Implement TLS support for Designate

- Add certificates
- Add new nginx container for terminating ssl
- Add Config options for binding service to localhost, when SSL is
  enabled.

Co-authored-by: Peter Razumovsky <prazumovsky@mirantis.com>
Change-Id: I5ab74606d8d2004b52d9d1061bf4fb7d9896de0a
This commit is contained in:
Sergey Kraynev 2017-03-03 07:01:03 +00:00 committed by Peter Razumovsky
parent 822cb58246
commit 89ad4dd4f0
7 changed files with 56 additions and 1 deletions


@ -62,6 +62,17 @@ service:
- designate-conf
- api-paste
command: designate-api --config-file /etc/designate/designate.conf
# {% if designate.tls.enabled %}
- name: nginx-designate-api
image: nginx
daemon:
files:
- upstreams
- servers
- server-cert
- server-key
command: nginx
# {% endif %}
files:
designate-conf:
@ -70,3 +81,21 @@ files:
api-paste:
path: /etc/designate/api-paste.ini
content: api-paste.ini.j2
# {% if designate.tls.enabled %}
servers:
path: /etc/nginx/conf.d/servers.conf
content: nginx-api.conf.j2
perm: "0400"
upstreams:
path: /etc/nginx/conf.d/upstreams.conf
content: upstreams.conf.j2
perm: "0400"
server-cert:
path: /opt/ccp/etc/tls/server-cert.pem
content: server-cert.pem.j2
perm: "0400"
server-key:
path: /opt/ccp/etc/tls/server-key.pem
content: server-key.pem.j2
perm: "0400"
# {% endif %}
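Review bot: The `files:` block added under `# {% if designate.tls.enabled %}` declares only `server-cert` and `server-key`, yet the designate.conf.j2 hunk in this same commit points `[network_api:neutron] ca_certificates_file` at `/opt/ccp/etc/tls/ca.pem`, which no file entry here provides. Unless that CA bundle is mounted by shared CCP machinery outside this commit, Designate's Neutron client will fail certificate verification as soon as TLS is enabled; an explicit `ca-cert:` entry with `path: /opt/ccp/etc/tls/ca.pem` (and the matching name under the designate-api container's `files:`) would make the dependency visible next to the other TLS files. Rendering loses the indentation here, so which container each `files:` list belongs to is inferred from the surrounding keys. The enclosing `service:` mapping starts before this hunk.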


@ -1,5 +1,7 @@
configs:
designate:
tls:
enabled: true
api_port:
cont: 9001
ingress: dns
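Review bot: `enabled: true` makes TLS termination the default for every deployment, so `security.tls.server_cert` and `security.tls.server_key` must be provisioned up front; otherwise the new server-cert.pem.j2 / server-key.pem.j2 templates would most likely render empty PEM files and the nginx container fails at start-up. A comment above `tls:` stating that dependency, e.g. `# Requires security.tls.server_cert and security.tls.server_key to be provided`, would surface it where operators toggle the flag. Indentation is lost in this rendering, so `tls:` sitting directly under `designate:` is inferred from the `designate.tls.enabled` references elsewhere in the commit.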


@ -47,8 +47,13 @@ threads = {{ designate.service.central.threads }}
[service:api]
workers = {{ designate.service.api.workers }}
threads = {{ designate.service.api.threads }}
{% if designate.tls.enabled %}
api_base_uri = {{ address('designate-api', designate.api_port, with_scheme=True) }}
api_host = 127.0.0.1
{% else %}
api_base_uri = http://{{ network_topology["private"]["address"] }}:{{ designate.api_port.cont }}/
api_host = {{ network_topology["private"]["address"] }}
{% endif %}
api_port = {{ designate.api_port.cont }}
auth_strategy = keystone
enable_api_v1 = True
@ -56,7 +61,12 @@ enabled_extensions_v1 = diagnostics, quotas, reports, sync, touch
enable_api_v2 = True
enabled_extensions_v2 = quotas, reports
enable_api_admin = True
listen = {{ address("designate-api", designate.api_port) }}
#listen = {{ network_topology["private"]["address"] }}:{{ designate.api_port.cont }}
{% if designate.tls.enabled %}
[network_api:neutron]
ca_certificates_file = /opt/ccp/etc/tls/ca.pem
{% endif %}
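Review bot: In the `{% if designate.tls.enabled %}` branch of the first hunk, `api_host = 127.0.0.1` is meant to keep designate-api off the pod's routable address, but `listen = {{ address("designate-api", designate.api_port) }}` in the second hunk remains unconditional, and in Designate releases where `api_host`/`api_port` are deprecated in favour of `listen`, the latter is what decides the bind address; if so, the plaintext API would still be reachable next to the nginx TLS listener rather than only behind it. Making the bind address follow the same switch, `listen = 127.0.0.1:{{ designate.api_port.cont }}` inside the TLS branch, would match the `server 127.0.0.1:...` upstream in upstreams.conf.j2. The commented-out `#listen = ...` line directly below is dead and can be dropped. The `[service:api]` section continues outside the first hunk.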
#-------------
# Sink Service


@ -0,0 +1,9 @@
server {
listen {{ network_topology["private"]["address"] }}:{{ designate.api_port.cont }} ssl;
include common/ssl.conf;
location / {
proxy_pass http://designate_api;
include common/proxy-headers.conf;
}
}
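Review bot: `listen {{ network_topology["private"]["address"] }}:{{ designate.api_port.cont }} ssl;` reuses the same port number as the upstream `server 127.0.0.1:{{ designate.api_port.cont }}` in upstreams.conf.j2, which reads like a port collision until one notices the two bind different addresses. A one-line comment above `listen` would spare the next reader that check: `# Same port as the designate-api upstream on purpose: nginx binds the pod's private address, designate-api is expected to bind loopback only (see designate.conf.j2).` Whether designate-api really binds loopback depends on its `listen` setting, which this commit leaves to the designate.conf.j2 template.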


@ -0,0 +1 @@
{{ security.tls.server_cert }}


@ -0,0 +1 @@
{{ security.tls.server_key }}


@ -0,0 +1,3 @@
upstream designate_api {
server 127.0.0.1:{{ designate.api_port.cont }};
}