Merge "Add support for encrypting Horizon and Placement API"

bc229259 · Zuul · Gerrit Code Review · 76b6cf9f · e3d5a91a · bc229259
Commit bc229259 authored 4 years ago by Zuul Committed by Gerrit Code Review 4 years ago
--- a/ansible/roles/horizon/defaults/main.yml
+++ b/ansible/roles/horizon/defaults/main.yml
@@ -47,6 +47,7 @@ horizon_services:
        listen_port: "{{ horizon_listen_port }}"
        backend_http_extra:
          - "balance source"
+        tls_backend: "{{ horizon_enable_tls_backend }}"
      horizon_redirect:
        enabled: "{{ enable_horizon|bool and kolla_enable_tls_internal|bool }}"
        mode: "redirect"
@@ -61,6 +62,7 @@ horizon_services:
        listen_port: "{{ horizon_listen_port }}"
        backend_http_extra:
          - "balance source"
+        tls_backend: "{{ horizon_enable_tls_backend }}"
      horizon_external_redirect:
        enabled: "{{ enable_horizon|bool and kolla_enable_tls_external|bool }}"
        mode: "redirect"
@@ -124,3 +126,8 @@ horizon_dev_mode: "{{ kolla_dev_mode }}"
 horizon_murano_dev_mode: "{{ kolla_dev_mode }}"
 horizon_source_version: "{{ kolla_source_version }}"
 horizon_murano_source_version: "{{ kolla_source_version }}"
+
+####################
+# TLS
+####################
+horizon_enable_tls_backend: "{{ kolla_enable_tls_backend }}"
--- a/ansible/roles/horizon/tasks/config.yml
+++ b/ansible/roles/horizon/tasks/config.yml
@@ -135,7 +135,7 @@

 - include_tasks: copy-certs.yml
  when:
-    - kolla_copy_ca_into_containers | bool
+    - kolla_copy_ca_into_containers | bool or horizon_enable_tls_backend | bool

 - include_tasks: check-containers.yml
  when: kolla_action != "config"
--- a/ansible/roles/horizon/templates/horizon.conf.j2
+++ b/ansible/roles/horizon/templates/horizon.conf.j2
 {% set python_path = '/usr/share/openstack-dashboard' if horizon_install_type == 'binary' else '/var/lib/kolla/venv/lib/python' + distro_python_version + '/site-packages' %}

+{% if horizon_enable_tls_backend | bool %}
+{% if kolla_base_distro in ['centos']  %}
+LoadModule ssl_module /usr/lib64/httpd/modules/mod_ssl.so
+{% else %}
+LoadModule ssl_module /usr/lib/apache2/modules/mod_ssl.so
+{% endif %}
+{% endif %}
 Listen {{ api_interface_address | put_address_in_context('url') }}:{{ horizon_listen_port }}

 ServerSignature Off
@@ -35,6 +42,12 @@ TraceEnable off
    <Location "/static">
        SetHandler None
    </Location>
+
+{% if horizon_enable_tls_backend | bool %}
+    SSLEngine On
+    SSLCertificateFile /etc/horizon/certs/horizon-cert.pem
+    SSLCertificateKeyFile /etc/horizon/certs/horizon-key.pem
+{% endif %}
 </VirtualHost>

 {# FIXME(yoctozepto): enabling of either tls will break the other if not enabled too #}

--- a/ansible/roles/horizon/templates/horizon.json.j2
+++ b/ansible/roles/horizon/templates/horizon.json.j2
@@ -29,6 +29,18 @@
            "dest": "/etc/openstack-dashboard/custom_local_settings",
            "owner": "horizon",
            "perm": "0600"
-        }
+        }{% if horizon_enable_tls_backend | bool %},
+        {
+            "source": "{{ container_config_directory }}/horizon-cert.pem",
+            "dest": "/etc/horizon/certs/horizon-cert.pem",
+            "owner": "horizon",
+            "perm": "0600"
+        },
+        {
+            "source": "{{ container_config_directory }}/horizon-key.pem",
+            "dest": "/etc/horizon/certs/horizon-key.pem",
+            "owner": "horizon",
+            "perm": "0600"
+        }{% endif %}
    ]
 }
--- a/ansible/roles/placement/defaults/main.yml
+++ b/ansible/roles/placement/defaults/main.yml
@@ -16,12 +16,14 @@ placement_services:
        external: false
        port: "{{ placement_api_port }}"
        listen_port: "{{ placement_api_listen_port }}"
+        tls_backend: "{{ placement_enable_tls_backend }}"
      placement_api_external:
        enabled: "{{ enable_placement }}"
        mode: "http"
        external: true
        port: "{{ placement_api_port }}"
        listen_port: "{{ placement_api_listen_port }}"
+        tls_backend: "{{ placement_enable_tls_backend }}"

