From 3ede834e41dfe3ca70171cd58a5d58a5d7c3398a Mon Sep 17 00:00:00 2001
From: Mark Vanderwiel
Date: Thu, 4 Jun 2015 15:22:37 -0500
Subject: [PATCH] Use correct endpoint scheme for api to registry connection
The ['openstack']['image']['ssl']['enabled'] was being used for both the API/Regsitry services AND the APIs internal connection to the registry. Need to allow for separate control for enabling SSL for API and Registry. Added attributes to cover this. And the APIs internal connection to the registry needs to be configured correctly based upon the Registry's internal endpoint scheme (http or https).
Change-Id: Ieed28ad891192d81356c0d40ba48d70517087950
Closes-Bug: #1462388
---
README.md | 6 ++-
attributes/default.rb | 7 +++-
recipes/api.rb | 1 +
spec/api_spec.rb | 47 ++++++++++++++++++----
spec/registry_spec.rb | 15 +++++--
templates/default/glance-api.conf.erb | 23 +++++------
templates/default/glance-registry.conf.erb | 3 +-
7 files changed, 75 insertions(+), 27 deletions(-)
diff --git a/README.md b/README.md
index 0d6dbf2..07581aa 100644
--- a/README.md
+++ b/README.md
@@ -156,7 +156,11 @@ TODO: Add DB2 support on other platforms
 SSL attributes
 ---------------
-* `openstack['image']['ssl']['enabled']` - Enable SSL for Glance API and registry endpoints. NOTE: Once enabled, Glance service endpoint must be configured to use https on Keystone. Default is false.
+Once SSL is enabled, endpoints attributes in Common need to updated to specify the https protocol.
+
+* `openstack['image']['ssl']['enabled']` - Enable SSL for Glance API and registry bind endpoints. Default is false.
+* `openstack['image']['ssl']['api']['enabled']` - Enable SSL for Glance API bind endpoint. Default is from ['image']['ssl']['enabled'].
+* `openstack['image']['ssl']['registry']['enabled']` - Enable SSL for Glance Registry bind endpoint. Default is from ['image']['ssl']['enabled'].
 * `openstack['image']['ssl']['basedir']` - Base directory for SSL certficate and key file.
 * `openstack['image']['ssl']['cert_file']` - Path of the cert file for SSL.
 * `openstack['image']['ssl']['key_file']` - Path of the keyfile for SSL.
diff --git a/attributes/default.rb b/attributes/default.rb
index f482621..ba5d279 100644
--- a/attributes/default.rb
+++ b/attributes/default.rb
@@ -28,9 +28,12 @@ default['openstack']['image']['custom_template_banner'] = ' '
 # SSL Options
-# Enable SSL for glance-api endpoint. NOTE: Once enabled, Glance service endpoint
-# must be set to https on Keystone
+# Enable SSL for glance api and registry bind endpoints.
 default['openstack']['image']['ssl']['enabled'] = false
+# Enable SSL for glance api bind endpoint.
+default['openstack']['image']['ssl']['api']['enabled'] = node['openstack']['image']['ssl']['enabled']
+# Enable SSL for glance registry bind endpoint.
+default['openstack']['image']['ssl']['registry']['enabled'] = node['openstack']['image']['ssl']['enabled']
 # Base directory for SSL certficate and key
 default['openstack']['image']['ssl']['basedir'] = '/etc/glance/ssl'
 # Path of the cert file for SSL.
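Review bot: The two new defaults copy `node['openstack']['image']['ssl']['enabled']` at the moment attributes/default.rb is evaluated, so a wrapper cookbook whose own attribute file later sets `default['openstack']['image']['ssl']['enabled'] = true` leaves `['api']['enabled']` and `['registry']['enabled']` at false, and both templates in this patch then skip their cert_file/key_file blocks while the operator believes SSL is on. The specs do not catch this, presumably because ChefSpec applies `node.set` before the attribute file runs. Either state the caveat on both new lines, e.g. `# Resolved when this file loads: wrapper cookbooks must set the api/registry keys directly`, or move the fallback into the two templates so it is evaluated at render time.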
diff --git a/recipes/api.rb b/recipes/api.rb
index ac83c29..d9b1dc3 100644
--- a/recipes/api.rb
+++ b/recipes/api.rb
@@ -169,6 +169,7 @@ template '/etc/glance/glance-api.conf' do
 api_bind_port: api_bind.port,
 registry_ip_address: registry_endpoint.host,
 registry_port: registry_endpoint.port,
+ registry_scheme: registry_endpoint.scheme,
 sql_connection: sql_connection,
 glance_flavor: glance_flavor,
 auth_uri: auth_uri,
diff --git a/spec/api_spec.rb b/spec/api_spec.rb
index c3fd3b1..5d8f408 100644
--- a/spec/api_spec.rb
+++ b/spec/api_spec.rb
@@ -100,7 +100,15 @@ describe 'openstack-image::api' do
 key_file: '/etc/glance/ssl/private/sslkey.pem'
 }
- it 'configures SSL cert and key file' do
+ it 'configures SSL cert and key file when api is enabled for ssl' do
+ node.set['openstack']['image']['ssl']['api']['enabled'] = true
+ default_opts.each do |key, val|
+ r = line_regexp("#{key} = #{val}")
+ expect(chef_run).to render_config_file(file.name).with_section_content('DEFAULT', r)
+ end
+ end
+
+ it 'configures SSL cert and key file when glance is enabled ssl' do
 node.set['openstack']['image']['ssl']['enabled'] = true
 default_opts.each do |key, val|
 r = line_regexp("#{key} = #{val}")
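Review bot: `registry_scheme: registry_endpoint.scheme` is handed to the template with no check on its value, and the template writes it verbatim as `registry_client_protocol`; `registry_endpoint` is built outside this hunk, so if its scheme can be nil or anything other than http/https the rendered config is silently wrong instead of the run failing. Since this value now decides whether any of the registry client TLS options are emitted at all, a guard before the template resource such as `raise "image-registry endpoint scheme must be http or https" unless %w[http https].include?(registry_endpoint.scheme)` makes a misconfigured endpoint fail loudly. The `template` resource this hunk belongs to starts and ends outside the hunk.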
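Review bot: Both examples in this spec/api_spec.rb hunk only exercise the enabling direction, so nothing proves that the new per-service switch wins over the global one — which is the point of the change — and the same gap exists in the spec/registry_spec.rb hunk for `['ssl']['registry']['enabled']`. An example that turns the global flag on and the api flag off, then asserts the cert and key lines are absent, pins the intended behaviour. The second new title, `'when glance is enabled ssl'`, reads better as `'when glance ssl is enabled'`. The `describe` block enclosing these examples starts and ends outside the hunk.
```ruby
it 'does not configure SSL cert and key file when api ssl is disabled' do
  node.set['openstack']['image']['ssl']['enabled'] = true
  node.set['openstack']['image']['ssl']['api']['enabled'] = false
  default_opts.each do |key, val|
    r = line_regexp("#{key} = #{val}")
    expect(chef_run).not_to render_config_file(file.name).with_section_content('DEFAULT', r)
  end
end
```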
@@ -124,14 +132,13 @@ describe 'openstack-image::api' do
 context 'glance-registry configuration with ssl enabled' do
 it 'sets registry client protocol to https' do
- node.set['openstack']['image']['ssl']['enabled'] = true
+ node.set['openstack']['endpoints']['image-registry']['scheme'] = 'https'
 expect(chef_run).to render_config_file(file.name).with_section_content('DEFAULT', /^registry_client_protocol = https$/)
 end
 end
- # if cert required then certfile
 context 'glance-registry with cert required' do
 it 'configures CA cert file' do
- node.set['openstack']['image']['ssl']['enabled'] = true
+ node.set['openstack']['endpoints']['image-registry']['scheme'] = 'https'
 node.set['openstack']['image']['ssl']['cert_required'] = true
 node.set['openstack']['image']['registry']['auth']['cafile'] = '/etc/glance/ssl/certs/sslca.pem'
 r = line_regexp('registry_client_ca_file = /etc/glance/ssl/certs/sslca.pem')
@@ -139,9 +146,34 @@ describe 'openstack-image::api' do
 end
 end
+ context 'glance-registry key and cert files' do
+ default_opts = {
+ registry_client_cert_file: '/etc/glance/ssl/certs/sslcert.pem',
+ registry_client_key_file: '/etc/glance/ssl/private/sslkey.pem'
+ }
+
+ it 'configures registry client key and cert files' do
+ node.set['openstack']['endpoints']['image-registry']['scheme'] = 'https'
+ default_opts.each do |key, val|
+ r = line_regexp("#{key} = #{val}")
+ expect(chef_run).to render_config_file(file.name).with_section_content('DEFAULT', r)
+ end
+ end
+
+ it 'does not configure registry client key and cert files when nil or empty' do
+ node.set['openstack']['endpoints']['image-registry']['scheme'] = 'https'
+ node.set['openstack']['openstack']['image']['ssl']['cert_file'] = nil
+ node.set['openstack']['openstack']['image']['ssl']['key_file'] = ''
+ default_opts.each do |key|
+ r = line_regexp("#{key} =")
+ expect(chef_run).not_to render_config_file(file.name).with_section_content('DEFAULT', r)
+ end
+ end
+ end
+
 context 'glance-registry with cert not required' do
 it 'does not configure CA cert file' do
- node.set['openstack']['image']['ssl']['enabled'] = true
+ node.set['openstack']['endpoints']['image-registry']['scheme'] = 'https'
 node.set['openstack']['image']['ssl']['cert_required'] = false
 node.set['openstack']['image']['registry']['auth']['cafile'] = '/etc/glance/ssl/certs/sslca.pem'
 r = line_regexp('registry_client_ca_file = /etc/glance/ssl/certs/sslca.pem')
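Review bot: The new 'does not configure registry client key and cert files when nil or empty' example cannot fail: `default_opts.each do |key|` with a single block parameter receives the whole `[key, value]` pair, so `line_regexp("#{key} =")` is built from the Array's inspect form and never matches any rendered line, and the `not_to` expectation passes whatever the template emits. The two `node.set` lines above it also use the wrong path (`['openstack']['openstack']['image']`), so the template still sees the default cert_file and key_file. Change those three lines to `node.set['openstack']['image']['ssl']['cert_file'] = nil`, `node.set['openstack']['image']['ssl']['key_file'] = ''` and `default_opts.each_key do |key|`, after which the example actually checks the new `unless ... .to_s.empty?` guards in the template.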
@@ -151,7 +183,7 @@ describe 'openstack-image::api' do
 context 'glance-registry with certificate validation enabled' do
 it 'enables SSL in insecure mode' do
- node.set['openstack']['image']['ssl']['enabled'] = true
+ node.set['openstack']['endpoints']['image-registry']['scheme'] = 'https'
 node.set['openstack']['image']['registry']['auth']['insecure'] = false
 r = line_regexp('registry_client_insecure = false')
 expect(chef_run).to render_config_file(file.name).with_section_content('DEFAULT', r)
@@ -160,7 +192,7 @@ describe 'openstack-image::api' do
 context 'glance-registry with certificate validation disabled' do
 it 'enables SSL in secure mode' do
- node.set['openstack']['image']['ssl']['enabled'] = true
+ node.set['openstack']['endpoints']['image-registry']['scheme'] = 'https'
 node.set['openstack']['image']['registry']['auth']['insecure'] = true
 r = line_regexp('registry_client_insecure = true')
 expect(chef_run).to render_config_file(file.name).with_section_content('DEFAULT', r)
@@ -170,7 +202,6 @@ describe 'openstack-image::api' do
 context 'glance-registry configuration with ssl disabled' do
 it 'sets registry client protocol to http' do
- node.set['openstack']['image']['ssl']['enabled'] = false
 expect(chef_run).to render_config_file(file.name).with_section_content('DEFAULT', /^registry_client_protocol = http$/)
 end
 end
diff --git a/spec/registry_spec.rb b/spec/registry_spec.rb
index 80ca770..40abc32 100644
--- a/spec/registry_spec.rb
+++ b/spec/registry_spec.rb
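Review bot: After the `node.set` line is removed in the last hunk, the 'sets registry client protocol to http' example depends entirely on the default of `node['openstack']['endpoints']['image-registry']['scheme']`, which is defined outside this cookbook (presumably in openstack-common); if that default ever moves to https the example fails with no hint of why. Pinning the precondition with `node.set['openstack']['endpoints']['image-registry']['scheme'] = 'http'` keeps the example self-describing. It is also worth asserting in the same context that with the http scheme none of the `registry_client_*` TLS lines are rendered, since that is what the new `@registry_scheme == 'https'` guard in the template is meant to suppress. The enclosing `describe` block starts and ends outside these hunks.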
@@ -218,16 +218,25 @@ describe 'openstack-image::registry' do
 }
 cert = { 'ca_file' => '/etc/glance/ssl/certs/sslca.pem' }
- it 'configures SSL cert and key file' do
+ it 'configures SSL cert and key file when api is enabled for ssl' do
+ node.set['openstack']['image']['ssl']['registry']['enabled'] = true
+ default_opts.each do |key, val|
+ r = line_regexp("#{key} = #{val}")
+ expect(chef_run).to render_config_file(file.name).with_section_content('DEFAULT', r)
+ end
+ end
+
+ it 'configures SSL cert and key file when glance is enabled ssl' do
 node.set['openstack']['image']['ssl']['enabled'] = true
 default_opts.each do |key, val|
 r = line_regexp("#{key} = #{val}")
 expect(chef_run).to render_config_file(file.name).with_section_content('DEFAULT', r)
 end
 end
+
 context 'with cert required' do
 it 'configures CA cert ' do
- node.set['openstack']['image']['ssl']['enabled'] = true
+ node.set['openstack']['image']['ssl']['registry']['enabled'] = true
 node.set['openstack']['image']['ssl']['cert_required'] = true
 r = line_regexp("ca_file = #{cert['ca_file']}")
 expect(chef_run).to render_config_file(file.name).with_section_content('DEFAULT', r)
@@ -236,7 +245,7 @@ describe 'openstack-image::registry' do
 context 'with cert not required' do
 it 'configures CA cert ' do
- node.set['openstack']['image']['ssl']['enabled'] = true
+ node.set['openstack']['image']['ssl']['registry']['enabled'] = true
 node.set['openstack']['image']['ssl']['cert_required'] = false
 r = line_regexp("ca_file = #{cert['ca_file']}")
 expect(chef_run).not_to render_config_file(file.name).with_section_content('DEFAULT', r)
diff --git a/templates/default/glance-api.conf.erb b/templates/default/glance-api.conf.erb
index 2f311c9..7dc1b6c 100644
--- a/templates/default/glance-api.conf.erb
+++ b/templates/default/glance-api.conf.erb
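Review bot: The new example titled `'configures SSL cert and key file when api is enabled for ssl'` in the first hunk sets `['ssl']['registry']['enabled']`, not the api flag; the title was carried over from spec/api_spec.rb and should read `it 'configures SSL cert and key file when registry is enabled for ssl' do`. The second new title, `'when glance is enabled ssl'`, reads better as `'when glance ssl is enabled'`. The enclosing `describe` block starts and ends outside the hunk.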
@@ -126,12 +126,11 @@ log_config = /etc/openstack/logging.conf
 log_file = /var/log/glance/api.log
 <% end %>
-
 # ================= SSL Options ===============================
-# Certificate file to use when starting API server securely
+<% if node['openstack']['image']['ssl']['api']['enabled'] -%>
-<% if node['openstack']['image']['ssl']['enabled'] -%>
+# Certificate file to use when starting API server securely
 cert_file = <%= node['openstack']['image']['ssl']['cert_file'] %>
 # Private key file to use when starting API server securely
@@ -160,35 +159,35 @@ registry_host = <%= @registry_ip_address %>
 registry_port = <%= @registry_port %>
 # What protocol to use when connecting to the registry server?
+registry_client_protocol = <%= @registry_scheme %>
-<% if node['openstack']['image']['ssl']['enabled'] -%>
-# Set to https for secure HTTP communication
-registry_client_protocol = https
-
+<% if @registry_scheme == 'https' -%>
+ <% unless node["openstack"]["image"]['ssl']['key_file'].to_s.empty? -%>
 # The path to the key file to use in SSL connections to the
 # registry server, if any. Alternately, you may set the
 # GLANCE_CLIENT_KEY_FILE environ variable to a filepath of the key file
 registry_client_key_file = <%= node['openstack']['image']['ssl']['key_file'] %>
+ <% end -%>
+ <% unless node["openstack"]["image"]['ssl']['cert_file'].to_s.empty? -%>
 # The path to the cert file to use in SSL connections to the
 # registry server, if any. Alternately, you may set the
 # GLANCE_CLIENT_CERT_FILE environ variable to a filepath of the cert file
 registry_client_cert_file = <%= node['openstack']['image']['ssl']['cert_file'] %>
- <% if node['openstack']['image']['ssl']['cert_required'] %>
+ <% end -%>
+
+ <% if node['openstack']['image']['ssl']['cert_required'] -%>
 # The path to the certifying authority cert file to use in SSL connections
 # to the registry server, if any. Alternately, you may set the
 # GLANCE_CLIENT_CA_FILE environ variable to a filepath of the CA cert file
 registry_client_ca_file = <%= node['openstack']['image']['registry']['auth']['cafile'] %>
-
- <% end %>
+ <% end -%>
 # When using SSL in connections to the registry server, do not require
 # validation via a certifying authority.
This is the registry's equivalent of
 # specifying --insecure on the command line using glanceclient for the API
 # Default: False
 registry_client_insecure = <%= node['openstack']['image']['registry']['auth']['insecure'] %>
-<% else -%>
-registry_client_protocol = http
 <% end -%>
 # The period of time, in seconds, that the API server will wait for a registry
diff --git a/templates/default/glance-registry.conf.erb b/templates/default/glance-registry.conf.erb
index 78cd758..35dbc9d 100644
--- a/templates/default/glance-registry.conf.erb
+++ b/templates/default/glance-registry.conf.erb
@@ -85,7 +85,8 @@ log_file = /var/log/glance/registry.log
 # ================= SSL Options ===============================
-<% if node['openstack']['image']['ssl']['enabled'] -%>
+<% if node['openstack']['image']['ssl']['registry']['enabled'] -%>
+
 # Certificate file to use when starting registry server securely
 cert_file = <%= node['openstack']['image']['ssl']['cert_file'] %>
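Review bot: Inside the new `<% if @registry_scheme == 'https' -%>` block of the glance-api.conf.erb hunk, `registry_client_ca_file` is written only when `['ssl']['cert_required']` is true, while `registry_client_insecure` is always written from `['registry']['auth']['insecure']`; with the scheme set to https but cert_required left false, the registry certificate is checked only against whatever trust store glance's client falls back to (presumably the system one), and with insecure true it is not checked at all. A comment on the `cert_required` line would make that interaction visible to operators, e.g. `# Without cert_required no CA file is written; registry certificate validation then depends on registry_client_insecure below and the client's default trust store`. Separately, the two new `unless` guards use `node["openstack"]["image"]['ssl']` while every other line in the template uses single quotes — `node['openstack']['image']['ssl']['key_file']` keeps the style consistent. The conditional block opened in this hunk is closed by the `<% end -%>` kept as context near its bottom, so the hunk is self-contained.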