* Adds lib/tls to create test CA/certs
* Start proxy if 'tls-proxy' is enabled
* Configure keystone service catalog for TLS
* Tear down proxy in unstack.sh
* Set auth protocol and ca-cert chain in openrc
* Add DATA_DIR to stackrc
This is the first in a series of patches to enable TLS support
for the service API endpoints.
Change-Id: Ia1c91dc8f1aaf94fbec9dc71da322559a83d14b6
... | ... |
@@ -4,7 +4,7 @@ |
4 | 4 |
# Dependencies: |
5 | 5 |
# ``functions`` file |
6 | 6 |
# ``BASE_SQL_CONN`` |
7 |
-# ``SERVICE_HOST`` |
|
7 |
+# ``SERVICE_HOST``, ``SERVICE_PROTOCOL`` |
|
8 | 8 |
# ``SERVICE_TOKEN`` |
9 | 9 |
# ``S3_SERVICE_PORT`` (template backend only) |
10 | 10 |
|
... | ... |
@@ -48,10 +48,14 @@ KEYSTONE_TOKEN_FORMAT=${KEYSTONE_TOKEN_FORMAT:-PKI} |
48 | 48 |
# Set Keystone interface configuration |
49 | 49 |
KEYSTONE_AUTH_HOST=${KEYSTONE_AUTH_HOST:-$SERVICE_HOST} |
50 | 50 |
KEYSTONE_AUTH_PORT=${KEYSTONE_AUTH_PORT:-35357} |
51 |
-KEYSTONE_AUTH_PROTOCOL=${KEYSTONE_AUTH_PROTOCOL:-http} |
|
51 |
+KEYSTONE_AUTH_PORT_INT=${KEYSTONE_AUTH_PORT_INT:-35358} |
|
52 |
+KEYSTONE_AUTH_PROTOCOL=${KEYSTONE_AUTH_PROTOCOL:-$SERVICE_PROTOCOL} |
|
53 |
+ |
|
54 |
+# Public facing bits |
|
52 | 55 |
KEYSTONE_SERVICE_HOST=${KEYSTONE_SERVICE_HOST:-$SERVICE_HOST} |
53 | 56 |
KEYSTONE_SERVICE_PORT=${KEYSTONE_SERVICE_PORT:-5000} |
54 |
-KEYSTONE_SERVICE_PROTOCOL=${KEYSTONE_SERVICE_PROTOCOL:-http} |
|
57 |
+KEYSTONE_SERVICE_PORT_INT=${KEYSTONE_SERVICE_PORT_INT:-5001} |
|
58 |
+KEYSTONE_SERVICE_PROTOCOL=${KEYSTONE_SERVICE_PROTOCOL:-$SERVICE_PROTOCOL} |
|
55 | 59 |
|
56 | 60 |
|
57 | 61 |
# Entry Points |
... | ... |
@@ -88,6 +92,13 @@ function configure_keystone() { |
88 | 88 |
# Rewrite stock ``keystone.conf`` |
89 | 89 |
local dburl |
90 | 90 |
database_connection_url dburl keystone |
91 |
+ |
|
92 |
+ if is_service_enabled tls-proxy; then |
|
93 |
+ # Set the service ports for a proxy to take the originals |
|
94 |
+ iniset $KEYSTONE_CONF DEFAULT public_port $KEYSTONE_SERVICE_PORT_INT |
|
95 |
+ iniset $KEYSTONE_CONF DEFAULT admin_port $KEYSTONE_AUTH_PORT_INT |
|
96 |
+ fi |
|
97 |
+ |
|
91 | 98 |
iniset $KEYSTONE_CONF DEFAULT admin_token "$SERVICE_TOKEN" |
92 | 99 |
iniset $KEYSTONE_CONF signing token_format "$KEYSTONE_TOKEN_FORMAT" |
93 | 100 |
iniset $KEYSTONE_CONF sql connection $dburl |
... | ... |
@@ -213,9 +224,9 @@ create_keystone_accounts() { |
213 | 213 |
keystone endpoint-create \ |
214 | 214 |
--region RegionOne \ |
215 | 215 |
--service_id $KEYSTONE_SERVICE \ |
216 |
- --publicurl "$KEYSTONE_SERVICE_PROTOCOL://$KEYSTONE_SERVICE_HOST:\$(public_port)s/v2.0" \ |
|
217 |
- --adminurl "$KEYSTONE_AUTH_PROTOCOL://$KEYSTONE_AUTH_HOST:\$(admin_port)s/v2.0" \ |
|
218 |
