Consolidated proxying of Undercloud API services
The TripleO UI uses custom-defined endpoints to communicate with Undercloud API services listening on various ports, which are proxied by HAProxy on an SSL-enabled Undercloud deployment. The UI connects to each of these ip:port combinations individually, and some browsers (Firefox) have difficulty verifying the integrity of a self-signed certificate in this situation. This blueprint adds to the SSL-enabled Undercloud proxy configuration the ability to unify these requests on a single port (443/TCP) and to leverage Apache rewrite rules to route those requests to the appropriate backend API service ( /keystone/ -> $undercloud_
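The routing described above, as an added Apache configuration example (not the blueprint's or TripleO's own configuration). The host name, the backend address 192.0.2.1, the backend ports, the certificate paths and the /heat/ prefix are placeholder assumptions; only the /keystone/ prefix comes from the description.

```apache
# Added example. Address, ports, file paths and /heat/ are placeholders.
<VirtualHost *:443>
    ServerName undercloud.example.com

    # One certificate on one port: the browser has a single origin to trust
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/undercloud.example.crt
    SSLCertificateKeyFile /etc/pki/tls/private/undercloud.example.key

    # Apache is the TLS client towards the backends, so it verifies them.
    # The backend certificate must carry the address below as a subject
    # alternative name, and be issued by the CA in this file.
    SSLProxyEngine on
    SSLProxyVerify require
    SSLProxyCheckPeerName on
    SSLProxyCACertificateFile /etc/pki/tls/certs/undercloud-ca.example.crt

    # Reverse proxy only; never act as a forward proxy
    ProxyRequests Off

    RewriteEngine On

    # /keystone/<rest> is proxied to the identity API (assumed port)
    RewriteRule "^/keystone/(.*)$" "https://192.0.2.1:13000/$1" [P]
    ProxyPassReverse "/keystone/" "https://192.0.2.1:13000/"

    # /heat/<rest> is proxied to the orchestration API (assumed prefix and port)
    RewriteRule "^/heat/(.*)$" "https://192.0.2.1:13004/$1" [P]
    ProxyPassReverse "/heat/" "https://192.0.2.1:13004/"
</VirtualHost>
```

Each rule names a fixed backend and only the path remainder is taken from the request, so a request cannot steer the proxy to an arbitrary host.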
Blueprint information
- Status: Complete
- Approver: Steven Hardy
- Priority: High
- Drafter: Dan Trainor
- Direction: Approved
- Assignee: Dan Trainor
- Definition: Approved
- Series goal: Proposed for ocata
- Implementation: Implemented
- Milestone target: ocata-rc1
- Started by: Emilien Macchi
- Completed by: Emilien Macchi
Whiteboard
Originally, the blueprint suggests using haproxy for this, but we're currently using the "old" notation of listen/server, not frontend/backend. The distinction is important because the ACLs that would allow any kind of proxying to facilitate this are only available in the latter notation. In order to do this in haproxy, tripleo::haproxy would need a rewrite (looks pretty trivial, but likely out of scope for this). So I'd really like to isolate this to UI, which is convenient since UI runs largely self-contained inside Apache.
Description of Firefox exceptions that prevent the current functionality from being used:
https:/
https:/
Apache mod_proxy configuration guide:
https:/
Gerrit topic: https:/
Addressed by: https:/
Add additional proxy and config endpoints for UI
Addressed by: https:/
Proxy API endpoints that UI