssl']['enabled'] = true
node.set['openstack']['image']['ssl']['registry']['enabled'] = true
node.set['openstack']['image']['ssl']['cert_required'] = true
r = line_regexp("ca_file = #{cert['ca_file']}")
expect(chef_run).to render_config_file(file.name).with_section_content('DEFAULT', r)
@ -236,7 +245,7 @@ describe 'openstack-image::registry' do
context 'with cert not required' do
it 'configures CA cert ' do
node.set['openstack']['image']['ssl']['enabled'] = true
node.set['openstack']['image']['ssl']['registry']['enabled'] = true
node.set['openstack']['image']['ssl']['cert_required'] = false
r = line_regexp("ca_file = #{cert['ca_file']}")
expect(chef_run).not_to render_config_file(file.name).with_section_content('DEFAULT', r)
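Review bot: The renamed example `it 'configures SSL cert and key file when api is enabled for ssl' do` now sets `['ssl']['registry']['enabled']`, so its title was carried over from the api spec and names the wrong flag; `it 'configures SSL cert and key file when registry is enabled for ssl' do` describes what it asserts. The companion 'when glance is enabled ssl' example only passes because `['ssl']['registry']['enabled']` is derived from `['ssl']['enabled']` at attribute-load time, and as the sole example covering that derivation it deserves a one-line comment saying so, e.g. `# registry flag defaults to the umbrella ['ssl']['enabled'] attribute`.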


@ -126,12 +126,11 @@ log_config = /etc/openstack/logging.conf
log_file = /var/log/glance/api.log
<% end %>
# ================= SSL Options ===============================
# Certificate file to use when starting API server securely
<% if node['openstack']['image']['ssl']['api']['enabled'] -%>
<% if node['openstack']['image']['ssl']['enabled'] -%>
# Certificate file to use when starting API server securely
cert_file = <%= node['openstack']['image']['ssl']['cert_file'] %>
# Private key file to use when starting API server securely
@ -160,35 +159,35 @@ registry_host = <%= @registry_ip_address %>
registry_port = <%= @registry_port %>
# What protocol to use when connecting to the registry server?
registry_client_protocol = <%= @registry_scheme %>
<% if node['openstack']['image']['ssl']['enabled'] -%>
# Set to https for secure HTTP communication
registry_client_protocol = https
<% if @registry_scheme == 'https' -%>
<% unless node["openstack"]["image"]['ssl']['key_file'].to_s.empty? -%>
# The path to the key file to use in SSL connections to the
# registry server, if any. Alternately, you may set the
# GLANCE_CLIENT_KEY_FILE environ variable to a filepath of the key file
registry_client_key_file = <%= node['openstack']['image']['ssl']['key_file'] %>
<% end -%>
<% unless node["openstack"]["image"]['ssl']['cert_file'].to_s.empty? -%>
# The path to the cert file to use in SSL connections to the
# registry server, if any. Alternately, you may set the
# GLANCE_CLIENT_CERT_FILE environ variable to a filepath of the cert file
registry_client_cert_file = <%= node['openstack']['image']['ssl']['cert_file'] %>
<% if node['openstack']['image']['ssl']['cert_required'] %>
<% end -%>
<% if node['openstack']['image']['ssl']['cert_required'] -%>
# The path to the certifying authority cert file to use in SSL connections
# to the registry server, if any. Alternately, you may set the
# GLANCE_CLIENT_CA_FILE environ variable to a filepath of the CA cert file
registry_client_ca_file = <%= node['openstack']['image']['registry']['auth']['cafile'] %>
<% end %>
<% end -%>
# When using SSL in connections to the registry server, do not require
# validation via a certifying authority. This is the registry's equivalent of
# specifying --insecure on the command line using glanceclient for the API
# Default: False
registry_client_insecure = <%= node['openstack']['image']['registry']['auth']['insecure'] %>
<% else -%>
registry_client_protocol = http
<% end -%>
# The period of time, in seconds, that the API server will wait for a registry
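Review bot: Inside the new `<% if @registry_scheme == 'https' -%>` branch, `registry_client_key_file` and `registry_client_cert_file` are now skipped when their attribute is nil or empty, but `registry_client_ca_file` is not: with `cert_required` true and `['registry']['auth']['cafile']` unset the template emits `registry_client_ca_file = ` with an empty value. Applying the same guard keeps the three consistent: `<% if node['openstack']['image']['ssl']['cert_required'] && !node['openstack']['image']['registry']['auth']['cafile'].to_s.empty? -%>`. Since `registry_client_protocol = <%= @registry_scheme %>` now writes the endpoint scheme verbatim and everything below it follows that value rather than `['ssl']['enabled']`, a comment above that line saying so, e.g. `# Follows the image-registry endpoint scheme, not ['image']['ssl']['enabled']`, would save the next maintainer from re-adding the old switch. The first hunk's `<% if node['openstack']['image']['ssl']['api']['enabled'] -%>` block closes outside that hunk.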


@ -85,7 +85,8 @@ log_file = /var/log/glance/registry.log
# ================= SSL Options ===============================
<% if node['openstack']['image']['ssl']['enabled'] -%>
<% if node['openstack']['image']['ssl']['registry']['enabled'] -%>
# Certificate file to use when starting registry server securely
cert_file = <%= node['openstack']['image']['ssl']['cert_file'] %>