James Kirsch ff84292269 Add support for encrypting heat api
This patch introduces an optional backend encryption for Heat
service. When used in conjunction with enabling TLS for service API
endpoints, network communication will be encrypted end to end, from
client through HAProxy to the Heat service.

Change-Id: Ic12f7574135dcaed2a462e902c775a55176ff03b
Partially-Implements: blueprint add-ssl-internal-network
Depends-On: https://review.opendev.org/722028/
2020-04-24 12:23:48 +01:00


{#
  Jinja template that renders the JSON container config for the Heat API.
  "command" is the process to run, each "config_files" entry describes one
  file by source, dest, owner and perm, and "permissions" lists paths whose
  ownership is set.
  NOTE(review): presumably consumed by the Kolla config-copy step at
  container start; confirm against the image.
#}
{# Debian-family images name the web server binary apache2, all others httpd. #}
{% set heat_api_cmd = 'apache2' if kolla_base_distro in ['ubuntu', 'debian'] else 'httpd' %}
{# The drop-in directory for the WSGI vhost config differs the same way. #}
{% set wsgi_conf_dir = 'apache2/conf-enabled' if kolla_base_distro in ['ubuntu', 'debian'] else 'httpd/conf.d' %}
{
{# -DFOREGROUND keeps the web server in the foreground as the container's main process. #}
"command": "/usr/sbin/{{ heat_api_cmd }} -DFOREGROUND",
"config_files": [
{
"source": "{{ container_config_directory }}/heat.conf",
"dest": "/etc/heat/heat.conf",
"owner": "heat",
"perm": "0600"
},{
"source": "{{ container_config_directory }}/wsgi-heat-api.conf",
"dest": "/etc/{{ wsgi_conf_dir }}/wsgi-heat-api.conf",
"owner": "heat",
"perm": "0600"
}{% if heat_policy_file is defined %},
{# Optional policy file. The separating comma is emitted inside each conditional so the array stays valid JSON when the entry is skipped. #}
{
"source": "{{ container_config_directory }}/{{ heat_policy_file }}",
"dest": "/etc/heat/{{ heat_policy_file }}",
"owner": "heat",
"perm": "0600"
}{% endif %}{% if heat_enable_tls_backend | bool %},
{#
  Backend TLS material, installed only when heat_enable_tls_backend is true.
  NOTE(review): this template only places the certificate and key. The vhost
  config that references these paths, and whether the proxy in front verifies
  the backend certificate, are defined elsewhere; confirm both.
#}
{
"source": "{{ container_config_directory }}/heat-cert.pem",
"dest": "/etc/heat/certs/heat-cert.pem",
"owner": "heat",
"perm": "0600"
},
{# Private key: mode 0600 with owner heat, so no group or other access is granted. #}
{# NOTE(review): the mode of the /etc/heat/certs directory itself is not set in this file; verify it. #}
{
"source": "{{ container_config_directory }}/heat-key.pem",
"dest": "/etc/heat/certs/heat-key.pem",
"owner": "heat",
"perm": "0600"
}
{% endif %}
],
"permissions": [
{# Log directory is handed to heat:heat recursively. #}
{
"path": "/var/log/kolla/heat",
"owner": "heat:heat",
"recurse": true
}
]
}