SSL/TLS Everywhere missing for Neutron Agents + OVSDB connections
Bug #1746762 reported by Tim Rozet
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
puppet-neutron | Fix Released | Undecided | Alex Schultz |
tripleo | Fix Released | High | Tim Rozet |
Bug Description
In SSL/TLS everywhere, internal API endpoints should be secured with TLS. However, ovsdb-server (part of Open vSwitch) is left running as a ptcp listener, meaning it allows anyone to connect and manage the network dataplane. In OpenDaylight deployments, the certificates/keys are generated for OVS, and a secure connection is made to ODL. However, ODL still relies on the neutron dhcp agent on the control nodes in order to service DHCP. In these deployments we configure OVS to use a pssl listener; however, the Neutron OVSDB agent driver is not configured with a key/cert in order to be able to connect to OVSDB.
Related Neutron bug to allow SSL URI:
https:/
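An added example, not part of the original bug report or of any OpenStack project's code: a small audit that classifies Open vSwitch manager targets, as printed one per line by `ovs-vsctl get-manager`, and flags plaintext listeners such as the `ptcp` one described above. The function names and the sample targets are constructed for illustration.

```python
import ipaddress

TLS_METHODS = {"pssl", "ssl"}
PLAINTEXT_METHODS = {"ptcp", "tcp"}
SOCKET_METHODS = {"punix", "unix"}


def _is_loopback(addr):
    """True if addr (optionally [bracketed] IPv6) is a loopback address."""
    try:
        return ipaddress.ip_address(addr.strip("[]")).is_loopback
    except ValueError:
        return False  # hostname or garbage: not provably local


def classify_target(target):
    """Classify one OVSDB manager target: ptcp:PORT[:IP], pssl:PORT[:IP],
    tcp:IP:PORT, ssl:IP:PORT, punix:FILE or unix:FILE."""
    method, _, rest = target.strip().strip('"').partition(":")
    if method in SOCKET_METHODS:
        return "local-socket"
    if method in TLS_METHODS:
        return "tls"
    if method not in PLAINTEXT_METHODS:
        return "unknown"
    if method == "ptcp":
        _port, _, addr = rest.partition(":")
        # No IP given means the listener binds every local address.
        if not addr or not _is_loopback(addr):
            return "plaintext-listener-exposed"
        return "plaintext-listener-loopback"
    return "plaintext-outbound"


def audit_managers(get_manager_output):
    """Map each target in `ovs-vsctl get-manager` output to its finding."""
    return {t.strip(): classify_target(t)
            for t in get_manager_output.splitlines() if t.strip()}


# Constructed sample output, one manager target per line.
SAMPLE = "ptcp:6640\nptcp:6640:127.0.0.1\npssl:6640\ntcp:192.0.2.10:6640\n"

if __name__ == "__main__":
    for target, finding in audit_managers(SAMPLE).items():
        print(f"{finding:30} {target}")
```

Any `plaintext-listener-exposed` result on a node that is supposed to be under TLS everywhere corresponds to the condition this bug describes.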
Changed in tripleo:
assignee: nobody → Tim Rozet (trozet)
status: New → In Progress
importance: Undecided → Critical
importance: Critical → High
milestone: none → queens-rc1
Changed in puppet-neutron:
status: New → In Progress
assignee: nobody → Tim Rozet (trozet)
Changed in puppet-neutron:
assignee: Tim Rozet (trozet) → Alex Schultz (alex-schultz)
Fix proposed to branch: master
Review: https://review.openstack.org/540127