TLS support for Cinder services

Depends-On: If796ea145c0a6b1bcb711496a4ad97a0a4ac2fb2 Change-Id: Ie24abf9767db88361eb247c4363e7dedfe30d934
2017-02-03 12:54:57 +04:00 · 2017-02-03 12:54:57 +04:00 · dcac93b2d8
parent c7518fc787
commit dcac93b2d8
8 changed files with 64 additions and 15 deletions
--- a/service/cinder-api.yaml
+++ b/service/cinder-api.yaml
@ -13,7 +13,10 @@ service:
          type: single
          command:
            mysql -u root -p{{ db.root_password }} -h {{ address(service.database) }} -e "create database {{ cinder.db.name }};
-            grant all privileges on {{ cinder.db.name }}.* to '{{ cinder.db.username }}'@'%' identified by '{{ cinder.db.password }}';"
+            create user '{{ cinder.db.username }}'@'%' identified by '{{ cinder.db.password }}'
+            {% if percona.tls.enabled %} require ssl {% endif %};
+            grant all privileges on {{ cinder.db.name }}.* to '{{ cinder.db.username }}'@'%' identified by '{{ cinder.db.password }}'
+            {% if percona.tls.enabled %} require ssl {% endif %};"
        - name: cinder-db-sync
          files:
            - cinder-conf
@ -23,15 +26,15 @@ service:
          command: cinder-manage db sync
        - name: cinder-user-create
          dependencies:
-            - keystone
+            - keystone-create-domain
          type: single
-          command: openstack user create --domain default --password {{ cinder.password  }} {{ cinder.username }}
+          command: openstack user create --domain {{ service_account.domain }} --password {{ cinder.password  }} {{ cinder.username }}
        - name: cinder-role-add
          dependencies:
            - cinder-user-create
            - keystone-create-project
          type: single
-          command: openstack role add --project service --user {{ cinder.username }} admin
+          command: openstack role add --project {{ service_account.project }} --user {{ cinder.username }} admin
        - name: cinder-service-create
          dependencies:
            - keystone
@ -98,13 +101,48 @@ service:
      daemon:
        command: cinder-api --config-file /etc/cinder/cinder.conf
        files:
+          # {% if cinder.tls.enabled %}
+          - ca_cert
+          # {% endif %}
          - cinder-conf
        dependencies:
          - memcached
          - "{{ messaging.dependencies[messaging.backend.rpc] }}"
          - "{{ messaging.dependencies[messaging.backend.notifications] }}"
+    # {% if cinder.tls.enabled %}
+    - name: nginx
+      image: nginx
+      daemon:
+        files:
+          - upstreams
+          - servers
+          - server-cert
+          - server-key
+        command: nginx
+    # {% endif %}

 files:
  cinder-conf:
    path: /etc/cinder/cinder.conf
    content: cinder.conf.j2
+  # {% if cinder.tls.enabled %}
+  servers:
+    path: /etc/nginx/conf.d/servers.conf
+    content: nginx-api.conf.j2
+    perm: "0400"
+  ca_cert:
+    path: /opt/ccp/etc/tls/ca.pem
+    content: ca-cert.pem.j2
+  upstreams:
+    path: /etc/nginx/conf.d/upstreams.conf
+    content: upstreams.conf.j2
+    perm: "0400"
+  server-cert:
+    path: /opt/ccp/etc/tls/server-cert.pem
+    content: server-cert.pem.j2
+    perm: "0400"
+  server-key:
+    path: /opt/ccp/etc/tls/server-key.pem
+    content: server-key.pem.j2
+    perm: "0400"
+  # {% endif %}
--- a/service/files/ca-cert.pem.j2
+++ b/service/files/ca-cert.pem.j2
@ -0,0 +1 @@
+{{ security.tls.ca_cert }}
--- a/service/files/cinder.conf.j2
+++ b/service/files/cinder.conf.j2
@ -14,7 +14,11 @@ os_region_name = RegionOne

 enabled_backends = {{ cinder.enabled_backends }}

+{% if cinder.tls.enabled %}
+osapi_volume_listen = 127.0.0.1
+{% else %}
 osapi_volume_listen = {{ network_topology["private"]["address"] }}
+{% endif %}
 osapi_volume_listen_port = {{ cinder.api_port.cont }}

 api_paste_config = /etc/cinder/api-paste.ini
@ -27,17 +31,7 @@ auth_strategy = keystone
 connection = mysql+pymysql://{{ cinder.db.username }}:{{ cinder.db.password }}@{{ address(service.database) }}/{{ cinder.db.name }}
 max_retries = -1

-[keystone_authtoken]
-auth_version = v3
-auth_uri = {{ address('keystone', keystone.public_port, with_scheme=True) }}/v3
-auth_url = {{ address('keystone', keystone.admin_port, with_scheme=True) }}/v3
-auth_type = password
-project_domain_id = default
-user_domain_id = default
-project_name = service
-username = {{ cinder.username }}
-password = {{ cinder.password }}
-memcached_servers = {{ address('memcached', memcached.port) }}
+{{ keystone_authtoken.keystone_authtoken(cinder.user, cinder.password) }}

 [oslo_concurrency]
 lock_path = /var/lib/cinder/tmp
--- a/service/files/defaults.yaml
+++ b/service/files/defaults.yaml
@ -1,5 +1,7 @@
 configs:
  cinder:
+    tls:
+      enabled: true
    api_port:
      cont: 8776
      ingress: volume
--- a/service/files/nginx-api.conf.j2
+++ b/service/files/nginx-api.conf.j2
@ -0,0 +1,9 @@
+server {
+    listen {{ network_topology["private"]["address"] }}:{{ cinder.api_port.cont }} ssl;
+    include common/ssl.conf;
+
+    location / {
+        proxy_pass http://cinder_api;
+        include common/proxy-headers.conf;
+    }
+}
--- a/service/files/server-cert.pem.j2
+++ b/service/files/server-cert.pem.j2
@ -0,0 +1 @@
+{{ security.tls.server_cert }}
--- a/service/files/server-key.pem.j2
+++ b/service/files/server-key.pem.j2
@ -0,0 +1 @@
+{{ security.tls.server_key }}
--- a/service/files/upstreams.conf.j2
+++ b/service/files/upstreams.conf.j2
@ -0,0 +1,3 @@
+upstream cinder_api {
+    server 127.0.0.1:{{ cinder.api_port.cont }};
+}