- --internalurl "$KEYSTONE_SERVICE_PROTOCOL://$KEYSTONE_SERVICE_HOST:\$(public_port)s/v2.0" |
|
216 |
+ --publicurl "$KEYSTONE_SERVICE_PROTOCOL://$KEYSTONE_SERVICE_HOST:$KEYSTONE_SERVICE_PORT/v2.0" \ |
|
217 |
+ --adminurl "$KEYSTONE_AUTH_PROTOCOL://$KEYSTONE_AUTH_HOST:$KEYSTONE_AUTH_PORT/v2.0" \ |
|
218 |
+ --internalurl "$KEYSTONE_SERVICE_PROTOCOL://$KEYSTONE_SERVICE_HOST:$KEYSTONE_SERVICE_PORT/v2.0" |
|
219 | 219 |
fi |
220 | 220 |
|
221 | 221 |
# TODO(dtroyer): This is part of a series of changes...remove these when |
... | ... |
@@ -268,13 +279,25 @@ function install_keystone() { |
268 | 268 |
|
269 | 269 |
# start_keystone() - Start running processes, including screen |
270 | 270 |
function start_keystone() { |
271 |
+ # Get right service port for testing |
|
272 |
+ local service_port=$KEYSTONE_SERVICE_PORT |
|
273 |
+ if is_service_enabled tls-proxy; then |
|
274 |
+ service_port=$KEYSTONE_SERVICE_PORT_INT |
|
275 |
+ fi |
|
276 |
+ |
|
271 | 277 |
# Start Keystone in a screen window |
272 | 278 |
screen_it key "cd $KEYSTONE_DIR && $KEYSTONE_DIR/bin/keystone-all --config-file $KEYSTONE_CONF $KEYSTONE_LOG_CONFIG -d --debug" |
273 | 279 |
echo "Waiting for keystone to start..." |
274 |
- if ! timeout $SERVICE_TIMEOUT sh -c "while ! http_proxy= curl -s $KEYSTONE_AUTH_PROTOCOL://$SERVICE_HOST:$KEYSTONE_SERVICE_PORT/v2.0/ >/dev/null; do sleep 1; done"; then |
|
280 |
+ if ! timeout $SERVICE_TIMEOUT sh -c "while ! http_proxy= curl -s http://$SERVICE_HOST:$service_port/v2.0/ >/dev/null; do sleep 1; done"; then |
|
275 | 281 |
echo "keystone did not start" |
276 | 282 |
exit 1 |
277 | 283 |
fi |
284 |
+ |
|
285 |
+ # Start proxies if enabled |
|
286 |
+ if is_service_enabled tls-proxy; then |
|
287 |
+ start_tls_proxy '*' $KEYSTONE_SERVICE_PORT $KEYSTONE_SERVICE_HOST $KEYSTONE_SERVICE_PORT_INT & |
|
288 |
+ start_tls_proxy '*' $KEYSTONE_AUTH_PORT $KEYSTONE_AUTH_HOST $KEYSTONE_AUTH_PORT_INT & |
|
289 |
+ fi |
|
278 | 290 |
} |
279 | 291 |
|
280 | 292 |
# stop_keystone() - Stop running processes |
281 | 293 |
new file mode 100644 |
... | ... |
@@ -0,0 +1,314 @@ |
0 |
+# lib/tls |
|
1 |
+# Functions to control the configuration and operation of the TLS proxy service |
|
2 |
+ |
|
3 |
+# Dependencies: |
|
4 |
+# !! source _before_ any services that use ``SERVICE_HOST`` |
|
5 |
+# ``functions`` file |
|
6 |
+# ``DEST``, ``DATA_DIR`` must be defined |
|
7 |
+# ``HOST_IP``, ``SERVICE_HOST`` |
|
8 |
+# ``KEYSTONE_TOKEN_FORMAT`` must be defined |
|
9 |
+ |
|
10 |
+# Entry points: |
|
11 |
+# configure_CA |
|
12 |
+# init_CA |
|
13 |
+ |
|
14 |
+# configure_proxy |
|
15 |
+# start_tls_proxy |
|
16 |
+ |
|
17 |
+# make_root_ca |
|
18 |
+# make_int_ca |
|
19 |
+# new_cert $INT_CA_DIR int-server "abc" |
