Add support for encrypting heat api
This patch introduces optional backend encryption for the Heat service. When used in conjunction with enabling TLS for service API endpoints, network communication will be encrypted end to end, from client through HAProxy to the Heat service. Change-Id: Ic12f7574135dcaed2a462e902c775a55176ff03b Partially-Implements: blueprint add-ssl-internal-network Depends-On: https://review.opendev.org/722028/
parent
8618cfac2f
commit
ff84292269
@ -16,12 +16,14 @@ heat_services:
|
|||||||
external: false
|
external: false
|
||||||
port: "{{ heat_api_port }}"
|
port: "{{ heat_api_port }}"
|
||||||
listen_port: "{{ heat_api_listen_port }}"
|
listen_port: "{{ heat_api_listen_port }}"
|
||||||
|
tls_backend: "{{ heat_enable_tls_backend }}"
|
||||||
heat_api_external:
|
heat_api_external:
|
||||||
enabled: "{{ enable_heat }}"
|
enabled: "{{ enable_heat }}"
|
||||||
mode: "http"
|
mode: "http"
|
||||||
external: true
|
external: true
|
||||||
port: "{{ heat_api_port }}"
|
port: "{{ heat_api_port }}"
|
||||||
listen_port: "{{ heat_api_listen_port }}"
|
listen_port: "{{ heat_api_listen_port }}"
|
||||||
|
tls_backend: "{{ heat_enable_tls_backend }}"
|
||||||
heat-api-cfn:
|
heat-api-cfn:
|
||||||
container_name: heat_api_cfn
|
container_name: heat_api_cfn
|
||||||
group: heat-api-cfn
|
group: heat-api-cfn
|
||||||
@ -36,12 +38,14 @@ heat_services:
|
|||||||
external: false
|
external: false
|
||||||
port: "{{ heat_api_cfn_port }}"
|
port: "{{ heat_api_cfn_port }}"
|
||||||
listen_port: "{{ heat_api_cfn_listen_port }}"
|
listen_port: "{{ heat_api_cfn_listen_port }}"
|
||||||
|
tls_backend: "{{ heat_enable_tls_backend }}"
|
||||||
heat_api_cfn_external:
|
heat_api_cfn_external:
|
||||||
enabled: "{{ enable_heat }}"
|
enabled: "{{ enable_heat }}"
|
||||||
mode: "http"
|
mode: "http"
|
||||||
external: true
|
external: true
|
||||||
port: "{{ heat_api_cfn_port }}"
|
port: "{{ heat_api_cfn_port }}"
|
||||||
listen_port: "{{ heat_api_cfn_listen_port }}"
|
listen_port: "{{ heat_api_cfn_listen_port }}"
|
||||||
|
tls_backend: "{{ heat_enable_tls_backend }}"
|
||||||
heat-engine:
|
heat-engine:
|
||||||
container_name: heat_engine
|
container_name: heat_engine
|
||||||
group: heat-engine
|
group: heat-engine
|
||||||
@ -173,3 +177,8 @@ heat_ks_user_roles:
|
|||||||
- project: "{{ openstack_auth.project_name }}"
|
- project: "{{ openstack_auth.project_name }}"
|
||||||
user: "{{ openstack_auth.username }}"
|
user: "{{ openstack_auth.username }}"
|
||||||
role: "{{ heat_stack_owner_role }}"
|
role: "{{ heat_stack_owner_role }}"
|
||||||
|
|
||||||
|
####################
|
||||||
|
# TLS
|
||||||
|
####################
|
||||||
|
heat_enable_tls_backend: "{{ kolla_enable_tls_backend }}"
|
||||||
|
@ -33,7 +33,7 @@
|
|||||||
|
|
||||||
- include_tasks: copy-certs.yml
|
- include_tasks: copy-certs.yml
|
||||||
when:
|
when:
|
||||||
- kolla_copy_ca_into_containers | bool
|
- kolla_copy_ca_into_containers | bool or heat_enable_tls_backend | bool
|
||||||
|
|
||||||
- name: Copying over config.json files for services
|
- name: Copying over config.json files for services
|
||||||
become: true
|
become: true
|
||||||
@ -82,5 +82,33 @@
|
|||||||
notify:
|
notify:
|
||||||
- Restart {{ item.key }} container
|
- Restart {{ item.key }} container
|
||||||
|
|
||||||
|
- name: Copying over heat-api wsgi config
|
||||||
|
vars:
|
||||||
|
service: "{{ heat_services['heat-api'] }}"
|
||||||
|
template:
|
||||||
|
src: "{{ role_path }}/templates/wsgi-heat-api.conf.j2"
|
||||||
|
dest: "{{ node_config_directory }}/heat-api/wsgi-heat-api.conf"
|
||||||
|
mode: "0660"
|
||||||
|
become: true
|
||||||
|
when:
|
||||||
|
- inventory_hostname in groups[service['group']]
|
||||||
|
- service.enabled | bool
|
||||||
|
notify:
|
||||||
|
- Restart heat-api container
|
||||||
|
|
||||||
|
- name: Copying over heat-api-cfn wsgi config
|
||||||
|
vars:
|
||||||
|
service: "{{ heat_services['heat-api-cfn'] }}"
|
||||||
|
template:
|
||||||
|
src: "{{ role_path }}/templates/wsgi-heat-api-cfn.conf.j2"
|
||||||
|
dest: "{{ node_config_directory }}/heat-api-cfn/wsgi-heat-api-cfn.conf"
|
||||||
|
mode: "0660"
|
||||||
|
become: true
|
||||||
|
when:
|
||||||
|
- inventory_hostname in groups[service['group']]
|
||||||
|
- service.enabled | bool
|
||||||
|
notify:
|
||||||
|
- Restart heat-api-cfn container
|
||||||
|
|
||||||
- include_tasks: check-containers.yml
|
- include_tasks: check-containers.yml
|
||||||
when: kolla_action != "config"
|
when: kolla_action != "config"
|
||||||
|
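Review bot: The two new template tasks `- name: Copying over heat-api wsgi config` and `- name: Copying over heat-api-cfn wsgi config` are identical apart from the service name, so their `when`, `mode` and `notify` lines are two copies that can drift apart on the next edit. The file already uses a loop variable in a handler name (`- Restart {{ item.key }} container` in the hunk's context lines), so a single task looped over the two service names would express the same thing once. The `mode: "0660"`, the `inventory_hostname in groups[service['group']]` guard and the `service.enabled | bool` guard are fine as written and are kept in the consolidated form below; only the duplication changes.

```yaml
- name: Copying over heat wsgi configs
  vars:
    service: "{{ heat_services[item] }}"
  template:
    src: "{{ role_path }}/templates/wsgi-{{ item }}.conf.j2"
    dest: "{{ node_config_directory }}/{{ item }}/wsgi-{{ item }}.conf"
    mode: "0660"
  become: true
  when:
    - inventory_hostname in groups[service['group']]
    - service.enabled | bool
  with_items:
    - heat-api
    - heat-api-cfn
  notify:
    - Restart {{ item }} container

# … unchanged: include_tasks check-containers.yml …
```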
@ -1,18 +1,38 @@
|
|||||||
|
{% set heat_api_cfn_cmd = 'apache2' if kolla_base_distro in ['ubuntu', 'debian'] else 'httpd' %}
|
||||||
|
{% set wsgi_conf_dir = 'apache2/conf-enabled' if kolla_base_distro in ['ubuntu', 'debian'] else 'httpd/conf.d' %}
|
||||||
{
|
{
|
||||||
"command": "heat-api-cfn",
|
"command": "/usr/sbin/{{ heat_api_cfn_cmd }} -DFOREGROUND",
|
||||||
"config_files": [
|
"config_files": [
|
||||||
{
|
{
|
||||||
"source": "{{ container_config_directory }}/heat.conf",
|
"source": "{{ container_config_directory }}/heat.conf",
|
||||||
"dest": "/etc/heat/heat.conf",
|
"dest": "/etc/heat/heat.conf",
|
||||||
"owner": "heat",
|
"owner": "heat",
|
||||||
"perm": "0600"
|
"perm": "0600"
|
||||||
|
},{
|
||||||
|
"source": "{{ container_config_directory }}/wsgi-heat-api-cfn.conf",
|
||||||
|
"dest": "/etc/{{ wsgi_conf_dir }}/wsgi-heat-api-cfn.conf",
|
||||||
|
"owner": "heat",
|
||||||
|
"perm": "0600"
|
||||||
}{% if heat_policy_file is defined %},
|
}{% if heat_policy_file is defined %},
|
||||||
{
|
{
|
||||||
"source": "{{ container_config_directory }}/{{ heat_policy_file }}",
|
"source": "{{ container_config_directory }}/{{ heat_policy_file }}",
|
||||||
"dest": "/etc/heat/{{ heat_policy_file }}",
|
"dest": "/etc/heat/{{ heat_policy_file }}",
|
||||||
"owner": "heat",
|
"owner": "heat",
|
||||||
"perm": "0600"
|
"perm": "0600"
|
||||||
}{% endif %}
|
}{% endif %}{% if heat_enable_tls_backend | bool %},
|
||||||
|
{
|
||||||
|
"source": "{{ container_config_directory }}/heat-cert.pem",
|
||||||
|
"dest": "/etc/heat/certs/heat-cert.pem",
|
||||||
|
"owner": "heat",
|
||||||
|
"perm": "0600"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"source": "{{ container_config_directory }}/heat-key.pem",
|
||||||
|
"dest": "/etc/heat/certs/heat-key.pem",
|
||||||
|
"owner": "heat",
|
||||||
|
"perm": "0600"
|
||||||
|
}
|
||||||
|
{% endif %}
|
||||||
],
|
],
|
||||||
"permissions": [
|
"permissions": [
|
||||||
{
|
{
|
||||||
|
@ -1,18 +1,38 @@
|
|||||||
|
{% set heat_api_cmd = 'apache2' if kolla_base_distro in ['ubuntu', 'debian'] else 'httpd' %}
|
||||||
|
{% set wsgi_conf_dir = 'apache2/conf-enabled' if kolla_base_distro in ['ubuntu', 'debian'] else 'httpd/conf.d' %}
|
||||||
{
|
{
|
||||||
"command": "heat-api",
|
"command": "/usr/sbin/{{ heat_api_cmd }} -DFOREGROUND",
|
||||||
"config_files": [
|
"config_files": [
|
||||||
{
|
{
|
||||||
"source": "{{ container_config_directory }}/heat.conf",
|
"source": "{{ container_config_directory }}/heat.conf",
|
||||||
"dest": "/etc/heat/heat.conf",
|
"dest": "/etc/heat/heat.conf",
|
||||||
"owner": "heat",
|
"owner": "heat",
|
||||||
"perm": "0600"
|
"perm": "0600"
|
||||||
|
},{
|
||||||
|
"source": "{{ container_config_directory }}/wsgi-heat-api.conf",
|
||||||
|
"dest": "/etc/{{ wsgi_conf_dir }}/wsgi-heat-api.conf",
|
||||||
|
"owner": "heat",
|
||||||
|
"perm": "0600"
|
||||||
}{% if heat_policy_file is defined %},
|
}{% if heat_policy_file is defined %},
|
||||||
{
|
{
|
||||||
"source": "{{ container_config_directory }}/{{ heat_policy_file }}",
|
"source": "{{ container_config_directory }}/{{ heat_policy_file }}",
|
||||||
"dest": "/etc/heat/{{ heat_policy_file }}",
|
"dest": "/etc/heat/{{ heat_policy_file }}",
|
||||||
"owner": "heat",
|
"owner": "heat",
|
||||||
"perm": "0600"
|
"perm": "0600"
|
||||||
}{% endif %}
|
}{% endif %}{% if heat_enable_tls_backend | bool %},
|
||||||
|
{
|
||||||
|
"source": "{{ container_config_directory }}/heat-cert.pem",
|
||||||
|
"dest": "/etc/heat/certs/heat-cert.pem",
|
||||||
|
"owner": "heat",
|
||||||
|
"perm": "0600"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"source": "{{ container_config_directory }}/heat-key.pem",
|
||||||
|
"dest": "/etc/heat/certs/heat-key.pem",
|
||||||
|
"owner": "heat",
|
||||||
|
"perm": "0600"
|
||||||
|
}
|
||||||
|
{% endif %}
|
||||||
],
|
],
|
||||||
"permissions": [
|
"permissions": [
|
||||||
{
|
{
|
||||||
|
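--- /dev/null
+++ b/ansible/roles/heat/templates/wsgi-heat-api-cfn.conf.j2
@@ -0,0 +1,47 @@
+{% set heat_log_dir = '/var/log/kolla/heat' %}
+{% if heat_install_type == 'binary' %}
+{% set python_path = '/usr/lib/python3/dist-packages' if kolla_base_distro in ['debian', 'ubuntu'] else '/usr/lib/python2.7/site-packages' %}
+{% else %}
+{% set python_path = '/usr/lib/python' ~ distro_python_version ~ '/site-packages' %}
+{% endif %}
+{% set binary_path = '/usr/bin' if heat_install_type == 'binary' else '/var/lib/kolla/venv/bin' %}
+{% if heat_enable_tls_backend | bool %}
+{% if kolla_base_distro in ['centos'] %}
+LoadModule ssl_module /usr/lib64/httpd/modules/mod_ssl.so
+{% else %}
+LoadModule ssl_module /usr/lib/apache2/modules/mod_ssl.so
+{% endif %}
+{% endif %}
+Listen {{ api_interface_address | put_address_in_context('url') }}:{{ heat_api_cfn_listen_port }}
+
+ServerSignature Off
+ServerTokens Prod
+TraceEnable off
+
+<Directory "{{ binary_path }}">
+<FilesMatch "heat-wsgi-api-cfn">
+AllowOverride None
+Options None
+Require all granted
+</FilesMatch>
+</Directory>
+
+
+<VirtualHost *:{{ heat_api_cfn_listen_port }}>
+WSGIDaemonProcess heat-api-cfn processes={{ openstack_service_workers }} threads=1 user=heat group=heat display-name=%{GROUP} python-path={{ python_path }}
+WSGIProcessGroup heat-api-cfn
+WSGIScriptAlias / {{ binary_path }}/heat-wsgi-api-cfn
+WSGIApplicationGroup %{GLOBAL}
+WSGIPassAuthorization On
+<IfVersion >= 2.4>
+ErrorLogFormat "%{cu}t %M"
+</IfVersion>
+ErrorLog "{{ heat_log_dir }}/heat-api-cfn-error.log"
+LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b %D \"%{Referer}i\" \"%{User-Agent}i\"" logformat
+CustomLog "{{ heat_log_dir }}/heat-api-cfn-error.log" logformat
+{% if heat_enable_tls_backend | bool %}
+SSLEngine On
+SSLCertificateFile /etc/heat/certs/heat-cert.pem
+SSLCertificateKeyFile /etc/heat/certs/heat-key.pem
+{% endif %}
+</VirtualHost>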
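Review bot: `CustomLog "{{ heat_log_dir }}/heat-api-cfn-error.log" logformat` writes the access log into the same file that `ErrorLog` already uses two lines above, so per-request records and httpd error records interleave in one file and anything parsing either log has to cope with both formats; the access log should get its own name, `CustomLog "{{ heat_log_dir }}/heat-api-cfn-access.log" logformat`. In the `{% if heat_enable_tls_backend | bool %}` block inside the VirtualHost, `SSLEngine On` is set with no `SSLProtocol` directive, so the TLS versions this backend accepts are whatever the image's mod_ssl defaults to, which differs between the CentOS and Debian/Ubuntu bases this template branches on; pinning it, e.g. `SSLProtocol -all +TLSv1.2` (adding `+TLSv1.3` where the httpd build supports it), makes the HAProxy-to-Heat hop's floor explicit rather than image-dependent. Both points apply unchanged to wsgi-heat-api.conf.j2, which pairs `ErrorLog` and `CustomLog` on heat-api-error.log the same way.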
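--- /dev/null
+++ b/ansible/roles/heat/templates/wsgi-heat-api.conf.j2
@@ -0,0 +1,47 @@
+{% set heat_log_dir = '/var/log/kolla/heat' %}
+{% if heat_install_type == 'binary' %}
+{% set python_path = '/usr/lib/python3/dist-packages' if kolla_base_distro in ['debian', 'ubuntu'] else '/usr/lib/python2.7/site-packages' %}
+{% else %}
+{% set python_path = '/usr/lib/python' ~ distro_python_version ~ '/site-packages' %}
+{% endif %}
+{% set binary_path = '/usr/bin' if heat_install_type == 'binary' else '/var/lib/kolla/venv/bin' %}
+{% if heat_enable_tls_backend | bool %}
+{% if kolla_base_distro in ['centos'] %}
+LoadModule ssl_module /usr/lib64/httpd/modules/mod_ssl.so
+{% else %}
+LoadModule ssl_module /usr/lib/apache2/modules/mod_ssl.so
+{% endif %}
+{% endif %}
+Listen {{ api_interface_address | put_address_in_context('url') }}:{{ heat_api_listen_port }}
+
+ServerSignature Off
+ServerTokens Prod
+TraceEnable off
+
+<Directory "{{ binary_path }}">
+<FilesMatch "heat-wsgi-api">
+AllowOverride None
+Options None
+Require all granted
+</FilesMatch>
+</Directory>
+
+
+<VirtualHost *:{{ heat_api_listen_port }}>
+WSGIDaemonProcess heat-api processes={{ openstack_service_workers }} threads=1 user=heat group=heat display-name=%{GROUP} python-path={{ python_path }}
+WSGIProcessGroup heat-api
+WSGIScriptAlias / {{ binary_path }}/heat-wsgi-api
+WSGIApplicationGroup %{GLOBAL}
+WSGIPassAuthorization On
+<IfVersion >= 2.4>
+ErrorLogFormat "%{cu}t %M"
+</IfVersion>
+ErrorLog "{{ heat_log_dir }}/heat-api-error.log"
+LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b %D \"%{Referer}i\" \"%{User-Agent}i\"" logformat
+CustomLog "{{ heat_log_dir }}/heat-api-error.log" logformat
+{% if heat_enable_tls_backend | bool %}
+SSLEngine On
+SSLCertificateFile /etc/heat/certs/heat-cert.pem
+SSLCertificateKeyFile /etc/heat/certs/heat-key.pem
+{% endif %}
+</VirtualHost>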
@ -0,0 +1,7 @@
|
|||||||
|
---
|
||||||
|
features:
|
||||||
|
- |
|
||||||
|
Added configuration options to enable backend TLS encryption from HAProxy
|
||||||
|
to the Keystone, Heat, and cinder service. When used in conjunction with
|
||||||
|
enabling TLS for service API endpoints, network communcation will be
|
||||||
|
encrypted end to end, from client through HAProxy to the backend service.
|
@ -1,7 +0,0 @@
|
|||||||
---
|
|
||||||
features:
|
|
||||||
- |
|
|
||||||
Added configuration options to enable backend TLS encryption from HAProxy
|
|
||||||
to the Keystone and cinder service. When used in conjunction with enabling
|
|
||||||
TLS for service API endpoints, network communcation will be encrypted end
|
|
||||||
to end, from client through HAProxy to the backend service.
|
|