Bug 1336504 - [RFE] TLS for internal services
Summary: [RFE] TLS for internal services
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-tripleo-heat-templates
Version: 11.0 (Ocata)
Hardware: Unspecified
OS: Unspecified
high
high
Target Milestone: Upstream M2
: 12.0 (Pike)
Assignee: Emilien Macchi
QA Contact: Prasanth Anbalagan
URL:
Whiteboard:
: 1293943 1433717 (view as bug list)
Depends On: 1420946 1513437 1513440
Blocks: 1389435 1417142 1442136
TreeView+ depends on / blocked
 
Reported: 2016-05-16 16:39 UTC by Maxime Payant-Chartier
Modified: 2019-10-10 12:06 UTC (History)
38 users (show)

Fixed In Version: openstack-tripleo-heat-templates-7.0.0-0.20170706121722.el7ost puppet-tripleo-7.1.1-0.20170706195430.76af0ab.el7ost
Doc Type: Enhancement
Doc Text:
Clone Of:
: 1417142 (view as bug list)
Environment:
Last Closed: 2017-12-13 20:41:55 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
OpenStack gerrit 282307 0 None MERGED Internal TLS using certmonger 2020-09-11 10:52:44 UTC
OpenStack gerrit 474135 0 None MERGED Enable nova-api to run over httpd again 2020-09-11 10:52:47 UTC
OpenStack gerrit 478617 0 None MERGED Merge the nova HAproxy TLS options 2020-09-11 10:52:46 UTC
Red Hat Product Errata RHEA-2017:3462 0 normal SHIPPED_LIVE Red Hat OpenStack Platform 12.0 Enhancement Advisory 2018-02-16 01:43:25 UTC

Description Maxime Payant-Chartier 2016-05-16 16:39:25 UTC
Description of problem:

Adding TLS support for MariaDB, RabbitMQ and internal services endpoints.

Comment 9 Ehud 2017-01-09 09:47:56 UTC
We are looking for the following with TLS:
•         Does Nova communicate with Glance securely
•         Is TLS enabled for authentication?
•         Does cinder communicate with glance over TLS
•         Does cinder communicate with nova over TLS
•         Is TLS enabled on Neutron API server

Comment 12 Juan Antonio Osorio 2017-01-10 15:12:44 UTC
•         Does Nova communicate with Glance securely
Not yet, patches are up
•         Is TLS enabled for authentication?
yes
•         Does cinder communicate with glance over TLS
not yet, Cinder is using TLS for all it's endpoints, but TLS for glance is in progress.
•         Does cinder communicate with nova over TLS
yes.
•         Is TLS enabled on Neutron API server
not yet. Working on that.

There are still services that don't have TLS enabled, my main delays have been trying to get services over httpd, and getting a CI job to test this upstream. The CI job is almost ready, and regarding the services; Even if I spent a lot of time trying to get services such as glance, swift and heat over httpd, those won't happen in this release (and swift probably won't happen at all). So instead I'll use mod_proxy in front of these services (with the pieces to do this landing recently).

Comment 15 Red Hat Bugzilla Rules Engine 2017-02-01 01:27:40 UTC
This bugzilla has been removed from the release and needs to be reviewed for targeting another release.

Comment 22 Nathan Kinder 2017-02-09 23:59:15 UTC
*** Bug 1293943 has been marked as a duplicate of this bug. ***

Comment 26 Keith Basil 2017-03-20 13:34:31 UTC
*** Bug 1433717 has been marked as a duplicate of this bug. ***

Comment 35 Yves Brissette 2017-06-20 16:44:31 UTC
Adding TLS support for MariaDB, RabbitMQ and internal services endpoints are critical requirements for CBIS to achieve ANSSI compliance.

Comment 41 errata-xmlrpc 2017-12-13 20:41:55 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2017:3462


Note You need to log in before you can comment on or make changes to this bug.