with tls-everywhere connection from haproxy to novnc proxy is not encrypted

Bug #1785700 reported by Martin Schuppert
Affects: tripleo
Status: Fix Released
Importance: Medium
Assigned to: Martin Schuppert

Bug Description

When tls-everywhere is configured we have TLS connections from:
- client -> haproxy
- novncproxy -> vnc server (instance)

but the connection from haproxy -> nova novncproxy is not encrypted

Changed in tripleo:
assignee: nobody → Martin Schuppert (mschuppert)
status: New → In Progress
Changed in tripleo:
milestone: none → rocky-rc1
importance: Undecided → Medium
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to puppet-tripleo (master)

Related fix proposed to branch: master
Review: https://review.openstack.org/589414

OpenStack Infra (hudson-openstack) wrote : Fix proposed to tripleo-heat-templates (master)

Fix proposed to branch: master
Review: https://review.openstack.org/589434

OpenStack Infra (hudson-openstack) wrote : Related fix proposed to tripleo-common (master)

Related fix proposed to branch: master
Review: https://review.openstack.org/589732

OpenStack Infra (hudson-openstack) wrote : Related fix merged to tripleo-common (master)

Reviewed: https://review.openstack.org/589732
Committed: https://git.openstack.org/cgit/openstack/tripleo-common/commit/?id=e380c3f396b76edc95d09bac2bdc73005fdd73ad
Submitter: Zuul
Branch: master

commit e380c3f396b76edc95d09bac2bdc73005fdd73ad
Author: Martin Schuppert <email address hidden>
Date: Wed Aug 8 09:05:14 2018 +0200

    Use https for novnc proxy healthcheck if ssl_only is configured

    If nova novnc proxy is configured to ssl only, (see LP 178570)
    we need to make sure to also use ssl with the healthcheck script.
    With this change we verify if ssl_only is configured in nova.conf
    and set https as the proto to use for the novnc healthcheck.

    With this change we verify if ssl_only is configured in nova.conf
    and set https.

    Change-Id: Idd96815b774b94ad5a6ffbb2af4d5b78306ddd12
    Related-bug: #1785700

OpenStack Infra (hudson-openstack) wrote : Related fix proposed to tripleo-common (stable/queens)

Related fix proposed to branch: stable/queens
Review: https://review.openstack.org/591141

OpenStack Infra (hudson-openstack) wrote : Related fix proposed to puppet-tripleo (stable/queens)

Related fix proposed to branch: stable/queens
Review: https://review.openstack.org/591272

OpenStack Infra (hudson-openstack) wrote : Fix proposed to tripleo-heat-templates (stable/queens)

Fix proposed to branch: stable/queens
Review: https://review.openstack.org/591273

OpenStack Infra (hudson-openstack) wrote : Related fix merged to tripleo-common (stable/queens)

Reviewed: https://review.openstack.org/591141
Committed: https://git.openstack.org/cgit/openstack/tripleo-common/commit/?id=7bf83dccb7018dc7266803d32bdbb5d776126d8a
Submitter: Zuul
Branch: stable/queens

commit 7bf83dccb7018dc7266803d32bdbb5d776126d8a
Author: Martin Schuppert <email address hidden>
Date: Wed Aug 8 09:05:14 2018 +0200

    Use https for novnc proxy healthcheck if ssl_only is configured

    If nova novnc proxy is configured to ssl only, (see LP 178570)
    we need to make sure to also use ssl with the healthcheck script.
    With this change we verify if ssl_only is configured in nova.conf
    and set https as the proto to use for the novnc healthcheck.

    With this change we verify if ssl_only is configured in nova.conf
    and set https.

    Change-Id: Idd96815b774b94ad5a6ffbb2af4d5b78306ddd12
    Related-bug: #1785700
    (cherry picked from commit e380c3f396b76edc95d09bac2bdc73005fdd73ad)

tags: added: in-stable-queens
OpenStack Infra (hudson-openstack) wrote : Related fix merged to puppet-tripleo (stable/queens)

Reviewed: https://review.openstack.org/591272
Committed: https://git.openstack.org/cgit/openstack/puppet-tripleo/commit/?id=5b49cc1d4827e6261d21929d6f901d2e35e13280
Submitter: Zuul
Branch: stable/queens

commit 5b49cc1d4827e6261d21929d6f901d2e35e13280
Author: Martin Schuppert <email address hidden>
Date: Tue Aug 7 10:14:04 2018 +0200

    SSL support for haproxy -> novnc proxy connection

    With tls-everywhere enabled the connection from haproxy to the nova novnc
    proxy was not encrypted. Now we request a certificate and configure haproxy
    and the novnc proxy to encrypt this remaining part in a vnc connection to
    be encrypted as well.

    Change-Id: I4667706633205c240f2efb51663e6efbce5e344e
    Related-bug: #1785700
    Depends-On: Ice51fe175bdc1cb14fa49cf53d1f38e9728bbb60
    (cherry picked from commit 10be0b67c77df7bd510cc8f0b7f4562e24b68cf3)
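
The commit messages above tie the healthcheck protocol and the haproxy backend settings to the novnc proxy's ssl_only option. As an added example (not code from tripleo-common or puppet-tripleo), this Python check reads both configurations and reports haproxy server lines left in plaintext; the `nova_novncproxy` section name, the `[DEFAULT]` placement of `ssl_only`, and all sample file contents are assumptions constructed for illustration.

```python
import configparser

# Constructed sample inputs (not from a real deployment). The section name
# "nova_novncproxy" and ssl_only living under [DEFAULT] are assumptions.
NOVA_CONF = "[DEFAULT]\nssl_only = true\n"
HAPROXY_CFG = """\
listen nova_novncproxy
  bind 192.0.2.10:13080 ssl crt /etc/example/endpoint.pem
  server ctl0 172.16.2.5:6080 check fall 5 inter 2000 rise 2
  server ctl1 172.16.2.6:6080 ssl check verify required ca-file /etc/example/ca.crt

listen nova_metadata
  server ctl0 172.16.2.5:8775 check
"""
SECTION_KEYWORDS = ("global", "defaults", "frontend", "backend", "listen")


def healthcheck_proto(nova_conf_text):
    """Return 'https' when nova.conf enables ssl_only, otherwise 'http'."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(nova_conf_text)
    enabled = cp.getboolean("DEFAULT", "ssl_only", fallback=False)
    return "https" if enabled else "http"


def plaintext_backends(haproxy_cfg_text, section="nova_novncproxy"):
    """Names of 'server' lines in `section` that lack the 'ssl' keyword."""
    current, plain = None, []
    for raw in haproxy_cfg_text.splitlines():
        tokens = raw.split("#", 1)[0].split()   # drop comments, tokenize
        if not tokens:
            continue
        if tokens[0] in SECTION_KEYWORDS:
            current = tokens[1] if len(tokens) > 1 else None
        elif tokens[0] == "server" and current == section and len(tokens) >= 3:
            if "ssl" not in tokens[3:]:          # options follow name and address
                plain.append(tokens[1])
    return plain


def audit(nova_conf_text, haproxy_cfg_text):
    """Return (healthcheck protocol, findings) for the haproxy -> novnc hop."""
    proto = healthcheck_proto(nova_conf_text)
    plain = plaintext_backends(haproxy_cfg_text)
    findings = []
    if proto == "http":
        findings.append("ssl_only is not set: the novnc proxy accepts plaintext")
    if plain:
        findings.append("haproxy servers without 'ssl': " + ", ".join(plain))
    return proto, findings
```
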

OpenStack Infra (hudson-openstack) wrote : Fix merged to tripleo-heat-templates (stable/queens)

Reviewed: https://review.openstack.org/591273
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=9881eabad9fdf6b65f92b312e8c456163582ddfd
Submitter: Zuul
Branch: stable/queens

commit 9881eabad9fdf6b65f92b312e8c456163582ddfd
Author: Martin Schuppert <email address hidden>
Date: Tue Aug 7 13:34:02 2018 +0200

    SSL support for haproxy -> novnc proxy connection

    With tls-everywhere enabled the connection from haproxy to the nova novnc
    proxy was not encrypted. Now we request a certificate and configure haproxy
    and the novnc proxy to encrypt this remaining part in a vnc connection to
    be encrypted as well.

    Change-Id: Ia0c8c452f0121298bef58409bd0bdbe4caa54e42
    Closes-Bug: #1785700
    Depends-On: Ice51fe175bdc1cb14fa49cf53d1f38e9728bbb60
    Depends-On: https://review.openstack.org/591272
    (cherry picked from commit 8d163a21f5c932631736c7e87c168cacdf93ce01)

Changed in tripleo:
milestone: rocky-rc1 → stein-1
OpenStack Infra (hudson-openstack) wrote : Related fix merged to puppet-tripleo (master)

Reviewed: https://review.openstack.org/589414
Committed: https://git.openstack.org/cgit/openstack/puppet-tripleo/commit/?id=1587c21d7fd48444a9398c08f22df4c1ae188c31
Submitter: Zuul
Branch: master

commit 1587c21d7fd48444a9398c08f22df4c1ae188c31
Author: Martin Schuppert <email address hidden>
Date: Tue Aug 7 10:14:04 2018 +0200

    SSL support for haproxy -> novnc proxy connection

    With tls-everywhere enabled the connection from haproxy to the nova novnc
    proxy was not encrypted. Now we request a certificate and configure haproxy
    and the novnc proxy to encrypt this remaining part in a vnc connection to
    be encrypted as well.

    Change-Id: I4667706633205c240f2efb51663e6efbce5e344e
    Related-bug: #1785700
    Depends-On: Ice51fe175bdc1cb14fa49cf53d1f38e9728bbb60

Changed in tripleo:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix merged to tripleo-heat-templates (master)

Reviewed: https://review.openstack.org/589434
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=8d163a21f5c932631736c7e87c168cacdf93ce01
Submitter: Zuul
Branch: master

commit 8d163a21f5c932631736c7e87c168cacdf93ce01
Author: Martin Schuppert <email address hidden>
Date: Tue Aug 7 13:34:02 2018 +0200

    SSL support for haproxy -> novnc proxy connection

    With tls-everywhere enabled the connection from haproxy to the nova novnc
    proxy was not encrypted. Now we request a certificate and configure haproxy
    and the novnc proxy to encrypt this remaining part in a vnc connection to
    be encrypted as well.

    Change-Id: Ia0c8c452f0121298bef58409bd0bdbe4caa54e42
    Closes-Bug: #1785700
    Depends-On: Ice51fe175bdc1cb14fa49cf53d1f38e9728bbb60
    Depends-On: I4667706633205c240f2efb51663e6efbce5e344e

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/tripleo-heat-templates 9.0.0.0rc1

This issue was fixed in the openstack/tripleo-heat-templates 9.0.0.0rc1 release candidate.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/tripleo-heat-templates 8.0.6

This issue was fixed in the openstack/tripleo-heat-templates 8.0.6 release.
