Bug 1336504
| Summary: | [RFE] TLS for internal services | |||
|---|---|---|---|---|
| Product: | Red Hat OpenStack | Reporter: | Maxime Payant-Chartier <mpayantc> | |
| Component: | openstack-tripleo-heat-templates | Assignee: | Emilien Macchi <emacchi> | |
| Status: | CLOSED ERRATA | QA Contact: | Prasanth Anbalagan <panbalag> | |
| Severity: | high | Docs Contact: | ||
| Priority: | high | |||
| Version: | 11.0 (Ocata) | CC: | achernet, asimonel, brault, cschwede, dbecker, ealcaniz, ehud.malik, fherrman, gcharot, jappleii, jcoufal, jdonohue, jliberma, jmelvin, josorior, jtaleric, kbasil, mburns, mcornea, michele, morazi, nkinder, panbalag, pgrist, racedoro, radoslaw.smigielski, rcritten, rduartes, rhel-osp-director-maint, rkharwar, sclewis, sisadoun, skhodri, thiago, tvignaud, tvvcox, yves.brissette, zaitcev | |
| Target Milestone: | Upstream M2 | Keywords: | FutureFeature, Triaged | |
| Target Release: | 12.0 (Pike) | |||
| Hardware: | Unspecified | |||
| OS: | Unspecified | |||
| Whiteboard: | ||||
| Fixed In Version: | openstack-tripleo-heat-templates-7.0.0-0.20170706121722.el7ost puppet-tripleo-7.1.1-0.20170706195430.76af0ab.el7ost | Doc Type: | Enhancement | |
| Doc Text: | Story Points: | --- | ||
| Clone Of: | ||||
| : | 1417142 (view as bug list) | Environment: | ||
| Last Closed: | 2017-12-13 20:41:55 UTC | Type: | Feature Request | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Embargoed: | ||||
| Bug Depends On: | 1420946, 1513437, 1513440 | |||
| Bug Blocks: | 1389435, 1417142, 1442136 | |||
|
Description
Maxime Payant-Chartier
2016-05-16 16:39:25 UTC
We are looking for the following with TLS: • Does Nova communicate with Glance securely • Is TLS enabled for authentication? • Does cinder communicate with glance over TLS • Does cinder communicate with nova over TLS • Is TLS enabled on Neutron API server • Does Nova communicate with Glance securely Not yet, patches are up • Is TLS enabled for authentication? yes • Does cinder communicate with glance over TLS not yet, Cinder is using TLS for all it's endpoints, but TLS for glance is in progress. • Does cinder communicate with nova over TLS yes. • Is TLS enabled on Neutron API server not yet. Working on that. There are still services that don't have TLS enabled, my main delays have been trying to get services over httpd, and getting a CI job to test this upstream. The CI job is almost ready, and regarding the services; Even if I spent a lot of time trying to get services such as glance, swift and heat over httpd, those won't happen in this release (and swift probably won't happen at all). So instead I'll use mod_proxy in front of these services (with the pieces to do this landing recently). This bugzilla has been removed from the release and needs to be reviewed for targeting another release. *** Bug 1293943 has been marked as a duplicate of this bug. *** *** Bug 1433717 has been marked as a duplicate of this bug. *** Adding TLS support for MariaDB, RabbitMQ and internal services endpoints are critical requirements for CBIS to achieve ANSSI compliance. Verified using, https://github.com/openstack/novajoin-tempest-plugin/blob/master/novajoin_tempest_plugin/tests/scenario/test_tripleo_tls.py Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHEA-2017:3462 |