devstack

Enable SSL for nova, heat and cinder natively or with TLS proxy

Bug #1328226 reported by Rob Crittenden on 2014-06-09

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	devstack	Fix Released	Undecided	Rob Crittenden

Bug Description

Native SSL support can be enabled for Keystone and a few services have basic support for a TLS Proxy (stud).

There is more and more interest in running an OpenStack installation entirely secured with SSL. This is difficult to set up and prone to error. Having this working in devstack will provide a model, prevent regressions, find bugs, etc.

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2014-06-09: Fix proposed to devstack (master)

Fix proposed to branch: master
Review: https://review.openstack.org/98854

Changed in devstack:
assignee:	nobody → Rob Crittenden (rcritten)
status:	New → In Progress

Revision history for this message

Rob Crittenden (rcritten) wrote on 2014-08-27:

During the lifetime of this bug, python-glanceclient switched to python-requests. There are two related bugs from this:

https://bugs.launchpad.net/python-glanceclient/+bug/1347150 - python-glanceclient switch to requests breaks HTTPS

https://bugs.launchpad.net/python-glanceclient/+bug/1362179 - Default to requests cert bundle instead of nothing

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2014-09-26: Fix merged to devstack (master)

Reviewed: https://review.openstack.org/98854
Committed: https://git.openstack.org/cgit/openstack-dev/devstack/commit/?id=18d4778cf7bffa60eb2e996a13c129c64f83575f
Submitter: Jenkins
Branch: master

commit 18d4778cf7bffa60eb2e996a13c129c64f83575f
Author: Rob Crittenden <email address hidden>
Date: Wed Mar 19 17:47:42 2014 -0400

Configure endpoints to use SSL natively or via proxy

    Configure nova, cinder, glance, swift and neutron to use SSL
    on the endpoints using either SSL natively or via a TLS proxy
    using stud.

To enable SSL via proxy, in local.conf add

ENABLED_SERVICES+=,tls-proxy

    This will create a new test root CA, a subordinate CA and an SSL
    server cert. It uses the value of hostname -f for the certificate
    subject. The CA certicates are also added to the system CA bundle.

To enable SSL natively, in local.conf add:

USE_SSL=True

Native SSL by default will also use the devstack-generate root and
subordinate CA.

You can override this on a per-service basis by setting

    <SERVICE>_SSL_CERT=/path/to/cert
    <SERVICE>_SSL_KEY=/path/to/key
    <SERVICE>_SSL_PATH=/path/to/ca

You should also set SERVICE_HOST to the FQDN of the host. This
value defaults to the host IP address.

Change-Id: I36fe56c063ca921131ad98439bd452cb135916ac
Closes-Bug: 1328226

Changed in devstack:
status:	In Progress → Fix Released

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.