TLS support for Glance services

List of changes in the current patch: - Add files for certificates - Updated configuration files for services to use mapped ports and 'https' url scheme. Also ca_cert was provided for keystonemiddleware. - Updated bootstrap script to use 'https' scheme with insecure flag, when it create image in glance. - Update jobs for creation endpoints, now address function use 'tls' parameter. - Add files for nginx configurations. Change-Id: I7d34e18bf41308700f5f7d7a605cb372636fc412
author: Sergey Kraynev <skraynev@mirantis.com> 2017-01-30 09:16:15 +0000
committer: Sergey Kraynev <skraynev@mirantis.com> 2017-02-22 08:00:49 +0000
commit: b368e4833eb986df3a1e89467b88078365454cda (patch)
tree: f10da26831f05dfa585cba537eb194ff1822c2bc
parent: 5e6c2391f03608a8498151e32cf2321680e29a57 (diff)
12 files changed, 115 insertions, 1 deletions
diff --git a/service/files/ca-cert.pem.j2 b/service/files/ca-cert.pem.j2
new file mode 100644
index 0000000..d52069b
--- /dev/null
+++ b/service/files/ca-cert.pem.j2
@@ -0,0 +1 @@
+{{ security.tls.ca_cert }}
diff --git a/service/files/defaults.yaml b/service/files/defaults.yaml
index 5ba7e52..ed13d64 100644
--- a/service/files/defaults.yaml
+++ b/service/files/defaults.yaml
@@ -1,5 +1,7 @@
 configs:
  glance:
+    tls:
+      enabled: true
    api_port:
      cont: 9292
      ingress: image
diff --git a/service/files/glance-api.conf.j2 b/service/files/glance-api.conf.j2
index f5ecd28..4542c40 100644
--- a/service/files/glance-api.conf.j2
+++ b/service/files/glance-api.conf.j2
@@ -5,7 +5,13 @@ use_syslog = false
 use_stderr = true
 use_forwarded_for = true
+{% if glance.tls.enabled %}
+registry_client_protocol = https
+registry_client_ca_file = /opt/ccp/etc/tls/ca.pem
+bind_host = 127.0.0.1
+{% else %}
 bind_host = {{ network_topology["private"]["address"] }}
+{% endif %}
 bind_port = {{ glance.api_port.cont }}
 registry_host = glance-registry
diff --git a/service/files/glance-cirros-image-upload.sh.j2 b/service/files/glance-cirros-image-upload.sh.j2
index b3a5610..d195a69 100644
--- a/service/files/glance-cirros-image-upload.sh.j2
+++ b/service/files/glance-cirros-image-upload.sh.j2
@@ -8,7 +8,8 @@ export OS_USER_DOMAIN_NAME=default
 export OS_PASSWORD={{ openstack.user_password }}
 export OS_USERNAME={{ openstack.user_name }}
 export OS_PROJECT_NAME={{ openstack.project_name }}
-export OS_AUTH_URL="http://{{ address('keystone', keystone.admin_port) }}/v3"
+export OS_AUTH_URL="{{ address('keystone', keystone.admin_port, with_scheme=True) }}/v3"
+export OS_CACERT="/opt/ccp/etc/tls/ca.pem"
 {% set image = glance.bootstrap.image %}
 FILE="$(mktemp)"
diff --git a/service/files/glance-registry.conf.j2 b/service/files/glance-registry.conf.j2
index 92104cd..3b4a705 100644
--- a/service/files/glance-registry.conf.j2
+++ b/service/files/glance-registry.conf.j2
@@ -5,7 +5,11 @@ use_syslog = false
 use_stderr = true
 use_forwarded_for = true
+{% if glance.tls.enabled %}
+bind_host = 127.0.0.1
+{% else %}
 bind_host = {{ network_topology["private"]["address"] }}
+{% endif %}
 bind_port = {{ glance.registry_port.cont }}
 [database]
diff --git a/service/files/nginx-api.conf.j2 b/service/files/nginx-api.conf.j2
new file mode 100644
index 0000000..0ab1b28
--- /dev/null
+++ b/service/files/nginx-api.conf.j2
@@ -0,0 +1,11 @@
+server {
+    listen {{ network_topology["private"]["address"] }}:{{ glance.api_port.cont }} ssl;
+    include common/ssl.conf;
+    # allows to upload images without being cut off at some low size
+    client_max_body_size 0;
+    location / {
+        proxy_pass http://glance_api;
+        include common/proxy-headers.conf;
+    }
+}
diff --git a/service/files/nginx-registry.conf.j2 b/service/files/nginx-registry.conf.j2
new file mode 100644
index 0000000..7fe1a77
--- /dev/null
+++ b/service/files/nginx-registry.conf.j2
@@ -0,0 +1,11 @@
+server {
+    listen {{ network_topology["private"]["address"] }}:{{ glance.registry_port.cont }} ssl;
+    include common/ssl.conf;
+    # allows to upload images without being cut off at some low size
+    client_max_body_size 0;
