Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1463355

Summary: [RFE] Add TLS support for HAProxy management interface (stats socket)
Product: Red Hat OpenStack Reporter: Nathan Kinder <nkinder>
Component: puppet-tripleo Assignee: Angus Thomas <athomas>
Status: CLOSED ERRATA QA Contact: Prasanth Anbalagan <panbalag>
Severity: unspecified Docs Contact:
Priority: high    
Version: 12.0 (Pike) CC: bperkins, dbecker, jjoyce, jschluet, kbasil, mburns, mlopes, morazi, panbalag, rhel-osp-director-maint, slinaber, tvignaud
Target Milestone: Upstream M3 Keywords: FutureFeature, Triaged
Target Release: 12.0 (Pike)   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: puppet-tripleo-7.4.1-0.20170916161117.4a16f48.el7ost Doc Type: Release Note
Doc Text:
When TLS everywhere is enabled, the HAProxy stats interface will also use TLS. As a result, you will need to access the interface through the individual node's ctlplane address, which is either the actual IP address or the FQDN (using the convention <node name>.ctlplane.<domain>, for example, overcloud-controller-0.ctlplane.example.com). This setting can be configured by the `CloudNameCtlplane` parameter in `tripleo-heat-templates`. Note that you can still use the `haproxy_stats_certificate` parameter from the HAProxy class, and it will take precedence if set.
Last Closed: 2017-12-13 21:33:29 UTC Type: Bug

Description Nathan Kinder 2017-06-20 15:40:48 UTC
Director needs to have support for configuring the HAProxy management interface (stats socket) to use TLS.  Director configures HAProxy to listen on a TCP socket for this interface.  More details are available here:

  https://cbonte.github.io/haproxy-dconv/1.6/management.html#9.2

Note - This was split off from the TLS everywhere RFE for OSP12 (bug# 1336504), which added TLS support for other internal traffic.

Comment 7 errata-xmlrpc 2017-12-13 21:33:29 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2017:3462