From 41bb9d3aee75a99aadbdb22b126bd6e42e1aeaf0 Mon Sep 17 00:00:00 2001
From: Witek Bedyk
Date: Fri, 8 Feb 2019 10:55:24 +0100
Subject: [PATCH] monasca: Add SSL configuration (SOC-7423)

The change adds support for configuring Monasca APIs to use SSL.
---
 chef/cookbooks/monasca/attributes/default.rb | 8 +++++++
 chef/cookbooks/monasca/libraries/helper.rb | 24 +++++--------------
 chef/cookbooks/monasca/recipes/log_agent.rb | 1 +
 chef/cookbooks/monasca/recipes/monasca_api.rb | 22 ++++++++++++-----
 .../monasca/recipes/monasca_log_api.rb | 12 ++++------
 .../templates/default/log-agent.conf.erb | 1 +
 .../migrate/monasca/316_add_ssl_attributes.rb | 9 +++++++
 chef/data_bags/crowbar/template-monasca.json | 10 +++++++-
 .../data_bags/crowbar/template-monasca.schema | 10 ++++++++
 .../app/helpers/barclamp/monasca_helper.rb | 10 ++++++++
 .../monasca/_edit_attributes.html.haml | 20 ++++++++++++++++
 .../config/locales/monasca/en.yml | 9 +++++++
 12 files changed, 104 insertions(+), 32 deletions(-)
 create mode 100644 chef/data_bags/crowbar/migrate/monasca/316_add_ssl_attributes.rb

diff --git a/chef/cookbooks/monasca/attributes/default.rb b/chef/cookbooks/monasca/attributes/default.rb
index 8771fb5f50..37167aa51d 100644
--- a/chef/cookbooks/monasca/attributes/default.rb
+++ b/chef/cookbooks/monasca/attributes/default.rb
@@ -137,3 +137,11 @@
 default[:monasca][:api][:user] = "monasca-api"
 default[:monasca][:api][:group] = "monasca"
 default[:monasca][:api][:influxdb_user] = "mon_api"
+
+# SSL
+default[:monasca][:ssl][:certfile] = "/etc/monasca/ssl/certs/signing_cert.pem"
+default[:monasca][:ssl][:keyfile] = "/etc/monasca/ssl/private/signing_key.pem"
+default[:monasca][:ssl][:generate_certs] = false
+default[:monasca][:ssl][:insecure] = false
+default[:monasca][:ssl][:cert_required] = false
+default[:monasca][:ssl][:ca_certs] = "/etc/monasca/ssl/certs/ca.pem"
diff --git a/chef/cookbooks/monasca/libraries/helper.rb b/chef/cookbooks/monasca/libraries/helper.rb
index fa5742b006..83c76b2608 100644
--- a/chef/cookbooks/monasca/libraries/helper.rb
+++ b/chef/cookbooks/monasca/libraries/helper.rb
@@ -30,27 +30,21 @@ def self.monasca_admin_host(node)
 
   def self.api_public_url(node)
     host = monasca_public_host(node)
-    # SSL is not supported at this moment
-    # protocol = node[:monasca][:api][:ssl] ? "https" : "http"
-    protocol = "http"
+    protocol = node[:monasca][:api][:protocol]
     port = node[:monasca][:api][:bind_port]
     "#{protocol}://#{host}:#{port}/v2.0"
   end
 
   def self.api_admin_url(node)
     host = monasca_admin_host(node)
-    # SSL is not supported at this moment
-    # protocol = node[:monasca][:api][:ssl] ? "https" : "http"
-    protocol = "http"
+    protocol = node[:monasca][:api][:protocol]
     port = node[:monasca][:api][:bind_port]
     "#{protocol}://#{host}:#{port}/v2.0"
   end
 
   def self.api_internal_url(node)
     host = get_host_for_monitoring_url(node)
-    # SSL is not supported at this moment
-    # protocol = node[:monasca][:api][:ssl] ? "https" : "http"
-    protocol = "http"
+    protocol = node[:monasca][:api][:protocol]
     port = node[:monasca][:api][:bind_port]
     "#{protocol}://#{host}:#{port}/v2.0"
   end
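Review bot: The protocol is now taken straight from the proposal attribute with no normalisation, so any value other than exactly `http`/`https` (data-bag edits via CLI/API bypass the UI select added elsewhere in this patch) produces a URL such as `HTTPS://host:port/v2.0` that the Apache `ssl_enable node[:monasca][:api][:protocol] == "https"` check in monasca_api.rb does not treat as TLS, i.e. the registered endpoint and the actual listener would disagree. Unless the schema already pins the value (the `api.protocol` schema entry is not in this patch), it would be safer to validate it once in the barclamp model or to fail loudly here, e.g. `protocol = node[:monasca][:api][:protocol]` followed by `raise "unsupported monasca api protocol #{protocol.inspect}" unless %w(http https).include?(protocol)`. The same body is repeated in all three methods and could share one private URL builder. The enclosing module starts outside the hunk.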
@@ -69,27 +63,21 @@ def self.api_network_url(node)
 
   def self.log_api_public_url(node, version = "v3.0")
     host = monasca_public_host(node)
-    # SSL is not supported at this moment
-    # protocol = node[:monasca][:log_api][:ssl] ? "https" : "http"
-    protocol = "http"
+    protocol = node[:monasca][:api][:protocol]
     port = node[:monasca][:log_api][:bind_port]
     "#{protocol}://#{host}:#{port}/#{version}"
   end
 
   def self.log_api_admin_url(node, version = "v3.0")
     host = monasca_admin_host(node)
-    # SSL is not supported at this moment
-    # protocol = node[:monasca][:log_api][:ssl] ? "https" : "http"
-    protocol = "http"
+    protocol = node[:monasca][:api][:protocol]
     port = node[:monasca][:log_api][:bind_port]
     "#{protocol}://#{host}:#{port}/#{version}"
   end
 
   def self.log_api_internal_url(node, version = "v3.0")
     host = get_host_for_monitoring_url(node)
-    # SSL is not supported at this moment
-    # protocol = node[:monasca][:log_api][:ssl] ? "https" : "http"
-    protocol = "http"
+    protocol = node[:monasca][:api][:protocol]
     port = node[:monasca][:log_api][:bind_port]
     "#{protocol}://#{host}:#{port}/#{version}"
   end
diff --git a/chef/cookbooks/monasca/recipes/log_agent.rb b/chef/cookbooks/monasca/recipes/log_agent.rb
index 9e2f5264ae..3f3328f397 100644
--- a/chef/cookbooks/monasca/recipes/log_agent.rb
+++ b/chef/cookbooks/monasca/recipes/log_agent.rb
@@ -72,6 +72,7 @@
   mode 0o640
   variables(
     monasca_log_api_url: monasca_log_api_url,
+    insecure: node[:monasca][:ssl][:insecure],
     log_agent_keystone: log_agent_keystone,
     log_agent_settings: log_agent_settings,
     log_agent_dimensions: log_agent_dimensions,
diff --git a/chef/cookbooks/monasca/recipes/monasca_api.rb b/chef/cookbooks/monasca/recipes/monasca_api.rb
index 1cad595ea1..985cff483c 100644
--- a/chef/cookbooks/monasca/recipes/monasca_api.rb
+++ b/chef/cookbooks/monasca/recipes/monasca_api.rb
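Review bot: The log-API URLs are now keyed on `node[:monasca][:api][:protocol]`, yet a separate `log_api.protocol` attribute evidently still exists (the line removed from monasca_log_api.rb in this same patch read `node[:monasca][:log_api][:protocol]`) and is not removed or migrated here, so an operator who sets it gets no effect and no error. If both APIs are meant to share one switch, drop the stale attribute from the template and schema in the same change; otherwise these three helpers should read `node[:monasca][:log_api][:protocol]` so the endpoint matches that vhost. Either way a one-line comment such as `# log-api follows the main API's protocol; log_api.protocol is not consulted` would prevent the surprise. The enclosing module starts outside the hunk.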
@@ -24,6 +24,18 @@
 
 keystone_settings = KeystoneHelper.keystone_settings(node, @cookbook_name)
 
+if node[:monasca][:api][:protocol] == "https"
+  ssl_setup "setting up ssl for monasca-api" do
+    generate_certs node[:monasca][:ssl][:generate_certs]
+    certfile node[:monasca][:ssl][:certfile]
+    keyfile node[:monasca][:ssl][:keyfile]
+    group node[:monasca][:api][:group]
+    fqdn node[:fqdn]
+    cert_required node[:monasca][:ssl][:cert_required]
+    ca_certs node[:monasca][:ssl][:ca_certs]
+  end
+end
+
 memcached_servers = MemcachedHelper.get_memcached_servers(
   if node[:monasca][:ha][:enabled]
     CrowbarPacemakerHelper.cluster_nodes(node, "monasca-server")
@@ -168,12 +180,10 @@
   user node[:monasca][:api][:user]
   group node[:monasca][:api][:group]
   ssl_enable node[:monasca][:api][:protocol] == "https"
-  # FIXME(toabctl): the attributes do not even extist so SSL is broken!
-  ssl_certfile nil # node[:monasca][:ssl][:certfile]
-  ssl_keyfile nil # node[:monasca][:ssl][:keyfile]
-  # if node[:monasca][:ssl][:cert_required]
-  #   ssl_cacert node[:monasca][:ssl][:ca_certs]
-  # end
+  ssl_certfile node[:monasca][:ssl][:certfile]
+  ssl_keyfile node[:monasca][:ssl][:keyfile]
+  ssl_cacert node[:monasca][:ssl][:ca_certs] if
+    node[:monasca][:ssl][:cert_required]
 end
 
 apache_site "monasca-api.conf" do
diff --git a/chef/cookbooks/monasca/recipes/monasca_log_api.rb b/chef/cookbooks/monasca/recipes/monasca_log_api.rb
index a8972c305e..5aaffd5d8c 100644
--- a/chef/cookbooks/monasca/recipes/monasca_log_api.rb
+++ b/chef/cookbooks/monasca/recipes/monasca_log_api.rb
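Review bot: `fqdn node[:fqdn]` hands the certificate generator this node's own name, but the endpoint URLs built in libraries/helper.rb use `monasca_public_host(node)` / `monasca_admin_host(node)`, which under HA (the `CrowbarPacemakerHelper.cluster_nodes` branch directly below) presumably resolve to a cluster address rather than this host; a generated certificate would then fail hostname verification for every client, which pushes operators toward flipping `ssl.insecure` and losing verification altogether. Passing the name clients actually connect to, e.g. `fqdn` set to the value of `monasca_public_host(node)` from helper.rb (or adding it as a SAN if the `ssl_setup` resource — defined outside this patch — supports that), would avoid it. It is also worth a comment that this block is the only place the cert/key pair is provisioned while monasca_log_api.rb consumes the same files, e.g. `# also used by the monasca-log-api vhost; keep the SSL attributes shared`.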
@@ -56,13 +56,11 @@
   script_alias "/usr/bin/monasca-log-api-wsgi"
   user node[:monasca][:log_api][:user]
   group node[:monasca][:log_api][:group]
-  ssl_enable node[:monasca][:log_api][:protocol] == "https"
-  # FIXME(toabctl): the attributes do not even extist so SSL is broken!
-  ssl_certfile nil # node[:monasca][:ssl][:certfile]
-  ssl_keyfile nil # node[:monasca][:ssl][:keyfile]
-  # if node[:monasca][:ssl][:cert_required]
-  #   ssl_cacert node[:monasca][:ssl][:ca_certs]
-  # end
+  ssl_enable node[:monasca][:api][:protocol] == "https"
+  ssl_certfile node[:monasca][:ssl][:certfile]
+  ssl_keyfile node[:monasca][:ssl][:keyfile]
+  ssl_cacert node[:monasca][:ssl][:ca_certs] if
+    node[:monasca][:ssl][:cert_required]
 end
 
 apache_site "monasca-log-api.conf" do
diff --git a/chef/cookbooks/monasca/templates/default/log-agent.conf.erb b/chef/cookbooks/monasca/templates/default/log-agent.conf.erb
index 8565ca5d71..aa8b2f6f25 100644
--- a/chef/cookbooks/monasca/templates/default/log-agent.conf.erb
+++ b/chef/cookbooks/monasca/templates/default/log-agent.conf.erb
@@ -38,6 +38,7 @@ output {
     project_domain_name => "<%= @keystone_settings['admin_domain'] %>"
     ### monasca specific settings
     monasca_log_api_url => "<%= @monasca_log_api_url %>"
+    monasca_log_api_insecure => "<%= @insecure %>"
     num_of_logs => <%= @log_agent_settings[:num_of_logs] %>
     elapsed_time_sec => <%= @log_agent_settings[:elapsed_time_sec] %>
     delay => <%= @log_agent_settings[:delay] %>
diff --git a/chef/data_bags/crowbar/migrate/monasca/316_add_ssl_attributes.rb b/chef/data_bags/crowbar/migrate/monasca/316_add_ssl_attributes.rb
new file mode 100644
index 0000000000..eda07b1546
--- /dev/null
+++ b/chef/data_bags/crowbar/migrate/monasca/316_add_ssl_attributes.rb
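Review bot: This vhost now points Apache at `ssl.certfile`/`ssl.keyfile`, but unlike monasca_api.rb there is no `ssl_setup` call before it, so the files only exist if the monasca_api recipe has already converged on the same node with `api.protocol == "https"`; if the two recipes can run in a different order or on different nodes (not visible here), Apache fails to start on a missing key with nothing in this recipe explaining why. Either add the same guarded `ssl_setup` block here (idempotent, so it costs nothing) or state the dependency, e.g. `# cert/key are provisioned by recipe monasca_api via ssl_setup; this recipe assumes it ran first`. Note too that `ssl_enable` switched from `log_api.protocol` to `api.protocol`, so the log-API no longer has an independent TLS toggle. The resource block this sits in starts outside the hunk.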
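Review bot: `monasca_log_api_insecure => "<%= @insecure %>"` renders the Ruby boolean as the quoted string `"false"`, which only becomes a boolean if the logstash output plugin declares the option with `:validate => :boolean`; if the plugin types it as a string (its source is not in this patch), `"false"` is truthy in Ruby and certificate verification would be silently disabled on every log agent even with the secure default. Emitting it unquoted like the numeric settings that follow, `monasca_log_api_insecure => <%= @insecure %>`, yields a logstash boolean literal regardless, and the plugin's option type should be confirmed. The surrounding `output {` block starts outside the hunk.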
@@ -0,0 +1,9 @@
+def upgrade(template_attrs, template_deployment, attrs, deployment)
+  attrs["ssl"] = template_attrs["ssl"]
+  return attrs, deployment
+end
+
+def downgrade(template_attrs, template_deployment, attrs, deployment)
+  attrs.delete("ssl")
+  return attrs, deployment
+end
diff --git a/chef/data_bags/crowbar/template-monasca.json b/chef/data_bags/crowbar/template-monasca.json
index 593523ed9d..7a04abfd2f 100644
--- a/chef/data_bags/crowbar/template-monasca.json
+++ b/chef/data_bags/crowbar/template-monasca.json
@@ -73,6 +73,14 @@
         "service_role": "monasca-agent"
       }
     },
+    "ssl": {
+      "certfile": "/etc/monasca/ssl/certs/signing_cert.pem",
+      "keyfile": "/etc/monasca/ssl/private/signing_key.pem",
+      "generate_certs": false,
+      "insecure": false,
+      "cert_required": false,
+      "ca_certs": "/etc/monasca/ssl/certs/ca.pem"
+    },
     "api": {
       "url": "",
       "bind_host": "*",
@@ -167,7 +175,7 @@
   "monasca": {
     "crowbar-revision": 0,
     "crowbar-applied": false,
-    "schema-revision": 315,
+    "schema-revision": 316,
     "element_states": {
       "monasca-server": [ "readying", "ready", "applying" ],
       "monasca-agent": [ "readying", "ready", "applying" ],
diff --git a/chef/data_bags/crowbar/template-monasca.schema b/chef/data_bags/crowbar/template-monasca.schema
index 21c2ad3b24..992d97ddeb 100644
--- a/chef/data_bags/crowbar/template-monasca.schema
+++ b/chef/data_bags/crowbar/template-monasca.schema
@@ -104,6 +104,16 @@
       }
     }
   },
+  "ssl": {
+    "type": "map", "required": true, "mapping": {
+      "certfile": { "type" : "str", "required" : true },
+      "keyfile": { "type" : "str", "required" : true },
+      "generate_certs": { "type" : "bool", "required" : true },
+      "insecure": { "type" : "bool", "required" : true },
+      "cert_required": { "type" : "bool", "required" : true },
+      "ca_certs": { "type" : "str", "required" : true }
+    }
+  },
   "api": {
     "required": true,
     "type": "map",
diff --git a/crowbar_framework/app/helpers/barclamp/monasca_helper.rb b/crowbar_framework/app/helpers/barclamp/monasca_helper.rb
index 1cc725f65e..96a2793ab2 100644
--- a/crowbar_framework/app/helpers/barclamp/monasca_helper.rb
+++ b/crowbar_framework/app/helpers/barclamp/monasca_helper.rb
@@ -51,5 +51,15 @@ def tsdbs(selected)
         selected.to_s
       )
     end
+
+    def api_protocols_for_monasca(selected)
+      options_for_select(
+        [
+          ["HTTP", "http"],
+          ["HTTPS", "https"]
+        ],
+        selected.to_s
+      )
+    end
   end
 end
diff --git a/crowbar_framework/app/views/barclamp/monasca/_edit_attributes.html.haml b/crowbar_framework/app/views/barclamp/monasca/_edit_attributes.html.haml
index 40e6770f94..de8917cf9e 100644
--- a/crowbar_framework/app/views/barclamp/monasca/_edit_attributes.html.haml
+++ b/crowbar_framework/app/views/barclamp/monasca/_edit_attributes.html.haml
@@ -33,6 +33,26 @@
     = select_field %w(log_api log_level),
       :collection => :api_log_levels
 
+  %fieldset
+    %legend
+      = t(".ssl_header")
+
+    = select_field %w(api protocol),
+      :collection => :api_protocols_for_monasca,
+      "data-sslprefix" => "ssl",
+      "data-sslcert" => "/etc/monasca/ssl/certs/signing_cert.pem",
+      "data-sslkey" => "/etc/monasca/ssl/private/signing_key.pem"
+
+    #ssl-container
+      = boolean_field %w(ssl generate_certs)
+      = string_field %w(ssl certfile)
+      = string_field %w(ssl keyfile)
+      = boolean_field %w(ssl insecure)
+      = boolean_field %w(ssl cert_required),
+        "data-enabler" => "true",
+        "data-enabler-target" => "#ssl_ca_certs"
+      = string_field %w(ssl ca_certs)
+
   %fieldset
     %legend
       = t(".master_notification_header")
diff --git a/crowbar_framework/config/locales/monasca/en.yml b/crowbar_framework/config/locales/monasca/en.yml
index 5f77d7abde..b5c6f0d21d 100644
--- a/crowbar_framework/config/locales/monasca/en.yml
+++ b/crowbar_framework/config/locales/monasca/en.yml
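Review bot: The `data-sslcert`/`data-sslkey` attributes hard-code the certificate paths a third time (they already appear in attributes/default.rb and template-monasca.json), so any later change to the default location has to be made in three files and the UI will silently prefill a stale path if one is missed; reading them from the proposal defaults would remove the drift. Separately, the `generate_certs` field is labelled in en.yml as implying `insecure`, but nothing in this patch couples the two — `ssl.insecure` is passed verbatim to the log agent in log_agent.rb — so a proposal with `generate_certs: true` and `insecure: false` produces a self-signed API that the agent then refuses to talk to; either derive `insecure` from `generate_certs` in the barclamp model/recipes or reword the label to say the operator must set both. The enclosing form starts outside the hunk.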
@@ -22,6 +22,7 @@ en:
       keystone_instance: 'Keystone'
       api_header: 'API Settings'
       api:
+        protocol: 'Protocol'
         bind_host: 'Address'
         log_level: 'Log level'
         processes: 'Number of processes'
@@ -62,5 +63,13 @@ en:
         group: 'Group for Monasca services'
         user: 'User for Monasca services'
         tsdb: 'Time series database to use'
+      ssl_header: 'SSL Support'
+      ssl:
+        generate_certs: 'Generate (self-signed) certificates (implies insecure)'
+        certfile: 'SSL Certificate File'
+        keyfile: 'SSL (Private) Key File'
+        insecure: 'SSL Certificate is insecure (for instance, self-signed)'
+        cert_required: 'Require Client Certificate'
+        ca_certs: 'SSL CA Certificates File'
       validation:
         invalid_network: 'Network "%{network}" configured for Monasca is not defined in the configuration of the network barclamp.'