authorSergey Kraynev <skraynev@mirantis.com>2017-01-30 09:16:15 +0000
committerSergey Kraynev <skraynev@mirantis.com>2017-02-22 08:00:49 +0000
commitb368e4833eb986df3a1e89467b88078365454cda (patch)
treef10da26831f05dfa585cba537eb194ff1822c2bc
parent5e6c2391f03608a8498151e32cf2321680e29a57 (diff)
TLS support for Glance services
List of changes in the current patch: - Add files for certificates. - Updated configuration files for services to use mapped ports and the 'https' URL scheme. Also ca_cert was provided for keystonemiddleware. - Updated the bootstrap script to use the 'https' scheme with the insecure flag when it creates an image in glance. - Updated the jobs for endpoint creation; the address function now uses the 'tls' parameter. - Add files for nginx configurations. Change-Id: I7d34e18bf41308700f5f7d7a605cb372636fc412
Notes
Notes (review): Code-Review+2: Andrey Pavlov <apavlov@mirantis.com> Verified+1: Mirantis CCP CI <mirantis-fuel-ccp-ci@mirantis.com> Workflow+1: Sergey Reshetnyak <sreshetniak@mirantis.com> Code-Review+2: Sergey Reshetnyak <sreshetniak@mirantis.com> Verified+2: Jenkins Submitted-by: Jenkins Submitted-at: Tue, 28 Feb 2017 10:09:13 +0000 Reviewed-on: https://review.openstack.org/426685 Project: openstack/fuel-ccp-glance Branch: refs/heads/master
-rw-r--r--service/files/ca-cert.pem.j21
-rw-r--r--service/files/defaults.yaml2
-rw-r--r--service/files/glance-api.conf.j26
-rw-r--r--service/files/glance-cirros-image-upload.sh.j23
-rw-r--r--service/files/glance-registry.conf.j24
-rw-r--r--service/files/nginx-api.conf.j211
-rw-r--r--service/files/nginx-registry.conf.j211
-rw-r--r--service/files/server-cert.pem.j21
-rw-r--r--service/files/server-key.pem.j21
-rw-r--r--service/files/upstreams.conf.j26
-rw-r--r--service/glance-api.yaml35
-rw-r--r--service/glance-registry.yaml35
12 files changed, 115 insertions, 1 deletions
diff --git a/service/files/ca-cert.pem.j2 b/service/files/ca-cert.pem.j2
new file mode 100644
index 0000000..d52069b
--- /dev/null
+++ b/service/files/ca-cert.pem.j2
@@ -0,0 +1 @@
{{ security.tls.ca_cert }}
diff --git a/service/files/defaults.yaml b/service/files/defaults.yaml
index 5ba7e52..ed13d64 100644
--- a/service/files/defaults.yaml
+++ b/service/files/defaults.yaml
@@ -1,5 +1,7 @@
1configs: 1configs:
2 glance: 2 glance:
3 tls:
4 enabled: true
3 api_port: 5 api_port:
4 cont: 9292 6 cont: 9292
5 ingress: image 7 ingress: image
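Review bot: `enabled: true` switches the TLS path on for every deployment by default, so the nginx sidecars and the `ca-cert.pem.j2`/`server-cert.pem.j2`/`server-key.pem.j2` templates are always rendered, and they expand `security.tls.ca_cert`, `security.tls.server_cert` and `security.tls.server_key`, none of which is defined in this file. If those globals are absent the PEM files presumably render empty and nginx would fail to load its certificate, which is a much less obvious failure than a missing-key error at render time. A comment on the new key would record the dependency, e.g. `# requires security.tls.ca_cert, server_cert and server_key to be set`. Whether the template layer rejects undefined values before that point is not visible in this diff.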
diff --git a/service/files/glance-api.conf.j2 b/service/files/glance-api.conf.j2
index f5ecd28..4542c40 100644
--- a/service/files/glance-api.conf.j2
+++ b/service/files/glance-api.conf.j2
@@ -5,7 +5,13 @@ use_syslog = false
5use_stderr = true 5use_stderr = true
6use_forwarded_for = true 6use_forwarded_for = true
7 7
8{% if glance.tls.enabled %}
9registry_client_protocol = https
10registry_client_ca_file = /opt/ccp/etc/tls/ca.pem
11bind_host = 127.0.0.1
12{% else %}
8bind_host = {{ network_topology["private"]["address"] }} 13bind_host = {{ network_topology["private"]["address"] }}
14{% endif %}
9bind_port = {{ glance.api_port.cont }} 15bind_port = {{ glance.api_port.cont }}
10 16
11registry_host = glance-registry 17registry_host = glance-registry
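Review bot: With `registry_client_protocol = https` and `registry_client_ca_file = /opt/ccp/etc/tls/ca.pem`, the API's registry client will verify the registry's certificate against that CA and check it against `registry_host = glance-registry`, so the certificate rendered from `security.tls.server_cert` has to be valid for that name; nothing in the diff documents this. A comment next to the new lines, `# server cert must be valid for the 'glance-registry' name, it is verified against ca.pem`, would save the next person a failed handshake. Note that the same `server-cert.pem.j2` is served by both the api and the registry nginx sidecars, so a single certificate has to cover both service names. The registry-side template (glance-registry.conf.j2) has the matching `bind_host = 127.0.0.1` change and needs no note of its own.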
diff --git a/service/files/glance-cirros-image-upload.sh.j2 b/service/files/glance-cirros-image-upload.sh.j2
index b3a5610..d195a69 100644
--- a/service/files/glance-cirros-image-upload.sh.j2
+++ b/service/files/glance-cirros-image-upload.sh.j2
@@ -8,7 +8,8 @@ export OS_USER_DOMAIN_NAME=default
8export OS_PASSWORD={{ openstack.user_password }} 8export OS_PASSWORD={{ openstack.user_password }}
9export OS_USERNAME={{ openstack.user_name }} 9export OS_USERNAME={{ openstack.user_name }}
10export OS_PROJECT_NAME={{ openstack.project_name }} 10export OS_PROJECT_NAME={{ openstack.project_name }}
11export OS_AUTH_URL="http://{{ address('keystone', keystone.admin_port) }}/v3" 11export OS_AUTH_URL="{{ address('keystone', keystone.admin_port, with_scheme=True) }}/v3"
12export OS_CACERT="/opt/ccp/etc/tls/ca.pem"
12 13
13{% set image = glance.bootstrap.image %} 14{% set image = glance.bootstrap.image %}
14FILE="$(mktemp)" 15FILE="$(mktemp)"
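Review bot: `export OS_CACERT="/opt/ccp/etc/tls/ca.pem"` is added unconditionally, but the job that runs this script (the `files:` list at new lines 82-84 of glance-api.yaml) still maps only `glance-cirros-image-upload.sh`; `ca_cert` is added to the glance-api daemon's file list, not to the job's, so inside the job container the path may not exist. Since `OS_AUTH_URL` now takes its scheme from `address(..., with_scheme=True)`, which the commit message says yields https, a missing CA file would make the client fail certificate verification rather than fall back, unless the file is mounted by something outside this diff. Either add `- ca_cert` to the job's files list or wrap the export in `{% if glance.tls.enabled %}` like the other templates do. The commit message mentions an insecure flag; if one is set further down the script (outside the hunk) it would explain the unconditional export, but it would also disable the CA check that this line is meant to provide.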
diff --git a/service/files/glance-registry.conf.j2 b/service/files/glance-registry.conf.j2
index 92104cd..3b4a705 100644
--- a/service/files/glance-registry.conf.j2
+++ b/service/files/glance-registry.conf.j2
@@ -5,7 +5,11 @@ use_syslog = false
5use_stderr = true 5use_stderr = true
6use_forwarded_for = true 6use_forwarded_for = true
7 7
8{% if glance.tls.enabled %}
9bind_host = 127.0.0.1
10{% else %}
8bind_host = {{ network_topology["private"]["address"] }} 11bind_host = {{ network_topology["private"]["address"] }}
12{% endif %}
9bind_port = {{ glance.registry_port.cont }} 13bind_port = {{ glance.registry_port.cont }}
10 14
11[database] 15[database]
diff --git a/service/files/nginx-api.conf.j2 b/service/files/nginx-api.conf.j2
new file mode 100644
index 0000000..0ab1b28
--- /dev/null
+++ b/service/files/nginx-api.conf.j2
@@ -0,0 +1,11 @@
1server {
2 listen {{ network_topology["private"]["address"] }}:{{ glance.api_port.cont }} ssl;
3 include common/ssl.conf;
4 # allows to upload images without being cut off at some low size
5 client_max_body_size 0;
6
7 location / {
8 proxy_pass http://glance_api;
9 include common/proxy-headers.conf;
10 }
11}
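Review bot: `client_max_body_size 0` lifts the size limit, but with `proxy_pass` nginx by default buffers the entire request body to a temporary file before forwarding it (`proxy_request_buffering on`), so every image upload is first spooled to the nginx container's disk and a large one can fill it. Adding `proxy_request_buffering off;` inside `location /` streams the body straight to `glance_api` and removes the disk dependency. Long uploads may also outlast the 60s default of `proxy_read_timeout`/`proxy_send_timeout`; whether `common/proxy-headers.conf` or `common/ssl.conf` already raises them cannot be seen from this diff.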
diff --git a/service/files/nginx-registry.conf.j2 b/service/files/nginx-registry.conf.j2
new file mode 100644
index 0000000..7fe1a77
--- /dev/null
+++ b/service/files/nginx-registry.conf.j2
@@ -0,0 +1,11 @@
1server {
2 listen {{ network_topology["private"]["address"] }}:{{ glance.registry_port.cont }} ssl;
3 include common/ssl.conf;
4 # allows to upload images without being cut off at some low size
5 client_max_body_size 0;
6
7 location / {
8 proxy_pass http://glance_registry;
9 include common/proxy-headers.conf;
10 }
11}
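Review bot: The comment `# allows to upload images without being cut off at some low size` is copied from nginx-api.conf.j2, but this server block fronts glance-registry, which serves image metadata rather than image payloads, so the comment explains a setting that does not appear to be needed here. Either drop `client_max_body_size 0;` for the registry or reword the comment to say why the registry also needs an unlimited body, e.g. `# registry requests are small; no body limit is deliberately kept in sync with nginx-api.conf.j2`. The two nginx templates differ only in the port variable and the upstream name, so a single template taking the upstream name as a variable would keep them from drifting apart.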
diff --git a/service/files/server-cert.pem.j2 b/service/files/server-cert.pem.j2
new file mode 100644
index 0000000..8abc152
--- /dev/null
+++ b/service/files/server-cert.pem.j2
@@ -0,0 +1 @@
{{ security.tls.server_cert }}
diff --git a/service/files/server-key.pem.j2 b/service/files/server-key.pem.j2
new file mode 100644
index 0000000..70cf751
--- /dev/null
+++ b/service/files/server-key.pem.j2
@@ -0,0 +1 @@
{{ security.tls.server_key }}
diff --git a/service/files/upstreams.conf.j2 b/service/files/upstreams.conf.j2
new file mode 100644
index 0000000..716a515
--- /dev/null
+++ b/service/files/upstreams.conf.j2
@@ -0,0 +1,6 @@
1upstream glance_api {
2 server 127.0.0.1:{{ glance.api_port.cont }};
3}
4upstream glance_registry {
5 server 127.0.0.1:{{ glance.registry_port.cont }};
6}
diff --git a/service/glance-api.yaml b/service/glance-api.yaml
index adf6a39..c3a13cf 100644
--- a/service/glance-api.yaml
+++ b/service/glance-api.yaml
@@ -61,6 +61,9 @@ service:
61 daemon: 61 daemon:
62 files: 62 files:
63 - glance-api 63 - glance-api
64 # {% if glance.tls.enabled %}
65 - ca_cert
66 # {% endif %}
64 # {% if glance.ceph.enable %} 67 # {% if glance.ceph.enable %}
65 - ceph-conf 68 - ceph-conf
66 - glance-ceph-key 69 - glance-ceph-key
@@ -79,6 +82,17 @@ service:
79 files: 82 files:
80 - glance-cirros-image-upload.sh 83 - glance-cirros-image-upload.sh
81 # {% endif %} 84 # {% endif %}
85 # {% if glance.tls.enabled %}
86 - name: nginx-glance-api
87 image: nginx
88 daemon:
89 files:
90 - upstreams
91 - servers
92 - server-cert
93 - server-key
94 command: nginx
95 # {% endif %}
82 96
83files: 97files:
84 glance-api: 98 glance-api:
@@ -97,3 +111,24 @@ files:
97 path: /opt/ccp/bin/glance-cirros-image-upload.sh 111 path: /opt/ccp/bin/glance-cirros-image-upload.sh
98 content: glance-cirros-image-upload.sh.j2 112 content: glance-cirros-image-upload.sh.j2
99 perm: "500" 113 perm: "500"
114 # {% if glance.tls.enabled %}
115 servers:
116 path: /etc/nginx/conf.d/servers.conf
117 content: nginx-api.conf.j2
118 perm: "0400"
119 upstreams:
120 path: /etc/nginx/conf.d/upstreams.conf
121 content: upstreams.conf.j2
122 perm: "0400"
123 ca_cert:
124 path: /opt/ccp/etc/tls/ca.pem
125 content: ca-cert.pem.j2
126 server-cert:
127 path: /opt/ccp/etc/tls/server-cert.pem
128 content: server-cert.pem.j2
129 perm: "0400"
130 server-key:
131 path: /opt/ccp/etc/tls/server-key.pem
132 content: server-key.pem.j2
133 perm: "0400"
134 # {% endif %}
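Review bot: The `ca_cert` entry (new lines 123-125) is the only TLS file without a `perm`, while `servers`, `upstreams`, `server-cert` and `server-key` all set `"0400"`; the CA certificate is public and does need to be readable by the glance-api process, so a tight mode would be wrong, but the default it inherits is not stated anywhere in this diff, and an explicit world-readable mode (or a comment `# public CA, readable by the service user`) would make the intent visible. The same omission is in glance-registry.yaml (new lines 47-49). `server-key` at `"0400"` is the right mode for a private key; whether the nginx worker user can still open it depends on the file ownership the mapping layer applies, which is outside this diff and worth confirming once.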
diff --git a/service/glance-registry.yaml b/service/glance-registry.yaml
index cf68b93..d0a6d87 100644
--- a/service/glance-registry.yaml
+++ b/service/glance-registry.yaml
@@ -13,11 +13,46 @@ service:
13 daemon: 13 daemon:
14 files: 14 files:
15 - glance-registry-conf 15 - glance-registry-conf
16 # {% if glance.tls.enabled %}
17 - ca_cert
18 # {% endif %}
16 dependencies: 19 dependencies:
17 - glance-api 20 - glance-api
18 command: glance-registry 21 command: glance-registry
22 # {% if glance.tls.enabled %}
23 - name: nginx-glance-registry
24 image: nginx
25 daemon:
26 files:
27 - upstreams
28 - servers
29 - server-cert
30 - server-key
31 command: nginx
32 # {% endif %}
19 33
20files: 34files:
21 glance-registry-conf: 35 glance-registry-conf:
22 path: /etc/glance/glance-registry.conf 36 path: /etc/glance/glance-registry.conf
23 content: glance-registry.conf.j2 37 content: glance-registry.conf.j2
38 # {% if glance.tls.enabled %}
39 servers:
40 path: /etc/nginx/conf.d/servers.conf
41 content: nginx-registry.conf.j2
42 perm: "0400"
43 upstreams:
44 path: /etc/nginx/conf.d/upstreams.conf
45 content: upstreams.conf.j2
46 perm: "0400"
47 ca_cert:
48 path: /opt/ccp/etc/tls/ca.pem
49 content: ca-cert.pem.j2
50 server-cert:
51 path: /opt/ccp/etc/tls/server-cert.pem
52 content: server-cert.pem.j2
53 perm: "0400"
54 server-key:
55 path: /opt/ccp/etc/tls/server-key.pem
56 content: server-key.pem.j2
57 perm: "0400"
58 # {% endif %}