b475643c11
This patch introduces an optional backend encryption for Keystone service. When used in conjunction with enabling TLS for service API endpoints, network communcation will be encrypted end to end, from client through HAProxy to the Keystone service. Change-Id: I6351147ddaff8b2ae629179a9bc3bae2ebac9519 Partially-Implements: blueprint add-ssl-internal-network
20 lines
1002 B
YAML
20 lines
1002 B
YAML
---
|
|
features:
|
|
- |
|
|
When 'kolla_copy_ca_into_containers' is configured to 'yes', the
|
|
certificate authority files in /etc/kolla/certificates/ca will be copied
|
|
into service containers to enable trust for those CA certificates. This
|
|
is required for any certificates that are either self-signed or signed by
|
|
a private CA, and are not already present in the service image trust store.
|
|
Otherwise, either CA validation will need to be explicitly disabled or the
|
|
path to the CA certificate must be configured in the service using
|
|
the ``openstack_cacert`` parameter.
|
|
|
|
issues:
|
|
- |
|
|
Python Requests library will not trust self-signed or privately signed CAs
|
|
even if they are added into the OS trusted CA folder and update-ca-trust is
|
|
executed. For services that rely on the Python Requests library, either CA
|
|
verification must be explicitly disabled in the service or the path to the
|
|
CA certificate must be configured using the ``openstack_cacert`` parameter.
|