OpenStack HTTPS Endpoints support
Communication between services is usually done via internal
endpoints that are located in the internal network. In some
cases it is required to encrypt traffic even on the internal
network. This patch unhardcodes the communication protocol between
Glance and other services. It also adds the possibility to specify
ca_file to verify SSL certificates of remote peers.
This change is fully backward compatible.
Related-Prod: PROD-15737
Change-Id: I7aefbad5101acf68a045aa1595b99b1ab8947d6d
diff --git a/README.rst b/README.rst
index 02da35d..415c31f 100644
--- a/README.rst
+++ b/README.rst
@@ -127,58 +127,64 @@
virtual_host: '/openstack'
....
-Client-side RabbitMQ TLS configuration:
----------------------------------------
+Configuring TLS communications
+------------------------------
-To enable TLS for oslo.messaging you need to provide the CA certificate.
-By default system-wide CA certs are used. Nothing should be specified except `ssl.enabled`.
+**Note:** by default system wide installed CA certs are used, so ``cacert_file`` param is optional, as well as ``cacert``.
+
+
+- **RabbitMQ TLS**
.. code-block:: yaml
- glance:
- server:
- ....
+ glance:
+ server:
message_queue:
+ port: 5671
ssl:
enabled: True
+ (optional) cacert: cert body if the cacert_file does not exists
+ (optional) cacert_file: /etc/openstack/rabbitmq-ca.pem
+ (optional) version: TLSv1_2
-
-Use `cacert_file` option to specify the CA-cert file path explicitly:
+- **MySQL TLS**
.. code-block:: yaml
- glance:
- server:
- ....
- message_queue:
+ glance:
+ server:
+ database:
ssl:
enabled: True
- cacert_file: /etc/ssl/rabbitmq-ca.pem
+ (optional) cacert: cert body if the cacert_file does not exists
+ (optional) cacert_file: /etc/openstack/mysql-ca.pem
-To manage content of the `cacert_file` use the `cacert` option:
+- **Openstack HTTPS API**
+
+
+Set the ``https`` as protocol at ``glance:server`` sections:
.. code-block:: yaml
- glance:
- server:
- ....
- message_queue:
- ssl:
- enabled: True
- cacert: |
+ glance:
+ server:
+ identity:
+ protocol: https
+ (optional) cacert_file: /etc/openstack/proxy.pem
+ registry:
+ protocol: https
+ (optional) cacert_file: /etc/openstack/proxy.pem
+ storage:
+ engine: cinder, swift
+ cinder:
+ protocol: https
+ (optional) cacert_file: /etc/openstack/proxy.pem
+ swift:
+ store:
+ (optional) cafile: /etc/openstack/proxy.pem
- -----BEGIN CERTIFICATE-----
- ...
- -----END CERTIFICATE-------
-
- cacert_file: /etc/openstack/rabbitmq-ca.pem
-
-
-Notice:
- * The `message_queue.port` is set to **5671** (AMQPS) by default if `ssl.enabled=True`.
- * Use `message_queue.ssl.version` if you need to specify protocol version. By default is TLSv1 for python < 2.7.9 and TLSv1_2 for version above.
Enable Glance Image Cache:
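Review bot: the YAML examples added under "RabbitMQ TLS", "MySQL TLS" and "Openstack HTTPS API" are not valid YAML because of the `(optional) cacert: cert body if the cacert_file does not exists` placeholder lines; show the optional keys as real keys with sample values, or list them in prose below each block. The swift store example uses `cafile` while every other section uses `cacert_file`; use one name or call out the difference explicitly. The removed Notice block was the only place stating that `message_queue.port` defaults to **5671** when `ssl.enabled=True` and that `ssl.version` defaults to TLSv1 on python < 2.7.9 and TLSv1_2 above; carry those two facts into the new section instead of dropping them, since the new example now shows `port: 5671` as if it had to be set by hand.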
diff --git a/glance/files/ocata/glance-api.conf.Debian b/glance/files/ocata/glance-api.conf.Debian
index a6abc93..a2ad833 100644
--- a/glance/files/ocata/glance-api.conf.Debian
+++ b/glance/files/ocata/glance-api.conf.Debian
@@ -1247,7 +1247,7 @@
# (string value)
# Allowed values: http, https
#registry_client_protocol = http
-registry_client_protocol = http
+registry_client_protocol = {{ server.registry.get('protocol', 'http') }}
#
# Absolute path to the private key file.
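Review bot: `server.registry.get('protocol', 'http')` dereferences `server.registry` unconditionally, whereas the old hardcoded `http` needed no pillar key at all; if a pillar may omit the `registry` section, use `server.get('registry', {}).get('protocol', 'http')` or confirm that `server.registry` is already required elsewhere in this template.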
@@ -1314,7 +1314,9 @@
# * registry_client_insecure
#
# (string value)
-#registry_client_ca_file = /etc/ssl/cafile/file.ca
+{%- if server.registry.get('protocol', 'http') == 'https' %}
+registry_client_ca_file = {{ server.registry.get('cacert_file', server.cacert_file) }}
+{%- endif %}
#
# Set verification of the registry server certificate.
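Review bot: the fallback in `registry_client_ca_file = {{ server.registry.get('cacert_file', server.cacert_file) }}` relies on a top-level `server.cacert_file` that the README in this change never documents, and when neither key is set the line renders as `registry_client_ca_file = ` with an empty value (or fails to render under strict undefined handling), which contradicts the README statement that `cacert_file` is optional and the system-wide CA bundle is used by default. Either document `glance:server:cacert_file` or extend the `{%- if %}` so the option is only emitted when one of the two values is defined, leaving the system bundle in effect otherwise.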
@@ -2098,6 +2100,8 @@
#
# (string value)
#cinder_catalog_info = volumev2::publicURL
+
+
cinder_catalog_info = volumev2::{{ server.identity.get('endpoint_type', 'publicURL') }}
#
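Review bot: this hunk only inserts two blank lines above `cinder_catalog_info`; drop the whitespace-only change so the diff stays limited to the TLS work.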
@@ -2162,7 +2166,10 @@
# * cinder_api_insecure
#
# (string value)
-#cinder_ca_certificates_file = <None>
+
+{%- if 'cinder' in storage_engines and server.storage.cinder.get('protocol', 'http') == 'https' %}
+cinder_ca_certificates_file = {{ server.storage.cinder.get('cacert_file', server.cacert_file) }}
+{%- endif %}
#
# Number of cinderclient retries on failed http calls.
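Review bot: the condition `'cinder' in storage_engines` refers to a `storage_engines` variable that is not defined in this hunk; confirm it is built earlier in the template as a list, because the README example in this change writes `engine: cinder, swift` as one comma-separated string, and `in` on a string is a substring test rather than list membership. The default `server.storage.cinder.get('cacert_file', server.cacert_file)` has the same undocumented `server.cacert_file` fallback as the registry block above.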
@@ -3394,8 +3401,12 @@
project_name = {{ server.identity.tenant }}
username = {{ server.identity.user }}
password = {{ server.identity.password }}
-auth_uri=http://{{ server.identity.host }}:5000
-auth_url=http://{{ server.identity.host }}:35357
+auth_uri={{ server.identity.get('protocol', 'http') }}://{{ server.identity.host }}:5000
+auth_url={{ server.identity.get('protocol', 'http') }}://{{ server.identity.host }}:35357
+{%- if server.identity.get('protocol', 'http') == 'https' %}
+cafile={{ server.identity.get('cacert_file', server.cacert_file) }}
+{%- endif %}
+
token_cache_time = -1
{%- if server.cache is defined %}
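Review bot: `auth_uri` and `auth_url` now take the scheme from `server.identity.protocol` but still hardcode ports 5000 and 35357, so with `protocol: https` the identity endpoint must terminate TLS on both ports; consider making the ports pillar-driven alongside the scheme. `cafile` again falls back to the undocumented `server.cacert_file`. This keystone_authtoken block is repeated verbatim in glance-glare.conf.Debian and glance-registry.conf.Debian (this copy adds a trailing blank line, the registry copy does not); a shared Jinja macro would keep the three copies from drifting.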
diff --git a/glance/files/ocata/glance-glare.conf.Debian b/glance/files/ocata/glance-glare.conf.Debian
index 3d30443..c9e79d6 100644
--- a/glance/files/ocata/glance-glare.conf.Debian
+++ b/glance/files/ocata/glance-glare.conf.Debian
@@ -858,7 +858,10 @@
# * cinder_api_insecure
#
# (string value)
-#cinder_ca_certificates_file = <None>
+
+{%- if 'cinder' in storage_engines and server.storage.cinder.get('protocol', 'http') == 'https' %}
+cinder_ca_certificates_file = {{ server.storage.cinder.get('cacert_file', server.cacert_file) }}
+{%- endif %}
#
# Number of cinderclient retries on failed http calls.
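Review bot: same concern as the glance-api copy of this block: `storage_engines` is not defined within this hunk and `server.cacert_file` is an undocumented fallback; keep the two templates in lockstep or factor the cinder TLS lines into a macro so a fix in one file cannot be missed in the other.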
@@ -2052,8 +2055,11 @@
project_name = {{ server.identity.tenant }}
username = {{ server.identity.user }}
password = {{ server.identity.password }}
-auth_uri=http://{{ server.identity.host }}:5000
-auth_url=http://{{ server.identity.host }}:35357
+auth_uri={{ server.identity.get('protocol', 'http') }}://{{ server.identity.host }}:5000
+auth_url={{ server.identity.get('protocol', 'http') }}://{{ server.identity.host }}:35357
+{%- if server.identity.get('protocol', 'http') == 'https' %}
+cafile={{ server.identity.get('cacert_file', server.cacert_file) }}
+{%- endif %}
token_cache_time = -1
{%- if server.cache is defined %}
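Review bot: duplicate of the keystone_authtoken change in glance-api.conf.Debian, minus the trailing blank line; ports 5000 and 35357 stay hardcoded here as well, so the same pillar-driven port suggestion applies.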
diff --git a/glance/files/ocata/glance-registry.conf.Debian b/glance/files/ocata/glance-registry.conf.Debian
index dad9568..d5b34e4 100644
--- a/glance/files/ocata/glance-registry.conf.Debian
+++ b/glance/files/ocata/glance-registry.conf.Debian
@@ -1181,8 +1181,11 @@
project_name = {{ server.identity.tenant }}
username = {{ server.identity.user }}
password = {{ server.identity.password }}
-auth_uri=http://{{ server.identity.host }}:5000
-auth_url=http://{{ server.identity.host }}:35357
+auth_uri={{ server.identity.get('protocol', 'http') }}://{{ server.identity.host }}:5000
+auth_url={{ server.identity.get('protocol', 'http') }}://{{ server.identity.host }}:35357
+{%- if server.identity.get('protocol', 'http') == 'https' %}
+cafile={{ server.identity.get('cacert_file', server.cacert_file) }}
+{%- endif %}
{%- if server.cache is defined %}
memcached_servers={%- for member in server.cache.members %}{{ member.host }}:11211{% if not loop.last %},{% endif %}{%- endfor %}
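Review bot: this hunk only configures the keystonemiddleware side (`cafile` for token validation) of glance-registry; nothing in the visible hunks makes the registry itself serve TLS, yet glance-api can now be pointed at it with `registry_client_protocol = https` and a `registry_client_ca_file`. The README should state that `registry: protocol: https` assumes a TLS-terminating proxy in front of the registry on the port glance-api uses, and that the CA given via `cacert_file` must be the one that issued that proxy's certificate.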