tls-proxy is the way we're now doing a standard install using https
between services. There is a lot more work to make services directly
handle https, and having python daemons do that directly is a bit of
an anti-pattern. Nothing currently tests this in project-config from
my recent grepping, so in the interest of long term maintenance,
delete it all.
Change-Id: I910df4ceab6f24f3d9c484e0433c93b06f17d6e1
... | ... |
@@ -58,7 +58,7 @@ CINDER_CONF=$CINDER_CONF_DIR/cinder.conf |
58 | 58 |
CINDER_API_PASTE_INI=$CINDER_CONF_DIR/api-paste.ini |
59 | 59 |
|
60 | 60 |
# Public facing bits |
61 |
-if is_ssl_enabled_service "cinder" || is_service_enabled tls-proxy; then |
|
61 |
+if is_service_enabled tls-proxy; then |
|
62 | 62 |
CINDER_SERVICE_PROTOCOL="https" |
63 | 63 |
fi |
64 | 64 |
CINDER_SERVICE_HOST=${CINDER_SERVICE_HOST:-$SERVICE_HOST} |
... | ... |
@@ -215,11 +215,6 @@ function _cinder_config_apache_wsgi { |
215 | 215 |
local cinder_api_port=$CINDER_SERVICE_PORT |
216 | 216 |
local venv_path="" |
217 | 217 |
|
218 |
- if is_ssl_enabled_service c-api; then |
|
219 |
- cinder_ssl="SSLEngine On" |
|
220 |
- cinder_certfile="SSLCertificateFile $CINDER_SSL_CERT" |
|
221 |
- cinder_keyfile="SSLCertificateKeyFile $CINDER_SSL_KEY" |
|
222 |
- fi |
|
223 | 218 |
if [[ ${USE_VENV} = True ]]; then |
224 | 219 |
venv_path="python-path=${PROJECT_VENV["cinder"]}/lib/python2.7/site-packages" |
225 | 220 |
fi |
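Review bot: The deleted block was the only assignment of `cinder_ssl`, `cinder_certfile` and `cinder_keyfile`, but `_cinder_config_apache_wsgi` continues past the hunk; if the Apache template substitution further down still references these variables they now expand to empty strings and the matching placeholders in the template become dead. The same pattern appears in the keystone, nova and placement `_config_*_apache_wsgi` hunks of this change. Either drop those substitutions and template placeholders here as well, or leave a one-line comment above the `USE_VENV` check such as `# SSL termination is handled by tls-proxy; Apache listens on plain HTTP` so the next reader does not go looking for the removed variables.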
... | ... |
@@ -347,7 +342,7 @@ function configure_cinder { |
347 | 347 |
iniset $CINDER_CONF DEFAULT osapi_volume_workers "$API_WORKERS" |
348 | 348 |
|
349 | 349 |
iniset $CINDER_CONF DEFAULT glance_api_servers "${GLANCE_SERVICE_PROTOCOL}://${GLANCE_HOSTPORT}" |
350 |
- if is_ssl_enabled_service glance || is_service_enabled tls-proxy; then |
|
350 |
+ if is_service_enabled tls-proxy; then |
|
351 | 351 |
iniset $CINDER_CONF DEFAULT glance_protocol https |
352 | 352 |
iniset $CINDER_CONF DEFAULT glance_ca_certificates_file $SSL_BUNDLE_FILE |
353 | 353 |
fi |
... | ... |
@@ -356,14 +351,6 @@ function configure_cinder { |
356 | 356 |
iniset $CINDER_CONF DEFAULT glance_api_version 2 |
357 | 357 |
fi |
358 | 358 |
|
359 |
- # Register SSL certificates if provided |
|
360 |
- if is_ssl_enabled_service cinder; then |
|
361 |
- ensure_certificates CINDER |
|
362 |
- |
|
363 |
- iniset $CINDER_CONF DEFAULT ssl_cert_file "$CINDER_SSL_CERT" |
|
364 |
- iniset $CINDER_CONF DEFAULT ssl_key_file "$CINDER_SSL_KEY" |
|
365 |
- fi |
|
366 |
- |
|
367 | 359 |
# Set os_privileged_user credentials (used for os-assisted-snapshots) |
368 | 360 |
iniset $CINDER_CONF DEFAULT os_privileged_user_name nova |
369 | 361 |
iniset $CINDER_CONF DEFAULT os_privileged_user_password "$SERVICE_PASSWORD" |
... | ... |
@@ -464,9 +451,6 @@ function install_cinder { |
464 | 464 |
|
465 | 465 |
if [ "$CINDER_USE_MOD_WSGI" == "True" ]; then |
466 | 466 |
install_apache_wsgi |
467 |
- if is_ssl_enabled_service "c-api"; then |
|
468 |
- enable_mod_ssl |
|
469 |
- fi |
|
470 | 467 |
fi |
471 | 468 |
} |
472 | 469 |
|
... | ... |
@@ -57,7 +57,7 @@ GLANCE_SCHEMA_JSON=$GLANCE_CONF_DIR/schema-image.json |
57 | 57 |
GLANCE_SWIFT_STORE_CONF=$GLANCE_CONF_DIR/glance-swift-store.conf |
58 | 58 |
GLANCE_V1_ENABLED=${GLANCE_V1_ENABLED:-False} |
59 | 59 |
|
60 |
-if is_ssl_enabled_service "glance" || is_service_enabled tls-proxy; then |
|
60 |
+if is_service_enabled tls-proxy; then |
|
61 | 61 |
GLANCE_SERVICE_PROTOCOL="https" |
62 | 62 |
fi |
63 | 63 |
|
... | ... |
@@ -187,18 +187,7 @@ function configure_glance { |
187 | 187 |
iniset $GLANCE_REGISTRY_CONF keystone_authtoken identity_uri $KEYSTONE_AUTH_URI |
188 | 188 |
fi |
189 | 189 |
|
190 |
- # Register SSL certificates if provided |
|
191 |
- if is_ssl_enabled_service glance; then |
|
192 |
- ensure_certificates GLANCE |
|
193 |
- |
|
194 |
- iniset $GLANCE_API_CONF DEFAULT cert_file "$GLANCE_SSL_CERT" |
|
195 |
- iniset $GLANCE_API_CONF DEFAULT key_file "$GLANCE_SSL_KEY" |
|
196 |
- |
|
197 |
- iniset $GLANCE_REGISTRY_CONF DEFAULT cert_file "$GLANCE_SSL_CERT" |
|
198 |
- iniset $GLANCE_REGISTRY_CONF DEFAULT key_file "$GLANCE_SSL_KEY" |
|
199 |
- fi |
|
200 |
- |
|
201 |
- if is_ssl_enabled_service glance || is_service_enabled tls-proxy; then |
|
190 |
+ if is_service_enabled tls-proxy; then |
|
202 | 191 |
iniset $GLANCE_API_CONF DEFAULT registry_client_protocol https |
203 | 192 |
fi |
204 | 193 |
|
... | ... |
@@ -233,7 +222,7 @@ function configure_glance { |
233 | 233 |
|
234 | 234 |
cp -p $GLANCE_DIR/etc/metadefs/*.json $GLANCE_METADEF_DIR |
235 | 235 |
|
236 |
- if is_ssl_enabled_service "cinder" || is_service_enabled tls-proxy; then |
|
236 |
+ if is_service_enabled tls-proxy; then |
|
237 | 237 |
CINDER_SERVICE_HOST=${CINDER_SERVICE_HOST:-$SERVICE_HOST} |
238 | 238 |
CINDER_SERVICE_PORT=${CINDER_SERVICE_PORT:-8776} |
239 | 239 |
|
... | ... |
@@ -116,7 +116,7 @@ SERVICE_PROJECT_NAME=${SERVICE_PROJECT_NAME:-service} |
116 | 116 |
SERVICE_TENANT_NAME=${SERVICE_PROJECT_NAME:-service} |
117 | 117 |
|
118 | 118 |
# if we are running with SSL use https protocols |
119 |
-if is_ssl_enabled_service "key" || is_service_enabled tls-proxy; then |
|
119 |
+if is_service_enabled tls-proxy; then |
|
120 | 120 |
KEYSTONE_AUTH_PROTOCOL="https" |
121 | 121 |
KEYSTONE_SERVICE_PROTOCOL="https" |
122 | 122 |
fi |
... | ... |
@@ -171,12 +171,6 @@ function _config_keystone_apache_wsgi { |
171 | 171 |
local keystone_auth_port=$KEYSTONE_AUTH_PORT |
172 | 172 |
local venv_path="" |
173 | 173 |
|
174 |
- if is_ssl_enabled_service key; then |
|
175 |
- keystone_ssl_listen="" |
|
176 |
- keystone_ssl="SSLEngine On" |
|
177 |
- keystone_certfile="SSLCertificateFile $KEYSTONE_SSL_CERT" |
|
178 |
- keystone_keyfile="SSLCertificateKeyFile $KEYSTONE_SSL_KEY" |
|
179 |
- fi |
|
180 | 174 |
if is_service_enabled tls-proxy; then |
181 | 175 |
keystone_service_port=$KEYSTONE_SERVICE_PORT_INT |
182 | 176 |
keystone_auth_port=$KEYSTONE_AUTH_PORT_INT |
... | ... |
@@ -247,11 +241,6 @@ function configure_keystone { |
247 | 247 |
|
248 | 248 |
iniset_rpc_backend keystone $KEYSTONE_CONF |
249 | 249 |
|
250 |
- # Register SSL certificates if provided |
|
251 |
- if is_ssl_enabled_service key; then |
|
252 |
- ensure_certificates KEYSTONE |
|
253 |
- fi |
|
254 |
- |
|
255 | 250 |
local service_port=$KEYSTONE_SERVICE_PORT |
256 | 251 |
local auth_port=$KEYSTONE_AUTH_PORT |
257 | 252 |
|
... | ... |
@@ -297,7 +286,6 @@ function configure_keystone { |
297 | 297 |
_config_keystone_apache_wsgi |
298 | 298 |
else # uwsgi |
299 | 299 |
# iniset creates these files when it's called if they don't exist. |
300 |
- |
|
301 | 300 |
write_uwsgi_config "$KEYSTONE_PUBLIC_UWSGI_CONF" "$KEYSTONE_PUBLIC_UWSGI" "/identity" "$KEYSTONE_SERVICE_HOST:$service_port" |
302 | 301 |
write_uwsgi_config "$KEYSTONE_ADMIN_UWSGI_CONF" "$KEYSTONE_ADMIN_UWSGI" "/identity_admin" "$KEYSTONE_ADMIN_BIND_HOST:$auth_port" |
303 | 302 |
fi |
... | ... |
@@ -546,9 +534,6 @@ function install_keystone { |
546 | 546 |
|
547 | 547 |
if [ "$KEYSTONE_DEPLOY" == "mod_wsgi" ]; then |
548 | 548 |
install_apache_wsgi |
549 |
- if is_ssl_enabled_service "key"; then |
|
550 |
- enable_mod_ssl |
|
551 |
- fi |
|
552 | 549 |
elif [ "$KEYSTONE_DEPLOY" == "uwsgi" ]; then |
553 | 550 |
pip_install uwsgi |
554 | 551 |
fi |
... | ... |
@@ -61,7 +61,7 @@ NEUTRON_META_BINARY=${NEUTRON_META_BINARY:-neutron-metadata-agent} |
61 | 61 |
NEUTRON_METERING_BINARY=${NEUTRON_METERING_BINARY:-neutron-metering-agent} |
62 | 62 |
|
63 | 63 |
# Public facing bits |
64 |
-if is_ssl_enabled_service "neutron" || is_service_enabled tls-proxy; then |
|
64 |
+if is_service_enabled tls-proxy; then |
|
65 | 65 |
NEUTRON_SERVICE_PROTOCOL="https" |
66 | 66 |
fi |
67 | 67 |
NEUTRON_SERVICE_HOST=${NEUTRON_SERVICE_HOST:-$SERVICE_HOST} |
... | ... |
@@ -243,14 +243,6 @@ function configure_neutron_new { |
243 | 243 |
iniset $NEUTRON_CONF DEFAULT bind_port "$NEUTRON_SERVICE_PORT_INT" |
244 | 244 |
fi |
245 | 245 |
|
246 |
- if is_ssl_enabled_service "neutron"; then |
|
247 |
- ensure_certificates NEUTRON |
|
248 |
- |
|
249 |
- iniset $NEUTRON_CONF DEFAULT use_ssl True |
|
250 |
- iniset $NEUTRON_CONF DEFAULT ssl_cert_file "$NEUTRON_SSL_CERT" |
|
251 |
- iniset $NEUTRON_CONF DEFAULT ssl_key_file "$NEUTRON_SSL_KEY" |
|
252 |
- fi |
|
253 |
- |
|
254 | 246 |
# Metering |
255 | 247 |
if is_service_enabled neutron-metering; then |
256 | 248 |
cp $NEUTRON_DIR/etc/metering_agent.ini.sample $NEUTRON_METERING_AGENT_CONF |
... | ... |
@@ -404,17 +396,10 @@ function start_neutron_api { |
404 | 404 |
# TODO(sc68cal) Stop hard coding this |
405 | 405 |
run_process neutron-api "$NEUTRON_BIN_DIR/neutron-server $opts" |
406 | 406 |
|
407 |
- if is_ssl_enabled_service "neutron"; then |
|
408 |
- ssl_ca="--ca-certificate=${SSL_BUNDLE_FILE}" |
|
409 |
- local testcmd="wget ${ssl_ca} --no-proxy -q -O- $service_protocol://$NEUTRON_SERVICE_HOST:$service_port" |
|
410 |
- test_with_retry "$testcmd" "Neutron did not start" $SERVICE_TIMEOUT |
|
411 |
- else |
|
412 |
- if ! wait_for_service $SERVICE_TIMEOUT $service_protocol://$NEUTRON_SERVICE_HOST:$service_port; then |
|
413 |
- die $LINENO "neutron-api did not start" |
|
414 |
- fi |
|
407 |
+ if ! wait_for_service $SERVICE_TIMEOUT $service_protocol://$NEUTRON_SERVICE_HOST:$service_port; then |
|
408 |
+ die $LINENO "neutron-api did not start" |
|
415 | 409 |
fi |
416 | 410 |
|
417 |
- |
|
418 | 411 |
# Start proxy if enabled |
419 | 412 |
if is_service_enabled tls-proxy; then |
420 | 413 |
start_tls_proxy neutron '*' $NEUTRON_SERVICE_PORT $NEUTRON_SERVICE_HOST $NEUTRON_SERVICE_PORT_INT |
... | ... |
@@ -61,7 +61,7 @@ |
61 | 61 |
|
62 | 62 |
deprecated "Using lib/neutron-legacy is deprecated, and it will be removed in the future" |
63 | 63 |
|
64 |
-if is_ssl_enabled_service "neutron" || is_service_enabled tls-proxy; then |
|
64 |
+if is_service_enabled tls-proxy; then |
|
65 | 65 |
Q_PROTOCOL="https" |
66 | 66 |
fi |
67 | 67 |
|
... | ... |
@@ -461,9 +461,6 @@ function start_neutron_service_and_check { |
461 | 461 |
# Start the Neutron service |
462 | 462 |
run_process q-svc "$NEUTRON_BIN_DIR/neutron-server $cfg_file_options" |
463 | 463 |
echo "Waiting for Neutron to start..." |
464 |
- if is_ssl_enabled_service "neutron"; then |
|
465 |
- ssl_ca="--ca-certificate=${SSL_BUNDLE_FILE}" |
|
466 |
- fi |
|
467 | 464 |
|
468 | 465 |
local testcmd="wget ${ssl_ca} --no-proxy -q -O- $service_protocol://$Q_HOST:$service_port" |
469 | 466 |
test_with_retry "$testcmd" "Neutron did not start" $SERVICE_TIMEOUT |
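Review bot: `${ssl_ca}` in the `testcmd` line is now never assigned in `start_neutron_service_and_check`: the removed block was its only writer, and since it was never declared `local` the probe now picks up whatever value (normally none) happens to be in the environment. The sibling hunk in `start_neutron_api` dropped the SSL wget branch entirely, so this function should follow: `local testcmd="wget --no-proxy -q -O- $service_protocol://$Q_HOST:$service_port"`. The function begins outside the hunk.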
... | ... |
@@ -714,18 +711,6 @@ function _configure_neutron_common { |
714 | 714 |
iniset $NEUTRON_CONF DEFAULT bind_port "$Q_PORT_INT" |
715 | 715 |
fi |
716 | 716 |
|
717 |
- if is_ssl_enabled_service "nova"; then |
|
718 |
- iniset $NEUTRON_CONF nova cafile $SSL_BUNDLE_FILE |
|
719 |
- fi |
|
720 |
- |
|
721 |
- if is_ssl_enabled_service "neutron"; then |
|
722 |
- ensure_certificates NEUTRON |
|
723 |
- |
|
724 |
- iniset $NEUTRON_CONF DEFAULT use_ssl True |
|
725 |
- iniset $NEUTRON_CONF DEFAULT ssl_cert_file "$NEUTRON_SSL_CERT" |
|
726 |
- iniset $NEUTRON_CONF DEFAULT ssl_key_file "$NEUTRON_SSL_KEY" |
|
727 |
- fi |
|
728 |
- |
|
729 | 717 |
_neutron_setup_rootwrap |
730 | 718 |
} |
731 | 719 |
|
... | ... |
@@ -68,7 +68,7 @@ fi |
68 | 68 |
# Toggle for deploying Nova-API under HTTPD + mod_wsgi |
69 | 69 |
NOVA_USE_MOD_WSGI=${NOVA_USE_MOD_WSGI:-False} |
70 | 70 |
|
71 |
-if is_ssl_enabled_service "nova" || is_service_enabled tls-proxy; then |
|
71 |
+if is_service_enabled tls-proxy; then |
|
72 | 72 |
NOVA_SERVICE_PROTOCOL="https" |
73 | 73 |
fi |
74 | 74 |
|
... | ... |
@@ -262,11 +262,6 @@ function _config_nova_apache_wsgi { |
262 | 262 |
local nova_metadata_port=$METADATA_SERVICE_PORT |
263 | 263 |
local venv_path="" |
264 | 264 |
|
265 |
- if is_ssl_enabled_service nova-api; then |
|
266 |
- nova_ssl="SSLEngine On" |
|
267 |
- nova_certfile="SSLCertificateFile $NOVA_SSL_CERT" |
|
268 |
- nova_keyfile="SSLCertificateKeyFile $NOVA_SSL_KEY" |
|
269 |
- fi |
|
270 | 265 |
if [[ ${USE_VENV} = True ]]; then |
271 | 266 |
venv_path="python-path=${PROJECT_VENV["nova"]}/lib/$(python_version)/site-packages" |
272 | 267 |
fi |
... | ... |
@@ -501,7 +496,7 @@ function create_nova_conf { |
501 | 501 |
fi |
502 | 502 |
|
503 | 503 |
if is_service_enabled cinder; then |
504 |
- if is_ssl_enabled_service "cinder" || is_service_enabled tls-proxy; then |
|
504 |
+ if is_service_enabled tls-proxy; then |
|
505 | 505 |
CINDER_SERVICE_HOST=${CINDER_SERVICE_HOST:-$SERVICE_HOST} |
506 | 506 |
CINDER_SERVICE_PORT=${CINDER_SERVICE_PORT:-8776} |
507 | 507 |
iniset $NOVA_CONF cinder cafile $SSL_BUNDLE_FILE |
... | ... |
@@ -586,20 +581,10 @@ function create_nova_conf { |
586 | 586 |
|
587 | 587 |
iniset $NOVA_CONF cinder os_region_name "$REGION_NAME" |
588 | 588 |
|
589 |
- if is_ssl_enabled_service glance || is_service_enabled tls-proxy; then |
|
589 |
+ if is_service_enabled tls-proxy; then |
|
590 | 590 |
iniset $NOVA_CONF DEFAULT glance_protocol https |
591 | 591 |
fi |
592 | 592 |
|
593 |
- # Register SSL certificates if provided |
|
594 |
- if is_ssl_enabled_service nova; then |
|
595 |
- ensure_certificates NOVA |
|
596 |
- |
|
597 |
- iniset $NOVA_CONF DEFAULT ssl_cert_file "$NOVA_SSL_CERT" |
|
598 |
- iniset $NOVA_CONF DEFAULT ssl_key_file "$NOVA_SSL_KEY" |
|
599 |
- |
|
600 |
- iniset $NOVA_CONF DEFAULT enabled_ssl_apis "$NOVA_ENABLED_APIS" |
|
601 |
- fi |
|
602 |
- |
|
603 | 593 |
if is_service_enabled n-sproxy; then |
604 | 594 |
iniset $NOVA_CONF serial_console serialproxy_host "$NOVA_SERVICE_LISTEN_ADDRESS" |
605 | 595 |
iniset $NOVA_CONF serial_console enabled True |
... | ... |
@@ -790,9 +775,6 @@ function install_nova { |
790 | 790 |
|
791 | 791 |
if [ "$NOVA_USE_MOD_WSGI" == "True" ]; then |
792 | 792 |
install_apache_wsgi |
793 |
- if is_ssl_enabled_service "nova-api"; then |
|
794 |
- enable_mod_ssl |
|
795 |
- fi |
|
796 | 793 |
fi |
797 | 794 |
} |
798 | 795 |
|
... | ... |
@@ -40,7 +40,7 @@ PLACEMENT_AUTH_STRATEGY=${PLACEMENT_AUTH_STRATEGY:-placement} |
40 | 40 |
# yet merged in nova but is coming soon. |
41 | 41 |
PLACEMENT_DB_ENABLED=$(trueorfalse False PLACEMENT_DB_ENABLED) |
42 | 42 |
|
43 |
-if is_ssl_enabled_service "placement-api" || is_service_enabled tls-proxy; then |
|
43 |
+if is_service_enabled tls-proxy; then |
|
44 | 44 |
PLACEMENT_SERVICE_PROTOCOL="https" |
45 | 45 |
fi |
46 | 46 |
|
... | ... |
@@ -72,12 +72,6 @@ function _config_placement_apache_wsgi { |
72 | 72 |
nova_bin_dir=$(get_python_exec_prefix) |
73 | 73 |
placement_api_apache_conf=$(apache_site_config_for placement-api) |
74 | 74 |
|
75 |
- # reuse nova's cert if a cert is being used |
|
76 |
- if is_ssl_enabled_service "placement-api"; then |
|
77 |
- placement_ssl="SSLEngine On" |
|
78 |
- placement_certfile="SSLCertificateFile $NOVA_SSL_CERT" |
|
79 |
- placement_keyfile="SSLCertificateKeyFile $NOVA_SSL_KEY" |
|
80 |
- fi |
|
81 | 75 |
# reuse nova's venv if there is one as placement code lives |
82 | 76 |
# there |
83 | 77 |
if [[ ${USE_VENV} = True ]]; then |
... | ... |
@@ -149,9 +143,6 @@ function init_placement { |
149 | 149 |
# install_placement() - Collect source and prepare |
150 | 150 |
function install_placement { |
151 | 151 |
install_apache_wsgi |
152 |
- if is_ssl_enabled_service "placement-api"; then |
|
153 |
- enable_mod_ssl |
|
154 |
- fi |
|
155 | 152 |
} |
156 | 153 |
|
157 | 154 |
# start_placement_api() - Start the API processes ahead of other things |
... | ... |
@@ -31,7 +31,7 @@ set +o xtrace |
31 | 31 |
# Defaults |
32 | 32 |
# -------- |
33 | 33 |
|
34 |
-if is_ssl_enabled_service "s-proxy" || is_service_enabled tls-proxy; then |
|
34 |
+if is_service_enabled tls-proxy; then |
|
35 | 35 |
SWIFT_SERVICE_PROTOCOL="https" |
36 | 36 |
fi |
37 | 37 |
|
... | ... |
@@ -398,13 +398,6 @@ function configure_swift { |
398 | 398 |
iniset ${SWIFT_CONFIG_PROXY_SERVER} DEFAULT bind_port ${SWIFT_DEFAULT_BIND_PORT} |
399 | 399 |
fi |
400 | 400 |
|
401 |
- if is_ssl_enabled_service s-proxy; then |
|
402 |
- ensure_certificates SWIFT |
|
403 |
- |
|
404 |
- iniset ${SWIFT_CONFIG_PROXY_SERVER} DEFAULT cert_file "$SWIFT_SSL_CERT" |
|
405 |
- iniset ${SWIFT_CONFIG_PROXY_SERVER} DEFAULT key_file "$SWIFT_SSL_KEY" |
|
406 |
- fi |
|
407 |
- |
|
408 | 401 |
# DevStack is commonly run in a small slow environment, so bump the timeouts up. |
409 | 402 |
# ``node_timeout`` is the node read operation response time to the proxy server |
410 | 403 |
# ``conn_timeout`` is how long it takes a connect() system call to return |
... | ... |
@@ -279,7 +279,7 @@ function configure_tempest { |
279 | 279 |
fi |
280 | 280 |
iniset $TEMPEST_CONFIG identity auth_version ${TEMPEST_AUTH_VERSION:-v3} |
281 | 281 |
|
282 |
- if is_ssl_enabled_service "key" || is_service_enabled tls-proxy; then |
|
282 |
+ if is_service_enabled tls-proxy; then |
|
283 | 283 |
iniset $TEMPEST_CONFIG identity ca_certificates_file $SSL_BUNDLE_FILE |
284 | 284 |
fi |
285 | 285 |
|
... | ... |
@@ -343,7 +343,7 @@ function make_root_CA { |
343 | 343 |
# one. If the value for the CA is not rooted in /etc then we know |
344 | 344 |
# we need to change it. |
345 | 345 |
function fix_system_ca_bundle_path { |
346 |
- if is_service_enabled tls-proxy || [ "$USE_SSL" == "True" ]; then |
|
346 |
+ if is_service_enabled tls-proxy; then |
|
347 | 347 |
local capath |
348 | 348 |
capath=$(python -c $'try:\n from requests import certs\n print certs.where()\nexcept ImportError: pass') |
349 | 349 |
|
... | ... |
@@ -362,27 +362,14 @@ function fix_system_ca_bundle_path { |
362 | 362 |
} |
363 | 363 |
|
364 | 364 |
|
365 |
-# Certificate Input Configuration |
|
366 |
-# =============================== |
|
367 |
- |
|
368 |
-# check to see if the service(s) specified are to be SSL enabled. |
|
369 |
-# |
|
370 |
-# Multiple services specified as arguments are ``OR``'ed together; the test |
|
371 |
-# is a short-circuit boolean, i.e it returns on the first match. |
|
372 |
-# |
|
373 |
-# Uses global ``SSL_ENABLED_SERVICES`` |
|
365 |
+# Only for compatibility, return if the tls-proxy is enabled |
|
374 | 366 |
function is_ssl_enabled_service { |
375 |
- local services=$@ |
|
376 |
- local service="" |
|
377 |
- if [ "$USE_SSL" == "False" ]; then |
|
378 |
- return 1 |
|
379 |
- fi |
|
380 |
- for service in ${services}; do |
|
381 |
- [[ ,${SSL_ENABLED_SERVICES}, =~ ,${service}, ]] && return 0 |
|
382 |
- done |
|
383 |
- return 1 |
|
367 |
+ return is_service_enabled tls-proxy |
|
384 | 368 |
} |
385 | 369 |
|
370 |
+# Certificate Input Configuration |
|
371 |
+# =============================== |
|
372 |
+ |
|
386 | 373 |
# Ensure that the certificates for a service are in place. This function does |
387 | 374 |
# not check that a service is SSL enabled, this should already have been |
388 | 375 |
# completed. |
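Review bot: `return is_service_enabled tls-proxy` is not valid shell: `return` accepts only an integer, so bash reports `numeric argument required` and the function exits with a non-zero status regardless of whether tls-proxy is enabled, which means every remaining caller of the compatibility shim (including the out-of-tree plugins it is kept for) is told "not SSL-enabled". A function returns the status of its last command, so the body should simply be `is_service_enabled tls-proxy`. The new header comment could also say what the shim is for, e.g. `# Deprecated: compatibility shim for plugins; true iff tls-proxy is enabled`.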
... | ... |
@@ -539,13 +539,6 @@ rm -f $SSL_BUNDLE_FILE |
539 | 539 |
source $TOP_DIR/lib/database |
540 | 540 |
source $TOP_DIR/lib/rpc_backend |
541 | 541 |
|
542 |
-# Service to enable with SSL if ``USE_SSL`` is True |
|
543 |
-SSL_ENABLED_SERVICES="key,nova,cinder,glance,s-proxy,neutron" |
|
544 |
- |
|
545 |
-if is_service_enabled tls-proxy && [ "$USE_SSL" == "True" ]; then |
|
546 |
- die $LINENO "tls-proxy and SSL are mutually exclusive" |
|
547 |
-fi |
|
548 |
- |
|
549 | 542 |
# Configure Projects |
550 | 543 |
# ================== |
551 | 544 |
|
... | ... |
@@ -806,7 +799,7 @@ if is_service_enabled cinder nova; then |
806 | 806 |
fi |
807 | 807 |
|
808 | 808 |
# Setup TLS certs |
809 |
-if is_service_enabled tls-proxy || [ "$USE_SSL" == "True" ]; then |
|
809 |
+if is_service_enabled tls-proxy; then |
|
810 | 810 |
configure_CA |
811 | 811 |
init_CA |
812 | 812 |
init_cert |
... | ... |
@@ -886,7 +879,7 @@ if is_service_enabled horizon; then |
886 | 886 |
stack_install_service horizon |
887 | 887 |
fi |
888 | 888 |
|
889 |
-if is_service_enabled tls-proxy || [ "$USE_SSL" == "True" ]; then |
|
889 |
+if is_service_enabled tls-proxy; then |
|
890 | 890 |
fix_system_ca_bundle_path |
891 | 891 |
fi |
892 | 892 |
|
... | ... |
@@ -846,9 +846,6 @@ SYSLOG_PORT=${SYSLOG_PORT:-516} |
846 | 846 |
# Set to 0 to disable shallow cloning |
847 | 847 |
GIT_DEPTH=${GIT_DEPTH:-0} |
848 | 848 |
|
849 |
-# Use native SSL for servers in ``SSL_ENABLED_SERVICES`` |
|
850 |
-USE_SSL=$(trueorfalse False USE_SSL) |
|
851 |
- |
|
852 | 849 |
# We may not need to recreate database in case 2 Keystone services |
853 | 850 |
# sharing the same database. It would be useful for multinode Grenade tests. |
854 | 851 |
RECREATE_KEYSTONE_DB=$(trueorfalse True RECREATE_KEYSTONE_DB) |
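Review bot: Dropping `USE_SSL` silently changes behaviour for anyone whose local.conf still sets `USE_SSL=True`: the variable is now simply ignored and services come up speaking plain http between each other, with no signal that the requested TLS was not configured. The `deprecated` helper already used in lib/neutron-legacy fits here: `if [[ "$USE_SSL" == "True" ]]; then deprecated "USE_SSL is no longer supported; enable the tls-proxy service instead"; fi`. A matching line in the release notes or the stack.sh hunk that removed the mutual-exclusion check would make the migration path explicit.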