keystone admin endpoint not configured with ssl
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| tripleo | Fix Released | High | Juan Antonio Osorio Robles | |
Bug Description
Hi,
When deploying an overcloud using RDO Newton TripleO, I have the following set in an environment file:
parameter_defaults:
  ServiceNetMap:
    KeystoneAdm
And I am deploying the overcloud with ssl enabled.
Everything looks correct: the keystone adminurl endpoint is deployed on the external interface, but SSL is not enabled.
$ openstack endpoint list
[stack@
+------
| Field | Value |
+------
| adminurl | http://
| enabled | True |
| id | c13aab23ca844f8
| internalurl | http://
| publicurl | https:/
| region | regionOne |
| service_id | d5e529a0d86b445
| service_name | keystone |
| service_type | identity |
+------
Note the difference between publicurl and adminurl.
While I understand that normally this endpoint is deployed in an internal network, considering this endpoint is the most critical to the entire OpenStack environment (from a security perspective), we should always enable it with SSL when the cloud has SSL turned on as part of the deployment.
Regards,
Graeme
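A check a deployer can run against the service catalog to catch exactly the mismatch described above (public endpoint on https, admin endpoint on plain http). This is an added example, not part of the bug report or of TripleO; it assumes the JSON shape produced by `openstack endpoint list -f json` on a Keystone v3 catalog, and the endpoint rows embedded below are constructed for illustration.

```python
import json
from urllib.parse import urlsplit

# Constructed sample in the shape of `openstack endpoint list -f json`
# (one row per interface). IDs and hostnames are made up for this example.
SAMPLE_ENDPOINTS_JSON = json.dumps([
    {"ID": "ep-identity-public", "Region": "regionOne", "Service Name": "keystone",
     "Service Type": "identity", "Enabled": True, "Interface": "public",
     "URL": "https://overcloud.example.invalid:13000/v2.0"},
    {"ID": "ep-identity-admin", "Region": "regionOne", "Service Name": "keystone",
     "Service Type": "identity", "Enabled": True, "Interface": "admin",
     "URL": "http://overcloud.example.invalid:35357/v2.0"},
    {"ID": "ep-identity-internal", "Region": "regionOne", "Service Name": "keystone",
     "Service Type": "identity", "Enabled": True, "Interface": "internal",
     "URL": "http://172.16.2.10:5000/v2.0"},
    {"ID": "ep-compute-public", "Region": "regionOne", "Service Name": "nova",
     "Service Type": "compute", "Enabled": True, "Interface": "public",
     "URL": "https://overcloud.example.invalid:13774/v2.1"},
    {"ID": "ep-compute-admin", "Region": "regionOne", "Service Name": "nova",
     "Service Type": "compute", "Enabled": True, "Interface": "admin",
     "URL": "http://overcloud.example.invalid:8774/v2.1"},
    {"ID": "ep-old-disabled", "Region": "regionOne", "Service Name": "glance",
     "Service Type": "image", "Enabled": False, "Interface": "admin",
     "URL": "http://overcloud.example.invalid:9292"},
])


def plaintext_endpoints(endpoints, interfaces=("public", "admin")):
    """Return (service_type, interface, url) for every enabled endpoint on
    one of `interfaces` whose URL is not https. Internal endpoints are left
    out by default because they usually live on an isolated network; pass
    interfaces=("public", "admin", "internal") to audit them too. Identity
    endpoints are listed first since they carry credentials and tokens."""
    findings = []
    for ep in endpoints:
        if not ep.get("Enabled", True) or ep["Interface"] not in interfaces:
            continue
        if urlsplit(ep["URL"]).scheme.lower() != "https":
            findings.append((ep["Service Type"], ep["Interface"], ep["URL"]))
    findings.sort(key=lambda f: (f[0] != "identity", f[0], f[1]))
    return findings


if __name__ == "__main__":
    # In a real overcloud: openstack endpoint list -f json | python3 this_script.py
    for service, interface, url in plaintext_endpoints(json.loads(SAMPLE_ENDPOINTS_JSON)):
        print(f"{service:10} {interface:8} {url}")
```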
information type: Private Security → Public Security
Changed in tripleo:
  status: New → Triaged
  importance: Undecided → High
  milestone: none → pike-1
Changed in tripleo:
  milestone: pike-1 → pike-2
Changed in tripleo:
  milestone: pike-2 → pike-3
Changed in tripleo:
  status: Triaged → In Progress
Changed in tripleo:
  milestone: pike-3 → pike-rc1
Changed in tripleo:
  assignee: nobody → Ben Nemec (bnemec)
Changed in tripleo:
  assignee: Ben Nemec (bnemec) → Juan Antonio Osorio Robles (juan-osorio-robles)
Mhh, it seems like this bug was a feature we did in Ocata, with TLS everywhere and this thing is not backportable... I wonder how we could fix it in Newton though.