[openstack-dev] [tripleo] TLS by default

Dmitry Tantsur dtantsur at redhat.com
Wed Mar 14 11:52:41 UTC 2018


Just to clarify: only for public endpoints, right? I don't think e.g. 
ironic-python-agent can talk to self-signed certificates yet.

On 03/14/2018 07:03 AM, Juan Antonio Osorio wrote:
> Hello,
> 
> As part of the proposed changes by the Security Squad [1], we'd like the 
> deployment to use TLS by default.
> 
> The first target is to get the undercloud to use it, so a patch has been 
> proposed recently [2] [3]. So, just wanted to give a heads up to people.
> 
> This should be just fine from a quickstart/testing point of view, since we 
> explicitly set the value for autogenerating certificates in the undercloud [4] [5].
> 
> Note that there are also plans to change these defaults for the containerized 
> undercloud and the overcloud.
> 
> BR
> 
> [1] https://etherpad.openstack.org/p/tripleo-security-squad
> [2] https://review.openstack.org/#/c/552382/
> [3] https://review.openstack.org/552781
> [4] https://github.com/openstack/tripleo-quickstart-extras/blob/master/roles/extras-common/defaults/main.yml#L15
> [5] https://github.com/openstack/tripleo-quickstart-extras/blob/master/roles/undercloud-deploy/templates/undercloud.conf.j2#L117
> -- 
> Juan Antonio Osorio R.
> e-mail: jaosorior at gmail.com