+    location / {
+        proxy_pass http://glance_registry;
+        include common/proxy-headers.conf;
+    }
+}
diff --git a/service/files/server-cert.pem.j2 b/service/files/server-cert.pem.j2
new file mode 100644
index 0000000..8abc152
--- /dev/null
+++ b/service/files/server-cert.pem.j2
@@ -0,0 +1 @@
+{{ security.tls.server_cert }}
diff --git a/service/files/server-key.pem.j2 b/service/files/server-key.pem.j2
new file mode 100644
index 0000000..70cf751
--- /dev/null
+++ b/service/files/server-key.pem.j2
@@ -0,0 +1 @@
+{{ security.tls.server_key }}
diff --git a/service/files/upstreams.conf.j2 b/service/files/upstreams.conf.j2
new file mode 100644
index 0000000..716a515
--- /dev/null
+++ b/service/files/upstreams.conf.j2
@@ -0,0 +1,6 @@
+upstream glance_api {
+    server 127.0.0.1:{{ glance.api_port.cont }};
+}
+upstream glance_registry {
+    server 127.0.0.1:{{ glance.registry_port.cont }};
+}
diff --git a/service/glance-api.yaml b/service/glance-api.yaml
index adf6a39..c3a13cf 100644
--- a/service/glance-api.yaml
+++ b/service/glance-api.yaml
@@ -61,6 +61,9 @@ service:
      daemon:
        files:
          - glance-api
+          # {% if glance.tls.enabled %}
+          - ca_cert
+          # {% endif %}
          # {% if glance.ceph.enable %}
          - ceph-conf
          - glance-ceph-key
@@ -79,6 +82,17 @@ service:
          files:
            - glance-cirros-image-upload.sh
      # {% endif %}
+    # {% if glance.tls.enabled %}
+    - name: nginx-glance-api
+      image: nginx
+      daemon:
+        files:
+          - upstreams
+          - servers
+          - server-cert
+          - server-key
+        command: nginx
+    # {% endif %}
 files:
  glance-api:
@@ -97,3 +111,24 @@ files:
    path: /opt/ccp/bin/glance-cirros-image-upload.sh
    content: glance-cirros-image-upload.sh.j2
    perm: "500"
+  # {% if glance.tls.enabled %}
+  servers:
+    path: /etc/nginx/conf.d/servers.conf
+    content: nginx-api.conf.j2
+    perm: "0400"
+  upstreams:
+    path: /etc/nginx/conf.d/upstreams.conf
+    content: upstreams.conf.j2
+    perm: "0400"
+  ca_cert:
+    path: /opt/ccp/etc/tls/ca.pem
+    content: ca-cert.pem.j2
+  server-cert:
+    path: /opt/ccp/etc/tls/server-cert.pem
+    content: server-cert.pem.j2
+    perm: "0400"
+  server-key:
+    path: /opt/ccp/etc/tls/server-key.pem
+    content: server-key.pem.j2
+    perm: "0400"
+  # {% endif %}
diff --git a/service/glance-registry.yaml b/service/glance-registry.yaml
index cf68b93..d0a6d87 100644
--- a/service/glance-registry.yaml
+++ b/service/glance-registry.yaml
@@ -13,11 +13,46 @@ service:
      daemon:
        files:
          - glance-registry-conf
+          # {% if glance.tls.enabled %}
+          - ca_cert
+          # {% endif %}
        dependencies:
          - glance-api
        command: glance-registry
+    # {% if glance.tls.enabled %}
+    - name: nginx-glance-registry
+      image: nginx
+      daemon:
+        files:
+          - upstreams
+          - servers
+          - server-cert
+          - server-key
+        command: nginx
+    # {% endif %}
 files:
  glance-registry-conf:
    path: /etc/glance/glance-registry.conf
    content: glance-registry.conf.j2
+  # {% if glance.tls.enabled %}
+  servers:
+    path: /etc/nginx/conf.d/servers.conf
+    content: nginx-registry.conf.j2
+    perm: "0400"
+  upstreams:
+    path: /etc/nginx/conf.d/upstreams.conf
+    content: upstreams.conf.j2
+    perm: "0400"
+  ca_cert:
+    path: /opt/ccp/etc/tls/ca.pem
+    content: ca-cert.pem.j2
+  server-cert:
+    path: /opt/ccp/etc/tls/server-cert.pem
+    content: server-cert.pem.j2
+    perm: "0400"
+  server-key:
+    path: /opt/ccp/etc/tls/server-key.pem
+    content: server-key.pem.j2
+    perm: "0400"
+  # {% endif %}
author	Sergey Kraynev <skraynev@mirantis.com>	2017-01-30 09:16:15 +0000
committer	Sergey Kraynev <skraynev@mirantis.com>	2017-02-22 08:00:49 +0000
commit	b368e4833eb986df3a1e89467b88078365454cda (patch)
tree	f10da26831f05dfa585cba537eb194ff1822c2bc
parent	5e6c2391f03608a8498151e32cf2321680e29a57 (diff)

