32 lines
2.0 KiB
YAML
---
features:
  - The HAProxy role provided by OpenStack-Ansible now terminates SSL
    using a self-signed certificate by default. While this can be
    disabled, the inclusion of SSL services on all public endpoints as
    a default will help make deployments more secure without any
    additional user interaction. More information on SSL and certificate
    generation can be `found here <http://docs.openstack.org/developer/openstack-ansible/install-guide/configure-haproxy.html#securing-haproxy-communication-with-ssl-certificates>`_.
upgrade:
  - SSL termination is assumed enabled for all public endpoints by default.
    If this is not needed, it can be disabled by setting
    the ``openstack_external_ssl`` option to **false** and the
    ``openstack_service_publicuri_proto`` to **http**.
  - If HAProxy is used as the load balancer for a deployment, it will generate
    a self-signed certificate by default. If HAProxy is NOT used, an SSL
    certificate should be installed on the external load balancer. The
    installation of an SSL certificate on an external load balancer is not
    covered by the deployment tooling.
  - In previous releases, connections to Horizon terminated SSL
    at the Horizon container. While that is still an option, SSL is now
    assumed to be terminated at the load balancer. If you wish to terminate
    SSL at the Horizon node, change the ``horizon_external_ssl`` option to
    **false**.
  - Public endpoints will need to be updated using the Keystone admin API to
    support secure endpoints. The Keystone Ansible module will not recreate
    the endpoints automatically. Documentation on the Keystone service
    catalog can be `found here <http://docs.openstack.org/developer/keystone/configuration.html#service-catalog>`_.
security:
  - A self-signed certificate will now be generated by default when HAProxy
    is used as a load balancer. This certificate is used to terminate the
    public endpoint for Horizon and all OpenStack API services.