Remove USE_SSL support

tls-proxy is the way we're now doing a standard install using https
between services. There is a lot more work to make services directly
handle https, and having python daemons do that directly is a bit of
an anti pattern. Nothing currently tests this in project-config from
my recent grepping, so in the interest of long term maintenance,
delete it all.

Change-Id: I910df4ceab6f24f3d9c484e0433c93b06f17d6e1
This commit is contained in:
Sean Dague 2017-04-13 10:11:48 -04:00
parent 2f8c88e053
commit f3b2f4c853
13 changed files with 24 additions and 156 deletions

View File

@ -58,7 +58,7 @@ CINDER_CONF=$CINDER_CONF_DIR/cinder.conf
CINDER_API_PASTE_INI=$CINDER_CONF_DIR/api-paste.ini
# Public facing bits
if is_ssl_enabled_service "cinder" || is_service_enabled tls-proxy; then
if is_service_enabled tls-proxy; then
CINDER_SERVICE_PROTOCOL="https"
fi
CINDER_SERVICE_HOST=${CINDER_SERVICE_HOST:-$SERVICE_HOST}
@ -215,11 +215,6 @@ function _cinder_config_apache_wsgi {
local cinder_api_port=$CINDER_SERVICE_PORT
local venv_path=""
if is_ssl_enabled_service c-api; then
cinder_ssl="SSLEngine On"
cinder_certfile="SSLCertificateFile $CINDER_SSL_CERT"
cinder_keyfile="SSLCertificateKeyFile $CINDER_SSL_KEY"
fi
if [[ ${USE_VENV} = True ]]; then
venv_path="python-path=${PROJECT_VENV["cinder"]}/lib/python2.7/site-packages"
fi
@ -347,7 +342,7 @@ function configure_cinder {
iniset $CINDER_CONF DEFAULT osapi_volume_workers "$API_WORKERS"
iniset $CINDER_CONF DEFAULT glance_api_servers "${GLANCE_SERVICE_PROTOCOL}://${GLANCE_HOSTPORT}"
if is_ssl_enabled_service glance || is_service_enabled tls-proxy; then
if is_service_enabled tls-proxy; then
iniset $CINDER_CONF DEFAULT glance_protocol https
iniset $CINDER_CONF DEFAULT glance_ca_certificates_file $SSL_BUNDLE_FILE
fi
@ -356,14 +351,6 @@ function configure_cinder {
iniset $CINDER_CONF DEFAULT glance_api_version 2
fi
# Register SSL certificates if provided
if is_ssl_enabled_service cinder; then
ensure_certificates CINDER
iniset $CINDER_CONF DEFAULT ssl_cert_file "$CINDER_SSL_CERT"
iniset $CINDER_CONF DEFAULT ssl_key_file "$CINDER_SSL_KEY"
fi
# Set os_privileged_user credentials (used for os-assisted-snapshots)
iniset $CINDER_CONF DEFAULT os_privileged_user_name nova
iniset $CINDER_CONF DEFAULT os_privileged_user_password "$SERVICE_PASSWORD"
@ -464,9 +451,6 @@ function install_cinder {
if [ "$CINDER_USE_MOD_WSGI" == "True" ]; then
install_apache_wsgi
if is_ssl_enabled_service "c-api"; then
enable_mod_ssl
fi
fi
}

