[openstack-dev] [Fuel] SSL for master node API

Vladimir Kuklin vkuklin at mirantis.com
Tue Aug 4 11:24:30 UTC 2015


I am for the 2nd option for 7.0 and for the 3rd for 8.0.

But I would suggest that we add an option to astute.yaml that a user can
set to true to force SSL, and then he will need to install the updated
nailgun-agent for older environments. In this case the user will do this
consciously, knowing about the potential caveats of forcing SSL.

On Tue, Aug 4, 2015 at 1:45 PM, Evgeniy L <eli at mirantis.com> wrote:

> Hi,
>
> +1 to the 2nd solution; in this case old environments will work without
> additional actions. Agents for new environments, CLI and UI will use SSL.
> But probably for the UI we will have to perform a redirect at the JS level.
>
> Thanks,
>
> On Tue, Aug 4, 2015 at 1:32 PM, Stanislaw Bogatkin <sbogatkin at mirantis.com> wrote:
>
>> Hi guys,
>> as part of the overall movement of Fuel to use secure sockets, we are thinking
>> about wrapping master node UI and API calls in SSL. But there is the following caveat:
>>
>> a) fuel-nailgun-agent cannot work via SSL now and needs to be rewritten a
>> little. But if it is rewritten in 7.0 and HTTPS on the master node is
>> forced by default, it will break upgrades from previous releases to 7.0, due
>> to the fact that after a master node upgrade from 6.1 to 7.0 we will have HTTPS
>> by default and fuel-nailgun-agent on all environments won't be upgraded, so it
>> won't be able to connect to the master node after the upgrade. It breaks the
>> seamless upgrade procedure.
>>
>> The options I see here:
>> 1. We can forcibly enable SSL for the master node and rewrite clients in 7.0
>> to be able to work over it. In the release notes for 7.0 we will write a
>> forewarning that clients who want to upgrade the master node from previous
>> releases to 7.0 must also install the new fuel-nailgun-agent on all nodes in
>> all deployed environments.
>>
>> 2. We can have both SSL and non-SSL versions enabled by default and
>> rewrite fuel-nailgun-client in 7.0 in such a way that it will check SSL
>> availability and be able to work in plain HTTP for legacy mode. So, for all
>> new environments SSL will be used by default and for old ones plain HTTP
>> will continue to work too. Master node upgrade will not be broken in this
>> case.
>>
>> 3. We can take a mixed approach by gradually rewriting fuel-nailgun-client,
>> keeping both HTTP and HTTPS for the master node in 7.0 and dropping plain HTTP
>> in the next releases. It is just a postponed version of the first clause, so it
>> doesn't seem valid to me, actually.
>>
>> I would be really glad to hear what you think about this. Thank you in
>> advance.
>>
>> __________________________________________________________________________
>> OpenStack Development Mailing List (not for usage questions)
>> Unsubscribe:
>> OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>
>>


-- 
Yours Faithfully,
Vladimir Kuklin,
Fuel Library Tech Lead,
Mirantis, Inc.
+7 (495) 640-49-04
+7 (926) 702-39-68
Skype kuklinvv
35bk3, Vorontsovskaya Str.
Moscow, Russia,
www.mirantis.com <http://www.mirantis.ru/>
www.mirantis.ru
vkuklin at mirantis.com
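
The selection logic discussed in this thread (option 2, plus the proposed astute.yaml switch to force SSL), sketched as an added example that is not part of the original messages and not fuel-nailgun-agent code. The class name, the `force_ssl` keyword, the ports and the probe path are assumptions made for illustration.

```ruby
require 'net/http'
require 'openssl'
require 'uri'

# Hypothetical helper (not Fuel code). `force_ssl` stands in for the proposed
# astute.yaml option; host, ports and the '/' probe path are assumed values.
class MasterApiSelector
  ProbeFailed = Class.new(StandardError)

  def initialize(host:, force_ssl: false, https_port: 8443, http_port: 8000,
                 ca_file: nil, probe: nil)
    @host, @force_ssl = host, force_ssl
    @https_port, @http_port, @ca_file = https_port, http_port, ca_file
    # The probe is injectable so the decision logic can be tested offline.
    @probe = probe || method(:live_probe)
  end

  # Prefer HTTPS. Fall back to plain HTTP only when force_ssl is off, because
  # the fallback also triggers when HTTPS is merely blocked or the certificate
  # fails verification, so legacy mode gives no downgrade protection.
  def base_url
    https = "https://#{@host}:#{@https_port}"
    return https if @probe.call(URI(https))
    raise ProbeFailed, 'HTTPS unavailable and force_ssl is set' if @force_ssl

    http = "http://#{@host}:#{@http_port}"
    return http if @probe.call(URI(http))
    raise ProbeFailed, 'master node unreachable over HTTPS and HTTP'
  end

  private

  # Real network probe: a HEAD request with certificate verification enabled.
  def live_probe(uri)
    http = Net::HTTP.new(uri.host, uri.port)
    http.open_timeout = http.read_timeout = 5
    if uri.scheme == 'https'
      http.use_ssl = true
      http.verify_mode = OpenSSL::SSL::VERIFY_PEER
      http.ca_file = @ca_file if @ca_file
    end
    http.start { |conn| conn.head('/').code.to_i < 500 }
  rescue OpenSSL::SSL::SSLError, SystemCallError, Timeout::Error, SocketError
    false
  end
end
```

With `force_ssl: true` the agent refuses to talk to the master node rather than silently dropping to HTTP, which is the behaviour an operator opts into once all nodes carry the updated agent.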