Bug 1230890

Summary: The undercloud does not support ssl for OpenStack endpoints
Product: Red Hat OpenStack Reporter: Ben Nemec <bnemec>
Component: rhosp-directorAssignee: Ben Nemec <bnemec>
Status: CLOSED ERRATA QA Contact: Alexander Chuzhoy <sasha>
Severity: unspecified Docs Contact:
Priority: high    
Version: DirectorCC: avozza, brad, jslagle, kbasil, mburns, rhel-osp-director-maint, sasha
Target Milestone: gaKeywords: Triaged
Target Release: Director   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: os-cloud-config-0.2.8-5.el7ost openstack-ironic-discoverd-1.1.0-5.el7ost python-rdomanager-oscplugin-0.0.8-22.el7ost instack-undercloud-2.1.2-19.el7ost Doc Type: Enhancement
Doc Text:
Feature: SSL support for the OpenStack API endpoints in the Undercloud has been added. The feature is implemented with an HAProxy instance bound to virtual IP's and does SSL termination. The SSL support is optional, and disabled by default. To enable the support, configure the undercloud_public_vip, undercloud_admin_vip, and undercloud_service_certificate options in undercloud.conf prior to running "openstack undercloud install". Reason: Having SSL support for the OpenStack API endpoints in the Undercloud results in a more secure OpenStack installation. Result: SSL is used to encrypt all traffic between clients and the OpenStack API endpoints.
Story Points: ---
Clone Of:
: 1238422 (view as bug list) Environment:
Last Closed: 2015-08-05 13:53:26 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1238422    
Bug Blocks:    

Description Ben Nemec 2015-06-11 17:26:43 UTC
Description of problem: Currently instack-undercloud is only able to configure the undercloud for non-SSL API endpoints.  In addition, a couple of the clients we use are lacking full support for SSL options that makes it impossible to use common SSL setups.


Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info: These issues are addressed by:
https://review.gerrithub.io/#/c/229968/
https://review.openstack.org/#/c/189952/
https://review.openstack.org/#/c/190251/

Comment 3 Ana Krivokapic 2015-06-22 13:44:13 UTC
*** Bug 1234384 has been marked as a duplicate of this bug. ***

Comment 9 James Slagle 2015-07-08 15:06:27 UTC
ben looking into the failure here

Comment 10 James Slagle 2015-07-08 16:03:55 UTC
had to revert this one:
https://code.engineering.redhat.com/gerrit/#/c/52570/

the revert is built into:
instack-undercloud-2.1.2-17.el7ost.noarch.rpm

Comment 11 Ben Nemec 2015-07-08 20:46:10 UTC
New patch posted that fixes the problem with non-SSL underclouds.

Comment 13 Alexander Chuzhoy 2015-07-21 14:08:17 UTC
Verified:
Environment:
instack-undercloud-2.1.2-21.el7ost.noarch

Was able to deploy an overcloud on top of undercloud with enabled SSL.

Comment 15 errata-xmlrpc 2015-08-05 13:53:26 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2015:1549