View File

@ -57,7 +57,7 @@ GLANCE_SCHEMA_JSON=$GLANCE_CONF_DIR/schema-image.json
GLANCE_SWIFT_STORE_CONF=$GLANCE_CONF_DIR/glance-swift-store.conf
GLANCE_V1_ENABLED=${GLANCE_V1_ENABLED:-False}
if is_ssl_enabled_service "glance" || is_service_enabled tls-proxy; then
if is_service_enabled tls-proxy; then
GLANCE_SERVICE_PROTOCOL="https"
fi
@ -187,18 +187,7 @@ function configure_glance {
iniset $GLANCE_REGISTRY_CONF keystone_authtoken identity_uri $KEYSTONE_AUTH_URI
fi
# Register SSL certificates if provided
if is_ssl_enabled_service glance; then
ensure_certificates GLANCE
iniset $GLANCE_API_CONF DEFAULT cert_file "$GLANCE_SSL_CERT"
iniset $GLANCE_API_CONF DEFAULT key_file "$GLANCE_SSL_KEY"
iniset $GLANCE_REGISTRY_CONF DEFAULT cert_file "$GLANCE_SSL_CERT"
iniset $GLANCE_REGISTRY_CONF DEFAULT key_file "$GLANCE_SSL_KEY"
fi
if is_ssl_enabled_service glance || is_service_enabled tls-proxy; then
if is_service_enabled tls-proxy; then
iniset $GLANCE_API_CONF DEFAULT registry_client_protocol https
fi
@ -233,7 +222,7 @@ function configure_glance {
cp -p $GLANCE_DIR/etc/metadefs/*.json $GLANCE_METADEF_DIR
if is_ssl_enabled_service "cinder" || is_service_enabled tls-proxy; then
if is_service_enabled tls-proxy; then
CINDER_SERVICE_HOST=${CINDER_SERVICE_HOST:-$SERVICE_HOST}
CINDER_SERVICE_PORT=${CINDER_SERVICE_PORT:-8776}

View File

@ -116,7 +116,7 @@ SERVICE_PROJECT_NAME=${SERVICE_PROJECT_NAME:-service}
SERVICE_TENANT_NAME=${SERVICE_PROJECT_NAME:-service}
# if we are running with SSL use https protocols
if is_ssl_enabled_service "key" || is_service_enabled tls-proxy; then
if is_service_enabled tls-proxy; then
KEYSTONE_AUTH_PROTOCOL="https"
KEYSTONE_SERVICE_PROTOCOL="https"
fi
@ -171,12 +171,6 @@ function _config_keystone_apache_wsgi {
local keystone_auth_port=$KEYSTONE_AUTH_PORT
local venv_path=""
if is_ssl_enabled_service key; then
keystone_ssl_listen=""
keystone_ssl="SSLEngine On"
keystone_certfile="SSLCertificateFile $KEYSTONE_SSL_CERT"
keystone_keyfile="SSLCertificateKeyFile $KEYSTONE_SSL_KEY"
fi
if is_service_enabled tls-proxy; then
keystone_service_port=$KEYSTONE_SERVICE_PORT_INT
keystone_auth_port=$KEYSTONE_AUTH_PORT_INT
@ -247,11 +241,6 @@ function configure_keystone {
iniset_rpc_backend keystone $KEYSTONE_CONF
# Register SSL certificates if provided
if is_ssl_enabled_service key; then
ensure_certificates KEYSTONE
fi
local service_port=$KEYSTONE_SERVICE_PORT
local auth_port=$KEYSTONE_AUTH_PORT
@ -297,7 +286,6 @@ function configure_keystone {
_config_keystone_apache_wsgi
else # uwsgi
# iniset creates these files when it's called if they don't exist.
write_uwsgi_config "$KEYSTONE_PUBLIC_UWSGI_CONF" "$KEYSTONE_PUBLIC_UWSGI" "/identity" "$KEYSTONE_SERVICE_HOST:$service_port"
write_uwsgi_config "$KEYSTONE_ADMIN_UWSGI_CONF" "$KEYSTONE_ADMIN_UWSGI" "/identity_admin" "$KEYSTONE_ADMIN_BIND_HOST:$auth_port"
fi
@ -546,9 +534,6 @@ function install_keystone {
if [ "$KEYSTONE_DEPLOY" == "mod_wsgi" ]; then
install_apache_wsgi
if is_ssl_enabled_service "key"; then
enable_mod_ssl
fi
elif [ "$KEYSTONE_DEPLOY" == "uwsgi" ]; then
pip_install uwsgi
fi