|
20 |
+# start_tls_proxy HOST_IP 5000 localhost 5000 |
|
21 |
+ |
|
22 |
+ |
|
23 |
+if is_service_enabled tls-proxy; then |
|
24 |
+ # TODO(dtroyer): revisit this below after the search for HOST_IP has been done |
|
25 |
+ TLS_IP=${TLS_IP:-$SERVICE_IP} |
|
26 |
+ |
|
27 |
+ # Set the default ``SERVICE_PROTOCOL`` for TLS |
|
28 |
+ SERVICE_PROTOCOL=https |
|
29 |
+fi |
|
30 |
+ |
|
31 |
+# Make up a hostname for cert purposes |
|
32 |
+# will be added to /etc/hosts? |
|
33 |
+DEVSTACK_HOSTNAME=secure.devstack.org |
|
34 |
+DEVSTACK_CERT_NAME=devstack-cert |
|
35 |
+DEVSTACK_CERT=$DATA_DIR/$DEVSTACK_CERT_NAME.pem |
|
36 |
+ |
|
37 |
+# CA configuration |
|
38 |
+ROOT_CA_DIR=${ROOT_CA_DIR:-$DATA_DIR/CA/root-ca} |
|
39 |
+INT_CA_DIR=${INT_CA_DIR:-$DATA_DIR/CA/int-ca} |
|
40 |
+ |
|
41 |
+ORG_NAME="OpenStack" |
|
42 |
+ORG_UNIT_NAME="DevStack" |
|
43 |
+ |
|
44 |
+# Stud configuration |
|
45 |
+STUD_PROTO="--tls" |
|
46 |
+STUD_CIPHERS='TLSv1+HIGH:!DES:!aNULL:!eNULL:@STRENGTH' |
|
47 |
+ |
|
48 |
+ |
|
49 |
+# CA Functions |
|
50 |
+# ============ |
|
51 |
+ |
|
52 |
+# There may be more than one, get specific |
|
53 |
+OPENSSL=${OPENSSL:-/usr/bin/openssl} |
|
54 |
+ |
|
55 |
+# Do primary CA configuration |
|
56 |
+function configure_CA() { |
|
57 |
+ # build common config file |
|
58 |
+ |
|
59 |
+ # Verify ``TLS_IP`` is good |
|
60 |
+ if [[ -n "$HOST_IP" && "$HOST_IP" != "$TLS_IP" ]]; then |
|
61 |
+ # auto-discover has changed the IP |
|
62 |
+ TLS_IP=$HOST_IP |
|
63 |
+ fi |
|
64 |
+} |
|
65 |
+ |
|
66 |
+# Creates a new CA directory structure |
|
67 |
+# create_CA_base ca-dir |
|
68 |
+function create_CA_base() { |
|
69 |
+ local ca_dir=$1 |
|
70 |
+ |
|
71 |
+ if [[ -d $ca_dir ]]; then |
|
72 |
+ # Bail out it exists |
|
73 |
+ return 0 |
|
74 |
+ fi |
|
75 |
+ |
|
76 |
+ for i in certs crl newcerts private; do |
|
77 |
+ mkdir -p $ca_dir/$i |
|
78 |
+ done |
|
79 |
+ chmod 710 $ca_dir/private |
|
80 |
+ echo "01" >$ca_dir/serial |
|
81 |
+ cp /dev/null $ca_dir/index.txt |
|
82 |
+} |
|
83 |
+ |
|
84 |
+ |
|
85 |
+# Create a new CA configuration file |
|
86 |
+# create_CA_config ca-dir common-name |
|
87 |
+function create_CA_config() { |
|
88 |
+ local ca_dir=$1 |
|
89 |
+ local common_name=$2 |
|
90 |
+ |
|
91 |
+ echo " |
|
92 |
+[ ca ] |
|
93 |
+default_ca = CA_default |
|
94 |
+ |
|
95 |
+[ CA_default ] |
|
96 |
+dir = $ca_dir |
|
97 |
+policy = policy_match |
|
98 |
+database = \$dir/index.txt |
|
99 |
+serial = \$dir/serial |
|
100 |
+certs = \$dir/certs |
|
101 |
+crl_dir = \$dir/crl |
|
102 |
+new_certs_dir = \$dir/newcerts |
|
103 |
+certificate = \$dir/cacert.pem |
|
104 |
+private_key = \$dir/private/cacert.key |
|
105 |
+RANDFILE = \$dir/private/.rand |
