kolla-ansible/ansible/roles/heat/templates/wsgi-heat-api-cfn.conf.j2
James Kirsch ff84292269 Add support for encrypting heat api
This patch introduces optional backend encryption for the Heat
service. When used in conjunction with enabling TLS for service API
endpoints, network communication will be encrypted end to end, from
the client through HAProxy to the Heat service.

Change-Id: Ic12f7574135dcaed2a462e902c775a55176ff03b
Partially-Implements: blueprint add-ssl-internal-network
Depends-On: https://review.opendev.org/722028/
2020-04-24 12:23:48 +01:00


{#
  Apache httpd + mod_wsgi configuration for the heat-api-cfn service.
  Template inputs read below: heat_install_type, kolla_base_distro,
  distro_python_version, heat_enable_tls_backend, api_interface_address,
  heat_api_cfn_listen_port, openstack_service_workers.
#}
{# Directory that receives the ErrorLog and CustomLog output configured in the VirtualHost. #}
{% set heat_log_dir = '/var/log/kolla/heat' %}
{#
  python_path is handed to mod_wsgi (python-path=) so the daemon can import Heat.
  Binary installs use the distro package directory: python3 dist-packages on
  debian/ubuntu, python2.7 site-packages on every other distro. Any other
  install type builds the path from distro_python_version.
#}
{% if heat_install_type == 'binary' %}
{% set python_path = '/usr/lib/python3/dist-packages' if kolla_base_distro in ['debian', 'ubuntu'] else '/usr/lib/python2.7/site-packages' %}
{% else %}
{% set python_path = '/usr/lib/python' ~ distro_python_version ~ '/site-packages' %}
{% endif %}
{# Location of the heat-wsgi-api-cfn entry script: system bin for binary installs, otherwise the kolla virtualenv. #}
{% set binary_path = '/usr/bin' if heat_install_type == 'binary' else '/var/lib/kolla/venv/bin' %}
{#
  mod_ssl is loaded only when backend TLS is enabled.
  NOTE(review): only 'centos' selects the lib64/httpd module path; every other
  kolla_base_distro value falls through to the apache2 path. Confirm that this
  holds for each supported distro, since a wrong path stops httpd from starting.
#}
{% if heat_enable_tls_backend | bool %}
{% if kolla_base_distro in ['centos'] %}
LoadModule ssl_module /usr/lib64/httpd/modules/mod_ssl.so
{% else %}
LoadModule ssl_module /usr/lib/apache2/modules/mod_ssl.so
{% endif %}
{% endif %}
{# Bind to the API interface address only, not to every interface on the host. #}
Listen {{ api_interface_address | put_address_in_context('url') }}:{{ heat_api_cfn_listen_port }}
{# Hardening: no server footer on generated pages, minimal Server header, HTTP TRACE disabled. #}
ServerSignature Off
ServerTokens Prod
TraceEnable off
{#
  Grant access to the WSGI entry script inside binary_path, with no overrides
  and no optional directory features.
  NOTE(review): FilesMatch takes a regular expression and this pattern is not
  anchored, so any file name in binary_path containing "heat-wsgi-api-cfn"
  is covered as well.
#}
<Directory "{{ binary_path }}">
<FilesMatch "heat-wsgi-api-cfn">
AllowOverride None
Options None
Require all granted
</FilesMatch>
</Directory>
<VirtualHost *:{{ heat_api_cfn_listen_port }}>
{#
  The application runs in its own daemon process group as user and group heat,
  single-threaded, with openstack_service_workers processes.
#}
WSGIDaemonProcess heat-api-cfn processes={{ openstack_service_workers }} threads=1 user=heat group=heat display-name=%{GROUP} python-path={{ python_path }}
WSGIProcessGroup heat-api-cfn
WSGIScriptAlias / {{ binary_path }}/heat-wsgi-api-cfn
WSGIApplicationGroup %{GLOBAL}
{# Forward the HTTP Authorization header to the WSGI application; mod_wsgi does not pass it by default. #}
WSGIPassAuthorization On
<IfVersion >= 2.4>
ErrorLogFormat "%{cu}t %M"
</IfVersion>
ErrorLog "{{ heat_log_dir }}/heat-api-cfn-error.log"
{#
  The first field of the access format is the X-Forwarded-For request header,
  not the peer address.
  NOTE(review): that header is supplied by the sender unless the front-end
  proxy sets or overwrites it. Treat the logged value as untrusted for
  attribution until the proxy configuration is confirmed.
#}
LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b %D \"%{Referer}i\" \"%{User-Agent}i\"" logformat
{#
  NOTE(review): CustomLog writes to the same file as ErrorLog above, so access
  and error records in two different formats are interleaved in one file.
  Confirm whether this is intended, because it complicates log parsing and
  detection rules. The log shipping and rotation configuration is not visible
  here, so check it before changing the path.
#}
CustomLog "{{ heat_log_dir }}/heat-api-cfn-error.log" logformat
{#
  Backend TLS: terminate TLS in this VirtualHost with a certificate and key at
  fixed paths under /etc/heat/certs.
  NOTE(review): SSLProtocol and SSLCipherSuite are not set here, so the mod_ssl
  or distro defaults decide the accepted protocol versions and ciphers. Verify
  that those defaults meet policy and that heat-key.pem is readable only by the
  account that needs it.
#}
{% if heat_enable_tls_backend | bool %}
SSLEngine On
SSLCertificateFile /etc/heat/certs/heat-cert.pem
SSLCertificateKeyFile /etc/heat/certs/heat-key.pem
{% endif %}
</VirtualHost>