OpenStack HTTPS Endpoints support
Communication between services usually done via internal
endpoints that are located in internal network. In some
cases it is required to encrypt traffic even on internal
network. This patch unhardcode communication protocol between
Designate and other services. Also adds possibility to specify
ca_file to verify SSL certificates of remote peers.
This change is fully backward compatible.
Related-Prod: PROD-15733
Change-Id: Ib4b41acf90da3b13b718f3d7eda4bff069c3353d
diff --git a/designate/files/ocata/designate.conf.Debian b/designate/files/ocata/designate.conf.Debian
index 65382f0..a89914c 100644
--- a/designate/files/ocata/designate.conf.Debian
+++ b/designate/files/ocata/designate.conf.Debian
@@ -210,10 +210,13 @@
[keystone_authtoken]
auth_host = {{ server.identity.host }}
auth_port = 35357
-auth_protocol = http
+auth_protocol = {{ server.identity.get('protocol', 'http') }}
admin_tenant_name = {{ server.identity.tenant }}
admin_user = {{ server.identity.user }}
admin_password = {{ server.identity.password }}
+{%- if server.identity.get('protocol', 'http') == 'https' %}
+cafile = {{ server.identity.get('cacert_file', server.cacert_file) }}
+{%- endif %}
#memcached_servers = localhost:11211
#auth_type = password
@@ -518,7 +521,7 @@
# Database connection string - to configure options for a given implementation
# like sqlalchemy or other see below
#connection = sqlite:///$state_path/designate.sqlite
-connection = {{ server.database.engine }}://{{ server.database.user }}:{{ server.database.password }}@{{ server.database.host }}/{{ server.database.name.main_database }}
+connection = {{ server.database.engine }}://{{ server.database.user }}:{{ server.database.password }}@{{ server.database.host }}/{{ server.database.name.main_database }}{%- if server.database.get('ssl',{}).get('enabled',False) %}?ssl_ca={{ server.database.ssl.get('cacert_file', server.cacert_file) }}{% endif %}
#connection_debug = 0
#connection_trace = False