Enable TLS encryption for Discovery service

Bug #1728676 reported by Jeff Fischer
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone
Juniper Openstack R3.2 | Fix Committed | High | Ignatious Johnson Christopher |
OpenContrail | New | Undecided | Ignatious Johnson Christopher |

Bug Description

Our Contrail 3.2.4 HA deployment has 3 nodes running the discovery service and they are fronted by haproxy on our load balancer nodes. We are required to encrypt all inter-node traffic. Can the discovery service and its clients be configured to use SSL? If not, can Contrail 3.2 be enhanced to support this?

Fawad (fshaikh)
tags: added: wpc
Jeba Paulaiyan (jebap)
tags: added: config
no longer affects: juniperopenstack
Sachin Bansal (sbansal)
Changed in opencontrail:
assignee: nobody → Ignatious Johnson Christopher (ijohnson-x)
Jeba Paulaiyan (jebap)
tags: added: blocker
OpenContrail Admin (ci-admin-f) wrote : [Review update] R3.2

Review in progress for https://review.opencontrail.org/39658
Submitter: Ignatious Johnson Christopher (<email address hidden>)

OpenContrail Admin (ci-admin-f) wrote :

Review in progress for https://review.opencontrail.org/40070
Submitter: Ignatious Johnson Christopher (<email address hidden>)

OpenContrail Admin (ci-admin-f) wrote :

Review in progress for https://review.opencontrail.org/40071
Submitter: Ignatious Johnson Christopher (<email address hidden>)

OpenContrail Admin (ci-admin-f) wrote : A change has been merged

Reviewed: https://review.opencontrail.org/40071
Committed: http://github.com/Juniper/contrail-fabric-utils/commit/10535d48cf0901bde5d96901cd68b425e04bde6c
Submitter: Zuul (<email address hidden>)
Branch: R3.2

commit 10535d48cf0901bde5d96901cd68b425e04bde6c
Author: Ignatious Johnson Christopher <email address hidden>
Date: Fri Feb 23 22:25:56 2018 -0800

Create ssl certs for discovery server

- ssl termination using haproxy
- passing the certs as args to the setup-vnc-<role> entrypoints

Change-Id: Ic06660e7243ce2d7c8290a402968366fd737fda1
Closes-Bug: 1728676

OpenContrail Admin (ci-admin-f) wrote :

Reviewed: https://review.opencontrail.org/40070
Committed: http://github.com/Juniper/contrail-provisioning/commit/8f1f9aaef45355bed6e868891eef52f919d1ecf1
Submitter: Zuul (<email address hidden>)
Branch: R3.2

commit 8f1f9aaef45355bed6e868891eef52f919d1ecf1
Author: Ignatious Johnson Christopher <email address hidden>
Date: Fri Feb 23 23:29:55 2018 -0800

provision discovery ssl certs in the required contrail config file.

Change-Id: Ib3d3f62d18689034b7bd79c291843dea65cf1129
Partial-Bug: 1728676

OpenContrail Admin (ci-admin-f) wrote :

Reviewed: https://review.opencontrail.org/39658
Committed: http://github.com/Juniper/contrail-controller/commit/26ec5b4a3511c42cc4c3b4ba7105dd8d7c32dfb4
Submitter: Zuul (<email address hidden>)
Branch: R3.2

commit 26ec5b4a3511c42cc4c3b4ba7105dd8d7c32dfb4
Author: Ignatious Johnson Christopher <email address hidden>
Date: Sun Feb 11 08:43:31 2018 +0000

Support https connection to discovery server.
- modified http client/curl modules to accept ssl parameters
- modified discovery client to accept ssl params
- all contrail services will now read ssl params from config file and pass on to discovery client.

Partial-Bug: 1728676

Change-Id: I860ac80c824e225ef004ab3313e6e8b948986fda

Jeba Paulaiyan (jebap)
tags: added: operational
OpenContrail Admin (ci-admin-f) wrote : [Review update] R3.2

Review in progress for https://review.opencontrail.org/40339
Submitter: Ignatious Johnson Christopher (<email address hidden>)

OpenContrail Admin (ci-admin-f) wrote : A change has been merged

Reviewed: https://review.opencontrail.org/40339
Committed: http://github.com/Juniper/contrail-provisioning/commit/b585889b2bb7bb07cddde81ddf7e72122f9fd18a
Submitter: Zuul (<email address hidden>)
Branch: R3.2

commit b585889b2bb7bb07cddde81ddf7e72122f9fd18a
Author: Ignatious Johnson Christopher <email address hidden>
Date: Tue Mar 6 19:05:56 2018 +0000

vrouter agent expects the boolean inputs to be in lower case.

Change-Id: I605544f706e88f27591d3514caa4572ce8ca7f69
Closes-Bug: 1728676
