918a307427
This patch set enables TLS for the following OpenStack services: keystone, horizon, glance, cinder, heat, nova, placement and neutron for s- (stein) and t- (train) release. This serves as a consolidation and clean up patch for the following patches: [0] https://review.opendev.org/#/c/733291 [1] https://review.opendev.org/#/c/735202 [2] https://review.opendev.org/#/c/733962 [3] https://review.opendev.org/#/c/733404 [4] https://review.opendev.org/#/c/734896 This also addresses comments mentioned in previous patches. Co-authored-by: Gage Hugo <gagehugo@gmail.com> Co-authored-by: sgupta <sg774j@att.com> Depends-on: https://review.opendev.org/#/c/737194/ Change-Id: Id34ace54298660b4b151522916e929a29f5731be Signed-off-by: Tin Lam <tin@irrational.io>
110 lines
3.4 KiB
YAML
110 lines
3.4 KiB
YAML
---
|
|
network:
|
|
dashboard:
|
|
ingress:
|
|
annotations:
|
|
nginx.ingress.kubernetes.io/backend-protocol: "https"
|
|
conf:
|
|
software:
|
|
apache2:
|
|
a2enmod:
|
|
- headers
|
|
- rewrite
|
|
- ssl
|
|
horizon:
|
|
apache: |
|
|
<IfVersion < 2.4>
|
|
Listen 0.0.0.0:{{ tuple "dashboard" "internal" "web" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
|
|
</IfVersion>
|
|
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
|
|
LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" proxy
|
|
|
|
SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
|
|
CustomLog /dev/stdout combined env=!forwarded
|
|
CustomLog /dev/stdout proxy env=forwarded
|
|
|
|
<VirtualHost *:80>
|
|
ServerName horizon-int.openstack.svc.cluster.local
|
|
RewriteEngine On
|
|
RewriteCond %{HTTPS} off
|
|
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R,L]
|
|
</Virtualhost>
|
|
|
|
<VirtualHost *:{{ tuple "dashboard" "internal" "web" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}>
|
|
ServerName horizon-int.openstack.svc.cluster.local
|
|
WSGIScriptReloading On
|
|
WSGIDaemonProcess horizon-http processes=5 threads=1 user=horizon group=horizon display-name=%{GROUP} python-path=/var/lib/kolla/venv/lib/python2.7/site-packages
|
|
WSGIProcessGroup horizon-http
|
|
WSGIScriptAlias / /var/www/cgi-bin/horizon/django.wsgi
|
|
WSGIPassAuthorization On
|
|
|
|
RewriteEngine On
|
|
RewriteCond %{REQUEST_METHOD} !^(POST|PUT|GET|DELETE|PATCH)
|
|
RewriteRule .* - [F]
|
|
|
|
<Location "/">
|
|
Require all granted
|
|
</Location>
|
|
|
|
Alias /static /var/www/html/horizon
|
|
<Location "/static">
|
|
SetHandler static
|
|
</Location>
|
|
|
|
<IfVersion >= 2.4>
|
|
ErrorLogFormat "%{cu}t %M"
|
|
</IfVersion>
|
|
ErrorLog /dev/stdout
|
|
TransferLog /dev/stdout
|
|
|
|
SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
|
|
CustomLog /dev/stdout combined env=!forwarded
|
|
CustomLog /dev/stdout proxy env=forwarded
|
|
|
|
ErrorLog /dev/stdout
|
|
SSLEngine on
|
|
SSLCertificateFile /etc/openstack-dashboard/certs/tls.crt
|
|
SSLCertificateKeyFile /etc/openstack-dashboard/certs/tls.key
|
|
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
|
|
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
|
|
SSLHonorCipherOrder on
|
|
</VirtualHost>
|
|
local_settings:
|
|
config:
|
|
use_ssl: "True"
|
|
csrf_cookie_secure: "True"
|
|
enforce_password_check: "True"
|
|
session_cookie_secure: "True"
|
|
session_cookie_httponly: "True"
|
|
endpoints:
|
|
identity:
|
|
auth:
|
|
admin:
|
|
cacert: /etc/ssl/certs/openstack-helm.crt
|
|
scheme:
|
|
default: https
|
|
port:
|
|
api:
|
|
default: 443
|
|
dashboard:
|
|
host_fqdn_override:
|
|
default:
|
|
tls:
|
|
secretName: horizon-tls-web
|
|
issuerRef:
|
|
name: ca-issuer
|
|
scheme:
|
|
default: https
|
|
public: https
|
|
port:
|
|
web:
|
|
default: 443
|
|
public: 443
|
|
ingress:
|
|
port:
|
|
ingress:
|
|
default: 443
|
|
manifests:
|
|
certificates: true
|
|
...
|