Merge "Use correct endpoint scheme for api to registry connection"
commit
4024cbc13e
|
@ -156,7 +156,11 @@ TODO: Add DB2 support on other platforms
|
|||
SSL attributes
|
||||
---------------
|
||||
|
||||
* `openstack['image']['ssl']['enabled']` - Enable SSL for Glance API and registry endpoints. NOTE: Once enabled, Glance service endpoint must be configured to use https on Keystone. Default is false.
|
||||
Once SSL is enabled, endpoints attributes in Common need to updated to specify the https protocol.
|
||||
|
||||
* `openstack['image']['ssl']['enabled']` - Enable SSL for Glance API and registry bind endpoints. Default is false.
|
||||
* `openstack['image']['ssl']['api']['enabled']` - Enable SSL for Glance API bind endpoint. Default is from ['image']['ssl']['enabled'].
|
||||
* `openstack['image']['ssl']['registry']['enabled']` - Enable SSL for Glance Registry bind endpoint. Default is from ['image']['ssl']['enabled'].
|
||||
* `openstack['image']['ssl']['basedir']` - Base directory for SSL certficate and key file.
|
||||
* `openstack['image']['ssl']['cert_file']` - Path of the cert file for SSL.
|
||||
* `openstack['image']['ssl']['key_file']` - Path of the keyfile for SSL.
|
||||
|
|
|
@ -28,9 +28,12 @@ default['openstack']['image']['custom_template_banner'] = '
|
|||
'
|
||||
|
||||
# SSL Options
|
||||
# Enable SSL for glance-api endpoint. NOTE: Once enabled, Glance service endpoint
|
||||
# must be set to https on Keystone
|
||||
# Enable SSL for glance api and registry bind endpoints.
|
||||
default['openstack']['image']['ssl']['enabled'] = false
|
||||
# Enable SSL for glance api bind endpoint.
|
||||
default['openstack']['image']['ssl']['api']['enabled'] = node['openstack']['image']['ssl']['enabled']
|
||||
# Enable SSL for glance registry bind endpoint.
|
||||
default['openstack']['image']['ssl']['registry']['enabled'] = node['openstack']['image']['ssl']['enabled']
|
||||
# Base directory for SSL certficate and key
|
||||
default['openstack']['image']['ssl']['basedir'] = '/etc/glance/ssl'
|
||||
# Path of the cert file for SSL.
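Review bot: The two per-service defaults are copied from `node['openstack']['image']['ssl']['enabled']` once, when this attributes file is loaded. A value for `ssl.enabled` that is set afterwards (for example in a wrapper cookbook's attributes file that loads later) would not reach `['ssl']['api']['enabled']` or `['ssl']['registry']['enabled']`. The templates in this commit appear to test the per-service keys, so in that case the bind endpoints would stay without TLS while the operator believes SSL is on. I would document this above the two assignments, e.g. `# Copied at load time: set ['ssl']['api']['enabled'] and ['ssl']['registry']['enabled'] directly if ['ssl']['enabled'] is overridden after this file is loaded`.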
|
||||
|
|
|
@ -169,6 +169,7 @@ template '/etc/glance/glance-api.conf' do
|
|||
api_bind_port: api_bind.port,
|
||||
registry_ip_address: registry_endpoint.host,
|
||||
registry_port: registry_endpoint.port,
|
||||
registry_scheme: registry_endpoint.scheme,
|
||||
sql_connection: sql_connection,
|
||||
glance_flavor: glance_flavor,
|
||||
auth_uri: auth_uri,
|
||||
|
|
|
@ -100,7 +100,15 @@ describe 'openstack-image::api' do
|
|||
key_file: '/etc/glance/ssl/private/sslkey.pem'
|
||||
}
|
||||
|
||||
it 'configures SSL cert and key file' do
|
||||
it 'configures SSL cert and key file when api is enabled for ssl' do
|
||||
node.set['openstack']['image']['ssl']['api']['enabled'] = true
|
||||
default_opts.each do |key, val|
|
||||
r = line_regexp("#{key} = #{val}")
|
||||
expect(chef_run).to render_config_file(file.name).with_section_content('DEFAULT', r)
|
||||
end
|
||||
end
|
||||
|
||||
it 'configures SSL cert and key file when glance is enabled ssl' do
|
||||
node.set['openstack']['image']['ssl']['enabled'] = true
|
||||
default_opts.each do |key, val|
|
||||
r = line_regexp("#{key} = #{val}")
|
||||
|
@ -124,14 +132,13 @@ describe 'openstack-image::api' do
|
|||
|
||||
context 'glance-registry configuration with ssl enabled' do
|
||||
it 'sets registry client protocol to https' do
|
||||
node.set['openstack']['image']['ssl']['enabled'] = true
|
||||
node.set['openstack']['endpoints']['image-registry']['scheme'] = 'https'
|
||||
expect(chef_run).to render_config_file(file.name).with_section_content('DEFAULT', /^registry_client_protocol = https$/)
|
||||
end
|
||||
|
||||
# if cert required then certfile
|
||||
context 'glance-registry with cert required' do
|
||||
it 'configures CA cert file' do
|
||||
node.set['openstack']['image']['ssl']['enabled'] = true
|
||||
node.set['openstack']['endpoints']['image-registry']['scheme'] = 'https'
|
||||
node.set['openstack']['image']['ssl']['cert_required'] = true
|
||||
node.set['openstack']['image']['registry']['auth']['cafile'] = '/etc/glance/ssl/certs/sslca.pem'
|
||||
r = line_regexp('registry_client_ca_file = /etc/glance/ssl/certs/sslca.pem')
|
||||
|
@ -139,9 +146,34 @@ describe 'openstack-image::api' do
|
|||
end
|
||||
end
|
||||
|
||||
context 'glance-registry key and cert files' do
|
||||
default_opts = {
|
||||
registry_client_cert_file: '/etc/glance/ssl/certs/sslcert.pem',
|
||||
registry_client_key_file: '/etc/glance/ssl/private/sslkey.pem'
|
||||
}
|
||||
|
||||
it 'configures registry client key and cert files' do
|
||||
node.set['openstack']['endpoints']['image-registry']['scheme'] = 'https'
|
||||
default_opts.each do |key, val|
|
||||
r = line_regexp("#{key} = #{val}")
|
||||
expect(chef_run).to render_config_file(file.name).with_section_content('DEFAULT', r)
|
||||
end
|
||||
end
|
||||
|
||||
it 'does not configure registry client key and cert files when nil or empty' do
|
||||
node.set['openstack']['endpoints']['image-registry']['scheme'] = 'https'
|
||||
node.set['openstack']['openstack']['image']['ssl']['cert_file'] = nil
|
||||
node.set['openstack']['openstack']['image']['ssl']['key_file'] = ''
|
||||
default_opts.each do |key|
|
||||
r = line_regexp("#{key} =")
|
||||
expect(chef_run).not_to render_config_file(file.name).with_section_content('DEFAULT', r)
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
context 'glance-registry with cert not required' do
|
||||
it 'does not configure CA cert file' do
|
||||
node.set['openstack']['image']['ssl']['enabled'] = true
|
||||
node.set['openstack']['endpoints']['image-registry']['scheme'] = 'https'
|
||||
node.set['openstack']['image']['ssl']['cert_required'] = false
|
||||
node.set['openstack']['image']['registry']['auth']['cafile'] = '/etc/glance/ssl/certs/sslca.pem'
|
||||
r = line_regexp('registry_client_ca_file = /etc/glance/ssl/certs/sslca.pem')
|
||||
|
@ -151,7 +183,7 @@ describe 'openstack-image::api' do
|
|||
|
||||
context 'glance-registry with certificate validation enabled' do
|
||||
it 'enables SSL in insecure mode' do
|
||||
node.set['openstack']['image']['ssl']['enabled'] = true
|
||||
node.set['openstack']['endpoints']['image-registry']['scheme'] = 'https'
|
||||
node.set['openstack']['image']['registry']['auth']['insecure'] = false
|
||||
r = line_regexp('registry_client_insecure = false')
|
||||
expect(chef_run).to render_config_file(file.name).with_section_content('DEFAULT', r)
|
||||
|
@ -160,7 +192,7 @@ describe 'openstack-image::api' do
|
|||
|
||||
context 'glance-registry with certificate validation disabled' do
|
||||
it 'enables SSL in secure mode' do
|
||||
node.set['openstack']['image']['ssl']['enabled'] = true
|
||||
node.set['openstack']['endpoints']['image-registry']['scheme'] = 'https'
|
||||
node.set['openstack']['image']['registry']['auth']['insecure'] = true
|
||||
r = line_regexp('registry_client_insecure = true')
|
||||
expect(chef_run).to render_config_file(file.name).with_section_content('DEFAULT', r)
|
||||
|
@ -170,7 +202,6 @@ describe 'openstack-image::api' do
|
|||
|
||||
context 'glance-registry configuration with ssl disabled' do
|
||||
it 'sets registry client protocol to http' do
|
||||
node.set['openstack']['image']['ssl']['enabled'] = false
|
||||
expect(chef_run).to render_config_file(file.name).with_section_content('DEFAULT', /^registry_client_protocol = http$/)
|
||||
end
|
||||
end
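Review bot: The example 'does not configure registry client key and cert files when nil or empty' (hunk at -139,9 +146,34) does not exercise the branch it names and probably passes vacuously. It sets `node.set['openstack']['openstack']['image']['ssl']['cert_file']` and `...['key_file']` with a doubled `['openstack']` key, while the template reads `node['openstack']['image']['ssl'][...]`, so the values under test are never changed. In addition, `default_opts.each do |key|` on a Hash yields a `[key, value]` pair, so `"#{key} ="` interpolates the whole pair and the pattern is unlikely to match any rendered line, assuming `line_regexp` (not visible here) anchors the literal text. I would change the setters to `node.set['openstack']['image']['ssl']['cert_file'] = nil` and `node.set['openstack']['image']['ssl']['key_file'] = ''`, and iterate with `default_opts.each_key do |key|`.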
|
||||
|
|
|
@ -218,16 +218,25 @@ describe 'openstack-image::registry' do
|
|||
}
|
||||
cert = { 'ca_file' => '/etc/glance/ssl/certs/sslca.pem' }
|
||||
|
||||
it 'configures SSL cert and key file' do
|
||||
it 'configures SSL cert and key file when api is enabled for ssl' do
|
||||
node.set['openstack']['image']['ssl']['registry']['enabled'] = true
|
||||
default_opts.each do |key, val|
|
||||
r = line_regexp("#{key} = #{val}")
|
||||
expect(chef_run).to render_config_file(file.name).with_section_content('DEFAULT', r)
|
||||
end
|
||||
end
|
||||
|
||||
it 'configures SSL cert and key file when glance is enabled ssl' do
|
||||
node.set['openstack']['image']['ssl']['enabled'] = true
|
||||
default_opts.each do |key, val|
|
||||
r = line_regexp("#{key} = #{val}")
|
||||
expect(chef_run).to render_config_file(file.name).with_section_content('DEFAULT', r)
|
||||
end
|
||||
end
|
||||
|
||||
context 'with cert required' do
|
||||
it 'configures CA cert ' do
|
||||
node.set['openstack']['image']['ssl']['enabled'] = true
|
||||
node.set['openstack']['image']['ssl']['registry']['enabled'] = true
|
||||
node.set['openstack']['image']['ssl']['cert_required'] = true
|
||||
r = line_regexp("ca_file = #{cert['ca_file']}")
|
||||
expect(chef_run).to render_config_file(file.name).with_section_content('DEFAULT', r)
|
||||
|
@ -236,7 +245,7 @@ describe 'openstack-image::registry' do
|
|||
|
||||
context 'with cert not required' do
|
||||
it 'configures CA cert ' do
|
||||
node.set['openstack']['image']['ssl']['enabled'] = true
|
||||
node.set['openstack']['image']['ssl']['registry']['enabled'] = true
|
||||
node.set['openstack']['image']['ssl']['cert_required'] = false
|
||||
r = line_regexp("ca_file = #{cert['ca_file']}")
|
||||
expect(chef_run).not_to render_config_file(file.name).with_section_content('DEFAULT', r)
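Review bot: The first example in this section is titled 'configures SSL cert and key file when api is enabled for ssl', but this is the registry spec and the example sets `['ssl']['registry']['enabled']`, so the title looks copied from the api spec. I would rename it to `it 'configures SSL cert and key file when registry is enabled for ssl' do`. In the same section the 'with cert not required' example is titled 'configures CA cert ' although it asserts `not_to render_config_file`; `it 'does not configure CA cert' do` would match the assertion. The enclosing `describe` block starts and ends outside the visible hunks.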
|
||||
|
|
|
@ -126,12 +126,11 @@ log_config = /etc/openstack/logging.conf
|
|||
log_file = /var/log/glance/api.log
|
||||
<% end %>
|
||||
|
||||
|
||||
# ================= SSL Options ===============================
|
||||
|
||||
# Certificate file to use when starting API server securely
|
||||
<% if node['openstack']['image']['ssl']['api']['enabled'] -%>
|
||||
|
||||
<% if node['openstack']['image']['ssl']['enabled'] -%>
|
||||
# Certificate file to use when starting API server securely
|
||||
cert_file = <%= node['openstack']['image']['ssl']['cert_file'] %>
|
||||
|
||||
# Private key file to use when starting API server securely
|
||||
|
@ -160,35 +159,35 @@ registry_host = <%= @registry_ip_address %>
|
|||
registry_port = <%= @registry_port %>
|
||||
|
||||
# What protocol to use when connecting to the registry server?
|
||||
registry_client_protocol = <%= @registry_scheme %>
|
||||
|
||||
<% if node['openstack']['image']['ssl']['enabled'] -%>
|
||||
# Set to https for secure HTTP communication
|
||||
registry_client_protocol = https
|
||||
|
||||
<% if @registry_scheme == 'https' -%>
|
||||
<% unless node["openstack"]["image"]['ssl']['key_file'].to_s.empty? -%>
|
||||
# The path to the key file to use in SSL connections to the
|
||||
# registry server, if any. Alternately, you may set the
|
||||
# GLANCE_CLIENT_KEY_FILE environ variable to a filepath of the key file
|
||||
registry_client_key_file = <%= node['openstack']['image']['ssl']['key_file'] %>
|
||||
<% end -%>
|
||||
|
||||
<% unless node["openstack"]["image"]['ssl']['cert_file'].to_s.empty? -%>
|
||||
# The path to the cert file to use in SSL connections to the
|
||||
# registry server, if any. Alternately, you may set the
|
||||
# GLANCE_CLIENT_CERT_FILE environ variable to a filepath of the cert file
|
||||
registry_client_cert_file = <%= node['openstack']['image']['ssl']['cert_file'] %>
|
||||
<% if node['openstack']['image']['ssl']['cert_required'] %>
|
||||
<% end -%>
|
||||
|
||||
<% if node['openstack']['image']['ssl']['cert_required'] -%>
|
||||
# The path to the certifying authority cert file to use in SSL connections
|
||||
# to the registry server, if any. Alternately, you may set the
|
||||
# GLANCE_CLIENT_CA_FILE environ variable to a filepath of the CA cert file
|
||||
registry_client_ca_file = <%= node['openstack']['image']['registry']['auth']['cafile'] %>
|
||||
|
||||
<% end %>
|
||||
<% end -%>
|
||||
|
||||
# When using SSL in connections to the registry server, do not require
|
||||
# validation via a certifying authority. This is the registry's equivalent of
|
||||
# specifying --insecure on the command line using glanceclient for the API
|
||||
# Default: False
|
||||
registry_client_insecure = <%= node['openstack']['image']['registry']['auth']['insecure'] %>
|
||||
<% else -%>
|
||||
registry_client_protocol = http
|
||||
<% end -%>
|
||||
|
||||
# The period of time, in seconds, that the API server will wait for a registry
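Review bot: In the registry client block (hunk at -160,35 +159,35), `registry_client_ca_file` is written only when `node['openstack']['image']['ssl']['cert_required']` is set, although the block is now keyed on `@registry_scheme == 'https'`. With an https registry endpoint and `cert_required` false no CA file is rendered, so verification of the registry's certificate depends on whatever trust store the client falls back to and on `registry_client_insecure`. I would gate the CA line on the cafile attribute itself, as the key and cert lines are gated: `<% unless node['openstack']['image']['registry']['auth']['cafile'].to_s.empty? -%>`. The api spec example 'does not configure CA cert file' would need to follow that change.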
|
||||
|
|
|
@ -85,7 +85,8 @@ log_file = /var/log/glance/registry.log
|
|||
|
||||
# ================= SSL Options ===============================
|
||||
|
||||
<% if node['openstack']['image']['ssl']['enabled'] -%>
|
||||
<% if node['openstack']['image']['ssl']['registry']['enabled'] -%>
|
||||
|
||||
# Certificate file to use when starting registry server securely
|
||||
cert_file = <%= node['openstack']['image']['ssl']['cert_file'] %>
|
||||
|
||||
|
|