With gerrit 2.8, and the new change screen, this will trigger syntax
highlighting in gerrit. Thus making reviewing code a lot nicer.
Change-Id: Id238748417ffab53e02d59413dba66f61e724383
Configure nova, cinder, glance, swift and neutron to use SSL
on the endpoints using either SSL natively or via a TLS proxy
using stud.
To enable SSL via proxy, in local.conf add
ENABLED_SERVICES+=,tls-proxy
This will create a new test root CA, a subordinate CA and an SSL
server cert. It uses the value of hostname -f for the certificate
subject. The CA certicates are also added to the system CA bundle.
To enable SSL natively, in local.conf add:
USE_SSL=True
Native SSL by default will also use the devstack-generate root and
subordinate CA.
You can override this on a per-service basis by setting
<SERVICE>_SSL_CERT=/path/to/cert
<SERVICE>_SSL_KEY=/path/to/key
<SERVICE>_SSL_PATH=/path/to/ca
You should also set SERVICE_HOST to the FQDN of the host. This
value defaults to the host IP address.
Change-Id: I36fe56c063ca921131ad98439bd452cb135916ac
Closes-Bug: 1328226
Minor cleanups in a couple ofplaces:
* Config funtions
* Stackforge
* TLS
Combined a couple of smaller changesets that are loosly related
Change-Id: Ifa16f2e4c0eca0ef3401c0dfdc4f3d91809021a5
the tls code was leaking out $service as a global variable, which
was causing all manner of confusing errors in grenade trying to
use that variable name. All lower case vars should be localize.
Change-Id: I74fa597f20ee7c714cab83490b42d874ea93db02
Certificates and the index were left in the data directory after
running unstack. That would break devstack on the next run.
partial blueprint devstack-https
Change-Id: I6eb552a76fb29addf4d02254c027e473d6805df1
Rerunning stack.sh after some failure unrelated to ssl setup will fail
due to certificates already existing in the CA index. Don't regenerate
them instead. This is a workaround making devstack development easier
rather than something typical user would run into.
Change-Id: Icfd4cb5132c8c9297eb73159e592b7006295184f
When using ZSH, the line `if [[ (!$cert && !$key && $ca) ]]` fails
due to a syntax error. Instead of checking the variables as a boolean,
we can simply check if they have a non-zero length. This works in ZSH.
Change-Id: I171ed10a8c0af354e82bd6119508a0c44b6bcd9c
Check that function calls look like ^function foo {$ in bash8, and fix
all existing failures of that check. Add a note to HACKING.rst
Change-Id: Ic19eecb39e0b20273d1bcd551a42fe400d54e938
Allow providing certificates through environment variables to be used
for keystone, and provide the basis for doing this for other services.
It cannot be used in conjunction with tls-proxy as the service provides
it's own encrypted endpoint.
Impletmenting: blueprint devstack-https
Change-Id: I8cf4c9c8c8a6911ae56ebcd14600a9d24cca99a0
Address miscellaneous issues with Markdown formatting in comments which
are consumed by shocco when generating the online documentation.
Change-Id: I953075cdbddbf1f119c6c7e35f039e2e54b79078
for files that don't start with a #! or end in .sh, the added tags
are nice for emacs users to automatically switch to the right mode.
Change-Id: If4b93e106191bc744ccad8420cef20e751cdf902
* Adds lib/tls to create test CA/certs
* Start proxy if 'tls-proxy' is enabled
* Configure keystone service catalog for TLS
* Tear down proxy in unstack.sh
* Set auth protocol and ca-cert chain in openrc
* Add DATA_DIR to stackrc
This is the first in a series of patches to enable TLS support
for the service API endpoints.
Change-Id: Ia1c91dc8f1aaf94fbec9dc71da322559a83d14b6