Internal TLS using certmonger
Use certmonger in the overcloud to manage the PKI necessary to have TLS in the internal services (openstack services, message broker and databases)
Blueprint information
- Status:
- Complete
- Approver:
- Steven Hardy
- Priority:
- High
- Drafter:
- Juan Antonio Osorio Robles
- Direction:
- Approved
- Assignee:
- Juan Antonio Osorio Robles
- Definition:
- Approved
- Series goal:
- Accepted for ocata
- Implementation:
-
Implemented
- Milestone target:
-
pike-3
- Started by
- Steven Hardy on 2016-07-22
- Completed by
- Emilien Macchi on 2017-07-31
Related branches
Related bugs
Sprints
Whiteboard
Gerrit topic: https:/
Addressed by: https:/
Internal TLS using certmonger
Gerrit topic: https:/
Addressed by: https:/
Add certmonger package to controllers
Addressed by: https:/
Add new puppet-certmonger reference
Addressed by: https:/
Add flags to enable internal TLS
Addressed by: https:/
Avoid repetition in endpoint map
Addressed by: https:/
Add placeholder for Internal TLS template
Addressed by: https:/
Use certmonger for automatic cert generation
Addressed by: https:/
Generate TLS endpoints if autogenerate cert is set
Addressed by: https:/
Use Openstack CLI for setting undercloud quota
Addressed by: https:/
Properly set undercloud_
Addressed by: https:/
Enable processing of X-Forwarded-Proto if TLS enabled
Addressed by: https:/
Remove hardcoded endpoints in hiera
Addressed by: https:/
Update help text for certificate generation options
Addressed by: https:/
Revert "Use certmonger for automatic cert generation"
Addressed by: https:/
Generate TLS endpoints if autogenerate cert is set
Addressed by: https:/
Generate TLS endpoints if autogenerate cert is set
Gerrit topic: https:/
Addressed by: https:/
Add HAProxy TLS handled by certmonger as composable service
Gerrit topic: https:/
Addressed by: https:/
Create entries for overcloud VIPs in /etc/hosts
Addressed by: https:/
Enable usage of FQDNs for the endpoints
Gerrit topic: https:/
Addressed by: https:/
Add mod_ssl to overcloud-
Addressed by: https:/
Bind to FQDNs instead of IPs
Addressed by: https:/
Make apache-based services use network-dependent servername
Addressed by: https:/
Add VIP names to allNodesConfig
Addressed by: https:/
Add parameters for internal TLS
Addressed by: https:/
Hook internal TLS flag to apache-based services
Addressed by: https:/
Add keystone networks for the different endpoints
Addressed by: https:/
Make Nova VNC Proxy service name match service net map
Addressed by: https:/
Add Heat's Cfn and Cloudwatch networks to ServiceNetMap
Addressed by: https:/
Switch management endpoint to use actual network name
Gerrit topic: https:/
Addressed by: https:/
Add option to specify Certmonger CA
Addressed by: https:/
Set client protocol for glance registry client
Addressed by: https:/
Enable internal TLS for ceilometer
Addressed by: https:/
Enable internal TLS for aodh
Addressed by: https:/
Enable internal TLS for gnocchi
Addressed by: https:/
Enable TLS in the internal networkf or Mysql
Addressed by: https:/
Add ipa-client package to overcloud-
Addressed by: https:/
Enable TLS in the internal network for gnocchi
Addressed by: https:/
Enable TLS in the internal network for ceilometer
Addressed by: https:/
Enable TLS in the internal network for aodh
Addressed by: https:/
Enable TLS in the internal network for keystone
Addressed by: https:/
Enable internal TLS for MySQL
Addressed by: https:/
Enable TLS in the internal network for Nova API
Addressed by: https:/
Enable internal TLS for Nova API
Addressed by: https:/
Enable TLS in the internal network for Cinder API
Addressed by: https:/
Enable internal TLS for Cinder API
Addressed by: https:/
Enable TLS in the internal network for Barbican API
Addressed by: https:/
Enable internal TLS for Barbican API
Addressed by: https:/
Enable TLS in the internal network for Panko API
Gerrit topic: https:/
Addressed by: https:/
Add verify required and CA bundle to haproxy
Addressed by: https:/
Enable haproxy internal TLS through enable-
Addressed by: https:/
Add FreeIPA enrollment script and tool
Addressed by: https:/
Use TLS proxy for Glance API's internal TLS
Addressed by: https:/
Pass parameters for TLS proxy in front of Glance-API
Addressed by: https:/
Clean TLS proxy-related setup for glance api profile
Addressed by: https:/
Pass hieradata for internal TLS for RabbitMQ
Addressed by: https:/
Enable TLS in the internal network for RabbitMQ
Addressed by: https:/
Add FreeIPA enrollment environment generator
Addressed by: https:/
Pass hieradata for TLS in the internal network for Ceph RGW
Addressed by: https:/
Add TLS proxy resource
Addressed by: https:/
Set rabbitmq's port and IP via the config file and not the env file
Gerrit topic: https:/
Addressed by: https:/
Add metadata settings for needed kerberos principals
Gerrit topic: https:/
Addressed by: https:/
Allow freeipa environment file to be in /tmp
Addressed by: https:/
Add IP to provisioning interface for FreeIPA if requested
Addressed by: https:/
TESTING: ping FreeIPA server
Addressed by: https:/
Add environment for usage by the novajoin in the undercloud
Addressed by: https:/
Fix comment in freeipa_setup.sh script
Addressed by: https:/
Use TLS proxy for neutron server's internal TLS
Addressed by: https:/
Pass parameters for TLS proxy in front of neutron server
Addressed by: https:/
Clean TLS proxy-related setup for neutron-server profile
Addressed by: https:/
Force MySQL users to use SSL if internal TLS is enabled
Addressed by: https:/
Fix MySQL service name parameter
Addressed by: https:/
Deploy Heat APIs over httpd
Addressed by: https:/
Pass hieradata relevant for httpd in the Heat APIs
Addressed by: https:/
httpd: Clean up heat API profiles and add release note
Addressed by: https:/
Add upgrade tasks for heat over httpd
Addressed by: https:/
Remove double quotes in the "when" Ansible conditional.
