authorSergey Kraynev <skraynev@mirantis.com>2017-01-26 14:33:09 +0000
committerSergey Kraynev <skraynev@mirantis.com>2017-02-17 10:58:57 +0000
commit0a9850e1d416a528e3d6e5f3584c1af98abde79d (patch)
tree9f245f773e5c6cfec6ff6d0c1f2bea1605ffd9fe
parent7aaf8cc10bfa477758c5cc8d14f3c41e5e21aabf (diff)
Add TLS support for Keystone
- Add files for certificates - Add config file for nginx service - Update service definition by adding new container for nginx - Update wsgi to use localhost This patch requires patches in other repos: - fuel-ccp - fuel-ccp-entrypoint - fuel-ccp-nginx Co-Authored-By: Artur Zarzycki <azarzycki@mirantis.com> Depends-On: I65002b7ff9cfa2faf9d5bce470334aae95334d00 Depends-On: I88bc21571589dcd4c31bb5ce5015a75676ed2d85 Depends-On: I0660cc3ca2723bc06871b61f859adfed42c0d807 Change-Id: If796ea145c0a6b1bcb711496a4ad97a0a4ac2fb2
Notes
Notes (review): Code-Review+2: Sergey Reshetnyak <sreshetniak@mirantis.com> Verified+1: Mirantis CCP CI <mirantis-fuel-ccp-ci@mirantis.com> Code-Review+2: Andrey Pavlov <apavlov@mirantis.com> Workflow+1: Andrey Pavlov <apavlov@mirantis.com> Verified+2: Jenkins Submitted-by: Jenkins Submitted-at: Mon, 20 Feb 2017 10:07:01 +0000 Reviewed-on: https://review.openstack.org/425733 Project: openstack/fuel-ccp-keystone Branch: refs/heads/master
-rw-r--r--exports/keystone_authtoken.j23
-rw-r--r--service/files/ca-cert.pem.j21
-rw-r--r--service/files/defaults.yaml3
-rw-r--r--service/files/server-cert.pem.j21
-rw-r--r--service/files/server-key.pem.j21
-rw-r--r--service/files/servers.conf.j218
-rw-r--r--service/files/upstreams.conf.j26
-rw-r--r--service/files/wsgi-keystone.conf.j214
-rw-r--r--service/keystone.yaml38
9 files changed, 84 insertions, 1 deletions
diff --git a/exports/keystone_authtoken.j2 b/exports/keystone_authtoken.j2
index 219232d..2d712e7 100644
--- a/exports/keystone_authtoken.j2
+++ b/exports/keystone_authtoken.j2
@@ -9,4 +9,7 @@ project_name = {{ service_account.project }}
9username = {{ username }} 9username = {{ username }}
10password = {{ password }} 10password = {{ password }}
11memcached_servers = {{ address("memcached", memcached.port) }} 11memcached_servers = {{ address("memcached", memcached.port) }}
12{% if keystone.tls.enabled %}
13cafile = /opt/ccp/etc/tls/ca.pem
14{% endif %}
12{%- endmacro %} 15{%- endmacro %}
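Review bot: The `cafile` value added at new line 13 is a literal path that the same commit also hard-codes as the `ca_cert` file path in service/keystone.yaml; the two must stay identical or every consumer of this export loses certificate verification with no render-time error. Deriving both from one value in defaults.yaml would remove the coupling, and until then a Jinja comment on the new line, `{# must match files.ca_cert.path in service/keystone.yaml #}`, would at least record the dependency. The start of the macro, including whatever URL it emits for the auth endpoint, lies above the hunk, so it cannot be seen here whether that URL switches to https when `keystone.tls.enabled` is set; with an http URL the new `cafile` line is inert.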
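--- /dev/null
+++ b/service/files/ca-cert.pem.j2
@@ -0,0 +1 @@
+{{ security.tls.ca_cert }}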
diff --git a/service/files/defaults.yaml b/service/files/defaults.yaml
index e7e4f9d..528b923 100644
--- a/service/files/defaults.yaml
+++ b/service/files/defaults.yaml
@@ -1,7 +1,8 @@
1configs: 1configs:
2 keystone: 2 keystone:
3 debug: false 3 debug: false
4 4 tls:
5 enabled: true
5 public_port: 6 public_port:
6 cont: 5000 7 cont: 5000
7 ingress: identity 8 ingress: identity
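Review bot: `tls.enabled: true` at new line 5 turns TLS on by default, so every deployment now has to supply `security.tls.ca_cert`, `security.tls.server_cert` and `security.tls.server_key`, which the new pem templates in this commit render unconditionally; an unset value presumably yields an empty PEM file that nginx rejects only at container start, not at render time. A comment above the key recording that prerequisite would help whoever flips the default, e.g. `# Requires security.tls.{ca_cert,server_cert,server_key} to be provided (see Depends-On in the commit message).` Whether the rendering layer validates those values lives in fuel-ccp and cannot be confirmed from this repo.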
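--- /dev/null
+++ b/service/files/server-cert.pem.j2
@@ -0,0 +1 @@
+{{ security.tls.server_cert }}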
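--- /dev/null
+++ b/service/files/server-key.pem.j2
@@ -0,0 +1 @@
+{{ security.tls.server_key }}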
diff --git a/service/files/servers.conf.j2 b/service/files/servers.conf.j2
new file mode 100644
index 0000000..18a480b
--- /dev/null
+++ b/service/files/servers.conf.j2
@@ -0,0 +1,18 @@
1server {
2 listen {{ network_topology["private"]["address"] }}:{{ keystone.admin_port.cont }} ssl;
3 include common/ssl.conf;
4
5 location / {
6 proxy_pass http://keystone_admin;
7 include common/proxy-headers.conf;
8 }
9}
10server {
11 listen {{ network_topology["private"]["address"] }}:{{ keystone.public_port.cont }} ssl;
12 include common/ssl.conf;
13
14 location / {
15 proxy_pass http://keystone_public;
16 include common/proxy-headers.conf;
17 }
18}
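Review bot: Both server blocks terminate TLS and hand plain HTTP to Apache on the loopback upstreams, but nothing in this file conveys the original scheme to Keystone; that depends entirely on what `common/proxy-headers.conf` (from fuel-ccp-nginx, not visible here) sets. If it does not send `X-Forwarded-Proto` and Keystone's WSGI pipeline does not honour it, the self links Keystone generates (version discovery, catalog) would carry http:// and point clients at a port that now only speaks TLS, so this is worth confirming before merge. A header comment would make the contract explicit: `# TLS ends here; Apache on 127.0.0.1 sees plain HTTP, so proxy-headers.conf must carry the original scheme.` Likewise `common/ssl.conf` is relied on for the certificate paths and cipher settings without any reference to the `server-cert`/`server-key` files this service installs.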
diff --git a/service/files/upstreams.conf.j2 b/service/files/upstreams.conf.j2
new file mode 100644
index 0000000..ad86c41
--- /dev/null
+++ b/service/files/upstreams.conf.j2
@@ -0,0 +1,6 @@
1upstream keystone_admin {
2 server 127.0.0.1:{{ keystone.admin_port.cont }};
3}
4upstream keystone_public {
5 server 127.0.0.1:{{ keystone.public_port.cont }};
6}
diff --git a/service/files/wsgi-keystone.conf.j2 b/service/files/wsgi-keystone.conf.j2
index 9049715..a2ca6fb 100644
--- a/service/files/wsgi-keystone.conf.j2
+++ b/service/files/wsgi-keystone.conf.j2
@@ -1,8 +1,18 @@
1{% set venv_path = '/var/lib/microservices/venv/lib/python2.7/site-packages' %} 1{% set venv_path = '/var/lib/microservices/venv/lib/python2.7/site-packages' %}
2
3{% if keystone.tls.enabled %}
4Listen 127.0.0.1:{{ keystone.public_port.cont }}
5Listen 127.0.0.1:{{ keystone.admin_port.cont }}
6{% else %}
2Listen {{ keystone.public_port.cont }} 7Listen {{ keystone.public_port.cont }}
3Listen {{ keystone.admin_port.cont }} 8Listen {{ keystone.admin_port.cont }}
9{% endif %}
4 10
11{% if keystone.tls.enabled %}
12<VirtualHost 127.0.0.1:{{ keystone.public_port.cont }}>
13{% else %}
5<VirtualHost *:{{ keystone.public_port.cont }}> 14<VirtualHost *:{{ keystone.public_port.cont }}>
15{% endif %}
6 WSGIDaemonProcess keystone-public processes={{ keystone.wsgi.processes }} threads={{ keystone.wsgi.threads }} user=keystone group=keystone display-name=%{GROUP} python-path={{ venv_path }} 16 WSGIDaemonProcess keystone-public processes={{ keystone.wsgi.processes }} threads={{ keystone.wsgi.threads }} user=keystone group=keystone display-name=%{GROUP} python-path={{ venv_path }}
7 WSGIProcessGroup keystone-public 17 WSGIProcessGroup keystone-public
8 WSGIScriptAlias / /var/www/cgi-bin/keystone/public 18 WSGIScriptAlias / /var/www/cgi-bin/keystone/public
@@ -17,7 +27,11 @@ Listen {{ keystone.admin_port.cont }}
17 CustomLog "/var/log/ccp/keystone/keystone-access.log" access 27 CustomLog "/var/log/ccp/keystone/keystone-access.log" access
18</VirtualHost> 28</VirtualHost>
19 29
30{% if keystone.tls.enabled %}
31<VirtualHost 127.0.0.1:{{ keystone.admin_port.cont }}>
32{% else %}
20<VirtualHost *:{{ keystone.admin_port.cont }}> 33<VirtualHost *:{{ keystone.admin_port.cont }}>
34{% endif %}
21 WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP} python-path={{ venv_path }} 35 WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP} python-path={{ venv_path }}
22 WSGIProcessGroup keystone-admin 36 WSGIProcessGroup keystone-admin
23 WSGIScriptAlias / /var/www/cgi-bin/keystone/admin 37 WSGIScriptAlias / /var/www/cgi-bin/keystone/admin
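Review bot: The TLS bind address is decided four separate times — one `{% if %}` block around the `Listen` pair at new lines 3-9 and one around each `<VirtualHost>` at new lines 11-15 and 30-34 — so the loopback literal `127.0.0.1` appears in four places that must also agree with upstreams.conf.j2. Setting the address once at the top of the template and interpolating it produces the same rendered output from a single decision point. The second hunk's admin `<VirtualHost>` closes outside the hunk; the rewrite below leaves its body untouched.

```jinja
{% set venv_path = '/var/lib/microservices/venv/lib/python2.7/site-packages' %}
{# With TLS enabled nginx terminates it, so Apache must only be reachable on loopback #}
{% set listen_addr = '127.0.0.1:' if keystone.tls.enabled else '' %}
{% set vhost_addr = '127.0.0.1' if keystone.tls.enabled else '*' %}

Listen {{ listen_addr }}{{ keystone.public_port.cont }}
Listen {{ listen_addr }}{{ keystone.admin_port.cont }}

<VirtualHost {{ vhost_addr }}:{{ keystone.public_port.cont }}>
{# … unchanged: keystone-public WSGI directives and logging … #}
</VirtualHost>

<VirtualHost {{ vhost_addr }}:{{ keystone.admin_port.cont }}>
{# … unchanged: keystone-admin WSGI directives … #}
```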
diff --git a/service/keystone.yaml b/service/keystone.yaml
index 8cd251f..e9cf2eb 100644
--- a/service/keystone.yaml
+++ b/service/keystone.yaml
@@ -16,6 +16,9 @@ service:
16 type: "httpGet" 16 type: "httpGet"
17 port: {{ keystone.admin_port.cont }} 17 port: {{ keystone.admin_port.cont }}
18 path: "/" 18 path: "/"
19 # {% if keystone.tls.enabled %}
20 scheme: "https"
21 # {% endif %}
19 volumes: 22 volumes:
20 - name: keystone-logs 23 - name: keystone-logs
21 path: "/var/log/ccp/keystone" 24 path: "/var/log/ccp/keystone"
@@ -78,6 +81,9 @@ service:
78 - keystone-conf 81 - keystone-conf
79 - wsgi-keystone-conf 82 - wsgi-keystone-conf
80 - credential-key 83 - credential-key
84 # {% if keystone.tls.enabled %}
85 - ca_cert
86 # {% endif %}
81 secrets: 87 secrets:
82 - keystone-fernet 88 - keystone-fernet
83 command: daemon.sh 89 command: daemon.sh
@@ -90,6 +96,17 @@ service:
90 dependencies: 96 dependencies:
91 - keystone-create-domain 97 - keystone-create-domain
92 command: openstack project create --domain {{ service_account.domain }} {{ service_account.project }} 98 command: openstack project create --domain {{ service_account.domain }} {{ service_account.project }}
99 # {% if keystone.tls.enabled %}
100 - name: nginx
101 image: nginx
102 daemon:
103 files:
104 - upstreams
105 - servers
106 - server-cert
107 - server-key
108 command: nginx
109 # {% endif %}
93 110
94files: 111files:
95 keystone-conf: 112 keystone-conf:
@@ -108,6 +125,27 @@ files:
108 content: fernet-manage.py 125 content: fernet-manage.py
109 perm: "0400" 126 perm: "0400"
110 user: keystone 127 user: keystone
128 # {% if keystone.tls.enabled %}
129 servers:
130 path: /etc/nginx/conf.d/servers.conf
131 content: servers.conf.j2
132 perm: "0400"
133 upstreams:
134 path: /etc/nginx/conf.d/upstreams.conf
135 content: upstreams.conf.j2
136 perm: "0400"
137 ca_cert:
138 path: /opt/ccp/etc/tls/ca.pem
139 content: ca-cert.pem.j2
140 server-cert:
141 path: /opt/ccp/etc/tls/server-cert.pem
142 content: server-cert.pem.j2
143 perm: "0400"
144 server-key:
145 path: /opt/ccp/etc/tls/server-key.pem
146 content: server-key.pem.j2
147 perm: "0400"
148 # {% endif %}
111secrets: 149secrets:
112 keystone-fernet: 150 keystone-fernet:
113 path: "/etc/keystone/fernet-keys" 151 path: "/etc/keystone/fernet-keys"
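Review bot: The `server-key` entry at new lines 144-147 sets `perm: "0400"` without a `user:`, whereas the existing fernet-manage.py entry just above pairs `perm: "0400"` with `user: keystone`; with mode 0400 only the owner can read the key, so this works only if the file's default owner is the account the nginx master process runs as (presumably root, reading the key before dropping privileges — not verifiable from this repo). Stating it explicitly, `user: <account the nginx image runs as>`, or a comment on the entry, removes the guesswork. The `ca_cert` entry at new lines 137-139 is the only new file without a `perm`; that is reasonable for a public CA certificate that keystone (and, via the authtoken export, other services) must read, but a comment such as `# public CA bundle; intentionally readable by every consumer` would stop the next reader from tightening it to 0400 and silently breaking verification.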