Add TLS support for Keystone

- Add files for certificates
- Add config file for nginx service
- Update service definition by adding new container for nginx
- Update wsgi to use localhost

This patch requires patches in other repos:
 - fuel-ccp
 - fuel-ccp-entrypoint
 - fuel-ccp-nginx

Co-Authored-By: Artur Zarzycki <azarzycki@mirantis.com>

Depends-On: I65002b7ff9cfa2faf9d5bce470334aae95334d00
Depends-On: I88bc21571589dcd4c31bb5ce5015a75676ed2d85
Depends-On: I0660cc3ca2723bc06871b61f859adfed42c0d807

Change-Id: If796ea145c0a6b1bcb711496a4ad97a0a4ac2fb2
Sergey Kraynev 2017-01-26 14:33:09 +00:00
parent 7aaf8cc10b
commit 0a9850e1d4
9 changed files with 84 additions and 1 deletions


@ -9,4 +9,7 @@ project_name = {{ service_account.project }}
username = {{ username }}
password = {{ password }}
memcached_servers = {{ address("memcached", memcached.port) }}
{% if keystone.tls.enabled %}
cafile = /opt/ccp/etc/tls/ca.pem
{% endif %}
{%- endmacro %}
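Review bot: `cafile = /opt/ccp/etc/tls/ca.pem` hardcodes the path that the service definition separately assigns to its `ca_cert` file, so the two can drift without any template error; a comment on the line, `# must match the ca_cert file path in the keystone service definition`, ties them together. Because this macro takes `username`/`password` parameters it is presumably rendered into other services' auth configuration as well, and each such consumer would then need its own `ca_cert` file entry at that path or the option will point at a file that is not there — worth confirming against the fuel-ccp side. The macro's opening line is outside the hunk.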


@ -0,0 +1 @@
{{ security.tls.ca_cert }}


@ -1,7 +1,8 @@
configs:
keystone:
debug: false
tls:
enabled: true
public_port:
cont: 5000
ingress: identity


@ -0,0 +1 @@
{{ security.tls.server_cert }}


@ -0,0 +1 @@
{{ security.tls.server_key }}


@ -0,0 +1,18 @@
server {
listen {{ network_topology["private"]["address"] }}:{{ keystone.admin_port.cont }} ssl;
include common/ssl.conf;
location / {
proxy_pass http://keystone_admin;
include common/proxy-headers.conf;
}
}
server {
listen {{ network_topology["private"]["address"] }}:{{ keystone.public_port.cont }} ssl;
include common/ssl.conf;
location / {
proxy_pass http://keystone_public;
include common/proxy-headers.conf;
}
}
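Review bot: Neither server block sets `ssl_certificate`/`ssl_certificate_key` or forwards the original scheme; both are delegated to `common/ssl.conf` and `common/proxy-headers.conf`, which live in fuel-ccp-nginx, so the `server-cert.pem`/`server-key.pem` paths chosen in this patch only work if that include expects exactly those paths. Unless proxy-headers.conf sends `X-Forwarded-Proto` and Keystone runs the http_proxy_to_wsgi middleware, the version-discovery links Keystone builds behind this proxy will presumably still say `http` — worth confirming with a request through the new listener. A comment above each `include common/ssl.conf;`, e.g. `# cert/key paths are fixed by fuel-ccp-nginx; keep in sync with the server-cert/server-key file entries`, would make the cross-repo contract visible to the next reader.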


@ -0,0 +1,6 @@
upstream keystone_admin {
server 127.0.0.1:{{ keystone.admin_port.cont }};
}
upstream keystone_public {
server 127.0.0.1:{{ keystone.public_port.cont }};
}
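Review bot: Both upstreams reuse the exact port numbers nginx itself listens on in servers.conf; the only thing separating the Apache listener from the nginx listener is the address (127.0.0.1 here, the private address for nginx). That works inside a pod network namespace but is fragile if the private address ever resolves to loopback or the pod is run with host networking, and nothing in this file says so. Suggest a comment above each `server` line: `# Apache binds 127.0.0.1 only when TLS is on; nginx takes the same port on the private address`.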


@ -1,8 +1,18 @@
{% set venv_path = '/var/lib/microservices/venv/lib/python2.7/site-packages' %}
{% if keystone.tls.enabled %}
Listen 127.0.0.1:{{ keystone.public_port.cont }}
Listen 127.0.0.1:{{ keystone.admin_port.cont }}
{% else %}
Listen {{ keystone.public_port.cont }}
Listen {{ keystone.admin_port.cont }}
{% endif %}
{% if keystone.tls.enabled %}
<VirtualHost 127.0.0.1:{{ keystone.public_port.cont }}>
{% else %}
<VirtualHost *:{{ keystone.public_port.cont }}>
{% endif %}
WSGIDaemonProcess keystone-public processes={{ keystone.wsgi.processes }} threads={{ keystone.wsgi.threads }} user=keystone group=keystone display-name=%{GROUP} python-path={{ venv_path }}
WSGIProcessGroup keystone-public
WSGIScriptAlias / /var/www/cgi-bin/keystone/public
@ -17,7 +27,11 @@ Listen {{ keystone.admin_port.cont }}
CustomLog "/var/log/ccp/keystone/keystone-access.log" access
</VirtualHost>
{% if keystone.tls.enabled %}
<VirtualHost 127.0.0.1:{{ keystone.admin_port.cont }}>
{% else %}
<VirtualHost *:{{ keystone.admin_port.cont }}>
{% endif %}
WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP} python-path={{ venv_path }}
WSGIProcessGroup keystone-admin
WSGIScriptAlias / /var/www/cgi-bin/keystone/admin
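Review bot: The `keystone.tls.enabled` test is repeated three times with the same two branches (the Listen pair, the public VirtualHost, and the admin VirtualHost in the second hunk); a single `{% set vhost_addr = '127.0.0.1' if keystone.tls.enabled else '*' %}` next to `venv_path` would let both `<VirtualHost {{ vhost_addr }}:{{ ... }}>` lines drop their conditionals. The Listen block still needs its own branch since the non-TLS form omits the address. A one-line comment on the TLS branch stating the intent would also help, e.g. `# TLS: bind loopback only so every client reaches Keystone through the nginx sidecar`. The admin VirtualHost's body continues outside the second hunk.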


@ -16,6 +16,9 @@ service:
type: "httpGet"
port: {{ keystone.admin_port.cont }}
path: "/"
# {% if keystone.tls.enabled %}
scheme: "https"
# {% endif %}
volumes:
- name: keystone-logs
path: "/var/log/ccp/keystone"
@ -78,6 +81,9 @@ service:
- keystone-conf
- wsgi-keystone-conf
- credential-key
# {% if keystone.tls.enabled %}
- ca_cert
# {% endif %}
secrets:
- keystone-fernet
command: daemon.sh
@ -90,6 +96,17 @@ service:
dependencies:
- keystone-create-domain
command: openstack project create --domain {{ service_account.domain }} {{ service_account.project }}
# {% if keystone.tls.enabled %}
- name: nginx
image: nginx
daemon:
files:
- upstreams
- servers
- server-cert
- server-key
command: nginx
# {% endif %}
files:
keystone-conf:
@ -108,6 +125,27 @@ files:
content: fernet-manage.py
perm: "0400"
user: keystone
# {% if keystone.tls.enabled %}
servers:
path: /etc/nginx/conf.d/servers.conf
content: servers.conf.j2
perm: "0400"
upstreams:
path: /etc/nginx/conf.d/upstreams.conf
content: upstreams.conf.j2
perm: "0400"
ca_cert:
path: /opt/ccp/etc/tls/ca.pem
content: ca-cert.pem.j2
server-cert:
path: /opt/ccp/etc/tls/server-cert.pem
content: server-cert.pem.j2
perm: "0400"
server-key:
path: /opt/ccp/etc/tls/server-key.pem
content: server-key.pem.j2
perm: "0400"
# {% endif %}
secrets:
keystone-fernet:
path: "/etc/keystone/fernet-keys"
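Review bot: `server-key` carries the TLS private key but is declared under `files:` next to the nginx config templates, while the pod's other sensitive material (`keystone-fernet`) goes through `secrets:`; if `files:` entries are materialized as ConfigMaps, the key is readable to anyone who can read ConfigMaps in the namespace, regardless of the `perm: "0400"` on the mounted copy. Moving `server-key` to `secrets:` (assuming that mechanism can render the `security.tls.server_key` template) would keep it in a Secret object. Separately, `ca_cert` is the only new file entry without a `perm`, so it gets whatever default the entrypoint applies; an explicit `perm` or a comment noting the CA is public would make that deliberate.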