Placing certificate on keystone containers does not work

Bug #1759896 reported by Jake Briggs
This bug affects 1 person

Affects: OpenStack-Ansible
Status: Fix Released
Importance: Medium
Assigned to: Unassigned
Milestone: none listed

Bug Description

I am trying to place my TLS certificate on the keystone container for further protection. This should work, but does not. I have set the following variables, which look like they should work, but then it does not.

/etc/openstack_deploy/user_variables.yml

keystone_ssl: True
ssl_protocol: 'SSLv2 SSLv3'
keystone_service_internaluri_proto: https
keystone_service_proto: https
keystone_user_ssl_cert: /etc/letsencrypt/live/jake-aio.jakelab.info/cert.pem
keystone_user_ssl_ca_cert: /etc/letsencrypt/live/jake-aio.jakelab.info/chain.pem
keystone_user_ssl_key: /etc/letsencrypt/live/jake-aio.jakelab.info/privkey.pem

haproxy_user_ssl_cert: /etc/letsencrypt/live/jake-aio.jakelab.info/cert.pem
haproxy_user_ssl_ca_cert: /etc/letsencrypt/live/jake-aio.jakelab.info/chain.pem
haproxy_user_ssl_key: /etc/letsencrypt/live/jake-aio.jakelab.info/privkey.pem

/opt/openstack-ansible/group_vars/all/haproxy.yml

  - service:
      haproxy_service_name: keystone_service
      haproxy_backend_nodes: "{{ groups['keystone_all'] | default([]) }}"
      haproxy_port: 5000
      haproxy_ssl: False
      haproxy_balance_type: tcp
      haproxy_backend_options:
        - "httpchk HEAD /"
  - service:
      haproxy_service_name: keystone_admin
      haproxy_backend_nodes: "{{ groups['keystone_all'] | default([]) }}"
      haproxy_port: 35357
      haproxy_ssl: False
      haproxy_balance_type: tcp
      haproxy_backend_options:
        - "httpchk HEAD /"
      haproxy_whitelist_networks: "{{ haproxy_keystone_admin_whitelist_networks }}"

Also, there appears to be no documentation on how to configure this correctly.
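The variables above encode a particular TLS topology (keystone_ssl on the container, haproxy_ssl off and balance_type tcp on the load balancer, https in the catalogue), and the deployment broke. As an added example, not code from this bug report or from the openstack-ansible project, the script below runs the pre-flight checks a deployer would want before running the playbooks: it expands the ssl_protocol string with Apache SSLProtocol semantics and flags broken or absent versions, and it classifies the haproxy/keystone pair as pass-through, re-encrypt, terminate, plaintext or mismatched. It assumes that ssl_protocol is rendered into Apache's SSLProtocol directive for the keystone vhost (the keystone role of that era did this), that the haproxy service keys mean what they mean in the report, and that a hypothetical haproxy_backend_ssl key marks a service whose server lines re-encrypt to the backend. The input inside check_report_config() is a constructed copy of the variables from the report. Note that under the SSLProtocol assumption the value 'SSLv2 SSLv3' enables only those two broken versions and no TLS at all, so no current client could complete a handshake with the container; the role's usual default shape is 'ALL -SSLv2 -SSLv3'.

```python
"""Pre-flight checks for the keystone/haproxy TLS variables of an
openstack-ansible deployment.

Added example, not code from the bug report or the openstack-ansible
project.  Assumptions: `ssl_protocol` feeds Apache's SSLProtocol directive;
the haproxy service keys carry the meaning they have in the report; an
optional, hypothetical `haproxy_backend_ssl` key marks re-encryption to the
backend.  The input in check_report_config() is a constructed copy of the
variables from the report.
"""

ALL_PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")
BROKEN = {"SSLv2", "SSLv3"}        # cryptographically broken; clients refuse them
DEPRECATED = {"TLSv1", "TLSv1.1"}  # deprecated by RFC 8996


def parse_ssl_protocol(value):
    """Expand an Apache SSLProtocol string into the set of enabled versions.

    Apache semantics: a bare name or '+name' enables a version, '-name'
    disables it, and 'all' means every version except SSLv2.  Tokens apply
    left to right, so 'ALL -SSLv2 -SSLv3' leaves only TLS, while the
    report's 'SSLv2 SSLv3' leaves only the two broken versions.
    """
    by_lower = {p.lower(): p for p in ALL_PROTOCOLS}
    enabled = set()
    for token in value.split():
        op, name = (token[0], token[1:]) if token[0] in "+-" else ("+", token)
        key = name.lower()
        if key == "all":
            names = set(ALL_PROTOCOLS) - {"SSLv2"}
        elif key in by_lower:
            names = {by_lower[key]}
        else:
            raise ValueError("unknown SSLProtocol token: %r" % token)
        enabled = enabled | names if op == "+" else enabled - names
    return enabled


def protocol_findings(value):
    """Return human-readable problems with an SSLProtocol setting."""
    enabled = parse_ssl_protocol(value)
    findings = ["%s enabled (broken)" % p for p in sorted(enabled & BROKEN)]
    findings += ["%s enabled (deprecated)" % p for p in sorted(enabled & DEPRECATED)]
    if not enabled & {"TLSv1.2", "TLSv1.3"}:
        findings.append("no TLS 1.2 or 1.3 enabled: current clients cannot connect at all")
    return findings


def classify_topology(user_vars, service):
    """Work out where the TLS session from a client to keystone ends.

    Returns (topology, findings).  'passthrough': haproxy in tcp mode relays
    TLS untouched to the container, which holds the key.  'reencrypt':
    haproxy terminates and opens a new TLS session to keystone.
    'terminate': haproxy holds the key and speaks plaintext on the management
    network.  'plaintext': no TLS anywhere.  'mismatch': one hop expects TLS
    and its peer does not.
    """
    backend_tls = bool(user_vars.get("keystone_ssl", False))
    lb_tls = bool(service.get("haproxy_ssl", False))
    reencrypt = bool(service.get("haproxy_backend_ssl", False))  # hypothetical key
    mode = service.get("haproxy_balance_type", "http")
    opts = service.get("haproxy_backend_options", [])
    findings = []

    if backend_tls and not lb_tls and mode == "tcp":
        topology = "passthrough"
        # haproxy runs health checks itself; an httpchk goes out in plaintext
        # unless the server lines carry check-ssl, so against a TLS-only
        # backend every node is marked down.  Assumption: not added for you.
        if any(o.startswith("httpchk") for o in opts):
            findings.append("httpchk on a TLS-only backend needs check-ssl on the server lines")
    elif backend_tls and lb_tls and reencrypt:
        topology = "reencrypt"
    elif lb_tls and not backend_tls:
        topology = "terminate"
    elif not lb_tls and not backend_tls:
        topology = "plaintext"
    else:
        topology = "mismatch"
        findings.append("keystone_ssl=%s but haproxy_ssl=%s with balance_type=%s: one hop "
                        "will speak plaintext to a TLS listener or vice versa"
                        % (backend_tls, lb_tls, mode))

    # The catalogue must advertise the scheme that is actually served.
    for key in ("keystone_service_proto", "keystone_service_internaluri_proto"):
        proto = user_vars.get(key, "http")
        if proto == "https" and topology == "plaintext":
            findings.append("%s=https but nothing serves TLS" % key)
        if proto == "http" and topology != "plaintext":
            findings.append("%s=http advertises a plaintext endpoint" % key)
    return topology, findings


def check_report_config():
    """Run the checks over a constructed copy of the variables in the report."""
    user_vars = {"keystone_ssl": True, "ssl_protocol": "SSLv2 SSLv3",
                 "keystone_service_internaluri_proto": "https",
                 "keystone_service_proto": "https"}
    keystone_service = {"haproxy_service_name": "keystone_service",
                        "haproxy_port": 5000, "haproxy_ssl": False,
                        "haproxy_balance_type": "tcp",
                        "haproxy_backend_options": ["httpchk HEAD /"]}
    topology, findings = classify_topology(user_vars, keystone_service)
    return topology, protocol_findings(user_vars["ssl_protocol"]) + findings
```

Running check_report_config() classifies the reported variables as pass-through, which is the intended design, but reports three things that would break it independently of any playbook defect: SSLv2 and SSLv3 enabled, no TLS 1.2 or 1.3 available at all, and a plaintext httpchk aimed at a TLS-only listener. Swapping the ssl_protocol value for 'ALL -SSLv2 -SSLv3' clears the first two findings.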

Revision history for this message
Jean-Philippe Evrard (jean-philippe-evrard) wrote :

There is documentation here: https://docs.openstack.org/openstack-ansible/latest/user/security/index.html

Could you tell us what's missing?

Revision history for this message
Jean-Philippe Evrard (jean-philippe-evrard) wrote :

Could you also explain what you're trying to achieve? Do you want https between haproxy and keystone, or is https termination in haproxy + http in the (considered internal) management network enough?

Revision history for this message
Jake Briggs (jake-briggs) wrote :

I am trying to place the SSL certificate on the container. HAProxy should perform pass-through. That way there is no way to sniff the network and glean passwords from it.

Revision history for this message
Jake Briggs (jake-briggs) wrote :

The documentation provided does not work. If you follow it exactly, you will get a broken environment, whether it is for rabbit or for Keystone.

Changed in openstack-ansible:
status: New → Confirmed
importance: Undecided → Medium
Revision history for this message
Jonathan Rosser (jrosser) wrote :

Currently supported versions of openstack-ansible support SSL between haproxy and all the backend services.

Changed in openstack-ansible:
status: Confirmed → Fix Released