Support SSL for OpenStack endpoints
Problem:
We need to support SSL for OpenStack endpoints in order to harden deployment security.
This includes SSL endpoints for the public REST APIs of OpenStack services (keystone, nova, glance, ...) as well as the Horizon dashboard.
Needed solution:
Add SSL encryption to the communication between an external user and the publicly exposed OpenStack APIs.
Feature Lead: Stanislaw Bogatkin
Mandatory Design Reviewers: Mike Scherbakov
Developers: Stanislaw Bogatkin
QA: Alexander Kurenyshev
Blueprint information
- Status: Complete
- Approver: Mike Scherbakov
- Priority: Essential
- Drafter: Vladimir Kuklin
- Direction: Needs approval
- Assignee: Stanislaw Bogatkin
- Definition: Review
- Series goal: Accepted for 7.0.x
- Implementation: Implemented
- Milestone target: 7.0
- Started by: guillaume thouvenin
- Completed by: Stanislaw Bogatkin
Whiteboard
Draft design https:/
Build new HAProxy: https:/
Sync puppet OpenStack manifests from upstream needs review: https:/
Gerrit topic: https:/
Addressed by: https:/
OpenStack endpoints that provide APIs on public networks need to operate over SSL.
Addressed by: https:/
Ensure Puppet CM for SSL in OpenStack deployment.
Addressed by: https:/
Import the camptocamp openssl module version 0.3.1.
Addressed by: https:/
Add x509_sign provider to openssl module.
Gerrit topic: https:/
Addressed by: https:/
Sync puppet haproxy module from upstream
Addressed by: https:/
Adapt new haproxy module to Fuel
Addressed by: https:/
Pass CLUSTER_ID to task
Addressed by: https:/
Implement SSL keys generation
Addressed by: https:/
Add SSL to HAProxy and Keystone
Addressed by: https:/
Add SSL-related fields to settings page
Gerrit topic: https:/
Addressed by: https:/
Openstack SSL for public endpoints blueprint
Addressed by: https:/
File contents control for settings tab
Gerrit topic: https:/
Addressed by: https:/
Add ability to select http or https notification
Gerrit topic: https:/
Addressed by: https:/
Add basic SSL for master node UI
Addressed by: https:/
Add SSL support to the Fuel-QA tests (draft)
Gerrit topic: https:/
Addressed by: https:/
Verify if public_ssl_attr takes place in cluster
Addressed by: https:/
Add ssl support for master node
Gerrit topic: https:/
Addressed by: https:/
Add SSL support to the OSTF tests. Platform tests could not work. Investigation is needed. The test with user authorization to Horizon is modified to fix the problem. But there is an error with the redirection check from Horizon.
Work Items
Sync puppet OpenStack core manifests from upstream (support SSL): DONE
Adapt HAProxy manifests to Fuel: DONE
Build new HAProxy 1.5 in Fuel repos: DONE
Ensure Puppet CM for SSL in OpenStack deployment: DONE
Generate a self-signed certificate that will be used for authentication: DONE
Deploy the certificate to the nodes that are running HAProxy: DONE