Add SSL on internal network

Registered by Kevin Tibi

For some companies security is a priority, and network traffic must be encrypted end-to-end on all networks. At the moment Kolla's internal network does not use encryption, so the traffic listed below crosses the internal network in plaintext. It should be possible to enable SSL/TLS on all internal network traffic.

Traffic on the internal network:
* OpenStack APIs (internal endpoints)
* RabbitMQ
* MariaDB (MySQL)
* tools like telegraf, influxdb, elasticsearch, ...

Design of this feature was discussed here: https://etherpad.openstack.org/p/kolla-internal-tls
Spec: https://opendev.org/openstack/kolla-ansible/src/branch/master/specs/internal-tls-endpoints.rst
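As an added illustration of the self-signed root CA approach that the "Generate Root CA for Self-Signed Certificates" and "Replace internal and external VIP CA with root CA" changes listed below introduce, the shell script here builds a root CA, issues a certificate for an assumed internal VIP name, and then checks that certificate the way a service that has been given the deployment CA checks an HTTPS connection (the "Include a reference to the globally configured Certificate Authority to all services" change). It is example code written for this page, not kolla-ansible's own `kolla-ansible certificates` implementation; the `ca/root.crt` layout, the hostname `kolla-int.example.internal` and the function names are assumptions. It needs only the `openssl` command-line tool.

```shell
# Added example for this page, not kolla-ansible's own `kolla-ansible
# certificates` code: a self-signed root CA, a leaf certificate for an assumed
# internal VIP name, and the chain + hostname check a service performs when it
# trusts that CA. Needs only the openssl CLI. Paths and names are assumptions.

# make_internal_ca DIR HOST
#   Writes DIR/ca/root.crt and DIR/ca/root.key (self-signed root CA) and
#   DIR/HOST.crt, DIR/HOST.key (leaf for HOST, signed by that root CA).
make_internal_ca() {
  dir=$1
  host=$2
  mkdir -p "$dir/ca"

  # One private openssl config so the result does not depend on the
  # distribution's /etc/ssl/openssl.cnf defaults.
  cat >"$dir/openssl.cnf" <<EOF
[req]
prompt = no
distinguished_name = req_dn
[req_dn]
CN = $host
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[leaf_ext]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
EOF

  # Root CA: self-signed and CA:TRUE, so it can be a trust anchor in the CA
  # bundle services use to verify HTTPS connections to internal endpoints.
  openssl req -x509 -config "$dir/openssl.cnf" -extensions ca_ext \
    -subj "/CN=kolla-internal-root-ca" \
    -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -keyout "$dir/ca/root.key" -out "$dir/ca/root.crt" 2>/dev/null

  # Leaf: a CSR for the VIP name, signed by the root CA with a SAN.
  # Hostname verification matches the SAN, not the CN alone.
  openssl req -new -config "$dir/openssl.cnf" \
    -newkey rsa:2048 -nodes -sha256 \
    -keyout "$dir/$host.key" -out "$dir/$host.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 825 -in "$dir/$host.csr" \
    -CA "$dir/ca/root.crt" -CAkey "$dir/ca/root.key" -CAcreateserial \
    -extfile "$dir/openssl.cnf" -extensions leaf_ext \
    -out "$dir/$host.crt" 2>/dev/null
}

# verify_against_ca CAFILE CERT HOST
#   Exit 0 only if CERT chains to CAFILE and HOST matches CERT's SAN: the
#   check a client makes when it opens an HTTPS connection to an endpoint.
verify_against_ca() {
  openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

# demo_internal_ca: build two unrelated CAs in a scratch directory and show
# that only the right CA plus the right name is accepted. Returns 0 when every
# check behaves as expected, 1 otherwise.
demo_internal_ca() {
  work=$(mktemp -d)
  vip=kolla-int.example.internal            # assumed internal VIP name
  make_internal_ca "$work" "$vip"
  make_internal_ca "$work/other" "$vip"     # second CA, same name, other key
  rc=0
  if verify_against_ca "$work/ca/root.crt" "$work/$vip.crt" "$vip"; then
    echo "trusted CA, matching name: accepted (expected)"
  else
    echo "trusted CA, matching name: rejected (UNEXPECTED)"; rc=1
  fi
  if verify_against_ca "$work/ca/root.crt" "$work/$vip.crt" "rogue.example.internal"; then
    echo "trusted CA, wrong name: accepted (UNEXPECTED)"; rc=1
  else
    echo "trusted CA, wrong name: rejected (expected)"
  fi
  if verify_against_ca "$work/other/ca/root.crt" "$work/$vip.crt" "$vip"; then
    echo "untrusted CA, matching name: accepted (UNEXPECTED)"; rc=1
  else
    echo "untrusted CA, matching name: rejected (expected)"
  fi
  rm -rf "$work"
  return $rc
}

# Stand-alone run: sh this_file.sh demo
if [ "${1:-}" = "demo" ]; then
  demo_internal_ca
fi
```

The two negative checks are the point: a certificate issued by a different CA, or presented under a name that is not in its subjectAltName, must be rejected, which is why the root CA certificate has to reach every service that makes HTTPS calls to internal endpoints and why the backend certificates have to carry the names services actually connect to.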

Blueprint information

Status:
Complete
Approver:
Jeffrey Zhang
Priority:
High
Drafter:
Kevin Tibi
Direction:
Approved
Assignee:
Krzysztof Klimonda
Definition:
Approved
Series goal:
Accepted for victoria
Implementation:
Implemented
Milestone target:
11.0.0
Started by
Mark Goddard
Completed by
Mark Goddard

Related branches

Sprints

Whiteboard

Related Blueprints:

https://blueprints.launchpad.net/kolla-ansible/+spec/libvirt-tls
https://blueprints.launchpad.net/kolla-ansible/+spec/mariadb-ssl-support
https://blueprints.launchpad.net/kolla-ansible/+spec/message-queue-ssl-support
https://blueprints.launchpad.net/kolla-ansible/+spec/memcached-ssl-support

Related patch started here: https://review.opendev.org/#/c/548407

Gerrit topic: https://review.opendev.org/#/q/topic:bp/add-ssl-internal-network

Addressed by: https://review.opendev.org/548407
    Allow disabling insecure API endpoints

Addressed by: https://review.opendev.org/664516
    Add support for encrypting backend HAProxy traffic

Addressed by: https://review.opendev.org/664517
    Add support for self-signed SSL certificates

Addressed by: https://review.opendev.org/663865
    Internal OpenStack endpoints encryption spec

Addressed by: https://review.opendev.org/663555
    Implement TLS encryption for internal endpoints

Addressed by: https://review.opendev.org/693018
    Fix indentation of HAProxy internal http-request config

Addressed by: https://review.opendev.org/694269
    Fix indentation of HAProxy internal http-request config

Addressed by: https://review.opendev.org/696144
    Add internal TLS variables to globals.yml

Gerrit topic: https://review.opendev.org/#/q/topic:bp/add-ssl-internal-network/reference-cacerts

Addressed by: https://review.opendev.org/699312
    Include a reference to the globally configured Certificate Authority to all services. Services use the CA to verify HTTPS connections.

Addressed by: https://review.opendev.org/701082
    Add internal TLS variables to globals.yml

Addressed by: https://review.opendev.org/701704
    Add support for nova api TLS

Gerrit topic: https://review.opendev.org/#/q/topic:bp/add-internal-network/configure-cacert-verification

Addressed by: https://review.opendev.org/707131
    Add support for encrypting nova api

Addressed by: https://review.opendev.org/712005
    Add support for encrypting backend HAProxy traffic

Gerrit topic: https://review.opendev.org/#/q/topic:james_kirsch/bp/add-ssl-internal-network

Addressed by: https://review.opendev.org/713986
    Add support for encrypting backend HAProxy traffic to Keystone service

Addressed by: https://review.opendev.org/722355
    Add support for encrypting heat api

Addressed by: https://review.opendev.org/723051
    Add support for encrypting Glance api

Addressed by: https://review.opendev.org/724441
    Add support for encrypting backend Horizon and Placement HAProxy traffic

Addressed by: https://review.opendev.org/724794
    Add support for encrypting Nova API

Addressed by: https://review.opendev.org/726258
    Add support for encrypting Barbican API

Addressed by: https://review.opendev.org/727835
    Fix Heat WSGI Logging

Addressed by: https://review.opendev.org/727839
    Fix Keystone Centos 8 mod_ssl

Addressed by: https://review.opendev.org/731344
    Generate Root CA for Self-Signed Certificates

Addressed by: https://review.opendev.org/733743
    Replace internal and external VIP CA with root CA

Addressed by: https://review.opendev.org/735874
    Generate Root CA for Self-Signed Certificates

Addressed by: https://review.opendev.org/735954
    Replace internal and external VIP CA with root CA

Addressed by: https://review.opendev.org/736400
    Add support for encrypting etcd traffic

Addressed by: https://review.opendev.org/739144
    Update TLS documentation

Addressed by: https://review.opendev.org/745109
    Update TLS documentation

Addressed by: https://review.opendev.org/745214
    Add Keep Alive Timeout for httpd

Addressed by: https://review.opendev.org/746332
    Add Keep Alive Timeout for httpd

Addressed by: https://review.opendev.org/746512
    Update release note for httpd keep alive

Addressed by: https://review.opendev.org/746606
    Add support for encrypting Ironic API

Addressed by: https://review.opendev.org/751543
    Add support for encrypting Ironic API

Addressed by: https://review.opendev.org/756367
    Add support for encrypting backend Neutron API Server

Addressed by: https://review.opendev.org/c/openstack/kolla-ansible/+/866524
    Enable TLS backend for designate

Gerrit topic: https://review.opendev.org/#/q/topic:designate-tls


Work Items

Dependency tree

