Add support for encrypting Horizon and Placement API
This patch introduces optional backend encryption for the Horizon and Placement services. When used in conjunction with enabling TLS for service API endpoints, network communication will be encrypted end to end, from client through HAProxy to the Horizon and Placement services. Change-Id: I9cb274141c95aea20e733baa623da071b30acf2d Partially-Implements: blueprint add-ssl-internal-network
parent
f87814f794
commit
e3d5a91a90
@ -47,6 +47,7 @@ horizon_services:
|
|||||||
listen_port: "{{ horizon_listen_port }}"
|
listen_port: "{{ horizon_listen_port }}"
|
||||||
backend_http_extra:
|
backend_http_extra:
|
||||||
- "balance source"
|
- "balance source"
|
||||||
|
tls_backend: "{{ horizon_enable_tls_backend }}"
|
||||||
horizon_redirect:
|
horizon_redirect:
|
||||||
enabled: "{{ enable_horizon|bool and kolla_enable_tls_internal|bool }}"
|
enabled: "{{ enable_horizon|bool and kolla_enable_tls_internal|bool }}"
|
||||||
mode: "redirect"
|
mode: "redirect"
|
||||||
@ -61,6 +62,7 @@ horizon_services:
|
|||||||
listen_port: "{{ horizon_listen_port }}"
|
listen_port: "{{ horizon_listen_port }}"
|
||||||
backend_http_extra:
|
backend_http_extra:
|
||||||
- "balance source"
|
- "balance source"
|
||||||
|
tls_backend: "{{ horizon_enable_tls_backend }}"
|
||||||
horizon_external_redirect:
|
horizon_external_redirect:
|
||||||
enabled: "{{ enable_horizon|bool and kolla_enable_tls_external|bool }}"
|
enabled: "{{ enable_horizon|bool and kolla_enable_tls_external|bool }}"
|
||||||
mode: "redirect"
|
mode: "redirect"
|
||||||
@ -124,3 +126,8 @@ horizon_dev_mode: "{{ kolla_dev_mode }}"
|
|||||||
horizon_murano_dev_mode: "{{ kolla_dev_mode }}"
|
horizon_murano_dev_mode: "{{ kolla_dev_mode }}"
|
||||||
horizon_source_version: "{{ kolla_source_version }}"
|
horizon_source_version: "{{ kolla_source_version }}"
|
||||||
horizon_murano_source_version: "{{ kolla_source_version }}"
|
horizon_murano_source_version: "{{ kolla_source_version }}"
|
||||||
|
|
||||||
|
####################
|
||||||
|
# TLS
|
||||||
|
####################
|
||||||
|
horizon_enable_tls_backend: "{{ kolla_enable_tls_backend }}"
|
||||||
|
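Review bot: The new `tls_backend: "{{ horizon_enable_tls_backend }}"` entries on the two horizon service definitions (and the matching placement entries in the placement defaults hunk further down) switch HAProxy to TLS towards the backend, but nothing in these hunks says whether HAProxy verifies the backend certificate; that is decided in the haproxy service template, which this commit does not touch, so it is worth confirming that the backend server line does not end up with `verify none`, otherwise the hop is encrypted but the backend is not authenticated. The `horizon_enable_tls_backend` default under the new `# TLS` header also carries no comment on what enabling it requires; I would add `# When true, horizon-cert.pem and horizon-key.pem are copied from {{ container_config_directory }} into the container and Apache serves HTTPS on horizon_listen_port` (and the equivalent for `placement_enable_tls_backend`). Whether the redirect entries in this file need any change is not visible here, since they keep `mode: "redirect"`.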
@ -135,7 +135,7 @@
|
|||||||
|
|
||||||
- include_tasks: copy-certs.yml
|
- include_tasks: copy-certs.yml
|
||||||
when:
|
when:
|
||||||
- kolla_copy_ca_into_containers | bool
|
- kolla_copy_ca_into_containers | bool or horizon_enable_tls_backend | bool
|
||||||
|
|
||||||
- include_tasks: check-containers.yml
|
- include_tasks: check-containers.yml
|
||||||
when: kolla_action != "config"
|
when: kolla_action != "config"
|
||||||
|
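Review bot: `copy-certs.yml` is now included whenever `horizon_enable_tls_backend | bool` is true, but that file is not part of the commit, so it is worth confirming it copies horizon-cert.pem and horizon-key.pem independently of `kolla_copy_ca_into_containers` (the case `kolla_copy_ca_into_containers: false` with backend TLS on) and fails with a clear message when either file is missing, rather than leaving a container whose Apache cannot start at `SSLEngine On`. The identical change in the placement config.yml hunk (`kolla_copy_ca_into_containers | bool or placement_enable_tls_backend | bool`) has the same question. The enclosing task lists start and end outside both hunks.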
@ -1,5 +1,12 @@
|
|||||||
{% set python_path = '/usr/share/openstack-dashboard' if horizon_install_type == 'binary' else '/var/lib/kolla/venv/lib/python' + distro_python_version + '/site-packages' %}
|
{% set python_path = '/usr/share/openstack-dashboard' if horizon_install_type == 'binary' else '/var/lib/kolla/venv/lib/python' + distro_python_version + '/site-packages' %}
|
||||||
|
|
||||||
|
{% if horizon_enable_tls_backend | bool %}
|
||||||
|
{% if kolla_base_distro in ['centos'] %}
|
||||||
|
LoadModule ssl_module /usr/lib64/httpd/modules/mod_ssl.so
|
||||||
|
{% else %}
|
||||||
|
LoadModule ssl_module /usr/lib/apache2/modules/mod_ssl.so
|
||||||
|
{% endif %}
|
||||||
|
{% endif %}
|
||||||
Listen {{ api_interface_address | put_address_in_context('url') }}:{{ horizon_listen_port }}
|
Listen {{ api_interface_address | put_address_in_context('url') }}:{{ horizon_listen_port }}
|
||||||
|
|
||||||
ServerSignature Off
|
ServerSignature Off
|
||||||
@ -35,6 +42,12 @@ TraceEnable off
|
|||||||
<Location "/static">
|
<Location "/static">
|
||||||
SetHandler None
|
SetHandler None
|
||||||
</Location>
|
</Location>
|
||||||
|
|
||||||
|
{% if horizon_enable_tls_backend | bool %}
|
||||||
|
SSLEngine On
|
||||||
|
SSLCertificateFile /etc/horizon/certs/horizon-cert.pem
|
||||||
|
SSLCertificateKeyFile /etc/horizon/certs/horizon-key.pem
|
||||||
|
{% endif %}
|
||||||
</VirtualHost>
|
</VirtualHost>
|
||||||
|
|
||||||
{# FIXME(yoctozepto): enabling of either tls will break the other if not enabled too #}
|
{# FIXME(yoctozepto): enabling of either tls will break the other if not enabled too #}
|
||||||
|
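Review bot: The `SSLEngine On` block added inside the VirtualHost sets only `SSLCertificateFile` and `SSLCertificateKeyFile`, so the accepted protocol versions and cipher suites fall through to whatever the image's mod_ssl defaults are, which can differ between the centos and non-centos images the first hunk distinguishes by `LoadModule` path; I would pin them next to the key line, e.g. `SSLProtocol -all +TLSv1.2` (adding `+TLSv1.3` where the httpd build supports it) and `SSLHonorCipherOrder on`. The same applies to the placement template hunk below (`SSLEngine on` through `SSLCertificateKeyFile /etc/placement/certs/placement-key.pem`). Since no `SSLCertificateChainFile` is set, a horizon-cert.pem issued via an intermediate CA will only verify at HAProxy if the intermediate is appended to that PEM; a one-line comment above `SSLCertificateFile` stating that would save operators a debugging round. Minor style: horizon writes `SSLEngine On` while placement writes `SSLEngine on`; pick one spelling. The VirtualHost opens outside the hunk, and the `{# FIXME(yoctozepto) ... #}` line is pre-existing context.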
@ -29,6 +29,18 @@
|
|||||||
"dest": "/etc/openstack-dashboard/custom_local_settings",
|
"dest": "/etc/openstack-dashboard/custom_local_settings",
|
||||||
"owner": "horizon",
|
"owner": "horizon",
|
||||||
"perm": "0600"
|
"perm": "0600"
|
||||||
}
|
}{% if horizon_enable_tls_backend | bool %},
|
||||||
|
{
|
||||||
|
"source": "{{ container_config_directory }}/horizon-cert.pem",
|
||||||
|
"dest": "/etc/horizon/certs/horizon-cert.pem",
|
||||||
|
"owner": "horizon",
|
||||||
|
"perm": "0600"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"source": "{{ container_config_directory }}/horizon-key.pem",
|
||||||
|
"dest": "/etc/horizon/certs/horizon-key.pem",
|
||||||
|
"owner": "horizon",
|
||||||
|
"perm": "0600"
|
||||||
|
}{% endif %}
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
|
@ -16,12 +16,14 @@ placement_services:
|
|||||||
external: false
|
external: false
|
||||||
port: "{{ placement_api_port }}"
|
port: "{{ placement_api_port }}"
|
||||||
listen_port: "{{ placement_api_listen_port }}"
|
listen_port: "{{ placement_api_listen_port }}"
|
||||||
|
tls_backend: "{{ placement_enable_tls_backend }}"
|
||||||
placement_api_external:
|
placement_api_external:
|
||||||
enabled: "{{ enable_placement }}"
|
enabled: "{{ enable_placement }}"
|
||||||
mode: "http"
|
mode: "http"
|
||||||
external: true
|
external: true
|
||||||
port: "{{ placement_api_port }}"
|
port: "{{ placement_api_port }}"
|
||||||
listen_port: "{{ placement_api_listen_port }}"
|
listen_port: "{{ placement_api_listen_port }}"
|
||||||
|
tls_backend: "{{ placement_enable_tls_backend }}"
|
||||||
|
|
||||||
####################
|
####################
|
||||||
# Database
|
# Database
|
||||||
@ -108,3 +110,8 @@ placement_ks_users:
|
|||||||
user: "{{ placement_keystone_user }}"
|
user: "{{ placement_keystone_user }}"
|
||||||
password: "{{ placement_keystone_password }}"
|
password: "{{ placement_keystone_password }}"
|
||||||
role: "admin"
|
role: "admin"
|
||||||
|
|
||||||
|
####################
|
||||||
|
# TLS
|
||||||
|
####################
|
||||||
|
placement_enable_tls_backend: "{{ kolla_enable_tls_backend }}"
|
||||||
|
@ -33,7 +33,7 @@
|
|||||||
|
|
||||||
- include_tasks: copy-certs.yml
|
- include_tasks: copy-certs.yml
|
||||||
when:
|
when:
|
||||||
- kolla_copy_ca_into_containers | bool
|
- kolla_copy_ca_into_containers | bool or placement_enable_tls_backend | bool
|
||||||
|
|
||||||
- name: Copying over config.json files for services
|
- name: Copying over config.json files for services
|
||||||
become: true
|
become: true
|
||||||
|
@ -5,7 +5,13 @@
|
|||||||
{% set python_path = '/var/lib/kolla/venv/lib/python' + distro_python_version + '/site-packages' %}
|
{% set python_path = '/var/lib/kolla/venv/lib/python' + distro_python_version + '/site-packages' %}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
{% set wsgi_directory = '/usr/bin' if placement_install_type == 'binary' else '/var/lib/kolla/venv/bin' %}
|
{% set wsgi_directory = '/usr/bin' if placement_install_type == 'binary' else '/var/lib/kolla/venv/bin' %}
|
||||||
|
{% if placement_enable_tls_backend | bool %}
|
||||||
|
{% if kolla_base_distro in ['centos'] %}
|
||||||
|
LoadModule ssl_module /usr/lib64/httpd/modules/mod_ssl.so
|
||||||
|
{% else %}
|
||||||
|
LoadModule ssl_module /usr/lib/apache2/modules/mod_ssl.so
|
||||||
|
{% endif %}
|
||||||
|
{% endif %}
|
||||||
Listen {{ api_interface_address | put_address_in_context('url') }}:{{ placement_api_listen_port }}
|
Listen {{ api_interface_address | put_address_in_context('url') }}:{{ placement_api_listen_port }}
|
||||||
|
|
||||||
ServerSignature Off
|
ServerSignature Off
|
||||||
@ -33,4 +39,9 @@ LogLevel info
|
|||||||
Require all granted
|
Require all granted
|
||||||
</Files>
|
</Files>
|
||||||
</Directory>
|
</Directory>
|
||||||
|
{% if placement_enable_tls_backend | bool %}
|
||||||
|
SSLEngine on
|
||||||
|
SSLCertificateFile /etc/placement/certs/placement-cert.pem
|
||||||
|
SSLCertificateKeyFile /etc/placement/certs/placement-key.pem
|
||||||
|
{% endif %}
|
||||||
</VirtualHost>
|
</VirtualHost>
|
||||||
|
@ -26,7 +26,19 @@
|
|||||||
"dest": "/etc/placement/migrate-db.rc",
|
"dest": "/etc/placement/migrate-db.rc",
|
||||||
"owner": "placement",
|
"owner": "placement",
|
||||||
"perm": "0600"
|
"perm": "0600"
|
||||||
}
|
}{% if placement_enable_tls_backend | bool %},
|
||||||
|
{
|
||||||
|
"source": "{{ container_config_directory }}/placement-cert.pem",
|
||||||
|
"dest": "/etc/placement/certs/placement-cert.pem",
|
||||||
|
"owner": "placement",
|
||||||
|
"perm": "0600"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"source": "{{ container_config_directory }}/placement-key.pem",
|
||||||
|
"dest": "/etc/placement/certs/placement-key.pem",
|
||||||
|
"owner": "placement",
|
||||||
|
"perm": "0600"
|
||||||
|
}{% endif %}
|
||||||
],
|
],
|
||||||
"permissions": [
|
"permissions": [
|
||||||
{
|
{
|
||||||
|
@ -2,7 +2,7 @@
|
|||||||
features:
|
features:
|
||||||
- |
|
- |
|
||||||
Added configuration options to enable backend TLS encryption from HAProxy
|
Added configuration options to enable backend TLS encryption from HAProxy
|
||||||
to the Keystone, Glance, Heat, and Cinder services. When used in
|
to the Keystone, Glance, Heat, Placement, Horizon, and Cinder services.
|
||||||
conjunction with enabling TLS for service API endpoints, network
|
When used in conjunction with enabling TLS for service API endpoints,
|
||||||
communcation will be encrypted end to end, from client through HAProxy to
|
network communcation will be encrypted end to end, from client through
|
||||||
the backend service.
|
HAProxy to the backend service.
|
||||||
|