Add TLS support for placement api

Change-Id: I30d5c8e3e226cddaa795ea864f12b4dbb5e3ab90
Sergey Reshetnyak 2017-03-02 16:13:15 +03:00
parent 6271ff2f1a
commit f8e2969f59
7 changed files with 71 additions and 0 deletions


@ -1,5 +1,10 @@
{% if placement.tls.enabled %}
Listen 127.0.0.1:{{ placement.port.cont }}
<VirtualHost 127.0.0.1:{{ placement.port.cont }}>
{% else %}
Listen {{ placement.port.cont }}
<VirtualHost *:{{ placement.port.cont }}>
{% endif %}
WSGIDaemonProcess placement-api processes={{ placement.wsgi.processes }} threads={{ placement.wsgi.threads }} user=nova display-name=%{GROUP} python-path=/var/lib/microservices/venv/lib/python2.7/site-packages
WSGIProcessGroup placement-api
WSGIScriptAlias / /var/lib/microservices/venv/bin/nova-placement-api


@ -219,6 +219,8 @@ configs:
port:
cont: 8780
ingress: placement
tls:
enabled: true
wsgi:
processes: 4
threads: 4


@ -0,0 +1,9 @@
server {
listen {{ network_topology["private"]["address"] }}:{{ placement.port.cont }} ssl;
include common/ssl.conf;
location / {
proxy_pass http://nova_placement_api;
include common/proxy-headers.conf;
}
}
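Review bot: This server block takes its certificate, key and protocol settings from `common/ssl.conf` (presumably, since no `ssl_certificate` directive appears here), and nothing in the template says so or explains that nginx and Apache share `placement.port.cont` on different addresses. A short header comment would make that dependency explicit, e.g. `{# TLS terminator for placement-api: nginx on the private address, Apache on 127.0.0.1 with the same port; cert/key and protocol settings come from common/ssl.conf #}`. An apparently identical nine-line server block is added again in a later file section of this commit. If both files are needed, confirm which one the `servers` entry (`nginx-placement-api.conf.j2`) actually renders, since two copies can drift apart.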


@ -208,6 +208,9 @@ username = {{ placement.account.username }}
password = {{ placement.account.password }}
memcached_servers = {{ address("memcached", memcached.port) }}
os_region_name = RegionOne
{% if keystone.tls.enabled %}
cafile = /opt/ccp/etc/tls/ca.pem
{% endif %}
{% endif %}
{# messaging macros templates #}
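Review bot: The new `cafile` line is gated on `keystone.tls.enabled`, while this commit puts the placement endpoint behind TLS under `placement.tls.enabled`. If placement TLS is on and Keystone TLS is off, the client section shown here would have no configured CA bundle for verifying the placement certificate; it appears to be the placement credentials block, but its header is outside the hunk. Consider `{% if keystone.tls.enabled or placement.tls.enabled %}` here. The same condition would apply to the `ca-cert` entries in the service definition later in this commit, which are also keyed on `keystone.tls.enabled` only.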


@ -9,3 +9,7 @@ upstream nova_api {
upstream nova_metadata {
server 127.0.0.1:{{ nova.metadata.port.cont }};
}
upstream nova_placement_api {
server 127.0.0.1:{{ placement.port.cont }};
}


@ -0,0 +1,9 @@
server {
listen {{ network_topology["private"]["address"] }}:{{ placement.port.cont }} ssl;
include common/ssl.conf;
location / {
proxy_pass http://nova_placement_api;
include common/proxy-headers.conf;
}
}


@ -47,6 +47,21 @@ service:
files:
- nova.conf
- apache-placement-api.conf
# {% if keystone.tls.enabled %}
- ca-cert
# {% endif %}
# {% if placement.tls.enabled %}
- name: nginx-placement-api
image: nginx
daemon:
files:
- upstreams
- servers
- server-cert
- server-key
command: nginx
# {% endif %}
files:
nova.conf:
@ -57,3 +72,27 @@ files:
path: /etc/apache2/conf-enabled/nova-placement-api.conf
content: apache-placement-api.conf.j2
perm: "0600"
# {% if placement.tls.enabled %}
servers:
path: /etc/nginx/conf.d/servers.conf
content: nginx-placement-api.conf.j2
perm: "0400"
upstreams:
path: /etc/nginx/conf.d/upstreams.conf
content: upstreams.conf.j2
perm: "0400"
server-cert:
path: /opt/ccp/etc/tls/server-cert.pem
content: server-cert.pem.j2
perm: "0400"
server-key:
path: /opt/ccp/etc/tls/server-key.pem
content: server-key.pem.j2
perm: "0400"
# {% endif %}
# {% if keystone.tls.enabled %}
ca-cert:
path: /opt/ccp/etc/tls/ca.pem
content: ca-cert.pem.j2
perm: "0400"
# {% endif %}