18 Commits

Author SHA1 Message Date
Sean Dague
e263c82e48 add shebang lines to all lib files
With gerrit 2.8, and the new change screen, this will trigger syntax
highlighting in gerrit. Thus making reviewing code a lot nicer.

Change-Id: Id238748417ffab53e02d59413dba66f61e724383
2014-12-10 11:28:05 -05:00
Jenkins
e5dbec252a Merge "Fix docs build errors"
2014-10-08 22:14:51 +00:00
Dean Troyer
3324f19f5a Fix docs build errors
Fix shocco errors during docs generation

Closes-Bug: 1362691
Change-Id: I2b7fb008c89f0b4e7280b2d0a054320765e83e47
2014-10-02 15:30:50 -05:00
Rob Crittenden
18d4778cf7 Configure endpoints to use SSL natively or via proxy
Configure nova, cinder, glance, swift and neutron to use SSL
on the endpoints using either SSL natively or via a TLS proxy
using stud.

To enable SSL via proxy, in local.conf add

ENABLED_SERVICES+=,tls-proxy

This will create a new test root CA, a subordinate CA and an SSL
server cert. It uses the value of hostname -f for the certificate
subject. The CA certificates are also added to the system CA bundle.

To enable SSL natively, in local.conf add:

USE_SSL=True

Native SSL by default will also use the devstack-generated root and
subordinate CA.

You can override this on a per-service basis by setting

<SERVICE>_SSL_CERT=/path/to/cert
<SERVICE>_SSL_KEY=/path/to/key
<SERVICE>_SSL_PATH=/path/to/ca

You should also set SERVICE_HOST to the FQDN of the host. This
value defaults to the host IP address.

Change-Id: I36fe56c063ca921131ad98439bd452cb135916ac
Closes-Bug: 1328226
2014-09-24 18:36:37 -04:00
Jenkins
73ad94c9b4 Merge "Don't try to regenerate existing ssl certificates"
2014-08-25 14:42:35 +00:00
Dean Troyer
b1e3d0f222 Clean up local variable usage - Remainder
Minor cleanups in a couple of places:
* Config functions
* Stackforge
* TLS

Combined a couple of smaller changesets that are loosely related

Change-Id: Ifa16f2e4c0eca0ef3401c0dfdc4f3d91809021a5
2014-08-19 19:14:04 -05:00
Sean Dague
f0bd8dbe37 stop leaking service as a global var
the tls code was leaking out $service as a global variable, which
was causing all manner of confusing errors in grenade trying to
use that variable name. All lower case vars should be localized.

Change-Id: I74fa597f20ee7c714cab83490b42d874ea93db02
2014-07-23 15:14:07 -04:00
Stanislaw Pitucha
bd5dae0618 Do a proper tls/ca cleanup in unstack
Certificates and the index were left in the data directory after
running unstack. That would break devstack on the next run.

partial blueprint devstack-https
Change-Id: I6eb552a76fb29addf4d02254c027e473d6805df1
2014-06-30 10:52:25 +01:00
Stanislaw Pitucha
2e0f0544ec Comment fix - correct function names
Change-Id: Idecc6cd9bc255ab20d3bc8f4b3a3e7f248b585f0
2014-06-27 16:10:55 +01:00
Stanislaw Pitucha
2f69c6b853 Don't try to regenerate existing ssl certificates
Rerunning stack.sh after some failure unrelated to ssl setup will fail
due to certificates already existing in the CA index. Don't regenerate
them instead. This is a workaround making devstack development easier
rather than something a typical user would run into.

Change-Id: Icfd4cb5132c8c9297eb73159e592b7006295184f
2014-06-25 15:07:48 +01:00
Solly Ross
66115e5323 Fix broken if statement in lib/tls on ZSH
When using ZSH, the line `if [[ (!$cert && !$key && $ca) ]]` fails
due to a syntax error.  Instead of checking the variables as a boolean,
we can simply check if they have a non-zero length.  This works in ZSH.

Change-Id: I171ed10a8c0af354e82bd6119508a0c44b6bcd9c
2014-03-24 14:05:08 -04:00
Ian Wienand
aee18c749b Enforce function declaration format in bash8
Check that function calls look like ^function foo {$ in bash8, and fix
all existing failures of that check.  Add a note to HACKING.rst

Change-Id: Ic19eecb39e0b20273d1bcd551a42fe400d54e938
2014-02-28 07:59:03 +11:00
Jamie Lennox
bd24a8d0f8 Allow deploying keystone with SSL certificates
Allow providing certificates through environment variables to be used
for keystone, and provide the basis for doing this for other services.
It cannot be used in conjunction with tls-proxy as the service provides
its own encrypted endpoint.

Implementing: blueprint devstack-https
Change-Id: I8cf4c9c8c8a6911ae56ebcd14600a9d24cca99a0
2013-11-25 22:27:51 +00:00
Adam Spiers
6a5aa7c6a2 Fix some Markdown formatting issues
Address miscellaneous issues with Markdown formatting in comments which
are consumed by shocco when generating the online documentation.

Change-Id: I953075cdbddbf1f119c6c7e35f039e2e54b79078
2013-10-24 17:38:19 +01:00
Dean Troyer
cc6b443545 Formatting cleanups, doc updates and whatnot
Change-Id: Ica8298353be22f947c8e8a03d8dc29ded9cb26dd
2013-04-09 14:05:32 -05:00
Sean Dague
584d90ec56 add emacs shell-script tagging
for files that don't start with a #! or end in .sh, the added tags
are nice for emacs users to automatically switch to the right mode.

Change-Id: If4b93e106191bc744ccad8420cef20e751cdf902
2013-03-29 14:36:49 -04:00
Dean Troyer
ca80217123 Add tools/make_cert.sh
This allows use of either the DevStack CA or creating another CA
independent of stack.sh.

Change-Id: I055679b5fd06e830c8e6d7d7331c52dd8782d0b6
2013-01-10 01:56:23 -06:00
Dean Troyer
c83a7e125f Add TLS support for keystone via proxy
* Adds lib/tls to create test CA/certs
* Start proxy if 'tls-proxy' is enabled
* Configure keystone service catalog for TLS
* Tear down proxy in unstack.sh
* Set auth protocol and ca-cert chain in openrc
* Add DATA_DIR to stackrc

This is the first in a series of patches to enable TLS support
for the service API endpoints.

Change-Id: Ia1c91dc8f1aaf94fbec9dc71da322559a83d14b6
2012-12-11 17:08:54 -06:00