[kolla][ssl] Deploy third-party SSL for HAProxy

Satish Patel satish.txt at gmail.com
Thu Sep 29 09:03:06 UTC 2022


Thanks Radosław,

I figured out later that "certificates" is used to generate self-signed
certificates. I have a similar IP address on both the internal/external VIP;
in that case, how does it work? I am seeing in the doc that it says:

"If there is only a single network configured in your topology (as opposed
to separate internal and external networks), TLS can only be enabled using
the internal network configuration variables."

Based on the above sentence, I should use only kolla_enable_tls_internal:
"yes" in global.yml, correct? No need to use external. I am trying to find
a good working example for deploying third-party SSL, which is not in the
official doc.


On Thu, Sep 29, 2022 at 4:01 AM Radosław Piliszek <
radoslaw.piliszek at gmail.com> wrote:

> The ``certificates`` command is for generating certificates (the help
> is explicit on it).
> For all-things-deployment one just needs to run ``deploy`` again.
>
> Radek
> -yoctozepto
>
> On Wed, 28 Sept 2022 at 23:02, Satish Patel <satish.txt at gmail.com> wrote:
> >
> > Folks,
> >
> > I have a GoDaddy SSL cert and am trying to deploy it with kolla, but I am a
> > little bit confused with this doc:
> > https://docs.openstack.org/kolla-ansible/latest/admin/tls.html
> >
> > I have a single interface for the internal/external VIP and tried the
> > following config to deploy SSL/TLS for haproxy and other services.
> >
> > ---
> > openstack_release: "wallaby"
> > kolla_internal_vip_address: "10.73.0.180"
> > kolla_external_vip_address: "{{ kolla_internal_vip_address }}"
> > network_interface: "eth0"
> > neutron_external_interface: "eth1"
> >
> > # TLS
> > kolla_enable_tls_internal: "yes"
> > kolla_certificates_dir: "/etc/kolla/certificates"
> > kolla_internal_fqdn_cert: "{{ kolla_certificates_dir }}/my_company_cert.pem"
> >
> >
> > When I run the "kolla-ansible -i multinode certificates" command it deploys
> > something, but then I found it generated a certificate itself (self-signed)
> > in the /etc/kolla/cacertificates directory and overrode my third-party cert.
> >
> > When I tried https://foobar.com in the browser it didn't connect to port
> > 443, which means it did not enable SSL. Am I missing something here?
> >
>
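The file that kolla_internal_fqdn_cert points at (my_company_cert.pem above) is handed to HAProxy as its `crt` bundle, and HAProxy expects the certificate chain and the private key together in that one PEM file; a certificate-only download from the CA will not serve TLS. The following check is an added example, not code from this thread or from kolla-ansible, and the PEM bodies in it are constructed placeholders, not real keys or certificates.

```python
import re
from typing import List, Tuple

# Constructed sample bundle in the shape HAProxy wants: leaf certificate,
# intermediate(s), then the private key. Bodies are placeholder base64, not real material.
SAMPLE_BUNDLE = """-----BEGIN CERTIFICATE-----
QkVHSU4gTEVBRg==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
SU5URVJNRURJQVRF
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
RkFLRSBLRVk=
-----END PRIVATE KEY-----
"""

# Matches one PEM block and captures its label (CERTIFICATE, PRIVATE KEY, RSA PRIVATE KEY, ...).
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def pem_blocks(text: str) -> List[str]:
    """Return the labels of all PEM blocks in the file, in order of appearance."""
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]


def check_haproxy_bundle(text: str) -> Tuple[bool, List[str]]:
    """Check that a PEM file is structurally usable as a HAProxy 'crt' bundle.

    Returns (ok, problems). Leaf-first chain order cannot be verified without
    parsing X.509, so only block presence and counts are checked here.
    """
    labels = pem_blocks(text)
    problems: List[str] = []
    certs = [label for label in labels if label == "CERTIFICATE"]
    keys = [label for label in labels if label.endswith("PRIVATE KEY")]
    if not certs:
        problems.append("no CERTIFICATE block: HAProxy cannot serve TLS from this file")
    if len(keys) != 1:
        problems.append(f"expected exactly one private key block, found {len(keys)}; "
                        "a certificate-only file from the CA must be joined with its key")
    if len(labels) != len(certs) + len(keys):
        problems.append("unexpected PEM block types present (only certificates and one key belong here)")
    return (not problems, problems)


if __name__ == "__main__":
    print(check_haproxy_bundle(SAMPLE_BUNDLE))
```

Run it against the real file with `check_haproxy_bundle(open(path).read())` before `kolla-ansible deploy`; a bundle that fails the key check is a common reason HAProxy never listens on 443.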