Merge "Add support for encrypting Horizon and Placement API"
This commit is contained in:
Zuul
Gerrit Code Review
commit
bc22925906
@ -47,6 +47,7 @@ horizon_services:
|
|||||||
listen_port: "{{ horizon_listen_port }}"
|
listen_port: "{{ horizon_listen_port }}"
|
||||||
backend_http_extra:
|
backend_http_extra:
|
||||||
- "balance source"
|
- "balance source"
|
||||||
|
tls_backend: "{{ horizon_enable_tls_backend }}"
|
||||||
horizon_redirect:
|
horizon_redirect:
|
||||||
enabled: "{{ enable_horizon|bool and kolla_enable_tls_internal|bool }}"
|
enabled: "{{ enable_horizon|bool and kolla_enable_tls_internal|bool }}"
|
||||||
mode: "redirect"
|
mode: "redirect"
|
||||||
@ -61,6 +62,7 @@ horizon_services:
|
|||||||
listen_port: "{{ horizon_listen_port }}"
|
listen_port: "{{ horizon_listen_port }}"
|
||||||
backend_http_extra:
|
backend_http_extra:
|
||||||
- "balance source"
|
- "balance source"
|
||||||
|
tls_backend: "{{ horizon_enable_tls_backend }}"
|
||||||
horizon_external_redirect:
|
horizon_external_redirect:
|
||||||
enabled: "{{ enable_horizon|bool and kolla_enable_tls_external|bool }}"
|
enabled: "{{ enable_horizon|bool and kolla_enable_tls_external|bool }}"
|
||||||
mode: "redirect"
|
mode: "redirect"
|
||||||
@ -124,3 +126,8 @@ horizon_dev_mode: "{{ kolla_dev_mode }}"
|
|||||||
horizon_murano_dev_mode: "{{ kolla_dev_mode }}"
|
horizon_murano_dev_mode: "{{ kolla_dev_mode }}"
|
||||||
horizon_source_version: "{{ kolla_source_version }}"
|
horizon_source_version: "{{ kolla_source_version }}"
|
||||||
horizon_murano_source_version: "{{ kolla_source_version }}"
|
horizon_murano_source_version: "{{ kolla_source_version }}"
|
||||||
|
|
||||||
|
####################
|
||||||
|
# TLS
|
||||||
|
####################
|
||||||
|
horizon_enable_tls_backend: "{{ kolla_enable_tls_backend }}"
|
||||||
|
|||||||
@ -135,7 +135,7 @@
|
|||||||
|
|
||||||
- include_tasks: copy-certs.yml
|
- include_tasks: copy-certs.yml
|
||||||
when:
|
when:
|
||||||
- kolla_copy_ca_into_containers | bool
|
- kolla_copy_ca_into_containers | bool or horizon_enable_tls_backend | bool
|
||||||
|
|
||||||
- include_tasks: check-containers.yml
|
- include_tasks: check-containers.yml
|
||||||
when: kolla_action != "config"
|
when: kolla_action != "config"
|
||||||
|
|||||||
@ -1,5 +1,12 @@
|
|||||||
{% set python_path = '/usr/share/openstack-dashboard' if horizon_install_type == 'binary' else '/var/lib/kolla/venv/lib/python' + distro_python_version + '/site-packages' %}
|
{% set python_path = '/usr/share/openstack-dashboard' if horizon_install_type == 'binary' else '/var/lib/kolla/venv/lib/python' + distro_python_version + '/site-packages' %}
|
||||||
|
|
||||||
|
{% if horizon_enable_tls_backend | bool %}
|
||||||
|
{% if kolla_base_distro in ['centos'] %}
|
||||||
|
LoadModule ssl_module /usr/lib64/httpd/modules/mod_ssl.so
|
||||||
|
{% else %}
|
||||||
|
LoadModule ssl_module /usr/lib/apache2/modules/mod_ssl.so
|
||||||
|
{% endif %}
|
||||||
|
{% endif %}
|
||||||
Listen {{ api_interface_address | put_address_in_context('url') }}:{{ horizon_listen_port }}
|
Listen {{ api_interface_address | put_address_in_context('url') }}:{{ horizon_listen_port }}
|
||||||
|
|
||||||
ServerSignature Off
|
