authorJuan Antonio Osorio Robles <jaosorior@redhat.com>2018-03-13 09:26:41 +0200
committerJuan Antonio Osorio Robles <jaosorior@redhat.com>2018-03-21 09:33:17 +0000
commit41f2694d13386a2c533ca300f109afc2fc2f0595 (patch)
tree3b50dedff0b47d38e3563d1969ae73d740af1511
parent142d131aad348f966bedc86ea7dc71c8ebd4ed62 (diff)
Enable TLS by default
This enables TLS by default in the undercloud. This is done by setting the generate_service_certificate option to True by default, although the deployer can turn it off if needed. Change-Id: Id329081c06343373309d6880d464ba99aba0c7be
Notes
Notes (review): Code-Review+1: Saravanan KR <skramaja@redhat.com> Code-Review+1: Luke Hinds <lhinds@redhat.com> Code-Review+1: Oliver Walsh <owalsh@redhat.com> Code-Review+2: Emilien Macchi <emilien@redhat.com> Code-Review+2: Michele Baldessari <michele@acksyn.org> Code-Review+2: Steven Hardy <shardy@redhat.com> Code-Review+1: Trinh Nguyen <dangtrinhnt@gmail.com> Workflow+1: Juan Antonio Osorio Robles <jaosorior@redhat.com> Verified+2: Zuul Submitted-by: Zuul Submitted-at: Wed, 21 Mar 2018 14:57:47 +0000 Reviewed-on: https://review.openstack.org/552382 Project: openstack/instack-undercloud Branch: refs/heads/master
-rw-r--r--instack_undercloud/tests/test_undercloud.py30
-rw-r--r--instack_undercloud/undercloud.py2
-rw-r--r--releasenotes/notes/TLS-by-default-bc12660c12ba7ab1.yaml5
-rw-r--r--undercloud.conf.sample2
4 files changed, 25 insertions, 14 deletions
diff --git a/instack_undercloud/tests/test_undercloud.py b/instack_undercloud/tests/test_undercloud.py
index b2e9af8..086a237 100644
--- a/instack_undercloud/tests/test_undercloud.py
+++ b/instack_undercloud/tests/test_undercloud.py
@@ -213,10 +213,10 @@ class TestUndercloud(BaseTestCase):
213 def test_extract_from_stackrc(self): 213 def test_extract_from_stackrc(self):
214 with open(os.path.expanduser('~/stackrc'), 'w') as f: 214 with open(os.path.expanduser('~/stackrc'), 'w') as f:
215 f.write('OS_USERNAME=aturing\n') 215 f.write('OS_USERNAME=aturing\n')
216 f.write('OS_AUTH_URL=http://bletchley:5000/\n') 216 f.write('OS_AUTH_URL=https://bletchley:5000/\n')
217 self.assertEqual('aturing', 217 self.assertEqual('aturing',
218 undercloud._extract_from_stackrc('OS_USERNAME')) 218 undercloud._extract_from_stackrc('OS_USERNAME'))
219 self.assertEqual('http://bletchley:5000/', 219 self.assertEqual('https://bletchley:5000/',
220 undercloud._extract_from_stackrc('OS_AUTH_URL')) 220 undercloud._extract_from_stackrc('OS_AUTH_URL'))
221 221
222 @mock.patch('instack_undercloud.undercloud._check_hostname') 222 @mock.patch('instack_undercloud.undercloud._check_hostname')
@@ -589,14 +589,14 @@ class TestGenerateEnvironment(BaseTestCase):
589 if k.startswith('UNDERCLOUD_ENDPOINT')} 589 if k.startswith('UNDERCLOUD_ENDPOINT')}
590 self.assertEqual(90, len(endpoint_vars)) 590 self.assertEqual(90, len(endpoint_vars))
591 # Spot check one service 591 # Spot check one service
592 self.assertEqual('http://192.168.24.1:5000', 592 self.assertEqual('https://192.168.24.2:13000',
593 env['UNDERCLOUD_ENDPOINT_KEYSTONE_PUBLIC']) 593 env['UNDERCLOUD_ENDPOINT_KEYSTONE_PUBLIC'])
594 self.assertEqual('http://192.168.24.1:5000', 594 self.assertEqual('http://192.168.24.3:5000',
595 env['UNDERCLOUD_ENDPOINT_KEYSTONE_INTERNAL']) 595 env['UNDERCLOUD_ENDPOINT_KEYSTONE_INTERNAL'])
596 self.assertEqual('http://192.168.24.1:35357', 596 self.assertEqual('http://192.168.24.3:35357',
597 env['UNDERCLOUD_ENDPOINT_KEYSTONE_ADMIN']) 597 env['UNDERCLOUD_ENDPOINT_KEYSTONE_ADMIN'])
598 # Also check that the tenant id part is preserved 598 # Also check that the tenant id part is preserved
599 self.assertEqual('http://192.168.24.1:8080/v1/AUTH_%(tenant_id)s', 599 self.assertEqual('https://192.168.24.2:13808/v1/AUTH_%(tenant_id)s',
600 env['UNDERCLOUD_ENDPOINT_SWIFT_PUBLIC']) 600 env['UNDERCLOUD_ENDPOINT_SWIFT_PUBLIC'])
601 601
602 def test_generate_endpoints_ssl_manual(self): 602 def test_generate_endpoints_ssl_manual(self):
@@ -615,18 +615,18 @@ class TestGenerateEnvironment(BaseTestCase):
615 self.assertEqual('https://192.168.24.2:13808/v1/AUTH_%(tenant_id)s', 615 self.assertEqual('https://192.168.24.2:13808/v1/AUTH_%(tenant_id)s',
616 env['UNDERCLOUD_ENDPOINT_SWIFT_PUBLIC']) 616 env['UNDERCLOUD_ENDPOINT_SWIFT_PUBLIC'])
617 617
618 def test_generate_endpoints_ssl_auto(self): 618 def test_generate_endpoints_ssl_off(self):
619 self.conf.config(generate_service_certificate=True) 619 self.conf.config(generate_service_certificate=False)
620 env = undercloud._generate_environment('.') 620 env = undercloud._generate_environment('.')
621 # Spot check one service 621 # Spot check one service
622 self.assertEqual('https://192.168.24.2:13000', 622 self.assertEqual('http://192.168.24.1:5000',
623 env['UNDERCLOUD_ENDPOINT_KEYSTONE_PUBLIC']) 623 env['UNDERCLOUD_ENDPOINT_KEYSTONE_PUBLIC'])
624 self.assertEqual('http://192.168.24.3:5000', 624 self.assertEqual('http://192.168.24.1:5000',
625 env['UNDERCLOUD_ENDPOINT_KEYSTONE_INTERNAL']) 625 env['UNDERCLOUD_ENDPOINT_KEYSTONE_INTERNAL'])
626 self.assertEqual('http://192.168.24.3:35357', 626 self.assertEqual('http://192.168.24.1:35357',
627 env['UNDERCLOUD_ENDPOINT_KEYSTONE_ADMIN']) 627 env['UNDERCLOUD_ENDPOINT_KEYSTONE_ADMIN'])
628 # Also check that the tenant id part is preserved 628 # Also check that the tenant id part is preserved
629 self.assertEqual('https://192.168.24.2:13808/v1/AUTH_%(tenant_id)s', 629 self.assertEqual('http://192.168.24.1:8080/v1/AUTH_%(tenant_id)s',
630 env['UNDERCLOUD_ENDPOINT_SWIFT_PUBLIC']) 630 env['UNDERCLOUD_ENDPOINT_SWIFT_PUBLIC'])
631 631
632 def test_absolute_cert_path(self): 632 def test_absolute_cert_path(self):
@@ -651,6 +651,12 @@ class TestGenerateEnvironment(BaseTestCase):
651 651
652 def test_no_cert_path(self): 652 def test_no_cert_path(self):
653 env = undercloud._generate_environment('.') 653 env = undercloud._generate_environment('.')
654 self.assertEqual('/etc/pki/tls/certs/undercloud-192.168.24.2.pem',
655 env['UNDERCLOUD_SERVICE_CERTIFICATE'])
656
657 def test_no_ssl(self):
658 self.conf.config(generate_service_certificate=False)
659 env = undercloud._generate_environment('.')
654 self.assertEqual('', env['UNDERCLOUD_SERVICE_CERTIFICATE']) 660 self.assertEqual('', env['UNDERCLOUD_SERVICE_CERTIFICATE'])
655 661
656 def test_remove_dib_yum_repo_conf(self): 662 def test_remove_dib_yum_repo_conf(self):
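Review bot: The TLS-on expectations at lines 592-600 are now asserted only under the default configuration, because the one test that set `generate_service_certificate=True` explicitly (`test_generate_endpoints_ssl_auto`) was turned into the `=False` case; if the default is ever changed back, that test silently starts checking the wrong contract. Keep an explicit `self.conf.config(generate_service_certificate=True)` test beside the default one, or at least add `# default config: generate_service_certificate=True, so public endpoints are TLS` above the spot check at line 591. It is also worth a comment that lines 594-597 pin the internal and admin Keystone endpoints as plain `http://`, so "TLS by default" covers the public endpoints only and should not be read as covering every endpoint. Likewise `test_no_cert_path` now asserts that a generated certificate path is present, which its name no longer conveys; a docstring such as `"""No undercloud_service_certificate set: the auto-generated cert path is used."""` would make the intent clear. The test whose spot checks sit at lines 589-600 starts before the hunk.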
diff --git a/instack_undercloud/undercloud.py b/instack_undercloud/undercloud.py
index b3f7aab..4059b21 100644
--- a/instack_undercloud/undercloud.py
+++ b/instack_undercloud/undercloud.py
@@ -210,7 +210,7 @@ _opts = [
210 'OpenStack API endpoints, leaving it unset disables SSL.') 210 'OpenStack API endpoints, leaving it unset disables SSL.')
211 ), 211 ),
212 cfg.BoolOpt('generate_service_certificate', 212 cfg.BoolOpt('generate_service_certificate',
213 default=False, 213 default=True,
214 help=('When set to True, an SSL certificate will be generated ' 214 help=('When set to True, an SSL certificate will be generated '
215 'as part of the undercloud install and this certificate ' 215 'as part of the undercloud install and this certificate '
216 'will be used in place of the value for ' 216 'will be used in place of the value for '
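Review bot: The context line 210, `leaving it unset disables SSL`, is now inaccurate: with `generate_service_certificate` defaulting to True, leaving `undercloud_service_certificate` unset yields an auto-generated certificate rather than plain HTTP, and SSL is only disabled when `generate_service_certificate` is also set to False. The help text for that option (its definition starts before the hunk) should be updated, e.g. `'OpenStack API endpoints. When unset, a certificate is generated if generate_service_certificate is True; set that to False to disable SSL.'`. The help text for `generate_service_certificate` itself could also state that the generated certificate is only as trustworthy as the CA named by `certificate_generation_ca`, and that clients must trust that CA to verify the public endpoints, so deployers are not nudged towards disabling certificate verification. Separately, the release note in this commit refers to the option as `generate_service_certificates`, which does not match the name defined here.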
diff --git a/releasenotes/notes/TLS-by-default-bc12660c12ba7ab1.yaml b/releasenotes/notes/TLS-by-default-bc12660c12ba7ab1.yaml
new file mode 100644
index 0000000..19ff888
--- /dev/null
+++ b/releasenotes/notes/TLS-by-default-bc12660c12ba7ab1.yaml
@@ -0,0 +1,5 @@
1---
2security:
3 - |
4 TLS is now used by default for the public endpoints. This is done through
5 the generate_service_certificates option, which now defaults to 'True'.
diff --git a/undercloud.conf.sample b/undercloud.conf.sample
index d3dea9a..78a3aae 100644
--- a/undercloud.conf.sample
+++ b/undercloud.conf.sample
@@ -81,7 +81,7 @@
81# /etc/pki/tls/certs/undercloud-[undercloud_public_host].pem. This 81# /etc/pki/tls/certs/undercloud-[undercloud_public_host].pem. This
82# certificate is signed by CA selected by the 82# certificate is signed by CA selected by the
83# "certificate_generation_ca" option. (boolean value) 83# "certificate_generation_ca" option. (boolean value)
84#generate_service_certificate = false 84#generate_service_certificate = true
85 85
86# The certmonger nickname of the CA from which the certificate will be 86# The certmonger nickname of the CA from which the certificate will be
87# requested. This is used only if the generate_service_certificate 87# requested. This is used only if the generate_service_certificate