View File

@ -61,7 +61,7 @@ NEUTRON_META_BINARY=${NEUTRON_META_BINARY:-neutron-metadata-agent}
NEUTRON_METERING_BINARY=${NEUTRON_METERING_BINARY:-neutron-metering-agent}
# Public facing bits
if is_ssl_enabled_service "neutron" || is_service_enabled tls-proxy; then
if is_service_enabled tls-proxy; then
NEUTRON_SERVICE_PROTOCOL="https"
fi
NEUTRON_SERVICE_HOST=${NEUTRON_SERVICE_HOST:-$SERVICE_HOST}
@ -243,14 +243,6 @@ function configure_neutron_new {
iniset $NEUTRON_CONF DEFAULT bind_port "$NEUTRON_SERVICE_PORT_INT"
fi
if is_ssl_enabled_service "neutron"; then
ensure_certificates NEUTRON
iniset $NEUTRON_CONF DEFAULT use_ssl True
iniset $NEUTRON_CONF DEFAULT ssl_cert_file "$NEUTRON_SSL_CERT"
iniset $NEUTRON_CONF DEFAULT ssl_key_file "$NEUTRON_SSL_KEY"
fi
# Metering
if is_service_enabled neutron-metering; then
cp $NEUTRON_DIR/etc/metering_agent.ini.sample $NEUTRON_METERING_AGENT_CONF
@ -404,16 +396,9 @@ function start_neutron_api {
# TODO(sc68cal) Stop hard coding this
run_process neutron-api "$NEUTRON_BIN_DIR/neutron-server $opts"
if is_ssl_enabled_service "neutron"; then
ssl_ca="--ca-certificate=${SSL_BUNDLE_FILE}"
local testcmd="wget ${ssl_ca} --no-proxy -q -O- $service_protocol://$NEUTRON_SERVICE_HOST:$service_port"
test_with_retry "$testcmd" "Neutron did not start" $SERVICE_TIMEOUT
else
if ! wait_for_service $SERVICE_TIMEOUT $service_protocol://$NEUTRON_SERVICE_HOST:$service_port; then
die $LINENO "neutron-api did not start"
fi
fi
# Start proxy if enabled
if is_service_enabled tls-proxy; then

View File

@ -61,7 +61,7 @@
deprecated "Using lib/neutron-legacy is deprecated, and it will be removed in the future"
if is_ssl_enabled_service "neutron" || is_service_enabled tls-proxy; then
if is_service_enabled tls-proxy; then
Q_PROTOCOL="https"
fi
@ -461,9 +461,6 @@ function start_neutron_service_and_check {
# Start the Neutron service
run_process q-svc "$NEUTRON_BIN_DIR/neutron-server $cfg_file_options"
echo "Waiting for Neutron to start..."
if is_ssl_enabled_service "neutron"; then
ssl_ca="--ca-certificate=${SSL_BUNDLE_FILE}"
fi
local testcmd="wget ${ssl_ca} --no-proxy -q -O- $service_protocol://$Q_HOST:$service_port"
test_with_retry "$testcmd" "Neutron did not start" $SERVICE_TIMEOUT
@ -714,18 +711,6 @@ function _configure_neutron_common {
iniset $NEUTRON_CONF DEFAULT bind_port "$Q_PORT_INT"
fi
if is_ssl_enabled_service "nova"; then
iniset $NEUTRON_CONF nova cafile $SSL_BUNDLE_FILE
fi
if is_ssl_enabled_service "neutron"; then
ensure_certificates NEUTRON
iniset $NEUTRON_CONF DEFAULT use_ssl True
iniset $NEUTRON_CONF DEFAULT ssl_cert_file "$NEUTRON_SSL_CERT"
iniset $NEUTRON_CONF DEFAULT ssl_key_file "$NEUTRON_SSL_KEY"
fi
_neutron_setup_rootwrap
}

