Tls support configurations

Change-Id: If16d60d03629734a3abe0393a967e8458653f3ff
Partially-implements: bp tls-support

README.rst

@@ -232,8 +232,52 @@ vif binding executables. For example, if you installed it on Debian or Ubuntu::
 Running Kuryr
 ~~~~~~~~~~~~~
 
-Currently, Kuryr utilizes a bash script to start the service. Make sure that
-you have installed `tox` before the execution of the command below::
+Currently, Kuryr utilizes a bash script to start the service.
+Make sure that you have installed `tox` before the execution of
+the following commands:
+
+If SSL needs to be enabled follow this step or skip to next step::
+
+    $tox -egenconfig
+
+    Add these 3 parameters in generated file[etc/kuryr.conf.sample]:
+        ssl_cert_file <Absolute Path for Cert file>
+        ssl_key_file <Absolute Path for private key>
+        enable_ssl <True or False>
+
+    $export SSL_ENABLED=True
+
+    Add the path names in [contrib/tls/kuryr.json]:
+        InsecureSkipVerify <false/true>
+        CAFile: <Absolute Path for CA file>
+        CertFile: <Absolute Path for Cert file>
+        KeyFile: <Absolute Path for private key>
+
+    Placement of cert files:
+    By default Kuryr places it certs in /var/lib/kuryr/certs directory,
+    Please make sure that certs are on proper location as mentioned in kuryr.conf
+
+    Verification of kuryr.json:
+    Please make sure that your kuryr.json look similar to below sample
+    with appropiate paths of certs updated, and remove older .spec files
+    if any exists.
+    and https configuration url::
+        {
+          "Name": "kuryr",
+          "Addr": "https://127.0.0.1:23750",
+          "TLSConfig": {
+            "InsecureSkipVerify": false,
+            "CAFile": "/var/lib/kuryr/certs/ca.pem",
+            "CertFile": "/var/lib/kuryr/certs/cert.pem",
+            "KeyFile": "/var/lib/kuryr/certs/key.pem"
+          }
+        }
+
+    Optional:
+    For locally generating and testing, please refer to below link:
+        http://tech.paulcz.net/2016/01/secure-docker-with-tls/
+
+Run Kuryr Server from command below::
 
     $ sudo ./scripts/run_kuryr.sh
 

contrib/tls/kuryr.json

@@ -0,0 +1,10 @@
+{
+  "Name": "kuryr",
+  "Addr": "https://127.0.0.1:23750",
+  "TLSConfig": {
+    "InsecureSkipVerify": false,
+    "CAFile": "/var/lib/kuryr/certs/ca.pem",
+    "CertFile": "/var/lib/kuryr/certs/cert.pem",
+    "KeyFile": "/var/lib/kuryr/certs/key.pem"
+  }
+}

devstack/plugin.sh

@@ -15,6 +15,7 @@
 XTRACE=$(set +o | grep xtrace)
 set +o xtrace
 
+echo_summary "kuryr-libnetwork's plugin.sh was called..."
 ETCD_VERSION=v2.2.2
 
 function install_etcd_data_store {

devstack/settings

@@ -1,6 +1,6 @@
 
 KURYR_HOME=${KURYR_HOME:-$DEST/kuryr-libnetwork}
-KURYR_ACTIVATOR_FILENAME=kuryr.spec
+KURYR_ACTIVATOR_FILENAME=${KURYR_ACTIVATOR_FILENAME:-kuryr.spec}
 KURYR_DEFAULT_ACTIVATOR=${KURYR_HOME}/etc/${KURYR_ACTIVATOR_FILENAME}
 
 # See libnetwork's plugin discovery mechanism:

kuryr_libnetwork/config.py

@@ -45,6 +45,17 @@ core_opts = [
     cfg.StrOpt('port_driver',
                default='kuryr_libnetwork.port_driver.drivers.veth',
                help=_('Driver for the desired deployment model')),
+    cfg.StrOpt('ssl_cert_file',
+               default='/var/lib/kuryr/certs/cert.pem',
+               help=_('This option allows setting absolute path'
+                    'to the SSL certificate')),
+    cfg.StrOpt('ssl_key_file',
+               default='/var/lib/kuryr/certs/key.pem',
+               help=_('This option allows setting absolute path'
+                     'to the SSL private key')),
+    cfg.BoolOpt('enable_ssl',
+                default=False,
+                help=_('Enable SSL for Kuryr'))
 ]
 
 CONF = cfg.CONF

kuryr_libnetwork/server.py

@@ -15,6 +15,7 @@ import sys
 from oslo_log import log
 from six.moves.urllib import parse
 
+from kuryr.lib._i18n import _
 from kuryr_libnetwork import app
 from kuryr_libnetwork import config
 from kuryr_libnetwork import controllers
@@ -30,10 +31,33 @@ def configure_app():