|
106 |
+default_md = default |
|
107 |
+ |
|
108 |
+[ req ] |
|
109 |
+default_bits = 1024 |
|
110 |
+default_md = sha1 |
|
111 |
+ |
|
112 |
+prompt = no |
|
113 |
+distinguished_name = ca_distinguished_name |
|
114 |
+ |
|
115 |
+x509_extensions = ca_extensions |
|
116 |
+ |
|
117 |
+[ ca_distinguished_name ] |
|
118 |
+organizationName = $ORG_NAME |
|
119 |
+organizationalUnitName = $ORG_UNIT_NAME Certificate Authority |
|
120 |
+commonName = $common_name |
|
121 |
+ |
|
122 |
+[ policy_match ] |
|
123 |
+countryName = optional |
|
124 |
+stateOrProvinceName = optional |
|
125 |
+organizationName = match |
|
126 |
+organizationalUnitName = optional |
|
127 |
+commonName = supplied |
|
128 |
+ |
|
129 |
+[ ca_extensions ] |
|
130 |
+basicConstraints = critical,CA:true |
|
131 |
+subjectKeyIdentifier = hash |
|
132 |
+authorityKeyIdentifier = keyid:always, issuer |
|
133 |
+keyUsage = cRLSign, keyCertSign |
|
134 |
+ |
|
135 |
+" >$ca_dir/ca.conf |
|
136 |
+} |
|
137 |
+ |
|
138 |
+# Create a new signing configuration file |
|
139 |
+# create_signing_config ca-dir |
|
140 |
+function create_signing_config() { |
|
141 |
+ local ca_dir=$1 |
|
142 |
+ |
|
143 |
+ echo " |
|
144 |
+[ ca ] |
|
145 |
+default_ca = CA_default |
|
146 |
+ |
|
147 |
+[ CA_default ] |
|
148 |
+dir = $ca_dir |
|
149 |
+policy = policy_match |
|
150 |
+database = \$dir/index.txt |
|
151 |
+serial = \$dir/serial |
|
152 |
+certs = \$dir/certs |
|
153 |
+crl_dir = \$dir/crl |
|
154 |
+new_certs_dir = \$dir/newcerts |
|
155 |
+certificate = \$dir/cacert.pem |
|
156 |
+private_key = \$dir/private/cacert.key |
|
157 |
+RANDFILE = \$dir/private/.rand |
|
158 |
+default_md = default |
|
159 |
+ |
|
160 |
+[ req ] |
|
161 |
+default_bits = 1024 |
|
162 |
+default_md = sha1 |
|
163 |
+ |
|
164 |
+prompt = no |
|
165 |
+distinguished_name = req_distinguished_name |
|
166 |
+ |
|
167 |
+x509_extensions = req_extensions |
|
168 |
+ |
|
169 |
+[ req_distinguished_name ] |
|
170 |
+organizationName = $ORG_NAME |
|
171 |
+organizationalUnitName = $ORG_UNIT_NAME Server Farm |
|
172 |
+ |
|
173 |
+[ policy_match ] |
|
174 |
+countryName = optional |
|
175 |
+stateOrProvinceName = optional |
|
176 |
+organizationName = match |
|
177 |
+organizationalUnitName = optional |
|
178 |
+commonName = supplied |
|
179 |
+ |
|
180 |
+[ req_extensions ] |
|
181 |
+basicConstraints = CA:false |
|
182 |
+subjectKeyIdentifier = hash |
|
183 |
+authorityKeyIdentifier = keyid:always, issuer |
|
184 |
+keyUsage = digitalSignature, keyEncipherment, keyAgreement |
|
185 |
+extendedKeyUsage = serverAuth, clientAuth |
|
186 |
+subjectAltName = \$ENV::SUBJECT_ALT_NAME |
|
187 |
+ |
|
188 |
+" >$ca_dir/signing.conf |
|