View File

@ -68,7 +68,7 @@ fi
# Toggle for deploying Nova-API under HTTPD + mod_wsgi
NOVA_USE_MOD_WSGI=${NOVA_USE_MOD_WSGI:-False}
if is_ssl_enabled_service "nova" || is_service_enabled tls-proxy; then
if is_service_enabled tls-proxy; then
NOVA_SERVICE_PROTOCOL="https"
fi
@ -262,11 +262,6 @@ function _config_nova_apache_wsgi {
local nova_metadata_port=$METADATA_SERVICE_PORT
local venv_path=""
if is_ssl_enabled_service nova-api; then
nova_ssl="SSLEngine On"
nova_certfile="SSLCertificateFile $NOVA_SSL_CERT"
nova_keyfile="SSLCertificateKeyFile $NOVA_SSL_KEY"
fi
if [[ ${USE_VENV} = True ]]; then
venv_path="python-path=${PROJECT_VENV["nova"]}/lib/$(python_version)/site-packages"
fi
@ -501,7 +496,7 @@ function create_nova_conf {
fi
if is_service_enabled cinder; then
if is_ssl_enabled_service "cinder" || is_service_enabled tls-proxy; then
if is_service_enabled tls-proxy; then
CINDER_SERVICE_HOST=${CINDER_SERVICE_HOST:-$SERVICE_HOST}
CINDER_SERVICE_PORT=${CINDER_SERVICE_PORT:-8776}
iniset $NOVA_CONF cinder cafile $SSL_BUNDLE_FILE
@ -586,20 +581,10 @@ function create_nova_conf {
iniset $NOVA_CONF cinder os_region_name "$REGION_NAME"
if is_ssl_enabled_service glance || is_service_enabled tls-proxy; then
if is_service_enabled tls-proxy; then
iniset $NOVA_CONF DEFAULT glance_protocol https
fi
# Register SSL certificates if provided
if is_ssl_enabled_service nova; then
ensure_certificates NOVA
iniset $NOVA_CONF DEFAULT ssl_cert_file "$NOVA_SSL_CERT"
iniset $NOVA_CONF DEFAULT ssl_key_file "$NOVA_SSL_KEY"
iniset $NOVA_CONF DEFAULT enabled_ssl_apis "$NOVA_ENABLED_APIS"
fi
if is_service_enabled n-sproxy; then
iniset $NOVA_CONF serial_console serialproxy_host "$NOVA_SERVICE_LISTEN_ADDRESS"
iniset $NOVA_CONF serial_console enabled True
@ -790,9 +775,6 @@ function install_nova {
if [ "$NOVA_USE_MOD_WSGI" == "True" ]; then
install_apache_wsgi
if is_ssl_enabled_service "nova-api"; then
enable_mod_ssl
fi
fi
}

View File

@ -40,7 +40,7 @@ PLACEMENT_AUTH_STRATEGY=${PLACEMENT_AUTH_STRATEGY:-placement}
# yet merged in nova but is coming soon.
PLACEMENT_DB_ENABLED=$(trueorfalse False PLACEMENT_DB_ENABLED)
if is_ssl_enabled_service "placement-api" || is_service_enabled tls-proxy; then
if is_service_enabled tls-proxy; then
PLACEMENT_SERVICE_PROTOCOL="https"
fi
@ -72,12 +72,6 @@ function _config_placement_apache_wsgi {
nova_bin_dir=$(get_python_exec_prefix)
placement_api_apache_conf=$(apache_site_config_for placement-api)
# reuse nova's cert if a cert is being used
if is_ssl_enabled_service "placement-api"; then
placement_ssl="SSLEngine On"
placement_certfile="SSLCertificateFile $NOVA_SSL_CERT"
placement_keyfile="SSLCertificateKeyFile $NOVA_SSL_KEY"
fi
# reuse nova's venv if there is one as placement code lives
# there
if [[ ${USE_VENV} = True ]]; then
@ -149,9 +143,6 @@ function init_placement {
# install_placement() - Collect source and prepare
function install_placement {
install_apache_wsgi
if is_ssl_enabled_service "placement-api"; then
enable_mod_ssl
fi
}
# start_placement_api() - Start the API processes ahead of other things

View File

@ -31,7 +31,7 @@ set +o xtrace
# Defaults
# --------
if is_ssl_enabled_service "s-proxy" || is_service_enabled tls-proxy; then
if is_service_enabled tls-proxy; then
SWIFT_SERVICE_PROTOCOL="https"
fi
@ -398,13 +398,6 @@ function configure_swift {
iniset ${SWIFT_CONFIG_PROXY_SERVER} DEFAULT bind_port ${SWIFT_DEFAULT_BIND_PORT}
fi
if is_ssl_enabled_service s-proxy; then
ensure_certificates SWIFT
iniset ${SWIFT_CONFIG_PROXY_SERVER} DEFAULT cert_file "$SWIFT_SSL_CERT"
iniset ${SWIFT_CONFIG_PROXY_SERVER} DEFAULT key_file "$SWIFT_SSL_KEY"
fi
# DevStack is commonly run in a small slow environment, so bump the timeouts up.
# ``node_timeout`` is the node read operation response time to the proxy server
# ``conn_timeout`` is how long it takes a connect() system call to return

