Re: [Openstack-operators] OpenStack Architecture, horizon and keystone

Wed, 30 Sep 2015 07:26:54 -0700 

There is two approaches.
1) You make public endpoints and horizon public. White IP, resolvable FQDN for endpoints, etc. 2) You hide endpoints from user (boo... no api, no automation), but expose horizon. 


Second case: horizon will sits as middleware between 'internal' networks 
where endpoints live, and outer world. Horizon may works fine even all 
endpoints are hidden from user. But wsgi part of the Horizon should be 
able to access endpoints.



On 09/30/2015 04:14 PM, Davíð Örn Jóhannsson wrote:

I just recently joined a team in charge of implementing OpenStack 
deployment which I'm trying to grasp the design of.



One problem I encountered is that the openstack environment is on a 
pretty closed network and I need to use ssh
tunnelling to be able to access horizon, so I started to look into 
fronting the service with a reverse proxy
(making it available throug, horizon.example.com/horizon), then I 
noticed the horizon UI needs to contact the
Identity service, which I also fronted with a reverse proxy 
(identity.example.com:5000/v2.0) and configured
OPENSTACK_HOST = identity.example.com in 
/etc/openstack-dashboard/local_settings.py



The reverse proxy proxies requests to http://control1:5000 so when the 
response is sent back from the api it includes
<link href="http://http://control1:5000/v2.0/"; rel="self"/> which the 
client has no network access to and a possible solution
would be to edit the url in /etc/keystone/keystone.conf then it dawned 
on me that we might have to re-think this design.



Possibly we are taking the wrong approach so I wanted to reach out to 
get some opinions on this matter since I'm new
to the architecture of OpenStack and haven't yet totally grasped how 
things are supposed to work together.​


Regards, Davíd Johannsson




_______________________________________________
OpenStack-operators mailing list
OpenStack-operators@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators



_______________________________________________
OpenStack-operators mailing list
OpenStack-operators@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators






















					Reply via email to