TLS support for Glance services

List of changes in the current patch:
- Add files for certificates
- Updated configuration files for services to use mapped ports and
  'https' url scheme. Also ca_cert was provided for keystonemiddleware.
- Updated bootstrap script to use 'https' scheme with insecure flag,
  when it create image in glance.
- Update jobs for creation endpoints, now address function use 'tls'
  parameter.
- Add files for nginx configurations.

Change-Id: I7d34e18bf41308700f5f7d7a605cb372636fc412

service/files/ca-cert.pem.j2

@@ -0,0 +1 @@
+{{ security.tls.ca_cert }}

service/files/defaults.yaml

@@ -1,5 +1,7 @@
 configs:
   glance:
+    tls:
+      enabled: true
     api_port:
       cont: 9292
       ingress: image

service/files/glance-api.conf.j2

@@ -5,7 +5,13 @@ use_syslog = false
 use_stderr = true
 use_forwarded_for = true
 
+{% if glance.tls.enabled %}
+registry_client_protocol = https
+registry_client_ca_file = /opt/ccp/etc/tls/ca.pem
+bind_host = 127.0.0.1
+{% else %}
 bind_host = {{ network_topology["private"]["address"] }}
+{% endif %}
 bind_port = {{ glance.api_port.cont }}
 
 registry_host = glance-registry

service/files/glance-cirros-image-upload.sh.j2

@@ -8,7 +8,8 @@ export OS_USER_DOMAIN_NAME=default
 export OS_PASSWORD={{ openstack.user_password }}
 export OS_USERNAME={{ openstack.user_name }}
 export OS_PROJECT_NAME={{ openstack.project_name }}
-export OS_AUTH_URL="http://{{ address('keystone', keystone.admin_port) }}/v3"
+export OS_AUTH_URL="{{ address('keystone', keystone.admin_port, with_scheme=True) }}/v3"
+export OS_CACERT="/opt/ccp/etc/tls/ca.pem"
 
 {% set image = glance.bootstrap.image %}
 FILE="$(mktemp)"

service/files/glance-registry.conf.j2

@@ -5,7 +5,11 @@ use_syslog = false
 use_stderr = true
 use_forwarded_for = true
 
+{% if glance.tls.enabled %}
+bind_host = 127.0.0.1
+{% else %}
 bind_host = {{ network_topology["private"]["address"] }}
+{% endif %}
 bind_port = {{ glance.registry_port.cont }}
 
 [database]

service/files/nginx-api.conf.j2

@@ -0,0 +1,11 @@
+server {
+    listen {{ network_topology["private"]["address"] }}:{{ glance.api_port.cont }} ssl;
+    include common/ssl.conf;
+    # allows to upload images without being cut off at some low size
+    client_max_body_size 0;
+
+    location / {
+        proxy_pass http://glance_api;
+        include common/proxy-headers.conf;
+    }
+}

service/files/nginx-registry.conf.j2

@@ -0,0 +1,11 @@
+server {
+    listen {{ network_topology["private"]["address"] }}:{{ glance.registry_port.cont }} ssl;
+    include common/ssl.conf;
+    # allows to upload images without being cut off at some low size
+    client_max_body_size 0;
+
+    location / {
+        proxy_pass http://glance_registry;
+        include common/proxy-headers.conf;
+    }
+}

service/files/server-cert.pem.j2

@@ -0,0 +1 @@
+{{ security.tls.server_cert }}

service/files/server-key.pem.j2

@@ -0,0 +1 @@
+{{ security.tls.server_key }}

service/files/upstreams.conf.j2

@@ -0,0 +1,6 @@
+upstream glance_api {
+    server 127.0.0.1:{{ glance.api_port.cont }};
+}
+upstream glance_registry {
+    server 127.0.0.1:{{ glance.registry_port.cont }};
+}

service/glance-api.yaml

@@ -61,6 +61,9 @@ service:
       daemon:
         files:
           - glance-api
+          # {% if glance.tls.enabled %}
+          - ca_cert
+          # {% endif %}
           # {% if glance.ceph.enable %}
           - ceph-conf
           - glance-ceph-key
@@ -79,6 +82,17 @@ service:
           files:
             - glance-cirros-image-upload.sh
       # {% endif %}
+    # {% if glance.tls.enabled %}
+    - name: nginx-glance-api
+      image: nginx
+      daemon:
+        files:
+          - upstreams
+          - servers
+          - server-cert
+          - server-key
+        command: nginx
+    # {% endif %}
 
 files:
   glance-api:
@@ -97,3 +111,24 @@ files:
     path: /opt/ccp/bin/glance-cirros-image-upload.sh
     content: glance-cirros-image-upload.sh.j2
     perm: "500"
+  # {% if glance.tls.enabled %}
+  servers:
+    path: /etc/nginx/conf.d/servers.conf
+    content: nginx-api.conf.j2
+    perm: "0400"
+  upstreams:
+    path: /etc/nginx/conf.d/upstreams.conf
+    content: upstreams.conf.j2
+    perm: "0400"
+  ca_cert:
+    path: /opt/ccp/etc/tls/ca.pem
+    content: ca-cert.pem.j2
+  server-cert:
+    path: /opt/ccp/etc/tls/server-cert.pem
+    content: server-cert.pem.j2
+    perm: "0400"
+  server-key:
+    path: /opt/ccp/etc/tls/server-key.pem
+    content: server-key.pem.j2
+    perm: "0400"
+  # {% endif %}

service/glance-registry.yaml

@@ -13,11 +13,46 @@ service:
       daemon:
         files:
           - glance-registry-conf
+          # {% if glance.tls.enabled %}
+          - ca_cert
+          # {% endif %}
         dependencies:
           - glance-api
         command: glance-registry
+    # {% if glance.tls.enabled %}
+    - name: nginx-glance-registry
+      image: nginx
+      daemon:
+        files:
+          - upstreams
+          - servers
+          - server-cert
+          - server-key
+        command: nginx
+    # {% endif %}
 
 files:
   glance-registry-conf:
     path: /etc/glance/glance-registry.conf
     content: glance-registry.conf.j2
+  # {% if glance.tls.enabled %}
+  servers:
+    path: /etc/nginx/conf.d/servers.conf
+    content: nginx-registry.conf.j2
+    perm: "0400"
+  upstreams:
+    path: /etc/nginx/conf.d/upstreams.conf
+    content: upstreams.conf.j2
+    perm: "0400"
+  ca_cert:
+    path: /opt/ccp/etc/tls/ca.pem
+    content: ca-cert.pem.j2
+  server-cert:
+    path: /opt/ccp/etc/tls/server-cert.pem
+    content: server-cert.pem.j2
+    perm: "0400"
+  server-key:
+    path: /opt/ccp/etc/tls/server-key.pem
+    content: server-key.pem.j2
+    perm: "0400"
+  # {% endif %}