Downstream clone of https://bugs.launchpad.net/tripleo/+bug/1639996

When deploying an overcloud using RDO Newton TripleO, I have the following set in an environment file:

    parameter_defaults:
      ServiceNetMap:
        KeystoneAdminApiNetwork: external

And I am deploying the overcloud with ssl enabled. Everything looks correct, the keystone adminurl endpoint is deployed on the external interface, but ssl is not enabled.

    $ openstack endpoint list
    +----------------------------------+-----------+--------------+----------------+
    | ID                               | Region    | Service Name | Service Type   |
    +----------------------------------+-----------+--------------+----------------+
    | d6f09efcfee1498db3e27812928ecd9e | regionOne | nova         | compute        |
    | 2eb2a73c07f3401a8c55bb52d5e16428 | regionOne | heat         | orchestration  |
    | 4ef8b17b94954b3cb6b6acf99acfe26d | regionOne | gnocchi      | metric         |
    | f9eac3efb6d143bd94a3c93b988b0979 | RegionOne | heat-cfn     | cloudformation |
    | d20269db7eec4e1abab2e85fed78b3d2 | regionOne | swift        | object-store   |
    | c76ebdc497a74f948c034961b748cfff | regionOne | heat-cfn     | cloudformation |
    | 95027035bbe04cb99377d3513149af9d | regionOne | glance       | image          |
    | 0b68b0ca2fb4452785921dd523c55828 | regionOne | cinderv2     | volumev2       |
    | 2170658fbed84966a73cc6467242d6bf | regionOne | neutron      | network        |
    | 6cebaed704124836ba895a38ee09f405 | regionOne | aodh         | alarming       |
    | c13aab23ca844f8c90e3261944952ee1 | regionOne | keystone     | identity       |
    | e3b0c12428034ee5a9768386f9f6a8c3 | regionOne | cinderv3     | volumev3       |
    | f519d0afafaf47ce9e08b66bc278720b | regionOne | cinder       | volume         |
    | 7243f2c080d3459dac61d04c9f022650 | regionOne | ceilometer   | metering       |
    +----------------------------------+-----------+--------------+----------------+

    [stack@rhosops-test-tripleo openstack-deployment]$ openstack endpoint show keystone
    +--------------+---------------------------------------------------------------+
    | Field        | Value                                                         |
    +--------------+---------------------------------------------------------------+
    | adminurl     | http://10.8.208.1:35357/v2.0                                  |
    | enabled      | True                                                          |
    | id           | c13aab23ca844f8c90e3261944952ee1                              |
    | internalurl  | http://172.16.0.2:5000/v2.0                                   |
    | publicurl    | https://cloud.rhosops-test.lab.eng.rdu2.redhat.com:13000/v2.0 |
    | region       | regionOne                                                     |
    | service_id   | d5e529a0d86b445bb606d9e8caa31ef9                              |
    | service_name | keystone                                                      |
    | service_type | identity                                                      |
    +--------------+---------------------------------------------------------------+

Note the difference between publicurl and adminurl. While I understand normally this endpoint is deployed in an internal network, considering this endpoint is the most critical to the entire OpenStack environment (from a security perspective) we should always enable it with SSL when the cloud has SSL turned on as part of the deployment.
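A check for the mismatch the report points out, as an added example that is not part of the original bug report or of TripleO: it parses `openstack endpoint show` table output and lists the URL fields whose scheme is not https. The function names are hypothetical, and the sample is the report's own table trimmed to four rows.

```python
"""Audit `openstack endpoint show` table output for endpoints served without TLS."""
from urllib.parse import urlparse

# Constructed sample: the keystone endpoint table from the report, trimmed.
SAMPLE = """\
+--------------+---------------------------------------------------------------+
| Field        | Value                                                         |
+--------------+---------------------------------------------------------------+
| adminurl     | http://10.8.208.1:35357/v2.0                                  |
| internalurl  | http://172.16.0.2:5000/v2.0                                   |
| publicurl    | https://cloud.rhosops-test.lab.eng.rdu2.redhat.com:13000/v2.0 |
| service_name | keystone                                                      |
+--------------+---------------------------------------------------------------+
"""


def parse_table(text):
    """Return {field: value} from a two-column CLI table (hypothetical helper)."""
    rows = {}
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue  # skip "+---+" borders, shell prompts and blank lines
        cells = [cell.strip() for cell in line.strip("|").split("|")]
        if len(cells) == 2 and cells[0] != "Field":
            rows[cells[0]] = cells[1]
    return rows


def plaintext_endpoints(text):
    """List (field, url) pairs for *url fields whose scheme is not https."""
    findings = []
    for field, value in parse_table(text).items():
        if field.endswith("url") and urlparse(value).scheme != "https":
            findings.append((field, value))
    return findings


if __name__ == "__main__":
    for field, url in plaintext_endpoints(SAMPLE):
        print(f"{field}: {url} is not served over TLS")
```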
I have a patch upstream to make this the default, but there are concerns about how it will behave in the DNS endpoint case. I haven't had a chance to set up a test environment to determine the best way to handle that yet, but I think that's the only remaining blocker.
According to our records, this should be resolved by puppet-tripleo-5.6.8-16.el7ost. This build is available now.
Can you verify Nathan's comment on this BZ and see if we can verify this BZ again with the same build?
Closing | No new updates to be applied to RHOSP 10 documentation