 ####################
 # Database
@@ -108,3 +110,8 @@ placement_ks_users:
    user: "{{ placement_keystone_user }}"
    password: "{{ placement_keystone_password }}"
    role: "admin"
+
+####################
+# TLS
+####################
+placement_enable_tls_backend: "{{ kolla_enable_tls_backend }}"
--- a/ansible/roles/placement/tasks/config.yml
+++ b/ansible/roles/placement/tasks/config.yml
@@ -33,7 +33,7 @@

 - include_tasks: copy-certs.yml
  when:
-    - kolla_copy_ca_into_containers | bool
+    - kolla_copy_ca_into_containers | bool or placement_enable_tls_backend | bool

 - name: Copying over config.json files for services
  become: true

--- a/ansible/roles/placement/templates/placement-api-wsgi.conf.j2
+++ b/ansible/roles/placement/templates/placement-api-wsgi.conf.j2
@@ -5,7 +5,13 @@
    {% set python_path = '/var/lib/kolla/venv/lib/python' + distro_python_version + '/site-packages' %}
 {% endif %}
 {% set wsgi_directory = '/usr/bin' if placement_install_type == 'binary' else '/var/lib/kolla/venv/bin' %}
-
+{% if placement_enable_tls_backend | bool %}
+{% if kolla_base_distro in ['centos']  %}
+LoadModule ssl_module /usr/lib64/httpd/modules/mod_ssl.so
+{% else %}
+LoadModule ssl_module /usr/lib/apache2/modules/mod_ssl.so
+{% endif %}
+{% endif %}
 Listen {{ api_interface_address | put_address_in_context('url') }}:{{ placement_api_listen_port }}

 ServerSignature Off
@@ -33,4 +39,9 @@ LogLevel info
            Require all granted
        </Files>
    </Directory>
+{% if placement_enable_tls_backend | bool %}
+    SSLEngine on
+    SSLCertificateFile /etc/placement/certs/placement-cert.pem
+    SSLCertificateKeyFile /etc/placement/certs/placement-key.pem
+{% endif %}
 </VirtualHost>
--- a/ansible/roles/placement/templates/placement-api.json.j2
+++ b/ansible/roles/placement/templates/placement-api.json.j2
@@ -26,7 +26,19 @@
            "dest": "/etc/placement/migrate-db.rc",
            "owner": "placement",
            "perm": "0600"
-        }
+        }{% if placement_enable_tls_backend | bool %},
+        {
+            "source": "{{ container_config_directory }}/placement-cert.pem",
+            "dest": "/etc/placement/certs/placement-cert.pem",
+            "owner": "placement",
+            "perm": "0600"
+        },
+        {
+            "source": "{{ container_config_directory }}/placement-key.pem",
+            "dest": "/etc/placement/certs/placement-key.pem",
+            "owner": "placement",
+            "perm": "0600"
+        }{% endif %}
    ],
    "permissions": [
        {

--- a/releasenotes/notes/encrypt-backend-haproxy-fb96285d74fb464c.yaml
+++ b/releasenotes/notes/encrypt-backend-haproxy-fb96285d74fb464c.yaml
@@ -2,7 +2,7 @@
 features:
  - |
    Added configuration options to enable backend TLS encryption from HAProxy
-    to the Keystone, Glance, Heat, and Cinder services. When used in
-    conjunction with enabling TLS for service API endpoints, network
-    communcation will be encrypted end to end, from client through HAProxy to
-    the backend service.
+    to the Keystone, Glance, Heat, Placement, Horizon, and Cinder services.
+    When used in conjunction with enabling TLS for service API endpoints,
+    network communcation will be encrypted end to end, from client through
+    HAProxy to the backend service.