diff --git a/service/files/ca-cert.pem.j2 b/service/files/ca-cert.pem.j2 new file mode 100644 index 0000000..d52069b --- /dev/null +++ b/service/files/ca-cert.pem.j2
@@ -0,0 +1 @@
			{{ security.tls.ca_cert }}


diff --git a/service/files/defaults.yaml b/service/files/defaults.yaml index 5ba7e52..ed13d64 100644 --- a/service/files/defaults.yaml +++ b/service/files/defaults.yaml
@@ -1,5 +1,7 @@
1	configs:	1	configs:
2	glance:	2	glance:
		3	tls:
		4	enabled: true
3	api_port:	5	api_port:
4	cont: 9292	6	cont: 9292
5	ingress: image	7	ingress: image


diff --git a/service/files/glance-api.conf.j2 b/service/files/glance-api.conf.j2 index f5ecd28..4542c40 100644 --- a/service/files/glance-api.conf.j2 +++ b/service/files/glance-api.conf.j2
@@ -5,7 +5,13 @@ use_syslog = false
5	use_stderr = true	5	use_stderr = true
6	use_forwarded_for = true	6	use_forwarded_for = true
7		7
		8	{% if glance.tls.enabled %}
		9	registry_client_protocol = https
		10	registry_client_ca_file = /opt/ccp/etc/tls/ca.pem
		11	bind_host = 127.0.0.1
		12	{% else %}
8	bind_host = {{ network_topology["private"]["address"] }}	13	bind_host = {{ network_topology["private"]["address"] }}
		14	{% endif %}
9	bind_port = {{ glance.api_port.cont }}	15	bind_port = {{ glance.api_port.cont }}
10		16
11	registry_host = glance-registry	17	registry_host = glance-registry


