SSL for metadata service

Bug #1628783 reported by Hari Prasad Killi
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
Juniper Openstack | Status tracked in Trunk | | |
R4.0 | Fix Committed | Wishlist | RAVI KIRAN |
Trunk | Fix Committed | Wishlist | RAVI KIRAN |

Bug Description

contrail-vrouter-agent proxies metadata service requests coming from virtual instances. Currently, SSL is not supported on the communication between vrouter-agent and nova-api. This request is to add SSL support for this.

Note: The currently available workaround for this is to use a shared secret for metadata, which will generate an HMAC token and send it to the metadata server in the X-Instance-ID-Signature header.

Tags: vrouter
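
The shared-secret workaround mentioned in the bug description, as an added example that is not part of the original report or of the Contrail code. It assumes the scheme Nova's metadata API uses for proxied requests, where the signature is the hex HMAC-SHA256 of the instance ID keyed with the shared secret; the secret and instance ID below are constructed sample values.

```python
import hashlib
import hmac

# Constructed sample values; not taken from any deployment.
SHARED_SECRET = b"example-shared-secret"
INSTANCE_ID = "3f0c1d9e-5a55-4c1b-9a38-0d6c5c1e7a11"


def sign_instance_id(secret: bytes, instance_id: str) -> str:
    """Hex HMAC-SHA256 of the instance ID (assumed signing scheme)."""
    return hmac.new(secret, instance_id.encode("utf-8"), hashlib.sha256).hexdigest()


def proxy_headers(secret: bytes, instance_id: str) -> dict:
    """Headers a metadata proxy attaches before forwarding a request."""
    return {
        "X-Instance-ID": instance_id,
        "X-Instance-ID-Signature": sign_instance_id(secret, instance_id),
    }


def verify(secret: bytes, headers: dict) -> bool:
    """Server-side check: recompute the HMAC and compare in constant time."""
    instance_id = headers.get("X-Instance-ID")
    presented = headers.get("X-Instance-ID-Signature")
    if not instance_id or not presented:
        return False  # fail closed when either header is absent
    expected = sign_instance_id(secret, instance_id)
    return hmac.compare_digest(expected.encode("utf-8"), presented.encode("utf-8"))


def demo() -> dict:
    good = proxy_headers(SHARED_SECRET, INSTANCE_ID)
    changed_id = dict(good)
    changed_id["X-Instance-ID"] = "00000000-0000-0000-0000-000000000000"
    return {
        "valid": verify(SHARED_SECRET, good),
        "instance_id_changed": verify(SHARED_SECRET, changed_id),
        "wrong_secret": verify(SHARED_SECRET, proxy_headers(b"other-secret", INSTANCE_ID)),
        "missing_signature": verify(SHARED_SECRET, {"X-Instance-ID": INSTANCE_ID}),
        # The HMAC input is only the instance ID, so the header value is the
        # same for every request that instance makes.
        "signature_is_static": good == proxy_headers(SHARED_SECRET, INSTANCE_ID),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

Because the signature covers only the instance ID and is identical on every request, it authenticates the proxy to the metadata server but does not protect the request or the returned metadata in transit, which is the gap the SSL support requested in this bug closes.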
Revision history for this message
OpenContrail Admin (ci-admin-f) wrote : [Review update] master

Review in progress for https://review.opencontrail.org/24565
Submitter: RAVI KIRAN (<email address hidden>)

OpenContrail Admin (ci-admin-f) wrote : A change has been merged

Reviewed: https://review.opencontrail.org/24565
Committed: http://github.org/Juniper/contrail-controller/commit/08378f7d667cbebf69839b1c0af121cfbc9ac381
Submitter: Zuul
Branch: master

commit 08378f7d667cbebf69839b1c0af121cfbc9ac381
Author: Ravi BK <email address hidden>
Date: Thu Sep 29 22:09:36 2016 +0530

SSL support for Agent metadata proxy service

Currently metadata requests sent by VM are proxied by agent to
nova api-server using http which is insecure. Adding ssl support
for the communication by setting required curl options to the
requests.

Change-Id: Ibad42e8ffc3e51a0c1e830e1fde2f307149c90de
Closes-bug: #1628783

OpenContrail Admin (ci-admin-f) wrote : [Review update] master

Review in progress for https://review.opencontrail.org/33264
Submitter: Hari Prasad Killi (<email address hidden>)

OpenContrail Admin (ci-admin-f) wrote : A change has been merged

Reviewed: https://review.opencontrail.org/33264
Committed: http://github.com/Juniper/contrail-controller/commit/18b127651cf32d0679565ff4c62a6c82d6299e60
Submitter: Zuul (<email address hidden>)
Branch: master

commit 18b127651cf32d0679565ff4c62a6c82d6299e60
Author: Hari Prasad Killi <email address hidden>
Date: Wed Jun 28 19:52:14 2017 +0530

Blueprint for Metadata SSL service

Change-Id: Ibad42e8ffc3e51a0c1e830e1fde2f307149c90ea
closes-bug: #1628783

OpenContrail Admin (ci-admin-f) wrote : [Review update] master

Review in progress for https://review.opencontrail.org/34590
Submitter: Kumar Harsh (<email address hidden>)

OpenContrail Admin (ci-admin-f) wrote :

Review in progress for https://review.opencontrail.org/34588
Submitter: Kumar Harsh (<email address hidden>)

OpenContrail Admin (ci-admin-f) wrote :

Review in progress for https://review.opencontrail.org/34589
Submitter: Kumar Harsh (<email address hidden>)

OpenContrail Admin (ci-admin-f) wrote :

Review in progress for https://review.opencontrail.org/34591
Submitter: Kumar Harsh (<email address hidden>)

OpenContrail Admin (ci-admin-f) wrote : [Review update] R4.0

Review in progress for https://review.opencontrail.org/34592
Submitter: Kumar Harsh (<email address hidden>)

OpenContrail Admin (ci-admin-f) wrote :

Review in progress for https://review.opencontrail.org/34593
Submitter: Kumar Harsh (<email address hidden>)

OpenContrail Admin (ci-admin-f) wrote :

Review in progress for https://review.opencontrail.org/34599
Submitter: Kumar Harsh (<email address hidden>)

OpenContrail Admin (ci-admin-f) wrote : [Review update] master

Review in progress for https://review.opencontrail.org/34591
Submitter: Kumar Harsh (<email address hidden>)

OpenContrail Admin (ci-admin-f) wrote : [Review update] R4.0

Review in progress for https://review.opencontrail.org/34600
Submitter: Kumar Harsh (<email address hidden>)

OpenContrail Admin (ci-admin-f) wrote : A change has been merged

Reviewed: https://review.opencontrail.org/34599
Committed: http://github.com/Juniper/contrail-ansible/commit/9df8de38eda92064521f8133d839df0d2e58f6f9
Submitter: Zuul (<email address hidden>)
Branch: R4.0

commit 9df8de38eda92064521f8133d839df0d2e58f6f9
Author: Harsh Kumar <email address hidden>
Date: Tue Aug 15 23:01:47 2017 +0530

Ansible changes for metadata ssl service
If metadata_ssl flag is enabled in inventory file
agent.conf will be updated with ssl cert file to
be used for secure communication with openstack node.

Change-Id: I26be827e6cabbf3e3a0cf386976e704830bcd3ee
Implements: blueprint metadata_ssl
closes-bug: #1628783

OpenContrail Admin (ci-admin-f) wrote :

Reviewed: https://review.opencontrail.org/34588
Committed: http://github.com/Juniper/contrail-ansible/commit/e490ce4fee17911bc632ff4bd46bb965ef1099db
Submitter: Zuul (<email address hidden>)
Branch: master

commit e490ce4fee17911bc632ff4bd46bb965ef1099db
Author: Harsh Kumar <email address hidden>
Date: Tue Aug 15 21:19:34 2017 +0530

Ansible changes for metadata ssl service
If metadata_ssl flag is enabled in inventory file
agent.conf will be updated with ssl cert file to
be used for secure communication with openstack node.

Change-Id: I26be827e6cabbf3e3a0cf386976e704830bcd3ee
Implements: blueprint metadata_ssl
closes-bug: #1628783

OpenContrail Admin (ci-admin-f) wrote :

Reviewed: https://review.opencontrail.org/34600
Committed: http://github.com/Juniper/contrail-controller/commit/a616888c3a667253d0cc46bf581d7ffa90613f00
Submitter: Zuul (<email address hidden>)
Branch: R4.0

commit a616888c3a667253d0cc46bf581d7ffa90613f00
Author: Kumar Harsh <email address hidden>
Date: Tue Aug 15 23:50:31 2017 +0530

Agent provisioning changes for metadata ssl service
Populate ssl configuration to be used by agent under
metadata section in agent.conf.

Change-Id: Ic16128c50179899f803c0eaa5d72aafdc5bc8229
Implements: blueprint metadata_ssl
closes-bug: #1628783

OpenContrail Admin (ci-admin-f) wrote :

Reviewed: https://review.opencontrail.org/34592
Committed: http://github.com/Juniper/contrail-ansible-internal/commit/abb1f60bfe452f2452d6a96bfca53432de00bed5
Submitter: Zuul (<email address hidden>)
Branch: R4.0

commit abb1f60bfe452f2452d6a96bfca53432de00bed5
Author: Harsh Kumar <email address hidden>
Date: Tue Aug 15 21:26:25 2017 +0530

Ansible internal changes for metadata ssl service.
For agent running in container enabling metadata_ssl_enable
in inventory file will update agent.conf with ssl certs and
related configuration.

Change-Id: Ie9ad91caa9478f0594d07c6fa25459c99944bef3
Implements: blueprint metadata_ssl
closes-bug: #1628783

OpenContrail Admin (ci-admin-f) wrote : [Review update] master

Review in progress for https://review.opencontrail.org/34590
Submitter: Kumar Harsh (<email address hidden>)

OpenContrail Admin (ci-admin-f) wrote : [Review update] R4.0

Review in progress for https://review.opencontrail.org/34593
Submitter: Kumar Harsh (<email address hidden>)

OpenContrail Admin (ci-admin-f) wrote : A change has been merged

Reviewed: https://review.opencontrail.org/34590
Committed: http://github.com/Juniper/contrail-docker/commit/e35933d77713d370ca4daf9d3ea70a2c9a2c56ad
Submitter: Zuul (<email address hidden>)
Branch: master

commit e35933d77713d370ca4daf9d3ea70a2c9a2c56ad
Author: Harsh Kumar <email address hidden>
Date: Tue Aug 15 21:30:04 2017 +0530

Add metadata_ssl_enable to agent contrailctl schema

Change-Id: I6b592e8a7f9f38271c14f51f318143c3e2cef8c9
Implements: Blueprint for Metadata SSL service
closes-bug: #1628783

OpenContrail Admin (ci-admin-f) wrote :

Reviewed: https://review.opencontrail.org/34593
Committed: http://github.com/Juniper/contrail-docker/commit/8630f09ac2a51a66cf6759600ddd27f55ed381e5
Submitter: Zuul (<email address hidden>)
Branch: R4.0

commit 8630f09ac2a51a66cf6759600ddd27f55ed381e5
Author: Harsh Kumar <email address hidden>
Date: Tue Aug 15 21:30:04 2017 +0530

Add metadata_ssl_enable to agent contrailctl schema

Change-Id: I6b592e8a7f9f38271c14f51f318143c3e2cef8c9
Implements: Blueprint for Metadata SSL service
closes-bug: #1628783

OpenContrail Admin (ci-admin-f) wrote :

Reviewed: https://review.opencontrail.org/34591
Committed: http://github.com/Juniper/contrail-controller/commit/bd1f48a4a22d9be80fba2e88dac1ecb775f2d908
Submitter: Zuul (<email address hidden>)
Branch: master

commit bd1f48a4a22d9be80fba2e88dac1ecb775f2d908
Author: Kumar Harsh <email address hidden>
Date: Tue Aug 15 23:38:52 2017 +0530

Agent provisioning changes for metadata ssl service
Populate ssl configuration to be used by agent under
metadata section in agent.conf.

Change-Id: I01140e1b588b0d410f3d7c77086e67e6163803c0
Implements: blueprint metadata_ssl
closes-bug: #1628783

OpenContrail Admin (ci-admin-f) wrote :

Reviewed: https://review.opencontrail.org/34589
Committed: http://github.com/Juniper/contrail-ansible-internal/commit/9ab2a1c7a7098c0c032d6d1d0ecde77e7d5a52fc
Submitter: Zuul (<email address hidden>)
Branch: master

commit 9ab2a1c7a7098c0c032d6d1d0ecde77e7d5a52fc
Author: Harsh Kumar <email address hidden>
Date: Tue Aug 15 21:26:25 2017 +0530

Ansible internal changes for metadata ssl service.
For agent running in container enabling metadata_ssl_enable
in inventory file will update agent.conf with ssl certs and
related configuration.

Change-Id: Ie9ad91caa9478f0594d07c6fa25459c99944bef3
Implements: blueprint metadata_ssl
closes-bug: #1628783