View File

@ -279,7 +279,7 @@ function configure_tempest {
fi
iniset $TEMPEST_CONFIG identity auth_version ${TEMPEST_AUTH_VERSION:-v3}
if is_ssl_enabled_service "key" || is_service_enabled tls-proxy; then
if is_service_enabled tls-proxy; then
iniset $TEMPEST_CONFIG identity ca_certificates_file $SSL_BUNDLE_FILE
fi

25
lib/tls
View File

@ -343,7 +343,7 @@ function make_root_CA {
# one. If the value for the CA is not rooted in /etc then we know
# we need to change it.
function fix_system_ca_bundle_path {
if is_service_enabled tls-proxy || [ "$USE_SSL" == "True" ]; then
if is_service_enabled tls-proxy; then
local capath
capath=$(python -c $'try:\n from requests import certs\n print certs.where()\nexcept ImportError: pass')
@ -362,27 +362,14 @@ function fix_system_ca_bundle_path {
}
# Only for compatibility, return if the tls-proxy is enabled
function is_ssl_enabled_service {
return is_service_enabled tls-proxy
}
# Certificate Input Configuration
# ===============================
# check to see if the service(s) specified are to be SSL enabled.
#
# Multiple services specified as arguments are ``OR``'ed together; the test
# is a short-circuit boolean, i.e it returns on the first match.
#
# Uses global ``SSL_ENABLED_SERVICES``
function is_ssl_enabled_service {
local services=$@
local service=""
if [ "$USE_SSL" == "False" ]; then
return 1
fi
for service in ${services}; do
[[ ,${SSL_ENABLED_SERVICES}, =~ ,${service}, ]] && return 0
done
return 1
}
# Ensure that the certificates for a service are in place. This function does
# not check that a service is SSL enabled, this should already have been
# completed.

View File

@ -539,13 +539,6 @@ rm -f $SSL_BUNDLE_FILE
source $TOP_DIR/lib/database
source $TOP_DIR/lib/rpc_backend
# Service to enable with SSL if ``USE_SSL`` is True
SSL_ENABLED_SERVICES="key,nova,cinder,glance,s-proxy,neutron"
if is_service_enabled tls-proxy && [ "$USE_SSL" == "True" ]; then
die $LINENO "tls-proxy and SSL are mutually exclusive"
fi
# Configure Projects
# ==================
@ -806,7 +799,7 @@ if is_service_enabled cinder nova; then
fi
# Setup TLS certs
if is_service_enabled tls-proxy || [ "$USE_SSL" == "True" ]; then
if is_service_enabled tls-proxy; then
configure_CA
init_CA
init_cert
@ -886,7 +879,7 @@ if is_service_enabled horizon; then
stack_install_service horizon
fi
if is_service_enabled tls-proxy || [ "$USE_SSL" == "True" ]; then
if is_service_enabled tls-proxy; then
fix_system_ca_bundle_path
fi

View File

@ -846,9 +846,6 @@ SYSLOG_PORT=${SYSLOG_PORT:-516}
# Set to 0 to disable shallow cloning
GIT_DEPTH=${GIT_DEPTH:-0}
# Use native SSL for servers in ``SSL_ENABLED_SERVICES``
USE_SSL=$(trueorfalse False USE_SSL)
# We may not need to recreate database in case 2 Keystone services
# sharing the same database. It would be useful for multinode Grenade tests.
RECREATE_KEYSTONE_DB=$(trueorfalse True RECREATE_KEYSTONE_DB)

View File

@ -129,9 +129,6 @@ if is_service_enabled tls-proxy; then
stop_tls_proxy
cleanup_CA
fi
if [ "$USE_SSL" == "True" ]; then
cleanup_CA
fi
SCSI_PERSIST_DIR=$CINDER_STATE_PATH/volumes/*