[kolla][ssl] Deploy third-party SSL for HAProxy

Satish Patel satish.txt at gmail.com
Thu Sep 29 09:22:22 UTC 2022


Hi Radoslaw,

I meant the same IP address for internal/external VIPs, like the following
snippet. 10.73.0.180 is used for internal and external addresses.

kolla_internal_vip_address: "10.73.0.180"
kolla_external_vip_address: "{{ kolla_internal_vip_address }}"
network_interface: "eth0"
neutron_external_interface: "eth1"

I did the following in global.yml and ran "deploy" but it got stuck somewhere
in nova. I am looking for errors to find out what happened. Am I missing
something in the following configuration?

kolla_enable_tls_internal: "yes"
kolla_certificates_dir: "/etc/kolla/certificates"
kolla_internal_fqdn_cert: "{{ kolla_certificates_dir }}/my_company_certificate.pem"

Is the above going to enable SSL for all communications or just the Horizon
web GUI?



On Thu, Sep 29, 2022 at 5:08 AM Radosław Piliszek <
radoslaw.piliszek at gmail.com> wrote:

> On Thu, 29 Sept 2022 at 11:03, Satish Patel <satish.txt at gmail.com> wrote:
> > I have a similar ip address on both internal/external vip in that case
> > how does it work?  I am seeing in doc which is saying.
>
> I don't know a good definition for a "similar" IP address so I assume
> you mean the *same* for the rest of the answer. If that is not the
> case, i.e., you have two addresses on the same network, then the
> sentence below does not apply. The docs could be worded better
> mayhaps...
>
> > "If there is only a single network configured in your topology (as
> > opposed to separate internal and external networks), TLS can only be
> > enabled using the internal network configuration variables."
> >
> > Based on the above sentence I should use only
> > kolla_enable_tls_internal: "yes"  in global.yml correct? no need to use
> > external.
>
> Yes, when addresses are the same, k-a detects that and simply
> configures everything to the kolla_enable_tls_internal and family
> settings. The external family of vars should be left unset (i.e. not
> included in your globals.yml).
>
> Radek
> -yoctozepto
>
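Added example, not part of the original message and not kolla-ansible code: a small pre-deploy check for the rule in the quoted reply, that with identical internal and external VIPs only the internal TLS variables are used and the external family stays unset. The function names are hypothetical; kolla_enable_tls_external and kolla_external_fqdn_cert are assumed here as the external counterparts of the variables shown in the message, and the parser only handles flat "key: value" lines.

```python
import re

# Constructed sample: the globals.yml lines from the message above, plus one
# external TLS variable added on purpose so the check has something to report.
SAMPLE = '''\
kolla_internal_vip_address: "10.73.0.180"
kolla_external_vip_address: "{{ kolla_internal_vip_address }}"
kolla_enable_tls_internal: "yes"
kolla_enable_tls_external: "yes"
kolla_certificates_dir: "/etc/kolla/certificates"
kolla_internal_fqdn_cert: "{{ kolla_certificates_dir }}/my_company_certificate.pem"
'''

EXTERNAL_TLS_VARS = ("kolla_enable_tls_external", "kolla_external_fqdn_cert")

def parse_flat_yaml(text):
    """Parse top-level 'key: value' lines only; comments and nesting are skipped."""
    out = {}
    for line in text.splitlines():
        m = re.match(r'^([A-Za-z_]\w*):\s*(.*?)\s*$', line)
        if m:
            out[m.group(1)] = m.group(2).strip('"\'')
    return out

def resolve(value, variables, depth=5):
    """Expand simple '{{ name }}' references; other Jinja is left untouched."""
    for _ in range(depth):
        new = re.sub(r'\{\{\s*(\w+)\s*\}\}',
                     lambda m: variables.get(m.group(1), m.group(0)), value)
        if new == value:
            break
        value = new
    return value

def check_single_vip_tls(text):
    """Return findings when both VIPs resolve to the same address."""
    v = parse_flat_yaml(text)
    internal = resolve(v.get("kolla_internal_vip_address", ""), v)
    # Assumption: an unset external VIP falls back to the internal one.
    external = resolve(v.get("kolla_external_vip_address", internal), v)
    findings = []
    if internal and internal == external:
        findings += [f"{k} is set but both VIPs are the same address; leave it unset"
                     for k in EXTERNAL_TLS_VARS if k in v]
        if v.get("kolla_enable_tls_internal", "no").lower() not in ("yes", "true"):
            findings.append("kolla_enable_tls_internal is not enabled")
    return findings
```
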