diff --git a/README.md b/README.md
index 0d6dbf2..07581aa 100644
--- a/README.md
+++ b/README.md
@@ -156,7 +156,11 @@ TODO: Add DB2 support on other platforms
 SSL attributes
 ---------------
-* `openstack['image']['ssl']['enabled']` - Enable SSL for Glance API and registry endpoints. NOTE: Once enabled, Glance service endpoint must be configured to use https on Keystone. Default is false.
+Once SSL is enabled, endpoints attributes in Common need to updated to specify the https protocol.
+
+* `openstack['image']['ssl']['enabled']` - Enable SSL for Glance API and registry bind endpoints. Default is false.
+* `openstack['image']['ssl']['api']['enabled']` - Enable SSL for Glance API bind endpoint. Default is from ['image']['ssl']['enabled'].
+* `openstack['image']['ssl']['registry']['enabled']` - Enable SSL for Glance Registry bind endpoint. Default is from ['image']['ssl']['enabled'].
 * `openstack['image']['ssl']['basedir']` - Base directory for SSL certficate and key file.
 * `openstack['image']['ssl']['cert_file']` - Path of the cert file for SSL.
 * `openstack['image']['ssl']['key_file']` - Path of the keyfile for SSL.
diff --git a/attributes/default.rb b/attributes/default.rb
index f482621..ba5d279 100644
--- a/attributes/default.rb
+++ b/attributes/default.rb
@@ -28,9 +28,12 @@ default['openstack']['image']['custom_template_banner'] = '
 '
 # SSL Options
-# Enable SSL for glance-api endpoint. NOTE: Once enabled, Glance service endpoint
-# must be set to https on Keystone
+# Enable SSL for glance api and registry bind endpoints.
 default['openstack']['image']['ssl']['enabled'] = false
+# Enable SSL for glance api bind endpoint.
+default['openstack']['image']['ssl']['api']['enabled'] = node['openstack']['image']['ssl']['enabled']
+# Enable SSL for glance registry bind endpoint.
+default['openstack']['image']['ssl']['registry']['enabled'] = node['openstack']['image']['ssl']['enabled']
 # Base directory for SSL certficate and key
 default['openstack']['image']['ssl']['basedir'] = '/etc/glance/ssl'
 # Path of the cert file for SSL.
diff --git a/recipes/api.rb b/recipes/api.rb
index ac83c29..d9b1dc3 100644
--- a/recipes/api.rb
+++ b/recipes/api.rb
@@ -169,6 +169,7 @@ template '/etc/glance/glance-api.conf' do
 api_bind_port: api_bind.port,
 registry_ip_address: registry_endpoint.host,
 registry_port: registry_endpoint.port,
+ registry_scheme: registry_endpoint.scheme,
 sql_connection: sql_connection,
 glance_flavor: glance_flavor,
 auth_uri: auth_uri,
diff --git a/spec/api_spec.rb b/spec/api_spec.rb
index c3fd3b1..5d8f408 100644
--- a/spec/api_spec.rb
+++ b/spec/api_spec.rb
@@ -100,7 +100,15 @@ describe 'openstack-image::api' do
 key_file: '/etc/glance/ssl/private/sslkey.pem'
 }
- it 'configures SSL cert and key file' do
+ it 'configures SSL cert and key file when api is enabled for ssl' do
+ node.set['openstack']['image']['ssl']['api']['enabled'] = true
+ default_opts.each do |key, val|
+ r = line_regexp("#{key} = #{val}")
+ expect(chef_run).to render_config_file(file.name).with_section_content('DEFAULT', r)
+ end
+ end
+
+ it 'configures SSL cert and key file when glance is enabled ssl' do
 node.set['openstack']['image']['ssl']['enabled'] = true
 default_opts.each do |key, val|
 r = line_regexp("#{key} = #{val}")
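Review bot: The new `['api']['enabled']` and `['registry']['enabled']` defaults read `node['openstack']['image']['ssl']['enabled']` at the moment this attributes file is evaluated, so any later default-precedence write to the parent flag (for example a wrapper cookbook's attributes file that sets `default['openstack']['image']['ssl']['enabled'] = true`) leaves both per-service flags at false, and because glance-api.conf.erb and glance-registry.conf.erb now consult only the per-service flag, the bind endpoints would stay plaintext while the operator believes TLS is on. Role, environment and `node.set` values are, as far as I recall Chef's load order, merged before attribute files run, which is why the specs still pass. A safer shape is to default the two per-service attributes to `nil` and resolve the fallback where they are consumed, e.g. in the recipe `api_ssl = node['openstack']['image']['ssl']['api']['enabled']` followed by `api_ssl = node['openstack']['image']['ssl']['enabled'] if api_ssl.nil?`, passing the result to the template as a variable. The README wording 'Default is from ['image']['ssl']['enabled']' should then say the fallback applies only while the per-service attribute is unset.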
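Review bot: `registry_endpoint.scheme` is handed to the template unvalidated, and glance-api.conf.erb both writes it verbatim into `registry_client_protocol` and emits the registry client key, cert and CA settings only when it equals the literal `'https'`, so a nil or differently spelled scheme yields a config glance may reject or, if it does accept it, one whose TLS client settings were silently dropped. A one-line guard above the template resource surfaces that at converge time: `raise "unsupported image-registry scheme: #{registry_endpoint.scheme.inspect}" unless %w[http https].include?(registry_endpoint.scheme)`. The `template '/etc/glance/glance-api.conf'` block starts before this hunk.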
@@ -124,14 +132,13 @@ describe 'openstack-image::api' do
 context 'glance-registry configuration with ssl enabled' do
 it 'sets registry client protocol to https' do
- node.set['openstack']['image']['ssl']['enabled'] = true
+ node.set['openstack']['endpoints']['image-registry']['scheme'] = 'https'
 expect(chef_run).to render_config_file(file.name).with_section_content('DEFAULT', /^registry_client_protocol = https$/)
 end
- # if cert required then certfile
 context 'glance-registry with cert required' do
 it 'configures CA cert file' do
- node.set['openstack']['image']['ssl']['enabled'] = true
+ node.set['openstack']['endpoints']['image-registry']['scheme'] = 'https'
 node.set['openstack']['image']['ssl']['cert_required'] = true
 node.set['openstack']['image']['registry']['auth']['cafile'] = '/etc/glance/ssl/certs/sslca.pem'
 r = line_regexp('registry_client_ca_file = /etc/glance/ssl/certs/sslca.pem')
@@ -139,9 +146,34 @@ describe 'openstack-image::api' do end end + context 'glance-registry key and cert files' do + default_opts = { + registry_client_cert_file: '/etc/glance/ssl/certs/sslcert.pem', + registry_client_key_file: '/etc/glance/ssl/private/sslkey.pem' + } + + it 'configures registry client key and cert files' do + node.set['openstack']['endpoints']['image-registry']['scheme'] = 'https' + default_opts.each do |key, val| + r = line_regexp("#{key} = #{val}") + expect(chef_run).to render_config_file(file.name).with_section_content('DEFAULT', r) + end + end + + it 'does not configure registry client key and cert files when nil or empty' do + node.set['openstack']['endpoints']['image-registry']['scheme'] = 'https' + node.set['openstack']['openstack']['image']['ssl']['cert_file'] = nil + node.set['openstack']['openstack']['image']['ssl']['key_file'] = '' + default_opts.each do |key| + r = line_regexp("#{key} =") + expect(chef_run).not_to render_config_file(file.name).with_section_content('DEFAULT', r) + end + end + end + context 'glance-registry with cert not required' do it 'does not configure CA cert file' do - node.set['openstack']['image']['ssl']['enabled'] = true + node.set['openstack']['endpoints']['image-registry']['scheme'] = 'https' node.set['openstack']['image']['ssl']['cert_required'] = false node.set['openstack']['image']['registry']['auth']['cafile'] = '/etc/glance/ssl/certs/sslca.pem' r = line_regexp('registry_client_ca_file = /etc/glance/ssl/certs/sslca.pem') 
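Review bot: The new 'does not configure registry client key and cert files when nil or empty' example passes vacuously: its two `node.set` calls use the path `['openstack']['openstack']['image']['ssl'][...]`, so the real `cert_file` and `key_file` attributes keep their defaults, and `default_opts.each do |key|` on a Hash binds `key` to the whole `[name, value]` pair, so `line_regexp("#{key} =")` can never match a rendered line and `not_to` always succeeds. Change the paths to `node.set['openstack']['image']['ssl']['cert_file'] = nil` and `node.set['openstack']['image']['ssl']['key_file'] = ''`, and iterate with `default_opts.each_key do |key|`. It would also strengthen the example to assert that `registry_client_protocol = https` is still rendered, so the test shows the guard working rather than merely the absence of output.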
@@ -151,7 +183,7 @@ describe 'openstack-image::api' do
 context 'glance-registry with certificate validation enabled' do
 it 'enables SSL in insecure mode' do
- node.set['openstack']['image']['ssl']['enabled'] = true
+ node.set['openstack']['endpoints']['image-registry']['scheme'] = 'https'
 node.set['openstack']['image']['registry']['auth']['insecure'] = false
 r = line_regexp('registry_client_insecure = false')
 expect(chef_run).to render_config_file(file.name).with_section_content('DEFAULT', r)
@@ -160,7 +192,7 @@ describe 'openstack-image::api' do
 context 'glance-registry with certificate validation disabled' do
 it 'enables SSL in secure mode' do
- node.set['openstack']['image']['ssl']['enabled'] = true
+ node.set['openstack']['endpoints']['image-registry']['scheme'] = 'https'
 node.set['openstack']['image']['registry']['auth']['insecure'] = true
 r = line_regexp('registry_client_insecure = true')
 expect(chef_run).to render_config_file(file.name).with_section_content('DEFAULT', r)
@@ -170,7 +202,6 @@ describe 'openstack-image::api' do
 context 'glance-registry configuration with ssl disabled' do
 it 'sets registry client protocol to http' do
- node.set['openstack']['image']['ssl']['enabled'] = false
 expect(chef_run).to render_config_file(file.name).with_section_content('DEFAULT', /^registry_client_protocol = http$/)
 end
 end
diff --git a/spec/registry_spec.rb b/spec/registry_spec.rb
index 80ca770..40abc32 100644
--- a/spec/registry_spec.rb
+++ b/spec/registry_spec.rb
@@ -218,16 +218,25 @@ describe 'openstack-image::registry' do
 }
 cert = { 'ca_file' => '/etc/glance/ssl/certs/sslca.pem' }
- it 'configures SSL cert and key file' do
+ it 'configures SSL cert and key file when api is enabled for ssl' do
+ node.set['openstack']['image']['ssl']['registry']['enabled'] = true
+ default_opts.each do |key, val|
+ r = line_regexp("#{key} = #{val}")
+ expect(chef_run).to render_config_file(file.name).with_section_content('DEFAULT', r)
+ end
+ end
+
+ it 'configures SSL cert and key file when glance is enabled ssl' do
 node.set['openstack']['image']['ssl']['enabled'] = true
 default_opts.each do |key, val|
 r = line_regexp("#{key} = #{val}")
 expect(chef_run).to render_config_file(file.name).with_section_content('DEFAULT', r)
 end
 end
+
 context 'with cert required' do
 it 'configures CA cert ' do
- node.set['openstack']['image']['ssl']['enabled'] = true
+ node.set['openstack']['image']['ssl']['registry']['enabled'] = true
 node.set['openstack']['image']['ssl']['cert_required'] = true
 r = line_regexp("ca_file = #{cert['ca_file']}")
 expect(chef_run).to render_config_file(file.name).with_section_content('DEFAULT', r)
@@ -236,7 +245,7 @@ describe 'openstack-image::registry' do
 context 'with cert not required' do
 it 'configures CA cert ' do
- node.set['openstack']['image']['ssl']['enabled'] = true
+ node.set['openstack']['image']['ssl']['registry']['enabled'] = true
 node.set['openstack']['image']['ssl']['cert_required'] = false
 r = line_regexp("ca_file = #{cert['ca_file']}")
 expect(chef_run).not_to render_config_file(file.name).with_section_content('DEFAULT', r)
diff --git a/templates/default/glance-api.conf.erb b/templates/default/glance-api.conf.erb
index 2f311c9..7dc1b6c 100644
--- a/templates/default/glance-api.conf.erb
+++ b/templates/default/glance-api.conf.erb
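Review bot: The new example's title, 'configures SSL cert and key file when api is enabled for ssl', contradicts what it sets (`node.set['openstack']['image']['ssl']['registry']['enabled'] = true`), and this is the registry spec, so it reads like a copy from api_spec.rb. Rename it `it 'configures SSL cert and key file when registry is enabled for ssl' do` so a failure points at the right attribute.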
@@ -126,12 +126,11 @@ log_config = /etc/openstack/logging.conf
 log_file = /var/log/glance/api.log
 <% end %>
-
 # ================= SSL Options ===============================
-# Certificate file to use when starting API server securely
+<% if node['openstack']['image']['ssl']['api']['enabled'] -%>
-<% if node['openstack']['image']['ssl']['enabled'] -%>
+# Certificate file to use when starting API server securely
 cert_file = <%= node['openstack']['image']['ssl']['cert_file'] %>
 # Private key file to use when starting API server securely
@@ -160,35 +159,35 @@ registry_host = <%= @registry_ip_address %>
 registry_port = <%= @registry_port %>
 # What protocol to use when connecting to the registry server?
+registry_client_protocol = <%= @registry_scheme %>
-<% if node['openstack']['image']['ssl']['enabled'] -%>
-# Set to https for secure HTTP communication
-registry_client_protocol = https
-
+<% if @registry_scheme == 'https' -%>
+ <% unless node["openstack"]["image"]['ssl']['key_file'].to_s.empty? -%>
 # The path to the key file to use in SSL connections to the
 # registry server, if any. Alternately, you may set the
 # GLANCE_CLIENT_KEY_FILE environ variable to a filepath of the key file
 registry_client_key_file = <%= node['openstack']['image']['ssl']['key_file'] %>
+ <% end -%>
+ <% unless node["openstack"]["image"]['ssl']['cert_file'].to_s.empty? -%>
 # The path to the cert file to use in SSL connections to the
 # registry server, if any. Alternately, you may set the
 # GLANCE_CLIENT_CERT_FILE environ variable to a filepath of the cert file
 registry_client_cert_file = <%= node['openstack']['image']['ssl']['cert_file'] %>
- <% if node['openstack']['image']['ssl']['cert_required'] %>
+ <% end -%>
+
+ <% if node['openstack']['image']['ssl']['cert_required'] -%>
 # The path to the certifying authority cert file to use in SSL connections
 # to the registry server, if any. Alternately, you may set the
 # GLANCE_CLIENT_CA_FILE environ variable to a filepath of the CA cert file
 registry_client_ca_file = <%= node['openstack']['image']['registry']['auth']['cafile'] %>
-
- <% end %>
+ <% end -%>
 # When using SSL in connections to the registry server, do not require
 # validation via a certifying authority.
This is the registry's equivalent of
 # specifying --insecure on the command line using glanceclient for the API
 # Default: False
 registry_client_insecure = <%= node['openstack']['image']['registry']['auth']['insecure'] %>
-<% else -%>
-registry_client_protocol = http
 <% end -%>
 # The period of time, in seconds, that the API server will wait for a registry
diff --git a/templates/default/glance-registry.conf.erb b/templates/default/glance-registry.conf.erb
index 78cd758..35dbc9d 100644
--- a/templates/default/glance-registry.conf.erb
+++ b/templates/default/glance-registry.conf.erb
@@ -85,7 +85,8 @@ log_file = /var/log/glance/registry.log
 # ================= SSL Options ===============================
-<% if node['openstack']['image']['ssl']['enabled'] -%>
+<% if node['openstack']['image']['ssl']['registry']['enabled'] -%>
+
 # Certificate file to use when starting registry server securely
 cert_file = <%= node['openstack']['image']['ssl']['cert_file'] %>
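Review bot: Inside the new `<% if @registry_scheme == 'https' -%>` block, `registry_client_key_file` and `registry_client_cert_file` are now skipped when their attribute is nil or empty, but `registry_client_ca_file` under `cert_required` is still rendered unconditionally, so a nil `['registry']['auth']['cafile']` produces `registry_client_ca_file = ` with nothing after the equals sign and leaves what validation happens to whatever glance does with an empty path. Because `cert_required` is an explicit request for CA validation, the consistent treatment is not to skip the line but to refuse an empty path, for example by failing in the recipe before the template is rendered, with a comment here such as `# cert_required implies a CA file; an empty cafile attribute is rejected by the recipe`. Separately, a comment that the api server's own `cert_file`/`key_file` are reused as the registry client identity would help, since that is not obvious from the attribute names.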