SSL support for Sahara

Change-Id: Idd6711b1d31821d17256aaa096149aefe4a9668a
2017-03-06 09:54:48 +00:00 · 2017-03-06 09:54:48 +00:00 · e67e122377
parent b2595c1763
commit e67e122377
7 changed files with 85 additions and 0 deletions
--- a/service/files/defaults.yaml
+++ b/service/files/defaults.yaml
@ -1,5 +1,7 @@
 configs:
  sahara:
+    tls:
+      enabled: true
    debug: false
    enable_wait_condition: false
    port:
--- a/service/files/nginx-sahara-api.conf.j2
+++ b/service/files/nginx-sahara-api.conf.j2
@ -0,0 +1,9 @@
+server {
+    listen {{ network_topology["private"]["address"] }}:{{ sahara.port.cont }} ssl;
+    include common/ssl.conf;
+
+    location / {
+        proxy_pass http://sahara_api;
+        include common/proxy-headers.conf;
+    }
+}
--- a/service/files/sahara.conf.j2
+++ b/service/files/sahara.conf.j2
@ -7,9 +7,49 @@ use_stderr = true
 use_neutron = true
 plugins = {{ sahara.plugins | join(',') }}

+{% if sahara.tls.enabled %}
+host = 127.0.0.1
+{% else %}
 host = {{ network_topology["private"]["address"] }}
+{% endif %}
 port = {{ sahara.port.cont }}

+{% if sahara.tls.enabled %}
+#[oslo_middleware]
+#enable_proxy_headers_parsing = true
+#
+{% endif %}
+
+{% if keystone.tls.enabled %}
+[keystone]
+ca_file = /opt/ccp/etc/tls/ca.pem
+{% endif %}
+
+{% if cinder.tls.enabled %}
+[cinder]
+ca_file = /opt/ccp/etc/tls/ca.pem
+{% endif %}
+
+{% if heat.tls.enabled %}
+[heat]
+ca_file = /opt/ccp/etc/tls/ca.pem
+{% endif %}
+
+{% if glance.tls.enabled %}
+[glance]
+ca_file = /opt/ccp/etc/tls/ca.pem
+{% endif %}
+
+{% if nova.tls.enabled %}
+[nova]
+ca_file = /opt/ccp/etc/tls/ca.pem
+{% endif %}
+
+{% if neutron.tls.enabled %}
+[neutron]
+ca_file = /opt/ccp/etc/tls/ca.pem
+{% endif %}
+
 periodic_coordinator_backend_url = memcached://{{ address("memcached", memcached.port) }}

 heat_enable_wait_condition = {{ sahara.enable_wait_condition }}
--- a/service/files/server-cert.pem.j2
+++ b/service/files/server-cert.pem.j2
@ -0,0 +1 @@
+{{ security.tls.server_cert }}
--- a/service/files/server-key.pem.j2
+++ b/service/files/server-key.pem.j2
@ -0,0 +1 @@
+{{ security.tls.server_key }}
--- a/service/files/upstreams.conf.j2
+++ b/service/files/upstreams.conf.j2
@ -0,0 +1,3 @@
+upstream sahara_api {
+    server 127.0.0.1:{{ sahara.port.cont }};
+}
--- a/service/sahara-api.yaml
+++ b/service/sahara-api.yaml
@ -61,8 +61,37 @@ service:
        dependencies:
          - rpc
        command: sahara-api --config-file /etc/sahara/sahara.conf
+    # {% if sahara.tls.enabled %}
+    - name: nginx-heat-api
+      image: nginx
+      daemon:
+        files:
+          - upstreams
+          - servers
+          - server-cert
+          - server-key
+        command: nginx
+    # {% endif %}

 files:
  sahara-conf:
    path: /etc/sahara/sahara.conf
    content: sahara.conf.j2
+  # {% if sahara.tls.enabled %}
+  servers:
+    path: /etc/nginx/conf.d/servers.conf
+    content: nginx-sahara-api.conf.j2
+    perm: "0400"
+  upstreams:
+    path: /etc/nginx/conf.d/upstreams.conf
+    content: upstreams.conf.j2
+    perm: "0400"
+  server-cert:
+    path: /opt/ccp/etc/tls/server-cert.pem
+    content: server-cert.pem.j2
+    perm: "0400"
+  server-key:
+    path: /opt/ccp/etc/tls/server-key.pem
+    content: server-key.pem.j2
+    perm: "0400"
+  # {% endif %}