Configure endpoints to use SSL natively or via proxy
Configure nova, cinder, glance, swift and neutron to use SSL
on the endpoints using either SSL natively or via a TLS proxy
using stud.
To enable SSL via proxy, in local.conf add
ENABLED_SERVICES+=,tls-proxy
This will create a new test root CA, a subordinate CA and an SSL
server cert. It uses the value of hostname -f for the certificate
subject. The CA certicates are also added to the system CA bundle.
To enable SSL natively, in local.conf add:
USE_SSL=True
Native SSL by default will also use the devstack-generate root and
subordinate CA.
You can override this on a per-service basis by setting
<SERVICE>_SSL_CERT=/path/to/cert
<SERVICE>_SSL_KEY=/path/to/key
<SERVICE>_SSL_PATH=/path/to/ca
You should also set SERVICE_HOST to the FQDN of the host. This
value defaults to the host IP address.
Change-Id: I36fe56c063ca921131ad98439bd452cb135916ac
Closes-Bug: 1328226
diff --git a/lib/keystone b/lib/keystone
index 9eca80a..a7742a9 100644
--- a/lib/keystone
+++ b/lib/keystone
@@ -95,7 +95,7 @@
KEYSTONE_VALID_ASSIGNMENT_BACKENDS=kvs,ldap,sql
# if we are running with SSL use https protocols
-if is_ssl_enabled_service "key"; then
+if is_ssl_enabled_service "key" || is_service_enabled tls-proxy; then
KEYSTONE_AUTH_PROTOCOL="https"
KEYSTONE_SERVICE_PROTOCOL="https"
fi
@@ -123,7 +123,21 @@
sudo mkdir -p $KEYSTONE_WSGI_DIR
local keystone_apache_conf=$(apache_site_config_for keystone)
- local apache_version=$(get_apache_version)
+ local keystone_ssl=""
+ local keystone_certfile=""
+ local keystone_keyfile=""
+ local keystone_service_port=$KEYSTONE_SERVICE_PORT
+ local keystone_auth_port=$KEYSTONE_AUTH_PORT
+
+ if is_ssl_enabled_service key; then
+ keystone_ssl="SSLEngine On"
+ keystone_certfile="SSLCertificateFile $KEYSTONE_SSL_CERT"
+ keystone_keyfile="SSLCertificateKeyFile $KEYSTONE_SSL_KEY"
+ fi
+ if is_service_enabled tls-proxy; then
+ keystone_service_port=$KEYSTONE_SERVICE_PORT_INT
+ keystone_auth_port=$KEYSTONE_AUTH_PORT_INT
+ fi
# copy proxy vhost and wsgi file
sudo cp $KEYSTONE_DIR/httpd/keystone.py $KEYSTONE_WSGI_DIR/main
@@ -131,11 +145,14 @@
sudo cp $FILES/apache-keystone.template $keystone_apache_conf
sudo sed -e "
- s|%PUBLICPORT%|$KEYSTONE_SERVICE_PORT|g;
- s|%ADMINPORT%|$KEYSTONE_AUTH_PORT|g;
+ s|%PUBLICPORT%|$keystone_service_port|g;
+ s|%ADMINPORT%|$keystone_auth_port|g;
s|%APACHE_NAME%|$APACHE_NAME|g;
s|%PUBLICWSGI%|$KEYSTONE_WSGI_DIR/main|g;
s|%ADMINWSGI%|$KEYSTONE_WSGI_DIR/admin|g;
+ s|%SSLENGINE%|$keystone_ssl|g;
+ s|%SSLCERTFILE%|$keystone_certfile|g;
+ s|%SSLKEYFILE%|$keystone_keyfile|g;
s|%USER%|$STACK_USER|g
" -i $keystone_apache_conf
}
@@ -200,8 +217,13 @@
fi
# Set the URL advertised in the ``versions`` structure returned by the '/' route
- iniset $KEYSTONE_CONF DEFAULT public_endpoint "$KEYSTONE_SERVICE_PROTOCOL://$KEYSTONE_SERVICE_HOST:%(public_port)s/"
- iniset $KEYSTONE_CONF DEFAULT admin_endpoint "$KEYSTONE_SERVICE_PROTOCOL://$KEYSTONE_SERVICE_HOST:%(admin_port)s/"
+ if is_service_enabled tls-proxy; then
+ iniset $KEYSTONE_CONF DEFAULT public_endpoint "$KEYSTONE_SERVICE_PROTOCOL://$KEYSTONE_SERVICE_HOST:$KEYSTONE_SERVICE_PORT/"
+ iniset $KEYSTONE_CONF DEFAULT admin_endpoint "$KEYSTONE_SERVICE_PROTOCOL://$KEYSTONE_SERVICE_HOST:$KEYSTONE_AUTH_PORT/"
+ else
+ iniset $KEYSTONE_CONF DEFAULT public_endpoint "$KEYSTONE_SERVICE_PROTOCOL://$KEYSTONE_SERVICE_HOST:%(public_port)s/"
+ iniset $KEYSTONE_CONF DEFAULT admin_endpoint "$KEYSTONE_SERVICE_PROTOCOL://$KEYSTONE_SERVICE_HOST:%(admin_port)s/"
+ fi
iniset $KEYSTONE_CONF DEFAULT admin_bind_host "$KEYSTONE_ADMIN_BIND_HOST"
# Register SSL certificates if provided
@@ -412,7 +434,7 @@
iniset $conf_file $section auth_port $KEYSTONE_AUTH_PORT
iniset $conf_file $section auth_protocol $KEYSTONE_AUTH_PROTOCOL
iniset $conf_file $section identity_uri $KEYSTONE_AUTH_URI
- iniset $conf_file $section cafile $KEYSTONE_SSL_CA
+ iniset $conf_file $section cafile $SSL_BUNDLE_FILE
configure_API_version $conf_file $IDENTITY_API_VERSION $section
iniset $conf_file $section admin_tenant_name $SERVICE_TENANT_NAME
iniset $conf_file $section admin_user $admin_user
@@ -489,6 +511,9 @@
setup_develop $KEYSTONE_DIR
if [ "$KEYSTONE_USE_MOD_WSGI" == "True" ]; then
install_apache_wsgi
+ if is_ssl_enabled_service "key"; then
+ enable_mod_ssl
+ fi
fi
}
@@ -496,8 +521,10 @@
function start_keystone {
# Get right service port for testing
local service_port=$KEYSTONE_SERVICE_PORT
+ local auth_protocol=$KEYSTONE_AUTH_PROTOCOL
if is_service_enabled tls-proxy; then
service_port=$KEYSTONE_SERVICE_PORT_INT
+ auth_protocol="http"
fi
if [ "$KEYSTONE_USE_MOD_WSGI" == "True" ]; then
@@ -514,7 +541,7 @@
# Check that the keystone service is running. Even if the tls tunnel
# should be enabled, make sure the internal port is checked using
# unencryted traffic at this point.
- if ! timeout $SERVICE_TIMEOUT sh -c "while ! curl --noproxy '*' -k -s http://$KEYSTONE_SERVICE_HOST:$service_port/v$IDENTITY_API_VERSION/ >/dev/null; do sleep 1; done"; then
+ if ! timeout $SERVICE_TIMEOUT sh -c "while ! curl --noproxy '*' -k -s $auth_protocol://$KEYSTONE_SERVICE_HOST:$service_port/v$IDENTITY_API_VERSION/ >/dev/null; do sleep 1; done"; then
die $LINENO "keystone did not start"
fi