openstack/openstack-helm
Code Issues Proposed changes
1907d08aff
openstack-helm/tools/deployment/common/setup-certificates.sh
Pete Birley e19be77f08 Ingress: Add initial TLS Support for core service public endpoints 
This PS adds support for TLS on over-ridden fqdn's for public
endpoints for core OpenStack Services. Currently this implementation
is limited, in that it does not provide support for dynamicly loading
CAs into the containers, or specifying them manually via configuration.
As a result only well known or CA's added manually to containers will
be recognised.

Change-Id: I8f1b699af29cbed2d83ad91bb6840dccce8c5146
Depends-On: I535f38a8d92c01280d79926a1f0acd06984aabbf
Signed-off-by: Tin Lam <tin@irrational.io>
Signed-off-by: Pete Birley <pete@port.direct>
2018-06-26 07:15:24 +00:00

418 lines
11 KiB
Bash
Executable File
Raw Blame History

#!/bin/bash
# Copyright 2018 The Openstack-Helm Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
set -xe
CURRENT_DIR=$(pwd)
CFSSLURL=https://pkg.cfssl.org/R1.2
TDIR=/tmp/certs
rm -rf $TDIR
mkdir -p $TDIR/bin
cd $TDIR
curl -sSL -o bin/cfssl $CFSSLURL/cfssl_linux-amd64
curl -sSL -o bin/cfssljson $CFSSLURL/cfssljson_linux-amd64
chmod +x bin/{cfssl,cfssljson}
export PATH=$PATH:./bin
OSH_CONFIG_ROOT="/etc/openstack-helm"
OSH_CA_ROOT="${OSH_CONFIG_ROOT}/certs/ca"
OSH_SERVER_TLS_ROOT="${OSH_CONFIG_ROOT}/certs/server"
sudo mkdir -p ${OSH_CONFIG_ROOT}
sudo chown $(whoami): -R ${OSH_CONFIG_ROOT}
mkdir -p "${OSH_CA_ROOT}"
tee ${OSH_CA_ROOT}/ca-config.json << EOF
{
"signing": {
"default": {
"expiry": "24h"
},
"profiles": {
"server": {
"expiry": "24h",
"usages": [
"signing",
"key encipherment",
"server auth"
]
}
}
}
}
EOF
tee ${OSH_CA_ROOT}/ca-csr.json << EOF
{
"CN": "ACME Company",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "US",
"L": "SomeState",
"ST": "SomeCity",
"O": "SomeOrg",
"OU": "SomeUnit"
}
]
}
EOF
cfssl gencert -initca ${OSH_CA_ROOT}/ca-csr.json | cfssljson -bare ${OSH_CA_ROOT}/ca -
function check_cert_and_key () {
TLS_CERT=$1
TLS_KEY=$2
openssl x509 -inform pem -in ${TLS_CERT} -noout -text
CERT_MOD="$(openssl x509 -noout -modulus -in ${TLS_CERT})"
KEY_MOD="$(openssl rsa -noout -modulus -in ${TLS_KEY})"
if ! [ "${CERT_MOD}" = "${KEY_MOD}" ]; then
echo "Failure: TLS private key does not match this certificate."
