Merge "OpenStack HTTPS Endpoints support"
diff --git a/README.rst b/README.rst
index fff1463..414df49 100644
--- a/README.rst
+++ b/README.rst
@@ -161,45 +161,55 @@
virtual_host: '/openstack'
....
-Client-side RabbitMQ TLS configuration:
-|
-To enable TLS for oslo.messaging you need to provide the CA certificate.
+Configuring TLS communications
+-------------------------------
-By default system-wide CA certs are used. Nothing should be specified except `ssl.enabled`.
-.. code-block:: yaml
+ **Note:** by default system wide installed CA certs are used, so ``cacert_file`` param is optional, as well as ``cacert``.
- ....
- message_queue:
- ssl:
- enabled: True
-Use `cacert_file` param to specify the CA-cert file location explicitly:
+ - **RabbitMQ TLS**
-.. code-block:: yaml
+ .. code-block:: yaml
- ....
- message_queue:
- ssl:
- enabled: True
- cacert_file: /etc/ssl/rabbitmq-ca.pem
+ heat:
+ server:
+ message_queue:
+ port: 5671
+ ssl:
+ enabled: True
+ (optional) cacert: cert body if the cacert_file does not exists
+ (optional) cacert_file: /etc/openstack/rabbitmq-ca.pem
+ (optional) version: TLSv1_2
-To manage content of the `cacert_file` use the `cacert` param:
-.. code-block:: yaml
+ - **MySQL TLS**
- ....
- message_queue:
- ssl:
- enabled: True
- cacert: { file content here }
- cacert_file: /etc/openstack/rabbitmq-ca.pem
+ .. code-block:: yaml
-Notice:
- * The `message_queue.port` is set to **5671** (AMQPS) by default if `ssl.enabled=True`.
- * Use `message_queue.ssl.version` if you need to specify protocol version. By default is TLSv1 for python < 2.7.9 and TLSv1_2 for version above.
+ heat:
+ server:
+ database:
+ ssl:
+ enabled: True
+ (optional) cacert: cert body if the cacert_file does not exists
+ (optional) cacert_file: /etc/openstack/mysql-ca.pem
+
+ - **Openstack HTTPS API**
+
+ .. code-block:: yaml
+
+ heat:
+ server:
+ identity:
+ protocol: https
+ (optional) cacert_file: /etc/openstack/proxy.pem
+ clients:
+ keystone:
+ protocol: https
+ (optional) cacert_file: /etc/openstack/proxy.pem
Enhanced logging with logging.conf
----------------------------------
diff --git a/heat/files/ocata/heat.conf.Debian b/heat/files/ocata/heat.conf.Debian
index d32e11b..74f8fbf 100644
--- a/heat/files/ocata/heat.conf.Debian
+++ b/heat/files/ocata/heat.conf.Debian
@@ -1299,7 +1299,7 @@
#
# Authentication Endpoint URI. (string value)
-auth_uri=http://{{ server.identity.host }}:5000/v2.0
+auth_uri={{ server.identity.get('protocol', 'http') }}://{{ server.identity.host }}:5000/v2.0
# Allow orchestration of multiple clouds. (boolean value)
#multi_cloud=false
@@ -1308,8 +1308,10 @@
# enabled. At least one endpoint needs to be specified. (list
# value)
#allowed_auth_uris=
-
-keystone_ec2_uri=http://{{ server.identity.host }}:5000/v2.0/ec2tokens
+{%- if server.identity.get('protocol', 'http') == 'https' %}
+ca_file = {{ server.identity.get('cacert_file', server.cacert_file) }}
+{%- endif %}
+keystone_ec2_uri={{ server.identity.get('protocol', 'http') }}://{{ server.identity.host }}:5000/v2.0/ec2tokens
[clients]
endpoint_type = {{ server.identity.get('endpoint_type_default', 'publicURL') }}
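Review bot: The new `ca_file` line at L93 falls back to `server.cacert_file`, a pillar key the README hunk in this commit never mentions (it documents only `identity.cacert_file`), so an operator who follows the docs and omits `identity.cacert_file` gets whatever the undefined fallback renders to — presumably an empty `ca_file =` rather than a clear render error. Either document `heat.server.cacert_file` as the shared default or guard the line, e.g. `{%- if server.identity.cacert_file is defined or server.cacert_file is defined %}` around it. The same fallback expression is repeated at L103, L114 and L124, so whichever fix is chosen should be applied there too.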
@@ -1317,6 +1319,9 @@
{%- if server.clients.insecure is defined %}
insecure = {{ server.clients.insecure }}
{%- endif %}
+{%- if server.clients.get('protocol', 'http') == 'https' %}
+ca_file={{ server.identity.get('cacert_file', server.cacert_file) }}
+{%- endif %}
{%- endif %}
[clients_heat]
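Review bot: The guard at L102 keys on `server.clients.protocol`, but the README hunk in this commit documents the HTTPS switch under `clients.keystone.protocol` and `clients.keystone.cacert_file`, and the path rendered at L103 comes from `server.identity` rather than from anything under `clients`; with the documented pillar this `[clients]` `ca_file` line would not render at all. The `[clients_keystone]` hunk (L112–L115) has the same mismatch: both the scheme and the CA file are derived from `server.identity`, and `clients.keystone.protocol` / `clients.keystone.cacert_file` are never read. Either make the template read the documented keys, e.g. `{%- if server.clients.get('keystone', {}).get('protocol', 'http') == 'https' %}` with `ca_file={{ server.clients.keystone.get('cacert_file', server.identity.get('cacert_file', server.cacert_file)) }}`, or drop the `clients.keystone` keys from the README so the docs match what the template honours. The enclosing `{%- if %}` that L105 closes starts outside this hunk.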
@@ -1328,7 +1333,10 @@
insecure = {{ server.clients.keystone.get('insecure', false) }}
{%- endif %}
{%- endif %}
-auth_uri=http://{{ server.identity.host }}:35357
+auth_uri={{ server.identity.get('protocol', 'http') }}://{{ server.identity.host }}:35357
+{%- if server.identity.get('protocol', 'http') == 'https' %}
+ca_file={{ server.identity.get('cacert_file', server.cacert_file) }}
+{%- endif %}
{%- if pillar.get('opencontrail', {}).get('client', {}).get('enabled', False) %}
@@ -1739,12 +1747,15 @@
# Config Section from which to load plugin specific options (string value)
#auth_section = <None>
auth_type = password
-auth_uri=http://{{ server.identity.host }}:5000/v2.0
+auth_uri={{ server.identity.get('protocol', 'http') }}://{{ server.identity.host }}:5000/v2.0
+{%- if server.identity.get('protocol', 'http') == 'https' %}
+cafile={{ server.identity.get('cacert_file', server.cacert_file) }}
+{%- endif %}
#identity_uri=http://{{ server.identity.host }}:35357
#admin_user={{ server.identity.user }}
#admin_password={{ server.identity.password }}
#admin_tenant_name={{ server.identity.tenant }}
-auth_url=http://{{ server.identity.host }}:35357
+auth_url={{ server.identity.get('protocol', 'http') }}://{{ server.identity.host }}:35357
username = {{ server.identity.user }}
password = {{ server.identity.password }}
project_name = {{ server.identity.tenant }}
@@ -2717,7 +2728,7 @@
# From heat.common.context
#
auth_plugin = password
-auth_url = http://{{ server.identity.host }}:35357
+auth_url = {{ server.identity.get('protocol', 'http') }}://{{ server.identity.host }}:35357
username = {{ server.identity.user }}
password = {{ server.identity.password }}
user_domain_name = default
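Review bot: `auth_url` at L140 now switches this section to https, but unlike `[keystone_authtoken]` at L123–L125 no `cafile` is emitted next to it, so a deployment that fronts Keystone with a private CA would have this section's session fail certificate verification unless the CA is already in the system store, leaving operators to choose between a broken service and turning verification off. If this group registers the keystoneauth session options (heat.common.context appears to do so for the trustee group, but confirm against the Ocata code), the same three-line block applies here: `{%- if server.identity.get('protocol', 'http') == 'https' %}` / `cafile={{ server.identity.get('cacert_file', server.cacert_file) }}` / `{%- endif %}`.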