diff --git a/service/files/glance-cirros-image-upload.sh.j2 b/service/files/glance-cirros-image-upload.sh.j2 index b3a5610..d195a69 100644 --- a/service/files/glance-cirros-image-upload.sh.j2 +++ b/service/files/glance-cirros-image-upload.sh.j2
@@ -8,7 +8,8 @@ export OS_USER_DOMAIN_NAME=default
8	export OS_PASSWORD={{ openstack.user_password }}	8	export OS_PASSWORD={{ openstack.user_password }}
9	export OS_USERNAME={{ openstack.user_name }}	9	export OS_USERNAME={{ openstack.user_name }}
10	export OS_PROJECT_NAME={{ openstack.project_name }}	10	export OS_PROJECT_NAME={{ openstack.project_name }}
11	export OS_AUTH_URL="http://{{ address('keystone', keystone.admin_port) }}/v3"	11	export OS_AUTH_URL="{{ address('keystone', keystone.admin_port, with_scheme=True) }}/v3"
		12	export OS_CACERT="/opt/ccp/etc/tls/ca.pem"
12		13
13	{% set image = glance.bootstrap.image %}	14	{% set image = glance.bootstrap.image %}
14	FILE="$(mktemp)"	15	FILE="$(mktemp)"


diff --git a/service/files/glance-registry.conf.j2 b/service/files/glance-registry.conf.j2 index 92104cd..3b4a705 100644 --- a/service/files/glance-registry.conf.j2 +++ b/service/files/glance-registry.conf.j2
@@ -5,7 +5,11 @@ use_syslog = false
5	use_stderr = true	5	use_stderr = true
6	use_forwarded_for = true	6	use_forwarded_for = true
7		7
		8	{% if glance.tls.enabled %}
		9	bind_host = 127.0.0.1
		10	{% else %}
8	bind_host = {{ network_topology["private"]["address"] }}	11	bind_host = {{ network_topology["private"]["address"] }}
		12	{% endif %}
9	bind_port = {{ glance.registry_port.cont }}	13	bind_port = {{ glance.registry_port.cont }}
10		14
11	[database]	15	[database]


diff --git a/service/files/nginx-api.conf.j2 b/service/files/nginx-api.conf.j2 new file mode 100644 index 0000000..0ab1b28 --- /dev/null +++ b/service/files/nginx-api.conf.j2
@@ -0,0 +1,11 @@
		1	server {
		2	listen {{ network_topology["private"]["address"] }}:{{ glance.api_port.cont }} ssl;
		3	include common/ssl.conf;
		4	# allows to upload images without being cut off at some low size
		5	client_max_body_size 0;
		6
		7	location / {
		8	proxy_pass http://glance_api;
		9	include common/proxy-headers.conf;
		10	}
		11	}


diff --git a/service/files/nginx-registry.conf.j2 b/service/files/nginx-registry.conf.j2 new file mode 100644 index 0000000..7fe1a77 --- /dev/null +++ b/service/files/nginx-registry.conf.j2
@@ -0,0 +1,11 @@
		1	server {
		2	listen {{ network_topology["private"]["address"] }}:{{ glance.registry_port.cont }} ssl;
		3	include common/ssl.conf;
		4	# allows to upload images without being cut off at some low size
		5	client_max_body_size 0;
		6
		7	location / {
		8	proxy_pass http://glance_registry;
		9	include common/proxy-headers.conf;
		10	}
		11	}


diff --git a/service/files/server-cert.pem.j2 b/service/files/server-cert.pem.j2 new file mode 100644 index 0000000..8abc152 --- /dev/null +++ b/service/files/server-cert.pem.j2
@@ -0,0 +1 @@
			{{ security.tls.server_cert }}


diff --git a/service/files/server-key.pem.j2 b/service/files/server-key.pem.j2 new file mode 100644 index 0000000..70cf751 --- /dev/null +++ b/service/files/server-key.pem.j2
@@ -0,0 +1 @@
			{{ security.tls.server_key }}


diff --git a/service/files/upstreams.conf.j2 b/service/files/upstreams.conf.j2 new file mode 100644 index 0000000..716a515 --- /dev/null +++ b/service/files/upstreams.conf.j2
@@ -0,0 +1,6 @@
		1	upstream glance_api {
		2	server 127.0.0.1:{{ glance.api_port.cont }};
		3	}
		4	upstream glance_registry {
		5	server 127.0.0.1:{{ glance.registry_port.cont }};
		6	}


