Configure endpoints to use SSL natively or via proxy

Configure nova, cinder, glance, swift and neutron to use SSL
on the endpoints using either SSL natively or via a TLS proxy
using stud.

To enable SSL via proxy, in local.conf add

ENABLED_SERVICES+=,tls-proxy

This will create a new test root CA, a subordinate CA and an SSL
server cert. It uses the value of hostname -f for the certificate
subject. The CA certificates are also added to the system CA bundle.

To enable SSL natively, in local.conf add:

USE_SSL=True

Native SSL by default will also use the devstack-generated root and
subordinate CA.

You can override this on a per-service basis by setting

<SERVICE>_SSL_CERT=/path/to/cert
<SERVICE>_SSL_KEY=/path/to/key
<SERVICE>_SSL_PATH=/path/to/ca

You should also set SERVICE_HOST to the FQDN of the host. This
value defaults to the host IP address.

Change-Id: I36fe56c063ca921131ad98439bd452cb135916ac
Closes-Bug: 1328226
diff --git a/lib/heat b/lib/heat
index f64cc90..ff3b307 100644
--- a/lib/heat
+++ b/lib/heat
@@ -113,7 +113,7 @@
     configure_auth_token_middleware $HEAT_CONF heat $HEAT_AUTH_CACHE_DIR
 
     if is_ssl_enabled_service "key"; then
-        iniset $HEAT_CONF clients_keystone ca_file $KEYSTONE_SSL_CA
+        iniset $HEAT_CONF clients_keystone ca_file $SSL_BUNDLE_FILE
     fi
 
     # ec2authtoken
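Review bot: The guard on this block still tests only `is_ssl_enabled_service "key"`, so in a tls-proxy-only setup this line never sets `clients_keystone ca_file`, and the block added after the Cloudwatch section sets the same key again under the wider `|| is_service_enabled tls-proxy` condition. Keeping both means the trust anchor for Keystone is written in two places with two different conditions; drop this block and rely on the later one, or widen this guard and remove the duplicate there. Quoting the value as "$SSL_BUNDLE_FILE" would also keep an unset variable from silently collapsing the `iniset` argument list.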
@@ -131,6 +131,18 @@
     # Cloudwatch API
     iniset $HEAT_CONF heat_api_cloudwatch bind_port $HEAT_API_CW_PORT
 
+    if is_ssl_enabled_service "key" || is_service_enabled tls-proxy; then
+        iniset $HEAT_CONF clients_keystone ca_file $SSL_BUNDLE_FILE
+    fi
+
+    if is_ssl_enabled_service "nova" || is_service_enabled tls-proxy; then
+        iniset $HEAT_CONF clients_nova ca_file $SSL_BUNDLE_FILE
+    fi
+
+    if is_ssl_enabled_service "cinder" || is_service_enabled tls-proxy; then
+        iniset $HEAT_CONF clients_cinder ca_file $SSL_BUNDLE_FILE
+    fi
+
     # heat environment
     sudo mkdir -p $HEAT_ENV_DIR
     sudo chown $STACK_USER $HEAT_ENV_DIR
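Review bot: Only `clients_keystone`, `clients_nova` and `clients_cinder` get a `ca_file` here, while the commit message says glance, swift and neutron are also moved to SSL endpoints. If Heat talks to those services through its own client sections, they would fail certificate verification unless the devstack CA is picked up from the system bundle, so either add the matching entries or note in a comment why these three are enough. The three blocks differ only in the service name and section, so a short loop over the service/section pairs would keep the `|| is_service_enabled tls-proxy` condition in one place.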