189 |
+} |
|
190 |
+ |
|
191 |
+# Create root and intermediate CAs and an initial server cert |
|
192 |
+# init_CA |
|
193 |
+function init_CA { |
|
194 |
+ # Ensure CAs are built |
|
195 |
+ make_root_CA $ROOT_CA_DIR |
|
196 |
+ make_int_CA $INT_CA_DIR $ROOT_CA_DIR |
|
197 |
+ |
|
198 |
+ # Create the CA bundle |
|
199 |
+ cat $ROOT_CA_DIR/cacert.pem $INT_CA_DIR/cacert.pem >>$INT_CA_DIR/ca-chain.pem |
|
200 |
+ |
|
201 |
+ if [[ ! -r $DEVSTACK_CERT ]]; then |
|
202 |
+ if [[ -n "$TLS_IP" ]]; then |
|
203 |
+ # Lie to let incomplete match routines work |
|
204 |
+ TLS_IP="DNS:$TLS_IP" |
|
205 |
+ fi |
|
206 |
+ make_cert $INT_CA_DIR $DEVSTACK_CERT_NAME $DEVSTACK_HOSTNAME "$TLS_IP" |
|
207 |
+ |
|
208 |
+ # Create a cert bundle |
|
209 |
+ cat $INT_CA_DIR/private/$DEVSTACK_CERT_NAME.key $INT_CA_DIR/$DEVSTACK_CERT_NAME.crt $INT_CA_DIR/cacert.pem >$DEVSTACK_CERT |
|
210 |
+ fi |
|
211 |
+} |
|
212 |
+ |
|
213 |
+ |
|
214 |
+# make_cert creates and signs a new certificate with the given commonName and CA |
|
215 |
+# make_cert ca-dir cert-name "common-name" ["alt-name" ...] |
|
216 |
+function make_cert() { |
|
217 |
+ local ca_dir=$1 |
|
218 |
+ local cert_name=$2 |
|
219 |
+ local common_name=$3 |
|
220 |
+ local alt_names=$4 |
|
221 |
+ |
|
222 |
+ # Generate a signing request |
|
223 |
+ $OPENSSL req \ |
|
224 |
+ -sha1 \ |
|
225 |
+ -newkey rsa \ |
|
226 |
+ -nodes \ |
|
227 |
+ -keyout $ca_dir/private/$cert_name.key \ |
|
228 |
+ -out $ca_dir/$cert_name.csr \ |
|
229 |
+ -subj "/O=${ORG_NAME}/OU=${ORG_UNIT_NAME} Servers/CN=${common_name}" |
|
230 |
+ |
|
231 |
+ if [[ -z "$alt_names" ]]; then |
|
232 |
+ alt_names="DNS:${common_name}" |
|
233 |
+ else |
|
234 |
+ alt_names="DNS:${common_name},${alt_names}" |
|
235 |
+ fi |
|
236 |
+ |
|
237 |
+ # Sign the request valid for 1 year |
|
238 |
+ SUBJECT_ALT_NAME="$alt_names" \ |
|
239 |
+ $OPENSSL ca -config $ca_dir/signing.conf \ |
|
240 |
+ -extensions req_extensions \ |
|
241 |
+ -days 365 \ |
|
242 |
+ -notext \ |
|
243 |
+ -in $ca_dir/$cert_name.csr \ |
|
244 |
+ -out $ca_dir/$cert_name.crt \ |
|
245 |
+ -subj "/O=${ORG_NAME}/OU=${ORG_UNIT_NAME} Servers/CN=${common_name}" \ |
|
246 |
+ -batch |
|
247 |
+} |
|
248 |
+ |
|
249 |
+ |
|
250 |
+# Make an intermediate CA to sign everything else |
|
251 |
+# make_int_CA ca-dir signing-ca-dir |
|
252 |
+function make_int_CA() { |
|
253 |
+ local ca_dir=$1 |
|
254 |
+ local signing_ca_dir=$2 |
|
255 |
+ |
|
256 |
+ # Create the root CA |
|
257 |
+ create_CA_base $ca_dir |
|
258 |
+ create_CA_config $ca_dir 'Intermediate CA' |
|
259 |
+ create_signing_config $ca_dir |
|
260 |
+ |
|
261 |
+ # Create a signing certificate request |
|
262 |
+ $OPENSSL req -config $ca_dir/ca.conf \ |
