OpenStack HTTPS Endpoints support
Communication between services is usually done via internal
endpoints that are located in the internal network. In some
cases it is required to encrypt traffic even on the internal
network. This patch unhardcodes the communication protocol between
Cinder and other services. It also adds the possibility to specify
ca_file to verify the SSL certificates of remote peers.
PROD-15735
Change-Id: Ib441eb4b37f40ed6bf5209b9dcfbcf80480708a1
diff --git a/README.rst b/README.rst
index 1dc3850..9ef35aa 100644
--- a/README.rst
+++ b/README.rst
@@ -166,58 +166,52 @@
....
-**Client-side RabbitMQ TLS configuration.**
+Configuring TLS communications
+------------------------------
-|
-To enable TLS for oslo.messaging you need to provide the CA certificate.
-By default system-wide CA certs are used. Nothing should be specified except `ssl.enabled`.
+**Note:** by default system wide installed CA certs are used, so ``cacert_file`` param is optional, as well as ``cacert``.
+
+
+- **RabbitMQ TLS**
.. code-block:: yaml
- cinder:
- controller or volume:
- ....
+ cinder:
+ controller, volume:
message_queue:
+ port: 5671
ssl:
enabled: True
+ (optional) cacert: cert body if the cacert_file does not exists
+ (optional) cacert_file: /etc/openstack/rabbitmq-ca.pem
+ (optional) version: TLSv1_2
-
-Use `cacert_file` option to specify the CA-cert file path explicitly:
+- **MySQL TLS**
.. code-block:: yaml
- cinder:
- controller or volume:
- ....
- message_queue:
+ cinder:
+ controller:
+ database:
ssl:
enabled: True
- cacert_file: /etc/ssl/rabbitmq-ca.pem
+ (optional) cacert: cert body if the cacert_file does not exists
+ (optional) cacert_file: /etc/openstack/mysql-ca.pem
-To manage content of the `cacert_file` use the `cacert` option:
+- **Openstack HTTPS API**
.. code-block:: yaml
- cinder:
- controller or volume:
- ....
- message_queue:
- ssl:
- enabled: True
- cacert: |
-
- -----BEGIN CERTIFICATE-----
- ...
- -----END CERTIFICATE-------
-
- cacert_file: /etc/openstack/rabbitmq-ca.pem
-
-
-Notice:
- * The `message_queue.port` is set to **5671** (AMQPS) by default if `ssl.enabled=True`.
- * Use `message_queue.ssl.version` if you need to specify protocol version. By default is TLSv1 for python < 2.7.9 and TLSv1_2 for version above.
+ cinder:
+ controller, volume:
+ identity:
+ protocol: https
+ (optional) cacert_file: /etc/openstack/proxy.pem
+ glance:
+ protocol: https
+ (optional) cacert_file: /etc/openstack/proxy.pem
diff --git a/cinder/client.sls b/cinder/client.sls
index bdb3765..52b3042 100644
--- a/cinder/client.sls
+++ b/cinder/client.sls
@@ -19,7 +19,7 @@
'protocol': identity.get('protocol', 'http'),
'region_name': identity.get('region_name', 'RegionOne'),
'endpoint_type': identity.get('endpoint_type', 'internalURL'),
- 'certificate': identity.get('certificate', 'None')} %}
+ 'certificate': identity.get('certificate', client.cacert_file)} %}
{%- for backend_name, backend in client.get('backend', {}).iteritems() %}
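Review bot: The fallback for `certificate` changes from the literal string `'None'` to `client.cacert_file`, which is an attribute lookup rather than a `.get()`; if `cacert_file` is not defined in `default_params` (the map.jinja hunk wires `BaseDefaults` into the client map, but `default_params` itself is not in the diff), rendering raises an undefined-attribute error instead of falling back. A fallback that keeps the previous behaviour when no CA path is configured would be `'certificate': identity.get('certificate', client.get('cacert_file', 'None'))}`. The same pattern appears in the controller.sls hunk with `controller.cacert_file`. The `{%- set ... %}` block this line belongs to starts outside the hunk.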
diff --git a/cinder/controller.sls b/cinder/controller.sls
index 34ff377..b5620b9 100644
--- a/cinder/controller.sls
+++ b/cinder/controller.sls
@@ -143,7 +143,7 @@
'protocol': identity.get('protocol', 'http'),
'region_name': identity.get('region_name', 'RegionOne'),
'endpoint_type': identity.get('endpoint_type', 'internalURL'),
- 'certificate': identity.get('certificate', 'None')} %}
+ 'certificate': identity.get('certificate', controller.cacert_file)} %}
{%- for backend_name, backend in controller.get('backend', {}).iteritems() %}
diff --git a/cinder/files/ocata/cinder.conf.controller.Debian b/cinder/files/ocata/cinder.conf.controller.Debian
index 9900510..6db5fe3 100644
--- a/cinder/files/ocata/cinder.conf.controller.Debian
+++ b/cinder/files/ocata/cinder.conf.controller.Debian
@@ -29,7 +29,11 @@
osapi_volume_listen={{ controller.osapi.host }}
-glance_api_servers = http://{{ controller.glance.host }}:{{ controller.glance.port }}
+glance_api_servers = {{ controller.glance.get('protocol','http') }}://{{ controller.glance.host }}:{{ controller.glance.port }}
+{%- if controller.glance.get('protocol','http') == 'https' %}
+glance_ca_certificates_file = {{ controller.glance.get('cacert_file', controller.cacert_file) }}
+{%- endif %}
+
glance_host={{ controller.glance.host }}
glance_port={{ controller.glance.port }}
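Review bot: The `controller.glance.get('protocol','http')` expression is evaluated twice in this hunk, once to build `glance_api_servers` and once in the `{%- if` guard that emits `glance_ca_certificates_file`; binding it once with `{%- set glance_protocol = controller.glance.get('protocol', 'http') %}` and using `glance_protocol` in both places keeps the URL scheme and the CA-file guard from drifting apart when one of them is later edited. The same repetition occurs in the [keystone_authtoken] hunk of this file and in the glance and [keystone_authtoken] hunks of cinder.conf.volume.Debian. The guard is otherwise correct: the CA file is only emitted for https, so plain-http deployments are unaffected.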
@@ -40,7 +44,7 @@
os_privileged_user_name={{ controller.identity.user }}
os_privileged_user_password={{ controller.identity.password }}
os_privileged_user_tenant={{ controller.identity.tenant }}
-os_privileged_user_auth_url=http://{{ controller.identity.host }}:5000/v3/
+os_privileged_user_auth_url={{ controller.identity.get('protocol','http') }}://{{ controller.identity.host }}:5000/v3/
volume_backend_name=DEFAULT
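Review bot: `os_privileged_user_auth_url` now switches to https with the identity protocol, but nothing in this hunk supplies a CA path for that connection; the `cafile` added under [keystone_authtoken] in the later hunk covers token validation, and if the privileged-user session is built by Cinder's nova client it reads its CA bundle from a separate option (`nova_ca_certificates_file`, if memory serves) rather than from [keystone_authtoken]. Unless the default CA store already trusts the Keystone certificate, that connection will fail verification when `cacert_file` points at a private CA. Worth confirming against the Cinder release in use and, if so, emitting the nova CA option under the same https guard. The same applies to the `os_privileged_user_auth_url` hunk in cinder.conf.volume.Debian.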
@@ -165,8 +169,12 @@
username = {{ controller.identity.user }}
password = {{ controller.identity.password }}
-auth_uri=http://{{ controller.identity.host }}:5000
-auth_url=http://{{ controller.identity.host }}:35357
+auth_uri={{ controller.identity.get('protocol', 'http') }}://{{ controller.identity.host }}:5000
+auth_url={{ controller.identity.get('protocol', 'http') }}://{{ controller.identity.host }}:35357
+{%- if controller.identity.get('protocol', 'http') == 'https' %}
+cafile={{ controller.identity.get('cacert_file', controller.cacert_file) }}
+{%- endif %}
+
# Temporary disabled for backward compataiblity
#auth_uri=http://{{ controller.identity.host }}/identity
#auth_url=http://{{ controller.identity.host }}/identity_v2_admin
@@ -178,8 +186,12 @@
{%- if controller.get('barbican', {}).get('enabled', False) %}
[key_manager]
api_class = castellan.key_manager.barbican_key_manager.BarbicanKeyManager
+
[barbican]
auth_endpoint = {{ controller.identity.get('protocol', 'http') }}://{{ controller.identity.get('host', 'localhost') }}:{{ controller.identity.get('port', '5000') }}/v3
+{%- if controller.barbican.get('protocol', 'http') == 'https' %}
+cafile={{ controller.barbican.get('cacert_file', controller.cacerts_file) }}
+{%- endif %}
{%- endif %}
[database]
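Review bot: `controller.cacerts_file` on the added `cafile=` line is spelled with a plural that nowhere else in this diff uses (`controller.cacert_file` on the glance and [keystone_authtoken] lines of this file), so the fallback will be an undefined attribute whenever `barbican.cacert_file` is not set. The guard also keys off `controller.barbican.get('protocol', 'http')` while the `auth_endpoint` it sits under is built from `controller.identity.get('protocol', ...)`, so the CA file and the endpoint it is meant to verify are driven by different pillar keys. I would expect `{%- if controller.identity.get('protocol', 'http') == 'https' %}` followed by `cafile={{ controller.barbican.get('cacert_file', controller.cacert_file) }}`, unless barbican is meant to carry its own protocol setting, in which case the endpoint line should use it too. It is also worth checking the castellan option list that this [barbican] section honours a `cafile` key at all; the enclosing `{%- if controller.get('barbican', ...)` block starts outside the hunk.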
diff --git a/cinder/files/ocata/cinder.conf.volume.Debian b/cinder/files/ocata/cinder.conf.volume.Debian
index 3b7de33..979b0b8 100644
--- a/cinder/files/ocata/cinder.conf.volume.Debian
+++ b/cinder/files/ocata/cinder.conf.volume.Debian
@@ -28,7 +28,11 @@
osapi_volume_listen={{ volume.osapi.host }}
-glance_api_servers = http://{{ volume.glance.host }}:{{ volume.glance.port }}
+glance_api_servers = {{ volume.glance.get('protocol','http') }}://{{ volume.glance.host }}:{{ volume.glance.port }}
+{%- if volume.glance.get('protocol','http') == 'https' %}
+glance_ca_certificates_file = {{ volume.glance.get('cacert_file', volume.cacert_file) }}
+{%- endif %}
+
glance_host={{ volume.glance.host }}
glance_port={{ volume.glance.port }}
@@ -37,7 +41,7 @@
os_privileged_user_name={{ volume.identity.user }}
os_privileged_user_password={{ volume.identity.password }}
os_privileged_user_tenant={{ volume.identity.tenant }}
-os_privileged_user_auth_url=http://{{ volume.identity.host }}:5000/v3/
+os_privileged_user_auth_url={{ volume.identity.get('protocol','http') }}://{{ volume.identity.host }}:5000/v3/
volume_backend_name=DEFAULT
@@ -152,9 +156,12 @@
project_name = {{ volume.identity.tenant }}
username = {{ volume.identity.user }}
password = {{ volume.identity.password }}
+auth_uri={{ volume.identity.get('protocol', 'http') }}://{{ volume.identity.host }}:5000
+auth_url={{ volume.identity.get('protocol', 'http') }}://{{ volume.identity.host }}:35357
+{%- if volume.identity.get('protocol', 'http') == 'https' %}
+cafile={{ volume.identity.get('cacert_file', volume.cacert_file) }}
+{%- endif %}
-auth_uri=http://{{ volume.identity.host }}:5000/v3
-auth_url=http://{{ volume.identity.host }}:35357/v3
# Temporary disabled for backward compataiblity
#auth_uri=http://{{ volume.identity.host }}/identity
#auth_url=http://{{ volume.identity.host }}/identity_v2_admin
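Review bot: The rewritten `auth_uri` and `auth_url` lines drop the `/v3` path suffix that the removed lines carried (`:5000/v3` → `:5000`, `:35357/v3` → `:35357`), which changes how keystonemiddleware discovers the identity API version and is unrelated to making the scheme configurable. If aligning the volume file with the controller file (which has no `/v3`) is intended, the commit message should say so; otherwise keep the suffix, e.g. `auth_uri={{ volume.identity.get('protocol', 'http') }}://{{ volume.identity.host }}:5000/v3` and `auth_url={{ volume.identity.get('protocol', 'http') }}://{{ volume.identity.host }}:35357/v3`. The added `cafile` guard itself is fine and matches the controller hunk.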
@@ -168,6 +175,9 @@
api_class = castellan.key_manager.barbican_key_manager.BarbicanKeyManager
[barbican]
auth_endpoint = {{ volume.identity.get('protocol', 'http') }}://{{ volume.identity.get('host', 'localhost') }}:{{ volume.identity.get('port', '5000') }}/v3
+{%- if volume.barbican.get('protocol', 'https') %}
+cafile={{ volume.identity.get('cacert_file', volume.cacert_file) }}
+{%- endif %}
{%- endif %}
[database]
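Review bot: `{%- if volume.barbican.get('protocol', 'https') %}` is a truthiness test, not a comparison, so it is true for the default and for any non-empty value including `'http'`; the `cafile=` line is therefore always emitted, which diverges from the `== 'https'` guards used everywhere else in this diff. The value on the next line is also taken from `volume.identity.get('cacert_file', ...)` whereas the controller file reads `controller.barbican.get('cacert_file', ...)`, so the two templates disagree on which pillar key supplies the Barbican CA path. Making the guard a real comparison and picking one source, `{%- if volume.identity.get('protocol', 'http') == 'https' %}` with `cafile={{ volume.barbican.get('cacert_file', volume.cacert_file) }}`, would bring it in line with the controller hunk once that hunk's own issues are fixed. The enclosing `{%- if volume.get('barbican', ...)` block starts outside the hunk.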
diff --git a/cinder/map.jinja b/cinder/map.jinja
index 3922417..e04b232 100644
--- a/cinder/map.jinja
+++ b/cinder/map.jinja
@@ -82,13 +82,14 @@
}, merge=pillar.cinder.get('volume', {}), base='BaseDefaults') %}
{% set client = salt['grains.filter_by']({
+ 'BaseDefaults': default_params,
'Debian': {
'pkgs': ['python-cinderclient']
},
'RedHat': {
'pkgs': ['python-cinderclient']
},
-}, merge=pillar.cinder.get('client', {})) %}
+}, merge=pillar.cinder.get('client', {}), base='BaseDefaults') %}
{% set monitoring = salt['grains.filter_by']({
'default': {