SM: Keystone SSL Support

Bug #1689761 reported by Ignatious Johnson Christopher
This bug report is a duplicate of: Bug #1695584: SM: need to support ssl for keystone.
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
Juniper Openstack (status tracked in Trunk)
R4.0 | In Progress | High | Dheeraj Gautam |
Trunk | In Progress | High | Dheeraj Gautam |

Bug Description

Need support in SM puppet manifest to enable SSL for keystone service.

The following additional settings are required in /etc/keystone/keystone.conf
to enable SSL for keystone from Mitaka and later.

[eventlet_server_ssl]
enable = True
certfile = /etc/contrailctl/ssl/server.pem
keyfile = /etc/contrailctl/ssl/server-privkey.pem
ca_certs = /etc/contrailctl/ssl/ca-cert.pem

Here server.pem, server-privkey.pem and ca-cert.pem are certs generated by SM for each node in the cluster.

Also, in the /etc/neutron.conf file, the following additional settings are required to enable neutron to validate the certs of keystone before communicating with it.

[keystone_authtoken]
cafile = /etc/contrailctl/ssl/ca-cert.pem
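
Added example (not part of the bug report or the contrail-puppet code): a Python check that the keystone.conf and neutron.conf settings listed above are present and consistent. The sample file contents are constructed from the values in the description; the function names and the extra check on keystonemiddleware's insecure option are assumptions of this example.

```python
import configparser

# Constructed samples using the settings quoted in the bug description.
KEYSTONE_CONF = """\
[eventlet_server_ssl]
enable = True
certfile = /etc/contrailctl/ssl/server.pem
keyfile = /etc/contrailctl/ssl/server-privkey.pem
ca_certs = /etc/contrailctl/ssl/ca-cert.pem
"""
NEUTRON_CONF = """\
[keystone_authtoken]
cafile = /etc/contrailctl/ssl/ca-cert.pem
"""

def _parse(text):
    # strict=False tolerates repeated keys, which oslo.config files may contain
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp

def _is_true(cp, section, key):
    return cp.get(section, key, fallback="false").strip().lower() in ("true", "1", "yes", "on")

def audit_keystone_ssl(keystone_text, neutron_text):
    """Return a list of findings; an empty list means both files agree."""
    ks, nt = _parse(keystone_text), _parse(neutron_text)
    ssl, auth = "eventlet_server_ssl", "keystone_authtoken"
    findings = []
    if not _is_true(ks, ssl, "enable"):
        findings.append("keystone: [eventlet_server_ssl] enable is not True")
    for key in ("certfile", "keyfile", "ca_certs"):
        if not ks.get(ssl, key, fallback="").strip():
            findings.append(f"keystone: {key} is not set")
    cafile = nt.get(auth, "cafile", fallback="").strip()
    if not cafile:
        findings.append("neutron: [keystone_authtoken] cafile is not set")
    elif cafile != ks.get(ssl, "ca_certs", fallback="").strip():
        # Assumption: both services point at the same CA file, as in the report
        findings.append("neutron: cafile differs from keystone ca_certs")
    if _is_true(nt, auth, "insecure"):
        # keystonemiddleware's insecure=True skips certificate verification
        findings.append("neutron: insecure = True disables cert validation")
    return findings

if __name__ == "__main__":
    for line in audit_keystone_ssl(KEYSTONE_CONF, NEUTRON_CONF) or ["OK"]:
        print(line)
```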

Changed in juniperopenstack:
assignee: nobody → Abhay Joshi (abhayj)
Jeba Paulaiyan (jebap)
tags: added: blocker provisioning server-manager
Raj Reddy (rajreddy)
tags: removed: blocker
Revision history for this message
Jeba Paulaiyan (jebap) wrote :

Release-notes:

Provisioning of SSL for Keystone is not supported using SM in R4.0.0.0

tags: added: releasenote
information type: Proprietary → Public
Revision history for this message
OpenContrail Admin (ci-admin-f) wrote : [Review update] R4.0

Review in progress for https://review.opencontrail.org/33268
Submitter: Dheeraj Gautam (<email address hidden>)

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote : [Review update] master

Review in progress for https://review.opencontrail.org/33269
Submitter: Dheeraj Gautam (<email address hidden>)

Revision history for this message
Dheeraj Gautam (dgautam) wrote :

https://github.com/Juniper/contrail-puppet-thirdparty/pull/5 changed newton code and passed OS_CACERT to token requests

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote : A change has been merged

Reviewed: https://review.opencontrail.org/33269
Committed: http://github.com/Juniper/contrail-puppet/commit/d6e9a9a76aef2a32d98e01325b66443a733d8170
Submitter: Zuul (<email address hidden>)
Branch: master

commit d6e9a9a76aef2a32d98e01325b66443a733d8170
Author: Dheeraj Gautam <email address hidden>
Date: Wed Jun 28 11:47:44 2017 -0700

support newton keystone-ssl support.

Partial-Bug: #1689761

changes:
1. enabled ssl to apache site configuration files.
2. create keystone certs/keys under /etc/keystone/ssl/ for newton
3. pass public_endpoints and admin_endpoints to keystone.conf

Change-Id: Id188f7e02ca4318006299d56a8303517d00b2772

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote :

Reviewed: https://review.opencontrail.org/33268
Committed: http://github.com/Juniper/contrail-puppet/commit/f5dc9de45f72878603aa8658228343ea0fe53182
Submitter: Zuul (<email address hidden>)
Branch: R4.0

commit f5dc9de45f72878603aa8658228343ea0fe53182
Author: Dheeraj Gautam <email address hidden>
Date: Wed Jun 28 11:47:44 2017 -0700

support newton keystone-ssl support.

Partial-Bug: #1689761

changes:
1. enabled ssl to apache site configuration files.
2. create keystone certs/keys under /etc/keystone/ssl/ for newton
3. pass public_endpoints and admin_endpoints to keystone.conf

Change-Id: Id188f7e02ca4318006299d56a8303517d00b2772
