Enable SSL Encryption In API Endpoints
At present there's no option to enable SSL communication to all OpenStack API endpoints. We need an option to enable this for security purposes as per the OpenStack Security Guide:
http://
The option needs to work in both HA and non-HA architectures if possible, which will likely present some additional challenges when dealing with the load balancing layer.
Note that there appears to be a bug in "keystone-manage ssl_setup" that prevents it from producing a working environment, so this won't be fully automated until that is resolved. The real use case for this is probably groups that want to bring their own certs anyway (e.g. certs signed by a genuine CA). It's also possible to get a working setup with certs you manually generate with OpenSSL. One caveat we will want to document is that this approach requires two puppet runs: one to deploy OpenStack (and keystone along with it), then another after you've installed the SSL certs.
Blueprint information
- Status: Complete
- Approver: None
- Priority: Medium
- Drafter: Mark T. Voelker
- Direction: Needs approval
- Assignee: Pradeep Kilambi
- Definition: New
- Series goal: None
- Implementation: Implemented
- Milestone target: h.2
- Started by: Pradeep Kilambi
- Completed by: Mark T. Voelker
Whiteboard
Note: new code introduced to puppet-keystone since h.1 was cut introduced a commit or two related to enabling SSL. I pulled them in to the Cisco repos last night.
Patch for master: https:/
Patch for stable/havana: https:/
Composition layer change: https:/