exit 1
else
CERT_MOD=""
KEY_MOD=""
echo "Pass: ${TLS_CERT} is valid with ${TLS_KEY}"
fi
}
check_cert_and_key ${OSH_CA_ROOT}/ca.pem ${OSH_CA_ROOT}/ca-key.pem
DOMAIN=openstackhelm.test
for HOSTNAME in "swift" "keystone" "heat" "cloudformation" "horizon" "glance" "cinder" "nova" "placement" "novnc" "metadata" "neutron" "barbican"; do
FQDN="${HOSTNAME}.${DOMAIN}"
OSH_SERVER_CERTS="${OSH_SERVER_TLS_ROOT}/${HOSTNAME}"
mkdir -p "${OSH_SERVER_CERTS}"
tee ${OSH_SERVER_CERTS}/server-csr-${HOSTNAME}.json <<EOF
{
"CN": "${FQDN}",
"hosts": [
"${FQDN}"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "US",
"L": "SomeState",
"ST": "SomeCity",
"O": "SomeOrg",
"OU": "SomeUnit"
}
]
}
EOF
cfssl gencert \
-hostname="${FQDN}" \
-ca=${OSH_CA_ROOT}/ca.pem \
-ca-key=${OSH_CA_ROOT}/ca-key.pem \
-config=${OSH_CA_ROOT}/ca-config.json \
-profile=server \
${OSH_SERVER_CERTS}/server-csr-${HOSTNAME}.json | cfssljson -bare ${OSH_SERVER_CERTS}/server
check_cert_and_key ${OSH_SERVER_CERTS}/server.pem ${OSH_SERVER_CERTS}/server-key.pem
done
cd $CURRENT_DIR
KEYSTONE_CRT=${OSH_SERVER_TLS_ROOT}/keystone/server.pem
KEYSTONE_KEY=${OSH_SERVER_TLS_ROOT}/keystone/server-key.pem
KEYSTONE_CSR=${OSH_SERVER_TLS_ROOT}/keystone/server-csr-keystone.json
SWIFT_CRT=${OSH_SERVER_TLS_ROOT}/swift/server.pem
SWIFT_KEY=${OSH_SERVER_TLS_ROOT}/swift/server-key.pem
SWIFT_CSR=${OSH_SERVER_TLS_ROOT}/swift/server-csr-swift.json
BARBICAN_CRT=${OSH_SERVER_TLS_ROOT}/barbican/server.pem
BARBICAN_KEY=${OSH_SERVER_TLS_ROOT}/barbican/server-key.pem
BARBICAN_CSR=${OSH_SERVER_TLS_ROOT}/barbican/server-csr-barbican.json
HEAT_API_CRT=${OSH_SERVER_TLS_ROOT}/heat/server.pem
HEAT_API_KEY=${OSH_SERVER_TLS_ROOT}/heat/server-key.pem
HEAT_API_CSR=${OSH_SERVER_TLS_ROOT}/heat/server-csr-heat.json
HEAT_CFN_CRT=${OSH_SERVER_TLS_ROOT}/cloudformation/server.pem
HEAT_CFN_KEY=${OSH_SERVER_TLS_ROOT}/cloudformation/server-key.pem
HEAT_CFN_CSR=${OSH_SERVER_TLS_ROOT}/cloudformation/server-csr-cloudformation.json
HORIZON_CRT=${OSH_SERVER_TLS_ROOT}/horizon/server.pem
HORIZON_KEY=${OSH_SERVER_TLS_ROOT}/horizon/server-key.pem
HORIZON_CSR=${OSH_SERVER_TLS_ROOT}/horizon/server-csr-horizon.json
GLANCE_API_CRT=${OSH_SERVER_TLS_ROOT}/glance/server.pem
GLANCE_API_KEY=${OSH_SERVER_TLS_ROOT}/glance/server-key.pem
GLANCE_API_CSR=${OSH_SERVER_TLS_ROOT}/glance/server-csr-glance.json
CINDER_CRT=${OSH_SERVER_TLS_ROOT}/cinder/server.pem
CINDER_KEY=${OSH_SERVER_TLS_ROOT}/cinder/server-key.pem
CINDER_CSR=${OSH_SERVER_TLS_ROOT}/cinder/server-csr-cinder.json
