[openstack-dev] [TripleO] FFE: TLS everywhere in the overcloud

Juan Antonio Osorio jaosorior at gmail.com
Thu Sep 1 09:22:50 UTC 2016


I've been working on TLS everywhere for the majority of this Newton cycle,
and proposed this blueprint https://review.openstack.org/#/c/282307/ (which
has been approved in Launchpad) somewhere around May.

There has been a lot of work trying to tackle blockers and doing a lot of
pre-work that needed to happen before this (such as the keystone endpoints
parts), but I think we're on a good track. The composable services/roles
work also slowed this down, as some of that needed to land before this work
could continue.

Here's the topic to follow the ongoing work:

The main remaining pieces of work are:
* Getting the services to listen on FQDNs instead of IP addresses (this
will also help us tackle IPv6 issues)
* TLS for internal endpoints in HAProxy
  - we need to figure out a way to get different internal certificates (one
per network) and get haproxy to choose which to use. This should be easier
thanks to Shardy's work.
* TLS for apache-based services
* TLS for non-apache based services (we might end up proxying this via
apache or something else since we don't want to do crypto in python)

This is certainly not low-risk, but I think it is achievable and would
bring great value to TripleO, as it would allow deployers that were
previously blocked by regulations in their industry to start considering
actually using TripleO.

I was also working on TLS everywhere in the undercloud, but did not get
enough time to figure out some parts of it. So that work will not be
included here.


Juan Antonio Osorio R.
e-mail: jaosorior at gmail.com
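As an added illustration of the per-network certificate point in the list above (this is not part of the original message and not TripleO's own generated configuration), the HAProxy fragment below shows one listener per network, each presenting its own certificate, in front of Apache-based keystone instances that are addressed by FQDN and reached over verified TLS. The hostnames, addresses, ports and certificate paths are assumptions chosen for the example.

```haproxy
# Added illustration, not TripleO-generated configuration. Hostnames,
# addresses, ports and certificate paths are assumed values for the example.
global
    # Refuse SSLv3 and TLS 1.0/1.1 on every TLS listener.
    ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11
    ssl-default-bind-ciphers ECDHE+AESGCM:ECDHE+CHACHA20

defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Public API endpoint: clients connect using the public FQDN, so the
# certificate presented on this bind carries that name.
frontend keystone_public
    bind 203.0.113.10:13000 ssl crt /etc/pki/tls/private/overcloud-public.pem
    default_backend keystone_api

# Internal API endpoint on the InternalApi network: a separate listener
# address, hence a separate certificate (one per network). HAProxy selects
# the certificate by the bind the connection arrived on, so no SNI-based
# selection is required for this case.
frontend keystone_internal
    bind 172.16.2.10:5000 ssl crt /etc/pki/tls/private/overcloud-internalapi.pem
    default_backend keystone_api

# Backends are the Apache-fronted keystone instances, addressed by FQDN and
# reached over TLS, so the HAProxy-to-service hop is encrypted and each
# server certificate is verified against the deployment CA and its hostname.
backend keystone_api
    balance roundrobin
    default-server ssl verify required ca-file /etc/pki/ca-trust/source/anchors/overcloud-ca.pem
    server controller-0 controller-0.internalapi.example.local:5000 check verifyhost controller-0.internalapi.example.local
    server controller-1 controller-1.internalapi.example.local:5000 check verifyhost controller-1.internalapi.example.local
```

Because each network has its own bind address, the certificate choice is made purely by which listener a connection reaches; the FQDN-based server lines and `verifyhost` are what make the backend hop verifiable rather than merely encrypted.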