Tls support configurations
Change-Id: If16d60d03629734a3abe0393a967e8458653f3ff Partially-implements: bp tls-support
parent
c74d18d850
commit
1e3d164a71
48
README.rst
48
README.rst
|
@ -232,8 +232,52 @@ vif binding executables. For example, if you installed it on Debian or Ubuntu::
|
|||
Running Kuryr
|
||||
~~~~~~~~~~~~~
|
||||
|
||||
Currently, Kuryr utilizes a bash script to start the service. Make sure that
|
||||
you have installed `tox` before the execution of the command below::
|
||||
Currently, Kuryr utilizes a bash script to start the service.
|
||||
Make sure that you have installed `tox` before the execution of
|
||||
the following commands:
|
||||
|
||||
If SSL needs to be enabled follow this step or skip to next step::
|
||||
|
||||
$tox -egenconfig
|
||||
|
||||
Add these 3 parameters in generated file[etc/kuryr.conf.sample]:
|
||||
ssl_cert_file <Absolute Path for Cert file>
|
||||
ssl_key_file <Absolute Path for private key>
|
||||
enable_ssl <True or False>
|
||||
|
||||
$export SSL_ENABLED=True
|
||||
|
||||
Add the path names in [contrib/tls/kuryr.json]:
|
||||
InsecureSkipVerify <false/true>
|
||||
CAFile: <Absolute Path for CA file>
|
||||
CertFile: <Absolute Path for Cert file>
|
||||
KeyFile: <Absolute Path for private key>
|
||||
|
||||
Placement of cert files:
|
||||
By default Kuryr places it certs in /var/lib/kuryr/certs directory,
|
||||
Please make sure that certs are on proper location as mentioned in kuryr.conf
|
||||
|
||||
Verification of kuryr.json:
|
||||
Please make sure that your kuryr.json look similar to below sample
|
||||
with appropiate paths of certs updated, and remove older .spec files
|
||||
if any exists.
|
||||
and https configuration url::
|
||||
{
|
||||
"Name": "kuryr",
|
||||
"Addr": "https://127.0.0.1:23750",
|
||||
"TLSConfig": {
|
||||
"InsecureSkipVerify": false,
|
||||
"CAFile": "/var/lib/kuryr/certs/ca.pem",
|
||||
"CertFile": "/var/lib/kuryr/certs/cert.pem",
|
||||
"KeyFile": "/var/lib/kuryr/certs/key.pem"
|
||||
}
|
||||
}
|
||||
|
||||
Optional:
|
||||
For locally generating and testing, please refer to below link:
|
||||
http://tech.paulcz.net/2016/01/secure-docker-with-tls/
|
||||
|
||||
Run Kuryr Server from command below::
|
||||
|
||||
$ sudo ./scripts/run_kuryr.sh
|
||||
|
||||
|
|
|
@ -0,0 +1,10 @@
|
|||
{
|
||||
"Name": "kuryr",
|
||||
"Addr": "https://127.0.0.1:23750",
|
||||
"TLSConfig": {
|
||||
"InsecureSkipVerify": false,
|
||||
"CAFile": "/var/lib/kuryr/certs/ca.pem",
|
||||
"CertFile": "/var/lib/kuryr/certs/cert.pem",
|
||||
"KeyFile": "/var/lib/kuryr/certs/key.pem"
|
||||
}
|
||||
}
|
|
@ -15,6 +15,7 @@
|
|||
XTRACE=$(set +o | grep xtrace)
|
||||
set +o xtrace
|
||||
|
||||
echo_summary "kuryr-libnetwork's plugin.sh was called..."
|
||||
ETCD_VERSION=v2.2.2
|
||||
|
||||
function install_etcd_data_store {
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
|
||||
KURYR_HOME=${KURYR_HOME:-$DEST/kuryr-libnetwork}
|
||||
KURYR_ACTIVATOR_FILENAME=kuryr.spec
|
||||
KURYR_ACTIVATOR_FILENAME=${KURYR_ACTIVATOR_FILENAME:-kuryr.spec}
|
||||
KURYR_DEFAULT_ACTIVATOR=${KURYR_HOME}/etc/${KURYR_ACTIVATOR_FILENAME}
|
||||
|
||||
# See libnetwork's plugin discovery mechanism:
|
||||
|
|
|
@ -45,6 +45,17 @@ core_opts = [
|
|||
cfg.StrOpt('port_driver',
|
||||
default='kuryr_libnetwork.port_driver.drivers.veth',
|
||||
help=_('Driver for the desired deployment model')),
|
||||
cfg.StrOpt('ssl_cert_file',
|
||||
default='/var/lib/kuryr/certs/cert.pem',
|
||||
help=_('This option allows setting absolute path'
|
||||
'to the SSL certificate')),
|
||||
cfg.StrOpt('ssl_key_file',
|
||||
default='/var/lib/kuryr/certs/key.pem',
|
||||
help=_('This option allows setting absolute path'
|
||||
'to the SSL private key')),
|
||||
cfg.BoolOpt('enable_ssl',
|
||||
default=False,
|
||||
help=_('Enable SSL for Kuryr'))
|
||||
]
|
||||
|
||||
CONF = cfg.CONF
|
||||
|
|
|
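Review bot: The help strings for `ssl_cert_file` and `ssl_key_file` are implicitly concatenated literals with no separating space, so the generated help text reads "absolute pathto the SSL certificate" and "absolute pathto the SSL private key"; end the first fragment with a space, `help=_('This option allows setting absolute path '`, in both options. The defaults under `/var/lib/kuryr/certs` say nothing about who must be able to read the private key; a sentence in the `ssl_key_file` help such as "must be readable by the user running kuryr-server and should not be readable by others" would help operators place the files correctly. The `core_opts` list starts before this hunk.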
@ -15,6 +15,7 @@ import sys
|
|||
from oslo_log import log
|
||||
from six.moves.urllib import parse
|
||||
|
||||
from kuryr.lib._i18n import _
|
||||
from kuryr_libnetwork import app
|
||||
from kuryr_libnetwork import config
|
||||
from kuryr_libnetwork import controllers
|
||||
|
@ -30,10 +31,33 @@ def configure_app():
|
|||
controllers.load_port_driver()
|
||||
|
||||
|
||||
def _get_ssl_configs(use_ssl):
|
||||
if use_ssl:
|
||||
cert_file = config.CONF.ssl_cert_file
|
||||
key_file = config.CONF.ssl_key_file
|
||||
|
||||
if not os.path.exists(cert_file):
|
||||
raise RuntimeError(
|
||||
_("Unable to find cert_file : %s") % cert_file)
|
||||
|
||||
if not os.path.exists(key_file):
|
||||
raise RuntimeError(
|
||||
_("Unable to find key_file : %s") % key_file)
|
||||
|
||||
return cert_file, key_file
|
||||
else:
|
||||
return None
|
||||
|
||||
|
||||
def start():
|
||||
configure_app()
|
||||
kuryr_uri = parse.urlparse(config.CONF.kuryr_uri)
|
||||
app.run(kuryr_uri.hostname, kuryr_uri.port)
|
||||
|
||||
# SSL configuration
|
||||
use_ssl = config.CONF.enable_ssl
|
||||
|
||||
app.run(kuryr_uri.hostname, kuryr_uri.port,
|
||||
ssl_context=_get_ssl_configs(use_ssl))
|
||||
|
||||
|
||||
if __name__ == '__main__':
|
||||
|
|
|
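Review bot: `_get_ssl_configs` has no docstring explaining that the `(cert_file, key_file)` tuple it returns is what `app.run` consumes as `ssl_context` and that `None` turns TLS off; add `"""Return the (cert, key) path tuple for app.run's ssl_context, or None when SSL is disabled."""`. The `os.path.exists` checks only confirm the files are present, so an unreadable key or a cert/key mismatch still fails later inside `app.run`, and `import os` is not visible in this hunk, so confirm it is imported above line 15. As far as the hunk shows, only the server's own certificate and key are loaded and no CA or client-certificate verification is configured, so the `CertFile`/`KeyFile` that `contrib/tls/kuryr.json` hands to the Docker side are presumably not checked by this server — worth confirming whether mutual TLS is intended. The trailing `else: return None` reads more naturally as a guard clause, `if not use_ssl: return None`, at the top of the function.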
@ -58,7 +58,8 @@ class ConfigurationTest(base.TestKuryrBase):
|
|||
mock_neutron_client.assert_called_once()
|
||||
mock_check_neutron_ext_support.assert_called_once()
|
||||
mock_check_neutron_ext_tag.assert_called_once()
|
||||
mock_run.assert_called_once_with(kuryr_uri.hostname, 23750)
|
||||
mock_run.assert_called_once_with(kuryr_uri.hostname, 23750,
|
||||
ssl_context=None)
|
||||
|
||||
def test_check_for_neutron_ext_support_with_ex(self):
|
||||
with mock.patch.object(controllers.app.neutron,
|
||||
|
|
|
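Review bot: The only assertion touched covers `enable_ssl=False` (`ssl_context=None`); nothing exercises the new `_get_ssl_configs` paths with SSL on, so the `RuntimeError` for a missing cert or key and the `(cert_file, key_file)` tuple passed to `app.run` are untested. Two additional cases would close that gap: one that enables `enable_ssl`, patches `os.path.exists` to return False and asserts `RuntimeError` is raised, and one where it returns True that asserts `mock_run` was called with `ssl_context=(config.CONF.ssl_cert_file, config.CONF.ssl_key_file)`. The test method enclosing the changed assertion starts before this hunk, so the fixture used to set config values is not visible here.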
@ -16,7 +16,7 @@ KURYR_HOME=${KURYR_HOME:-.}
|
|||
KURYR_JSON_FILENAME=kuryr.json
|
||||
KURYR_DEFAULT_JSON=${KURYR_HOME}/etc/${KURYR_JSON_FILENAME}
|
||||
# See libnetwork's plugin discovery mechanism:
|
||||
# https://github.com/docker/docker/blob/c4d45b6a29a91f2fb5d7a51ac36572f2a9b295c6/docs/extend/plugin_api.md#plugin-discovery
|
||||
# https://github.com/docker/docker/blob/c4d45b6a29a91f2fb5d7a51ac36572f2a9b295c6/docs/extend/plugin_api.md#plugin-discovery
|
||||
KURYR_JSON_DIR=${KURYR_JSON_DIR:-/usr/lib/docker/plugins/kuryr}
|
||||
KURYR_JSON=${KURYR_JSON_DIR}/${KURYR_JSON_FILENAME}
|
||||
|
||||
|
@ -25,6 +25,9 @@ KURYR_DEFAULT_CONFIG=${KURYR_HOME}/etc/${KURYR_CONFIG_FILENAME}
|
|||
KURYR_CONFIG_DIR=${KURYR_CONFIG_DIR:-/etc/kuryr}
|
||||
KURYR_CONFIG=${KURYR_CONFIG_DIR}/${KURYR_CONFIG_FILENAME}
|
||||
|
||||
SSL_ENABLED=${SSL_ENABLED:-False}
|
||||
KURYR_SSL_ENABLED_JSON=${KURYR_HOME}/contrib/tls/${KURYR_JSON_FILENAME}
|
||||
|
||||
|
||||
if [[ ! -d "${KURYR_JSON_DIR}" ]]; then
|
||||
echo -n "${KURYR_JSON_DIR} directory is missing. Creating it... "
|
||||
|
@ -32,8 +35,15 @@ if [[ ! -d "${KURYR_JSON_DIR}" ]]; then
|
|||
echo "Done"
|
||||
fi
|
||||
|
||||
|
||||
if [ "$SSL_ENABLED" == "True" ]; then
|
||||
echo -n "Copying ${KURYR_SSL_ENABLED_JSON} one... "
|
||||
sudo cp ${KURYR_SSL_ENABLED_JSON} ${KURYR_JSON}
|
||||
fi
|
||||
|
||||
|
||||
if [[ ! -f "${KURYR_JSON}" ]]; then
|
||||
echo -n "${KURYR_JSON} is missing. Copying the default one... "
|
||||
echo -n "${KURYR_JSON} is missing. Copying the ssl enabled one... "
|
||||
sudo cp ${KURYR_DEFAULT_JSON} ${KURYR_JSON}
|
||||
echo "Done"
|
||||
fi
|
||||
|
@ -49,11 +59,19 @@ if [[ ! -f "${KURYR_CONFIG}" ]]; then
|
|||
echo -n "${KURYR_CONFIG} is missing. Copying the default one... "
|
||||
sudo cp ${KURYR_DEFAULT_CONFIG} ${KURYR_CONFIG}
|
||||
else
|
||||
echo -n "${KURYR_CONFIG} and the default config missing. Auto generating and copying one... "
|
||||
cd ${KURYR_HOME}
|
||||
tox -egenconfig
|
||||
sudo cp ${KURYR_DEFAULT_CONFIG}.sample ${KURYR_DEFAULT_CONFIG}
|
||||
sudo cp ${KURYR_DEFAULT_CONFIG} ${KURYR_CONFIG}
|
||||
if [ "$SSL_ENABLED" == "True" ];then
|
||||
# To Avoid tls compatible Config file and json file mismatch it would be
|
||||
# better to raise an error than to continue with corrupt env.
|
||||
echo "Please check configuration for Tls.."
|
||||
echo "Aborting"
|
||||
exit 1
|
||||
else
|
||||
echo -n "${KURYR_CONFIG} and the default config missing. Auto generating and copying one... "
|
||||
cd ${KURYR_HOME}
|
||||
tox -egenconfig
|
||||
sudo cp ${KURYR_DEFAULT_CONFIG}.sample ${KURYR_DEFAULT_CONFIG}
|
||||
sudo cp ${KURYR_DEFAULT_CONFIG} ${KURYR_CONFIG}
|
||||
fi
|
||||
fi
|
||||
echo "Done"
|
||||
fi
|
||||
|
|
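Review bot: In the `if [[ ! -f "${KURYR_JSON}" ]]` block the message now reads "Copying the ssl enabled one..." (reading the two echo lines as old then new) while the following `sudo cp ${KURYR_DEFAULT_JSON} ${KURYR_JSON}` still copies the non-TLS default, and since the SSL branch just above already installed `${KURYR_SSL_ENABLED_JSON}` when `SSL_ENABLED=True`, this block only runs in the non-SSL case; keep the original wording, `echo -n "${KURYR_JSON} is missing. Copying the default one... "`. The SSL branch also overwrites an existing `${KURYR_JSON}` unconditionally, unlike the default copy which is guarded by `! -f`; if that is intended, a comment saying so would help, otherwise add the same guard. The `cp` arguments are unquoted, so a `KURYR_HOME` containing spaces breaks both copies — `sudo cp "${KURYR_SSL_ENABLED_JSON}" "${KURYR_JSON}"`. The hunks cut through the script's `if` chains, so part of the surrounding control flow is outside this view.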