NOVA_API_CRT=${OSH_SERVER_TLS_ROOT}/nova/server.pem
NOVA_API_KEY=${OSH_SERVER_TLS_ROOT}/nova/server-key.pem
NOVA_API_CSR=${OSH_SERVER_TLS_ROOT}/nova/server-csr-nova.json
NOVA_NOVNC_CRT=${OSH_SERVER_TLS_ROOT}/novnc/server.pem
NOVA_NOVNC_KEY=${OSH_SERVER_TLS_ROOT}/novnc/server-key.pem
NOVA_NOVNC_CSR=${OSH_SERVER_TLS_ROOT}/novnc/server-csr-novnc.json
PLACEMENT_CRT=${OSH_SERVER_TLS_ROOT}/placement/server.pem
PLACEMENT_KEY=${OSH_SERVER_TLS_ROOT}/placement/server-key.pem
PLACEMENT_CSR=${OSH_SERVER_TLS_ROOT}/placement/server-csr-placement.json
NEUTRON_SERVER_CRT=${OSH_SERVER_TLS_ROOT}/neutron/server.pem
NEUTRON_SERVER_KEY=${OSH_SERVER_TLS_ROOT}/neutron/server-key.pem
NEUTRON_SERVER_CSR=${OSH_SERVER_TLS_ROOT}/neutron/server-csr-neutron.json
BARBICAN_API_CRT=${OSH_SERVER_TLS_ROOT}/barbican/server.pem
BARBICAN_API_KEY=${OSH_SERVER_TLS_ROOT}/barbican/server-key.pem
BARBICAN_API_CSR=${OSH_SERVER_TLS_ROOT}/barbican/server-csr-barbican.json
tee /tmp/tls-endpoints.yaml << EOF
endpoints:
object_store:
scheme:
public: https
port:
api:
public: 443
host_fqdn_override:
public:
host: "$(cat "${SWIFT_CSR}" | jq -r '.CN')"
tls:
crt: |
$(cat ${SWIFT_CRT} | sed 's/^/ /')
key: |
$(cat ${SWIFT_KEY} | sed 's/^/ /')
ca: |
$(cat ${OSH_CA_ROOT}/ca.pem | sed 's/^/ /')
identity:
scheme:
public: https
port:
api:
public: 443
host_fqdn_override:
public:
host: "$(cat "${KEYSTONE_CSR}" | jq -r '.CN')"
tls:
crt: |
$(cat ${KEYSTONE_CRT} | sed 's/^/ /')
key: |
$(cat ${KEYSTONE_KEY} | sed 's/^/ /')
ca: |
$(cat ${OSH_CA_ROOT}/ca.pem | sed 's/^/ /')
orchestration:
scheme:
public: https
port:
api:
public: 443
host_fqdn_override:
public:
host: "$(cat "${HEAT_API_CSR}" | jq -r '.CN')"
tls:
crt: |
$(cat ${HEAT_API_CRT} | sed 's/^/ /')
key: |
$(cat ${HEAT_API_KEY} | sed 's/^/ /')
ca: |
$(cat ${OSH_CA_ROOT}/ca.pem | sed 's/^/ /')
cloudformation:
scheme:
public: https
port:
cfn:
public: 443
host_fqdn_override:
public:
host: "$(cat "${HEAT_CFN_CSR}" | jq -r '.CN')"
tls:
crt: |
$(cat ${HEAT_CFN_CRT} | sed 's/^/ /')
key: |
$(cat ${HEAT_CFN_KEY} | sed 's/^/ /')
ca: |
$(cat ${OSH_CA_ROOT}/ca.pem | sed 's/^/ /')
dashboard:
scheme:
public: https
port:
web:
public: 443
host_fqdn_override:
public:
host: "$(cat "${HORIZON_CSR}" | jq -r '.CN')"
tls:
crt: |
$(cat ${HORIZON_CRT} | sed 's/^/ /')
key: |
$(cat ${HORIZON_KEY} | sed 's/^/ /')
ca: |
$(cat ${OSH_CA_ROOT}/ca.pem | sed 's/^/ /')
image:
scheme:
public: https
port:
api:
public: 443
host_fqdn_override:
public:
host: "$(cat "${GLANCE_API_CSR}" | jq -r '.CN')"
