diff --git a/ansible/roles/horizon/defaults/main.yml b/ansible/roles/horizon/defaults/main.yml
index 17c9d8f8a9bff4cb87ca2cbf50847fabfe89a214..757d5e8e6b3000dfe3b2ca05720bf2dc150f6427 100644
--- a/ansible/roles/horizon/defaults/main.yml
+++ b/ansible/roles/horizon/defaults/main.yml
@@ -47,6 +47,7 @@ horizon_services:
listen_port: "{{ horizon_listen_port }}"
backend_http_extra:
- "balance source"
+ tls_backend: "{{ horizon_enable_tls_backend }}"
horizon_redirect:
enabled: "{{ enable_horizon|bool and kolla_enable_tls_internal|bool }}"
mode: "redirect"
@@ -61,6 +62,7 @@ horizon_services:
listen_port: "{{ horizon_listen_port }}"
backend_http_extra:
- "balance source"
+ tls_backend: "{{ horizon_enable_tls_backend }}"
horizon_external_redirect:
enabled: "{{ enable_horizon|bool and kolla_enable_tls_external|bool }}"
mode: "redirect"
@@ -124,3 +126,8 @@ horizon_dev_mode: "{{ kolla_dev_mode }}"
horizon_murano_dev_mode: "{{ kolla_dev_mode }}"
horizon_source_version: "{{ kolla_source_version }}"
horizon_murano_source_version: "{{ kolla_source_version }}"
+
+####################
+# TLS
+####################
+horizon_enable_tls_backend: "{{ kolla_enable_tls_backend }}"
diff --git a/ansible/roles/horizon/tasks/config.yml b/ansible/roles/horizon/tasks/config.yml
index 9a49e329f9966f4baa7e6d7904f7eb3e24450ddc..051b1e38af7ecf4f3f09e52c2f48bd74a1305735 100644
--- a/ansible/roles/horizon/tasks/config.yml
+++ b/ansible/roles/horizon/tasks/config.yml
@@ -135,7 +135,7 @@
- include_tasks: copy-certs.yml
when:
- - kolla_copy_ca_into_containers | bool
+ - kolla_copy_ca_into_containers | bool or horizon_enable_tls_backend | bool
- include_tasks: check-containers.yml
when: kolla_action != "config"
diff --git a/ansible/roles/horizon/templates/horizon.conf.j2 b/ansible/roles/horizon/templates/horizon.conf.j2
index 7c509676ab841ab3bd1fd8a189d1e1e846d20d03..b8f3763e0d31eb3bb89b1345b6befeade48b43cb 100644
--- a/ansible/roles/horizon/templates/horizon.conf.j2
+++ b/ansible/roles/horizon/templates/horizon.conf.j2
@@ -1,5 +1,12 @@
{% set python_path = '/usr/share/openstack-dashboard' if horizon_install_type == 'binary' else '/var/lib/kolla/venv/lib/python' + distro_python_version + '/site-packages' %}
+{% if horizon_enable_tls_backend | bool %}
+{% if kolla_base_distro in ['centos'] %}
+LoadModule ssl_module /usr/lib64/httpd/modules/mod_ssl.so
+{% else %}
+LoadModule ssl_module /usr/lib/apache2/modules/mod_ssl.so
+{% endif %}
+{% endif %}
Listen {{ api_interface_address | put_address_in_context('url') }}:{{ horizon_listen_port }}
ServerSignature Off
@@ -35,6 +42,12 @@ TraceEnable off
<Location "/static">
SetHandler None
</Location>
+
+{% if horizon_enable_tls_backend | bool %}
+ SSLEngine On
+ SSLCertificateFile /etc/horizon/certs/horizon-cert.pem
+ SSLCertificateKeyFile /etc/horizon/certs/horizon-key.pem
+{% endif %}
</VirtualHost>
{# FIXME(yoctozepto): enabling of either tls will break the other if not enabled too #}
diff --git a/ansible/roles/horizon/templates/horizon.json.j2 b/ansible/roles/horizon/templates/horizon.json.j2
index 0446423f4226e4e0961e0c34dbe7dfa707f2ca8b..bc2eb6843ec01c999f20ef61e574561671942cb6 100644
--- a/ansible/roles/horizon/templates/horizon.json.j2
+++ b/ansible/roles/horizon/templates/horizon.json.j2
@@ -29,6 +29,18 @@
"dest": "/etc/openstack-dashboard/custom_local_settings",
"owner": "horizon",
"perm": "0600"
- }
+ }{% if horizon_enable_tls_backend | bool %},
+ {
+ "source": "{{ container_config_directory }}/horizon-cert.pem",
+ "dest": "/etc/horizon/certs/horizon-cert.pem",
+ "owner": "horizon",
+ "perm": "0600"
+ },
+ {
+ "source": "{{ container_config_directory }}/horizon-key.pem",
+ "dest": "/etc/horizon/certs/horizon-key.pem",
+ "owner": "horizon",
+ "perm": "0600"
+ }{% endif %}
]
}
diff --git a/ansible/roles/placement/defaults/main.yml b/ansible/roles/placement/defaults/main.yml
index f7c47ef206c0d9bb8a62d57913586ca529fd40e4..6cdf7fa4fbbeb5a5ac42b7117108c661b0fac161 100644
--- a/ansible/roles/placement/defaults/main.yml
+++ b/ansible/roles/placement/defaults/main.yml
@@ -16,12 +16,14 @@ placement_services:
external: false
port: "{{ placement_api_port }}"
listen_port: "{{ placement_api_listen_port }}"