Addressed by: https:/
DNM testing repo setup
Addressed by: https:/
DNM testing blacklist of delorean-deps
Addressed by: https:/
Add tests for tripleo:
Addressed by: https:/
Add deployment documentation for TLS-everywhere
Addressed by: https:/
Developer documentation of Internal TLS for httpd services
Addressed by: https:/
Add missing metadata_settings from neutron-api profile
Addressed by: https:/
Add developer docs for internal TLS for services not based on httpd
Addressed by: https:/
TLS-everywhere: Add resources for libvirt's cert for live migration
Addressed by: https:/
TLS-everywhere: Enable for TLS libvirt live migration
Addressed by: https:/
Add TLS in the internal network for Swift Proxy
Addressed by: https:/
Add parameters for internal TLS for swift proxy
Addressed by: https:/
Clean up TLS-related bits from swift-proxy
Addressed by: https:/
Enable TLS in the internal network for Ceph RGW
Addressed by: https:/
TLS everywhere: Add resources for mongodb's TLS configuration
Addressed by: https:/
TLS everywhere: configure mongodb's TLS settings
Addressed by: https:/
Add resource to fetch CRL
Addressed by: https:/
Use CRL for HAProxy
Addressed by: https:/
Configure crl file for HAProxy
Addressed by: https:/
Configure TLS URI if TLS in the internal network is enabled
Addressed by: https:/
Allow certmonger mysql resource to use several DNS names
Addressed by: https:/
Enable TLS for MySQL's replication traffic
Addressed by: https:/
Add node's FQDN to mysql certificate request and CA file
Addressed by: https:/
Enable TLS for the HAProxy stats interface
Addressed by: https:/
Use haproxy::endpoint resource for horizon
Addressed by: https:/
Enable TLS in the internal network for horizon
Addressed by: https:/
Enable listening on TLS for the internal network for horizon
Addressed by: https:/
Create separate resource for HAProxy horizon endpoint
Addressed by: https:/
Add TLS for nova metadata service
Addressed by: https:/
Enable TLS for nova-metadata
Gerrit topic: https:/
Addressed by: https:/
TLS everywhere/haproxy: Remove empty postsave command
Addressed by: https:/
Enable TLS in the internal network for vncproxy
Gerrit topic: https:/
Addressed by: https:/
Enable TLS in the internal network for vnc proxy
Addressed by: https:/
Use TLS proxy for Redis' internal TLS
Addressed by: https:/
[WIP] TLS proxy for redis
Addressed by: https:/
Add manifests to install and configure stunnel
Addressed by: https:/
Add stunnel
Addressed by: https:/
Add stunnel
Addressed by: https:/
Add stunnel to redis image for tls
Addressed by: https:/
Enable TLS for rabbitmq's replication traffic
Addressed by: https:/
Add cert/key bundle for rabbitmq
Addressed by: https:/
Enable redis TLS proxy in HA deployments
Addressed by: https:/
Add stunnel to redis image for tls
Addressed by: https:/
Use FQDN for nodename in rabbitmq configuration
Addressed by: https:/
Add manifests to install and configure stunnel
Addressed by: https:/
Use TLS proxy for Redis' internal TLS
Addressed by: https:/
TLS proxy for redis
Addressed by: https:/
Enable TLS for rabbitmq's replication traffic
Addressed by: https:/
Rabbitmq: Enable Erlang distribution TLS
Addressed by: https:/
Enable redis TLS proxy in HA deployments
Addressed by: https:/
Add TLS for ec2api service
Addressed by: https:/
Enable TLS for ec2api service
Addressed by: https:/
Add TLS for ec2api metadata service
Addressed by: https:/
Enable TLS for ec2api metadata service
Addressed by: https:/
Add ec2api to TLS everywhere services list
Addressed by: https:/
Add TLS for ec2api service
Addressed by: https:/
Enable TLS for ec2api service
Addressed by: https:/
Enable TLS for ec2api metadata service
Addressed by: https:/
Add TLS for ec2api metadata service
Addressed by: https:/
Redis replication does not work with TLS
Addressed by: https:/
Redis replication does not work with TLS
Addressed by: https:/
Redis replication does not work with TLS
Addressed by: https:/
WIP: Add support for creating sub-CAs in FreeIPA role
Addressed by: https:/
WIP: add support for libvirt VNC TLS with dedicated CA
Addressed by: https:/
WIP: add support for libvirt VNC TLS with dedicated CA
Addressed by: https:/
Add support for libvirt VNC TLS
