Support SSL for OpenStack endpoints

Registered by Vladimir Kuklin on 2014-03-11

Problem:
   We need to support SSL for OpenStack endpoints in order to harden the deployment security.
This includes SSL endpoints to public REST API OpenStack services (keystone, nova, glance, ..) as well as Horizon dashboard.

Needed solution:
    Add SSL encryption to the communication between an external user and the publicly exposed
OpenStack APIs.

Feature Lead: Stanislaw Bogatkin
Mandatory Design Reviewers: Mike Scherbakov
Developers: Stanislaw Bogatkin
QA: Alexander Kurenyshev

Whiteboard

Draft design https://etherpad.openstack.org/p/fuel_support_ssl_for_openstack_endpoints

Build new HAProxy: https://bugs.launchpad.net/fuel/+bug/1346365

Sync puppet OpenStack manifests from upstream needs review: https://review.openstack.org/#/c/107639/

Gerrit topic: https://review.openstack.org/#q,topic:bp/ssl-endpoints,n,z

Addressed by: https://review.openstack.org/102273
    OpenStack endpoints that provide APIs on public networks need to operate over SSL.

Addressed by: https://review.openstack.org/114909
    Ensure Puppet CM for SSL in OpenStack deployment.

Addressed by: https://review.openstack.org/121821
    Import the camptocamp openssl module version 0.3.1.

Addressed by: https://review.openstack.org/121822
    Add x509_sign provider to openssl module.

Gerrit topic: https://review.openstack.org/#q,topic:bp/ssl-endpoints-ca-management,n,z

Addressed by: https://review.openstack.org/147858
    Sync puppet haproxy module from upstream

Addressed by: https://review.openstack.org/147860
    Adapt new haproxy module to Fuel

Addressed by: https://review.openstack.org/186035
    Pass CLUSTER_ID to task

Addressed by: https://review.openstack.org/186015
    Implement SSL keys generation

Addressed by: https://review.openstack.org/186498
    Add SSL to HAProxy and Keystone

Addressed by: https://review.openstack.org/186706
    Add SSL-related fields to settings page

Gerrit topic: https://review.openstack.org/#q,topic:bp/Provides,n,z

Addressed by: https://review.openstack.org/190228
    Openstack SSL for public endpoints blueprint

Addressed by: https://review.openstack.org/192169
    File contents control for settings tab

Gerrit topic: https://review.openstack.org/#q,topic:ssl-keys-generation,n,z

Addressed by: https://review.openstack.org/195265
    Add ability to select http or https notification

Gerrit topic: https://review.openstack.org/#q,topic:new-ssl-int-adm-imp,n,z

Addressed by: https://review.openstack.org/180611
    Add basic SSL for master node UI

Addressed by: https://review.openstack.org/206666
    Add SSL support to the Fuel-QA tests (draft)

Gerrit topic: https://review.openstack.org/#q,topic:ssl_supp,n,z

Addressed by: https://review.openstack.org/209038
    Verify is public_ssl_attr take place in cluster

Addressed by: https://review.openstack.org/208444
    Add ssl support for master node

Gerrit topic: https://review.openstack.org/#q,topic:ssl-endpoints,n,z

Addressed by: https://review.openstack.org/218342
    Add SSL support to the OSTF tests. Platform tests could not work. Investigation is needed. Test with authorization user to the Horizon is modified to fix problem. But there is an error with redirection check from Horizon.

Work Items

Sync puppet OpenStack core manifests from upstream (support SSL): DONE
Adapt HAProxy manifests to Fuel: DONE
Build new HAProxy 1.5 in Fuel repos: DONE
Ensure Puppet CM for SSL in OpenStack deployment: DONE
Generate a self-signed certificate that will be used for authentication: DONE
Deploy the certificate to the nodes that are running HAProxy: DONE
