TLS support for Cinder services
Depends-On: If796ea145c0a6b1bcb711496a4ad97a0a4ac2fb2 Change-Id: Ie24abf9767db88361eb247c4363e7dedfe30d934
This commit is contained in:
parent
c7518fc787
commit
dcac93b2d8
|
@ -13,7 +13,10 @@ service:
|
|||
type: single
|
||||
command:
|
||||
mysql -u root -p{{ db.root_password }} -h {{ address(service.database) }} -e "create database {{ cinder.db.name }};
|
||||
grant all privileges on {{ cinder.db.name }}.* to '{{ cinder.db.username }}'@'%' identified by '{{ cinder.db.password }}';"
|
||||
create user '{{ cinder.db.username }}'@'%' identified by '{{ cinder.db.password }}'
|
||||
{% if percona.tls.enabled %} require ssl {% endif %};
|
||||
grant all privileges on {{ cinder.db.name }}.* to '{{ cinder.db.username }}'@'%' identified by '{{ cinder.db.password }}'
|
||||
{% if percona.tls.enabled %} require ssl {% endif %};"
|
||||
- name: cinder-db-sync
|
||||
files:
|
||||
- cinder-conf
|
||||
|
@ -23,15 +26,15 @@ service:
|
|||
command: cinder-manage db sync
|
||||
- name: cinder-user-create
|
||||
dependencies:
|
||||
- keystone
|
||||
- keystone-create-domain
|
||||
type: single
|
||||
command: openstack user create --domain default --password {{ cinder.password }} {{ cinder.username }}
|
||||
command: openstack user create --domain {{ service_account.domain }} --password {{ cinder.password }} {{ cinder.username }}
|
||||
- name: cinder-role-add
|
||||
dependencies:
|
||||
- cinder-user-create
|
||||
- keystone-create-project
|
||||
type: single
|
||||
command: openstack role add --project service --user {{ cinder.username }} admin
|
||||
command: openstack role add --project {{ service_account.project }} --user {{ cinder.username }} admin
|
||||
- name: cinder-service-create
|
||||
dependencies:
|
||||
- keystone
|
||||
|
@ -98,13 +101,48 @@ service:
|
|||
daemon:
|
||||
command: cinder-api --config-file /etc/cinder/cinder.conf
|
||||
files:
|
||||
# {% if cinder.tls.enabled %}
|
||||
- ca_cert
|
||||
# {% endif %}
|
||||
- cinder-conf
|
||||
dependencies:
|
||||
- memcached
|
||||
- "{{ messaging.dependencies[messaging.backend.rpc] }}"
|
||||
- "{{ messaging.dependencies[messaging.backend.notifications] }}"
|
||||
# {% if cinder.tls.enabled %}
|
||||
- name: nginx
|
||||
image: nginx
|
||||
daemon:
|
||||
files:
|
||||
- upstreams
|
||||
- servers
|
||||
- server-cert
|
||||
- server-key
|
||||
command: nginx
|
||||
# {% endif %}
|
||||
|
||||
files:
|
||||
cinder-conf:
|
||||
path: /etc/cinder/cinder.conf
|
||||
content: cinder.conf.j2
|
||||
# {% if cinder.tls.enabled %}
|
||||
servers:
|
||||
path: /etc/nginx/conf.d/servers.conf
|
||||
content: nginx-api.conf.j2
|
||||
perm: "0400"
|
||||
ca_cert:
|
||||
path: /opt/ccp/etc/tls/ca.pem
|
||||
content: ca-cert.pem.j2
|
||||
upstreams:
|
||||
path: /etc/nginx/conf.d/upstreams.conf
|
||||
content: upstreams.conf.j2
|
||||
perm: "0400"
|
||||
server-cert:
|
||||
path: /opt/ccp/etc/tls/server-cert.pem
|
||||
content: server-cert.pem.j2
|
||||
perm: "0400"
|
||||
server-key:
|
||||
path: /opt/ccp/etc/tls/server-key.pem
|
||||
content: server-key.pem.j2
|
||||
perm: "0400"
|
||||
# {% endif %}
|
||||
|
|
|
@ -0,0 +1 @@
|
|||
{{ security.tls.ca_cert }}
|
|
@ -14,7 +14,11 @@ os_region_name = RegionOne
|
|||
|
||||
enabled_backends = {{ cinder.enabled_backends }}
|
||||
|
||||
{% if cinder.tls.enabled %}
|
||||
osapi_volume_listen = 127.0.0.1
|
||||
{% else %}
|
||||
osapi_volume_listen = {{ network_topology["private"]["address"] }}
|
||||
{% endif %}
|
||||
osapi_volume_listen_port = {{ cinder.api_port.cont }}
|
||||
|
||||
api_paste_config = /etc/cinder/api-paste.ini
|
||||
|
@ -27,17 +31,7 @@ auth_strategy = keystone
|
|||
connection = mysql+pymysql://{{ cinder.db.username }}:{{ cinder.db.password }}@{{ address(service.database) }}/{{ cinder.db.name }}
|
||||
max_retries = -1
|
||||
|
||||
[keystone_authtoken]
|
||||
auth_version = v3
|
||||
auth_uri = {{ address('keystone', keystone.public_port, with_scheme=True) }}/v3
|
||||
auth_url = {{ address('keystone', keystone.admin_port, with_scheme=True) }}/v3
|
||||
auth_type = password
|
||||
project_domain_id = default
|
||||
user_domain_id = default
|
||||
project_name = service
|
||||
username = {{ cinder.username }}
|
||||
password = {{ cinder.password }}
|
||||
memcached_servers = {{ address('memcached', memcached.port) }}
|
||||
{{ keystone_authtoken.keystone_authtoken(cinder.user, cinder.password) }}
|
||||
|
||||
[oslo_concurrency]
|
||||
lock_path = /var/lib/cinder/tmp
|
||||
|
|
|
@ -1,5 +1,7 @@
|
|||
configs:
|
||||
cinder:
|
||||
tls:
|
||||
enabled: true
|
||||
api_port:
|
||||
cont: 8776
|
||||
ingress: volume
|
||||
|
|
|
@ -0,0 +1,9 @@
|
|||
server {
|
||||
listen {{ network_topology["private"]["address"] }}:{{ cinder.api_port.cont }} ssl;
|
||||
include common/ssl.conf;
|
||||
|
||||
location / {
|
||||
proxy_pass http://cinder_api;
|
||||
include common/proxy-headers.conf;
|
||||
}
|
||||
}
|
|
@ -0,0 +1 @@
|
|||
{{ security.tls.server_cert }}
|
|
@ -0,0 +1 @@
|
|||
{{ security.tls.server_key }}
|
|
@ -0,0 +1,3 @@
|
|||
upstream cinder_api {
|
||||
server 127.0.0.1:{{ cinder.api_port.cont }};
|
||||
}
|
Loading…
Reference in New Issue