Add SSL on internal network
For some companies, security is a priority, and network traffic must be encrypted end-to-end on all networks. At the moment, Kolla's internal network does not use encryption. It should be possible to enable SSL on all internal network traffic.
Traffic on internal network:
* OpenStack API
* RabbitMQ
* MySQL
* tools like Telegraf, InfluxDB, Elasticsearch, ...
Design of this feature was discussed here: https:/
Spec: https:/
Blueprint information
- Status: Complete
- Approver: Jeffrey Zhang
- Priority: High
- Drafter: Kevin Tibi
- Direction: Approved
- Assignee: Krzysztof Klimonda
- Definition: Approved
- Series goal: Accepted for victoria
- Implementation: Implemented
- Milestone target: 11.0.0
- Started by: Mark Goddard
- Completed by: Mark Goddard
Whiteboard
Related Blueprints:
https:/
https:/
https:/
https:/
Related patch started here: https:/
Gerrit topic: https:/
Addressed by: https:/
Allow disabling insecure API endpoints
Addressed by: https:/
Add support for encrypting backend HAProxy traffic
Addressed by: https:/
Add support for self-signed SSL certificates
Addressed by: https:/
Internal OpenStack endpoints encryption spec
Addressed by: https:/
Implement TLS encryption for internal endpoints
Addressed by: https:/
Fix indentation of HAProxy internal http-request config
Addressed by: https:/
Fix indentation of HAProxy internal http-request config
Addressed by: https:/
Add internal TLS variables to globals.yml
Gerrit topic: https:/
Addressed by: https:/
Include a reference to the globally configured Certificate Authority to all services. Services use the CA to verify HTTPS connections.
Addressed by: https:/
Add internal TLS variables to globals.yml
Addressed by: https:/
Add support nova api TLS
Gerrit topic: https:/
Addressed by: https:/
Add support for encrypting nova api
Addressed by: https:/
Add support for encrypting backend HAProxy traffic
Gerrit topic: https:/
Addressed by: https:/
Add support for encrypting backend HAProxy traffic to Keystone service
Addressed by: https:/
Add support for encrypting heat api
Addressed by: https:/
Add support for encrypting Glance api
Addressed by: https:/
Add support for encrypting backend Horizon and Placement HAProxy traffic
Addressed by: https:/
Add support for encrypting Nova API
Addressed by: https:/
Add support for encrypting Barbican API
Addressed by: https:/
Fix Heat WSGI Logging
Addressed by: https:/
Fix Keystone Centos 8 mod_ssl
Addressed by: https:/
Generate Root CA for Self-Signed Certificates
Addressed by: https:/
Replace internal and external VIP CA with root CA
Addressed by: https:/
Generate Root CA for Self-Signed Certificates
Addressed by: https:/
Replace internal and external VIP CA with root CA
Addressed by: https:/
Add support for encrypting etcd traffic
Addressed by: https:/
Update TLS documentation
Addressed by: https:/
Update TLS documentation
Addressed by: https:/
Add Keep Alive Timeout for httpd
Addressed by: https:/
Add Keep Alive Timeout for httpd
Addressed by: https:/
Update release note for httpd keep alive
Addressed by: https:/
Add support for encrypting Ironic API
Addressed by: https:/
Add support for encrypting Ironic API
Addressed by: https:/
Add support for encrypting backend Neutron API Server
Addressed by: https:/
Enable TLS backend for designate
Gerrit topic: https:/