authorSergey Kraynev <skraynev@mirantis.com>2017-03-03 07:01:03 +0000
committerPeter Razumovsky <prazumovsky@mirantis.com>2017-03-21 09:22:36 +0000
commit89ad4dd4f039dad22915e7027af94403a1835073 (patch)
treee52d5bdeb1ce14a64f1deed45b652d7700a16cf7
parent822cb58246042dbb9054468d593dc7f34076985e (diff)
Implement TLS support for DesignateHEADmaster
- Add certificates - Add new nginx container for terminating SSL - Add config options for binding the service to localhost when SSL is enabled. Co-authored-by: Peter Razumovsky <prazumovsky@mirantis.com> Change-Id: I5ab74606d8d2004b52d9d1061bf4fb7d9896de0a
Notes
Notes (review): Code-Review+1: Sergey Kraynev <sergejyit@gmail.com> Code-Review+2: Andrey Pavlov <apavlov@mirantis.com> Code-Review+2: Proskurin Kirill <kproskurin@mirantis.com> Workflow+1: Proskurin Kirill <kproskurin@mirantis.com> Verified+2: Jenkins Submitted-by: Jenkins Submitted-at: Tue, 21 Mar 2017 10:44:54 +0000 Reviewed-on: https://review.openstack.org/440954 Project: openstack/fuel-ccp-designate Branch: refs/heads/master
-rw-r--r--service/designate-api.yaml29
-rw-r--r--service/files/defaults.yaml2
-rw-r--r--service/files/designate.conf.j212
-rw-r--r--service/files/nginx-api.conf.j29
-rw-r--r--service/files/server-cert.pem.j21
-rw-r--r--service/files/server-key.pem.j21
-rw-r--r--service/files/upstreams.conf.j23
7 files changed, 56 insertions, 1 deletions
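--- a/service/designate-api.yaml
+++ b/service/designate-api.yaml
@@ -62,6 +62,17 @@ service:
  - designate-conf
  - api-paste
  command: designate-api --config-file /etc/designate/designate.conf
+ # {% if designate.tls.enabled %}
+ - name: nginx-designate-api
+ image: nginx
+ daemon:
+ files:
+ - upstreams
+ - servers
+ - server-cert
+ - server-key
+ command: nginx
+ # {% endif %}
 
 files:
  designate-conf:
@@ -70,3 +81,21 @@ files:
  api-paste:
  path: /etc/designate/api-paste.ini
  content: api-paste.ini.j2
+ # {% if designate.tls.enabled %}
+ servers:
+ path: /etc/nginx/conf.d/servers.conf
+ content: nginx-api.conf.j2
+ perm: "0400"
+ upstreams:
+ path: /etc/nginx/conf.d/upstreams.conf
+ content: upstreams.conf.j2
+ perm: "0400"
+ server-cert:
+ path: /opt/ccp/etc/tls/server-cert.pem
+ content: server-cert.pem.j2
+ perm: "0400"
+ server-key:
+ path: /opt/ccp/etc/tls/server-key.pem
+ content: server-key.pem.j2
+ perm: "0400"
+ # {% endif %}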
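Review bot: The TLS-gated nginx container and its four file entries carry no comment explaining the topology, and the bare `# {% if designate.tls.enabled %}` guards do not convey it; a one-line comment at the first guard, `# nginx terminates TLS on the pod address and forwards plaintext to designate-api on 127.0.0.1 (see upstreams.conf.j2)`, would document the intent for the next reader. The `server-key` entry is rendered with `perm: "0400"`, which is the right mode for private key material, and the cert and the two nginx confs use the same mode. Both the containers list and the `files:` map begin outside the hunk, so whether the designate-api container's own port declaration still exposes the plaintext listener outside the pod cannot be checked from here.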
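--- a/service/files/defaults.yaml
+++ b/service/files/defaults.yaml
@@ -1,5 +1,7 @@
 configs:
  designate:
+ tls:
+ enabled: true
  api_port:
  cont: 9001
  ingress: dns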
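Review bot: `enabled: true` as the shipped default means every deployment now renders `server-cert.pem.j2` and `server-key.pem.j2` from `security.tls.server_cert` and `security.tls.server_key` and adds the nginx container; if those values are not populated the templates render empty cert and key files, and nginx will presumably refuse to start rather than fall back to plaintext. That dependency is not visible from this file, so a comment beside the default, `# requires security.tls.server_cert/server_key; nginx fronts the API and designate-api binds to 127.0.0.1`, would make it explicit. Whether the framework validates the security.tls values before rendering is not shown in this commit.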
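--- a/service/files/designate.conf.j2
+++ b/service/files/designate.conf.j2
@@ -47,8 +47,13 @@ threads = {{ designate.service.central.threads }}
 [service:api]
 workers = {{ designate.service.api.workers }}
 threads = {{ designate.service.api.threads }}
+{% if designate.tls.enabled %}
+api_base_uri = {{ address('designate-api', designate.api_port, with_scheme=True) }}
+api_host = 127.0.0.1
+{% else %}
 api_base_uri = http://{{ network_topology["private"]["address"] }}:{{ designate.api_port.cont }}/
 api_host = {{ network_topology["private"]["address"] }}
+{% endif %}
 api_port = {{ designate.api_port.cont }}
 auth_strategy = keystone
 enable_api_v1 = True
@@ -56,7 +61,12 @@ enabled_extensions_v1 = diagnostics, quotas, reports, sync, touch
 enable_api_v2 = True
 enabled_extensions_v2 = quotas, reports
 enable_api_admin = True
-listen = {{ address("designate-api", designate.api_port) }}
+#listen = {{ network_topology["private"]["address"] }}:{{ designate.api_port.cont }}
+
+{% if designate.tls.enabled %}
+[network_api:neutron]
+ca_certificates_file = /opt/ccp/etc/tls/ca.pem
+{% endif %}
 
 #-------------
 # Sink Service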
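Review bot: `ca_certificates_file = /opt/ccp/etc/tls/ca.pem` is added under `[network_api:neutron]` only when `designate.tls.enabled` is set, yet no `ca.pem` is declared in the designate-api.yaml file list in this commit, and whether Designate verifies neutron's certificate is a separate question from whether Designate's own API terminates TLS; if the CA bundle is not shipped at that path by the framework, neutron calls will fail verification exactly when TLS is turned on. Consider decoupling the CA setting from the server-side guard, and add a comment naming where `ca.pem` is expected to come from. In the second hunk the `listen` line is replaced by a commented-out copy unconditionally; designate-api presumably falls back to `api_host`/`api_port` (127.0.0.1 behind nginx when TLS is on), so either drop the dead line or annotate it: `# listen is intentionally unset: designate-api binds api_host:api_port, which is 127.0.0.1 behind nginx when TLS is enabled`.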
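--- /dev/null
+++ b/service/files/nginx-api.conf.j2
@@ -0,0 +1,9 @@
+server {
+ listen {{ network_topology["private"]["address"] }}:{{ designate.api_port.cont }} ssl;
+ include common/ssl.conf;
+
+ location / {
+ proxy_pass http://designate_api;
+ include common/proxy-headers.conf;
+ }
+}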
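Review bot: The server block never names the certificate or key it serves; `ssl_certificate`/`ssl_certificate_key` presumably come from `common/ssl.conf`, which this commit does not touch, so a reader cannot confirm they point at the `/opt/ccp/etc/tls/server-cert.pem` and `server-key.pem` paths that designate-api.yaml writes. A comment on the include, `# ssl_certificate/key and protocol settings come from common/ssl.conf; paths must match files.server-cert/server-key in designate-api.yaml`, would tie the two files together. The upstream is reached over plain http on 127.0.0.1 inside the pod, which matches `api_host = 127.0.0.1` in designate.conf.j2; `common/proxy-headers.conf` is expected to pass the original scheme through so that Designate's self-links stay https, but that file is not shown here either.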
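--- /dev/null
+++ b/service/files/server-cert.pem.j2
@@ -0,0 +1 @@
+{{ security.tls.server_cert }}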
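--- /dev/null
+++ b/service/files/server-key.pem.j2
@@ -0,0 +1 @@
+{{ security.tls.server_key }}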
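--- /dev/null
+++ b/service/files/upstreams.conf.j2
@@ -0,0 +1,3 @@
+upstream designate_api {
+ server 127.0.0.1:{{ designate.api_port.cont }};
+}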