Add support for encrypting heat api

This patch introduces an optional backend encryption for Heat
service. When used in conjunction with enabling TLS for service API
endpoints, network communication will be encrypted end to end, from
client through HAProxy to the Heat service.

Change-Id: Ic12f7574135dcaed2a462e902c775a55176ff03b
Partially-Implements: blueprint add-ssl-internal-network
Depends-On: https://review.opendev.org/722028/
James Kirsch 2020-04-23 08:24:09 -07:00 committed by Mark Goddard
parent 8618cfac2f
commit ff84292269
8 changed files with 183 additions and 12 deletions


@ -16,12 +16,14 @@ heat_services:
external: false external: false
port: "{{ heat_api_port }}" port: "{{ heat_api_port }}"
listen_port: "{{ heat_api_listen_port }}" listen_port: "{{ heat_api_listen_port }}"
tls_backend: "{{ heat_enable_tls_backend }}"
heat_api_external: heat_api_external:
enabled: "{{ enable_heat }}" enabled: "{{ enable_heat }}"
mode: "http" mode: "http"
external: true external: true
port: "{{ heat_api_port }}" port: "{{ heat_api_port }}"
listen_port: "{{ heat_api_listen_port }}" listen_port: "{{ heat_api_listen_port }}"
tls_backend: "{{ heat_enable_tls_backend }}"
heat-api-cfn: heat-api-cfn:
container_name: heat_api_cfn container_name: heat_api_cfn
group: heat-api-cfn group: heat-api-cfn
@ -36,12 +38,14 @@ heat_services:
external: false external: false
port: "{{ heat_api_cfn_port }}" port: "{{ heat_api_cfn_port }}"
listen_port: "{{ heat_api_cfn_listen_port }}" listen_port: "{{ heat_api_cfn_listen_port }}"
tls_backend: "{{ heat_enable_tls_backend }}"
heat_api_cfn_external: heat_api_cfn_external:
enabled: "{{ enable_heat }}" enabled: "{{ enable_heat }}"
mode: "http" mode: "http"
external: true external: true
port: "{{ heat_api_cfn_port }}" port: "{{ heat_api_cfn_port }}"
listen_port: "{{ heat_api_cfn_listen_port }}" listen_port: "{{ heat_api_cfn_listen_port }}"
tls_backend: "{{ heat_enable_tls_backend }}"
heat-engine: heat-engine:
container_name: heat_engine container_name: heat_engine
group: heat-engine group: heat-engine
@ -173,3 +177,8 @@ heat_ks_user_roles:
- project: "{{ openstack_auth.project_name }}" - project: "{{ openstack_auth.project_name }}"
user: "{{ openstack_auth.username }}" user: "{{ openstack_auth.username }}"
role: "{{ heat_stack_owner_role }}" role: "{{ heat_stack_owner_role }}"
####################
# TLS
####################
heat_enable_tls_backend: "{{ kolla_enable_tls_backend }}"


@ -33,7 +33,7 @@
- include_tasks: copy-certs.yml - include_tasks: copy-certs.yml
when: when:
- kolla_copy_ca_into_containers | bool - kolla_copy_ca_into_containers | bool or heat_enable_tls_backend | bool
- name: Copying over config.json files for services - name: Copying over config.json files for services
become: true become: true
@ -82,5 +82,33 @@
notify: notify:
- Restart {{ item.key }} container - Restart {{ item.key }} container
- name: Copying over heat-api wsgi config
vars:
service: "{{ heat_services['heat-api'] }}"
template:
src: "{{ role_path }}/templates/wsgi-heat-api.conf.j2"
dest: "{{ node_config_directory }}/heat-api/wsgi-heat-api.conf"
mode: "0660"
become: true
when:
- inventory_hostname in groups[service['group']]
- service.enabled | bool
notify:
- Restart heat-api container
- name: Copying over heat-api-cfn wsgi config
vars:
service: "{{ heat_services['heat-api-cfn'] }}"
template:
src: "{{ role_path }}/templates/wsgi-heat-api-cfn.conf.j2"
dest: "{{ node_config_directory }}/heat-api-cfn/wsgi-heat-api-cfn.conf"
mode: "0660"
become: true
when:
- inventory_hostname in groups[service['group']]
- service.enabled | bool
notify:
- Restart heat-api-cfn container
- include_tasks: check-containers.yml - include_tasks: check-containers.yml
when: kolla_action != "config" when: kolla_action != "config"
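Review bot: The two new template tasks notify a restart when the wsgi config changes, but the certificate and key reach the container only via the `copy-certs.yml` include whose condition was widened at the top of the file, and that include is outside this hunk; if it does not also notify `Restart heat-api container` and `Restart heat-api-cfn container`, a renewed `heat-cert.pem`/`heat-key.pem` on the deploy host is never picked up, because (as I understand kolla_start) `config_files` are copied only when the container starts. Worth confirming, so that certificate rotation is a plain reconfigure rather than a manual restart. The new tasks would also read better with a one-line comment stating why they run even with TLS off, e.g. `# Always rendered: heat-api/heat-api-cfn now run under httpd regardless of heat_enable_tls_backend.`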


@ -1,18 +1,38 @@
{% set heat_api_cfn_cmd = 'apache2' if kolla_base_distro in ['ubuntu', 'debian'] else 'httpd' %}
{% set wsgi_conf_dir = 'apache2/conf-enabled' if kolla_base_distro in ['ubuntu', 'debian'] else 'httpd/conf.d' %}
{ {
"command": "heat-api-cfn", "command": "/usr/sbin/{{ heat_api_cfn_cmd }} -DFOREGROUND",
"config_files": [ "config_files": [
{ {
"source": "{{ container_config_directory }}/heat.conf", "source": "{{ container_config_directory }}/heat.conf",
"dest": "/etc/heat/heat.conf", "dest": "/etc/heat/heat.conf",
"owner": "heat", "owner": "heat",
"perm": "0600" "perm": "0600"
},{
"source": "{{ container_config_directory }}/wsgi-heat-api-cfn.conf",
"dest": "/etc/{{ wsgi_conf_dir }}/wsgi-heat-api-cfn.conf",
"owner": "heat",
"perm": "0600"
}{% if heat_policy_file is defined %}, }{% if heat_policy_file is defined %},
{ {
"source": "{{ container_config_directory }}/{{ heat_policy_file }}", "source": "{{ container_config_directory }}/{{ heat_policy_file }}",
"dest": "/etc/heat/{{ heat_policy_file }}", "dest": "/etc/heat/{{ heat_policy_file }}",
"owner": "heat", "owner": "heat",
"perm": "0600" "perm": "0600"
}{% endif %} }{% endif %}{% if heat_enable_tls_backend | bool %},
{
"source": "{{ container_config_directory }}/heat-cert.pem",
"dest": "/etc/heat/certs/heat-cert.pem",
"owner": "heat",
"perm": "0600"
},
{
"source": "{{ container_config_directory }}/heat-key.pem",
"dest": "/etc/heat/certs/heat-key.pem",
"owner": "heat",
"perm": "0600"
}
{% endif %}
], ],
"permissions": [ "permissions": [
{ {
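Review bot: The two `config_files` entries added at the end of the TLS block drop the certificate and key into `/etc/heat/certs/`, a directory nothing in this patch creates; I believe kolla's `set_configs` creates missing parent directories on copy, but that is worth confirming, because the failure would only surface in a TLS-enabled deployment at container start. The key entry uses owner `heat` with `0600`, which is the right permission for a private key; since httpd is now the container command and must read it at startup, a short Jinja comment above the entry would save the next reader a check, e.g. `{# private key: keep 0600 owned by heat; httpd reads it at startup #}`. The same two points apply to the heat-api template.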


@ -1,18 +1,38 @@
{% set heat_api_cmd = 'apache2' if kolla_base_distro in ['ubuntu', 'debian'] else 'httpd' %}
{% set wsgi_conf_dir = 'apache2/conf-enabled' if kolla_base_distro in ['ubuntu', 'debian'] else 'httpd/conf.d' %}
{ {
"command": "heat-api", "command": "/usr/sbin/{{ heat_api_cmd }} -DFOREGROUND",
"config_files": [ "config_files": [
{ {
"source": "{{ container_config_directory }}/heat.conf", "source": "{{ container_config_directory }}/heat.conf",
"dest": "/etc/heat/heat.conf", "dest": "/etc/heat/heat.conf",
"owner": "heat", "owner": "heat",
"perm": "0600" "perm": "0600"
},{
"source": "{{ container_config_directory }}/wsgi-heat-api.conf",
"dest": "/etc/{{ wsgi_conf_dir }}/wsgi-heat-api.conf",
"owner": "heat",
"perm": "0600"
}{% if heat_policy_file is defined %}, }{% if heat_policy_file is defined %},
{ {
"source": "{{ container_config_directory }}/{{ heat_policy_file }}", "source": "{{ container_config_directory }}/{{ heat_policy_file }}",
"dest": "/etc/heat/{{ heat_policy_file }}", "dest": "/etc/heat/{{ heat_policy_file }}",
"owner": "heat", "owner": "heat",
"perm": "0600" "perm": "0600"
}{% endif %} }{% endif %}{% if heat_enable_tls_backend | bool %},
{
"source": "{{ container_config_directory }}/heat-cert.pem",
"dest": "/etc/heat/certs/heat-cert.pem",
"owner": "heat",
"perm": "0600"
},
{
"source": "{{ container_config_directory }}/heat-key.pem",
"dest": "/etc/heat/certs/heat-key.pem",
"owner": "heat",
"perm": "0600"
}
{% endif %}
], ],
"permissions": [ "permissions": [
{ {


@ -0,0 +1,47 @@
{% set heat_log_dir = '/var/log/kolla/heat' %}
{% if heat_install_type == 'binary' %}
{% set python_path = '/usr/lib/python3/dist-packages' if kolla_base_distro in ['debian', 'ubuntu'] else '/usr/lib/python2.7/site-packages' %}
{% else %}
{% set python_path = '/usr/lib/python' ~ distro_python_version ~ '/site-packages' %}
{% endif %}
{% set binary_path = '/usr/bin' if heat_install_type == 'binary' else '/var/lib/kolla/venv/bin' %}
{% if heat_enable_tls_backend | bool %}
{% if kolla_base_distro in ['centos'] %}
LoadModule ssl_module /usr/lib64/httpd/modules/mod_ssl.so
{% else %}
LoadModule ssl_module /usr/lib/apache2/modules/mod_ssl.so
{% endif %}
{% endif %}
Listen {{ api_interface_address | put_address_in_context('url') }}:{{ heat_api_cfn_listen_port }}
ServerSignature Off
ServerTokens Prod
TraceEnable off
<Directory "{{ binary_path }}">
<FilesMatch "heat-wsgi-api-cfn">
AllowOverride None
Options None
Require all granted
</FilesMatch>
</Directory>
<VirtualHost *:{{ heat_api_cfn_listen_port }}>
WSGIDaemonProcess heat-api-cfn processes={{ openstack_service_workers }} threads=1 user=heat group=heat display-name=%{GROUP} python-path={{ python_path }}
WSGIProcessGroup heat-api-cfn
WSGIScriptAlias / {{ binary_path }}/heat-wsgi-api-cfn
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
<IfVersion >= 2.4>
ErrorLogFormat "%{cu}t %M"
</IfVersion>
ErrorLog "{{ heat_log_dir }}/heat-api-cfn-error.log"
LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b %D \"%{Referer}i\" \"%{User-Agent}i\"" logformat
CustomLog "{{ heat_log_dir }}/heat-api-cfn-error.log" logformat
{% if heat_enable_tls_backend | bool %}
SSLEngine On
SSLCertificateFile /etc/heat/certs/heat-cert.pem
SSLCertificateKeyFile /etc/heat/certs/heat-key.pem
{% endif %}
</VirtualHost>
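Review bot: The `{% if heat_enable_tls_backend | bool %}` block at the bottom turns on `SSLEngine On` with a certificate and key but sets no `SSLProtocol` or `SSLCipherSuite`, so protocol and cipher selection fall back to mod_ssl's built-in defaults (or to whatever distro `ssl.conf` the image happens to load), which as far as I can tell still admit TLS 1.0/1.1 and weak suites on the httpd 2.4 builds in question. Since the change exists to protect HAProxy-to-backend traffic, pin a floor inside that block — `SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1`, `SSLCipherSuite HIGH:!aNULL:!MD5:!RC4:!3DES`, `SSLHonorCipherOrder on` — preferably from a shared kolla variable so Heat matches the Keystone and cinder backends the release note mentions. The `LoadModule ssl_module` switch at the top tests `kolla_base_distro in ['centos']`, whereas the `python_path` switch at the top of the same file and the `command` switch in the json.j2 templates treat every non-Debian base as an httpd system; a non-centos RPM base would therefore load the Debian module path and httpd would refuse to start with TLS on, so invert the test to `kolla_base_distro in ['debian', 'ubuntu']` for consistency. Also worth a comment near `SSLEngine On`: with no `SSLVerifyClient`, backend TLS encrypts the hop but does not authenticate HAProxy, so a host on the API network can still reach this listener directly. The same applies to the heat-api template.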


@ -0,0 +1,47 @@
{% set heat_log_dir = '/var/log/kolla/heat' %}
{% if heat_install_type == 'binary' %}
{% set python_path = '/usr/lib/python3/dist-packages' if kolla_base_distro in ['debian', 'ubuntu'] else '/usr/lib/python2.7/site-packages' %}
{% else %}
{% set python_path = '/usr/lib/python' ~ distro_python_version ~ '/site-packages' %}
{% endif %}
{% set binary_path = '/usr/bin' if heat_install_type == 'binary' else '/var/lib/kolla/venv/bin' %}
{% if heat_enable_tls_backend | bool %}
{% if kolla_base_distro in ['centos'] %}
LoadModule ssl_module /usr/lib64/httpd/modules/mod_ssl.so
{% else %}
LoadModule ssl_module /usr/lib/apache2/modules/mod_ssl.so
{% endif %}
{% endif %}
Listen {{ api_interface_address | put_address_in_context('url') }}:{{ heat_api_listen_port }}
ServerSignature Off
ServerTokens Prod
TraceEnable off
<Directory "{{ binary_path }}">
<FilesMatch "heat-wsgi-api">
AllowOverride None
Options None
Require all granted
</FilesMatch>
</Directory>
<VirtualHost *:{{ heat_api_listen_port }}>
WSGIDaemonProcess heat-api processes={{ openstack_service_workers }} threads=1 user=heat group=heat display-name=%{GROUP} python-path={{ python_path }}
WSGIProcessGroup heat-api
WSGIScriptAlias / {{ binary_path }}/heat-wsgi-api
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
<IfVersion >= 2.4>
ErrorLogFormat "%{cu}t %M"
</IfVersion>
ErrorLog "{{ heat_log_dir }}/heat-api-error.log"
LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b %D \"%{Referer}i\" \"%{User-Agent}i\"" logformat
CustomLog "{{ heat_log_dir }}/heat-api-error.log" logformat
{% if heat_enable_tls_backend | bool %}
SSLEngine On
SSLCertificateFile /etc/heat/certs/heat-cert.pem
SSLCertificateKeyFile /etc/heat/certs/heat-key.pem
{% endif %}
</VirtualHost>
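Review bot: `CustomLog` on the line before the TLS block writes the access log to `{{ heat_log_dir }}/heat-api-error.log`, the same file that `ErrorLog` uses two lines earlier, so request records and httpd error output are interleaved in one file and the kolla log pipeline's access-log and error-log parsers (presumably keyed by file name) each see lines in the other format; the access log should get its own file, `CustomLog "{{ heat_log_dir }}/heat-api-access.log" logformat`, with the same fix in the cfn template. The `LogFormat` also substitutes `%{X-Forwarded-For}i` for the peer address; that header is only trustworthy for requests that arrived through HAProxy, and since this vhost listens on `api_interface_address` with no client-certificate requirement, a direct connection on the API network can write an arbitrary spoofed client address into the log — recording `%a` as well (if the log parser is extended to match) would keep the real peer. Finally, the `<FilesMatch "heat-wsgi-api">` pattern is an unanchored regex, so it also matches `heat-wsgi-api-cfn` in the same `binary_path`; harmless today, but `<FilesMatch "^heat-wsgi-api$">` states the intent.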


@ -0,0 +1,7 @@
---
features:
- |
Added configuration options to enable backend TLS encryption from HAProxy
to the Keystone, Heat, and cinder service. When used in conjunction with
enabling TLS for service API endpoints, network communcation will be
encrypted end to end, from client through HAProxy to the backend service.


@ -1,7 +0,0 @@
---
features:
- |
Added configuration options to enable backend TLS encryption from HAProxy
to the Keystone and cinder service. When used in conjunction with enabling
TLS for service API endpoints, network communcation will be encrypted end
to end, from client through HAProxy to the backend service.