Description of problem:

Horizon endpoints shown as http based in keystone endpoint-list on SSL-enabled overcloud

+----------------------------------+-----------+-----------------------------------------------------+--------------------------------------------------+-----------------------------------------------+----------------------------------+
| id                               | region    | publicurl                                           | internalurl                                      | adminurl                                      | service_id                       |
+----------------------------------+-----------+-----------------------------------------------------+--------------------------------------------------+-----------------------------------------------+----------------------------------+
| 0155a41cd06d40c687af3696b5272af9 | regionOne | https://192.168.200.180:13776/v1/%(tenant_id)s      | http://192.168.100.11:8776/v1/%(tenant_id)s      | http://192.168.100.11:8776/v1/%(tenant_id)s   | ebc366add66644f9bba757d81035ade9 |
| 03cb933eb91441a48ea3ea8236e70330 | regionOne | https://192.168.200.180:13292/                      | http://192.168.110.10:9292/                      | http://192.168.110.10:9292/                   | 326c52bd42b142fda84f6204e00b3c45 |
| 10d3d54aff1d40859bfa9dfb92dd99ec | regionOne | https://192.168.200.180:13696/                      | http://192.168.100.11:9696/                      | http://192.168.100.11:9696/                   | bc78ca9bbfae48e5a55c4e460a114975 |
| 3d6839ce484f4d9d804bbfeed686469e | regionOne | http://192.168.200.180:80/dashboard/                | http://192.168.200.180:80/dashboard/             | http://192.168.200.180:80/dashboard/admin     | ad5e47afeefd48aea5e8b1b1c7d43948 |
| 41f66e777d4342a0b834e5a8637ff002 | regionOne | https://192.168.200.180:13000/v2.0                  | http://192.168.100.11:5000/v2.0                  | http://192.0.2.6:35357/v2.0                   | 6d39d30c11224c8dbfecaa18efaf21c5 |
| 4413098261454d9ab91c08d126ab729b | regionOne | https://192.168.200.180:13808/v1/AUTH_%(tenant_id)s | http://192.168.110.10:8080/v1/AUTH_%(tenant_id)s | http://192.168.110.10:8080/v1                 | 4905137049704ca38b209def5604d9a0 |
| 99ad7f03dc154525bc57e9ab4845d412 | regionOne | https://192.168.200.180:13774/v2.1/$(tenant_id)s    | http://192.168.100.11:8774/v2.1/$(tenant_id)s    | http://192.168.100.11:8774/v2.1/$(tenant_id)s | 07c273e40952454d9fd667fb0f64d9ea |
| a32b5b6bed0e48a3949e2c6f890b579b | regionOne | https://192.168.200.180:13004/v1/%(tenant_id)s      | http://192.168.100.11:8004/v1/%(tenant_id)s      | http://192.168.100.11:8004/v1/%(tenant_id)s   | c58d5a76d10440a09d809e5eff7ac4ec |
| b30fcaed1bf14afc93aefb09ff391bf5 | regionOne | https://192.168.200.180:13776/v2/%(tenant_id)s      | http://192.168.100.11:8776/v2/%(tenant_id)s      | http://192.168.100.11:8776/v2/%(tenant_id)s   | f47eb9309f704c078e9e709df112dcfb |
| e3caa3cef6a94f08b40030cc18f88848 | regionOne | https://192.168.200.180:13777/                      | http://192.168.100.11:8777/                      | http://192.168.100.11:8777/                   | 0f993e45b8914efca20f932c46c50a85 |
+----------------------------------+-----------+-----------------------------------------------------+--------------------------------------------------+-----------------------------------------------+----------------------------------+

There is nothing listening on port 80 on the VIP on the controllers.
curl http://192.168.200.180:80/dashboard/
curl: (7) Failed connect to 192.168.200.180:80; Connection refused

There is a setting in HAProxy on the controllers:

listen horizon
  bind 192.168.100.11:80 transparent
  bind 192.168.200.180:443 transparent ssl crt /etc/pki/tls/private/overcloud_endpoint.pem
  mode http
  cookie SERVERID insert indirect nocache
  rsprep ^Location:\ http://(.*) Location:\ https://\1
  server overcloud-controller-0 192.168.100.15:80 check cookie overcloud-controller-0 fall 5 inter 2000 rise 2
  server overcloud-controller-1 192.168.100.16:80 check cookie overcloud-controller-0 fall 5 inter 2000 rise 2
  server overcloud-controller-2 192.168.100.14:80 check cookie overcloud-controller-0 fall 5 inter 2000 rise 2

However, it does not pertain to the port 80 listener on the public VIP (192.168.200.180).

Version-Release number of selected component (if applicable):

openstack-heat-templates-0-0.1.20151019.el7ost.noarch
openstack-tripleo-heat-templates-0.8.14-9.el7ost.noarch
openstack-tripleo-heat-templates-kilo-0.8.14-9.el7ost.noarch
openstack-ironic-common-4.2.2-4.el7ost.noarch
openstack-ceilometer-api-5.0.2-2.el7ost.noarch
openstack-heat-api-cfn-5.0.1-5.el7ost.noarch
openstack-swift-object-2.5.0-2.el7ost.noarch
openstack-selinux-0.6.58-1.el7ost.noarch
openstack-tripleo-image-elements-0.9.9-2.el7ost.noarch
openstack-ceilometer-central-5.0.2-2.el7ost.noarch
openstack-nova-conductor-12.0.3-1.el7ost.noarch
openstack-glance-11.0.1-4.el7ost.noarch
openstack-ceilometer-common-5.0.2-2.el7ost.noarch
openstack-nova-compute-12.0.3-1.el7ost.noarch
openstack-swift-2.5.0-2.el7ost.noarch
openstack-ironic-inspector-2.2.5-2.el7ost.noarch
openstack-neutron-openvswitch-7.0.4-3.el7ost.noarch
openstack-heat-common-5.0.1-5.el7ost.noarch
openstack-heat-api-5.0.1-5.el7ost.noarch
openstack-swift-account-2.5.0-2.el7ost.noarch
openstack-swift-proxy-2.5.0-2.el7ost.noarch
openstack-ceilometer-collector-5.0.2-2.el7ost.noarch
openstack-heat-templates-0-0.1.20151019.el7ost.noarch
openstack-tripleo-heat-templates-0.8.14-9.el7ost.noarch
openstack-tripleo-common-0.3.1-1.el7ost.noarch
openstack-ironic-conductor-4.2.2-4.el7ost.noarch
openstack-puppet-modules-7.0.17-1.el7ost.noarch
openstack-utils-2014.2-1.el7ost.noarch
openstack-neutron-common-7.0.4-3.el7ost.noarch
openstack-neutron-7.0.4-3.el7ost.noarch
openstack-neutron-ml2-7.0.4-3.el7ost.noarch
openstack-ironic-api-4.2.2-4.el7ost.noarch
openstack-heat-engine-5.0.1-5.el7ost.noarch
openstack-nova-scheduler-12.0.3-1.el7ost.noarch
openstack-swift-container-2.5.0-2.el7ost.noarch
openstack-nova-api-12.0.3-1.el7ost.noarch
openstack-ceilometer-polling-5.0.2-2.el7ost.noarch
openstack-tripleo-puppet-elements-0.0.5-1.el7ost.noarch
openstack-ceilometer-alarm-5.0.2-2.el7ost.noarch
openstack-keystone-8.0.1-1.el7ost.noarch
openstack-nova-cert-12.0.3-1.el7ost.noarch
openstack-nova-common-12.0.3-1.el7ost.noarch
openstack-tripleo-0.0.7-1.el7ost.noarch
python-openstackclient-1.7.2-1.el7ost.noarch
openstack-heat-api-cloudwatch-5.0.1-5.el7ost.noarch
openstack-swift-plugin-swift3-1.9-1.el7ost.noarch
openstack-ceilometer-notification-5.0.2-2.el7ost.noarch

How reproducible:
always

Steps to Reproduce:
1. deploy RHOS 8 with SSL enabled on the overcloud

Actual results:
as described above

Expected results:
either keystone should point to an https endpoint, or there should be a listener on port 80 redirecting to https.

Additional info:
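An added audit check, not part of this report or of the tripleo templates: it parses keystone endpoint-list output, flags every publicurl that is not https, and cross-checks the advertised host:port against the HAProxy bind lines so a catalog entry with no listener (the dashboard case above) is caught before users hit it. The sample table rows and HAProxy snippet are constructed from the ones quoted in the report.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: two rows from the keystone endpoint-list output quoted in the report.
SAMPLE_CATALOG = """\
+----+-----------+----+----+----+----+
| id | region | publicurl | internalurl | adminurl | service_id |
+----+-----------+----+----+----+----+
| 03cb933eb91441a48ea3ea8236e70330 | regionOne | https://192.168.200.180:13292/ | http://192.168.110.10:9292/ | http://192.168.110.10:9292/ | 326c52bd42b142fda84f6204e00b3c45 |
| 3d6839ce484f4d9d804bbfeed686469e | regionOne | http://192.168.200.180:80/dashboard/ | http://192.168.200.180:80/dashboard/ | http://192.168.200.180:80/dashboard/admin | ad5e47afeefd48aea5e8b1b1c7d43948 |
+----+-----------+----+----+----+----+
"""

# Constructed sample: the bind lines of the "listen horizon" block quoted in the report.
SAMPLE_HAPROXY = """\
listen horizon
  bind 192.168.100.11:80 transparent
  bind 192.168.200.180:443 transparent ssl crt /etc/pki/tls/private/overcloud_endpoint.pem
"""

def parse_endpoint_list(text):
    """Turn the ASCII table printed by keystone endpoint-list into row dicts."""
    header, rows = None, []
    for line in text.splitlines():
        if not line.startswith("|"):
            continue  # +----+ border lines carry no data
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if header is None:
            header = cells  # first pipe-delimited line is the column header
        else:
            rows.append(dict(zip(header, cells)))
    return rows

def non_tls_public_endpoints(catalog_text):
    """Catalog entries whose publicurl is not https: wrong on a TLS-enabled overcloud."""
    return [(r["id"], r["publicurl"]) for r in parse_endpoint_list(catalog_text)
            if urlsplit(r["publicurl"]).scheme != "https"]

def has_listener(public_url, haproxy_text):
    """True if some HAProxy bind covers the host:port the catalog advertises."""
    url = urlsplit(public_url)
    port = url.port or (443 if url.scheme == "https" else 80)  # scheme default
    binds = set(re.findall(r"^\s*bind\s+(\S+)", haproxy_text, re.MULTILINE))
    return f"{url.hostname}:{port}" in binds

if __name__ == "__main__":
    for eid, url in non_tls_public_endpoints(SAMPLE_CATALOG):
        listener = "has" if has_listener(url, SAMPLE_HAPROXY) else "has NO"
        print(f"{eid}: {url} is not https and {listener} HAProxy listener")
```

On a live controller, feed it the real command output and /etc/haproxy/haproxy.cfg instead of the constructed samples.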
I'm guessing this is for OSP-8. This should be partly fixed in OSP9 as per this commit https://review.openstack.org/#/c/294456. Should I backport? The lack of TLS in the keystone endpoints for horizon is an issue, however; I'll look into it.
Horizon should show up when calling the public VIP over https even though the public API endpoint is http. I believe this is done by the haproxy rsprep rule. So curl https://192.168.200.180 should return the dashboard. The 80->443 port redirection should be fixed by the patch Juan mentioned. This was initially reported in BZ#1301738 and marked as an RFE, but I see it's still in NEW state.
This seems like it's something we should consider backporting for OSPd 8.y. The URL for the dashboard in the endpoint catalog simply won't work due to the 'http' scheme since there is nothing listening on that port. Given that TLS support is a really important feature for OSP8, I think we should fix this if it's not too difficult of a backport.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2016:1228