Enable TLS by default

This enables TLS by default in the undercloud. This is done by setting
the generate_service_certificate option to True by default, although
the deployer can turn it off if needed.

Change-Id: Id329081c06343373309d6880d464ba99aba0c7be
Juan Antonio Osorio Robles 2018-03-13 09:26:41 +02:00
parent 142d131aad
commit 41f2694d13
4 changed files with 25 additions and 14 deletions


@ -213,10 +213,10 @@ class TestUndercloud(BaseTestCase):
def test_extract_from_stackrc(self):
with open(os.path.expanduser('~/stackrc'), 'w') as f:
f.write('OS_USERNAME=aturing\n')
f.write('OS_AUTH_URL=http://bletchley:5000/\n')
f.write('OS_AUTH_URL=https://bletchley:5000/\n')
self.assertEqual('aturing',
undercloud._extract_from_stackrc('OS_USERNAME'))
self.assertEqual('http://bletchley:5000/',
self.assertEqual('https://bletchley:5000/',
undercloud._extract_from_stackrc('OS_AUTH_URL'))
@mock.patch('instack_undercloud.undercloud._check_hostname')
@ -589,14 +589,14 @@ class TestGenerateEnvironment(BaseTestCase):
if k.startswith('UNDERCLOUD_ENDPOINT')}
self.assertEqual(90, len(endpoint_vars))
# Spot check one service
self.assertEqual('http://192.168.24.1:5000',
self.assertEqual('https://192.168.24.2:13000',
env['UNDERCLOUD_ENDPOINT_KEYSTONE_PUBLIC'])
self.assertEqual('http://192.168.24.1:5000',
self.assertEqual('http://192.168.24.3:5000',
env['UNDERCLOUD_ENDPOINT_KEYSTONE_INTERNAL'])
self.assertEqual('http://192.168.24.1:35357',
self.assertEqual('http://192.168.24.3:35357',
env['UNDERCLOUD_ENDPOINT_KEYSTONE_ADMIN'])
# Also check that the tenant id part is preserved
self.assertEqual('http://192.168.24.1:8080/v1/AUTH_%(tenant_id)s',
self.assertEqual('https://192.168.24.2:13808/v1/AUTH_%(tenant_id)s',
env['UNDERCLOUD_ENDPOINT_SWIFT_PUBLIC'])
def test_generate_endpoints_ssl_manual(self):
@ -615,18 +615,18 @@ class TestGenerateEnvironment(BaseTestCase):
self.assertEqual('https://192.168.24.2:13808/v1/AUTH_%(tenant_id)s',
env['UNDERCLOUD_ENDPOINT_SWIFT_PUBLIC'])
def test_generate_endpoints_ssl_auto(self):
self.conf.config(generate_service_certificate=True)
def test_generate_endpoints_ssl_off(self):
self.conf.config(generate_service_certificate=False)
env = undercloud._generate_environment('.')
# Spot check one service
self.assertEqual('https://192.168.24.2:13000',
self.assertEqual('http://192.168.24.1:5000',
env['UNDERCLOUD_ENDPOINT_KEYSTONE_PUBLIC'])
self.assertEqual('http://192.168.24.3:5000',
self.assertEqual('http://192.168.24.1:5000',
env['UNDERCLOUD_ENDPOINT_KEYSTONE_INTERNAL'])
self.assertEqual('http://192.168.24.3:35357',
self.assertEqual('http://192.168.24.1:35357',
env['UNDERCLOUD_ENDPOINT_KEYSTONE_ADMIN'])
# Also check that the tenant id part is preserved
self.assertEqual('https://192.168.24.2:13808/v1/AUTH_%(tenant_id)s',
self.assertEqual('http://192.168.24.1:8080/v1/AUTH_%(tenant_id)s',
env['UNDERCLOUD_ENDPOINT_SWIFT_PUBLIC'])
def test_absolute_cert_path(self):
@ -650,6 +650,12 @@ class TestGenerateEnvironment(BaseTestCase):
os.chdir(cur_dir)
def test_no_cert_path(self):
env = undercloud._generate_environment('.')
self.assertEqual('/etc/pki/tls/certs/undercloud-192.168.24.2.pem',
env['UNDERCLOUD_SERVICE_CERTIFICATE'])
def test_no_ssl(self):
self.conf.config(generate_service_certificate=False)
env = undercloud._generate_environment('.')
self.assertEqual('', env['UNDERCLOUD_SERVICE_CERTIFICATE'])
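Review bot: The default-configuration assertions in the first TestGenerateEnvironment hunk now expect https on 192.168.24.2:13000 for the keystone public endpoint while the internal and admin endpoints stay on http, yet the only comment is `# Spot check one service`, so a reader cannot tell that the asymmetry is intended rather than an oversight. A comment such as `# With generate_service_certificate defaulting to True only the public endpoints are TLS-terminated; internal/admin remain plaintext` above those assertions would make the expected TLS surface explicit. The new default is also pinned only indirectly through endpoint URLs and the certificate path in test_no_cert_path; an assertion on the option's default value itself, through whatever accessor the config fixture exposes, would catch an accidental flip back to False directly instead of via a spot check. The test methods these hunks modify start outside the hunks.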


@ -210,7 +210,7 @@ _opts = [
'OpenStack API endpoints, leaving it unset disables SSL.')
),
cfg.BoolOpt('generate_service_certificate',
default=False,
default=True,
help=('When set to True, an SSL certificate will be generated '
'as part of the undercloud install and this certificate '
'will be used in place of the value for '
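Review bot: Switching `default=True` silently changes behavior for existing deployers who never set this option — on the next install or upgrade a certificate is generated and the public endpoints move to https on a different address and port (the updated tests expect 192.168.24.2:13000 in place of 192.168.24.1:5000) — but the help text that follows still reads as if opting in were required. Extending the help string with something like `'This defaults to True; set it to False, and leave the certificate option above unset, to keep the public endpoints on plain HTTP.'` would document both the new default and the opt-out in the one place operators read it. The release note added in this commit refers to a `generate_service_certificates` option (plural), while the option defined here is `generate_service_certificate`; the note should use the real name so it can be searched for. The cfg.BoolOpt definition continues past the end of the hunk.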


@ -0,0 +1,5 @@
---
security:
- |
TLS is now used by default for the public endpoints. This is done through
the generate_service_certificates option, which now defaults to 'True'.


@ -81,7 +81,7 @@
# /etc/pki/tls/certs/undercloud-[undercloud_public_host].pem. This
# certificate is signed by CA selected by the
# "certificate_generation_ca" option. (boolean value)
#generate_service_certificate = false
#generate_service_certificate = true
# The certmonger nickname of the CA from which the certificate will be
# requested. This is used only if the generate_service_certificate