From 41f2694d13386a2c533ca300f109afc2fc2f0595 Mon Sep 17 00:00:00 2001
From: Juan Antonio Osorio Robles
Date: Tue, 13 Mar 2018 09:26:41 +0200
Subject: [PATCH] Enable TLS by default

This enables TLS by defalut in the undercloud. This is done by setting the generate_service_certificate option to True by default, although, the deployer can turn it off if needed.

Change-Id: Id329081c06343373309d6880d464ba99aba0c7be
---
 instack_undercloud/tests/test_undercloud.py | 30 +++++++++++--------
 instack_undercloud/undercloud.py | 2 +-
 .../TLS-by-default-bc12660c12ba7ab1.yaml | 5 ++++
 undercloud.conf.sample | 2 +-
 4 files changed, 25 insertions(+), 14 deletions(-)
 create mode 100644 releasenotes/notes/TLS-by-default-bc12660c12ba7ab1.yaml

diff --git a/instack_undercloud/tests/test_undercloud.py b/instack_undercloud/tests/test_undercloud.py
index b2e9af8dd..086a23734 100644
--- a/instack_undercloud/tests/test_undercloud.py
+++ b/instack_undercloud/tests/test_undercloud.py
@@ -213,10 +213,10 @@ class TestUndercloud(BaseTestCase):
 def test_extract_from_stackrc(self):
 with open(os.path.expanduser('~/stackrc'), 'w') as f:
 f.write('OS_USERNAME=aturing\n')
- f.write('OS_AUTH_URL=http://bletchley:5000/\n')
+ f.write('OS_AUTH_URL=https://bletchley:5000/\n')
 self.assertEqual('aturing',
 undercloud._extract_from_stackrc('OS_USERNAME'))
- self.assertEqual('http://bletchley:5000/',
+ self.assertEqual('https://bletchley:5000/',
 undercloud._extract_from_stackrc('OS_AUTH_URL'))
 
 @mock.patch('instack_undercloud.undercloud._check_hostname')
@@ -589,14 +589,14 @@ class TestGenerateEnvironment(BaseTestCase):
 if k.startswith('UNDERCLOUD_ENDPOINT')}
 self.assertEqual(90, len(endpoint_vars))
 # Spot check one service
- self.assertEqual('http://192.168.24.1:5000',
+ self.assertEqual('https://192.168.24.2:13000',
 env['UNDERCLOUD_ENDPOINT_KEYSTONE_PUBLIC'])
- self.assertEqual('http://192.168.24.1:5000',
+ self.assertEqual('http://192.168.24.3:5000',
 env['UNDERCLOUD_ENDPOINT_KEYSTONE_INTERNAL'])
- self.assertEqual('http://192.168.24.1:35357',
+ self.assertEqual('http://192.168.24.3:35357',
 env['UNDERCLOUD_ENDPOINT_KEYSTONE_ADMIN'])
 # Also check that the tenant id part is preserved
- self.assertEqual('http://192.168.24.1:8080/v1/AUTH_%(tenant_id)s',
+ self.assertEqual('https://192.168.24.2:13808/v1/AUTH_%(tenant_id)s',
 env['UNDERCLOUD_ENDPOINT_SWIFT_PUBLIC'])
 
 def test_generate_endpoints_ssl_manual(self):
@@ -615,18 +615,18 @@ class TestGenerateEnvironment(BaseTestCase):
 self.assertEqual('https://192.168.24.2:13808/v1/AUTH_%(tenant_id)s',
 env['UNDERCLOUD_ENDPOINT_SWIFT_PUBLIC'])
 
- def test_generate_endpoints_ssl_auto(self):
- self.conf.config(generate_service_certificate=True)
+ def test_generate_endpoints_ssl_off(self):
+ self.conf.config(generate_service_certificate=False)
 env = undercloud._generate_environment('.')
 # Spot check one service
- self.assertEqual('https://192.168.24.2:13000',
+ self.assertEqual('http://192.168.24.1:5000',
 env['UNDERCLOUD_ENDPOINT_KEYSTONE_PUBLIC'])
- self.assertEqual('http://192.168.24.3:5000',
+ self.assertEqual('http://192.168.24.1:5000',
 env['UNDERCLOUD_ENDPOINT_KEYSTONE_INTERNAL'])
- self.assertEqual('http://192.168.24.3:35357',
+ self.assertEqual('http://192.168.24.1:35357',
 env['UNDERCLOUD_ENDPOINT_KEYSTONE_ADMIN'])
 # Also check that the tenant id part is preserved
- self.assertEqual('https://192.168.24.2:13808/v1/AUTH_%(tenant_id)s',
+ self.assertEqual('http://192.168.24.1:8080/v1/AUTH_%(tenant_id)s',
 env['UNDERCLOUD_ENDPOINT_SWIFT_PUBLIC'])
 
 def test_absolute_cert_path(self):
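Review bot: Neither hunk pins which certificate wins when a deployer has set `undercloud_service_certificate` and left `generate_service_certificate` at its new default of True, which after this change is the configuration every existing manual-TLS deployment ends up in. `test_generate_endpoints_ssl_manual` (its header is in the first hunk, its assertions open the second, so its body is only partly visible) may or may not set `generate_service_certificate=False`; if it does not, it now silently exercises the generated-certificate path rather than the manual one, and if it does, the manual-plus-default combination is untested either way. Add a test such as `self.conf.config(undercloud_service_certificate='/tmp/manual.pem')` with the option left at its default and assert the value of `env['UNDERCLOUD_SERVICE_CERTIFICATE']` that the maintainers intend, so the precedence is a documented contract and not an accident of the default flip. Renaming `ssl_auto` to `ssl_off` is fine, but a comment on `test_generate_endpoints_ssl_off` noting that the unconfigured case is now covered by the default test above would help the next reader.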
@@ -650,6 +650,12 @@ class TestGenerateEnvironment(BaseTestCase):
 os.chdir(cur_dir)
 
 def test_no_cert_path(self):
+ env = undercloud._generate_environment('.')
+ self.assertEqual('/etc/pki/tls/certs/undercloud-192.168.24.2.pem',
+ env['UNDERCLOUD_SERVICE_CERTIFICATE'])
+
+ def test_no_ssl(self):
+ self.conf.config(generate_service_certificate=False)
 env = undercloud._generate_environment('.')
 self.assertEqual('', env['UNDERCLOUD_SERVICE_CERTIFICATE'])
diff --git a/instack_undercloud/undercloud.py b/instack_undercloud/undercloud.py
index b3f7aab20..4059b211a 100644
--- a/instack_undercloud/undercloud.py
+++ b/instack_undercloud/undercloud.py
@@ -210,7 +210,7 @@ _opts = [
 'OpenStack API endpoints, leaving it unset disables SSL.')
 ),
 cfg.BoolOpt('generate_service_certificate',
- default=False,
+ default=True,
 help=('When set to True, an SSL certificate will be generated '
 'as part of the undercloud install and this certificate '
 'will be used in place of the value for '
diff --git a/releasenotes/notes/TLS-by-default-bc12660c12ba7ab1.yaml b/releasenotes/notes/TLS-by-default-bc12660c12ba7ab1.yaml
new file mode 100644
index 000000000..19ff88828
--- /dev/null
+++ b/releasenotes/notes/TLS-by-default-bc12660c12ba7ab1.yaml
@@ -0,0 +1,5 @@
+---
+security:
+ - |
+ TLS is now used by default for the public endpoints. This is done through
+ the generate_service_certificates option, which now defaults to 'True'.
diff --git a/undercloud.conf.sample b/undercloud.conf.sample
index d3dea9a5f..78a3aae72 100644
--- a/undercloud.conf.sample
+++ b/undercloud.conf.sample
@@ -81,7 +81,7 @@
 # /etc/pki/tls/certs/undercloud-[undercloud_public_host].pem. This
 # certificate is signed by CA selected by the
 # "certificate_generation_ca" option. (boolean value)
-#generate_service_certificate = false
+#generate_service_certificate = true
 
 # The certmonger nickname of the CA from which the certificate will be
 # requested. This is used only if the generate_service_certificate
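Review bot: With `default=True` a generated certificate now overrides a deployer-supplied one unless the deployer opts out, because this option's own help text (the hunk's last three lines) says the generated certificate `'will be used in place of the value for '` `undercloud_service_certificate`; an existing deployment that configured its own certificate and never touched this option will have it replaced on the next install run. Unless that is intended, either make the generated default apply only when `undercloud_service_certificate` is unset, or state the precedence explicitly in both help texts and the release note. The first context line, `'OpenStack API endpoints, leaving it unset disables SSL.'`, is also stale now that leaving that option unset no longer disables SSL; reword it to `'OpenStack API endpoints. SSL is disabled only if this is unset and generate_service_certificate is also False.'`. This is an upgrade-visible change too: the stackrc test in this commit now expects an https `OS_AUTH_URL`, so clients and nodes that talk to the public endpoints must trust the CA selected by `certificate_generation_ca`, and the release note should say so rather than only that TLS is the new default. The `_opts` list starts and ends outside the hunk.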
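Review bot: The sample flips the default but the comment above `#generate_service_certificate = true` still describes certificate generation as something that happens "when set to True", so a deployer skimming the sample does not learn that disabling TLS is now the explicit action; add a line such as `# TLS is enabled by default; set this to false to serve the public endpoints over plain HTTP.` directly above the option. The release note added in this commit calls the option `generate_service_certificates` (plural), which matches neither this line nor the `cfg.BoolOpt` name in undercloud.py; it should read `generate_service_certificate`. If the sample's comment for `undercloud_service_certificate`, which precedes this hunk and is not visible here, still says that leaving it unset disables SSL, it needs the same correction.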