+ tls_backend: "{{ placement_enable_tls_backend }}"
placement_api_external:
enabled: "{{ enable_placement }}"
mode: "http"
external: true
port: "{{ placement_api_port }}"
listen_port: "{{ placement_api_listen_port }}"
+ tls_backend: "{{ placement_enable_tls_backend }}"
####################
# Database
@@ -108,3 +110,8 @@ placement_ks_users:
user: "{{ placement_keystone_user }}"
password: "{{ placement_keystone_password }}"
role: "admin"
+
+####################
+# TLS
+####################
+placement_enable_tls_backend: "{{ kolla_enable_tls_backend }}"
diff --git a/ansible/roles/placement/tasks/config.yml b/ansible/roles/placement/tasks/config.yml
index 2f42c13c720ae7e6d52623efa154b7efcb7046a6..39d7be080b11b1e6f9dbc0af5434c21d88958372 100644
--- a/ansible/roles/placement/tasks/config.yml
+++ b/ansible/roles/placement/tasks/config.yml
@@ -33,7 +33,7 @@
- include_tasks: copy-certs.yml
when:
- - kolla_copy_ca_into_containers | bool
+ - kolla_copy_ca_into_containers | bool or placement_enable_tls_backend | bool
- name: Copying over config.json files for services
become: true
diff --git a/ansible/roles/placement/templates/placement-api-wsgi.conf.j2 b/ansible/roles/placement/templates/placement-api-wsgi.conf.j2
index ee8261f2776edfbadd45872824914374a682fd4b..26d68199cf6288b395564f758ccb1176398d7489 100644
--- a/ansible/roles/placement/templates/placement-api-wsgi.conf.j2
+++ b/ansible/roles/placement/templates/placement-api-wsgi.conf.j2
@@ -5,7 +5,13 @@
{% set python_path = '/var/lib/kolla/venv/lib/python' + distro_python_version + '/site-packages' %}
{% endif %}
{% set wsgi_directory = '/usr/bin' if placement_install_type == 'binary' else '/var/lib/kolla/venv/bin' %}
-
+{% if placement_enable_tls_backend | bool %}
+{% if kolla_base_distro in ['centos'] %}
+LoadModule ssl_module /usr/lib64/httpd/modules/mod_ssl.so
+{% else %}
+LoadModule ssl_module /usr/lib/apache2/modules/mod_ssl.so
+{% endif %}
+{% endif %}
Listen {{ api_interface_address | put_address_in_context('url') }}:{{ placement_api_listen_port }}
ServerSignature Off
@@ -33,4 +39,9 @@ LogLevel info
Require all granted
</Files>
</Directory>
+{% if placement_enable_tls_backend | bool %}
+ SSLEngine on
+ SSLCertificateFile /etc/placement/certs/placement-cert.pem
+ SSLCertificateKeyFile /etc/placement/certs/placement-key.pem
+{% endif %}
</VirtualHost>
diff --git a/ansible/roles/placement/templates/placement-api.json.j2 b/ansible/roles/placement/templates/placement-api.json.j2
index 7bec6e74e5c6ee6b390cb96b93fbf12f0a45ce19..e489cec5af2d58b6fe6511ed59871cf7589f64f5 100644
--- a/ansible/roles/placement/templates/placement-api.json.j2
+++ b/ansible/roles/placement/templates/placement-api.json.j2
@@ -26,7 +26,19 @@
"dest": "/etc/placement/migrate-db.rc",
"owner": "placement",
"perm": "0600"
- }
+ }{% if placement_enable_tls_backend | bool %},
+ {
+ "source": "{{ container_config_directory }}/placement-cert.pem",
+ "dest": "/etc/placement/certs/placement-cert.pem",
+ "owner": "placement",
+ "perm": "0600"
+ },
+ {
+ "source": "{{ container_config_directory }}/placement-key.pem",
+ "dest": "/etc/placement/certs/placement-key.pem",
+ "owner": "placement",
+ "perm": "0600"
+ }{% endif %}
],
"permissions": [
{
diff --git a/releasenotes/notes/encrypt-backend-haproxy-fb96285d74fb464c.yaml b/releasenotes/notes/encrypt-backend-haproxy-fb96285d74fb464c.yaml
index 7385b29302f15a737f80bace2a9fa614e9596e6b..bfe710a8b19777da31892611a407620b14663e4a 100644
--- a/releasenotes/notes/encrypt-backend-haproxy-fb96285d74fb464c.yaml
+++ b/releasenotes/notes/encrypt-backend-haproxy-fb96285d74fb464c.yaml
@@ -2,7 +2,7 @@
features:
- |
Added configuration options to enable backend TLS encryption from HAProxy
- to the Keystone, Glance, Heat, and Cinder services. When used in
- conjunction with enabling TLS for service API endpoints, network
- communcation will be encrypted end to end, from client through HAProxy to
- the backend service.
+ to the Keystone, Glance, Heat, Placement, Horizon, and Cinder services.
+ When used in conjunction with enabling TLS for service API endpoints,
+ network communcation will be encrypted end to end, from client through
+ HAProxy to the backend service.