Add support for encrypting Nova API

This patch introduces an optional backend encryption for the Nova API
service. When used in conjunction with enabling TLS for service API
endpoints, network communcation will be encrypted end to end, from
client through HAProxy to the Nova service.

Change-Id: I48e1540b973016079d5686b328e82239dcffacfd
Partially-Implements: blueprint add-ssl-internal-network
This commit is contained in:
James Kirsch 2020-04-30 22:43:37 -07:00 committed by Radosław Piliszek
parent d1e5de2120
commit d6251506f7
5 changed files with 113 additions and 11 deletions

View File

@ -17,24 +17,28 @@ nova_services:
external: false external: false
port: "{{ nova_api_port }}" port: "{{ nova_api_port }}"
listen_port: "{{ nova_api_listen_port }}" listen_port: "{{ nova_api_listen_port }}"
tls_backend: "{{ nova_enable_tls_backend }}"
nova_api_external: nova_api_external:
enabled: "{{ enable_nova }}" enabled: "{{ enable_nova }}"
mode: "http" mode: "http"
external: true external: true
port: "{{ nova_api_port }}" port: "{{ nova_api_port }}"
listen_port: "{{ nova_api_listen_port }}" listen_port: "{{ nova_api_listen_port }}"
tls_backend: "{{ nova_enable_tls_backend }}"
nova_metadata: nova_metadata:
enabled: "{{ enable_nova }}" enabled: "{{ enable_nova }}"
mode: "http" mode: "http"
external: false external: false
port: "{{ nova_metadata_port }}" port: "{{ nova_metadata_port }}"
listen_port: "{{ nova_metadata_listen_port }}" listen_port: "{{ nova_metadata_listen_port }}"
tls_backend: "{{ nova_enable_tls_backend }}"
nova_metadata_external: nova_metadata_external:
enabled: "{{ enable_nova }}" enabled: "{{ enable_nova }}"
mode: "http" mode: "http"
external: true external: true
port: "{{ nova_metadata_port }}" port: "{{ nova_metadata_port }}"
listen_port: "{{ nova_metadata_listen_port }}" listen_port: "{{ nova_metadata_listen_port }}"
tls_backend: "{{ nova_enable_tls_backend }}"
nova-scheduler: nova-scheduler:
container_name: "nova_scheduler" container_name: "nova_scheduler"
group: "nova-scheduler" group: "nova-scheduler"
@ -190,3 +194,8 @@ nova_git_repository: "{{ kolla_dev_repos_git }}/{{ project_name }}"
nova_dev_repos_pull: "{{ kolla_dev_repos_pull }}" nova_dev_repos_pull: "{{ kolla_dev_repos_pull }}"
nova_dev_mode: "{{ kolla_dev_mode }}" nova_dev_mode: "{{ kolla_dev_mode }}"
nova_source_version: "{{ kolla_source_version }}" nova_source_version: "{{ kolla_source_version }}"
####################
# TLS
####################
nova_enable_tls_backend: "{{ kolla_enable_tls_backend }}"

View File

@ -33,7 +33,7 @@
- include_tasks: copy-certs.yml - include_tasks: copy-certs.yml
when: when:
- kolla_copy_ca_into_containers | bool - kolla_copy_ca_into_containers | bool or nova_enable_tls_backend | bool
- name: Copying over config.json files for services - name: Copying over config.json files for services
become: true become: true
@ -83,5 +83,17 @@
notify: notify:
- "Restart {{ item.key }} container" - "Restart {{ item.key }} container"
- name: Copying over nova-api-wsgi.conf
template:
src: "nova-api-wsgi.conf.j2"
dest: "{{ node_config_directory }}/nova-api/nova-api-wsgi.conf"
mode: "0660"
become: true
when:
- inventory_hostname in groups["nova-api"]
- nova_services["nova-api"].enabled | bool
notify:
- "Restart nova-api container"
- import_tasks: check-containers.yml - import_tasks: check-containers.yml
when: kolla_action != "config" when: kolla_action != "config"

