From e3d5a91a9066a7686e7c783dafafd9b5c5591a9e Mon Sep 17 00:00:00 2001
From: James Kirsch
Date: Wed, 29 Apr 2020 16:45:34 -0700
Subject: [PATCH] Add support for encrypting Horizon and Placement API
This patch introduces an optional backend encryption for Horizon and Placement services. When used in conjunction with enabling TLS for service API endpoints, network communcation will be encrypted end to end, from client through HAProxy to the Horizon and Placement services.
Change-Id: I9cb274141c95aea20e733baa623da071b30acf2d
Partially-Implements: blueprint add-ssl-internal-network
---
 ansible/roles/horizon/defaults/main.yml | 7 +++++++
 ansible/roles/horizon/tasks/config.yml | 2 +-
 ansible/roles/horizon/templates/horizon.conf.j2 | 13 +++++++++++++
 ansible/roles/horizon/templates/horizon.json.j2 | 14 +++++++++++++-
 ansible/roles/placement/defaults/main.yml | 7 +++++++
 ansible/roles/placement/tasks/config.yml | 2 +-
 .../placement/templates/placement-api-wsgi.conf.j2 | 13 ++++++++++++-
 .../placement/templates/placement-api.json.j2 | 14 +++++++++++++-
 .../encrypt-backend-haproxy-fb96285d74fb464c.yaml | 8 ++++----
 9 files changed, 71 insertions(+), 9 deletions(-)
diff --git a/ansible/roles/horizon/defaults/main.yml b/ansible/roles/horizon/defaults/main.yml
index 17c9d8f8a9..757d5e8e6b 100644
--- a/ansible/roles/horizon/defaults/main.yml
+++ b/ansible/roles/horizon/defaults/main.yml
@@ -47,6 +47,7 @@ horizon_services:
 listen_port: "{{ horizon_listen_port }}"
 backend_http_extra:
 - "balance source"
+ tls_backend: "{{ horizon_enable_tls_backend }}"
 horizon_redirect:
 enabled: "{{ enable_horizon|bool and kolla_enable_tls_internal|bool }}"
 mode: "redirect"
@@ -61,6 +62,7 @@ horizon_services:
 listen_port: "{{ horizon_listen_port }}"
 backend_http_extra:
 - "balance source"
+ tls_backend: "{{ horizon_enable_tls_backend }}"
 horizon_external_redirect:
 enabled: "{{ enable_horizon|bool and kolla_enable_tls_external|bool }}"
 mode: "redirect"
@@ -124,3 +126,8 @@ horizon_dev_mode: "{{ kolla_dev_mode }}"
 horizon_murano_dev_mode: "{{ kolla_dev_mode }}"
 horizon_source_version: "{{ kolla_source_version }}"
 horizon_murano_source_version: "{{ kolla_source_version }}"
+
+####################
+# TLS
+####################
+horizon_enable_tls_backend: "{{ kolla_enable_tls_backend }}"
diff --git a/ansible/roles/horizon/tasks/config.yml b/ansible/roles/horizon/tasks/config.yml
index 9a49e329f9..051b1e38af 100644
--- a/ansible/roles/horizon/tasks/config.yml
+++ b/ansible/roles/horizon/tasks/config.yml
@@ -135,7 +135,7 @@
 - include_tasks: copy-certs.yml
 when:
- - kolla_copy_ca_into_containers | bool
+ - kolla_copy_ca_into_containers | bool or horizon_enable_tls_backend | bool
 - include_tasks: check-containers.yml
 when: kolla_action != "config"
diff --git a/ansible/roles/horizon/templates/horizon.conf.j2 b/ansible/roles/horizon/templates/horizon.conf.j2
index 7c509676ab..b8f3763e0d 100644
--- a/ansible/roles/horizon/templates/horizon.conf.j2
+++ b/ansible/roles/horizon/templates/horizon.conf.j2
@@ -1,5 +1,12 @@
 {% set python_path = '/usr/share/openstack-dashboard' if horizon_install_type == 'binary' else '/var/lib/kolla/venv/lib/python' + distro_python_version + '/site-packages' %}
+{% if horizon_enable_tls_backend | bool %}
+{% if kolla_base_distro in ['centos'] %}
+LoadModule ssl_module /usr/lib64/httpd/modules/mod_ssl.so
+{% else %}
+LoadModule ssl_module /usr/lib/apache2/modules/mod_ssl.so
+{% endif %}
+{% endif %}
 Listen {{ api_interface_address | put_address_in_context('url') }}:{{ horizon_listen_port }}
 ServerSignature Off
@@ -35,6 +42,12 @@ TraceEnable off
 SetHandler None
+
+{% if horizon_enable_tls_backend | bool %}
+ SSLEngine On
+ SSLCertificateFile /etc/horizon/certs/horizon-cert.pem
+ SSLCertificateKeyFile /etc/horizon/certs/horizon-key.pem
+{% endif %}
 {# FIXME(yoctozepto): enabling of either tls will break the other if not enabled too #}
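Review bot: The `SSLEngine On` block added to horizon.conf.j2 sets only a certificate and key, so protocol versions and cipher suites are whatever the base image's mod_ssl defaults happen to be, and nothing in this patch pins them. Either add `SSLProtocol` and `SSLCipherSuite` directives next to `SSLCertificateKeyFile`, or state the decision in the template with a comment such as `{# NOTE: protocol and cipher policy is inherited from the distro mod_ssl defaults #}`; the same gap exists in placement-api-wsgi.conf.j2. The enclosing vhost opens and closes outside this hunk. Separately, the config.yml hunk now runs copy-certs.yml whenever horizon_enable_tls_backend is set, but copy-certs.yml itself is not part of this patch, so confirm it stages horizon-cert.pem and horizon-key.pem into container_config_directory, which horizon.json.j2 now expects; the placement config.yml and placement-api.json.j2 hunks have the same dependency.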
diff --git a/ansible/roles/horizon/templates/horizon.json.j2 b/ansible/roles/horizon/templates/horizon.json.j2
index 0446423f42..bc2eb6843e 100644
--- a/ansible/roles/horizon/templates/horizon.json.j2
+++ b/ansible/roles/horizon/templates/horizon.json.j2
@@ -29,6 +29,18 @@
 "dest": "/etc/openstack-dashboard/custom_local_settings",
 "owner": "horizon",
 "perm": "0600"
- }
+ }{% if horizon_enable_tls_backend | bool %},
+ {
+ "source": "{{ container_config_directory }}/horizon-cert.pem",
+ "dest": "/etc/horizon/certs/horizon-cert.pem",
+ "owner": "horizon",
+ "perm": "0600"
+ },
+ {
+ "source": "{{ container_config_directory }}/horizon-key.pem",
+ "dest": "/etc/horizon/certs/horizon-key.pem",
+ "owner": "horizon",
+ "perm": "0600"
+ }{% endif %}
 ]
 }
diff --git a/ansible/roles/placement/defaults/main.yml b/ansible/roles/placement/defaults/main.yml
index f7c47ef206..6cdf7fa4fb 100644
--- a/ansible/roles/placement/defaults/main.yml
+++ b/ansible/roles/placement/defaults/main.yml
@@ -16,12 +16,14 @@ placement_services:
 external: false
 port: "{{ placement_api_port }}"
 listen_port: "{{ placement_api_listen_port }}"
+ tls_backend: "{{ placement_enable_tls_backend }}"
 placement_api_external:
 enabled: "{{ enable_placement }}"
 mode: "http"
 external: true
 port: "{{ placement_api_port }}"
 listen_port: "{{ placement_api_listen_port }}"
+ tls_backend: "{{ placement_enable_tls_backend }}"
 ####################
 # Database
@@ -108,3 +110,8 @@ placement_ks_users:
 user: "{{ placement_keystone_user }}"
 password: "{{ placement_keystone_password }}"
 role: "admin"
+
+####################
+# TLS
+####################
+placement_enable_tls_backend: "{{ kolla_enable_tls_backend }}"
diff --git a/ansible/roles/placement/tasks/config.yml b/ansible/roles/placement/tasks/config.yml
index 2f42c13c72..39d7be080b 100644
--- a/ansible/roles/placement/tasks/config.yml
+++ b/ansible/roles/placement/tasks/config.yml
@@ -33,7 +33,7 @@
 - include_tasks: copy-certs.yml
 when:
- - kolla_copy_ca_into_containers | bool
+ - kolla_copy_ca_into_containers | bool or placement_enable_tls_backend | bool
 - name: Copying over config.json files for services
 become: true
diff --git a/ansible/roles/placement/templates/placement-api-wsgi.conf.j2 b/ansible/roles/placement/templates/placement-api-wsgi.conf.j2
index ee8261f277..26d68199cf 100644
--- a/ansible/roles/placement/templates/placement-api-wsgi.conf.j2
+++ b/ansible/roles/placement/templates/placement-api-wsgi.conf.j2
@@ -5,7 +5,13 @@
 {% set python_path = '/var/lib/kolla/venv/lib/python' + distro_python_version + '/site-packages' %}
 {% endif %}
 {% set wsgi_directory = '/usr/bin' if placement_install_type == 'binary' else '/var/lib/kolla/venv/bin' %}
-
+{% if placement_enable_tls_backend | bool %}
+{% if kolla_base_distro in ['centos'] %}
+LoadModule ssl_module /usr/lib64/httpd/modules/mod_ssl.so
+{% else %}
+LoadModule ssl_module /usr/lib/apache2/modules/mod_ssl.so
+{% endif %}
+{% endif %}
 Listen {{ api_interface_address | put_address_in_context('url') }}:{{ placement_api_listen_port }}
 ServerSignature Off
@@ -33,4 +39,9 @@ LogLevel info
 Require all granted
+{% if placement_enable_tls_backend | bool %}
+ SSLEngine on
+ SSLCertificateFile /etc/placement/certs/placement-cert.pem
+ SSLCertificateKeyFile /etc/placement/certs/placement-key.pem
+{% endif %}
diff --git a/ansible/roles/placement/templates/placement-api.json.j2 b/ansible/roles/placement/templates/placement-api.json.j2
index 7bec6e74e5..e489cec5af 100644
--- a/ansible/roles/placement/templates/placement-api.json.j2
+++ b/ansible/roles/placement/templates/placement-api.json.j2
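Review bot: The `SSLEngine on` directives in placement-api-wsgi.conf.j2 are appended straight after `Require all granted`, and the closing tag of the block that line sits in is not visible in this rendering; SSLEngine and SSLCertificate* are only valid at server or virtual-host scope, so confirm the `{% if %}` block is emitted after that block closes and before the vhost closes, or httpd will refuse to start. The surrounding vhost ends outside this hunk. Minor style point: horizon.conf.j2 writes `SSLEngine On` while this template writes `SSLEngine on`; Apache accepts both, but one spelling across the two templates reads better.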
@@ -26,7 +26,19 @@
 "dest": "/etc/placement/migrate-db.rc",
 "owner": "placement",
 "perm": "0600"
- }
+ }{% if placement_enable_tls_backend | bool %},
+ {
+ "source": "{{ container_config_directory }}/placement-cert.pem",
+ "dest": "/etc/placement/certs/placement-cert.pem",
+ "owner": "placement",
+ "perm": "0600"
+ },
+ {
+ "source": "{{ container_config_directory }}/placement-key.pem",
+ "dest": "/etc/placement/certs/placement-key.pem",
+ "owner": "placement",
+ "perm": "0600"
+ }{% endif %}
 ],
 "permissions": [
 {
diff --git a/releasenotes/notes/encrypt-backend-haproxy-fb96285d74fb464c.yaml b/releasenotes/notes/encrypt-backend-haproxy-fb96285d74fb464c.yaml
index 7385b29302..bfe710a8b1 100644
--- a/releasenotes/notes/encrypt-backend-haproxy-fb96285d74fb464c.yaml
+++ b/releasenotes/notes/encrypt-backend-haproxy-fb96285d74fb464c.yaml
@@ -2,7 +2,7 @@
 features:
 - |
 Added configuration options to enable backend TLS encryption from HAProxy
- to the Keystone, Glance, Heat, and Cinder services. When used in
- conjunction with enabling TLS for service API endpoints, network
- communcation will be encrypted end to end, from client through HAProxy to
- the backend service.
+ to the Keystone, Glance, Heat, Placement, Horizon, and Cinder services.
+ When used in conjunction with enabling TLS for service API endpoints,
+ network communcation will be encrypted end to end, from client through
+ HAProxy to the backend service.