From b368e4833eb986df3a1e89467b88078365454cda Mon Sep 17 00:00:00 2001
From: Sergey Kraynev
Date: Mon, 30 Jan 2017 09:16:15 +0000
Subject: [PATCH] TLS support for Glance services
List of changes in the current patch:
- Add files for certificates
- Updated configuration files for services to use mapped ports and 'https' url scheme. Also ca_cert was provided for keystonemiddleware.
- Updated bootstrap script to use 'https' scheme with insecure flag, when it create image in glance.
- Update jobs for creation endpoints, now address function use 'tls' parameter.
- Add files for nginx configurations.
Change-Id: I7d34e18bf41308700f5f7d7a605cb372636fc412
---
 service/files/ca-cert.pem.j2 | 1 +
 service/files/defaults.yaml | 2 ++
 service/files/glance-api.conf.j2 | 6 ++++
 .../files/glance-cirros-image-upload.sh.j2 | 3 +-
 service/files/glance-registry.conf.j2 | 4 +++
 service/files/nginx-api.conf.j2 | 11 ++++++
 service/files/nginx-registry.conf.j2 | 11 ++++++
 service/files/server-cert.pem.j2 | 1 +
 service/files/server-key.pem.j2 | 1 +
 service/files/upstreams.conf.j2 | 6 ++++
 service/glance-api.yaml | 35 +++++++++++++++++++
 service/glance-registry.yaml | 35 +++++++++++++++++++
 12 files changed, 115 insertions(+), 1 deletion(-)
 create mode 100644 service/files/ca-cert.pem.j2
 create mode 100644 service/files/nginx-api.conf.j2
 create mode 100644 service/files/nginx-registry.conf.j2
 create mode 100644 service/files/server-cert.pem.j2
 create mode 100644 service/files/server-key.pem.j2
 create mode 100644 service/files/upstreams.conf.j2
diff --git a/service/files/ca-cert.pem.j2 b/service/files/ca-cert.pem.j2
new file mode 100644
index 0000000..d52069b
--- /dev/null
+++ b/service/files/ca-cert.pem.j2
@@ -0,0 +1 @@
+{{ security.tls.ca_cert }}
diff --git a/service/files/defaults.yaml b/service/files/defaults.yaml
index 5ba7e52..ed13d64 100644
--- a/service/files/defaults.yaml
+++ b/service/files/defaults.yaml
@@ -1,5 +1,7 @@ configs: glance: + tls: + enabled: true api_port: cont: 9292 ingress: image diff --git a/service/files/glance-api.conf.j2 b/service/files/glance-api.conf.j2 index f5ecd28..4542c40 100644 --- a/service/files/glance-api.conf.j2 +++ b/service/files/glance-api.conf.j2 @@ -5,7 +5,13 @@ use_syslog = false use_stderr = true use_forwarded_for = true +{% if glance.tls.enabled %} +registry_client_protocol = https +registry_client_ca_file = /opt/ccp/etc/tls/ca.pem +bind_host = 127.0.0.1 +{% else %} bind_host = {{ network_topology["private"]["address"] }} +{% endif %} bind_port = {{ glance.api_port.cont }} registry_host = glance-registry diff --git a/service/files/glance-cirros-image-upload.sh.j2 b/service/files/glance-cirros-image-upload.sh.j2 index b3a5610..d195a69 100644 --- a/service/files/glance-cirros-image-upload.sh.j2 +++ b/service/files/glance-cirros-image-upload.sh.j2 @@ -8,7 +8,8 @@ export OS_USER_DOMAIN_NAME=default export OS_PASSWORD={{ openstack.user_password }} export OS_USERNAME={{ openstack.user_name }} export OS_PROJECT_NAME={{ openstack.project_name }} -export OS_AUTH_URL="http://{{ address('keystone', keystone.admin_port) }}/v3" +export OS_AUTH_URL="{{ address('keystone', keystone.admin_port, with_scheme=True) }}/v3" +export OS_CACERT="/opt/ccp/etc/tls/ca.pem" {% set image = glance.bootstrap.image %} FILE="$(mktemp)" diff --git a/service/files/glance-registry.conf.j2 b/service/files/glance-registry.conf.j2 index 92104cd..3b4a705 100644 --- a/service/files/glance-registry.conf.j2 +++ b/service/files/glance-registry.conf.j2 @@ -5,7 +5,11 @@ use_syslog = false use_stderr = true use_forwarded_for = true +{% if glance.tls.enabled %} +bind_host = 127.0.0.1 +{% else %} bind_host = {{ network_topology["private"]["address"] }} +{% endif %} bind_port = {{ glance.registry_port.cont }} [database] diff --git a/service/files/nginx-api.conf.j2 b/service/files/nginx-api.conf.j2 new file mode 100644 index 0000000..0ab1b28 --- /dev/null 
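Review bot: In the TLS branch of glance-api.conf.j2, `registry_client_protocol = https` together with `registry_client_ca_file = /opt/ccp/etc/tls/ca.pem` makes the API validate the registry's certificate against `ca.pem`, so the certificate rendered from `security.tls.server_cert` has to be issued under that CA and, depending on whether the registry client enforces hostname matching, should also cover the `glance-registry` name used by the `registry_host` context line below; a comment such as `# server cert must chain to ca.pem and cover the 'glance-registry' name` next to these settings would make that dependency visible. The commit message says a CA cert was also provided for keystonemiddleware, but no `[keystone_authtoken]` change appears in this hunk; if that section lives further down the template (outside the hunk) it should gain the matching `cafile = /opt/ccp/etc/tls/ca.pem`, otherwise token validation against an https keystone will fail verification. Binding to `127.0.0.1` also means the existing `use_forwarded_for = true` now only ever sees headers written by the local nginx, which is the intended trust boundary provided `common/proxy-headers.conf` (not part of this patch) sets `X-Forwarded-For` from the real connection rather than passing a client-supplied value through.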
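Review bot: `export OS_CACERT="/opt/ccp/etc/tls/ca.pem"` in glance-cirros-image-upload.sh.j2 is unconditional while every other TLS change in the patch is gated on `glance.tls.enabled`, and the `ca_cert` file entry that provides that path is itself only rendered inside the `{% if glance.tls.enabled %}` block of glance-api.yaml; with TLS disabled the variable points at a file that does not exist, which is harmless for an http endpoint but inconsistent, so wrapping the line in the same `{% if glance.tls.enabled %} ... {% endif %}` guard would keep the templates aligned. The commit message describes the bootstrap script as using https "with insecure flag", but this hunk relies on CA verification through `OS_CACERT`; if an `--insecure` option survives in the part of the script outside this hunk it would bypass that verification and should be removed now that the CA is available. The rest of the script, including the `glance`/`openstack` invocation that consumes these variables, is outside the hunk.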
+++ b/service/files/nginx-api.conf.j2
@@ -0,0 +1,11 @@
+server {
+ listen {{ network_topology["private"]["address"] }}:{{ glance.api_port.cont }} ssl;
+ include common/ssl.conf;
+ # allows to upload images without being cut off at some low size
+ client_max_body_size 0;
+
+ location / {
+ proxy_pass http://glance_api;
+ include common/proxy-headers.conf;
+ }
+}
diff --git a/service/files/nginx-registry.conf.j2 b/service/files/nginx-registry.conf.j2
new file mode 100644
index 0000000..7fe1a77
--- /dev/null
+++ b/service/files/nginx-registry.conf.j2
@@ -0,0 +1,11 @@
+server {
+ listen {{ network_topology["private"]["address"] }}:{{ glance.registry_port.cont }} ssl;
+ include common/ssl.conf;
+ # allows to upload images without being cut off at some low size
+ client_max_body_size 0;
+
+ location / {
+ proxy_pass http://glance_registry;
+ include common/proxy-headers.conf;
+ }
+}
diff --git a/service/files/server-cert.pem.j2 b/service/files/server-cert.pem.j2
new file mode 100644
index 0000000..8abc152
--- /dev/null
+++ b/service/files/server-cert.pem.j2
@@ -0,0 +1 @@
+{{ security.tls.server_cert }}
diff --git a/service/files/server-key.pem.j2 b/service/files/server-key.pem.j2
new file mode 100644
index 0000000..70cf751
--- /dev/null
+++ b/service/files/server-key.pem.j2
@@ -0,0 +1 @@
+{{ security.tls.server_key }}
diff --git a/service/files/upstreams.conf.j2 b/service/files/upstreams.conf.j2
new file mode 100644
index 0000000..716a515
--- /dev/null
+++ b/service/files/upstreams.conf.j2
@@ -0,0 +1,6 @@
+upstream glance_api {
+ server 127.0.0.1:{{ glance.api_port.cont }};
+}
+upstream glance_registry {
+ server 127.0.0.1:{{ glance.registry_port.cont }};
+}
diff --git a/service/glance-api.yaml b/service/glance-api.yaml
index adf6a39..c3a13cf 100644
--- a/service/glance-api.yaml
+++ b/service/glance-api.yaml
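Review bot: `client_max_body_size 0;` in nginx-api.conf.j2 removes nginx's default 1 MB request-body limit, which image uploads need, but with default request buffering nginx still spools each upload body to a temporary file before it opens the connection to `glance_api`, so a multi-gigabyte image is written to the nginx container's disk first and the upstream only sees it once buffering completes; adding `proxy_request_buffering off;` inside `location /` streams the body through instead. The comment would be clearer if it stated the constraint it lifts, e.g. `# image uploads can be several GB; lift nginx's default 1m body limit`. The same two points apply to the identical block in nginx-registry.conf.j2 in the next hunk, where an unlimited body size is likely unnecessary at all, since the registry API carries image metadata rather than image data. Protocol and cipher policy live in `common/ssl.conf`, which is not part of this patch and so cannot be reviewed here.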
@@ -61,6 +61,9 @@ service: daemon: files: - glance-api + # {% if glance.tls.enabled %} + - ca_cert + # {% endif %} # {% if glance.ceph.enable %} - ceph-conf - glance-ceph-key @@ -79,6 +82,17 @@ service: files: - glance-cirros-image-upload.sh # {% endif %} + # {% if glance.tls.enabled %} + - name: nginx-glance-api + image: nginx + daemon: + files: + - upstreams + - servers + - server-cert + - server-key + command: nginx + # {% endif %} files: glance-api: @@ -97,3 +111,24 @@ files: path: /opt/ccp/bin/glance-cirros-image-upload.sh content: glance-cirros-image-upload.sh.j2 perm: "500" + # {% if glance.tls.enabled %} + servers: + path: /etc/nginx/conf.d/servers.conf + content: nginx-api.conf.j2 + perm: "0400" + upstreams: + path: /etc/nginx/conf.d/upstreams.conf + content: upstreams.conf.j2 + perm: "0400" + ca_cert: + path: /opt/ccp/etc/tls/ca.pem + content: ca-cert.pem.j2 + server-cert: + path: /opt/ccp/etc/tls/server-cert.pem + content: server-cert.pem.j2 + perm: "0400" + server-key: + path: /opt/ccp/etc/tls/server-key.pem + content: server-key.pem.j2 + perm: "0400" + # {% endif %} diff --git a/service/glance-registry.yaml b/service/glance-registry.yaml index cf68b93..d0a6d87 100644 --- a/service/glance-registry.yaml +++ b/service/glance-registry.yaml 
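Review bot: In the `@@ -79,6 +82,17 @@` hunk of glance-api.yaml, the `files:` list that appears to belong to the bootstrap job still mounts only `glance-cirros-image-upload.sh`, yet that script (earlier in this patch) now exports `OS_CACERT=/opt/ccp/etc/tls/ca.pem`; unless the job inherits `ca_cert` somewhere outside this hunk, the path will not exist in the job container and the https call to keystone will fail certificate verification. Adding `- ca_cert` under the job's `files:` inside the same `# {% if glance.tls.enabled %}` guard used for the daemon would fix it. The enclosing job definition starts above the hunk, so its other fields could not be checked.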
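Review bot: In the `@@ -97,3 +111,24 @@` hunk of glance-api.yaml, `ca_cert` is the only TLS file entry without a `perm:` while `servers`, `upstreams`, `server-cert` and `server-key` all set `"0400"`; the CA certificate is not secret, but an explicit value such as `perm: "0444"` keeps the block self-consistent and documents that the looser mode is deliberate, and the same omission is repeated in glance-registry.yaml. Keeping `server-key` at `"0400"` and mounting it only into the nginx container, not into the glance-api container, is the right split and worth preserving if the block is later refactored. Apart from the `servers` template name, this 21-line TLS `files:` block is duplicated verbatim between the two service definitions, so a shared snippet would reduce the chance of the two drifting.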
@@ -13,11 +13,46 @@ service: daemon: files: - glance-registry-conf + # {% if glance.tls.enabled %} + - ca_cert + # {% endif %} dependencies: - glance-api command: glance-registry + # {% if glance.tls.enabled %} + - name: nginx-glance-registry + image: nginx + daemon: + files: + - upstreams + - servers + - server-cert + - server-key + command: nginx + # {% endif %} files: glance-registry-conf: path: /etc/glance/glance-registry.conf content: glance-registry.conf.j2 + # {% if glance.tls.enabled %} + servers: + path: /etc/nginx/conf.d/servers.conf + content: nginx-registry.conf.j2 + perm: "0400" + upstreams: + path: /etc/nginx/conf.d/upstreams.conf + content: upstreams.conf.j2 + perm: "0400" + ca_cert: + path: /opt/ccp/etc/tls/ca.pem + content: ca-cert.pem.j2 + server-cert: + path: /opt/ccp/etc/tls/server-cert.pem + content: server-cert.pem.j2 + perm: "0400" + server-key: + path: /opt/ccp/etc/tls/server-key.pem + content: server-key.pem.j2 + perm: "0400" + # {% endif %}
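Review bot: The `nginx-glance-registry` container in glance-registry.yaml renders the shared `upstreams.conf.j2`, so this pod also gets an `upstream glance_api { server 127.0.0.1:{{ glance.api_port.cont }}; }` block that nothing in `nginx-registry.conf.j2` references and that presumably points at a port no container in this pod listens on; nginx tolerates an unused upstream, but it suggests the upstreams template should be split or parameterised per service rather than shared, e.g. by rendering only the `glance_registry` upstream here. A short comment on the `upstreams` entry, `# shared template; only the glance_registry upstream is used by this pod`, would at least make the extra block intentional.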