Add SSL on internal network

Registered by Kevin Tibi on 2018-03-20

For some organizations, security is a priority and network traffic must be encrypted end-to-end on all networks. At the moment kolla's internal network does not use encryption. It should be possible to enable SSL (TLS) on all internal network traffic.

Traffic on internal network:
* OpenStack APIs (internal and admin endpoints)
* RabbitMQ
* MySQL (MariaDB)
* monitoring and logging tools such as Telegraf, InfluxDB, Elasticsearch, ...

Design of this feature was discussed here: https://etherpad.openstack.org/p/kolla-internal-tls
Spec: https://opendev.org/openstack/kolla-ansible/src/branch/master/specs/internal-tls-endpoints.rst
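Once internal endpoints are switched to TLS, the first thing to verify is that nothing plaintext is left in the service catalog. The following script is an added example for this page, not kolla-ansible code: it audits a Keystone v3 catalog (the shape returned by `GET /v3/auth/catalog`) for internal or admin endpoints that are not https, and includes a TLS probe that can be pointed at direct-TLS listeners such as the HAProxy internal VIP or AMQPS. The catalog data, addresses and service names below are constructed for illustration.

```python
"""Audit an OpenStack service catalog for plaintext internal/admin endpoints
and optionally probe a host:port for a verified TLS handshake.

Added example for this blueprint page; not kolla-ansible code. The catalog
below is a constructed sample in the Keystone v3 'GET /v3/auth/catalog'
shape, not captured from a real deployment.
"""
import json
import socket
import ssl
from urllib.parse import urlsplit

# Constructed sample: two services, one of which still publishes a plaintext
# internal endpoint (exactly what this blueprint aims to eliminate).
SAMPLE_CATALOG = json.dumps({
    "catalog": [
        {"type": "identity", "name": "keystone", "endpoints": [
            {"interface": "public",   "region": "RegionOne", "url": "https://cloud.example.org:5000"},
            {"interface": "internal", "region": "RegionOne", "url": "https://10.0.0.10:5000"},
            {"interface": "admin",    "region": "RegionOne", "url": "https://10.0.0.10:35357"},
        ]},
        {"type": "compute", "name": "nova", "endpoints": [
            {"interface": "public",   "region": "RegionOne", "url": "https://cloud.example.org:8774/v2.1"},
            {"interface": "internal", "region": "RegionOne", "url": "http://10.0.0.10:8774/v2.1"},
        ]},
    ]
})


def plaintext_endpoints(catalog_json, interfaces=("internal", "admin")):
    """Return (service, interface, url) for every endpoint on the given
    interfaces whose URL scheme is not https. An empty list means the
    catalog exposes no plaintext endpoint on those interfaces."""
    findings = []
    for service in json.loads(catalog_json)["catalog"]:
        for ep in service.get("endpoints", []):
            if ep["interface"] not in interfaces:
                continue
            scheme = urlsplit(ep["url"]).scheme.lower()
            if scheme != "https":
                findings.append((service["name"], ep["interface"], ep["url"]))
    return findings


def probe_tls(host, port, cafile, timeout=5.0):
    """Perform a TLS handshake against host:port and verify the peer
    certificate against cafile (the deployment's internal CA). Returns the
    negotiated protocol version and the certificate subject.

    Applies to direct-TLS listeners (HAProxy internal VIP, AMQPS on 5671).
    MySQL/MariaDB negotiate TLS inside their own wire protocol, so a plain
    handshake probe does not apply to them."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse legacy protocol versions
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
            return tls.version(), cert.get("subject")


if __name__ == "__main__":
    for name, iface, url in plaintext_endpoints(SAMPLE_CATALOG):
        print(f"PLAINTEXT {name} {iface}: {url}")
```

Run against a real cloud by replacing `SAMPLE_CATALOG` with the body of `openstack catalog list -f json` (or the raw `/v3/auth/catalog` response) and pointing `probe_tls` at the internal VIP with the CA bundle that was distributed to the containers; a hostname or IP mismatch in the certificate will surface as an `ssl.SSLCertVerificationError`, which is the desired failure mode.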

Blueprint information

Status:
Started
Approver:
Jeffrey Zhang
Priority:
High
Drafter:
Kevin Tibi
Direction:
Needs approval
Assignee:
Krzysztof Klimonda
Definition:
Approved
Series goal:
Accepted for ussuri
Implementation:
Started
Milestone target:
10.0.0
Started by
Mark Goddard on 2019-06-26

Related branches

Sprints

Whiteboard

Related Blueprints:

https://blueprints.launchpad.net/kolla-ansible/+spec/libvirt-tls
https://blueprints.launchpad.net/kolla-ansible/+spec/mariadb-ssl-support
https://blueprints.launchpad.net/kolla-ansible/+spec/message-queue-ssl-support
https://blueprints.launchpad.net/kolla-ansible/+spec/memcached-ssl-support

Related patch started here: https://review.opendev.org/#/c/548407

Gerrit topic: https://review.opendev.org/#/q/topic:bp/add-ssl-internal-network

Addressed by: https://review.opendev.org/548407
    Allow disabling insecure API endpoints

Addressed by: https://review.opendev.org/664516
    Add support for encrypting backend HAProxy traffic

Addressed by: https://review.opendev.org/664517
    Add support for self-signed SSL certificates

Addressed by: https://review.opendev.org/663865
    Internal OpenStack endpoints encryption spec

Addressed by: https://review.opendev.org/663555
    Implement TLS encryption for internal endpoints

Addressed by: https://review.opendev.org/693018
    Fix indentation of HAProxy internal http-request config

Addressed by: https://review.opendev.org/694269
    Fix indentation of HAProxy internal http-request config

Addressed by: https://review.opendev.org/696144
    Add internal TLS variables to globals.yml

Gerrit topic: https://review.opendev.org/#/q/topic:bp/add-ssl-internal-network/reference-cacerts

Addressed by: https://review.opendev.org/699312
    Include a reference to the globally configured Certificate Authority to all services. Services use the CA to verify HTTPs connections.

Addressed by: https://review.opendev.org/701082
    Add internal TLS variables to globals.yml

Addressed by: https://review.opendev.org/701704
    Add support nova api TLS

Gerrit topic: https://review.opendev.org/#/q/topic:bp/add-internal-network/configure-cacert-verification

Addressed by: https://review.opendev.org/707131
    Add support for encrypting nova api

Addressed by: https://review.opendev.org/712005
    Add support for encrypting backend HAProxy traffic

Gerrit topic: https://review.opendev.org/#/q/topic:james_kirsch/bp/add-ssl-internal-network

Addressed by: https://review.opendev.org/713986
    Add support for encrypting backend HAProxy traffic to Keystone service


Work Items

Dependency tree