View File

@ -0,0 +1,70 @@
{% set nova_log_dir = '/var/log/kolla/nova' %}
{% set wsgi_directory = '/usr/bin' if nova_install_type == 'binary' else '/var/lib/kolla/venv/bin' %}
{% if nova_enable_tls_backend | bool %}
{% if kolla_base_distro in ['centos'] %}
LoadModule ssl_module /usr/lib64/httpd/modules/mod_ssl.so
{% else %}
LoadModule ssl_module /usr/lib/apache2/modules/mod_ssl.so
{% endif %}
{% endif %}
Listen {{ api_interface_address | put_address_in_context('url') }}:{{ nova_api_listen_port }}
Listen {{ api_interface_address | put_address_in_context('url') }}:{{ nova_metadata_listen_port }}
ServerSignature Off
ServerTokens Prod
TraceEnable off
KeepAliveTimeout {{ kolla_httpd_keep_alive }}
<Directory "{{ wsgi_directory }}">
<FilesMatch "^nova-(api-wsgi|metadata-wsgi)$">
Options None
Require all granted
</FilesMatch>
</Directory>
ErrorLog "{{ nova_log_dir }}/apache-error.log"
<IfModule log_config_module>
CustomLog "{{ nova_log_dir }}/apache-access.log" common
</IfModule>
{% if nova_logging_debug | bool %}
LogLevel info
{% endif %}
<VirtualHost *:{{ nova_api_listen_port }}>
WSGIDaemonProcess nova-api processes={{ openstack_service_workers }} threads=1 user=nova group=nova display-name=%{GROUP}
WSGIProcessGroup nova-api
WSGIScriptAlias / {{ wsgi_directory }}/nova-api-wsgi
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
<IfVersion >= 2.4>
ErrorLogFormat "%{cu}t %M"
</IfVersion>
ErrorLog "{{ nova_log_dir }}/nova-api-error.log"
LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b %D \"%{Referer}i\" \"%{User-Agent}i\"" logformat
CustomLog "{{ nova_log_dir }}/nova-api-access.log" logformat
{% if nova_enable_tls_backend | bool %}
SSLEngine on
SSLCertificateFile /etc/nova/certs/nova-cert.pem
SSLCertificateKeyFile /etc/nova/certs/nova-key.pem
{% endif %}
</VirtualHost>
<VirtualHost *:{{ nova_metadata_listen_port }}>
WSGIDaemonProcess nova-metadata processes={{ openstack_service_workers }} threads=1 user=nova group=nova display-name=%{GROUP}
WSGIProcessGroup nova-metadata
WSGIScriptAlias / {{ wsgi_directory }}/nova-metadata-wsgi
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
<IfVersion >= 2.4>
ErrorLogFormat "%{cu}t %M"
</IfVersion>
ErrorLog "{{ nova_log_dir }}/nova-metadata-error.log"
LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b %D \"%{Referer}i\" \"%{User-Agent}i\"" logformat
CustomLog "{{ nova_log_dir }}/nova-metadata-access.log" logformat
{% if nova_enable_tls_backend | bool %}
SSLEngine on
SSLCertificateFile /etc/nova/certs/nova-cert.pem
SSLCertificateKeyFile /etc/nova/certs/nova-key.pem
{% endif %}
</VirtualHost>

View File

@ -1,17 +1,37 @@
{% set apache_binary = 'apache2' if kolla_base_distro in ['ubuntu', 'debian'] else 'httpd' %}
{% set apache_conf_dir = 'apache2/conf-enabled' if kolla_base_distro in ['ubuntu', 'debian'] else 'httpd/conf.d' %}
{ {
"command": "nova-api", "command": "/usr/sbin/{{ apache_binary }} -DFOREGROUND",
"config_files": [ "config_files": [
{ {
"source": "{{ container_config_directory }}/nova.conf", "source": "{{ container_config_directory }}/nova.conf",
"dest": "/etc/nova/nova.conf", "dest": "/etc/nova/nova.conf",
"owner": "nova", "owner": "nova",
"perm": "0600" "perm": "0600"
},
{
"source": "{{ container_config_directory }}/nova-api-wsgi.conf",
"dest": "/etc/{{ apache_conf_dir }}/nova-api-wsgi.conf",
"owner": "nova",
"perm": "0600"
}{% if nova_policy_file is defined %}, }{% if nova_policy_file is defined %},
{ {
"source": "{{ container_config_directory }}/{{ nova_policy_file }}", "source": "{{ container_config_directory }}/{{ nova_policy_file }}",
"dest": "/etc/nova/{{ nova_policy_file }}", "dest": "/etc/nova/{{ nova_policy_file }}",
"owner": "nova", "owner": "nova",
"perm": "0600" "perm": "0600"
}{% endif %}{% if nova_enable_tls_backend | bool %},
{
"source": "{{ container_config_directory }}/nova-cert.pem",
"dest": "/etc/nova/certs/nova-cert.pem",
"owner": "nova",
"perm": "0600"
},
{
"source": "{{ container_config_directory }}/nova-key.pem",
"dest": "/etc/nova/certs/nova-key.pem",
"owner": "nova",
"perm": "0600"
}{% endif %} }{% endif %}
], ],
"permissions": [ "permissions": [

View File

@ -8,15 +8,6 @@ log_file = /var/log/kolla/nova/nova-super-conductor.log
{% endif %} {% endif %}
state_path = /var/lib/nova state_path = /var/lib/nova
osapi_compute_listen = {{ api_interface_address }}
osapi_compute_listen_port = {{ nova_api_listen_port }}
osapi_compute_workers = {{ openstack_service_workers }}
metadata_workers = {{ openstack_service_workers }}
metadata_listen = {{ api_interface_address }}
metadata_listen_port = {{ nova_metadata_listen_port }}
allow_resize_to_same_host = true allow_resize_to_same_host = true
# Though my_ip is not used directly, lots of other variables use $my_ip # Though my_ip is not used directly, lots of other variables use $my_ip