Hi Andy,
Thank you for that, I will get straight onto that and make sure all of
the public endpoints are HTTPS. Those are the ones that I care about for
obvious reasons.
If I get stuck, I will be sure to chat in #openstack-ansible.
Once again, thanks for the speedy reply and help.
Grant
On 28/02/17 11:42, Andy McCrae wrote:
On 28 February 2017 at 09:59, Grant Morley <gr...@absolutedevops.io> wrote:
Hi All,
We have an OSA Mitaka deployment and for some reason all of the
endpoints (keystone, neutron, glance, etc.) are all reporting
as HTTP rather than HTTPS. The only thing that seems to have
worked with HTTPS is Horizon (I know that isn't an API endpoint,
just for clarification).
We have placed our SSL certs in the correct directory for the
deployment "/etc/openstack_deploy/ssl/" but for some reason when
the setup has run it is only using HTTP as below:
+----------------------------------+-----------+--------------+----------------+---------+-----------+----------------------------------------------+
| ID                               | Region    | Service Name | Service Type   | Enabled | Interface | URL                                          |
+----------------------------------+-----------+--------------+----------------+---------+-----------+----------------------------------------------+
| 0b7ca91c06334207b3199eeca432d5fe | lon1      | cinder       | volume         | True    | admin     | http://10.6.0.3:8776/v1/%(tenant_id)s        |
| 0f7440688cbc4d1f8f3c62158889729d | lon1      | keystone     | identity       | True    | internal  | http://10.6.0.3:5000/v3                      |
Is there something else I have missed or do I need to put our SSL
certs in a different directory for OSA to set up the endpoints with
HTTPS on haproxy?
Grateful for any help.
Regards,
Grant
Hi Grant,
I took a look back at the stable/mitaka branch for OSA - we do default
the value to be http, so if you don't override the setting it will be
set up as http.
That's changed since, but you can overwrite this by setting
"openstack_service_publicuri_proto: https" which would then set the
public endpoints to be https.
Although the paste you have above implies you want all endpoints to be
https - as it stands I don't believe there is support for that - that
is to say that internal traffic (internal/admin endpoints) would be
http, and your public endpoint (terminating at your LB - haproxy if you
are using the built in one) would be https.
There are a few exceptions in keystone, rabbitmq, horizon and HAProxy:
https://docs.openstack.org/developer/openstack-ansible/mitaka/install-guide/configure-sslcertificates.html
Here are some docs about securing haproxy with ssl-certificates that
may be helpful:
https://docs.openstack.org/developer/openstack-ansible/mitaka/install-guide/configure-haproxy.html#securing-haproxy-communication-with-ssl-certificates
If you're stuck or running into issues feel free to jump into the
#openstack-ansible channel on Freenode IRC, there are usually quite a
few people around to help and answer questions.
Andy
--
Grant Morley
Cloud Lead
Absolute DevOps Ltd
Units H, J & K, Gateway 1000, Whittle Way, Stevenage, Herts, SG1 2FP
www.absolutedevops.io
gr...@absolutedevops.io 0845 874 0580
_______________________________________________
OpenStack-operators mailing list
OpenStack-operators@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
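
A check for the outcome discussed in the thread, added here as an example (it is not part of the original messages or of OpenStack-Ansible's code): it parses `openstack endpoint list` table output and reports enabled public endpoints that are still http, leaving internal/admin endpoints alone as Andy describes. The sample rows, the short IDs and the 203.0.113.10 address are constructed.

```python
import sys
from urllib.parse import urlsplit

# Constructed sample in the layout `openstack endpoint list` prints.
# IDs and the 203.0.113.10 public address are made up for illustration.
SAMPLE = """\
+------+--------+--------------+--------------+---------+-----------+---------------------------------------+
| ID   | Region | Service Name | Service Type | Enabled | Interface | URL                                   |
+------+--------+--------------+--------------+---------+-----------+---------------------------------------+
| aaa1 | lon1   | cinder       | volume       | True    | admin     | http://10.6.0.3:8776/v1/%(tenant_id)s |
| aaa2 | lon1   | keystone     | identity     | True    | internal  | http://10.6.0.3:5000/v3               |
| aaa3 | lon1   | keystone     | identity     | True    | public    | http://203.0.113.10:5000/v3           |
| aaa4 | lon1   | glance       | image        | True    | public    | https://203.0.113.10:9292             |
+------+--------+--------------+--------------+---------+-----------+---------------------------------------+
"""


def parse_table(text):
    """Turn the CLI's ASCII table into a list of dicts keyed by column name."""
    rows = [[cell.strip() for cell in line.strip().strip("|").split("|")]
            for line in text.splitlines() if line.lstrip().startswith("|")]
    if not rows:
        return []
    header, body = rows[0], rows[1:]
    # Skip rows whose cell count does not match the header (e.g. wrapped lines).
    return [dict(zip(header, row)) for row in body if len(row) == len(header)]


def insecure_endpoints(endpoints, interfaces=("public",)):
    """Return enabled endpoints on the given interfaces whose URL is not https."""
    findings = []
    for ep in endpoints:
        if ep.get("Interface") not in interfaces or ep.get("Enabled") != "True":
            continue
        if urlsplit(ep.get("URL", "")).scheme.lower() != "https":
            findings.append(ep)
    return findings


def main():
    # Read piped CLI output if present, otherwise fall back to the sample.
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    findings = insecure_endpoints(parse_table(text))
    for ep in findings:
        print(f"NOT HTTPS: {ep['Service Name']} ({ep['Interface']}) {ep['URL']}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main())
```

Piping real `openstack endpoint list` output into the script checks a live deployment; the exit status is 1 when any enabled public endpoint is still http.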