custom SSL certificate for Contrail WebUI
Bug #1704746 reported by Slobodan Blatnjak
This bug affects 4 people
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Juniper Openstack | Status tracked in Trunk | | |
R3.2 | Fix Committed | Medium | Biswajit Mandal |
R4.0 | Fix Committed | Medium | Biswajit Mandal |
R4.1 | Fix Committed | Medium | Biswajit Mandal |
Trunk | Fix Committed | Medium | Biswajit Mandal |
Bug Description
Orange would like to be able to deploy a custom SSL certificate for Contrail WebUI when Contrail is deployed with Red Hat Director.
Currently they can install it manually after Contrail is deployed. The customer needs this to happen automatically during the deployment of Contrail.
See with Nicolas Marcoux and Michael Henkel @Juniper.
tags: added: orange
tags: added: ui
Changed in juniperopenstack: assignee: nobody → Anish Mehta (amehta00)
Changed in juniperopenstack: importance: Undecided → Medium
Changed in juniperopenstack: assignee: Anish Mehta (amehta00) → Biswajit Mandal (bmandal)
information type: Proprietary → Public
Some more info on this...
-------
Orange reported issue "Impossible to access Contrail WebUI through HAProxy":
"I am currently facing a problem with a deployment RedHat OSP 10 + Contrail 3.2.3: I am not able to connect to Contrail WebUI using Overcloud VIP on External Network.
When trying to access the WebUI, the web browser tries to load the page but nothing happens.
Note that if I try to access the WebUI using Contrail VIP (on Contrail network), it works well. It seems that there is a misconfiguration in haproxy, leading to this issue.
Here is the configuration deployed in haproxy:
listen contrail_webui_https
bind 172.20.71.115:8143 transparent ssl crt /etc/pki/tls/private/overcloud_endpoint.pem
bind 192.168.19.2:8143 transparent
balance source
hash-type consistent
server 192.168.19.9 192.168.19.9:8143 check fall 5 inter 2000 rise 2
server 192.168.19.10 192.168.19.10:8143 check fall 5 inter 2000 rise 2
server 192.168.19.11 192.168.19.11:8143 check fall 5 inter 2000 rise 2
172.20.71.115 is the VIP on External network; when I try to access it, it doesn't work.
192.168.19.2 is the VIP on Contrail Network; when I try to access it, it works."
-------
Below is the communication with Orange broken into the 3 points:
1. Manual procedure
Changing:
bind 172.20.71.115:8143 transparent ssl crt /etc/pki/tls/private/overcloud_endpoint.pem
To:
bind 172.20.71.115:8143 transparent
Resolves the problem of access to webui. However, this certificate is not used anymore for contrail webui. Instead of this Orange certificate, you get Contrail's default self-signed certificate when accessing the webui. (Btw, as you have found it already, this is because of:
server 192.168.19.9 192.168.19.9:8143 check fall 5 inter 2000 rise 2
.. in haproxy settings and config.server_options.key_file, config.server_options.cert_file in /etc/contrail/config.global.js webui settings, which are probably set to look at the default certificate.)
This is not acceptable since you can't change this default certificate for now (For this we have ER-075586 - Custom SSL certificate for Contrail WebUI).
You have a solution that could be more acceptable. Instead of removing the "ssl crt ..." instruction on the "bind" line, you added "ssl verify none" on "server" lines, giving that solution:
listen contrail_webui_https
bind 192.168.213.12:8143 transparent ssl crt /etc/pki/tls/private/overcloud_endpoint.pem
bind 192.168.215.12:8143 transparent
balance source
hash-type consistent
server 192.168.215.18 192.168.215.18:8143 check fall 5 inter 2000 rise 2 ssl verify none
server 192.168.215.19 192.168.215.19:8143 check fall 5 inter 2000 rise 2 ssl verify none
server 192.168.215.20 192.168.215.20:8143 check fall 5 inter 2000 rise 2 ssl verify none
This manual solution worked well and is acceptable to you. The user now gets the Orange overcloud-signed certificate.
You want this to be implemented in point 2 (Managed by RH Director) and you are concerned with point 3 in your design (HAProxy "balance source").
2. Managed by RH Director
You want HAProxy's configuration to be managed by RH Director / Contrail deployme...