diff --git a/service/files/apache-placement-api.conf.j2 b/service/files/apache-placement-api.conf.j2
index 1a91741..b405afa 100644
--- a/service/files/apache-placement-api.conf.j2
+++ b/service/files/apache-placement-api.conf.j2
@@ -1,5 +1,10 @@
+{% if placement.tls.enabled %}
+Listen 127.0.0.1:{{ placement.port.cont }}
+
+{% else %}
 Listen {{ placement.port.cont }}
+{% endif %}
 WSGIDaemonProcess placement-api processes={{ placement.wsgi.processes }} threads={{ placement.wsgi.threads }} user=nova display-name=%{GROUP} python-path=/var/lib/microservices/venv/lib/python2.7/site-packages
 WSGIProcessGroup placement-api
 WSGIScriptAlias / /var/lib/microservices/venv/bin/nova-placement-api
diff --git a/service/files/defaults.yaml b/service/files/defaults.yaml
index 33c97f8..b96229e 100644
--- a/service/files/defaults.yaml
+++ b/service/files/defaults.yaml
@@ -219,6 +219,8 @@ configs:
 port:
 cont: 8780
 ingress: placement
+ tls:
+ enabled: true
 wsgi:
 processes: 4
 threads: 4
diff --git a/service/files/nginx-placement-api.conf.j2 b/service/files/nginx-placement-api.conf.j2
new file mode 100644
index 0000000..f153f93
--- /dev/null
+++ b/service/files/nginx-placement-api.conf.j2
@@ -0,0 +1,9 @@
+server {
+ listen {{ network_topology["private"]["address"] }}:{{ placement.port.cont }} ssl;
+ include common/ssl.conf;
+
+ location / {
+ proxy_pass http://nova_placement_api;
+ include common/proxy-headers.conf;
+ }
+}
diff --git a/service/files/nova.conf.j2 b/service/files/nova.conf.j2
index aa9dd71..205e1ad 100644
--- a/service/files/nova.conf.j2
+++ b/service/files/nova.conf.j2
@@ -208,6 +208,9 @@ username = {{ placement.account.username }}
 password = {{ placement.account.password }}
 memcached_servers = {{ address("memcached", memcached.port) }}
 os_region_name = RegionOne
+{% if keystone.tls.enabled %}
+cafile = /opt/ccp/etc/tls/ca.pem
+{% endif %}
 {% endif %}
 {# messaging macros templates #}
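Review bot: The TLS branch emits a bare blank line between `Listen 127.0.0.1:{{ placement.port.cont }}` and `{% else %}`, so the rendered file's layout differs between the two modes for no reason; dropping it keeps the output aligned. More useful would be a comment saying why this bind is loopback-only, because that is what keeps the plaintext WSGI listener unreachable from outside the pod once the nginx container added in this commit (which proxies to 127.0.0.1 via upstreams.conf.j2, so presumably it shares the network namespace) binds the private address on the same port: `{# TLS mode: nginx terminates TLS on the private address and proxies to this loopback listener; do not widen this bind #}`. The `{% else %}` branch keeps the pre-existing unconditional `Listen`, so non-TLS deployments are unchanged.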
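Review bot: The new `tls.enabled: true` default carries no comment, although flipping it changes the deployment shape elsewhere in this commit: with it set Apache binds only 127.0.0.1 (apache-placement-api.conf.j2) and an nginx container is added whose `server-cert`/`server-key` files must render (placement-api.yaml); with it off the plaintext listener is exposed on all addresses again. A reader of defaults.yaml cannot tell any of that from the key. Suggest `# When true, Apache listens on loopback only and an nginx container terminates TLS on the private address (needs the server-cert/server-key templates).` above `tls:`. The value is written as a real lowercase `true`, which is the right form.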
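Review bot: This file is added twice in the commit with visibly the same content, here as `service/files/nginx-placement-api.conf.j2` and again as `service/nginx-placement-api.conf.j2` in a later hunk (the two index blobs differ, so they may not be byte-identical, which is worse). placement-api.yaml references it as `content: nginx-placement-api.conf.j2`, the same way it references `apache-placement-api.conf.j2`, which lives under `service/files/`, so the copy directly under `service/` looks like a stray and should be dropped before the two drift apart. The TLS parameters themselves come from `common/ssl.conf`, which is outside this diff, so protocol and cipher settings cannot be reviewed here; a comment on that line, `# TLS protocols/ciphers/cert paths come from common/ssl.conf`, would point the reader to where they are set.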
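Review bot: `cafile` is set only when `keystone.tls.enabled`, yet this same commit makes the placement endpoint itself TLS-only when `placement.tls.enabled` (nginx listens with `ssl` on the private address and Apache retreats to loopback). If the section these lines belong to is `[placement]` (its header and the enclosing `{% if %}` start outside the hunk) and the catalog advertises an https placement URL, a deployment with `placement.tls.enabled: true` and `keystone.tls.enabled: false` would have no CA to verify the placement server; the guard should then probably read `{% if keystone.tls.enabled or placement.tls.enabled %}`, and the `ca-cert` file entry in placement-api.yaml, gated on `keystone.tls.enabled` alone, would need the same widening. Whether the two flags can actually diverge in this repo is not visible here. Good that the change verifies against a CA bundle rather than introducing an `insecure` knob.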
diff --git a/service/files/upstreams.conf.j2 b/service/files/upstreams.conf.j2
index 6de65f1..886a4dc 100644
--- a/service/files/upstreams.conf.j2
+++ b/service/files/upstreams.conf.j2
@@ -9,3 +9,7 @@ upstream nova_api {
 upstream nova_metadata {
 server 127.0.0.1:{{ nova.metadata.port.cont }};
 }
+
+upstream nova_placement_api {
+ server 127.0.0.1:{{ placement.port.cont }};
+}
diff --git a/service/nginx-placement-api.conf.j2 b/service/nginx-placement-api.conf.j2
new file mode 100644
index 0000000..ca63adf
--- /dev/null
+++ b/service/nginx-placement-api.conf.j2
@@ -0,0 +1,9 @@
+server {
+ listen {{ network_topology["private"]["address"] }}:{{ placement.port.cont }} ssl;
+ include common/ssl.conf;
+
+ location / {
+ proxy_pass http://nova_placement_api;
+ include common/proxy-headers.conf;
+ }
+}
diff --git a/service/placement-api.yaml b/service/placement-api.yaml
index b2bd565..3ad93b9 100644
--- a/service/placement-api.yaml
+++ b/service/placement-api.yaml
@@ -47,6 +47,21 @@ service:
 files:
 - nova.conf
 - apache-placement-api.conf
+ # {% if keystone.tls.enabled %}
+ - ca-cert
+ # {% endif %}
+
+ # {% if placement.tls.enabled %}
+ - name: nginx-placement-api
+ image: nginx
+ daemon:
+ files:
+ - upstreams
+ - servers
+ - server-cert
+ - server-key
+ command: nginx
+ # {% endif %}
 files:
 nova.conf:
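Review bot: The nginx container's `files` list mounts `upstreams`, which renders the shared `upstreams.conf.j2`; as the upstreams hunk on this line shows, that template also defines `nova_api` and `nova_metadata` pointing at loopback ports that this pod presumably does not serve. nginx tolerates unreferenced upstream blocks, so this should be harmless, but a comment on the entry would save the next reader from chasing it: `# shared template; only nova_placement_api is used by servers.conf in this pod`. The private key (`server-key`) is mounted only into the nginx container and not into the Apache one, which is the right split. The indentation of the `# {% ... %}` guard lines relative to the container list cannot be checked in this collapsed view.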
@@ -57,3 +72,27 @@ files:
 path: /etc/apache2/conf-enabled/nova-placement-api.conf
 content: apache-placement-api.conf.j2
 perm: "0600"
+ # {% if placement.tls.enabled %}
+ servers:
+ path: /etc/nginx/conf.d/servers.conf
+ content: nginx-placement-api.conf.j2
+ perm: "0400"
+ upstreams:
+ path: /etc/nginx/conf.d/upstreams.conf
+ content: upstreams.conf.j2
+ perm: "0400"
+ server-cert:
+ path: /opt/ccp/etc/tls/server-cert.pem
+ content: server-cert.pem.j2
+ perm: "0400"
+ server-key:
+ path: /opt/ccp/etc/tls/server-key.pem
+ content: server-key.pem.j2
+ perm: "0400"
+ # {% endif %}
+ # {% if keystone.tls.enabled %}
+ ca-cert:
+ path: /opt/ccp/etc/tls/ca.pem
+ content: ca-cert.pem.j2
+ perm: "0400"
+ # {% endif %}
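Review bot: The `# {% if ... %}` / `# {% endif %}` lines are plain comments to any YAML tool but are presumably Jinja guards rendered before the file is parsed; nothing in the file says so, and a linter or schema validator run on the raw file will treat the guarded `servers`, `upstreams`, `server-cert`, `server-key` and `ca-cert` entries as unconditional. A one-line comment at the first guard, `# '# {% ... %}' lines are Jinja guards applied before YAML parsing; entries inside are emitted only when the flag is set`, would document the convention. The `perm: "0400"` values are correctly quoted strings, and the private key at `/opt/ccp/etc/tls/server-key.pem` is owner-read-only, which is the right default; the Apache conf above keeps `"0600"`, a harmless inconsistency.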