     controllers.load_port_driver()
 
 
+def _get_ssl_configs(use_ssl):
+    if use_ssl:
+        cert_file = config.CONF.ssl_cert_file
+        key_file = config.CONF.ssl_key_file
+
+        if not os.path.exists(cert_file):
+            raise RuntimeError(
+                _("Unable to find cert_file : %s") % cert_file)
+
+        if not os.path.exists(key_file):
+            raise RuntimeError(
+                _("Unable to find key_file : %s") % key_file)
+
+        return cert_file, key_file
+    else:
+        return None
+
+
 def start():
     configure_app()
     kuryr_uri = parse.urlparse(config.CONF.kuryr_uri)
-    app.run(kuryr_uri.hostname, kuryr_uri.port)
+
+    # SSL configuration
+    use_ssl = config.CONF.enable_ssl
+
+    app.run(kuryr_uri.hostname, kuryr_uri.port,
+        ssl_context=_get_ssl_configs(use_ssl))
 
 
 if __name__ == '__main__':

kuryr_libnetwork/tests/unit/test_config.py

@@ -58,7 +58,8 @@ class ConfigurationTest(base.TestKuryrBase):
         mock_neutron_client.assert_called_once()
         mock_check_neutron_ext_support.assert_called_once()
         mock_check_neutron_ext_tag.assert_called_once()
-        mock_run.assert_called_once_with(kuryr_uri.hostname, 23750)
+        mock_run.assert_called_once_with(kuryr_uri.hostname, 23750,
+            ssl_context=None)
 
     def test_check_for_neutron_ext_support_with_ex(self):
         with mock.patch.object(controllers.app.neutron,

scripts/run_kuryr.sh

@@ -16,7 +16,7 @@ KURYR_HOME=${KURYR_HOME:-.}
 KURYR_JSON_FILENAME=kuryr.json
 KURYR_DEFAULT_JSON=${KURYR_HOME}/etc/${KURYR_JSON_FILENAME}
 # See libnetwork's plugin discovery mechanism:
-#   https://github.com/docker/docker/blob/c4d45b6a29a91f2fb5d7a51ac36572f2a9b295c6/docs/extend/plugin_api.md#plugin-discovery
+# https://github.com/docker/docker/blob/c4d45b6a29a91f2fb5d7a51ac36572f2a9b295c6/docs/extend/plugin_api.md#plugin-discovery
 KURYR_JSON_DIR=${KURYR_JSON_DIR:-/usr/lib/docker/plugins/kuryr}
 KURYR_JSON=${KURYR_JSON_DIR}/${KURYR_JSON_FILENAME}
 
@@ -25,6 +25,9 @@ KURYR_DEFAULT_CONFIG=${KURYR_HOME}/etc/${KURYR_CONFIG_FILENAME}
 KURYR_CONFIG_DIR=${KURYR_CONFIG_DIR:-/etc/kuryr}
 KURYR_CONFIG=${KURYR_CONFIG_DIR}/${KURYR_CONFIG_FILENAME}
 
+SSL_ENABLED=${SSL_ENABLED:-False}
+KURYR_SSL_ENABLED_JSON=${KURYR_HOME}/contrib/tls/${KURYR_JSON_FILENAME}
+
 
 if [[ ! -d "${KURYR_JSON_DIR}" ]]; then
     echo -n "${KURYR_JSON_DIR} directory is missing. Creating it... "
@@ -32,8 +35,15 @@ if [[ ! -d "${KURYR_JSON_DIR}" ]]; then
     echo "Done"
 fi
 
+
+if [ "$SSL_ENABLED" == "True" ]; then
+    echo -n "Copying ${KURYR_SSL_ENABLED_JSON} one... "
+    sudo cp ${KURYR_SSL_ENABLED_JSON} ${KURYR_JSON}
+fi
+
+
 if [[ ! -f "${KURYR_JSON}" ]]; then
-    echo -n "${KURYR_JSON} is missing. Copying the default one... "
+    echo -n "${KURYR_JSON} is missing. Copying the ssl enabled one... "
     sudo cp ${KURYR_DEFAULT_JSON} ${KURYR_JSON}
     echo "Done"
 fi
@@ -49,11 +59,19 @@ if [[ ! -f "${KURYR_CONFIG}" ]]; then
         echo -n "${KURYR_CONFIG} is missing. Copying the default one... "
         sudo cp ${KURYR_DEFAULT_CONFIG} ${KURYR_CONFIG}
     else
-        echo -n "${KURYR_CONFIG} and the default config missing. Auto generating and copying one... "
-        cd ${KURYR_HOME}
-        tox -egenconfig
-        sudo cp ${KURYR_DEFAULT_CONFIG}.sample ${KURYR_DEFAULT_CONFIG}
-        sudo cp ${KURYR_DEFAULT_CONFIG} ${KURYR_CONFIG}
+        if [ "$SSL_ENABLED" == "True" ];then
+            # To Avoid tls compatible Config file and json file mismatch it would be
+            # better to raise an error than to continue with corrupt env.
+            echo "Please check configuration for Tls.."
+            echo "Aborting"
+            exit 1
+        else
+            echo -n "${KURYR_CONFIG} and the default config missing. Auto generating and copying one... "
+            cd ${KURYR_HOME}
+            tox -egenconfig
+            sudo cp ${KURYR_DEFAULT_CONFIG}.sample ${KURYR_DEFAULT_CONFIG}
+            sudo cp ${KURYR_DEFAULT_CONFIG} ${KURYR_CONFIG}
+        fi
     fi
     echo "Done"
 fi