openstack-ansible/releasenotes/notes/haproxy_ssl_terminiation-cd...

---
features:
- The HAProxy role provided by OpenStack-Ansible now terminates SSL
  using a self-signed certificate by default. While this can be
  disabled, enabling SSL on all public endpoints by default helps make
  deployments more secure without any additional user interaction. Note
  that a self-signed certificate encrypts traffic but is not trusted by
  clients until the certificate is distributed to them, so production
  deployments should replace it with a certificate signed by a trusted CA.
  More information on SSL and certificate generation can be
  `found here <http://docs.openstack.org/developer/openstack-ansible/install-guide/configure-haproxy.html#securing-haproxy-communication-with-ssl-certificates>`_.
upgrade:
- SSL termination is assumed to be enabled for all public endpoints by
  default. If this is not needed it can be disabled by setting the
  ``openstack_external_ssl`` option to **false** and the
  ``openstack_service_publicuri_proto`` option to **http**.
- If HAProxy is used as the load balancer for a deployment it will generate
  a self-signed certificate by default. If HAProxy is NOT used, an SSL
  certificate should be installed on the external load balancer. The
  installation of an SSL certificate on an external load balancer is not
  covered by the deployment tooling.
- In previous releases, connections to Horizon terminated SSL at the
  Horizon container. While that is still an option, SSL is now assumed to
  be terminated at the load balancer. If you wish to terminate SSL at the
  Horizon container instead, change the ``horizon_external_ssl`` option to
  **false**.
- Existing public endpoints in the service catalog will need to be updated
  to secure (https) URLs using the Keystone admin API. The Keystone Ansible
  module will not recreate the endpoints automatically. Documentation on
  the `Keystone service catalog can be found here <http://docs.openstack.org/developer/keystone/configuration.html#service-catalog>`_.
security:
- A self-signed certificate will now be generated by default when HAProxy
  is used as a load balancer. This certificate is used to terminate the
  public endpoint for Horizon and all OpenStack API services.
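The upgrade note above says the public endpoints must be changed to https URLs through the Keystone admin API because the Keystone module will not do it. The following script is an added example, not part of OpenStack-Ansible's tooling, showing one way to do that with python-openstackclient and then to inspect the certificate HAProxy presents. It assumes admin credentials are exported as ``OS_*`` variables, a Keystone v3 catalog, and that only the URL scheme changes (host and port stay the same); the endpoint IDs and addresses in the sample are constructed.

```shell
#!/bin/sh
# Added example, not part of OpenStack-Ansible: switch the Keystone public
# endpoints from http:// to https:// after HAProxy starts terminating SSL,
# then probe the certificate the load balancer presents.
# Assumptions (not stated in the release note): python-openstackclient is
# installed with admin credentials exported as OS_* variables, the catalog
# is Keystone v3, and only the URL scheme changes (host and port stay).
set -eu

# Rewrite one endpoint URL from http:// to https://. Any other URL (already
# https, or a non-http scheme) is returned unchanged, so re-running is safe.
to_https_url() {
    case "$1" in
        http://*) printf 'https://%s\n' "${1#http://}" ;;
        *)        printf '%s\n' "$1" ;;
    esac
}

# Read lines of "<endpoint-id> <url>", which is the shape produced by
#   openstack endpoint list --interface public -f value -c ID -c URL
# and emit "<endpoint-id> <new-url>" only for endpoints that need changing.
plan_endpoint_updates() {
    while read -r id url; do
        [ -n "$id" ] || continue
        new_url=$(to_https_url "$url")
        [ "$new_url" = "$url" ] || printf '%s %s\n' "$id" "$new_url"
    done
}

# Apply (or, by default, only print) the planned changes through the
# Keystone admin API via the CLI. Pass "apply" to modify the catalog.
update_public_endpoints() {
    mode="${1:-dry-run}"
    openstack endpoint list --interface public -f value -c ID -c URL \
        | plan_endpoint_updates \
        | while read -r id new_url; do
            if [ "$mode" = "apply" ]; then
                openstack endpoint set --url "$new_url" "$id"
            else
                printf 'would set endpoint %s to %s\n' "$id" "$new_url"
            fi
        done
}

# Show the certificate HAProxy presents on a public endpoint. The default
# self-signed certificate has identical subject and issuer, which is the
# cue that clients will not trust it until a CA-signed one replaces it.
probe_public_cert() {
    host="$1"; port="${2:-443}"
    openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -noout -subject -issuer -dates
}

# Constructed sample of `openstack endpoint list` output for an offline dry run.
SAMPLE_ENDPOINTS='1f7b2c3d4e5f6a7b8c9d0e1f2a3b4c5d http://203.0.113.10:5000/v3
2a8c3d4e5f6a7b8c9d0e1f2a3b4c5d6e http://203.0.113.10:8774/v2.1/%(tenant_id)s
3b9d4e5f6a7b8c9d0e1f2a3b4c5d6e7f https://203.0.113.10:9292'

if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_ENDPOINTS" | plan_endpoint_updates
fi
```

Run it with ``--demo`` to see the planned rewrites for the constructed sample (the endpoint that is already https is skipped), call ``update_public_endpoints`` against a real cloud to print the pending changes, and ``update_public_endpoints apply`` to commit them. ``probe_public_cert <external-vip>`` afterwards confirms which certificate the load balancer is serving; if subject and issuer match, the self-signed default is still in place.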