Remove USE_SSL support
tls-proxy is the way we're now doing a standard install using https between services. There is a lot more work to make services directly handle https, and having python daemons do that directly is a bit of an anti pattern. Nothing currently tests this in project-config from my recent grepping, so in the interest of long term maintenance, delete it all. Change-Id: I910df4ceab6f24f3d9c484e0433c93b06f17d6e1
This commit is contained in:
parent
2f8c88e053
commit
f3b2f4c853
20
lib/cinder
20
lib/cinder
@ -58,7 +58,7 @@ CINDER_CONF=$CINDER_CONF_DIR/cinder.conf
|
|||||||
CINDER_API_PASTE_INI=$CINDER_CONF_DIR/api-paste.ini
|
CINDER_API_PASTE_INI=$CINDER_CONF_DIR/api-paste.ini
|
||||||
|
|
||||||
# Public facing bits
|
# Public facing bits
|
||||||
if is_ssl_enabled_service "cinder" || is_service_enabled tls-proxy; then
|
if is_service_enabled tls-proxy; then
|
||||||
CINDER_SERVICE_PROTOCOL="https"
|
CINDER_SERVICE_PROTOCOL="https"
|
||||||
fi
|
fi
|
||||||
CINDER_SERVICE_HOST=${CINDER_SERVICE_HOST:-$SERVICE_HOST}
|
CINDER_SERVICE_HOST=${CINDER_SERVICE_HOST:-$SERVICE_HOST}
|
||||||
@ -215,11 +215,6 @@ function _cinder_config_apache_wsgi {
|
|||||||
local cinder_api_port=$CINDER_SERVICE_PORT
|
local cinder_api_port=$CINDER_SERVICE_PORT
|
||||||
local venv_path=""
|
local venv_path=""
|
||||||
|
|
||||||
if is_ssl_enabled_service c-api; then
|
|
||||||
cinder_ssl="SSLEngine On"
|
|
||||||
cinder_certfile="SSLCertificateFile $CINDER_SSL_CERT"
|
|
||||||
cinder_keyfile="SSLCertificateKeyFile $CINDER_SSL_KEY"
|
|
||||||
fi
|
|
||||||
if [[ ${USE_VENV} = True ]]; then
|
if [[ ${USE_VENV} = True ]]; then
|
||||||
venv_path="python-path=${PROJECT_VENV["cinder"]}/lib/python2.7/site-packages"
|
venv_path="python-path=${PROJECT_VENV["cinder"]}/lib/python2.7/site-packages"
|
||||||
fi
|
fi
|
||||||
@ -347,7 +342,7 @@ function configure_cinder {
|
|||||||
iniset $CINDER_CONF DEFAULT osapi_volume_workers "$API_WORKERS"
|
iniset $CINDER_CONF DEFAULT osapi_volume_workers "$API_WORKERS"
|
||||||
|
|
||||||
iniset $CINDER_CONF DEFAULT glance_api_servers "${GLANCE_SERVICE_PROTOCOL}://${GLANCE_HOSTPORT}"
|
iniset $CINDER_CONF DEFAULT glance_api_servers "${GLANCE_SERVICE_PROTOCOL}://${GLANCE_HOSTPORT}"
|
||||||
if is_ssl_enabled_service glance || is_service_enabled tls-proxy; then
|
if is_service_enabled tls-proxy; then
|
||||||
iniset $CINDER_CONF DEFAULT glance_protocol https
|
iniset $CINDER_CONF DEFAULT glance_protocol https
|
||||||
iniset $CINDER_CONF DEFAULT glance_ca_certificates_file $SSL_BUNDLE_FILE
|
iniset $CINDER_CONF DEFAULT glance_ca_certificates_file $SSL_BUNDLE_FILE
|
||||||
fi
|
fi
|
||||||
@ -356,14 +351,6 @@ function configure_cinder {
|
|||||||
iniset $CINDER_CONF DEFAULT glance_api_version 2
|
iniset $CINDER_CONF DEFAULT glance_api_version 2
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Register SSL certificates if provided
|
|
||||||
if is_ssl_enabled_service cinder; then
|
|
||||||
ensure_certificates CINDER
|
|
||||||
|
|
||||||
iniset $CINDER_CONF DEFAULT ssl_cert_file "$CINDER_SSL_CERT"
|
|
||||||
iniset $CINDER_CONF DEFAULT ssl_key_file "$CINDER_SSL_KEY"
|
|
||||||
fi
|
|
||||||
|
|
||||||
# Set os_privileged_user credentials (used for os-assisted-snapshots)
|
# Set os_privileged_user credentials (used for os-assisted-snapshots)
|
||||||
iniset $CINDER_CONF DEFAULT os_privileged_user_name nova
|
iniset $CINDER_CONF DEFAULT os_privileged_user_name nova
|
||||||
iniset $CINDER_CONF DEFAULT os_privileged_user_password "$SERVICE_PASSWORD"
|
iniset $CINDER_CONF DEFAULT os_privileged_user_password "$SERVICE_PASSWORD"
|
||||||
@ -464,9 +451,6 @@ function install_cinder {
|
|||||||
|
|
||||||
if [ "$CINDER_USE_MOD_WSGI" == "True" ]; then
|
if [ "$CINDER_USE_MOD_WSGI" == "True" ]; then
|
||||||
install_apache_wsgi
|
install_apache_wsgi
|
||||||
if is_ssl_enabled_service "c-api"; then
|
|
||||||
enable_mod_ssl
|
|
||||||
fi
|
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
|
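Review bot: The assignments to `cinder_ssl`, `cinder_certfile` and `cinder_keyfile` are dropped from `_cinder_config_apache_wsgi` in the hunk at -215, but nothing in the hunk shows their consumers going away; if the Apache site template substitution later in that function (outside the hunk) still reads them, they now expand silently to empty strings, which is only harmless as long as no `%SSL…%`-style placeholder is left behind in the rendered vhost. The same pattern appears for `keystone_ssl_listen`/`keystone_ssl`/`keystone_certfile`/`keystone_keyfile` in the `_config_keystone_apache_wsgi` hunk at -171, `nova_ssl`/`nova_certfile`/`nova_keyfile` in the `_config_nova_apache_wsgi` hunk at -262 and `placement_ssl`/`placement_certfile`/`placement_keyfile` in the `_config_placement_apache_wsgi` hunk at -72. It is worth grepping the templates and the sed substitutions for the matching placeholders and removing them in the same change, so a stale substitution cannot quietly reappear later. Each of these functions starts and ends outside its hunk.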
17
lib/glance
17
lib/glance
@ -57,7 +57,7 @@ GLANCE_SCHEMA_JSON=$GLANCE_CONF_DIR/schema-image.json
|
|||||||
GLANCE_SWIFT_STORE_CONF=$GLANCE_CONF_DIR/glance-swift-store.conf
|
GLANCE_SWIFT_STORE_CONF=$GLANCE_CONF_DIR/glance-swift-store.conf
|
||||||
GLANCE_V1_ENABLED=${GLANCE_V1_ENABLED:-False}
|
GLANCE_V1_ENABLED=${GLANCE_V1_ENABLED:-False}
|
||||||
|
|
||||||
if is_ssl_enabled_service "glance" || is_service_enabled tls-proxy; then
|
if is_service_enabled tls-proxy; then
|
||||||
GLANCE_SERVICE_PROTOCOL="https"
|
GLANCE_SERVICE_PROTOCOL="https"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
@ -187,18 +187,7 @@ function configure_glance {
|
|||||||
iniset $GLANCE_REGISTRY_CONF keystone_authtoken identity_uri $KEYSTONE_AUTH_URI
|
iniset $GLANCE_REGISTRY_CONF keystone_authtoken identity_uri $KEYSTONE_AUTH_URI
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Register SSL certificates if provided
|
if is_service_enabled tls-proxy; then
|
||||||
if is_ssl_enabled_service glance; then
|
|
||||||
ensure_certificates GLANCE
|
|
||||||
|
|
||||||
iniset $GLANCE_API_CONF DEFAULT cert_file "$GLANCE_SSL_CERT"
|
|
||||||
iniset $GLANCE_API_CONF DEFAULT key_file "$GLANCE_SSL_KEY"
|
|
||||||
|
|
||||||
iniset $GLANCE_REGISTRY_CONF DEFAULT cert_file "$GLANCE_SSL_CERT"
|
|
||||||
iniset $GLANCE_REGISTRY_CONF DEFAULT key_file "$GLANCE_SSL_KEY"
|
|
||||||
fi
|
|
||||||
|
|
||||||
if is_ssl_enabled_service glance || is_service_enabled tls-proxy; then
|
|
||||||
iniset $GLANCE_API_CONF DEFAULT registry_client_protocol https
|
iniset $GLANCE_API_CONF DEFAULT registry_client_protocol https
|
||||||
fi
|
fi
|
||||||
|
|
||||||
@ -233,7 +222,7 @@ function configure_glance {
|
|||||||
|
|
||||||
cp -p $GLANCE_DIR/etc/metadefs/*.json $GLANCE_METADEF_DIR
|
cp -p $GLANCE_DIR/etc/metadefs/*.json $GLANCE_METADEF_DIR
|
||||||
|
|
||||||
if is_ssl_enabled_service "cinder" || is_service_enabled tls-proxy; then
|
if is_service_enabled tls-proxy; then
|
||||||
CINDER_SERVICE_HOST=${CINDER_SERVICE_HOST:-$SERVICE_HOST}
|
CINDER_SERVICE_HOST=${CINDER_SERVICE_HOST:-$SERVICE_HOST}
|
||||||
CINDER_SERVICE_PORT=${CINDER_SERVICE_PORT:-8776}
|
CINDER_SERVICE_PORT=${CINDER_SERVICE_PORT:-8776}
|
||||||
|
|
||||||
|
17
lib/keystone
17
lib/keystone
@ -116,7 +116,7 @@ SERVICE_PROJECT_NAME=${SERVICE_PROJECT_NAME:-service}
|
|||||||
SERVICE_TENANT_NAME=${SERVICE_PROJECT_NAME:-service}
|
SERVICE_TENANT_NAME=${SERVICE_PROJECT_NAME:-service}
|
||||||
|
|
||||||
# if we are running with SSL use https protocols
|
# if we are running with SSL use https protocols
|
||||||
if is_ssl_enabled_service "key" || is_service_enabled tls-proxy; then
|
if is_service_enabled tls-proxy; then
|
||||||
KEYSTONE_AUTH_PROTOCOL="https"
|
KEYSTONE_AUTH_PROTOCOL="https"
|
||||||
KEYSTONE_SERVICE_PROTOCOL="https"
|
KEYSTONE_SERVICE_PROTOCOL="https"
|
||||||
fi
|
fi
|
||||||
@ -171,12 +171,6 @@ function _config_keystone_apache_wsgi {
|
|||||||
local keystone_auth_port=$KEYSTONE_AUTH_PORT
|
local keystone_auth_port=$KEYSTONE_AUTH_PORT
|
||||||
local venv_path=""
|
local venv_path=""
|
||||||
|
|
||||||
if is_ssl_enabled_service key; then
|
|
||||||
keystone_ssl_listen=""
|
|
||||||
keystone_ssl="SSLEngine On"
|
|
||||||
keystone_certfile="SSLCertificateFile $KEYSTONE_SSL_CERT"
|
|
||||||
keystone_keyfile="SSLCertificateKeyFile $KEYSTONE_SSL_KEY"
|
|
||||||
fi
|
|
||||||
if is_service_enabled tls-proxy; then
|
if is_service_enabled tls-proxy; then
|
||||||
keystone_service_port=$KEYSTONE_SERVICE_PORT_INT
|
keystone_service_port=$KEYSTONE_SERVICE_PORT_INT
|
||||||
keystone_auth_port=$KEYSTONE_AUTH_PORT_INT
|
keystone_auth_port=$KEYSTONE_AUTH_PORT_INT
|
||||||
@ -247,11 +241,6 @@ function configure_keystone {
|
|||||||
|
|
||||||
iniset_rpc_backend keystone $KEYSTONE_CONF
|
iniset_rpc_backend keystone $KEYSTONE_CONF
|
||||||
|
|
||||||
# Register SSL certificates if provided
|
|
||||||
if is_ssl_enabled_service key; then
|
|
||||||
ensure_certificates KEYSTONE
|
|
||||||
fi
|
|
||||||
|
|
||||||
local service_port=$KEYSTONE_SERVICE_PORT
|
local service_port=$KEYSTONE_SERVICE_PORT
|
||||||
local auth_port=$KEYSTONE_AUTH_PORT
|
local auth_port=$KEYSTONE_AUTH_PORT
|
||||||
|
|
||||||
@ -297,7 +286,6 @@ function configure_keystone {
|
|||||||
_config_keystone_apache_wsgi
|
_config_keystone_apache_wsgi
|
||||||
else # uwsgi
|
else # uwsgi
|
||||||
# iniset creates these files when it's called if they don't exist.
|
# iniset creates these files when it's called if they don't exist.
|
||||||
|
|
||||||
write_uwsgi_config "$KEYSTONE_PUBLIC_UWSGI_CONF" "$KEYSTONE_PUBLIC_UWSGI" "/identity" "$KEYSTONE_SERVICE_HOST:$service_port"
|
write_uwsgi_config "$KEYSTONE_PUBLIC_UWSGI_CONF" "$KEYSTONE_PUBLIC_UWSGI" "/identity" "$KEYSTONE_SERVICE_HOST:$service_port"
|
||||||
write_uwsgi_config "$KEYSTONE_ADMIN_UWSGI_CONF" "$KEYSTONE_ADMIN_UWSGI" "/identity_admin" "$KEYSTONE_ADMIN_BIND_HOST:$auth_port"
|
write_uwsgi_config "$KEYSTONE_ADMIN_UWSGI_CONF" "$KEYSTONE_ADMIN_UWSGI" "/identity_admin" "$KEYSTONE_ADMIN_BIND_HOST:$auth_port"
|
||||||
fi
|
fi
|
||||||
@ -546,9 +534,6 @@ function install_keystone {
|
|||||||
|
|
||||||
if [ "$KEYSTONE_DEPLOY" == "mod_wsgi" ]; then
|
if [ "$KEYSTONE_DEPLOY" == "mod_wsgi" ]; then
|
||||||
install_apache_wsgi
|
install_apache_wsgi
|
||||||
if is_ssl_enabled_service "key"; then
|
|
||||||
enable_mod_ssl
|
|
||||||
fi
|
|
||||||
elif [ "$KEYSTONE_DEPLOY" == "uwsgi" ]; then
|
elif [ "$KEYSTONE_DEPLOY" == "uwsgi" ]; then
|
||||||
pip_install uwsgi
|
pip_install uwsgi
|
||||||
fi
|
fi
|
||||||
|
21
lib/neutron
21
lib/neutron
@ -61,7 +61,7 @@ NEUTRON_META_BINARY=${NEUTRON_META_BINARY:-neutron-metadata-agent}
|
|||||||
NEUTRON_METERING_BINARY=${NEUTRON_METERING_BINARY:-neutron-metering-agent}
|
NEUTRON_METERING_BINARY=${NEUTRON_METERING_BINARY:-neutron-metering-agent}
|
||||||
|
|
||||||
# Public facing bits
|
# Public facing bits
|
||||||
if is_ssl_enabled_service "neutron" || is_service_enabled tls-proxy; then
|
if is_service_enabled tls-proxy; then
|
||||||
NEUTRON_SERVICE_PROTOCOL="https"
|
NEUTRON_SERVICE_PROTOCOL="https"
|
||||||
fi
|
fi
|
||||||
NEUTRON_SERVICE_HOST=${NEUTRON_SERVICE_HOST:-$SERVICE_HOST}
|
NEUTRON_SERVICE_HOST=${NEUTRON_SERVICE_HOST:-$SERVICE_HOST}
|
||||||
@ -243,14 +243,6 @@ function configure_neutron_new {
|
|||||||
iniset $NEUTRON_CONF DEFAULT bind_port "$NEUTRON_SERVICE_PORT_INT"
|
iniset $NEUTRON_CONF DEFAULT bind_port "$NEUTRON_SERVICE_PORT_INT"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if is_ssl_enabled_service "neutron"; then
|
|
||||||
ensure_certificates NEUTRON
|
|
||||||
|
|
||||||
iniset $NEUTRON_CONF DEFAULT use_ssl True
|
|
||||||
iniset $NEUTRON_CONF DEFAULT ssl_cert_file "$NEUTRON_SSL_CERT"
|
|
||||||
iniset $NEUTRON_CONF DEFAULT ssl_key_file "$NEUTRON_SSL_KEY"
|
|
||||||
fi
|
|
||||||
|
|
||||||
# Metering
|
# Metering
|
||||||
if is_service_enabled neutron-metering; then
|
if is_service_enabled neutron-metering; then
|
||||||
cp $NEUTRON_DIR/etc/metering_agent.ini.sample $NEUTRON_METERING_AGENT_CONF
|
cp $NEUTRON_DIR/etc/metering_agent.ini.sample $NEUTRON_METERING_AGENT_CONF
|
||||||
@ -404,17 +396,10 @@ function start_neutron_api {
|
|||||||
# TODO(sc68cal) Stop hard coding this
|
# TODO(sc68cal) Stop hard coding this
|
||||||
run_process neutron-api "$NEUTRON_BIN_DIR/neutron-server $opts"
|
run_process neutron-api "$NEUTRON_BIN_DIR/neutron-server $opts"
|
||||||
|
|
||||||
if is_ssl_enabled_service "neutron"; then
|
if ! wait_for_service $SERVICE_TIMEOUT $service_protocol://$NEUTRON_SERVICE_HOST:$service_port; then
|
||||||
ssl_ca="--ca-certificate=${SSL_BUNDLE_FILE}"
|
die $LINENO "neutron-api did not start"
|
||||||
local testcmd="wget ${ssl_ca} --no-proxy -q -O- $service_protocol://$NEUTRON_SERVICE_HOST:$service_port"
|
|
||||||
test_with_retry "$testcmd" "Neutron did not start" $SERVICE_TIMEOUT
|
|
||||||
else
|
|
||||||
if ! wait_for_service $SERVICE_TIMEOUT $service_protocol://$NEUTRON_SERVICE_HOST:$service_port; then
|
|
||||||
die $LINENO "neutron-api did not start"
|
|
||||||
fi
|
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
|
||||||
# Start proxy if enabled
|
# Start proxy if enabled
|
||||||
if is_service_enabled tls-proxy; then
|
if is_service_enabled tls-proxy; then
|
||||||
start_tls_proxy neutron '*' $NEUTRON_SERVICE_PORT $NEUTRON_SERVICE_HOST $NEUTRON_SERVICE_PORT_INT
|
start_tls_proxy neutron '*' $NEUTRON_SERVICE_PORT $NEUTRON_SERVICE_HOST $NEUTRON_SERVICE_PORT_INT
|
||||||
|
@ -61,7 +61,7 @@
|
|||||||
|
|
||||||
deprecated "Using lib/neutron-legacy is deprecated, and it will be removed in the future"
|
deprecated "Using lib/neutron-legacy is deprecated, and it will be removed in the future"
|
||||||
|
|
||||||
if is_ssl_enabled_service "neutron" || is_service_enabled tls-proxy; then
|
if is_service_enabled tls-proxy; then
|
||||||
Q_PROTOCOL="https"
|
Q_PROTOCOL="https"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
@ -461,9 +461,6 @@ function start_neutron_service_and_check {
|
|||||||
# Start the Neutron service
|
# Start the Neutron service
|
||||||
run_process q-svc "$NEUTRON_BIN_DIR/neutron-server $cfg_file_options"
|
run_process q-svc "$NEUTRON_BIN_DIR/neutron-server $cfg_file_options"
|
||||||
echo "Waiting for Neutron to start..."
|
echo "Waiting for Neutron to start..."
|
||||||
if is_ssl_enabled_service "neutron"; then
|
|
||||||
ssl_ca="--ca-certificate=${SSL_BUNDLE_FILE}"
|
|
||||||
fi
|
|
||||||
|
|
||||||
local testcmd="wget ${ssl_ca} --no-proxy -q -O- $service_protocol://$Q_HOST:$service_port"
|
local testcmd="wget ${ssl_ca} --no-proxy -q -O- $service_protocol://$Q_HOST:$service_port"
|
||||||
test_with_retry "$testcmd" "Neutron did not start" $SERVICE_TIMEOUT
|
test_with_retry "$testcmd" "Neutron did not start" $SERVICE_TIMEOUT
|
||||||
@ -714,18 +711,6 @@ function _configure_neutron_common {
|
|||||||
iniset $NEUTRON_CONF DEFAULT bind_port "$Q_PORT_INT"
|
iniset $NEUTRON_CONF DEFAULT bind_port "$Q_PORT_INT"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if is_ssl_enabled_service "nova"; then
|
|
||||||
iniset $NEUTRON_CONF nova cafile $SSL_BUNDLE_FILE
|
|
||||||
fi
|
|
||||||
|
|
||||||
if is_ssl_enabled_service "neutron"; then
|
|
||||||
ensure_certificates NEUTRON
|
|
||||||
|
|
||||||
iniset $NEUTRON_CONF DEFAULT use_ssl True
|
|
||||||
iniset $NEUTRON_CONF DEFAULT ssl_cert_file "$NEUTRON_SSL_CERT"
|
|
||||||
iniset $NEUTRON_CONF DEFAULT ssl_key_file "$NEUTRON_SSL_KEY"
|
|
||||||
fi
|
|
||||||
|
|
||||||
_neutron_setup_rootwrap
|
_neutron_setup_rootwrap
|
||||||
}
|
}
|
||||||
|
|
||||||
|
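Review bot: `start_neutron_service_and_check` still builds its probe with `${ssl_ca}` (the kept line `local testcmd="wget ${ssl_ca} --no-proxy -q -O- $service_protocol://$Q_HOST:$service_port"`), but the hunk at -461 removes the only assignment to `ssl_ca` in view, so the expansion is now an always-empty leftover. Drop it: `local testcmd="wget --no-proxy -q -O- $service_protocol://$Q_HOST:$service_port"`. Because `Q_PROTOCOL` becomes https under tls-proxy (hunk at -61), this wget presumably relies on the devstack CA already being in the system bundle via `fix_system_ca_bundle_path`; if that is not guaranteed at this point, the `wait_for_service` form adopted in lib/neutron's `start_neutron_api` in this same commit would be the consistent replacement. The function starts and ends outside the hunk.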
24
lib/nova
24
lib/nova
@ -68,7 +68,7 @@ fi
|
|||||||
# Toggle for deploying Nova-API under HTTPD + mod_wsgi
|
# Toggle for deploying Nova-API under HTTPD + mod_wsgi
|
||||||
NOVA_USE_MOD_WSGI=${NOVA_USE_MOD_WSGI:-False}
|
NOVA_USE_MOD_WSGI=${NOVA_USE_MOD_WSGI:-False}
|
||||||
|
|
||||||
if is_ssl_enabled_service "nova" || is_service_enabled tls-proxy; then
|
if is_service_enabled tls-proxy; then
|
||||||
NOVA_SERVICE_PROTOCOL="https"
|
NOVA_SERVICE_PROTOCOL="https"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
@ -262,11 +262,6 @@ function _config_nova_apache_wsgi {
|
|||||||
local nova_metadata_port=$METADATA_SERVICE_PORT
|
local nova_metadata_port=$METADATA_SERVICE_PORT
|
||||||
local venv_path=""
|
local venv_path=""
|
||||||
|
|
||||||
if is_ssl_enabled_service nova-api; then
|
|
||||||
nova_ssl="SSLEngine On"
|
|
||||||
nova_certfile="SSLCertificateFile $NOVA_SSL_CERT"
|
|
||||||
nova_keyfile="SSLCertificateKeyFile $NOVA_SSL_KEY"
|
|
||||||
fi
|
|
||||||
if [[ ${USE_VENV} = True ]]; then
|
if [[ ${USE_VENV} = True ]]; then
|
||||||
venv_path="python-path=${PROJECT_VENV["nova"]}/lib/$(python_version)/site-packages"
|
venv_path="python-path=${PROJECT_VENV["nova"]}/lib/$(python_version)/site-packages"
|
||||||
fi
|
fi
|
||||||
@ -501,7 +496,7 @@ function create_nova_conf {
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
if is_service_enabled cinder; then
|
if is_service_enabled cinder; then
|
||||||
if is_ssl_enabled_service "cinder" || is_service_enabled tls-proxy; then
|
if is_service_enabled tls-proxy; then
|
||||||
CINDER_SERVICE_HOST=${CINDER_SERVICE_HOST:-$SERVICE_HOST}
|
CINDER_SERVICE_HOST=${CINDER_SERVICE_HOST:-$SERVICE_HOST}
|
||||||
CINDER_SERVICE_PORT=${CINDER_SERVICE_PORT:-8776}
|
CINDER_SERVICE_PORT=${CINDER_SERVICE_PORT:-8776}
|
||||||
iniset $NOVA_CONF cinder cafile $SSL_BUNDLE_FILE
|
iniset $NOVA_CONF cinder cafile $SSL_BUNDLE_FILE
|
||||||
@ -586,20 +581,10 @@ function create_nova_conf {
|
|||||||
|
|
||||||
iniset $NOVA_CONF cinder os_region_name "$REGION_NAME"
|
iniset $NOVA_CONF cinder os_region_name "$REGION_NAME"
|
||||||
|
|
||||||
if is_ssl_enabled_service glance || is_service_enabled tls-proxy; then
|
if is_service_enabled tls-proxy; then
|
||||||
iniset $NOVA_CONF DEFAULT glance_protocol https
|
iniset $NOVA_CONF DEFAULT glance_protocol https
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Register SSL certificates if provided
|
|
||||||
if is_ssl_enabled_service nova; then
|
|
||||||
ensure_certificates NOVA
|
|
||||||
|
|
||||||
iniset $NOVA_CONF DEFAULT ssl_cert_file "$NOVA_SSL_CERT"
|
|
||||||
iniset $NOVA_CONF DEFAULT ssl_key_file "$NOVA_SSL_KEY"
|
|
||||||
|
|
||||||
iniset $NOVA_CONF DEFAULT enabled_ssl_apis "$NOVA_ENABLED_APIS"
|
|
||||||
fi
|
|
||||||
|
|
||||||
if is_service_enabled n-sproxy; then
|
if is_service_enabled n-sproxy; then
|
||||||
iniset $NOVA_CONF serial_console serialproxy_host "$NOVA_SERVICE_LISTEN_ADDRESS"
|
iniset $NOVA_CONF serial_console serialproxy_host "$NOVA_SERVICE_LISTEN_ADDRESS"
|
||||||
iniset $NOVA_CONF serial_console enabled True
|
iniset $NOVA_CONF serial_console enabled True
|
||||||
@ -790,9 +775,6 @@ function install_nova {
|
|||||||
|
|
||||||
if [ "$NOVA_USE_MOD_WSGI" == "True" ]; then
|
if [ "$NOVA_USE_MOD_WSGI" == "True" ]; then
|
||||||
install_apache_wsgi
|
install_apache_wsgi
|
||||||
if is_ssl_enabled_service "nova-api"; then
|
|
||||||
enable_mod_ssl
|
|
||||||
fi
|
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -40,7 +40,7 @@ PLACEMENT_AUTH_STRATEGY=${PLACEMENT_AUTH_STRATEGY:-placement}
|
|||||||
# yet merged in nova but is coming soon.
|
# yet merged in nova but is coming soon.
|
||||||
PLACEMENT_DB_ENABLED=$(trueorfalse False PLACEMENT_DB_ENABLED)
|
PLACEMENT_DB_ENABLED=$(trueorfalse False PLACEMENT_DB_ENABLED)
|
||||||
|
|
||||||
if is_ssl_enabled_service "placement-api" || is_service_enabled tls-proxy; then
|
if is_service_enabled tls-proxy; then
|
||||||
PLACEMENT_SERVICE_PROTOCOL="https"
|
PLACEMENT_SERVICE_PROTOCOL="https"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
@ -72,12 +72,6 @@ function _config_placement_apache_wsgi {
|
|||||||
nova_bin_dir=$(get_python_exec_prefix)
|
nova_bin_dir=$(get_python_exec_prefix)
|
||||||
placement_api_apache_conf=$(apache_site_config_for placement-api)
|
placement_api_apache_conf=$(apache_site_config_for placement-api)
|
||||||
|
|
||||||
# reuse nova's cert if a cert is being used
|
|
||||||
if is_ssl_enabled_service "placement-api"; then
|
|
||||||
placement_ssl="SSLEngine On"
|
|
||||||
placement_certfile="SSLCertificateFile $NOVA_SSL_CERT"
|
|
||||||
placement_keyfile="SSLCertificateKeyFile $NOVA_SSL_KEY"
|
|
||||||
fi
|
|
||||||
# reuse nova's venv if there is one as placement code lives
|
# reuse nova's venv if there is one as placement code lives
|
||||||
# there
|
# there
|
||||||
if [[ ${USE_VENV} = True ]]; then
|
if [[ ${USE_VENV} = True ]]; then
|
||||||
@ -149,9 +143,6 @@ function init_placement {
|
|||||||
# install_placement() - Collect source and prepare
|
# install_placement() - Collect source and prepare
|
||||||
function install_placement {
|
function install_placement {
|
||||||
install_apache_wsgi
|
install_apache_wsgi
|
||||||
if is_ssl_enabled_service "placement-api"; then
|
|
||||||
enable_mod_ssl
|
|
||||||
fi
|
|
||||||
}
|
}
|
||||||
|
|
||||||
# start_placement_api() - Start the API processes ahead of other things
|
# start_placement_api() - Start the API processes ahead of other things
|
||||||
|
@ -31,7 +31,7 @@ set +o xtrace
|
|||||||
# Defaults
|
# Defaults
|
||||||
# --------
|
# --------
|
||||||
|
|
||||||
if is_ssl_enabled_service "s-proxy" || is_service_enabled tls-proxy; then
|
if is_service_enabled tls-proxy; then
|
||||||
SWIFT_SERVICE_PROTOCOL="https"
|
SWIFT_SERVICE_PROTOCOL="https"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
@ -398,13 +398,6 @@ function configure_swift {
|
|||||||
iniset ${SWIFT_CONFIG_PROXY_SERVER} DEFAULT bind_port ${SWIFT_DEFAULT_BIND_PORT}
|
iniset ${SWIFT_CONFIG_PROXY_SERVER} DEFAULT bind_port ${SWIFT_DEFAULT_BIND_PORT}
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if is_ssl_enabled_service s-proxy; then
|
|
||||||
ensure_certificates SWIFT
|
|
||||||
|
|
||||||
iniset ${SWIFT_CONFIG_PROXY_SERVER} DEFAULT cert_file "$SWIFT_SSL_CERT"
|
|
||||||
iniset ${SWIFT_CONFIG_PROXY_SERVER} DEFAULT key_file "$SWIFT_SSL_KEY"
|
|
||||||
fi
|
|
||||||
|
|
||||||
# DevStack is commonly run in a small slow environment, so bump the timeouts up.
|
# DevStack is commonly run in a small slow environment, so bump the timeouts up.
|
||||||
# ``node_timeout`` is the node read operation response time to the proxy server
|
# ``node_timeout`` is the node read operation response time to the proxy server
|
||||||
# ``conn_timeout`` is how long it takes a connect() system call to return
|
# ``conn_timeout`` is how long it takes a connect() system call to return
|
||||||
|
@ -279,7 +279,7 @@ function configure_tempest {
|
|||||||
fi
|
fi
|
||||||
iniset $TEMPEST_CONFIG identity auth_version ${TEMPEST_AUTH_VERSION:-v3}
|
iniset $TEMPEST_CONFIG identity auth_version ${TEMPEST_AUTH_VERSION:-v3}
|
||||||
|
|
||||||
if is_ssl_enabled_service "key" || is_service_enabled tls-proxy; then
|
if is_service_enabled tls-proxy; then
|
||||||
iniset $TEMPEST_CONFIG identity ca_certificates_file $SSL_BUNDLE_FILE
|
iniset $TEMPEST_CONFIG identity ca_certificates_file $SSL_BUNDLE_FILE
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
25
lib/tls
25
lib/tls
@ -343,7 +343,7 @@ function make_root_CA {
|
|||||||
# one. If the value for the CA is not rooted in /etc then we know
|
# one. If the value for the CA is not rooted in /etc then we know
|
||||||
# we need to change it.
|
# we need to change it.
|
||||||
function fix_system_ca_bundle_path {
|
function fix_system_ca_bundle_path {
|
||||||
if is_service_enabled tls-proxy || [ "$USE_SSL" == "True" ]; then
|
if is_service_enabled tls-proxy; then
|
||||||
local capath
|
local capath
|
||||||
capath=$(python -c $'try:\n from requests import certs\n print certs.where()\nexcept ImportError: pass')
|
capath=$(python -c $'try:\n from requests import certs\n print certs.where()\nexcept ImportError: pass')
|
||||||
|
|
||||||
@ -362,27 +362,14 @@ function fix_system_ca_bundle_path {
|
|||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
# Only for compatibility, return if the tls-proxy is enabled
|
||||||
|
function is_ssl_enabled_service {
|
||||||
|
return is_service_enabled tls-proxy
|
||||||
|
}
|
||||||
|
|
||||||
# Certificate Input Configuration
|
# Certificate Input Configuration
|
||||||
# ===============================
|
# ===============================
|
||||||
|
|
||||||
# check to see if the service(s) specified are to be SSL enabled.
|
|
||||||
#
|
|
||||||
# Multiple services specified as arguments are ``OR``'ed together; the test
|
|
||||||
# is a short-circuit boolean, i.e it returns on the first match.
|
|
||||||
#
|
|
||||||
# Uses global ``SSL_ENABLED_SERVICES``
|
|
||||||
function is_ssl_enabled_service {
|
|
||||||
local services=$@
|
|
||||||
local service=""
|
|
||||||
if [ "$USE_SSL" == "False" ]; then
|
|
||||||
return 1
|
|
||||||
fi
|
|
||||||
for service in ${services}; do
|
|
||||||
[[ ,${SSL_ENABLED_SERVICES}, =~ ,${service}, ]] && return 0
|
|
||||||
done
|
|
||||||
return 1
|
|
||||||
}
|
|
||||||
|
|
||||||
# Ensure that the certificates for a service are in place. This function does
|
# Ensure that the certificates for a service are in place. This function does
|
||||||
# not check that a service is SSL enabled, this should already have been
|
# not check that a service is SSL enabled, this should already have been
|
||||||
# completed.
|
# completed.
|
||||||
|
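Review bot: The compatibility wrapper added in the hunk at -362 is broken: `return is_service_enabled tls-proxy` hands a command name to bash's `return`, which accepts only an integer, so the shell reports `numeric argument required` and the function's exit status never reflects whether tls-proxy is enabled. Make the probe the last command instead, `function is_ssl_enabled_service { is_service_enabled tls-proxy; }`, or write `is_service_enabled tls-proxy; return $?`. The header comment should also state that the service-name arguments the old function accepted are now ignored, e.g. `# Compatibility shim for out-of-tree callers: arguments are ignored; true iff tls-proxy is enabled`, since every in-tree caller visible in this change has been rewritten to call `is_service_enabled tls-proxy` directly.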
11
stack.sh
11
stack.sh
@ -539,13 +539,6 @@ rm -f $SSL_BUNDLE_FILE
|
|||||||
source $TOP_DIR/lib/database
|
source $TOP_DIR/lib/database
|
||||||
source $TOP_DIR/lib/rpc_backend
|
source $TOP_DIR/lib/rpc_backend
|
||||||
|
|
||||||
# Service to enable with SSL if ``USE_SSL`` is True
|
|
||||||
SSL_ENABLED_SERVICES="key,nova,cinder,glance,s-proxy,neutron"
|
|
||||||
|
|
||||||
if is_service_enabled tls-proxy && [ "$USE_SSL" == "True" ]; then
|
|
||||||
die $LINENO "tls-proxy and SSL are mutually exclusive"
|
|
||||||
fi
|
|
||||||
|
|
||||||
# Configure Projects
|
# Configure Projects
|
||||||
# ==================
|
# ==================
|
||||||
|
|
||||||
@ -806,7 +799,7 @@ if is_service_enabled cinder nova; then
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
# Setup TLS certs
|
# Setup TLS certs
|
||||||
if is_service_enabled tls-proxy || [ "$USE_SSL" == "True" ]; then
|
if is_service_enabled tls-proxy; then
|
||||||
configure_CA
|
configure_CA
|
||||||
init_CA
|
init_CA
|
||||||
init_cert
|
init_cert
|
||||||
@ -886,7 +879,7 @@ if is_service_enabled horizon; then
|
|||||||
stack_install_service horizon
|
stack_install_service horizon
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if is_service_enabled tls-proxy || [ "$USE_SSL" == "True" ]; then
|
if is_service_enabled tls-proxy; then
|
||||||
fix_system_ca_bundle_path
|
fix_system_ca_bundle_path
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
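Review bot: Dropping the `USE_SSL` check in the hunk at -539 means an existing local.conf that still sets `USE_SSL=True` now silently deploys plain http between services with no indication that the setting is ignored. Assuming `deprecated` (already used in lib/neutron-legacy for exactly this purpose) is in scope at that point, a one-off notice where the removed mutual-exclusion check used to live would avoid a quiet downgrade: `if [[ "${USE_SSL:-}" == "True" ]]; then deprecated "USE_SSL is no longer supported; enable the tls-proxy service instead"; fi`.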
3
stackrc
3
stackrc
@ -846,9 +846,6 @@ SYSLOG_PORT=${SYSLOG_PORT:-516}
|
|||||||
# Set to 0 to disable shallow cloning
|
# Set to 0 to disable shallow cloning
|
||||||
GIT_DEPTH=${GIT_DEPTH:-0}
|
GIT_DEPTH=${GIT_DEPTH:-0}
|
||||||
|
|
||||||
# Use native SSL for servers in ``SSL_ENABLED_SERVICES``
|
|
||||||
USE_SSL=$(trueorfalse False USE_SSL)
|
|
||||||
|
|
||||||
# We may not need to recreate database in case 2 Keystone services
|
# We may not need to recreate database in case 2 Keystone services
|
||||||
# sharing the same database. It would be useful for multinode Grenade tests.
|
# sharing the same database. It would be useful for multinode Grenade tests.
|
||||||
RECREATE_KEYSTONE_DB=$(trueorfalse True RECREATE_KEYSTONE_DB)
|
RECREATE_KEYSTONE_DB=$(trueorfalse True RECREATE_KEYSTONE_DB)
|
||||||
|
@ -129,9 +129,6 @@ if is_service_enabled tls-proxy; then
|
|||||||
stop_tls_proxy
|
stop_tls_proxy
|
||||||
cleanup_CA
|
cleanup_CA
|
||||||
fi
|
fi
|
||||||
if [ "$USE_SSL" == "True" ]; then
|
|
||||||
cleanup_CA
|
|
||||||
fi
|
|
||||||
|
|
||||||
SCSI_PERSIST_DIR=$CINDER_STATE_PATH/volumes/*
|
SCSI_PERSIST_DIR=$CINDER_STATE_PATH/volumes/*
|
||||||
|
|
||||||
|