|
263 |
+ -sha1 \ |
|
264 |
+ -newkey rsa \ |
|
265 |
+ -nodes \ |
|
266 |
+ -keyout $ca_dir/private/cacert.key \ |
|
267 |
+ -out $ca_dir/cacert.csr \ |
|
268 |
+ -outform PEM |
|
269 |
+ |
|
270 |
+ # Sign the intermediate request valid for 1 year |
|
271 |
+ $OPENSSL ca -config $signing_ca_dir/ca.conf \ |
|
272 |
+ -extensions ca_extensions \ |
|
273 |
+ -days 365 \ |
|
274 |
+ -notext \ |
|
275 |
+ -in $ca_dir/cacert.csr \ |
|
276 |
+ -out $ca_dir/cacert.pem \ |
|
277 |
+ -batch |
|
278 |
+} |
|
279 |
+ |
|
280 |
+# Make a root CA to sign other CAs |
|
281 |
+# make_root_CA ca-dir |
|
282 |
+function make_root_CA() { |
|
283 |
+ local ca_dir=$1 |
|
284 |
+ |
|
285 |
+ # Create the root CA |
|
286 |
+ create_CA_base $ca_dir |
|
287 |
+ create_CA_config $ca_dir 'Root CA' |
|
288 |
+ |
|
289 |
+ # Create a self-signed certificate valid for 5 years |
|
290 |
+ $OPENSSL req -config $ca_dir/ca.conf \ |
|
291 |
+ -x509 \ |
|
292 |
+ -nodes \ |
|
293 |
+ -newkey rsa \ |
|
294 |
+ -days 21360 \ |
|
295 |
+ -keyout $ca_dir/private/cacert.key \ |
|
296 |
+ -out $ca_dir/cacert.pem \ |
|
297 |
+ -outform PEM |
|
298 |
+} |
|
299 |
+ |
|
300 |
+ |
|
301 |
+# Proxy Functions |
|
302 |
+# =============== |
|
303 |
+ |
|
304 |
+# Starts the TLS proxy for the given IP/ports |
|
305 |
+# start_tls_proxy front-host front-port back-host back-port |
|
306 |
+function start_tls_proxy() { |
|
307 |
+ local f_host=$1 |
|
308 |
+ local f_port=$2 |
|
309 |
+ local b_host=$3 |
|
310 |
+ local b_port=$4 |
|
311 |
+ |
|
312 |
+ stud $STUD_PROTO -f $f_host,$f_port -b $b_host,$b_port $DEVSTACK_CERT 2>/dev/null |
|
313 |
+} |
... | ... |
@@ -26,6 +26,9 @@ source $RC_DIR/functions |
26 | 26 |
# Load local configuration |
27 | 27 |
source $RC_DIR/stackrc |
28 | 28 |
|
29 |
+# Get some necessary configuration |
|
30 |
+source $RC_DIR/lib/tls |
|
31 |
+ |
|
29 | 32 |
# The introduction of Keystone to the OpenStack ecosystem has standardized the |
30 | 33 |
# term **tenant** as the entity that owns resources. In some places references |
31 | 34 |
# still exist to the original Nova term **project** for this use. Also, |
... | ... |
@@ -49,6 +52,7 @@ export OS_NO_CACHE=${OS_NO_CACHE:-1} |
49 | 49 |
# which is convenient for some localrc configurations. |
50 | 50 |
HOST_IP=${HOST_IP:-127.0.0.1} |
51 | 51 |
SERVICE_HOST=${SERVICE_HOST:-$HOST_IP} |
52 |
+SERVICE_PROTOCOL=${SERVICE_PROTOCOL:-http} |
|
52 | 53 |
|
53 | 54 |
# Some exercises call glance directly. On a single-node installation, Glance |
54 | 55 |
# should be listening on HOST_IP. If its running elsewhere, it can be set here |
... | ... |
@@ -61,7 +65,10 @@ GLANCE_HOST=${GLANCE_HOST:-$HOST_IP} |
61 | 61 |
# |
62 | 62 |