tls:
crt: |
$(cat ${GLANCE_API_CRT} | sed 's/^/ /')
key: |
$(cat ${GLANCE_API_KEY} | sed 's/^/ /')
ca: |
$(cat ${OSH_CA_ROOT}/ca.pem | sed 's/^/ /')
volume:
scheme:
public: https
port:
api:
public: 443
host_fqdn_override:
public:
host: "$(cat "${CINDER_CSR}" | jq -r '.CN')"
tls:
crt: |
$(cat ${CINDER_CRT} | sed 's/^/ /')
key: |
$(cat ${CINDER_KEY} | sed 's/^/ /')
ca: |
$(cat ${OSH_CA_ROOT}/ca.pem | sed 's/^/ /')
volumev2:
scheme:
public: https
port:
api:
public: 443
host_fqdn_override:
public:
host: "$(cat "${CINDER_CSR}" | jq -r '.CN')"
tls:
crt: |
$(cat ${CINDER_CRT} | sed 's/^/ /')
key: |
$(cat ${CINDER_KEY} | sed 's/^/ /')
ca: |
$(cat ${OSH_CA_ROOT}/ca.pem | sed 's/^/ /')
volumev3:
scheme:
public: https
port:
api:
public: 443
host_fqdn_override:
public:
host: "$(cat "${CINDER_CSR}" | jq -r '.CN')"
tls:
crt: |
$(cat ${CINDER_CRT} | sed 's/^/ /')
key: |
$(cat ${CINDER_KEY} | sed 's/^/ /')
ca: |
$(cat ${OSH_CA_ROOT}/ca.pem | sed 's/^/ /')
compute:
scheme:
public: https
port:
api:
public: 443
host_fqdn_override:
public:
host: "$(cat "${NOVA_API_CSR}" | jq -r '.CN')"
tls:
crt: |
$(cat ${NOVA_API_CRT} | sed 's/^/ /')
key: |
$(cat ${NOVA_API_KEY} | sed 's/^/ /')
ca: |
$(cat ${OSH_CA_ROOT}/ca.pem | sed 's/^/ /')
compute_novnc_proxy:
scheme:
public: https
port:
novnc_proxy:
public: 443
host_fqdn_override:
public:
host: "$(cat "${NOVA_NOVNC_CSR}" | jq -r '.CN')"
tls:
crt: |
$(cat ${NOVA_NOVNC_CRT} | sed 's/^/ /')
key: |
$(cat ${NOVA_NOVNC_KEY} | sed 's/^/ /')
ca: |
$(cat ${OSH_CA_ROOT}/ca.pem | sed 's/^/ /')
placement:
scheme:
public: https
port:
api:
public: 443
host_fqdn_override:
public:
host: "$(cat "${PLACEMENT_CSR}" | jq -r '.CN')"
tls:
crt: |
$(cat ${PLACEMENT_CRT} | sed 's/^/ /')
key: |
$(cat ${PLACEMENT_KEY} | sed 's/^/ /')
ca: |
$(cat ${PLACEMENT_ROOT}/ca.pem | sed 's/^/ /')
network:
scheme:
public: https
port:
api:
public: 443
host_fqdn_override:
public:
host: "$(cat "${NEUTRON_SERVER_CSR}" | jq -r '.CN')"
tls:
crt: |
$(cat ${NEUTRON_SERVER_CRT} | sed 's/^/ /')
key: |
$(cat ${NEUTRON_SERVER_KEY} | sed 's/^/ /')
ca: |
$(cat ${OSH_CA_ROOT}/ca.pem | sed 's/^/ /')
key_manager:
scheme:
public: https
port:
api:
public: 443
host_fqdn_override:
public:
host: "$(cat "${BARBICAN_API_CSR}" | jq -r '.CN')"
tls:
crt: |
$(cat ${BARBICAN_API_CRT} | sed 's/^/ /')
key: |
$(cat ${BARBICAN_API_KEY} | sed 's/^/ /')
ca: |
$(cat ${OSH_CA_ROOT}/ca.pem | sed 's/^/ /')
EOF
export OSH_EXTRA_HELM_ARGS="--values=/tmp/tls-endpoints.yaml"
View Git Blame Copy Permalink