From 27dafd6e53dde4f3857a3df86ce6421b3a94f99c Mon Sep 17 00:00:00 2001
From: Anastasiya
Date: Fri, 3 Feb 2017 12:54:57 +0400
Subject: [PATCH] TLS support for Cinder services
Depends-On: If796ea145c0a6b1bcb711496a4ad97a0a4ac2fb2
Change-Id: Ie24abf9767db88361eb247c4363e7dedfe30d934
---
 service/cinder-api.yaml | 35 ++++++++++++++++++++++++++++++++
 service/files/ca-cert.pem.j2 | 1 +
 service/files/cinder.conf.j2 | 23 ++++++++++++++++-----
 service/files/defaults.yaml | 2 ++
 service/files/nginx-api.conf.j2 | 9 ++++++++
 service/files/server-cert.pem.j2 | 1 +
 service/files/server-key.pem.j2 | 1 +
 service/files/upstreams.conf.j2 | 3 +++
 8 files changed, 70 insertions(+), 5 deletions(-)
 create mode 100644 service/files/ca-cert.pem.j2
 create mode 100644 service/files/nginx-api.conf.j2
 create mode 100644 service/files/server-cert.pem.j2
 create mode 100644 service/files/server-key.pem.j2
 create mode 100644 service/files/upstreams.conf.j2
diff --git a/service/cinder-api.yaml b/service/cinder-api.yaml
index 51903d4..6096810 100644
--- a/service/cinder-api.yaml
+++ b/service/cinder-api.yaml
@@ -101,13 +101,48 @@ service:
 daemon:
 command: cinder-api --config-file /etc/cinder/cinder.conf
 files:
+ # {% if cinder.tls.enabled %}
+ - ca_cert
+ # {% endif %}
 - cinder-conf
 dependencies:
 - memcached
 - "{{ messaging.dependencies[messaging.backend.rpc] }}"
 - "{{ messaging.dependencies[messaging.backend.notifications] }}"
+ # {% if cinder.tls.enabled %}
+ - name: nginx-cinder-api
+ image: nginx
+ daemon:
+ files:
+ - upstreams
+ - servers
+ - server-cert
+ - server-key
+ command: nginx
+ # {% endif %}
 files:
 cinder-conf:
 path: /etc/cinder/cinder.conf
 content: cinder.conf.j2
+ # {% if cinder.tls.enabled %}
+ servers:
+ path: /etc/nginx/conf.d/servers.conf
+ content: nginx-api.conf.j2
+ perm: "0400"
+ ca_cert:
+ path: /opt/ccp/etc/tls/ca.pem
+ content: ca-cert.pem.j2
+ upstreams:
+ path: /etc/nginx/conf.d/upstreams.conf
+ content: upstreams.conf.j2
+ perm: "0400"
+ server-cert:
+ path: /opt/ccp/etc/tls/server-cert.pem
+ content: server-cert.pem.j2
+ perm: "0400"
+ server-key:
+ path: /opt/ccp/etc/tls/server-key.pem
+ content: server-key.pem.j2
+ perm: "0400"
+ # {% endif %}
diff --git a/service/files/ca-cert.pem.j2 b/service/files/ca-cert.pem.j2
new file mode 100644
index 0000000..680adb6
--- /dev/null
+++ b/service/files/ca-cert.pem.j2
@@ -0,0 +1 @@
+{{ security.tls.ca_cert }}
\ No newline at end of file
diff --git a/service/files/cinder.conf.j2 b/service/files/cinder.conf.j2
index 83aad66..ba69a6e 100644
--- a/service/files/cinder.conf.j2
+++ b/service/files/cinder.conf.j2
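Review bot: The `ca_cert` list entry and the `ca_cert:` file definition are both gated on `cinder.tls.enabled`, but cinder.conf.j2 in this same change writes `ca_file = /opt/ccp/etc/tls/ca.pem` under `{% if glance.tls.enabled %}`, so a deployment with Cinder TLS off and Glance TLS on points the config at a CA bundle that is never rendered into the container. Gate both places on `# {% if cinder.tls.enabled or glance.tls.enabled %}` so the bundle is present whenever the config references it. Separately, `ca_cert` is the only new file without a `perm:`; a public CA certificate does not need 0400, but a one-line comment such as `# CA bundle is public; no perm needed` would make the asymmetry with `server-key` look deliberate rather than forgotten. The indentation of this hunk was flattened in the copy shown here, so the structure above is read from the hunk counts rather than the columns.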
@@ -5,16 +5,15 @@ use_stderr = True
 volume_name_template = volume-%s
-glance_api_servers = {{ address('glance-api', glance.api_port) }}
-
-glance_num_retries = 3
-glance_api_version = 2
-
 os_region_name = RegionOne
 enabled_backends = {{ cinder.enabled_backends }}
+{% if cinder.tls.enabled %}
+osapi_volume_listen = 127.0.0.1
+{% else %}
 osapi_volume_listen = {{ network_topology["private"]["address"] }}
+{% endif %}
 osapi_volume_listen_port = {{ cinder.api_port.cont }}
 api_paste_config = /etc/cinder/api-paste.ini
@@ -29,6 +28,20 @@ max_retries = -1
 {{ keystone_authtoken.keystone_authtoken(cinder.username, cinder.password) }}
+{% if glance.tls.enabled %}
+[ssl]
+ca_file = /opt/ccp/etc/tls/ca.pem
+{% endif %}
+
+[glance]
+{% if glance.tls.enabled %}
+protocol = https
+{% endif %}
+glance_api_servers = {{ address('glance-api', glance.api_port, with_scheme=True) }}
+
+glance_num_retries = 3
+glance_api_version = 2
+
 [oslo_concurrency]
 lock_path = /var/lib/cinder/tmp
diff --git a/service/files/defaults.yaml b/service/files/defaults.yaml
index 7a580fd..c82de68 100644
--- a/service/files/defaults.yaml
+++ b/service/files/defaults.yaml
@@ -1,5 +1,7 @@
 configs:
 cinder:
+ tls:
+ enabled: true
 api_port:
 cont: 8776
 ingress: volume
diff --git a/service/files/nginx-api.conf.j2 b/service/files/nginx-api.conf.j2
new file mode 100644
index 0000000..6385ebe
--- /dev/null
+++ b/service/files/nginx-api.conf.j2
@@ -0,0 +1,9 @@
+server {
+ listen {{ network_topology["private"]["address"] }}:{{ cinder.api_port.cont }} ssl;
+ include common/ssl.conf;
+
+ location / {
+ proxy_pass http://cinder_api;
+ include common/proxy-headers.conf;
+ }
+}
\ No newline at end of file
diff --git a/service/files/server-cert.pem.j2 b/service/files/server-cert.pem.j2
new file mode 100644
index 0000000..f2d4a38
--- /dev/null
+++ b/service/files/server-cert.pem.j2
@@ -0,0 +1 @@
+{{ security.tls.server_cert }}
\ No newline at end of file
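Review bot: The new `[ssl] ca_file` and `[glance] protocol = https` lines may never reach Cinder's Glance client: as far as I recall, Cinder registers `glance_api_servers`, `glance_num_retries`, `glance_api_version` and the TLS-related `glance_api_insecure`/`glance_ca_certificates_file` in `[DEFAULT]`, and `[ssl]` is the oslo.service server-side group, so moving the three options into a `[glance]` section would make Cinder fall back to its built-in defaults and the CA path would be ignored — please verify this against the Cinder release being targeted. If that holds, keep the three options in `[DEFAULT]` and point the client at the bundle with `glance_ca_certificates_file = /opt/ccp/etc/tls/ca.pem` under `{% if glance.tls.enabled %}`, letting the `https://` scheme produced by `with_scheme=True` select TLS. Whichever way it resolves, a one-line comment above `[glance]` naming which Cinder option consumes each key would make this reviewable without reading the Cinder source.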
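Review bot: Defaulting `tls.enabled` to `true` makes the nginx sidecar and the `security.tls.server_cert`/`server_key`/`ca_cert` template variables mandatory for every deployment, and nothing in this change checks that those values are set; if the templating engine renders a missing variable as an empty string, the outcome is an empty key file and an nginx that fails to start, which is hard to diagnose from the service definition alone. Either keep `enabled: false` until the `security.tls` values are documented as required, or add a comment next to the flag, e.g. `# requires security.tls.ca_cert, server_cert and server_key to be set`, so operators know what the default implies.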
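Review bot: Everything that decides the TLS posture of this listener — certificate and key paths, protocol versions, ciphers — lives in `common/ssl.conf`, which is not part of this change, so the hunk cannot be checked for whether it actually loads `/opt/ccp/etc/tls/server-cert.pem` and `server-key.pem` as mounted by cinder-api.yaml; please confirm and name that dependency in a comment above the `include`, e.g. `# ssl_certificate/ssl_certificate_key and cipher policy come from common/ssl.conf`. The `proxy_pass http://cinder_api;` hop is plaintext, which is acceptable only because the upstream is bound to 127.0.0.1 and cinder-api is configured to listen there; a comment stating that assumption would stop someone later pointing the upstream at a remote address. It is also worth checking whether `common/proxy-headers.conf` sets `X-Forwarded-Proto https`, since without it Cinder's version-discovery links, built from the request it sees, would advertise `http://` URLs — that in turn depends on the api-paste pipeline including proxy-aware middleware, which I cannot see here.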
diff --git a/service/files/server-key.pem.j2 b/service/files/server-key.pem.j2
new file mode 100644
index 0000000..1c1466f
--- /dev/null
+++ b/service/files/server-key.pem.j2
@@ -0,0 +1 @@
+{{ security.tls.server_key }}
\ No newline at end of file
diff --git a/service/files/upstreams.conf.j2 b/service/files/upstreams.conf.j2
new file mode 100644
index 0000000..0a3ca99
--- /dev/null
+++ b/service/files/upstreams.conf.j2
@@ -0,0 +1,3 @@
+upstream cinder_api {
+ server 127.0.0.1:{{ cinder.api_port.cont }};
+}
\ No newline at end of file