tls-proxy is the way we're now doing a standard install using https
between services. There is a lot more work to make services directly
handle https, and having python daemons do that directly is a bit of
an anti-pattern. Nothing currently tests this in project-config from
my recent grepping, so in the interest of long term maintenance,
delete it all.
Change-Id: I910df4ceab6f24f3d9c484e0433c93b06f17d6e1
| ... | ... |
@@ -58,7 +58,7 @@ CINDER_CONF=$CINDER_CONF_DIR/cinder.conf |
| 58 | 58 |
CINDER_API_PASTE_INI=$CINDER_CONF_DIR/api-paste.ini |
| 59 | 59 |
|
| 60 | 60 |
# Public facing bits |
| 61 |
-if is_ssl_enabled_service "cinder" || is_service_enabled tls-proxy; then |
|
| 61 |
+if is_service_enabled tls-proxy; then |
|
| 62 | 62 |
CINDER_SERVICE_PROTOCOL="https" |
| 63 | 63 |
fi |
| 64 | 64 |
CINDER_SERVICE_HOST=${CINDER_SERVICE_HOST:-$SERVICE_HOST}
|
| ... | ... |
@@ -215,11 +215,6 @@ function _cinder_config_apache_wsgi {
|
| 215 | 215 |
local cinder_api_port=$CINDER_SERVICE_PORT |
| 216 | 216 |
local venv_path="" |
| 217 | 217 |
|
| 218 |
- if is_ssl_enabled_service c-api; then |
|
| 219 |
- cinder_ssl="SSLEngine On" |
|
| 220 |
- cinder_certfile="SSLCertificateFile $CINDER_SSL_CERT" |
|
| 221 |
- cinder_keyfile="SSLCertificateKeyFile $CINDER_SSL_KEY" |
|
| 222 |
- fi |
|
| 223 | 218 |
if [[ ${USE_VENV} = True ]]; then
|
| 224 | 219 |
venv_path="python-path=${PROJECT_VENV["cinder"]}/lib/python2.7/site-packages"
|
| 225 | 220 |
fi |
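Review bot: `cinder_ssl`, `cinder_certfile` and `cinder_keyfile` are no longer assigned anywhere in `_cinder_config_apache_wsgi` after this deletion, yet the function continues past the hunk and presumably still substitutes them into the apache site template; if those substitutions (and the matching placeholders in the template file) remain, they are now dead and always expand to empty. Finishing the removal there, or adding `# native TLS support was removed; tls-proxy terminates TLS` where the template is rendered, would stop a reader from assuming native SSL is still wired in. The same applies to `keystone_ssl`/`keystone_certfile`/`keystone_keyfile` in `_config_keystone_apache_wsgi`, `nova_ssl`/`nova_certfile`/`nova_keyfile` in `_config_nova_apache_wsgi` and `placement_ssl`/`placement_certfile`/`placement_keyfile` in `_config_placement_apache_wsgi` in this change.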
| ... | ... |
@@ -347,7 +342,7 @@ function configure_cinder {
|
| 347 | 347 |
iniset $CINDER_CONF DEFAULT osapi_volume_workers "$API_WORKERS" |
| 348 | 348 |
|
| 349 | 349 |
iniset $CINDER_CONF DEFAULT glance_api_servers "${GLANCE_SERVICE_PROTOCOL}://${GLANCE_HOSTPORT}"
|
| 350 |
- if is_ssl_enabled_service glance || is_service_enabled tls-proxy; then |
|
| 350 |
+ if is_service_enabled tls-proxy; then |
|
| 351 | 351 |
iniset $CINDER_CONF DEFAULT glance_protocol https |
| 352 | 352 |
iniset $CINDER_CONF DEFAULT glance_ca_certificates_file $SSL_BUNDLE_FILE |
| 353 | 353 |
fi |
| ... | ... |
@@ -356,14 +351,6 @@ function configure_cinder {
|
| 356 | 356 |
iniset $CINDER_CONF DEFAULT glance_api_version 2 |
| 357 | 357 |
fi |
| 358 | 358 |
|
| 359 |
- # Register SSL certificates if provided |
|
| 360 |
- if is_ssl_enabled_service cinder; then |
|
| 361 |
- ensure_certificates CINDER |
|
| 362 |
- |
|
| 363 |
- iniset $CINDER_CONF DEFAULT ssl_cert_file "$CINDER_SSL_CERT" |
|
| 364 |
- iniset $CINDER_CONF DEFAULT ssl_key_file "$CINDER_SSL_KEY" |
|
| 365 |
- fi |
|
| 366 |
- |
|
| 367 | 359 |
# Set os_privileged_user credentials (used for os-assisted-snapshots) |
| 368 | 360 |
iniset $CINDER_CONF DEFAULT os_privileged_user_name nova |
| 369 | 361 |
iniset $CINDER_CONF DEFAULT os_privileged_user_password "$SERVICE_PASSWORD" |
| ... | ... |
@@ -464,9 +451,6 @@ function install_cinder {
|
| 464 | 464 |
|
| 465 | 465 |
if [ "$CINDER_USE_MOD_WSGI" == "True" ]; then |
| 466 | 466 |
install_apache_wsgi |
| 467 |
- if is_ssl_enabled_service "c-api"; then |
|
| 468 |
- enable_mod_ssl |
|
| 469 |
- fi |
|
| 470 | 467 |
fi |
| 471 | 468 |
} |
| 472 | 469 |
|
| ... | ... |
@@ -57,7 +57,7 @@ GLANCE_SCHEMA_JSON=$GLANCE_CONF_DIR/schema-image.json |
| 57 | 57 |
GLANCE_SWIFT_STORE_CONF=$GLANCE_CONF_DIR/glance-swift-store.conf |
| 58 | 58 |
GLANCE_V1_ENABLED=${GLANCE_V1_ENABLED:-False}
|
| 59 | 59 |
|
| 60 |
-if is_ssl_enabled_service "glance" || is_service_enabled tls-proxy; then |
|
| 60 |
+if is_service_enabled tls-proxy; then |
|
| 61 | 61 |
GLANCE_SERVICE_PROTOCOL="https" |
| 62 | 62 |
fi |
| 63 | 63 |
|
| ... | ... |
@@ -187,18 +187,7 @@ function configure_glance {
|
| 187 | 187 |
iniset $GLANCE_REGISTRY_CONF keystone_authtoken identity_uri $KEYSTONE_AUTH_URI |
| 188 | 188 |
fi |
| 189 | 189 |
|
| 190 |
- # Register SSL certificates if provided |
|
| 191 |
- if is_ssl_enabled_service glance; then |
|
| 192 |
- ensure_certificates GLANCE |
|
| 193 |
- |
|
| 194 |
- iniset $GLANCE_API_CONF DEFAULT cert_file "$GLANCE_SSL_CERT" |
|
| 195 |
- iniset $GLANCE_API_CONF DEFAULT key_file "$GLANCE_SSL_KEY" |
|
| 196 |
- |
|
| 197 |
- iniset $GLANCE_REGISTRY_CONF DEFAULT cert_file "$GLANCE_SSL_CERT" |
|
| 198 |
- iniset $GLANCE_REGISTRY_CONF DEFAULT key_file "$GLANCE_SSL_KEY" |
|
| 199 |
- fi |
|
| 200 |
- |
|
| 201 |
- if is_ssl_enabled_service glance || is_service_enabled tls-proxy; then |
|
| 190 |
+ if is_service_enabled tls-proxy; then |
|
| 202 | 191 |
iniset $GLANCE_API_CONF DEFAULT registry_client_protocol https |
| 203 | 192 |
fi |
| 204 | 193 |
|
| ... | ... |
@@ -233,7 +222,7 @@ function configure_glance {
|
| 233 | 233 |
|
| 234 | 234 |
cp -p $GLANCE_DIR/etc/metadefs/*.json $GLANCE_METADEF_DIR |
| 235 | 235 |
|
| 236 |
- if is_ssl_enabled_service "cinder" || is_service_enabled tls-proxy; then |
|
| 236 |
+ if is_service_enabled tls-proxy; then |
|
| 237 | 237 |
CINDER_SERVICE_HOST=${CINDER_SERVICE_HOST:-$SERVICE_HOST}
|
| 238 | 238 |
CINDER_SERVICE_PORT=${CINDER_SERVICE_PORT:-8776}
|
| 239 | 239 |
|
| ... | ... |
@@ -116,7 +116,7 @@ SERVICE_PROJECT_NAME=${SERVICE_PROJECT_NAME:-service}
|
| 116 | 116 |
SERVICE_TENANT_NAME=${SERVICE_PROJECT_NAME:-service}
|
| 117 | 117 |
|
| 118 | 118 |
# if we are running with SSL use https protocols |
| 119 |
-if is_ssl_enabled_service "key" || is_service_enabled tls-proxy; then |
|
| 119 |
+if is_service_enabled tls-proxy; then |
|
| 120 | 120 |
KEYSTONE_AUTH_PROTOCOL="https" |
| 121 | 121 |
KEYSTONE_SERVICE_PROTOCOL="https" |
| 122 | 122 |
fi |
| ... | ... |
@@ -171,12 +171,6 @@ function _config_keystone_apache_wsgi {
|
| 171 | 171 |
local keystone_auth_port=$KEYSTONE_AUTH_PORT |
| 172 | 172 |
local venv_path="" |
| 173 | 173 |
|
| 174 |
- if is_ssl_enabled_service key; then |
|
| 175 |
- keystone_ssl_listen="" |
|
| 176 |
- keystone_ssl="SSLEngine On" |
|
| 177 |
- keystone_certfile="SSLCertificateFile $KEYSTONE_SSL_CERT" |
|
| 178 |
- keystone_keyfile="SSLCertificateKeyFile $KEYSTONE_SSL_KEY" |
|
| 179 |
- fi |
|
| 180 | 174 |
if is_service_enabled tls-proxy; then |
| 181 | 175 |
keystone_service_port=$KEYSTONE_SERVICE_PORT_INT |
| 182 | 176 |
keystone_auth_port=$KEYSTONE_AUTH_PORT_INT |
| ... | ... |
@@ -247,11 +241,6 @@ function configure_keystone {
|
| 247 | 247 |
|
| 248 | 248 |
iniset_rpc_backend keystone $KEYSTONE_CONF |
| 249 | 249 |
|
| 250 |
- # Register SSL certificates if provided |
|
| 251 |
- if is_ssl_enabled_service key; then |
|
| 252 |
- ensure_certificates KEYSTONE |
|
| 253 |
- fi |
|
| 254 |
- |
|
| 255 | 250 |
local service_port=$KEYSTONE_SERVICE_PORT |
| 256 | 251 |
local auth_port=$KEYSTONE_AUTH_PORT |
| 257 | 252 |
|
| ... | ... |
@@ -297,7 +286,6 @@ function configure_keystone {
|
| 297 | 297 |
_config_keystone_apache_wsgi |
| 298 | 298 |
else # uwsgi |
| 299 | 299 |
# iniset creates these files when it's called if they don't exist. |
| 300 |
- |
|
| 301 | 300 |
write_uwsgi_config "$KEYSTONE_PUBLIC_UWSGI_CONF" "$KEYSTONE_PUBLIC_UWSGI" "/identity" "$KEYSTONE_SERVICE_HOST:$service_port" |
| 302 | 301 |
write_uwsgi_config "$KEYSTONE_ADMIN_UWSGI_CONF" "$KEYSTONE_ADMIN_UWSGI" "/identity_admin" "$KEYSTONE_ADMIN_BIND_HOST:$auth_port" |
| 303 | 302 |
fi |
| ... | ... |
@@ -546,9 +534,6 @@ function install_keystone {
|
| 546 | 546 |
|
| 547 | 547 |
if [ "$KEYSTONE_DEPLOY" == "mod_wsgi" ]; then |
| 548 | 548 |
install_apache_wsgi |
| 549 |
- if is_ssl_enabled_service "key"; then |
|
| 550 |
- enable_mod_ssl |
|
| 551 |
- fi |
|
| 552 | 549 |
elif [ "$KEYSTONE_DEPLOY" == "uwsgi" ]; then |
| 553 | 550 |
pip_install uwsgi |
| 554 | 551 |
fi |
| ... | ... |
@@ -61,7 +61,7 @@ NEUTRON_META_BINARY=${NEUTRON_META_BINARY:-neutron-metadata-agent}
|
| 61 | 61 |
NEUTRON_METERING_BINARY=${NEUTRON_METERING_BINARY:-neutron-metering-agent}
|
| 62 | 62 |
|
| 63 | 63 |
# Public facing bits |
| 64 |
-if is_ssl_enabled_service "neutron" || is_service_enabled tls-proxy; then |
|
| 64 |
+if is_service_enabled tls-proxy; then |
|
| 65 | 65 |
NEUTRON_SERVICE_PROTOCOL="https" |
| 66 | 66 |
fi |
| 67 | 67 |
NEUTRON_SERVICE_HOST=${NEUTRON_SERVICE_HOST:-$SERVICE_HOST}
|
| ... | ... |
@@ -243,14 +243,6 @@ function configure_neutron_new {
|
| 243 | 243 |
iniset $NEUTRON_CONF DEFAULT bind_port "$NEUTRON_SERVICE_PORT_INT" |
| 244 | 244 |
fi |
| 245 | 245 |
|
| 246 |
- if is_ssl_enabled_service "neutron"; then |
|
| 247 |
- ensure_certificates NEUTRON |
|
| 248 |
- |
|
| 249 |
- iniset $NEUTRON_CONF DEFAULT use_ssl True |
|
| 250 |
- iniset $NEUTRON_CONF DEFAULT ssl_cert_file "$NEUTRON_SSL_CERT" |
|
| 251 |
- iniset $NEUTRON_CONF DEFAULT ssl_key_file "$NEUTRON_SSL_KEY" |
|
| 252 |
- fi |
|
| 253 |
- |
|
| 254 | 246 |
# Metering |
| 255 | 247 |
if is_service_enabled neutron-metering; then |
| 256 | 248 |
cp $NEUTRON_DIR/etc/metering_agent.ini.sample $NEUTRON_METERING_AGENT_CONF |
| ... | ... |
@@ -404,17 +396,10 @@ function start_neutron_api {
|
| 404 | 404 |
# TODO(sc68cal) Stop hard coding this |
| 405 | 405 |
run_process neutron-api "$NEUTRON_BIN_DIR/neutron-server $opts" |
| 406 | 406 |
|
| 407 |
- if is_ssl_enabled_service "neutron"; then |
|
| 408 |
- ssl_ca="--ca-certificate=${SSL_BUNDLE_FILE}"
|
|
| 409 |
- local testcmd="wget ${ssl_ca} --no-proxy -q -O- $service_protocol://$NEUTRON_SERVICE_HOST:$service_port"
|
|
| 410 |
- test_with_retry "$testcmd" "Neutron did not start" $SERVICE_TIMEOUT |
|
| 411 |
- else |
|
| 412 |
- if ! wait_for_service $SERVICE_TIMEOUT $service_protocol://$NEUTRON_SERVICE_HOST:$service_port; then |
|
| 413 |
- die $LINENO "neutron-api did not start" |
|
| 414 |
- fi |
|
| 407 |
+ if ! wait_for_service $SERVICE_TIMEOUT $service_protocol://$NEUTRON_SERVICE_HOST:$service_port; then |
|
| 408 |
+ die $LINENO "neutron-api did not start" |
|
| 415 | 409 |
fi |
| 416 | 410 |
|
| 417 |
- |
|
| 418 | 411 |
# Start proxy if enabled |
| 419 | 412 |
if is_service_enabled tls-proxy; then |
| 420 | 413 |
start_tls_proxy neutron '*' $NEUTRON_SERVICE_PORT $NEUTRON_SERVICE_HOST $NEUTRON_SERVICE_PORT_INT |
| ... | ... |
@@ -61,7 +61,7 @@ |
| 61 | 61 |
|
| 62 | 62 |
deprecated "Using lib/neutron-legacy is deprecated, and it will be removed in the future" |
| 63 | 63 |
|
| 64 |
-if is_ssl_enabled_service "neutron" || is_service_enabled tls-proxy; then |
|
| 64 |
+if is_service_enabled tls-proxy; then |
|
| 65 | 65 |
Q_PROTOCOL="https" |
| 66 | 66 |
fi |
| 67 | 67 |
|
| ... | ... |
@@ -461,9 +461,6 @@ function start_neutron_service_and_check {
|
| 461 | 461 |
# Start the Neutron service |
| 462 | 462 |
run_process q-svc "$NEUTRON_BIN_DIR/neutron-server $cfg_file_options" |
| 463 | 463 |
echo "Waiting for Neutron to start..." |
| 464 |
- if is_ssl_enabled_service "neutron"; then |
|
| 465 |
- ssl_ca="--ca-certificate=${SSL_BUNDLE_FILE}"
|
|
| 466 |
- fi |
|
| 467 | 464 |
|
| 468 | 465 |
local testcmd="wget ${ssl_ca} --no-proxy -q -O- $service_protocol://$Q_HOST:$service_port"
|
| 469 | 466 |
test_with_retry "$testcmd" "Neutron did not start" $SERVICE_TIMEOUT |
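Review bot: `${ssl_ca}` in the `testcmd` string on new line 465 has no remaining assignment in `start_neutron_service_and_check` once the `is_ssl_enabled_service` block above it is deleted, so it expands to whatever the caller's environment happens to hold, normally nothing. Either drop it, `local testcmd="wget --no-proxy -q -O- $service_protocol://$Q_HOST:$service_port"`, or, if the CA bundle should still be pinned for the tls-proxy case, set it under `is_service_enabled tls-proxy` as the removed branch did; the `start_neutron_api` hunk in this change resolved the same situation by switching to `wait_for_service`, which would also keep the two code paths consistent. The function body starts before the hunk.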
| ... | ... |
@@ -714,18 +711,6 @@ function _configure_neutron_common {
|
| 714 | 714 |
iniset $NEUTRON_CONF DEFAULT bind_port "$Q_PORT_INT" |
| 715 | 715 |
fi |
| 716 | 716 |
|
| 717 |
- if is_ssl_enabled_service "nova"; then |
|
| 718 |
- iniset $NEUTRON_CONF nova cafile $SSL_BUNDLE_FILE |
|
| 719 |
- fi |
|
| 720 |
- |
|
| 721 |
- if is_ssl_enabled_service "neutron"; then |
|
| 722 |
- ensure_certificates NEUTRON |
|
| 723 |
- |
|
| 724 |
- iniset $NEUTRON_CONF DEFAULT use_ssl True |
|
| 725 |
- iniset $NEUTRON_CONF DEFAULT ssl_cert_file "$NEUTRON_SSL_CERT" |
|
| 726 |
- iniset $NEUTRON_CONF DEFAULT ssl_key_file "$NEUTRON_SSL_KEY" |
|
| 727 |
- fi |
|
| 728 |
- |
|
| 729 | 717 |
_neutron_setup_rootwrap |
| 730 | 718 |
} |
| 731 | 719 |
|
| ... | ... |
@@ -68,7 +68,7 @@ fi |
| 68 | 68 |
# Toggle for deploying Nova-API under HTTPD + mod_wsgi |
| 69 | 69 |
NOVA_USE_MOD_WSGI=${NOVA_USE_MOD_WSGI:-False}
|
| 70 | 70 |
|
| 71 |
-if is_ssl_enabled_service "nova" || is_service_enabled tls-proxy; then |
|
| 71 |
+if is_service_enabled tls-proxy; then |
|
| 72 | 72 |
NOVA_SERVICE_PROTOCOL="https" |
| 73 | 73 |
fi |
| 74 | 74 |
|
| ... | ... |
@@ -262,11 +262,6 @@ function _config_nova_apache_wsgi {
|
| 262 | 262 |
local nova_metadata_port=$METADATA_SERVICE_PORT |
| 263 | 263 |
local venv_path="" |
| 264 | 264 |
|
| 265 |
- if is_ssl_enabled_service nova-api; then |
|
| 266 |
- nova_ssl="SSLEngine On" |
|
| 267 |
- nova_certfile="SSLCertificateFile $NOVA_SSL_CERT" |
|
| 268 |
- nova_keyfile="SSLCertificateKeyFile $NOVA_SSL_KEY" |
|
| 269 |
- fi |
|
| 270 | 265 |
if [[ ${USE_VENV} = True ]]; then
|
| 271 | 266 |
venv_path="python-path=${PROJECT_VENV["nova"]}/lib/$(python_version)/site-packages"
|
| 272 | 267 |
fi |
| ... | ... |
@@ -501,7 +496,7 @@ function create_nova_conf {
|
| 501 | 501 |
fi |
| 502 | 502 |
|
| 503 | 503 |
if is_service_enabled cinder; then |
| 504 |
- if is_ssl_enabled_service "cinder" || is_service_enabled tls-proxy; then |
|
| 504 |
+ if is_service_enabled tls-proxy; then |
|
| 505 | 505 |
CINDER_SERVICE_HOST=${CINDER_SERVICE_HOST:-$SERVICE_HOST}
|
| 506 | 506 |
CINDER_SERVICE_PORT=${CINDER_SERVICE_PORT:-8776}
|
| 507 | 507 |
iniset $NOVA_CONF cinder cafile $SSL_BUNDLE_FILE |
| ... | ... |
@@ -586,20 +581,10 @@ function create_nova_conf {
|
| 586 | 586 |
|
| 587 | 587 |
iniset $NOVA_CONF cinder os_region_name "$REGION_NAME" |
| 588 | 588 |
|
| 589 |
- if is_ssl_enabled_service glance || is_service_enabled tls-proxy; then |
|
| 589 |
+ if is_service_enabled tls-proxy; then |
|
| 590 | 590 |
iniset $NOVA_CONF DEFAULT glance_protocol https |
| 591 | 591 |
fi |
| 592 | 592 |
|
| 593 |
- # Register SSL certificates if provided |
|
| 594 |
- if is_ssl_enabled_service nova; then |
|
| 595 |
- ensure_certificates NOVA |
|
| 596 |
- |
|
| 597 |
- iniset $NOVA_CONF DEFAULT ssl_cert_file "$NOVA_SSL_CERT" |
|
| 598 |
- iniset $NOVA_CONF DEFAULT ssl_key_file "$NOVA_SSL_KEY" |
|
| 599 |
- |
|
| 600 |
- iniset $NOVA_CONF DEFAULT enabled_ssl_apis "$NOVA_ENABLED_APIS" |
|
| 601 |
- fi |
|
| 602 |
- |
|
| 603 | 593 |
if is_service_enabled n-sproxy; then |
| 604 | 594 |
iniset $NOVA_CONF serial_console serialproxy_host "$NOVA_SERVICE_LISTEN_ADDRESS" |
| 605 | 595 |
iniset $NOVA_CONF serial_console enabled True |
| ... | ... |
@@ -790,9 +775,6 @@ function install_nova {
|
| 790 | 790 |
|
| 791 | 791 |
if [ "$NOVA_USE_MOD_WSGI" == "True" ]; then |
| 792 | 792 |
install_apache_wsgi |
| 793 |
- if is_ssl_enabled_service "nova-api"; then |
|
| 794 |
- enable_mod_ssl |
|
| 795 |
- fi |
|
| 796 | 793 |
fi |
| 797 | 794 |
} |
| 798 | 795 |
|
| ... | ... |
@@ -40,7 +40,7 @@ PLACEMENT_AUTH_STRATEGY=${PLACEMENT_AUTH_STRATEGY:-placement}
|
| 40 | 40 |
# yet merged in nova but is coming soon. |
| 41 | 41 |
PLACEMENT_DB_ENABLED=$(trueorfalse False PLACEMENT_DB_ENABLED) |
| 42 | 42 |
|
| 43 |
-if is_ssl_enabled_service "placement-api" || is_service_enabled tls-proxy; then |
|
| 43 |
+if is_service_enabled tls-proxy; then |
|
| 44 | 44 |
PLACEMENT_SERVICE_PROTOCOL="https" |
| 45 | 45 |
fi |
| 46 | 46 |
|
| ... | ... |
@@ -72,12 +72,6 @@ function _config_placement_apache_wsgi {
|
| 72 | 72 |
nova_bin_dir=$(get_python_exec_prefix) |
| 73 | 73 |
placement_api_apache_conf=$(apache_site_config_for placement-api) |
| 74 | 74 |
|
| 75 |
- # reuse nova's cert if a cert is being used |
|
| 76 |
- if is_ssl_enabled_service "placement-api"; then |
|
| 77 |
- placement_ssl="SSLEngine On" |
|
| 78 |
- placement_certfile="SSLCertificateFile $NOVA_SSL_CERT" |
|
| 79 |
- placement_keyfile="SSLCertificateKeyFile $NOVA_SSL_KEY" |
|
| 80 |
- fi |
|
| 81 | 75 |
# reuse nova's venv if there is one as placement code lives |
| 82 | 76 |
# there |
| 83 | 77 |
if [[ ${USE_VENV} = True ]]; then
|
| ... | ... |
@@ -149,9 +143,6 @@ function init_placement {
|
| 149 | 149 |
# install_placement() - Collect source and prepare |
| 150 | 150 |
function install_placement {
|
| 151 | 151 |
install_apache_wsgi |
| 152 |
- if is_ssl_enabled_service "placement-api"; then |
|
| 153 |
- enable_mod_ssl |
|
| 154 |
- fi |
|
| 155 | 152 |
} |
| 156 | 153 |
|
| 157 | 154 |
# start_placement_api() - Start the API processes ahead of other things |
| ... | ... |
@@ -31,7 +31,7 @@ set +o xtrace |
| 31 | 31 |
# Defaults |
| 32 | 32 |
# -------- |
| 33 | 33 |
|
| 34 |
-if is_ssl_enabled_service "s-proxy" || is_service_enabled tls-proxy; then |
|
| 34 |
+if is_service_enabled tls-proxy; then |
|
| 35 | 35 |
SWIFT_SERVICE_PROTOCOL="https" |
| 36 | 36 |
fi |
| 37 | 37 |
|
| ... | ... |
@@ -398,13 +398,6 @@ function configure_swift {
|
| 398 | 398 |
iniset ${SWIFT_CONFIG_PROXY_SERVER} DEFAULT bind_port ${SWIFT_DEFAULT_BIND_PORT}
|
| 399 | 399 |
fi |
| 400 | 400 |
|
| 401 |
- if is_ssl_enabled_service s-proxy; then |
|
| 402 |
- ensure_certificates SWIFT |
|
| 403 |
- |
|
| 404 |
- iniset ${SWIFT_CONFIG_PROXY_SERVER} DEFAULT cert_file "$SWIFT_SSL_CERT"
|
|
| 405 |
- iniset ${SWIFT_CONFIG_PROXY_SERVER} DEFAULT key_file "$SWIFT_SSL_KEY"
|
|
| 406 |
- fi |
|
| 407 |
- |
|
| 408 | 401 |
# DevStack is commonly run in a small slow environment, so bump the timeouts up. |
| 409 | 402 |
# ``node_timeout`` is the node read operation response time to the proxy server |
| 410 | 403 |
# ``conn_timeout`` is how long it takes a connect() system call to return |
| ... | ... |
@@ -279,7 +279,7 @@ function configure_tempest {
|
| 279 | 279 |
fi |
| 280 | 280 |
iniset $TEMPEST_CONFIG identity auth_version ${TEMPEST_AUTH_VERSION:-v3}
|
| 281 | 281 |
|
| 282 |
- if is_ssl_enabled_service "key" || is_service_enabled tls-proxy; then |
|
| 282 |
+ if is_service_enabled tls-proxy; then |
|
| 283 | 283 |
iniset $TEMPEST_CONFIG identity ca_certificates_file $SSL_BUNDLE_FILE |
| 284 | 284 |
fi |
| 285 | 285 |
|
| ... | ... |
@@ -343,7 +343,7 @@ function make_root_CA {
|
| 343 | 343 |
# one. If the value for the CA is not rooted in /etc then we know |
| 344 | 344 |
# we need to change it. |
| 345 | 345 |
function fix_system_ca_bundle_path {
|
| 346 |
- if is_service_enabled tls-proxy || [ "$USE_SSL" == "True" ]; then |
|
| 346 |
+ if is_service_enabled tls-proxy; then |
|
| 347 | 347 |
local capath |
| 348 | 348 |
capath=$(python -c $'try:\n from requests import certs\n print certs.where()\nexcept ImportError: pass') |
| 349 | 349 |
|
| ... | ... |
@@ -362,27 +362,14 @@ function fix_system_ca_bundle_path {
|
| 362 | 362 |
} |
| 363 | 363 |
|
| 364 | 364 |
|
| 365 |
-# Certificate Input Configuration |
|
| 366 |
-# =============================== |
|
| 367 |
- |
|
| 368 |
-# check to see if the service(s) specified are to be SSL enabled. |
|
| 369 |
-# |
|
| 370 |
-# Multiple services specified as arguments are ``OR``'ed together; the test |
|
| 371 |
-# is a short-circuit boolean, i.e it returns on the first match. |
|
| 372 |
-# |
|
| 373 |
-# Uses global ``SSL_ENABLED_SERVICES`` |
|
| 365 |
+# Only for compatibility, return if the tls-proxy is enabled |
|
| 374 | 366 |
function is_ssl_enabled_service {
|
| 375 |
- local services=$@ |
|
| 376 |
- local service="" |
|
| 377 |
- if [ "$USE_SSL" == "False" ]; then |
|
| 378 |
- return 1 |
|
| 379 |
- fi |
|
| 380 |
- for service in ${services}; do
|
|
| 381 |
- [[ ,${SSL_ENABLED_SERVICES}, =~ ,${service}, ]] && return 0
|
|
| 382 |
- done |
|
| 383 |
- return 1 |
|
| 367 |
+ return is_service_enabled tls-proxy |
|
| 384 | 368 |
} |
| 385 | 369 |
|
| 370 |
+# Certificate Input Configuration |
|
| 371 |
+# =============================== |
|
| 372 |
+ |
|
| 386 | 373 |
# Ensure that the certificates for a service are in place. This function does |
| 387 | 374 |
# not check that a service is SSL enabled, this should already have been |
| 388 | 375 |
# completed. |
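Review bot: `return is_service_enabled tls-proxy` on new line 367 is not valid bash: `return` takes only an optional integer status, so the shell rejects the line with a usage error and the function returns non-zero without ever calling `is_service_enabled`. The compatibility shim is therefore always false, and any out-of-tree caller of `is_ssl_enabled_service` will take its non-TLS branch (for example skipping a `cafile` setting) even with tls-proxy enabled, which is a silent downgrade rather than the intended alias. Make the call the function's last command instead, `is_service_enabled tls-proxy`, whose status then becomes the function's return value. The header comment would read better as `# Compatibility shim for out-of-tree callers: succeeds iff the tls-proxy service is enabled`.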
| ... | ... |
@@ -539,13 +539,6 @@ rm -f $SSL_BUNDLE_FILE |
| 539 | 539 |
source $TOP_DIR/lib/database |
| 540 | 540 |
source $TOP_DIR/lib/rpc_backend |
| 541 | 541 |
|
| 542 |
-# Service to enable with SSL if ``USE_SSL`` is True |
|
| 543 |
-SSL_ENABLED_SERVICES="key,nova,cinder,glance,s-proxy,neutron" |
|
| 544 |
- |
|
| 545 |
-if is_service_enabled tls-proxy && [ "$USE_SSL" == "True" ]; then |
|
| 546 |
- die $LINENO "tls-proxy and SSL are mutually exclusive" |
|
| 547 |
-fi |
|
| 548 |
- |
|
| 549 | 542 |
# Configure Projects |
| 550 | 543 |
# ================== |
| 551 | 544 |
|
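Review bot: Dropping the `USE_SSL` checks here together with the `USE_SSL=$(trueorfalse False USE_SSL)` default in the later hunk means an existing local.conf with `USE_SSL=True` is now silently ignored, so a deployment that previously ran https between services comes up on plain http without any message. Failing loudly preserves the operator's intent: `if [[ "$(trueorfalse False USE_SSL)" == "True" ]]; then die $LINENO "USE_SSL is no longer supported; enable the tls-proxy service instead"; fi` in place of the removed mutual-exclusion check. A release note to the same effect would help as well.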
| ... | ... |
@@ -806,7 +799,7 @@ if is_service_enabled cinder nova; then |
| 806 | 806 |
fi |
| 807 | 807 |
|
| 808 | 808 |
# Setup TLS certs |
| 809 |
-if is_service_enabled tls-proxy || [ "$USE_SSL" == "True" ]; then |
|
| 809 |
+if is_service_enabled tls-proxy; then |
|
| 810 | 810 |
configure_CA |
| 811 | 811 |
init_CA |
| 812 | 812 |
init_cert |
| ... | ... |
@@ -886,7 +879,7 @@ if is_service_enabled horizon; then |
| 886 | 886 |
stack_install_service horizon |
| 887 | 887 |
fi |
| 888 | 888 |
|
| 889 |
-if is_service_enabled tls-proxy || [ "$USE_SSL" == "True" ]; then |
|
| 889 |
+if is_service_enabled tls-proxy; then |
|
| 890 | 890 |
fix_system_ca_bundle_path |
| 891 | 891 |
fi |
| 892 | 892 |
|
| ... | ... |
@@ -846,9 +846,6 @@ SYSLOG_PORT=${SYSLOG_PORT:-516}
|
| 846 | 846 |
# Set to 0 to disable shallow cloning |
| 847 | 847 |
GIT_DEPTH=${GIT_DEPTH:-0}
|
| 848 | 848 |
|
| 849 |
-# Use native SSL for servers in ``SSL_ENABLED_SERVICES`` |
|
| 850 |
-USE_SSL=$(trueorfalse False USE_SSL) |
|
| 851 |
- |
|
| 852 | 849 |
# We may not need to recreate database in case 2 Keystone services |
| 853 | 850 |
# sharing the same database. It would be useful for multinode Grenade tests. |
| 854 | 851 |
RECREATE_KEYSTONE_DB=$(trueorfalse True RECREATE_KEYSTONE_DB) |