Use correct endpoint scheme for api to registry connection
The ['openstack']['image']['ssl']['enabled'] was being used for both the API/Registry services AND the API's internal connection to the registry. Need to allow for separate control for enabling SSL for API and Registry. Added attributes to cover this. And the API's internal connection to the registry needs to be configured correctly based upon the Registry's internal endpoint scheme (http or https). Change-Id: Ieed28ad891192d81356c0d40ba48d70517087950 Closes-Bug: #1462388
This commit is contained in:
parent
b2dc2318e7
commit
3ede834e41
|
@ -156,7 +156,11 @@ TODO: Add DB2 support on other platforms
|
|||
SSL attributes
|
||||
---------------
|
||||
|
||||
* `openstack['image']['ssl']['enabled']` - Enable SSL for Glance API and registry endpoints. NOTE: Once enabled, Glance service endpoint must be configured to use https on Keystone. Default is false.
|
||||
Once SSL is enabled, endpoints attributes in Common need to updated to specify the https protocol.
|
||||
|
||||
* `openstack['image']['ssl']['enabled']` - Enable SSL for Glance API and registry bind endpoints. Default is false.
|
||||
* `openstack['image']['ssl']['api']['enabled']` - Enable SSL for Glance API bind endpoint. Default is from ['image']['ssl']['enabled'].
|
||||
* `openstack['image']['ssl']['registry']['enabled']` - Enable SSL for Glance Registry bind endpoint. Default is from ['image']['ssl']['enabled'].
|
||||
* `openstack['image']['ssl']['basedir']` - Base directory for SSL certficate and key file.
|
||||
* `openstack['image']['ssl']['cert_file']` - Path of the cert file for SSL.
|
||||
* `openstack['image']['ssl']['key_file']` - Path of the keyfile for SSL.
|
||||
|
|
|
@ -28,9 +28,12 @@ default['openstack']['image']['custom_template_banner'] = '
|
|||
'
|
||||
|
||||
# SSL Options
|
||||
# Enable SSL for glance-api endpoint. NOTE: Once enabled, Glance service endpoint
|
||||
# must be set to https on Keystone
|
||||
# Enable SSL for glance api and registry bind endpoints.
|
||||
default['openstack']['image']['ssl']['enabled'] = false
|
||||
# Enable SSL for glance api bind endpoint.
|
||||
default['openstack']['image']['ssl']['api']['enabled'] = node['openstack']['image']['ssl']['enabled']
|
||||
# Enable SSL for glance registry bind endpoint.
|
||||
default['openstack']['image']['ssl']['registry']['enabled'] = node['openstack']['image']['ssl']['enabled']
|
||||
# Base directory for SSL certficate and key
|
||||
default['openstack']['image']['ssl']['basedir'] = '/etc/glance/ssl'
|
||||
# Path of the cert file for SSL.
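Review bot: The two new defaults `default['openstack']['image']['ssl']['api']['enabled'] = node['openstack']['image']['ssl']['enabled']` and its registry counterpart copy the value of `['ssl']['enabled']` at the moment this attribute file is evaluated, so as far as I can tell they only follow overrides that are already on the node by then (role/environment attributes); a wrapper cookbook that flips `['ssl']['enabled']` in its own attribute file, which loads after this one, leaves both derived flags at false and the api and registry endpoints bind plain HTTP. That is worth stating where the defaults are defined, e.g. above the `['api']['enabled']` line: `# Copied at attribute-load time: a wrapper overriding ['ssl']['enabled'] in its attributes must also set ['ssl']['api']['enabled'] and ['ssl']['registry']['enabled'].` Also `certficate` in the basedir comment should read `certificate`.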
|
||||
|
|
|
@ -169,6 +169,7 @@ template '/etc/glance/glance-api.conf' do
|
|||
api_bind_port: api_bind.port,
|
||||
registry_ip_address: registry_endpoint.host,
|
||||
registry_port: registry_endpoint.port,
|
||||
registry_scheme: registry_endpoint.scheme,
|
||||
sql_connection: sql_connection,
|
||||
glance_flavor: glance_flavor,
|
||||
auth_uri: auth_uri,
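Review bot: `registry_scheme: registry_endpoint.scheme` hands the endpoint scheme to glance-api.conf unvalidated, and the template both writes it verbatim as `registry_client_protocol` and gates the client TLS settings on an exact match with `'https'`; a missing scheme therefore renders `registry_client_protocol = ` with no value, and an unexpected spelling is written to the config while the key, cert, CA and insecure settings are silently skipped. `registry_endpoint` is built outside this hunk, so I cannot see whether it guarantees a scheme; a guard before the template resource would make the failure explicit: `registry_scheme = registry_endpoint.scheme`, `fail "image-registry endpoint scheme must be http or https, got #{registry_scheme.inspect}" unless %w(http https).include?(registry_scheme)`, then `registry_scheme: registry_scheme,` in the variables hash. The `template '/etc/glance/glance-api.conf'` block starts outside the hunk.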
|
||||
|
|
|
@ -100,7 +100,15 @@ describe 'openstack-image::api' do
|
|||
key_file: '/etc/glance/ssl/private/sslkey.pem'
|
||||
}
|
||||
|
||||
it 'configures SSL cert and key file' do
|
||||
it 'configures SSL cert and key file when api is enabled for ssl' do
|
||||
node.set['openstack']['image']['ssl']['api']['enabled'] = true
|
||||
default_opts.each do |key, val|
|
||||
r = line_regexp("#{key} = #{val}")
|
||||
expect(chef_run).to render_config_file(file.name).with_section_content('DEFAULT', r)
|
||||
end
|
||||
end
|
||||
|
||||
it 'configures SSL cert and key file when glance is enabled ssl' do
|
||||
node.set['openstack']['image']['ssl']['enabled'] = true
|
||||
default_opts.each do |key, val|
|
||||
r = line_regexp("#{key} = #{val}")
|
||||
|
@ -124,14 +132,13 @@ describe 'openstack-image::api' do
|
|||
|
||||
context 'glance-registry configuration with ssl enabled' do
|
||||
it 'sets registry client protocol to https' do
|
||||
node.set['openstack']['image']['ssl']['enabled'] = true
|
||||
node.set['openstack']['endpoints']['image-registry']['scheme'] = 'https'
|
||||
expect(chef_run).to render_config_file(file.name).with_section_content('DEFAULT', /^registry_client_protocol = https$/)
|
||||
end
|
||||
|
||||
# if cert required then certfile
|
||||
context 'glance-registry with cert required' do
|
||||
it 'configures CA cert file' do
|
||||
node.set['openstack']['image']['ssl']['enabled'] = true
|
||||
node.set['openstack']['endpoints']['image-registry']['scheme'] = 'https'
|
||||
node.set['openstack']['image']['ssl']['cert_required'] = true
|
||||
node.set['openstack']['image']['registry']['auth']['cafile'] = '/etc/glance/ssl/certs/sslca.pem'
|
||||
r = line_regexp('registry_client_ca_file = /etc/glance/ssl/certs/sslca.pem')
|
||||
|
@ -139,9 +146,34 @@ describe 'openstack-image::api' do
|
|||
end
|
||||
end
|
||||
|
||||
context 'glance-registry key and cert files' do
|
||||
default_opts = {
|
||||
registry_client_cert_file: '/etc/glance/ssl/certs/sslcert.pem',
|
||||
registry_client_key_file: '/etc/glance/ssl/private/sslkey.pem'
|
||||
}
|
||||
|
||||
it 'configures registry client key and cert files' do
|
||||
node.set['openstack']['endpoints']['image-registry']['scheme'] = 'https'
|
||||
default_opts.each do |key, val|
|
||||
r = line_regexp("#{key} = #{val}")
|
||||
expect(chef_run).to render_config_file(file.name).with_section_content('DEFAULT', r)
|
||||
end
|
||||
end
|
||||
|
||||
it 'does not configure registry client key and cert files when nil or empty' do
|
||||
node.set['openstack']['endpoints']['image-registry']['scheme'] = 'https'
|
||||
node.set['openstack']['openstack']['image']['ssl']['cert_file'] = nil
|
||||
node.set['openstack']['openstack']['image']['ssl']['key_file'] = ''
|
||||
default_opts.each do |key|
|
||||
r = line_regexp("#{key} =")
|
||||
expect(chef_run).not_to render_config_file(file.name).with_section_content('DEFAULT', r)
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
context 'glance-registry with cert not required' do
|
||||
it 'does not configure CA cert file' do
|
||||
node.set['openstack']['image']['ssl']['enabled'] = true
|
||||
node.set['openstack']['endpoints']['image-registry']['scheme'] = 'https'
|
||||
node.set['openstack']['image']['ssl']['cert_required'] = false
|
||||
node.set['openstack']['image']['registry']['auth']['cafile'] = '/etc/glance/ssl/certs/sslca.pem'
|
||||
r = line_regexp('registry_client_ca_file = /etc/glance/ssl/certs/sslca.pem')
|
||||
|
@ -151,7 +183,7 @@ describe 'openstack-image::api' do
|
|||
|
||||
context 'glance-registry with certificate validation enabled' do
|
||||
it 'enables SSL in insecure mode' do
|
||||
node.set['openstack']['image']['ssl']['enabled'] = true
|
||||
node.set['openstack']['endpoints']['image-registry']['scheme'] = 'https'
|
||||
node.set['openstack']['image']['registry']['auth']['insecure'] = false
|
||||
r = line_regexp('registry_client_insecure = false')
|
||||
expect(chef_run).to render_config_file(file.name).with_section_content('DEFAULT', r)
|
||||
|
@ -160,7 +192,7 @@ describe 'openstack-image::api' do
|
|||
|
||||
context 'glance-registry with certificate validation disabled' do
|
||||
it 'enables SSL in secure mode' do
|
||||
node.set['openstack']['image']['ssl']['enabled'] = true
|
||||
node.set['openstack']['endpoints']['image-registry']['scheme'] = 'https'
|
||||
node.set['openstack']['image']['registry']['auth']['insecure'] = true
|
||||
r = line_regexp('registry_client_insecure = true')
|
||||
expect(chef_run).to render_config_file(file.name).with_section_content('DEFAULT', r)
|
||||
|
@ -170,7 +202,6 @@ describe 'openstack-image::api' do
|
|||
|
||||
context 'glance-registry configuration with ssl disabled' do
|
||||
it 'sets registry client protocol to http' do
|
||||
node.set['openstack']['image']['ssl']['enabled'] = false
|
||||
expect(chef_run).to render_config_file(file.name).with_section_content('DEFAULT', /^registry_client_protocol = http$/)
|
||||
end
|
||||
end
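Review bot: The new example `'does not configure registry client key and cert files when nil or empty'` cannot fail as written. `default_opts.each do |key|` iterates a Hash, so `key` receives the `[name, value]` pair and `line_regexp("#{key} =")` is built from the array's string form, which matches no line in the rendered file and makes the `not_to` expectation vacuously true; independently, the attribute paths carry a doubled namespace, `node.set['openstack']['openstack']['image']['ssl']['cert_file']`, so the real `cert_file`/`key_file` attributes keep their defaults and the template would still render both lines. Change the three lines to `node.set['openstack']['image']['ssl']['cert_file'] = nil`, `node.set['openstack']['image']['ssl']['key_file'] = ''` and `default_opts.each_key do |key|`. The sibling example just above it uses the `|key, val|` form and is the pattern to mirror.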
|
||||
|
|
|
@ -218,16 +218,25 @@ describe 'openstack-image::registry' do
|
|||
}
|
||||
cert = { 'ca_file' => '/etc/glance/ssl/certs/sslca.pem' }
|
||||
|
||||
it 'configures SSL cert and key file' do
|
||||
it 'configures SSL cert and key file when api is enabled for ssl' do
|
||||
node.set['openstack']['image']['ssl']['registry']['enabled'] = true
|
||||
default_opts.each do |key, val|
|
||||
r = line_regexp("#{key} = #{val}")
|
||||
expect(chef_run).to render_config_file(file.name).with_section_content('DEFAULT', r)
|
||||
end
|
||||
end
|
||||
|
||||
it 'configures SSL cert and key file when glance is enabled ssl' do
|
||||
node.set['openstack']['image']['ssl']['enabled'] = true
|
||||
default_opts.each do |key, val|
|
||||
r = line_regexp("#{key} = #{val}")
|
||||
expect(chef_run).to render_config_file(file.name).with_section_content('DEFAULT', r)
|
||||
end
|
||||
end
|
||||
|
||||
context 'with cert required' do
|
||||
it 'configures CA cert ' do
|
||||
node.set['openstack']['image']['ssl']['enabled'] = true
|
||||
node.set['openstack']['image']['ssl']['registry']['enabled'] = true
|
||||
node.set['openstack']['image']['ssl']['cert_required'] = true
|
||||
r = line_regexp("ca_file = #{cert['ca_file']}")
|
||||
expect(chef_run).to render_config_file(file.name).with_section_content('DEFAULT', r)
|
||||
|
@ -236,7 +245,7 @@ describe 'openstack-image::registry' do
|
|||
|
||||
context 'with cert not required' do
|
||||
it 'configures CA cert ' do
|
||||
node.set['openstack']['image']['ssl']['enabled'] = true
|
||||
node.set['openstack']['image']['ssl']['registry']['enabled'] = true
|
||||
node.set['openstack']['image']['ssl']['cert_required'] = false
|
||||
r = line_regexp("ca_file = #{cert['ca_file']}")
|
||||
expect(chef_run).not_to render_config_file(file.name).with_section_content('DEFAULT', r)
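Review bot: The example renamed to `it 'configures SSL cert and key file when api is enabled for ssl' do` sets `node.set['openstack']['image']['ssl']['registry']['enabled'] = true`, not the api flag; the description appears copied from the api spec and should read `it 'configures SSL cert and key file when registry is enabled for ssl' do`. In the `'with cert required'` and `'with cert not required'` contexts both `['ssl']['enabled']` and `['ssl']['registry']['enabled']` are set to true, while the registry template now keys only on the registry flag; if the first line is pre-existing rather than part of this change it could be dropped so the examples demonstrate that the registry-specific flag alone drives the output.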
|
||||
|
|
|
@ -126,12 +126,11 @@ log_config = /etc/openstack/logging.conf
|
|||
log_file = /var/log/glance/api.log
|
||||
<% end %>
|
||||
|
||||
|
||||
# ================= SSL Options ===============================
|
||||
|
||||
# Certificate file to use when starting API server securely
|
||||
<% if node['openstack']['image']['ssl']['api']['enabled'] -%>
|
||||
|
||||
<% if node['openstack']['image']['ssl']['enabled'] -%>
|
||||
# Certificate file to use when starting API server securely
|
||||
cert_file = <%= node['openstack']['image']['ssl']['cert_file'] %>
|
||||
|
||||
# Private key file to use when starting API server securely
|
||||
|
@ -160,35 +159,35 @@ registry_host = <%= @registry_ip_address %>
|
|||
registry_port = <%= @registry_port %>
|
||||
|
||||
# What protocol to use when connecting to the registry server?
|
||||
registry_client_protocol = <%= @registry_scheme %>
|
||||
|
||||
<% if node['openstack']['image']['ssl']['enabled'] -%>
|
||||
# Set to https for secure HTTP communication
|
||||
registry_client_protocol = https
|
||||
|
||||
<% if @registry_scheme == 'https' -%>
|
||||
<% unless node["openstack"]["image"]['ssl']['key_file'].to_s.empty? -%>
|
||||
# The path to the key file to use in SSL connections to the
|
||||
# registry server, if any. Alternately, you may set the
|
||||
# GLANCE_CLIENT_KEY_FILE environ variable to a filepath of the key file
|
||||
registry_client_key_file = <%= node['openstack']['image']['ssl']['key_file'] %>
|
||||
<% end -%>
|
||||
|
||||
<% unless node["openstack"]["image"]['ssl']['cert_file'].to_s.empty? -%>
|
||||
# The path to the cert file to use in SSL connections to the
|
||||
# registry server, if any. Alternately, you may set the
|
||||
# GLANCE_CLIENT_CERT_FILE environ variable to a filepath of the cert file
|
||||
registry_client_cert_file = <%= node['openstack']['image']['ssl']['cert_file'] %>
|
||||
<% if node['openstack']['image']['ssl']['cert_required'] %>
|
||||
<% end -%>
|
||||
|
||||
<% if node['openstack']['image']['ssl']['cert_required'] -%>
|
||||
# The path to the certifying authority cert file to use in SSL connections
|
||||
# to the registry server, if any. Alternately, you may set the
|
||||
# GLANCE_CLIENT_CA_FILE environ variable to a filepath of the CA cert file
|
||||
registry_client_ca_file = <%= node['openstack']['image']['registry']['auth']['cafile'] %>
|
||||
|
||||
<% end %>
|
||||
<% end -%>
|
||||
|
||||
# When using SSL in connections to the registry server, do not require
|
||||
# validation via a certifying authority. This is the registry's equivalent of
|
||||
# specifying --insecure on the command line using glanceclient for the API
|
||||
# Default: False
|
||||
registry_client_insecure = <%= node['openstack']['image']['registry']['auth']['insecure'] %>
|
||||
<% else -%>
|
||||
registry_client_protocol = http
|
||||
<% end -%>
|
||||
|
||||
# The period of time, in seconds, that the API server will wait for a registry
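Review bot: The client-side block starting at `<% if @registry_scheme == 'https' -%>` and the server-side block starting at `<% if node['openstack']['image']['ssl']['api']['enabled'] -%>` are now driven by two unrelated inputs, and nothing on the page relates the image-registry endpoint scheme to `['image']['ssl']['registry']['enabled']`, which is what decides whether glance-registry actually binds TLS; an https endpoint pointing at a plain-HTTP registry, or the reverse, is only discovered when the API first calls the registry. Since the two services may run on different nodes this is hard to enforce in Chef, so it should at least be documented next to the branch: `# Client TLS settings below follow the image-registry endpoint scheme; the registry's own bind TLS is controlled separately by ['image']['ssl']['registry']['enabled'] and the two must agree.` The enclosing conf section continues outside the hunk.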
|
||||
|
|
|
@ -85,7 +85,8 @@ log_file = /var/log/glance/registry.log
|
|||
|
||||
# ================= SSL Options ===============================
|
||||
|
||||
<% if node['openstack']['image']['ssl']['enabled'] -%>
|
||||
<% if node['openstack']['image']['ssl']['registry']['enabled'] -%>
|
||||
|
||||
# Certificate file to use when starting registry server securely
|
||||
cert_file = <%= node['openstack']['image']['ssl']['cert_file'] %>
|
||||
|
||||
|
|