ServerSignature Off
|
||||||
@ -35,6 +42,12 @@ TraceEnable off
|
|||||||
<Location "/static">
|
<Location "/static">
|
||||||
SetHandler None
|
SetHandler None
|
||||||
</Location>
|
</Location>
|
||||||
|
|
||||||
|
{% if horizon_enable_tls_backend | bool %}
|
||||||
|
SSLEngine On
|
||||||
|
SSLCertificateFile /etc/horizon/certs/horizon-cert.pem
|
||||||
|
SSLCertificateKeyFile /etc/horizon/certs/horizon-key.pem
|
||||||
|
{% endif %}
|
||||||
</VirtualHost>
|
</VirtualHost>
|
||||||
|
|
||||||
{# FIXME(yoctozepto): enabling of either tls will break the other if not enabled too #}
|
{# FIXME(yoctozepto): enabling of either tls will break the other if not enabled too #}
|
||||||
|
|||||||
@ -29,6 +29,18 @@
|
|||||||
"dest": "/etc/openstack-dashboard/custom_local_settings",
|
"dest": "/etc/openstack-dashboard/custom_local_settings",
|
||||||
"owner": "horizon",
|
"owner": "horizon",
|
||||||
"perm": "0600"
|
"perm": "0600"
|
||||||
}
|
}{% if horizon_enable_tls_backend | bool %},
|
||||||
|
{
|
||||||
|
"source": "{{ container_config_directory }}/horizon-cert.pem",
|
||||||
|
"dest": "/etc/horizon/certs/horizon-cert.pem",
|
||||||
|
"owner": "horizon",
|
||||||
|
"perm": "0600"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"source": "{{ container_config_directory }}/horizon-key.pem",
|
||||||
|
"dest": "/etc/horizon/certs/horizon-key.pem",
|
||||||
|
"owner": "horizon",
|
||||||
|
"perm": "0600"
|
||||||
|
}{% endif %}
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
|
|||||||
@ -16,12 +16,14 @@ placement_services:
|
|||||||
external: false
|
external: false
|
||||||
port: "{{ placement_api_port }}"
|
port: "{{ placement_api_port }}"
|
||||||
listen_port: "{{ placement_api_listen_port }}"
|
listen_port: "{{ placement_api_listen_port }}"
|
||||||
|
tls_backend: "{{ placement_enable_tls_backend }}"
|
||||||
placement_api_external:
|
placement_api_external:
|
||||||
enabled: "{{ enable_placement }}"
|
enabled: "{{ enable_placement }}"
|
||||||
mode: "http"
|
mode: "http"
|
||||||
external: true
|
external: true
|
||||||
port: "{{ placement_api_port }}"
|
port: "{{ placement_api_port }}"
|
||||||
listen_port: "{{ placement_api_listen_port }}"
|
listen_port: "{{ placement_api_listen_port }}"
|
||||||
|
tls_backend: "{{ placement_enable_tls_backend }}"
|
||||||
|
|
||||||
####################
|
####################
|
||||||
# Database
|
# Database
|
||||||
@ -108,3 +110,8 @@ placement_ks_users:
|
|||||||
user: "{{ placement_keystone_user }}"
|
user: "{{ placement_keystone_user }}"
|
||||||
password: "{{ placement_keystone_password }}"
|
password: "{{ placement_keystone_password }}"
|
||||||
role: "admin"
|
role: "admin"
|
||||||
|
|
||||||
|
####################
|
||||||
|
# TLS
|
||||||
|
####################
|
||||||
|
placement_enable_tls_backend: "{{ kolla_enable_tls_backend }}"
|
||||||
|
|||||||
@ -33,7 +33,7 @@
|
|||||||
|
|
||||||
- include_tasks: copy-certs.yml
|
- include_tasks: copy-certs.yml
|
||||||
when:
|
when:
|
||||||
- kolla_copy_ca_into_containers | bool
|
- kolla_copy_ca_into_containers | bool or placement_enable_tls_backend | bool
|
||||||
|
|
||||||
- name: Copying over config.json files for services
|
- name: Copying over config.json files for services
