diff --git a/ansible/roles/cinder/defaults/main.yml b/ansible/roles/cinder/defaults/main.yml
index 8723f58ab26884dec99b78c748bace7abc0a77c0..703272c040a75d9e3636c88685616426f2e387f9 100644
--- a/ansible/roles/cinder/defaults/main.yml
+++ b/ansible/roles/cinder/defaults/main.yml
@@ -16,12 +16,14 @@ cinder_services:
         external: false
         port: "{{ cinder_api_port }}"
         listen_port: "{{ cinder_api_listen_port }}"
+        tls_backend: "{{ cinder_enable_tls_backend }}"
       cinder_api_external:
         enabled: "{{ enable_cinder }}"
         mode: "http"
         external: true
         port: "{{ cinder_api_port }}"
         listen_port: "{{ cinder_api_listen_port }}"
+        tls_backend: "{{ cinder_enable_tls_backend }}"
   cinder-scheduler:
     container_name: cinder_scheduler
     group: cinder-scheduler
@@ -233,3 +235,8 @@ cinder_ks_users:
     user: "{{ cinder_keystone_user }}"
     password: "{{ cinder_keystone_password }}"
     role: "admin"
+
+####################
+# TLS
+####################
+cinder_enable_tls_backend: "{{ kolla_enable_tls_backend }}"
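Review bot: The new `cinder_enable_tls_backend` default has no comment saying what it depends on, although the templates later in this commit make it require key material. I would add above it `# Enables TLS on the cinder-api backend; requires cinder-cert.pem and cinder-key.pem in the service config directory.` The value is a templated string inheriting `kolla_enable_tls_backend`, so every consumer has to pass it through `| bool`, as the two templates in this commit do. The `tls_backend` keys added in the first hunk pass the raw string to whatever renders the HAProxy configuration, which is not visible here and should be checked for the same filter.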
diff --git a/ansible/roles/cinder/templates/cinder-api.json.j2 b/ansible/roles/cinder/templates/cinder-api.json.j2
index 54b557902cd91f4144b2013a7ae59a219d01aab6..bf79435c3f2de3cc1f849007b5f21f38618559b2 100644
--- a/ansible/roles/cinder/templates/cinder-api.json.j2
+++ b/ansible/roles/cinder/templates/cinder-api.json.j2
@@ -20,8 +20,20 @@
             "dest": "/etc/cinder/{{ cinder_policy_file }}",
             "owner": "cinder",
             "perm": "0600"
-        }{% endif %}
-    ],
+        }{% endif %}{% if cinder_enable_tls_backend | bool %},
+        {
+            "source": "{{ container_config_directory }}/cinder-cert.pem",
+            "dest": "/etc/cinder/certs/cinder-cert.pem",
+            "owner": "cinder",
+            "perm": "0600"
+        },
+        {
+            "source": "{{ container_config_directory }}/cinder-key.pem",
+            "dest": "/etc/cinder/certs/cinder-key.pem",
+            "owner": "cinder",
+            "perm": "0600"
+        }
+    {% endif %}],
     "permissions": [
         {
             "path": "/var/lib/cinder",
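Review bot: The two new `config_files` entries for `cinder-cert.pem` and `cinder-key.pem` are mandatory copies, yet nothing in the visible diff stages those files in `{{ container_config_directory }}`. If that step lives elsewhere this is fine; otherwise enabling the flag would presumably make the container fail when it copies its config, so a task that places both files there first is needed. `"perm": "0600"` with owner `cinder` is the right restriction for the key. The joining comma is emitted inside the new `{% if %}`, so the JSON stays valid only while an entry always precedes it; that looks true from the context lines, but the start of the array is outside the hunk.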
diff --git a/ansible/roles/cinder/templates/cinder-wsgi.conf.j2 b/ansible/roles/cinder/templates/cinder-wsgi.conf.j2
index cc426028abd9ccd949c8381059aee35140022851..2d98e73a7ee95105b636aeddc9ad6108c8a1c24f 100644
--- a/ansible/roles/cinder/templates/cinder-wsgi.conf.j2
+++ b/ansible/roles/cinder/templates/cinder-wsgi.conf.j2
@@ -3,6 +3,13 @@
 {% else %}
     {% set python_path = '/var/lib/kolla/venv/lib/python' + distro_python_version + '/site-packages' %}
 {% endif %}
+{% if cinder_enable_tls_backend | bool %}
+{% if kolla_base_distro in ['centos']  %}
+LoadModule ssl_module /usr/lib64/httpd/modules/mod_ssl.so
+{% else %}
+LoadModule ssl_module /usr/lib/apache2/modules/mod_ssl.so
+{% endif %}
+{% endif %}
 Listen {{ api_interface_address | put_address_in_context('url') }}:{{ cinder_api_listen_port }}
 
 ServerSignature Off
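Review bot: The `LoadModule` branch keys on `kolla_base_distro in ['centos']` alone, so every other base distro, including any other RPM-based one, falls into the `else` branch. It then gets the Debian-style path `/usr/lib/apache2/modules/mod_ssl.so`, where Apache would fail to load the module and not start. Branching on the package family rather than a single distro name would be safer. Whether mod_ssl is installed in the cinder-api image at all is not visible here and should be confirmed. Minor style point: `['centos']  %}` has a doubled space before the closing tag.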
@@ -25,4 +32,9 @@ LogLevel info
     ErrorLog /var/log/kolla/cinder/cinder-api.log
     LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b %D \"%{Referer}i\" \"%{User-Agent}i\"" logformat
     CustomLog /var/log/kolla/cinder/cinder-api-access.log logformat
+{% if cinder_enable_tls_backend | bool %}
+    SSLEngine On
+    SSLCertificateFile /etc/cinder/certs/cinder-cert.pem
+    SSLCertificateKeyFile /etc/cinder/certs/cinder-key.pem
+{% endif %}
 </VirtualHost>
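Review bot: `SSLEngine On` is added without `SSLProtocol` or `SSLCipherSuite`, so the protocol versions and ciphers accepted on the backend listener are whatever the image's mod_ssl defaults allow. Since this listener exists to protect internal API traffic, I would pin the floor explicitly, for example `SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1`, and note the expected cipher policy next to it. The `<VirtualHost>` block opens outside the hunk, so these directives may already be set earlier in the block or in a global include.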
diff --git a/releasenotes/notes/encrypt-backend-haproxy-keystone-fb96285d74fb464c.yaml b/releasenotes/notes/encrypt-backend-haproxy-keystone-fb96285d74fb464c.yaml
index 1b78072702fbb517615d4bd1f3f884d04667c17a..2a778e9e72d6af6c4499152ffe12509674d48fde 100644
--- a/releasenotes/notes/encrypt-backend-haproxy-keystone-fb96285d74fb464c.yaml
+++ b/releasenotes/notes/encrypt-backend-haproxy-keystone-fb96285d74fb464c.yaml
@@ -2,6 +2,6 @@
 features:
   - |
     Added configuration options to enable backend TLS encryption from HAProxy
-    to the Keystone service. When used in conjunction with enabling TLS for
-    service API endpoints, network communcation will be encrypted end to end,
-    from client through HAProxy to the Keystone service.
+    to the Keystone and cinder service. When used in conjunction with enabling
+    TLS for service API endpoints, network communcation will be encrypted end
+    to end, from client through HAProxy to the backend service.