TLS support for neutron

Change-Id: I58a5f2f498ad96907acee68a7560c14ddb5fff1f
2017-02-08 10:26:04 +01:00 · 2017-02-08 10:26:04 +01:00 · 60f43c2ea9
commit 60f43c2ea9
parent 6c2857d671
8 changed files with 61 additions and 1 deletions
--- a/service/files/ca-cert.pem.j2
+++ b/service/files/ca-cert.pem.j2
@ -0,0 +1 @@
+{{ security.tls.ca_cert }}
--- a/service/files/defaults.yaml
+++ b/service/files/defaults.yaml
@ -1,5 +1,7 @@
 configs:
  neutron:
+    tls:
+      enabled: true
    db:
      password: password
      name: neutron
--- a/service/files/neutron.conf.j2
+++ b/service/files/neutron.conf.j2
@ -4,8 +4,12 @@ debug = {{ neutron.debug }}

 use_stderr = true
 use_syslog = false
-
+{% if neutron.tls.enabled %}
+bind_host = 127.0.0.1
+{% else %}
 bind_host = {{ network_topology["private"]["address"] }}
+{% endif %}
+
 bind_port = {{ neutron.server_port.cont }}

 api_paste_config = /usr/share/neutron/api-paste.ini
@ -47,6 +51,9 @@ project_name = service
 username = {{ nova.db.username }}
 password = {{ nova.db.password }}
 endpoint_type = internal
+{% if nova.tls.enabled %}
+cafile = /opt/ccp/etc/tls/ca.pem
+{% endif %}

 [oslo_concurrency]
 lock_path = /var/lib/neutron/tmp
--- a/service/files/nginx-neutron-server.conf.j2
+++ b/service/files/nginx-neutron-server.conf.j2
@ -0,0 +1,9 @@
+server {
+       listen {{ network_topology["private"]["address"] }}:{{ neutron.server_port.cont }} ssl;
+       include common/ssl.conf;
+
+       location / {
+           proxy_pass http://neutron_server;
+           include common/proxy-headers.conf;
+       }
+}
--- a/service/files/server-cert.pem.j2
+++ b/service/files/server-cert.pem.j2
@ -0,0 +1 @@
+{{ security.tls.server_cert }}
--- a/service/files/server-key.pem.j2
+++ b/service/files/server-key.pem.j2
@ -0,0 +1 @@
+{{ security.tls.server_key }}
--- a/service/files/upstreams.conf.j2
+++ b/service/files/upstreams.conf.j2
@ -0,0 +1,3 @@
+upstream neutron_server {
+    server 127.0.0.1:{{ neutron.server_port.cont }};
+}
--- a/service/neutron-server.yaml
+++ b/service/neutron-server.yaml
@ -67,10 +67,24 @@ service:
        files:
          - neutron.conf
          - ml2-conf.ini
+          # {% if neutron.tls.enabled %}
+          - ca-cert
+          # {% endif %}
        # {% if neutron.plugin_agent == "opendaylight" %}
        dependencies:
          - openvswitch-vswitchd
        # {% endif %}
+    # {% if neutron.tls.enabled %}
+    - name: nginx-neutron-server
+      image: nginx
+      daemon:
+        files:
+          - servers
+          - server-cert
+          - server-key
+          - upstreams
+        command: nginx
+    # {% endif %}

 files:
  neutron.conf:
@ -81,3 +95,25 @@ files:
    path: /etc/neutron/plugins/ml2/ml2_conf.ini
    content: ml2_conf.ini.j2
    perm: "0600"
+  # {% if neutron.tls.enabled %}
+  servers:
+    path: /etc/nginx/conf.d/servers.conf
+    content: nginx-neutron-server.conf.j2
+    perm: "0400"
+  upstreams:
+    path: /etc/nginx/conf.d/upstreams.conf
+    content: upstreams.conf.j2
+    perm: "0400"
+  server-cert:
+    path: /opt/ccp/etc/tls/server-cert.pem
+    content: server-cert.pem.j2
+    perm: "0400"
+  server-key:
+    path: /opt/ccp/etc/tls/server-key.pem
+    content: server-key.pem.j2
+    perm: "0400"
+  ca-cert:
+    path: /opt/ccp/etc/tls/ca.pem
+    content: ca-cert.pem.j2
+    perm: "0400"
+  # {% endif %}