Add TLS support for keystone via proxy

* Adds lib/tls to create test CA/certs
* Start proxy if 'tls-proxy' is enabled
* Configure keystone service catalog for TLS
* Tear down proxy in unstack.sh
* Set auth protocol and ca-cert chain in openrc
* Add DATA_DIR to stackrc

This is the first in a series of patches to enable TLS support
for the service API endpoints.

Change-Id: Ia1c91dc8f1aaf94fbec9dc71da322559a83d14b6
diff --git a/openrc b/openrc
index 08ef98b..2553b4a 100644
--- a/openrc
+++ b/openrc
@@ -26,6 +26,9 @@
# Load local configuration
source $RC_DIR/stackrc
+# Get some necessary configuration
+source $RC_DIR/lib/tls
+
# The introduction of Keystone to the OpenStack ecosystem has standardized the
# term **tenant** as the entity that owns resources. In some places references
# still exist to the original Nova term **project** for this use. Also,
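Review bot: the comment above the new `source $RC_DIR/lib/tls` line ("Get some necessary configuration") does not say what openrc needs from that file. In the visible hunks the only value used afterwards is `INT_CA_DIR`, for `OS_CACERT`; name it in the comment. Since users source openrc into their own shell, also consider whether pulling in the whole TLS library is warranted for a single path, or whether that variable belongs next to `DATA_DIR` in stackrc.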
@@ -49,6 +52,7 @@
# which is convenient for some localrc configurations.
HOST_IP=${HOST_IP:-127.0.0.1}
SERVICE_HOST=${SERVICE_HOST:-$HOST_IP}
+SERVICE_PROTOCOL=${SERVICE_PROTOCOL:-http}
# Some exercises call glance directly. On a single-node installation, Glance
# should be listening on HOST_IP. If its running elsewhere, it can be set here
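Review bot: `SERVICE_PROTOCOL` is added without a comment and defaults to `http`, and nothing visible in this file ties it to the 'tls-proxy' setting named in the commit message. If the proxy is enabled but this variable stays at its default, `OS_AUTH_URL` still points at plain HTTP and the credentials are sent unencrypted. Add a comment above the assignment listing the accepted values (http, https) and stating where it is expected to be switched to https.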
@@ -61,7 +65,10 @@
#
# *NOTE*: Using the 2.0 *identity api* does not mean that compute api is 2.0. We
# will use the 1.1 *compute api*
-export OS_AUTH_URL=http://$SERVICE_HOST:5000/v2.0
+export OS_AUTH_URL=$SERVICE_PROTOCOL://$SERVICE_HOST:5000/v2.0
+
+# Set the pointer to our CA certificate chain. Harmless if TLS is not used.
+export OS_CACERT=$INT_CA_DIR/ca-chain.pem
# Currently novaclient needs you to specify the *compute api* version. This
# needs to match the config of your catalog returned by Keystone.
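Review bot: `export OS_CACERT=$INT_CA_DIR/ca-chain.pem` is unconditional, so it overwrites any `OS_CACERT` the user already set and, if `INT_CA_DIR` is empty, expands to `/ca-chain.pem`. "Harmless if TLS is not used" does not cover the case where `SERVICE_PROTOCOL` is https against an endpoint whose certificate is not issued by the test CA: verification would then fail against the wrong chain. Suggest `export OS_CACERT=${OS_CACERT:-$INT_CA_DIR/ca-chain.pem}`, or setting it only when `SERVICE_PROTOCOL` is https and the file exists.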