[openstack-dev] [Fuel] SSL for master node API

Sheena Gregson sgregson at mirantis.com
Tue Aug 4 12:07:30 UTC 2015


+1 to #2



*From:* Vladimir Kuklin [mailto:vkuklin at mirantis.com]
*Sent:* Tuesday, August 04, 2015 6:25 AM
*To:* OpenStack Development Mailing List (not for usage questions) <
openstack-dev at lists.openstack.org>
*Subject:* Re: [openstack-dev] [Fuel] SSL for master node API



I am for the 2nd option for 7.0 and for the 3rd for 8.0.



But I would suggest that we add an option to astute.yaml that a user can
set to true to force SSL, and then he will need to install the updated
nailgun-agent for older environments. In this case the user will do this
consciously, knowing about the potential caveats of forcing SSL.



On Tue, Aug 4, 2015 at 1:45 PM, Evgeniy L <eli at mirantis.com> wrote:

Hi,



+1 to the 2nd solution; in this case old environments will work without
additional actions. Agents for new environments, CLI and UI will use SSL.

But probably for the UI we will have to perform a redirect at the JS level.



Thanks,



On Tue, Aug 4, 2015 at 1:32 PM, Stanislaw Bogatkin <sbogatkin at mirantis.com>
wrote:

Hi guys,

As part of the overall movement of Fuel to use secure sockets, we are thinking
about wrapping master node UI and API calls in SSL. But there is the following
caveat:



a) fuel-nailgun-agent cannot work via SSL now and needs to be rewritten a
little. But if it is rewritten in 7.0 and HTTPS on the master node is
forced by default, it will break the upgrade from previous releases to 7.0, due
to the fact that after a master node upgrade from 6.1 to 7.0 we will have HTTPS
by default and fuel-nailgun-agent on all environments won't be upgraded, so it
won't be able to connect to the master node after the upgrade. It breaks the
seamless upgrade procedure.



The options I see here:

1. We can forcibly enable SSL for the master node and rewrite clients in 7.0 to
be able to work over it. In the release notes for 7.0 we will write a forewarning
that clients which want to upgrade the master node from previous releases to
7.0 must also install the new fuel-nailgun-agent on all nodes in all deployed
environments.



2. We can have both SSL and non-SSL versions enabled by default and rewrite
fuel-nailgun-client in 7.0 in such a way that it will check SSL availability and
be able to work in plain HTTP for legacy mode. So, for all new environments
SSL will be used by default and for old ones plain HTTP will continue to
work too. The master node upgrade will not be broken in this case.



3. We can go some mixed way by gradually rewriting fuel-nailgun-client, keeping
both HTTP and HTTPS for the master node in 7.0 and dropping plain HTTP in the next
releases. It is just a postponed version of the first clause, so it doesn't seem
valid to me, actually.



I would be really glad to hear what you think about this. Thank you in
advance.



__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev









-- 

Yours Faithfully,
Vladimir Kuklin,
Fuel Library Tech Lead,
Mirantis, Inc.
+7 (495) 640-49-04
+7 (926) 702-39-68
Skype kuklinvv
35bk3, Vorontsovskaya Str.
Moscow, Russia,
www.mirantis.com <http://www.mirantis.ru/>
www.mirantis.ru
vkuklin at mirantis.com
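
Option 2 from the thread (prefer HTTPS, fall back to plain HTTP for legacy environments) combined with the force-SSL switch suggested in Vladimir's reply, as an added example that is not code from the thread or from Fuel. The host, ports, `/api` path, the `force_ssl` name and the `seen_https` rule (never fall back once HTTPS has worked) are assumptions that go beyond what the thread specifies.

```python
import ssl
import urllib.error
import urllib.request

# Assumed values, not from the thread: host, ports and API path.
MASTER_HOST = "master.example"
HTTPS_PORT = 8443
HTTP_PORT = 8000


def https_probe(url, cafile=None, timeout=5):
    """Return True if the master API answers over verified TLS at `url`."""
    # The default context verifies the certificate chain and the hostname.
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with urllib.request.urlopen(url, context=ctx, timeout=timeout):
            return True
    except urllib.error.HTTPError:
        return True   # TLS handshake succeeded; server returned an error status
    except (urllib.error.URLError, ssl.SSLError, OSError):
        return False  # no listener, handshake failure or untrusted certificate


def select_api_url(force_ssl, seen_https, probe=https_probe):
    """Choose the base URL an agent should use for the master node API.

    force_ssl  -- hypothetical astute.yaml switch: never use plain HTTP
    seen_https -- True if this agent has reached the master over HTTPS before
    Returns (url, seen_https); raises ConnectionError rather than downgrading.
    """
    https_url = "https://%s:%d/api" % (MASTER_HOST, HTTPS_PORT)
    http_url = "http://%s:%d/api" % (MASTER_HOST, HTTP_PORT)
    if probe(https_url):
        return https_url, True
    # A failed probe may mean a legacy master, or something blocking the
    # HTTPS port; only agents that never saw HTTPS may use the legacy path.
    if force_ssl or seen_https:
        raise ConnectionError("HTTPS unavailable and plain HTTP not permitted")
    return http_url, False
```

The caller is expected to persist the returned `seen_https` flag between runs so that an agent which has once talked HTTPS does not silently return to plain HTTP.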