Support SSL for OpenStack endpoints

We need to support SSL for OpenStack endpoints in order to harden deployment security.
This includes SSL endpoints for the public REST APIs of the OpenStack services (keystone, nova, glance, ...) as well as the Horizon dashboard.

Needed solution:
    Add SSL encryption to the communication between an external user and the publicly exposed OpenStack APIs.

Feature Lead: Stanislaw Bogatkin
Mandatory Design Reviewers: Mike Scherbakov
Developers: Stanislaw Bogatkin
QA: Alexander Kurenyshev


Draft design

Build new HAProxy:

Sync puppet OpenStack manifests from upstream needs review:

Gerrit topic: bp/ssl-endpoints

Addressed by:
    OpenStack endpoints that provide APIs on public networks need to operate over SSL.

Addressed by:
    Ensure Puppet CM for SSL in OpenStack deployment.

Addressed by:
    Import the camptocamp openssl module version 0.3.1.

Addressed by:
    Add x509_sign provider to openssl module.

Gerrit topic: bp/ssl-endpoints-ca-management

Addressed by:
    Sync puppet haproxy module from upstream

Addressed by:
    Adapt new haproxy module to Fuel

Addressed by:
    Pass CLUSTER_ID to task

Addressed by:
    Implement SSL keys generation

Addressed by:
    Add SSL to HAProxy and Keystone

Addressed by:
    Add SSL-related fields to settings page

Gerrit topic: bp/Provides

Addressed by:
    OpenStack SSL for public endpoints blueprint

Addressed by:
    File contents control for settings tab

Gerrit topic: ssl-keys-generation

Addressed by:
    Add ability to select http or https notification

Gerrit topic: new-ssl-int-adm-imp

Addressed by:
    Add basic SSL for master node UI

Addressed by:
    Add SSL support to the Fuel-QA tests (draft)

Gerrit topic: ssl_supp

Addressed by:
    Verify is public_ssl_attr take place in cluster

Addressed by:
    Add ssl support for master node

Gerrit topic: ssl-endpoints

Addressed by:
    Add SSL support to the OSTF tests. Platform tests could not work. Investigation is needed. Test with authorization user to the Horizon is modified to fix problem. But there is an error with redirection check from Horizon


Work Items

Work items:
Sync puppet OpenStack core manifests from upstream (support SSL): DONE
Adapt HAProxy manifests to Fuel: DONE
Build new HAProxy 1.5 in Fuel repos: DONE
Ensure Puppet CM for SSL in OpenStack deployment: DONE
Generate a self-signed certificate that will be used for authentication: DONE
Deploy the certificate to the nodes that are running HAProxy: DONE