|
||||||
become: true
|
become: true
|
||||||
|
|||||||
@ -5,7 +5,13 @@
|
|||||||
{% set python_path = '/var/lib/kolla/venv/lib/python' + distro_python_version + '/site-packages' %}
|
{% set python_path = '/var/lib/kolla/venv/lib/python' + distro_python_version + '/site-packages' %}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
{% set wsgi_directory = '/usr/bin' if placement_install_type == 'binary' else '/var/lib/kolla/venv/bin' %}
|
{% set wsgi_directory = '/usr/bin' if placement_install_type == 'binary' else '/var/lib/kolla/venv/bin' %}
|
||||||
|
{% if placement_enable_tls_backend | bool %}
|
||||||
|
{% if kolla_base_distro in ['centos'] %}
|
||||||
|
LoadModule ssl_module /usr/lib64/httpd/modules/mod_ssl.so
|
||||||
|
{% else %}
|
||||||
|
LoadModule ssl_module /usr/lib/apache2/modules/mod_ssl.so
|
||||||
|
{% endif %}
|
||||||
|
{% endif %}
|
||||||
Listen {{ api_interface_address | put_address_in_context('url') }}:{{ placement_api_listen_port }}
|
Listen {{ api_interface_address | put_address_in_context('url') }}:{{ placement_api_listen_port }}
|
||||||
|
|
||||||
ServerSignature Off
|
ServerSignature Off
|
||||||
@ -33,4 +39,9 @@ LogLevel info
|
|||||||
Require all granted
|
Require all granted
|
||||||
</Files>
|
</Files>
|
||||||
</Directory>
|
</Directory>
|
||||||
|
{% if placement_enable_tls_backend | bool %}
|
||||||
|
SSLEngine on
|
||||||
|
SSLCertificateFile /etc/placement/certs/placement-cert.pem
|
||||||
|
SSLCertificateKeyFile /etc/placement/certs/placement-key.pem
|
||||||
|
{% endif %}
|
||||||
</VirtualHost>
|
</VirtualHost>
|
||||||
|
|||||||
@ -26,7 +26,19 @@
|
|||||||
"dest": "/etc/placement/migrate-db.rc",
|
"dest": "/etc/placement/migrate-db.rc",
|
||||||
"owner": "placement",
|
"owner": "placement",
|
||||||
"perm": "0600"
|
"perm": "0600"
|
||||||
}
|
}{% if placement_enable_tls_backend | bool %},
|
||||||
|
{
|
||||||
|
"source": "{{ container_config_directory }}/placement-cert.pem",
|
||||||
|
"dest": "/etc/placement/certs/placement-cert.pem",
|
||||||
|
"owner": "placement",
|
||||||
|
"perm": "0600"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"source": "{{ container_config_directory }}/placement-key.pem",
|
||||||
|
"dest": "/etc/placement/certs/placement-key.pem",
|
||||||
|
"owner": "placement",
|
||||||
|
"perm": "0600"
|
||||||
|
}{% endif %}
|
||||||
],
|
],
|
||||||
"permissions": [
|
"permissions": [
|
||||||
{
|
{
|
||||||
|
|||||||
@ -2,7 +2,7 @@
|
|||||||
features:
|
features:
|
||||||
- |
|
- |
|
||||||
Added configuration options to enable backend TLS encryption from HAProxy
|
Added configuration options to enable backend TLS encryption from HAProxy
|
||||||
to the Keystone, Glance, Heat, and Cinder services. When used in
|
to the Keystone, Glance, Heat, Placement, Horizon, and Cinder services.
|
||||||
conjunction with enabling TLS for service API endpoints, network
|
When used in conjunction with enabling TLS for service API endpoints,
|
||||||
communcation will be encrypted end to end, from client through HAProxy to
|
network communcation will be encrypted end to end, from client through
|
||||||
the backend service.
|
HAProxy to the backend service.
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user