From e26e52e2a8c84b8e85e4308b43a871b147ab42ff Mon Sep 17 00:00:00 2001 From: Sergey Kraynev Date: Thu, 2 Feb 2017 14:56:24 +0000 Subject: [PATCH] SSL implementation for horizon - Updated Docker file for gorizon, which remove list of ports to listen. - Add certificates - Update service definition by extra nginx container and all necessary files. Change-Id: If0be618c4fd584941e21bba44e62cb9b96cc1647 --- docker/horizon/Dockerfile.j2 | 1 + service/files/ca-cert.pem.j2 | 1 + service/files/defaults.yaml | 2 ++ service/files/local_settings.j2 | 2 +- service/files/openstack-dashboard.conf.j2 | 8 +++++ service/files/server-cert.pem.j2 | 1 + service/files/server-key.pem.j2 | 1 + service/files/servers.conf.j2 | 9 ++++++ service/files/upstreams.conf.j2 | 3 ++ service/horizon.yaml | 38 +++++++++++++++++++++++ 10 files changed, 65 insertions(+), 1 deletion(-) create mode 100644 service/files/ca-cert.pem.j2 create mode 100644 service/files/server-cert.pem.j2 create mode 100644 service/files/server-key.pem.j2 create mode 100644 service/files/servers.conf.j2 create mode 100644 service/files/upstreams.conf.j2 diff --git a/docker/horizon/Dockerfile.j2 b/docker/horizon/Dockerfile.j2 index 30b99a0..08e909f 100644 --- a/docker/horizon/Dockerfile.j2 +++ b/docker/horizon/Dockerfile.j2 @@ -5,6 +5,7 @@ RUN apt-get update \ && apt-get install --no-install-recommends -q -y -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold" \ apache2 \ libapache2-mod-wsgi \ + && echo > /etc/apache2/ports.conf \ && ln -s ../mods-available/headers.load /etc/apache2/mods-enabled/headers.load {{ copy_sources("openstack/horizon", "/horizon") }} diff --git a/service/files/ca-cert.pem.j2 b/service/files/ca-cert.pem.j2 new file mode 100644 index 0000000..d52069b --- /dev/null +++ b/service/files/ca-cert.pem.j2 @@ -0,0 +1 @@ +{{ security.tls.ca_cert }} diff --git a/service/files/defaults.yaml b/service/files/defaults.yaml index eff2c63..b5c4663 100644 --- a/service/files/defaults.yaml 
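Review bot: The added `&& echo > /etc/apache2/ports.conf \` line carries no explanation, and a reader of the install step will not see why a package install truncates a config file; a comment line within the continuation (Docker drops `#` lines before joining them), `# blank ports.conf so the only Listen directive is the one rendered into openstack-dashboard.conf`, would make the intent clear. Because this runs unconditionally, the non-TLS case now also depends entirely on the templated Listen in openstack-dashboard.conf.j2, which this patch does provide. The RUN instruction begins before the hunk.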
+++ b/service/files/defaults.yaml @@ -1,5 +1,7 @@ configs: horizon: + tls: + enabled: true port: cont: 80 ingress: horizon diff --git a/service/files/local_settings.j2 b/service/files/local_settings.j2 index 4502871..5500ffc 100644 --- a/service/files/local_settings.j2 +++ b/service/files/local_settings.j2 @@ -190,7 +190,7 @@ OPENSTACK_KEYSTONE_DEFAULT_ROLE = "_member_" #OPENSTACK_SSL_NO_VERIFY = True # The CA certificate to use to verify SSL connections -#OPENSTACK_SSL_CACERT = '/path/to/cacert.pem' +OPENSTACK_SSL_CACERT = '/opt/ccp/etc/tls/ca.pem' # The OPENSTACK_KEYSTONE_BACKEND settings can be used to identify the # capabilities of the auth backend for Keystone. diff --git a/service/files/openstack-dashboard.conf.j2 b/service/files/openstack-dashboard.conf.j2 index 1f0bb78..a734a46 100644 --- a/service/files/openstack-dashboard.conf.j2 +++ b/service/files/openstack-dashboard.conf.j2 @@ -1,6 +1,14 @@ {% set venv_path = '/var/lib/microservices/venv/lib/python2.7/site-packages' %} +{% if horizon.tls.enabled %} +Listen 127.0.0.1:{{ horizon.port.cont }} + + +{% else %} +Listen {{ horizon.port.cont }} + +{% endif %} WSGIScriptAlias / {{ venv_path }}/openstack_dashboard/wsgi/django.wsgi WSGIScriptAlias /horizon {{ venv_path }}/openstack_dashboard/wsgi/django.wsgi WSGIDaemonProcess horizon user=horizon group=horizon processes={{ horizon.wsgi.processes }} threads={{ horizon.wsgi.threads }} python-path={{ venv_path }} diff --git a/service/files/server-cert.pem.j2 b/service/files/server-cert.pem.j2 new file mode 100644 index 0000000..8abc152 --- /dev/null +++ b/service/files/server-cert.pem.j2 @@ -0,0 +1 @@ +{{ security.tls.server_cert }} diff --git a/service/files/server-key.pem.j2 b/service/files/server-key.pem.j2 new file mode 100644 index 0000000..70cf751 --- /dev/null +++ b/service/files/server-key.pem.j2 @@ -0,0 +1 @@ +{{ security.tls.server_key }} diff --git a/service/files/servers.conf.j2 b/service/files/servers.conf.j2 new file mode 100644 index 0000000..a983356 
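Review bot: Defaulting `enabled: true` under `tls:` makes every render depend on `security.tls.ca_cert`, `security.tls.server_cert` and `security.tls.server_key` being defined, because the new ca-cert.pem.j2, server-cert.pem.j2 and server-key.pem.j2 templates emit those values with no fallback; a deployment that lacks them would presumably render empty PEM files and nginx would then fail to load its certificate. A comment beside the key, `# requires security.tls.ca_cert/server_cert/server_key to be set`, would document the coupling. The default `cont: 80` is also left as the port on which nginx now serves TLS, which is picked up again in the servers.conf.j2 hunk.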
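Review bot: `OPENSTACK_SSL_CACERT = '/opt/ccp/etc/tls/ca.pem'` is set unconditionally, but the `ca_cert` file is only added to the horizon container inside `{% if horizon.tls.enabled %}` in horizon.yaml, so with TLS disabled the setting points at a path that does not exist and keystone requests would presumably fail on the missing CA bundle rather than fall back to the system trust store. Wrap the line in the same guard: `{% if horizon.tls.enabled %}` / `OPENSTACK_SSL_CACERT = '/opt/ccp/etc/tls/ca.pem'` / `{% endif %}`. Since the dashboard is now reached over TLS through nginx, this file is also where `SESSION_COOKIE_SECURE = True`, `CSRF_COOKIE_SECURE = True` and `SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')` would belong under that guard, the last one only if the proxy headers nginx includes actually set X-Forwarded-Proto (that file is not in the patch).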
--- /dev/null +++ b/service/files/servers.conf.j2 @@ -0,0 +1,9 @@ +server { + listen {{ network_topology["private"]["address"] }}:{{ horizon.port.cont }} ssl; + include common/ssl.conf; + + location / { + proxy_pass http://horizon; + include common/proxy-headers.conf; + } +} diff --git a/service/files/upstreams.conf.j2 b/service/files/upstreams.conf.j2 new file mode 100644 index 0000000..90a6ea2 --- /dev/null +++ b/service/files/upstreams.conf.j2 @@ -0,0 +1,3 @@ +upstream horizon { + server 127.0.0.1:{{ horizon.port.cont }}; +} diff --git a/service/horizon.yaml b/service/horizon.yaml index e48a609..3efd992 100644 --- a/service/horizon.yaml +++ b/service/horizon.yaml @@ -11,6 +11,9 @@ service: type: "httpGet" port: {{ horizon.port.cont }} path: "/" + # {% if horizon.tls.enabled %} + scheme: "https" + # {% endif %} volumes: - name: horizon-logs path: "/var/log/ccp/horizon" @@ -28,7 +31,21 @@ service: files: - horizon-local-settings - openstack-dashboard-conf + # {% if horizon.tls.enabled %} + - ca_cert + # {% endif %} command: daemon.sh + # {% if horizon.tls.enabled %} + - name: nginx-horizon + image: nginx + daemon: + files: + - servers + - upstreams + - server-cert + - server-key + command: nginx + # {% endif %} files: horizon-local-settings: @@ -37,3 +54,24 @@ files: openstack-dashboard-conf: path: /etc/apache2/conf-enabled/openstack-dashboard.conf content: openstack-dashboard.conf.j2 + # {% if horizon.tls.enabled %} + servers: + path: /etc/nginx/conf.d/servers.conf + content: servers.conf.j2 + perm: "0400" + upstreams: + path: /etc/nginx/conf.d/upstreams.conf + content: upstreams.conf.j2 + perm: "0400" + ca_cert: + path: /opt/ccp/etc/tls/ca.pem + content: ca-cert.pem.j2 + server-cert: + path: /opt/ccp/etc/tls/server-cert.pem + content: server-cert.pem.j2 + perm: "0400" + server-key: + path: /opt/ccp/etc/tls/server-key.pem + content: server-key.pem.j2 + perm: "0400" + # {% endif %}
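Review bot: `listen {{ network_topology["private"]["address"] }}:{{ horizon.port.cont }} ssl;` terminates TLS on the same port Apache previously served plain HTTP on (80 by default per defaults.yaml), so existing clients and the ingress get a TLS handshake where they expect HTTP; a separate port key for the TLS listener (e.g. a new `horizon.port.tls` with a 443 default — a suggested name, adapt to the project's convention) or a TLS-conditional default would avoid that. Whether Horizon learns it is behind TLS depends on `common/proxy-headers.conf` setting `X-Forwarded-Proto`, and whether protocols and ciphers are restricted depends on `common/ssl.conf`; neither file is in this patch, so both should be confirmed. Once the port question is settled, `add_header Strict-Transport-Security "max-age=<seconds>" always;` at server level is worth adding. `proxy_pass http://horizon;` to the loopback upstream in upstreams.conf.j2 is fine provided both containers share the pod's network namespace, which the 127.0.0.1 Listen in openstack-dashboard.conf.j2 already presumes.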
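Review bot: `command: nginx` for the new `nginx-horizon` container starts nginx in its default daemonizing mode, and unless the `nginx` image's nginx.conf already sets `daemon off;` the master forks into the background and the container's main process exits at once; if that is not guaranteed by the image, `command: nginx -g 'daemon off;'` keeps it in the foreground. The new `ca_cert` entry (and the matching key in the following `files:` hunk) is snake_case while its sibling keys are kebab-case (`server-cert`, `server-key`); `ca-cert` in both places would keep the file consistent. Rendering `server-key` with `perm: "0400"` is the right mode for the private key; a short comment on that entry, `# private key: readable by the nginx master only`, would stop a later change from relaxing it.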