On 1/7/2024 7:14 pm, Michel Jouvin wrote:
Hi,
We have reconfigured our cloud with a Nginx server handling TLS in front of every API service, as described in https://docs.openstack.org/security-guide/secure-communication/secure-refere.... Previously we used to have Magnum/Heat/Barbican endpoints using http rather than https (not good!). Since this change, we have seen problems in Magnum (starting in Antelope when we did the change but still present in Caracal) where some "internal" requests to Barbican and Heat are done in http rather than https. We worked around this by defining a redirect to https on 497 status code, as documented in the Nginx documentation, but it is not really satisfying as it means all clients, not only Magnum service, could use http on the https port and get serviced. I remember seeing an issue on Launchpad about this issue but forgot the issue number.
Hi Michel,

Can I clarify, do you mean Magnum is making HTTP call to Barbican, when in catalog the Barbican endpoints are all HTTPS? Can you dump your Barbican endpoints in `openstack catalog list`? Anonymised is fine.

Also, what does your magnum.conf look like in terms of clients config?

Regards,
Jake
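
The catalog check asked for above can be scripted. This is an added example, not part of either message and not Magnum or OpenStack project code: it flags every catalog endpoint whose URL scheme is not `https`. It assumes the JSON from `openstack catalog list -f json` is a list of services with `Name`, `Type` and an `Endpoints` list carrying `interface`, `region` and `url`; the sample catalog and its hostnames are constructed.

```python
import json
from urllib.parse import urlsplit

# Constructed sample (hostnames and ports are placeholders), in the shape
# this example assumes `openstack catalog list -f json` produces.
SAMPLE_CATALOG = json.loads("""
[
  {"Name": "barbican", "Type": "key-manager", "Endpoints": [
    {"interface": "public",   "region": "RegionOne", "url": "https://barbican.example.org:9311"},
    {"interface": "internal", "region": "RegionOne", "url": "http://barbican.example.internal:9311"}
  ]},
  {"Name": "heat", "Type": "orchestration", "Endpoints": [
    {"interface": "public",   "region": "RegionOne", "url": "https://heat.example.org:8004/v1"},
    {"interface": "internal", "region": "RegionOne", "url": "https://heat.example.org:8004/v1"}
  ]},
  {"Name": "magnum", "Type": "container-infra", "Endpoints": [
    {"interface": "public",   "region": "RegionOne", "url": "https://magnum.example.org:9511/v1"}
  ]}
]
""")


def plaintext_endpoints(catalog, interfaces=("public", "internal", "admin")):
    """Return sorted (service, interface, url) tuples for non-HTTPS endpoints."""
    findings = []
    for service in catalog:
        endpoints = service.get("Endpoints") or []
        if not isinstance(endpoints, list):
            # Unexpected shape (e.g. a pre-formatted string): skip, do not guess.
            continue
        for endpoint in endpoints:
            url = endpoint.get("url", "")
            scheme = urlsplit(url).scheme.lower()
            if endpoint.get("interface") in interfaces and scheme != "https":
                findings.append((service.get("Name"), endpoint.get("interface"), url))
    return sorted(findings)


if __name__ == "__main__":
    # For real use, replace SAMPLE_CATALOG with json.load() of the saved CLI output.
    for name, interface, url in plaintext_endpoints(SAMPLE_CATALOG):
        print(f"{name:<10} {interface:<9} {url}")
```

An empty result means the catalog itself advertises only HTTPS, so any remaining plain-HTTP requests come from client-side configuration rather than from the catalog.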