Merge "OpenStack HTTPS Endpoints support"
diff --git a/README.rst b/README.rst
index 0775ac7..d3f0672 100644
--- a/README.rst
+++ b/README.rst
@@ -168,58 +168,52 @@
....
-**Client-side RabbitMQ TLS configuration.**
+Configuring TLS communications
+------------------------------
-|
-To enable TLS for oslo.messaging you need to provide the CA certificate.
-By default system-wide CA certs are used. Nothing should be specified except `ssl.enabled`.
+**Note:** by default system wide installed CA certs are used, so ``cacert_file`` param is optional, as well as ``cacert``.
+
+
+- **RabbitMQ TLS**
.. code-block:: yaml
- cinder:
- controller or volume:
- ....
+ cinder:
+ controller, volume:
message_queue:
+ port: 5671
ssl:
enabled: True
+ (optional) cacert: cert body if the cacert_file does not exists
+ (optional) cacert_file: /etc/openstack/rabbitmq-ca.pem
+ (optional) version: TLSv1_2
-
-Use `cacert_file` option to specify the CA-cert file path explicitly:
+- **MySQL TLS**
.. code-block:: yaml
- cinder:
- controller or volume:
- ....
- message_queue:
+ cinder:
+ controller:
+ database:
ssl:
enabled: True
- cacert_file: /etc/ssl/rabbitmq-ca.pem
+ (optional) cacert: cert body if the cacert_file does not exists
+ (optional) cacert_file: /etc/openstack/mysql-ca.pem
-To manage content of the `cacert_file` use the `cacert` option:
+- **Openstack HTTPS API**
.. code-block:: yaml
- cinder:
- controller or volume:
- ....
- message_queue:
- ssl:
- enabled: True
- cacert: |
-
- -----BEGIN CERTIFICATE-----
- ...
- -----END CERTIFICATE-------
-
- cacert_file: /etc/openstack/rabbitmq-ca.pem
-
-
-Notice:
- * The `message_queue.port` is set to **5671** (AMQPS) by default if `ssl.enabled=True`.
- * Use `message_queue.ssl.version` if you need to specify protocol version. By default is TLSv1 for python < 2.7.9 and TLSv1_2 for version above.
+ cinder:
+ controller, volume:
+ identity:
+ protocol: https
+ (optional) cacert_file: /etc/openstack/proxy.pem
+ glance:
+ protocol: https
+ (optional) cacert_file: /etc/openstack/proxy.pem
diff --git a/cinder/client.sls b/cinder/client.sls
index bdb3765..52b3042 100644
--- a/cinder/client.sls
+++ b/cinder/client.sls
@@ -19,7 +19,7 @@
'protocol': identity.get('protocol', 'http'),
'region_name': identity.get('region_name', 'RegionOne'),
'endpoint_type': identity.get('endpoint_type', 'internalURL'),
- 'certificate': identity.get('certificate', 'None')} %}
+ 'certificate': identity.get('certificate', client.cacert_file)} %}
{%- for backend_name, backend in client.get('backend', {}).iteritems() %}
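Review bot: The new default `client.cacert_file` is a plain attribute access with no fallback, so rendering this state fails (or yields an undefined value, depending on the Jinja undefined mode Salt uses) whenever the merged `client` dict has no `cacert_file` key. Whether it always has one depends on `default_params` in cinder/map.jinja, which this commit wires into `client` via `base='BaseDefaults'` but whose contents are outside the diff; confirm that `default_params` defines `cacert_file`, or make the lookup tolerant, e.g. `'certificate': identity.get('certificate', client.get('cacert_file'))`. The same pattern appears in the cinder/controller.sls hunk (`controller.cacert_file`). The enclosing `{% set %}` block starts before this hunk.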
diff --git a/cinder/controller.sls b/cinder/controller.sls
index 34ff377..b5620b9 100644
--- a/cinder/controller.sls
+++ b/cinder/controller.sls
@@ -143,7 +143,7 @@
'protocol': identity.get('protocol', 'http'),
'region_name': identity.get('region_name', 'RegionOne'),
'endpoint_type': identity.get('endpoint_type', 'internalURL'),
- 'certificate': identity.get('certificate', 'None')} %}
+ 'certificate': identity.get('certificate', controller.cacert_file)} %}
{%- for backend_name, backend in controller.get('backend', {}).iteritems() %}
diff --git a/cinder/files/ocata/cinder.conf.controller.Debian b/cinder/files/ocata/cinder.conf.controller.Debian
index 9f39498..8bc04ef 100644
--- a/cinder/files/ocata/cinder.conf.controller.Debian
+++ b/cinder/files/ocata/cinder.conf.controller.Debian
@@ -29,7 +29,11 @@
osapi_volume_listen={{ controller.osapi.host }}
-glance_api_servers = http://{{ controller.glance.host }}:{{ controller.glance.port }}
+glance_api_servers = {{ controller.glance.get('protocol','http') }}://{{ controller.glance.host }}:{{ controller.glance.port }}
+{%- if controller.glance.get('protocol','http') == 'https' %}
+glance_ca_certificates_file = {{ controller.glance.get('cacert_file', controller.cacert_file) }}
+{%- endif %}
+
glance_host={{ controller.glance.host }}
glance_port={{ controller.glance.port }}
@@ -40,7 +44,7 @@
os_privileged_user_name={{ controller.identity.user }}
os_privileged_user_password={{ controller.identity.password }}
os_privileged_user_tenant={{ controller.identity.tenant }}
-os_privileged_user_auth_url=http://{{ controller.identity.host }}:5000/v3/
+os_privileged_user_auth_url={{ controller.identity.get('protocol','http') }}://{{ controller.identity.host }}:5000/v3/
volume_backend_name=DEFAULT
@@ -169,8 +173,12 @@
username = {{ controller.identity.user }}
password = {{ controller.identity.password }}
-auth_uri=http://{{ controller.identity.host }}:5000
-auth_url=http://{{ controller.identity.host }}:35357
+auth_uri={{ controller.identity.get('protocol', 'http') }}://{{ controller.identity.host }}:5000
+auth_url={{ controller.identity.get('protocol', 'http') }}://{{ controller.identity.host }}:35357
+{%- if controller.identity.get('protocol', 'http') == 'https' %}
+cafile={{ controller.identity.get('cacert_file', controller.cacert_file) }}
+{%- endif %}
+
# Temporary disabled for backward compataiblity
#auth_uri=http://{{ controller.identity.host }}/identity
#auth_url=http://{{ controller.identity.host }}/identity_v2_admin
@@ -182,8 +190,12 @@
{%- if controller.get('barbican', {}).get('enabled', False) %}
[key_manager]
api_class = castellan.key_manager.barbican_key_manager.BarbicanKeyManager
+
[barbican]
auth_endpoint = {{ controller.identity.get('protocol', 'http') }}://{{ controller.identity.get('host', 'localhost') }}:{{ controller.identity.get('port', '5000') }}/v3
+{%- if controller.barbican.get('protocol', 'http') == 'https' %}
+cafile={{ controller.barbican.get('cacert_file', controller.cacerts_file) }}
+{%- endif %}
{%- endif %}
[database]
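Review bot: `controller.cacerts_file` on the new `cafile=` line under `[barbican]` looks like a typo for `controller.cacert_file`, which is the name used by the glance and `[keystone_authtoken]` hunks earlier in this file; as written the fallback references a key that nothing else in the diff sets, so a deployment relying on the default path would most likely get an empty or failing render instead of a CA file. The guard is also keyed on `controller.barbican.get('protocol', 'http')` while the `auth_endpoint` it protects is built from `controller.identity`'s protocol, so the two can disagree (https identity endpoint without a cafile, or vice versa); if `auth_endpoint` is meant to be the Keystone endpoint, the guard should probably test the identity protocol as the `[keystone_authtoken]` hunk does. Minimal fix: `cafile={{ controller.barbican.get('cacert_file', controller.cacert_file) }}`.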
diff --git a/cinder/files/ocata/cinder.conf.volume.Debian b/cinder/files/ocata/cinder.conf.volume.Debian
index 197309b..f999860 100644
--- a/cinder/files/ocata/cinder.conf.volume.Debian
+++ b/cinder/files/ocata/cinder.conf.volume.Debian
@@ -28,7 +28,11 @@
osapi_volume_listen={{ volume.osapi.host }}
-glance_api_servers = http://{{ volume.glance.host }}:{{ volume.glance.port }}
+glance_api_servers = {{ volume.glance.get('protocol','http') }}://{{ volume.glance.host }}:{{ volume.glance.port }}
+{%- if volume.glance.get('protocol','http') == 'https' %}
+glance_ca_certificates_file = {{ volume.glance.get('cacert_file', volume.cacert_file) }}
+{%- endif %}
+
glance_host={{ volume.glance.host }}
glance_port={{ volume.glance.port }}
@@ -37,7 +41,7 @@
os_privileged_user_name={{ volume.identity.user }}
os_privileged_user_password={{ volume.identity.password }}
os_privileged_user_tenant={{ volume.identity.tenant }}
-os_privileged_user_auth_url=http://{{ volume.identity.host }}:5000/v3/
+os_privileged_user_auth_url={{ volume.identity.get('protocol','http') }}://{{ volume.identity.host }}:5000/v3/
volume_backend_name=DEFAULT
@@ -156,9 +160,12 @@
project_name = {{ volume.identity.tenant }}
username = {{ volume.identity.user }}
password = {{ volume.identity.password }}
+auth_uri={{ volume.identity.get('protocol', 'http') }}://{{ volume.identity.host }}:5000
+auth_url={{ volume.identity.get('protocol', 'http') }}://{{ volume.identity.host }}:35357
+{%- if volume.identity.get('protocol', 'http') == 'https' %}
+cafile={{ volume.identity.get('cacert_file', volume.cacert_file) }}
+{%- endif %}
-auth_uri=http://{{ volume.identity.host }}:5000/v3
-auth_url=http://{{ volume.identity.host }}:35357/v3
# Temporary disabled for backward compataiblity
#auth_uri=http://{{ volume.identity.host }}/identity
#auth_url=http://{{ volume.identity.host }}/identity_v2_admin
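Review bot: The rewritten `auth_uri` and `auth_url` lines drop the `/v3` path suffix that the removed lines carried, which is a behaviour change independent of the HTTPS support this commit adds: keystonemiddleware treats an unversioned `auth_url` differently (it has to discover the API version) and any deployment that depended on the explicit v3 URL will see different requests. This does bring the volume template in line with the controller template, where the same lines have no suffix, so it may be intentional; if so, say so in the commit message, otherwise keep the suffix, e.g. `auth_url={{ volume.identity.get('protocol', 'http') }}://{{ volume.identity.host }}:35357/v3`. The `[keystone_authtoken]` section continues outside the hunk.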
@@ -172,6 +179,9 @@
api_class = castellan.key_manager.barbican_key_manager.BarbicanKeyManager
[barbican]
auth_endpoint = {{ volume.identity.get('protocol', 'http') }}://{{ volume.identity.get('host', 'localhost') }}:{{ volume.identity.get('port', '5000') }}/v3
+{%- if volume.barbican.get('protocol', 'https') %}
+cafile={{ volume.identity.get('cacert_file', volume.cacert_file) }}
+{%- endif %}
{%- endif %}
[database]
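Review bot: `{%- if volume.barbican.get('protocol', 'https') %}` is always true, because `get` returns a non-empty string (the configured value or the default) and any non-empty string is truthy, so `cafile=` is emitted even for plain-http deployments and the default effectively flips to https; the controller template's equivalent guard compares with `== 'https'`. The `cafile` value also reads `volume.identity.get('cacert_file', ...)` while the guard looks at `volume.barbican`, so a barbican-specific CA file configured in pillar is ignored. Suggested lines: `{%- if volume.barbican.get('protocol', 'http') == 'https' %}` and `cafile={{ volume.barbican.get('cacert_file', volume.cacert_file) }}`. The enclosing `{%- if ... barbican ... enabled %}` block starts before this hunk.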
diff --git a/cinder/map.jinja b/cinder/map.jinja
index 3922417..e04b232 100644
--- a/cinder/map.jinja
+++ b/cinder/map.jinja
@@ -82,13 +82,14 @@
}, merge=pillar.cinder.get('volume', {}), base='BaseDefaults') %}
{% set client = salt['grains.filter_by']({
+ 'BaseDefaults': default_params,
'Debian': {
'pkgs': ['python-cinderclient']
},
'RedHat': {
'pkgs': ['python-cinderclient']
},
-}, merge=pillar.cinder.get('client', {})) %}
+}, merge=pillar.cinder.get('client', {}), base='BaseDefaults') %}
{% set monitoring = salt['grains.filter_by']({
'default': {