Merge "Add support for encrypting heat api"

This commit is contained in:
Zuul 2020-04-29 17:19:51 +00:00 committed by Gerrit Code Review
commit 059fee1ea3
8 changed files with 183 additions and 12 deletions


@ -16,12 +16,14 @@ heat_services:
external: false
port: "{{ heat_api_port }}"
listen_port: "{{ heat_api_listen_port }}"
tls_backend: "{{ heat_enable_tls_backend }}"
heat_api_external:
enabled: "{{ enable_heat }}"
mode: "http"
external: true
port: "{{ heat_api_port }}"
listen_port: "{{ heat_api_listen_port }}"
tls_backend: "{{ heat_enable_tls_backend }}"
heat-api-cfn:
container_name: heat_api_cfn
group: heat-api-cfn
@ -36,12 +38,14 @@ heat_services:
external: false
port: "{{ heat_api_cfn_port }}"
listen_port: "{{ heat_api_cfn_listen_port }}"
tls_backend: "{{ heat_enable_tls_backend }}"
heat_api_cfn_external:
enabled: "{{ enable_heat }}"
mode: "http"
external: true
port: "{{ heat_api_cfn_port }}"
listen_port: "{{ heat_api_cfn_listen_port }}"
tls_backend: "{{ heat_enable_tls_backend }}"
heat-engine:
container_name: heat_engine
group: heat-engine
@ -173,3 +177,8 @@ heat_ks_user_roles:
- project: "{{ openstack_auth.project_name }}"
user: "{{ openstack_auth.username }}"
role: "{{ heat_stack_owner_role }}"
####################
# TLS
####################
heat_enable_tls_backend: "{{ kolla_enable_tls_backend }}"
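Review bot: The new `heat_enable_tls_backend` variable at the end of the hunk sits under a bare `# TLS` banner with no explanation of what it switches on, although it now drives both the `tls_backend` flags on the HAProxy entries earlier in this hunk and the Apache/certificate templates elsewhere in this change. A one-line comment above it would spare operators a trip through the role, for example `# Terminate TLS in the heat-api/heat-api-cfn containers (Apache) so the HAProxy-to-backend hop is encrypted; follows the global kolla_enable_tls_backend by default.` The `heat_ks_user_roles` list this hunk is appended to starts outside the visible lines.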


@ -33,7 +33,7 @@
- include_tasks: copy-certs.yml
when:
- kolla_copy_ca_into_containers | bool
- kolla_copy_ca_into_containers | bool or heat_enable_tls_backend | bool
- name: Copying over config.json files for services
become: true
@ -82,5 +82,33 @@
notify:
- Restart {{ item.key }} container
- name: Copying over heat-api wsgi config
vars:
service: "{{ heat_services['heat-api'] }}"
template:
src: "{{ role_path }}/templates/wsgi-heat-api.conf.j2"
dest: "{{ node_config_directory }}/heat-api/wsgi-heat-api.conf"
mode: "0660"
become: true
when:
- inventory_hostname in groups[service['group']]
- service.enabled | bool
notify:
- Restart heat-api container
- name: Copying over heat-api-cfn wsgi config
vars:
service: "{{ heat_services['heat-api-cfn'] }}"
template:
src: "{{ role_path }}/templates/wsgi-heat-api-cfn.conf.j2"
dest: "{{ node_config_directory }}/heat-api-cfn/wsgi-heat-api-cfn.conf"
mode: "0660"
become: true
when:
- inventory_hostname in groups[service['group']]
- service.enabled | bool
notify:
- Restart heat-api-cfn container
- include_tasks: check-containers.yml
when: kolla_action != "config"
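Review bot: The two template tasks added before `check-containers.yml` (`Copying over heat-api wsgi config` and `Copying over heat-api-cfn wsgi config`) are identical except for the service name, which is a point of style rather than a defect: a single task iterating over the two names keeps the src/dest/mode/when/notify logic in one place, so a later change to the file mode or the conditions cannot drift between the two copies. The handler names already follow the `Restart <service> container` pattern, so the loop variable can be used in `notify` as well. The task file continues past the hunk, so I cannot see whether sibling tasks apply any further guard that the merged task should carry.
```yaml
- name: Copying over wsgi config for heat-api and heat-api-cfn
  vars:
    service: "{{ heat_services[item] }}"
  template:
    src: "{{ role_path }}/templates/wsgi-{{ item }}.conf.j2"
    dest: "{{ node_config_directory }}/{{ item }}/wsgi-{{ item }}.conf"
    mode: "0660"
  become: true
  when:
    - inventory_hostname in groups[service['group']]
    - service.enabled | bool
  with_items:
    - heat-api
    - heat-api-cfn
  notify:
    - Restart {{ item }} container
# … unchanged: include_tasks check-containers.yml …
```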


@ -1,18 +1,38 @@
{% set heat_api_cfn_cmd = 'apache2' if kolla_base_distro in ['ubuntu', 'debian'] else 'httpd' %}
{% set wsgi_conf_dir = 'apache2/conf-enabled' if kolla_base_distro in ['ubuntu', 'debian'] else 'httpd/conf.d' %}
{
"command": "heat-api-cfn",
"command": "/usr/sbin/{{ heat_api_cfn_cmd }} -DFOREGROUND",
"config_files": [
{
"source": "{{ container_config_directory }}/heat.conf",
"dest": "/etc/heat/heat.conf",
"owner": "heat",
"perm": "0600"
},{
"source": "{{ container_config_directory }}/wsgi-heat-api-cfn.conf",
"dest": "/etc/{{ wsgi_conf_dir }}/wsgi-heat-api-cfn.conf",
"owner": "heat",
"perm": "0600"
}{% if heat_policy_file is defined %},
{
"source": "{{ container_config_directory }}/{{ heat_policy_file }}",
"dest": "/etc/heat/{{ heat_policy_file }}",
"owner": "heat",
"perm": "0600"
}{% endif %}
}{% endif %}{% if heat_enable_tls_backend | bool %},
{
"source": "{{ container_config_directory }}/heat-cert.pem",
"dest": "/etc/heat/certs/heat-cert.pem",
"owner": "heat",
"perm": "0600"
},
{
"source": "{{ container_config_directory }}/heat-key.pem",
"dest": "/etc/heat/certs/heat-key.pem",
"owner": "heat",
"perm": "0600"
}
{% endif %}
],
"permissions": [
{


@ -1,18 +1,38 @@
{% set heat_api_cmd = 'apache2' if kolla_base_distro in ['ubuntu', 'debian'] else 'httpd' %}
{% set wsgi_conf_dir = 'apache2/conf-enabled' if kolla_base_distro in ['ubuntu', 'debian'] else 'httpd/conf.d' %}
{
"command": "heat-api",
"command": "/usr/sbin/{{ heat_api_cmd }} -DFOREGROUND",
"config_files": [
{
"source": "{{ container_config_directory }}/heat.conf",
"dest": "/etc/heat/heat.conf",
"owner": "heat",
"perm": "0600"
},{
"source": "{{ container_config_directory }}/wsgi-heat-api.conf",
"dest": "/etc/{{ wsgi_conf_dir }}/wsgi-heat-api.conf",
"owner": "heat",
"perm": "0600"
}{% if heat_policy_file is defined %},
{
"source": "{{ container_config_directory }}/{{ heat_policy_file }}",
"dest": "/etc/heat/{{ heat_policy_file }}",
"owner": "heat",
"perm": "0600"
}{% endif %}
}{% endif %}{% if heat_enable_tls_backend | bool %},
{
"source": "{{ container_config_directory }}/heat-cert.pem",
"dest": "/etc/heat/certs/heat-cert.pem",
"owner": "heat",
"perm": "0600"
},
{
"source": "{{ container_config_directory }}/heat-key.pem",
"dest": "/etc/heat/certs/heat-key.pem",
"owner": "heat",
"perm": "0600"
}
{% endif %}
],
"permissions": [
{


@ -0,0 +1,47 @@
{% set heat_log_dir = '/var/log/kolla/heat' %}
{% if heat_install_type == 'binary' %}
{% set python_path = '/usr/lib/python3/dist-packages' if kolla_base_distro in ['debian', 'ubuntu'] else '/usr/lib/python2.7/site-packages' %}
{% else %}
{% set python_path = '/usr/lib/python' ~ distro_python_version ~ '/site-packages' %}
{% endif %}
{% set binary_path = '/usr/bin' if heat_install_type == 'binary' else '/var/lib/kolla/venv/bin' %}
{% if heat_enable_tls_backend | bool %}
{% if kolla_base_distro in ['centos'] %}
LoadModule ssl_module /usr/lib64/httpd/modules/mod_ssl.so
{% else %}
LoadModule ssl_module /usr/lib/apache2/modules/mod_ssl.so
{% endif %}
{% endif %}
Listen {{ api_interface_address | put_address_in_context('url') }}:{{ heat_api_cfn_listen_port }}
ServerSignature Off
ServerTokens Prod
TraceEnable off
<Directory "{{ binary_path }}">
<FilesMatch "heat-wsgi-api-cfn">
AllowOverride None
Options None
Require all granted
</FilesMatch>
</Directory>
<VirtualHost *:{{ heat_api_cfn_listen_port }}>
WSGIDaemonProcess heat-api-cfn processes={{ openstack_service_workers }} threads=1 user=heat group=heat display-name=%{GROUP} python-path={{ python_path }}
WSGIProcessGroup heat-api-cfn
WSGIScriptAlias / {{ binary_path }}/heat-wsgi-api-cfn
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
<IfVersion >= 2.4>
ErrorLogFormat "%{cu}t %M"
</IfVersion>
ErrorLog "{{ heat_log_dir }}/heat-api-cfn-error.log"
LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b %D \"%{Referer}i\" \"%{User-Agent}i\"" logformat
CustomLog "{{ heat_log_dir }}/heat-api-cfn-error.log" logformat
{% if heat_enable_tls_backend | bool %}
SSLEngine On
SSLCertificateFile /etc/heat/certs/heat-cert.pem
SSLCertificateKeyFile /etc/heat/certs/heat-key.pem
{% endif %}
</VirtualHost>
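Review bot: The `CustomLog` directive near the end of the `VirtualHost` writes the access log to `heat-api-cfn-error.log`, the same path the `ErrorLog` directive two lines above already uses, so Apache opens two handles on one file and request records are interleaved with error output; the heat-api template in this change repeats the mistake with `heat-api-error.log` on its `CustomLog` line. Change it to `CustomLog "{{ heat_log_dir }}/heat-api-cfn-access.log" logformat` (and the heat-api counterpart to `heat-api-access.log`) so the two streams can be rotated and parsed separately. Separately, the `SSLEngine On` block relies on the distro mod_ssl defaults for `SSLProtocol` and `SSLCipherSuite`; if this deployment wants a pinned policy for the HAProxy-to-backend hop, this vhost is where it would go, though I cannot tell from the hunk whether a global ssl.conf in the image already sets one.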


@ -0,0 +1,47 @@
{% set heat_log_dir = '/var/log/kolla/heat' %}
{% if heat_install_type == 'binary' %}
{% set python_path = '/usr/lib/python3/dist-packages' if kolla_base_distro in ['debian', 'ubuntu'] else '/usr/lib/python2.7/site-packages' %}
{% else %}
{% set python_path = '/usr/lib/python' ~ distro_python_version ~ '/site-packages' %}
{% endif %}
{% set binary_path = '/usr/bin' if heat_install_type == 'binary' else '/var/lib/kolla/venv/bin' %}
{% if heat_enable_tls_backend | bool %}
{% if kolla_base_distro in ['centos'] %}
LoadModule ssl_module /usr/lib64/httpd/modules/mod_ssl.so
{% else %}
LoadModule ssl_module /usr/lib/apache2/modules/mod_ssl.so
{% endif %}
{% endif %}
Listen {{ api_interface_address | put_address_in_context('url') }}:{{ heat_api_listen_port }}
ServerSignature Off
ServerTokens Prod
TraceEnable off
<Directory "{{ binary_path }}">
<FilesMatch "heat-wsgi-api">
AllowOverride None
Options None
Require all granted
</FilesMatch>
</Directory>
<VirtualHost *:{{ heat_api_listen_port }}>
WSGIDaemonProcess heat-api processes={{ openstack_service_workers }} threads=1 user=heat group=heat display-name=%{GROUP} python-path={{ python_path }}
WSGIProcessGroup heat-api
WSGIScriptAlias / {{ binary_path }}/heat-wsgi-api
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
<IfVersion >= 2.4>
ErrorLogFormat "%{cu}t %M"
</IfVersion>
ErrorLog "{{ heat_log_dir }}/heat-api-error.log"
LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b %D \"%{Referer}i\" \"%{User-Agent}i\"" logformat
CustomLog "{{ heat_log_dir }}/heat-api-error.log" logformat
{% if heat_enable_tls_backend | bool %}
SSLEngine On
SSLCertificateFile /etc/heat/certs/heat-cert.pem
SSLCertificateKeyFile /etc/heat/certs/heat-key.pem
{% endif %}
</VirtualHost>


@ -0,0 +1,7 @@
---
features:
- |
Added configuration options to enable backend TLS encryption from HAProxy
to the Keystone, Heat, and cinder service. When used in conjunction with
enabling TLS for service API endpoints, network communcation will be
encrypted end to end, from client through HAProxy to the backend service.


@ -1,7 +0,0 @@
---
features:
- |
Added configuration options to enable backend TLS encryption from HAProxy
to the Keystone and cinder service. When used in conjunction with enabling
TLS for service API endpoints, network communcation will be encrypted end
to end, from client through HAProxy to the backend service.