92eb98e1d2
This change makes it so that all services are expecting SSL termination at the load balancer by default. This is more indicative of how a real-world deployment will be set up and is being added such that we can test a more production-like deployment system by default.

The AIO will now terminate SSL in HAProxy using a self-signed cert.

Depends-On: I63cfecd6793ba2b28c294d939c9b1c466940cbd1
Depends-On: Iba63636d733fa1eb095564b8bf33a8159d9c2a00
Depends-On: Ib31a48dd480ecb376a6a8c5b35b09dfa5d2e58f6
Depends-On: Ibdeb8b981ca770ce4f56beeae05afd3379964859
Change-Id: Id87fab39c929e0860abbc3755ad386aa6893b151
Co-Authored-By: Logan V <logan2211@gmail.com>
Signed-off-by: Logan V <logan2211@gmail.com>
Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>
32 lines
2.0 KiB
YAML
---
features:
  - The HAProxy role provided by OpenStack-Ansible now terminates SSL
    using a self-signed certificate by default. While this can be
    disabled, the inclusion of SSL services on all public endpoints as
    a default will help make deployments more secure without any
    additional user interaction. More information on SSL and certificate
    generation can be `found here <http://docs.openstack.org/developer/openstack-ansible/install-guide/configure-haproxy.html#securing-haproxy-communication-with-ssl-certificates>`_.
upgrade:
  - SSL termination is assumed enabled for all public endpoints by default.
    If this is not needed it can be disabled by setting
    the ``openstack_external_ssl`` option to **false** and the
    ``openstack_service_publicuri_proto`` to **http**.
  - If HAProxy is used as the load balancer for a deployment it will generate
    a self-signed certificate by default. If HAProxy is NOT used, an SSL
    certificate should be installed on the external load balancer. The
    installation of an SSL certificate on an external load balancer is not
    covered by the deployment tooling.
  - In previous releases connections to Horizon originally terminated SSL
    at the Horizon container. While that is still an option, SSL is now
    assumed to be terminated at the load balancer. If you wish to terminate
    SSL at the Horizon node, change the ``horizon_external_ssl`` option to
    **false**.
  - Public endpoints will need to be updated using the Keystone admin API to
    support secure endpoints. The Keystone Ansible module will not recreate
    the endpoints automatically. Documentation on the `Keystone service
    catalog can be found here <http://docs.openstack.org/developer/keystone/configuration.html#service-catalog>`_.
security:
  - A self-signed certificate will now be generated by default when HAProxy
    is used as a load balancer. This certificate is used to terminate the
    public endpoint for Horizon and all OpenStack API services.
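
Because the upgrade note says existing public endpoints are not recreated automatically, an upgraded deployment can keep advertising http:// public URLs in its service catalog. The following is an added example, not part of this commit or of OpenStack-Ansible: it audits a catalog for such endpoints. It assumes the catalog is available as JSON in the Keystone v3 token catalog shape; the function name, hostnames, addresses and regions are constructed for illustration.

```python
import json
from urllib.parse import urlsplit

# Constructed sample in the shape of a Keystone v3 token catalog; the
# hostnames, addresses and regions are made up for this example.
SAMPLE_CATALOG = json.loads("""
[
  {"type": "identity", "name": "keystone", "endpoints": [
    {"interface": "public", "region": "RegionOne",
     "url": "https://cloud.example.com:5000/v3"},
    {"interface": "internal", "region": "RegionOne",
     "url": "http://172.29.236.10:5000/v3"}]},
  {"type": "compute", "name": "nova", "endpoints": [
    {"interface": "public", "region": "RegionOne",
     "url": "http://cloud.example.com:8774/v2.1"}]},
  {"type": "image", "name": "glance", "endpoints": [
    {"interface": "public", "region": "RegionOne",
     "url": "HTTP://cloud.example.com:9292"}]}
]
""")


def stale_public_endpoints(catalog, expected_proto="https"):
    """Return (service, region, url) for public endpoints not using expected_proto.

    expected_proto mirrors the value chosen for openstack_service_publicuri_proto.
    """
    findings = []
    for service in catalog:
        for ep in service.get("endpoints", []):
            if ep.get("interface") != "public":
                continue  # the release note only changes the public endpoints
            # urlsplit normalises the scheme, so "HTTP://" is caught as well
            scheme = urlsplit(ep.get("url", "")).scheme.lower()
            if scheme != expected_proto:
                name = service.get("name") or service.get("type")
                findings.append((name, ep.get("region"), ep.get("url")))
    return findings


if __name__ == "__main__":
    for name, region, url in stale_public_endpoints(SAMPLE_CATALOG):
        print(f"{name} [{region}]: public endpoint still registered as {url}")
```

Each endpoint it reports is one that still has to be updated through the Keystone admin API, as the upgrade note describes.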