TLS via certmonger for containers

Registered by Juan Antonio Osorio Robles on 2017-03-24

The tls-via-certmonger blueprint specified the approach to take for baremetal services. Now that containerized deployments are in place, we need an approach that works with them as well: it should be possible to deploy TLS in the internal network when services run in containers.

The main objective of this blueprint is to make TLS in the internal network work for some basic containers (basic OpenStack services), as well as for crucial ones such as RabbitMQ and MariaDB, and to write proper documentation so that people can deploy and integrate with it. Teams should then be able to enable TLS in the internal network for their own services.

The proposed approach is the following:

* Separate the certificate requests from the puppet files of the services
* Do the certificate requests on the baremetal node and write the resulting certificates and keys into service-specific directories
* Bind mount those directories into the containers

The rest should be the same as it was before.

Blueprint information

Status: Complete
Approver: Emilien Macchi
Priority: High
Drafter: Juan Antonio Osorio Robles
Direction: Approved
Assignee: Juan Antonio Osorio Robles
Definition: Approved
Series goal: Accepted for pike
Implementation: Implemented
Milestone target: pike-rc1
Started by: Emilien Macchi on 2017-03-24
Completed by: Emilien Macchi on 2017-08-25

Whiteboard

Gerrit topic: https://review.openstack.org/#q,topic:bp/tls-via-certmonger-containers,n,z

Addressed by: https://review.openstack.org/#/c/444873
    Create profile to request certificates for the services in the node

Addressed by: https://review.openstack.org/#/c/444876
    Add certmonger-user profile

Addressed by: https://review.openstack.org/#/c/444891
    Remove certificate request bits from service profiles

Addressed by: https://review.openstack.org/449536
    Ensure directory exists for certificates for httpd

Addressed by: https://review.openstack.org/449558
    Change the directory for httpd certs/keys to be service-specific

Addressed by: https://review.openstack.org/449569
    Bind mount directories that contain the key/certs for keystone

Addressed by: https://review.openstack.org/451703
    Output metadata_settings in docker services.yaml

Addressed by: https://review.openstack.org/455705
    docker/keystone: Bind-mount OpenSSL CA bundle

Addressed by: https://review.openstack.org/456226
    Enable deploy of TLS-everywhere containers

Addressed by: https://review.openstack.org/460104
    docker/internal TLS: spawn extra container for swift's TLS proxy

Addressed by: https://review.openstack.org/460435
    TLS-everywhere: Add missing profiles to docker compute services

Addressed by: https://review.openstack.org/463302
    Containers: Bind mount directories with the key/certs for heat

Addressed by: https://review.openstack.org/463933
    Add httpd packages to swift proxy image

Addressed by: https://review.openstack.org/464132
    Add httpd packages to glance API image

Addressed by: https://review.openstack.org/464133
    docker/internal TLS: spawn extra container for glance API's TLS proxy

Addressed by: https://review.openstack.org/464155
    Add httpd packages to neutron server image

Addressed by: https://review.openstack.org/464200
    Use neutron-server image for neutron services

Addressed by: https://review.openstack.org/464201
    docker/internal TLS: spawn extra container for neutron server's TLS proxy

Addressed by: https://review.openstack.org/466751
    docker/TLS-everywhere: Add metadata_settings output to templates

Addressed by: https://review.openstack.org/467026
    Enable novajoin user on keystone profile

Addressed by: https://review.openstack.org/467074
    Add novajoin images

Addressed by: https://review.openstack.org/473762
    Bind mount internal CA file to all containers

Gerrit topic: https://review.openstack.org/#q,topic:nova-wsgi,n,z

Addressed by: https://review.openstack.org/475366
    Make containerized nova-api run with httpd

Addressed by: https://review.openstack.org/489885
    Enable TLS for nova api and placement containers

Addressed by: https://review.openstack.org/489891
    Ensure directory exists for certificates for haproxy

Addressed by: https://review.openstack.org/489896
    Change the directory for haproxy certs/keys to be service-specific

Addressed by: https://review.openstack.org/489900
    Enable TLS for containerized haproxy

Addressed by: https://review.openstack.org/490385
    Use nova-api image for configuration as well

Addressed by: https://review.openstack.org/491782
    Docker/TLS everywhere: Add telemetry and neutron services to environment

Gerrit topic: https://review.openstack.org/#q,topic:certmonger-deps,n,z

Addressed by: https://review.openstack.org/490791
    Modify resource dependencies of certmonger_user resources

Gerrit topic: https://review.openstack.org/#q,topic:horizon-tls-1,n,z

Addressed by: https://review.openstack.org/491437
    Create separate resource for HAProxy horizon endpoint

Gerrit topic: https://review.openstack.org/#q,topic:bug/1708135,n,z

Addressed by: https://review.openstack.org/489963
    Enable TLS configuration for containerized Galera

Addressed by: https://review.openstack.org/492878
    Internal TLS support for mongodb container

Addressed by: https://review.openstack.org/492963
    Bind mount tripleo.cnf in transient bootstrap containers

Addressed by: https://review.openstack.org/493561
    TLS for containerized MySQL

Addressed by: https://review.openstack.org/493632
    Enable TLS for containerized RabbitMQ

Addressed by: https://review.openstack.org/494085
    Certmonger: Make postsave command configurable

Addressed by: https://review.openstack.org/494429
    Remove iscsid from TLS everywhere docker environment

Addressed by: https://review.openstack.org/494430
    TLS everywhere/docker: add nova services to environment

Gerrit topic: https://review.openstack.org/#q,topic:bp/tls-via-certmonger,n,z

Addressed by: https://review.openstack.org/489596
    Enable listening on TLS for the internal network for horizon

Addressed by: https://review.openstack.org/494989
    TLS for containerized horizon

Addressed by: https://review.openstack.org/495917
    Add nova metadata to TLS everywhere/docker services list

Addressed by: https://review.openstack.org/496349
    TLS-everywhere/libvirt: Make postsave command configurable

Addressed by: https://review.openstack.org/496351
    Docker: Enable TLS in the internal network for libvirt

Addressed by: https://review.openstack.org/520547
    docker/internal TLS: spawn extra container for ec2api TLS proxy

Addressed by: https://review.openstack.org/520581
    Add httpd packages to ec2api image

Addressed by: https://review.openstack.org/522060
    Add httpd packages to ec2api image

Addressed by: https://review.openstack.org/522517
    Set ProxyPreserveHost in ec2api TLS proxy

Addressed by: https://review.openstack.org/522772
    Set ProxyPreserveHost in ec2api TLS proxy

Addressed by: https://review.openstack.org/522835
    docker/internal TLS: spawn extra container for ec2api TLS proxy
