Bug 1230890 - The undercloud does not support ssl for OpenStack endpoints
Summary: The undercloud does not support ssl for OpenStack endpoints
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: rhosp-director
Version: Director
Hardware: Unspecified
OS: Unspecified
Target Milestone: ga
: Director
Assignee: Ben Nemec
QA Contact: Alexander Chuzhoy
: 1234384 (view as bug list)
Depends On: 1238422
TreeView+ depends on / blocked
Reported: 2015-06-11 17:26 UTC by Ben Nemec
Modified: 2015-08-05 13:53 UTC (History)
8 users (show)

Fixed In Version: os-cloud-config-0.2.8-5.el7ost openstack-ironic-discoverd-1.1.0-5.el7ost python-rdomanager-oscplugin-0.0.8-22.el7ost instack-undercloud-2.1.2-19.el7ost
Doc Type: Enhancement
Doc Text:
Feature: SSL support for the OpenStack API endpoints in the Undercloud has been added. The feature is implemented with an HAProxy instance bound to virtual IP's and does SSL termination. The SSL support is optional, and disabled by default. To enable the support, configure the undercloud_public_vip, undercloud_admin_vip, and undercloud_service_certificate options in undercloud.conf prior to running "openstack undercloud install". Reason: Having SSL support for the OpenStack API endpoints in the Undercloud results in a more secure OpenStack installation. Result: SSL is used to encrypt all traffic between clients and the OpenStack API endpoints.
Clone Of:
: 1238422 (view as bug list)
Last Closed: 2015-08-05 13:53:26 UTC
Target Upstream Version:

Attachments (Terms of Use)

System ID Priority Status Summary Last Updated
Gerrithub.io 229968 None None None Never
Gerrithub.io 237758 None None None Never
Gerrithub.io 237801 None None None Never
Gerrithub.io 238119 None None None Never
OpenStack gerrit 189952 None None None Never
OpenStack gerrit 190251 None None None Never
OpenStack gerrit 195331 None None None Never
OpenStack gerrit 195686 None None None Never
OpenStack gerrit 196873 None None None Never
Red Hat Product Errata RHEA-2015:1549 normal SHIPPED_LIVE Red Hat Enterprise Linux OpenStack Platform director Release 2015-08-05 17:49:10 UTC

Description Ben Nemec 2015-06-11 17:26:43 UTC
Description of problem: Currently instack-undercloud is only able to configure the undercloud for non-SSL API endpoints.  In addition, a couple of the clients we use are lacking full support for SSL options that makes it impossible to use common SSL setups.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:

Actual results:

Expected results:

Additional info: These issues are addressed by:

Comment 3 Ana Krivokapic 2015-06-22 13:44:13 UTC
*** Bug 1234384 has been marked as a duplicate of this bug. ***

Comment 9 James Slagle 2015-07-08 15:06:27 UTC
ben looking into the failure here

Comment 10 James Slagle 2015-07-08 16:03:55 UTC
had to revert this one:

the revert is built into:

Comment 11 Ben Nemec 2015-07-08 20:46:10 UTC
New patch posted that fixes the problem with non-SSL underclouds.

Comment 13 Alexander Chuzhoy 2015-07-21 14:08:17 UTC

Was able to deploy an overcloud on top of undercloud with enabled SSL.

Comment 15 errata-xmlrpc 2015-08-05 13:53:26 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.