# *NOTE*: Using the 2.0 *identity api* does not mean that compute api is 2.0. We |
63 | 63 |
# will use the 1.1 *compute api* |
64 |
-export OS_AUTH_URL=http://$SERVICE_HOST:5000/v2.0 |
|
64 |
+export OS_AUTH_URL=$SERVICE_PROTOCOL://$SERVICE_HOST:5000/v2.0 |
|
65 |
+ |
|
66 |
+# Set the pointer to our CA certificate chain. Harmless if TLS is not used. |
|
67 |
+export OS_CACERT=$INT_CA_DIR/ca-chain.pem |
|
65 | 68 |
|
66 | 69 |
# Currently novaclient needs you to specify the *compute api* version. This |
67 | 70 |
# needs to match the config of your catalog returned by Keystone. |
... | ... |
@@ -288,6 +288,7 @@ fi |
288 | 288 |
|
289 | 289 |
# Allow the use of an alternate hostname (such as localhost/127.0.0.1) for service endpoints. |
290 | 290 |
SERVICE_HOST=${SERVICE_HOST:-$HOST_IP} |
291 |
+SERVICE_PROTOCOL=${SERVICE_PROTOCOL:-http} |
|
291 | 292 |
|
292 | 293 |
# Configure services to use syslog instead of writing to individual log files |
293 | 294 |
SYSLOG=`trueorfalse False $SYSLOG` |
... | ... |
@@ -305,6 +306,7 @@ SERVICE_TIMEOUT=${SERVICE_TIMEOUT:-60} |
305 | 305 |
# ================== |
306 | 306 |
|
307 | 307 |
# Get project function libraries |
308 |
+source $TOP_DIR/lib/tls |
|
308 | 309 |
source $TOP_DIR/lib/horizon |
309 | 310 |
source $TOP_DIR/lib/keystone |
310 | 311 |
source $TOP_DIR/lib/glance |
... | ... |
@@ -847,6 +849,12 @@ if [[ $TRACK_DEPENDS = True ]] ; then |
847 | 847 |
exit 0 |
848 | 848 |
fi |
849 | 849 |
|
850 |
+if is_service_enabled tls-proxy; then |
|
851 |
+ configure_CA |
|
852 |
+ init_CA |
|
853 |
+ # Add name to /etc/hosts |
|
854 |
+ # don't be naive and add to existing line! |
|
855 |
+fi |
|
850 | 856 |
|
851 | 857 |
# Syslog |
852 | 858 |
# ------ |
... | ... |
@@ -923,12 +931,17 @@ screen -r $SCREEN_NAME -X hardstatus alwayslastline "$SCREEN_HARDSTATUS" |
923 | 923 |
|
924 | 924 |
if is_service_enabled key; then |
925 | 925 |
echo_summary "Starting Keystone" |
926 |
- configure_keystone |
|
927 | 926 |
init_keystone |
928 | 927 |
start_keystone |
929 | 928 |
|
930 | 929 |
# Set up a temporary admin URI for Keystone |
931 |
- SERVICE_ENDPOINT=$KEYSTONE_AUTH_PROTOCOL://$KEYSTONE_AUTH_HOST:$KEYSTONE_AUTH_PORT/v2.0 |
|
930 |
+ SERVICE_ENDPOINT=$KEYSTONE_SERVICE_PROTOCOL://$KEYSTONE_AUTH_HOST:$KEYSTONE_AUTH_PORT/v2.0 |
|
931 |
+ |
|
932 |
+ if is_service_enabled tls-proxy; then |
|
933 |
+ export OS_CACERT=$INT_CA_DIR/ca-chain.pem |
|
934 |
+ # Until the client support is fixed, just use the internal endpoint |
|
935 |
+ SERVICE_ENDPOINT=http://$KEYSTONE_AUTH_HOST:$KEYSTONE_AUTH_PORT_INT/v2.0 |
|
936 |
+ fi |
|
932 | 937 |
|
933 | 938 |
# Do the keystone-specific bits from keystone_data.sh |
934 | 939 |
export OS_SERVICE_TOKEN=$SERVICE_TOKEN |