diff --git a/service/glance-api.yaml b/service/glance-api.yaml index adf6a39..c3a13cf 100644 --- a/service/glance-api.yaml +++ b/service/glance-api.yaml
@@ -61,6 +61,9 @@ service:
61	daemon:	61	daemon:
62	files:	62	files:
63	- glance-api	63	- glance-api
		64	# {% if glance.tls.enabled %}
		65	- ca_cert
		66	# {% endif %}
64	# {% if glance.ceph.enable %}	67	# {% if glance.ceph.enable %}
65	- ceph-conf	68	- ceph-conf
66	- glance-ceph-key	69	- glance-ceph-key
@@ -79,6 +82,17 @@ service:
79	files:	82	files:
80	- glance-cirros-image-upload.sh	83	- glance-cirros-image-upload.sh
81	# {% endif %}	84	# {% endif %}
		85	# {% if glance.tls.enabled %}
		86	- name: nginx-glance-api
		87	image: nginx
		88	daemon:
		89	files:
		90	- upstreams
		91	- servers
		92	- server-cert
		93	- server-key
		94	command: nginx
		95	# {% endif %}
82		96
83	files:	97	files:
84	glance-api:	98	glance-api:
@@ -97,3 +111,24 @@ files:
97	path: /opt/ccp/bin/glance-cirros-image-upload.sh	111	path: /opt/ccp/bin/glance-cirros-image-upload.sh
98	content: glance-cirros-image-upload.sh.j2	112	content: glance-cirros-image-upload.sh.j2
99	perm: "500"	113	perm: "500"
		114	# {% if glance.tls.enabled %}
		115	servers:
		116	path: /etc/nginx/conf.d/servers.conf
		117	content: nginx-api.conf.j2
		118	perm: "0400"
		119	upstreams:
		120	path: /etc/nginx/conf.d/upstreams.conf
		121	content: upstreams.conf.j2
		122	perm: "0400"
		123	ca_cert:
		124	path: /opt/ccp/etc/tls/ca.pem
		125	content: ca-cert.pem.j2
		126	server-cert:
		127	path: /opt/ccp/etc/tls/server-cert.pem
		128	content: server-cert.pem.j2
		129	perm: "0400"
		130	server-key:
		131	path: /opt/ccp/etc/tls/server-key.pem
		132	content: server-key.pem.j2
		133	perm: "0400"
		134	# {% endif %}


diff --git a/service/glance-registry.yaml b/service/glance-registry.yaml index cf68b93..d0a6d87 100644 --- a/service/glance-registry.yaml +++ b/service/glance-registry.yaml
@@ -13,11 +13,46 @@ service:
13	daemon:	13	daemon:
14	files:	14	files:
15	- glance-registry-conf	15	- glance-registry-conf
		16	# {% if glance.tls.enabled %}
		17	- ca_cert
		18	# {% endif %}
16	dependencies:	19	dependencies:
17	- glance-api	20	- glance-api
18	command: glance-registry	21	command: glance-registry
		22	# {% if glance.tls.enabled %}
		23	- name: nginx-glance-registry
		24	image: nginx
		25	daemon:
		26	files:
		27	- upstreams
		28	- servers
		29	- server-cert
		30	- server-key
		31	command: nginx
		32	# {% endif %}
19		33
20	files:	34	files:
21	glance-registry-conf:	35	glance-registry-conf:
22	path: /etc/glance/glance-registry.conf	36	path: /etc/glance/glance-registry.conf
23	content: glance-registry.conf.j2	37	content: glance-registry.conf.j2
		38	# {% if glance.tls.enabled %}
		39	servers:
		40	path: /etc/nginx/conf.d/servers.conf
		41	content: nginx-registry.conf.j2
		42	perm: "0400"
		43	upstreams:
		44	path: /etc/nginx/conf.d/upstreams.conf
		45	content: upstreams.conf.j2
		46	perm: "0400"
		47	ca_cert:
		48	path: /opt/ccp/etc/tls/ca.pem
		49	content: ca-cert.pem.j2
		50	server-cert:
		51	path: /opt/ccp/etc/tls/server-cert.pem
		52	content: server-cert.pem.j2
		53	perm: "0400"
		54	server-key:
		55	path: /opt/ccp/etc/tls/server-key.pem
		56	content: server-key.pem.j2
		57	perm: "0400"
		58	# {% endif %}