TLS via certmonger for containers
The tls-via-certmonger blueprint specified the approach to take for baremetal services. Now that services are deployed in containers, we need an approach that works for them as well: we should be able to deploy TLS in the internal network when the services are containerized too.
The main objective of this blueprint is to make TLS in the internal network work for some basic containers (basic OpenStack services), as well as for crucial ones like RabbitMQ and MariaDB, and to write proper documentation so people can deploy and integrate with it. Teams should then be able to enable TLS in the internal network for their own services.
The proposed approach is the following:
* Separate the certificate requests from the puppet files of the services
* Do the certificate requests on the baremetal node and write the resulting certificates and keys into service-specific directories
* Bind mount those directories into the containers
The rest should be the same as it was before.
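As an added example (not code from this blueprint or from TripleO itself), the three steps above as host-side shell: one certmonger request per service into service-specific directories, a read-only bind mount of only that service's directories plus the CA file into its container, and a pre-flight key permission check. The base directories, the CA file location (/etc/ipa/ca.crt), the FQDNs, the postsave command and the use of GNU stat are assumptions.

```shell
#!/bin/sh
# Added example, not TripleO code. Base directories, CA file location,
# FQDNs and the container restart command below are assumptions.
CA_FILE=/etc/ipa/ca.crt            # internal CA certificate on the host
CERT_BASE=/etc/pki/tls/certs       # per-service cert dirs live under here
KEY_BASE=/etc/pki/tls/private      # per-service key dirs live under here

# Steps 1 and 2: request the certificate on the baremetal host, writing cert
# and key into directories named after the service. $4 is certmonger's
# postsave command: for a container it must reload/restart the container,
# not a host systemd unit, because certmonger runs it after each renewal.
request_service_cert() {
    svc=$1; fqdn=$2; principal=$3; postsave=$4
    mkdir -p "$CERT_BASE/$svc" "$KEY_BASE/$svc"
    chmod 0700 "$KEY_BASE/$svc"
    getcert request -c IPA -w -I "$svc-$fqdn" \
        -f "$CERT_BASE/$svc/$fqdn.crt" \
        -k "$KEY_BASE/$svc/$fqdn.key" \
        -N "CN=$fqdn" -D "$fqdn" -K "$principal" \
        -C "$postsave"
}

# Step 3: docker flags that bind-mount only this service's cert and key
# directories plus the CA file, read-only, so the container sees no other
# service's key and cannot modify host material.
cert_mount_args() {
    svc=$1
    m="-v $CERT_BASE/$svc:$CERT_BASE/$svc:ro"
    m="$m -v $KEY_BASE/$svc:$KEY_BASE/$svc:ro"
    m="$m -v $CA_FILE:$CA_FILE:ro"
    printf '%s' "$m"
}

# Pre-flight check before starting the container: key directory root-only
# (0700) and every private key in it not group/world readable (GNU stat).
check_key_dir() {
    dir=$1
    [ -d "$dir" ] || return 1
    [ "$(stat -c %a "$dir")" = 700 ] || return 1
    for k in "$dir"/*.key; do
        [ -f "$k" ] || continue
        case "$(stat -c %a "$k")" in 600|400) ;; *) return 1 ;; esac
    done
    return 0
}

# Usage on a controller (assumed names; not executed by the check above):
#   request_service_cert httpd ctrl-0.internalapi.example.com \
#       HTTP/ctrl-0.internalapi.example.com 'docker restart keystone'
#   check_key_dir "$KEY_BASE/httpd" && \
#   docker run -d --name keystone $(cert_mount_args httpd) keystone-image
```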
Blueprint information
- Status: Complete
- Approver: Emilien Macchi
- Priority: High
- Drafter: Juan Antonio Osorio Robles
- Direction: Approved
- Assignee: Juan Antonio Osorio Robles
- Definition: Approved
- Series goal: Accepted for pike
- Implementation: Implemented
- Milestone target: pike-rc1
- Started by: Emilien Macchi
- Completed by: Emilien Macchi
Whiteboard
Gerrit topic: https:/
Addressed by: https:/
Create profile to request certificates for the services in the node
Addressed by: https:/
Add certmonger-user profile
Addressed by: https:/
Remove certificate request bits from service profiles
Addressed by: https:/
Ensure directory exists for certificates for httpd
Addressed by: https:/
Change the directory for httpd certs/keys to be service-specific
Addressed by: https:/
Bind mount directories that contain the key/certs for keystone
Addressed by: https:/
Output metadata_settings in docker services.yaml
Addressed by: https:/
docker/
Addressed by: https:/
Enable deploy of TLS-everywhere containers
Addressed by: https:/
docker/internal TLS: spawn extra container for swift's TLS proxy
Addressed by: https:/
TLS-everywhere: Add missing profiles to docker compute services
Addressed by: https:/
Containers: Bind mount directories with the key/certs for heat
Addressed by: https:/
Add httpd packages to swift proxy image
Addressed by: https:/
Add httpd packages to glance API image
Addressed by: https:/
docker/internal TLS: spawn extra container for glance API's TLS proxy
Addressed by: https:/
Add httpd packages to neutron server image
Addressed by: https:/
Use neutron-server image for neutron services
Addressed by: https:/
docker/internal TLS: spawn extra container for neutron server's TLS proxy
Addressed by: https:/
docker/
Addressed by: https:/
Enable novajoin user on keystone profile
Addressed by: https:/
Add novajoin images
Addressed by: https:/
Bind mount internal CA file to all containers
Gerrit topic: https:/
Addressed by: https:/
Make containerized nova-api run with httpd
Addressed by: https:/
Enable TLS for nova api and placement containers
Addressed by: https:/
Ensure directory exists for certificates for haproxy
Addressed by: https:/
Change the directory for haproxy certs/keys to be service-specific
Addressed by: https:/
Enable TLS for containerized haproxy
Addressed by: https:/
Use nova-api image for configuration as well
Addressed by: https:/
Docker/TLS everywhere: Add telemetry and neutron services to environment
Gerrit topic: https:/
Addressed by: https:/
Modify resource dependencies of certmonger_user resources
Gerrit topic: https:/
Addressed by: https:/
Create separate resource for HAProxy horizon endpoint
Gerrit topic: https:/
Addressed by: https:/
Enable TLS configuration for containerized Galera
Addressed by: https:/
Internal TLS support for mongodb container
Addressed by: https:/
Bind mount tripleo.cnf in transient bootstrap containers
Addressed by: https:/
TLS for containerized MySQL
Addressed by: https:/
Enable TLS for containerized RabbitMQ
Addressed by: https:/
Certmonger: Make postsave command configurable
Addressed by: https:/
Remove iscsid from TLS everywhere docker environment
Addressed by: https:/
TLS everywhere/docker: add nova services to environment
Gerrit topic: https:/
Addressed by: https:/
Enable listening on TLS for the internal network for horizon
Addressed by: https:/
TLS for containerized horizon
Addressed by: https:/
Add nova metadata to TLS everywhere/docker services list
Addressed by: https:/
TLS-
Addressed by: https:/
Docker: Enable TLS in the internal network for libvirt
Addressed by: https:/
docker/internal TLS: spawn extra container for ec2api TLS proxy
Addressed by: https:/
Add httpd packages to ec2api image
Addressed by: https:/
Add httpd packages to ec2api image
Addressed by: https:/
Set ProxyPreserveHost in ec2api TLS proxy
Addressed by: https:/
Set ProxyPreserveHost in ec2api TLS proxy
Addressed by: https:/
docker/internal TLS: spawn extra container for ec2api TLS proxy