---
features:
  - The HAProxy role provided by OpenStack-Ansible now terminates SSL
    using a self-signed certificate by default. While this can be
    disabled, the inclusion of SSL services on all public endpoints as a
    default will help make deployments more secure without any additional
    user interaction. More information on SSL and certificate generation
    can be `found here `_.
upgrade:
  - SSL termination is assumed enabled for all public endpoints by
    default. If this is not needed, it can be disabled by setting the
    ``openstack_external_ssl`` option to **false** and the
    ``openstack_service_publicuri_proto`` to **http**.
  - If HAProxy is used as the load balancer for a deployment, it will
    generate a self-signed certificate by default. If HAProxy is NOT
    used, an SSL certificate should be installed on the external load
    balancer. The installation of an SSL certificate on an external load
    balancer is not covered by the deployment tooling.
  - In previous releases, connections to Horizon terminated SSL at the
    Horizon container. While that is still an option, SSL is now assumed
    to be terminated at the load balancer. If you wish to terminate SSL
    at the Horizon node, change the ``horizon_external_ssl`` option to
    **false**.
  - Public endpoints will need to be updated using the Keystone admin API
    to support secure endpoints. The Keystone Ansible module will not
    recreate the endpoints automatically. Documentation on the `Keystone
    service catalog can be found here `_.
security:
  - A self-signed certificate will now be generated by default when
    HAProxy is used as a load balancer. This certificate is used to
    terminate SSL for the public endpoint for Horizon and all OpenStack
    API services.