[openstack-dev] [tripleo] TLS by default

Juan Antonio Osorio jaosorior at gmail.com
Wed Mar 14 12:07:52 UTC 2018


Correct, only public endpoints.

On Wed, Mar 14, 2018 at 1:52 PM, Dmitry Tantsur <dtantsur at redhat.com> wrote:

> Just to clarify: only for public endpoints, right? I don't think e.g.
> ironic-python-agent can talk to self-signed certificates yet.
>
>
> On 03/14/2018 07:03 AM, Juan Antonio Osorio wrote:
>
>> Hello,
>>
>> As part of the proposed changes by the Security Squad [1], we'd like the
>> deployment to use TLS by default.
>>
>> The first target is to get the undercloud to use it, so a patch has been
>> proposed recently [2] [3]. So, just wanted to give a heads up to people.
>>
>> This should be just fine from a quickstart/testing point of view, since
>> we explicitly set the value for autogenerating certificates in the
>> undercloud [4] [5].
>>
>> Note that there are also plans to change these defaults for the
>> containerized undercloud and the overcloud.
>>
>> BR
>>
>> [1] https://etherpad.openstack.org/p/tripleo-security-squad
>> [2] https://review.openstack.org/#/c/552382/
>> [3] https://review.openstack.org/552781
>> [4] https://github.com/openstack/tripleo-quickstart-extras/blob/master/roles/extras-common/defaults/main.yml#L15
>> [5] https://github.com/openstack/tripleo-quickstart-extras/blob/master/roles/undercloud-deploy/templates/undercloud.conf.j2#L117
>> --
>> Juan Antonio Osorio R.
>> e-mail: jaosorior at gmail.com
>>
>>
>>
>> __________________________________________________________________________
>> OpenStack Development Mailing List (not for usage questions)
>> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>
>>
>



-- 
Juan Antonio Osorio R.
e-mail: jaosorior at gmail.com