Merge remote-tracking branch 'target/master'
diff --git a/README.rst b/README.rst
index 02da35d..415c31f 100644
--- a/README.rst
+++ b/README.rst
@@ -127,58 +127,64 @@
virtual_host: '/openstack'
....
-Client-side RabbitMQ TLS configuration:
----------------------------------------
+Configuring TLS communications
+------------------------------
-To enable TLS for oslo.messaging you need to provide the CA certificate.
-By default system-wide CA certs are used. Nothing should be specified except `ssl.enabled`.
+**Note:** by default system wide installed CA certs are used, so ``cacert_file`` param is optional, as well as ``cacert``.
+
+
+- **RabbitMQ TLS**
.. code-block:: yaml
- glance:
- server:
- ....
+ glance:
+ server:
message_queue:
+ port: 5671
ssl:
enabled: True
+ (optional) cacert: cert body if the cacert_file does not exists
+ (optional) cacert_file: /etc/openstack/rabbitmq-ca.pem
+ (optional) version: TLSv1_2
-
-Use `cacert_file` option to specify the CA-cert file path explicitly:
+- **MySQL TLS**
.. code-block:: yaml
- glance:
- server:
- ....
- message_queue:
+ glance:
+ server:
+ database:
ssl:
enabled: True
- cacert_file: /etc/ssl/rabbitmq-ca.pem
+ (optional) cacert: cert body if the cacert_file does not exists
+ (optional) cacert_file: /etc/openstack/mysql-ca.pem
-To manage content of the `cacert_file` use the `cacert` option:
+- **Openstack HTTPS API**
+
+
+Set the ``https`` as protocol at ``glance:server`` sections:
.. code-block:: yaml
- glance:
- server:
- ....
- message_queue:
- ssl:
- enabled: True
- cacert: |
+ glance:
+ server:
+ identity:
+ protocol: https
+ (optional) cacert_file: /etc/openstack/proxy.pem
+ registry:
+ protocol: https
+ (optional) cacert_file: /etc/openstack/proxy.pem
+ storage:
+ engine: cinder, swift
+ cinder:
+ protocol: https
+ (optional) cacert_file: /etc/openstack/proxy.pem
+ swift:
+ store:
+ (optional) cafile: /etc/openstack/proxy.pem
- -----BEGIN CERTIFICATE-----
- ...
- -----END CERTIFICATE-------
-
- cacert_file: /etc/openstack/rabbitmq-ca.pem
-
-
-Notice:
- * The `message_queue.port` is set to **5671** (AMQPS) by default if `ssl.enabled=True`.
- * Use `message_queue.ssl.version` if you need to specify protocol version. By default is TLSv1 for python < 2.7.9 and TLSv1_2 for version above.
Enable Glance Image Cache:
diff --git a/glance/files/ocata/glance-api.conf.Debian b/glance/files/ocata/glance-api.conf.Debian
index a6abc93..a2ad833 100644
--- a/glance/files/ocata/glance-api.conf.Debian
+++ b/glance/files/ocata/glance-api.conf.Debian
@@ -1247,7 +1247,7 @@
# (string value)
# Allowed values: http, https
#registry_client_protocol = http
-registry_client_protocol = http
+registry_client_protocol = {{ server.registry.get('protocol', 'http') }}
#
# Absolute path to the private key file.
@@ -1314,7 +1314,9 @@
# * registry_client_insecure
#
# (string value)
-#registry_client_ca_file = /etc/ssl/cafile/file.ca
+{%- if server.registry.get('protocol', 'http') == 'https' %}
+registry_client_ca_file = {{ server.registry.get('cacert_file', server.cacert_file) }}
+{%- endif %}
#
# Set verification of the registry server certificate.
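Review bot: The fallback `server.registry.get('cacert_file', server.cacert_file)` on the new registry_client_ca_file line assumes a top-level `cacert_file` key always exists; when neither the per-service nor the top-level key is set, the stanza renders either as `registry_client_ca_file =` with an empty value or as a render failure, depending on how the renderer treats undefined names, while the README hunk in this same commit documents `cacert_file` as optional with the system CA store as the default. Emitting the option only when a value actually resolves keeps that documented contract: `{%- set ca_file = server.registry.get('cacert_file', server.get('cacert_file')) %}`, then `{%- if server.registry.get('protocol', 'http') == 'https' and ca_file %}` around the assignment, which becomes `registry_client_ca_file = {{ ca_file }}`. The same fallback pattern is used on the cinder_ca_certificates_file and keystone_authtoken `cafile` lines later in this file and in the glance-glare.conf.Debian and glance-registry.conf.Debian hunks, so the guard belongs in each of those places as well. Note that with a strict-undefined renderer the default argument is evaluated even when the per-service key is present, so the top-level lookup should use `.get` rather than attribute access in every case.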
@@ -2098,6 +2100,8 @@
#
# (string value)
#cinder_catalog_info = volumev2::publicURL
+
+
cinder_catalog_info = volumev2::{{ server.identity.get('endpoint_type', 'publicURL') }}
#
@@ -2162,7 +2166,10 @@
# * cinder_api_insecure
#
# (string value)
-#cinder_ca_certificates_file = <None>
+
+{%- if 'cinder' in storage_engines and server.storage.cinder.get('protocol', 'http') == 'https' %}
+cinder_ca_certificates_file = {{ server.storage.cinder.get('cacert_file', server.cacert_file) }}
+{%- endif %}
#
# Number of cinderclient retries on failed http calls.
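Review bot: The blank `+` line inserted above the `{%- if 'cinder' in storage_engines ...` block (and the two blank lines added above cinder_catalog_info in the previous hunk) are stray: the `{%-` tag already strips the whitespace preceding it, so they change nothing in the rendered file and only add noise to the template source. The corresponding hunk in glance-glare.conf.Debian adds the same stray blank line, and the keystone_authtoken hunk in this file adds one after its `{%- endif %}` that the glare and registry variants do not, so the three files drift in layout for no reason. Dropping the blank lines, or keeping one consistent blank after each `{%- endif %}`, would make the templates line up. `storage_engines` is presumably defined earlier in the template, outside this hunk; worth confirming it is always set so the `in` test cannot hit an undefined name.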
@@ -3394,8 +3401,12 @@
project_name = {{ server.identity.tenant }}
username = {{ server.identity.user }}
password = {{ server.identity.password }}
-auth_uri=http://{{ server.identity.host }}:5000
-auth_url=http://{{ server.identity.host }}:35357
+auth_uri={{ server.identity.get('protocol', 'http') }}://{{ server.identity.host }}:5000
+auth_url={{ server.identity.get('protocol', 'http') }}://{{ server.identity.host }}:35357
+{%- if server.identity.get('protocol', 'http') == 'https' %}
+cafile={{ server.identity.get('cacert_file', server.cacert_file) }}
+{%- endif %}
+
token_cache_time = -1
{%- if server.cache is defined %}
diff --git a/glance/files/ocata/glance-glare.conf.Debian b/glance/files/ocata/glance-glare.conf.Debian
index 3d30443..c9e79d6 100644
--- a/glance/files/ocata/glance-glare.conf.Debian
+++ b/glance/files/ocata/glance-glare.conf.Debian
@@ -858,7 +858,10 @@
# * cinder_api_insecure
#
# (string value)
-#cinder_ca_certificates_file = <None>
+
+{%- if 'cinder' in storage_engines and server.storage.cinder.get('protocol', 'http') == 'https' %}
+cinder_ca_certificates_file = {{ server.storage.cinder.get('cacert_file', server.cacert_file) }}
+{%- endif %}
#
# Number of cinderclient retries on failed http calls.
@@ -2052,8 +2055,11 @@
project_name = {{ server.identity.tenant }}
username = {{ server.identity.user }}
password = {{ server.identity.password }}
-auth_uri=http://{{ server.identity.host }}:5000
-auth_url=http://{{ server.identity.host }}:35357
+auth_uri={{ server.identity.get('protocol', 'http') }}://{{ server.identity.host }}:5000
+auth_url={{ server.identity.get('protocol', 'http') }}://{{ server.identity.host }}:35357
+{%- if server.identity.get('protocol', 'http') == 'https' %}
+cafile={{ server.identity.get('cacert_file', server.cacert_file) }}
+{%- endif %}
token_cache_time = -1
{%- if server.cache is defined %}
diff --git a/glance/files/ocata/glance-registry.conf.Debian b/glance/files/ocata/glance-registry.conf.Debian
index dad9568..d5b34e4 100644
--- a/glance/files/ocata/glance-registry.conf.Debian
+++ b/glance/files/ocata/glance-registry.conf.Debian
@@ -1181,8 +1181,11 @@
project_name = {{ server.identity.tenant }}
username = {{ server.identity.user }}
password = {{ server.identity.password }}
-auth_uri=http://{{ server.identity.host }}:5000
-auth_url=http://{{ server.identity.host }}:35357
+auth_uri={{ server.identity.get('protocol', 'http') }}://{{ server.identity.host }}:5000
+auth_url={{ server.identity.get('protocol', 'http') }}://{{ server.identity.host }}:35357
+{%- if server.identity.get('protocol', 'http') == 'https' %}
+cafile={{ server.identity.get('cacert_file', server.cacert_file) }}
+{%- endif %}
{%- if server.cache is defined %}
memcached_servers={%- for member in server.cache.members %}{{ member.host }}:11211{% if not loop.last %},{% endif %}{%- endfor %}