[Openstack-operators] osa Mitaka api SSL end points

Grant Morley grant at absolutedevops.io
Tue Feb 28 11:45:10 UTC 2017


Hi Andy,

Thank you for that, I will get straight onto that and make sure all of 
the public endpoints are HTTPS. Those are the ones that I care about for 
obvious reasons.

If I get stuck, I will be sure to chat in #openstack-ansible

Once again thanks for the speedy reply and help.

Grant


On 28/02/17 11:42, Andy McCrae wrote:
>
>
> On 28 February 2017 at 09:59, Grant Morley <grant at absolutedevops.io> wrote:
>
>     Hi All,
>
>     We have an OSA Mitaka deployment and for some reason all of the
>     endpoints (keystone, neutron, glance etc.) are all reporting
>     as HTTP rather than HTTPS. The only thing that seems to have
>     worked with HTTPS is Horizon (I know that isn't an API endpoint,
>     just for clarification).
>
>     We have placed our SSL certs in the correct directory for the
>     deployment "/etc/openstack_deploy/ssl/" but for some reason when
>     the setup has run it is only using HTTP as below:
>
>     +----------------------------------+--------+--------------+--------------+---------+-----------+---------------------------------------+
>     | ID                               | Region | Service Name | Service Type | Enabled | Interface | URL                                   |
>     +----------------------------------+--------+--------------+--------------+---------+-----------+---------------------------------------+
>     | 0b7ca91c06334207b3199eeca432d5fe | lon1   | cinder       | volume       | True    | admin     | http://10.6.0.3:8776/v1/%(tenant_id)s |
>     | 0f7440688cbc4d1f8f3c62158889729d | lon1   | keystone     | identity     | True    | internal  | http://10.6.0.3:5000/v3               |
>
>     Is there something else I have missed or do I need to put our SSL
>     certs in a different directory for OSA to set up the endpoints with
>     HTTPS on haproxy?
>
>     Grateful for any help.
>
>     Regards,
>
>     Grant
>
> Hi Grant,
>
> I took a look back at the stable/mitaka branch for OSA - we do default
> the value to be http, so if you don't override the setting it will be
> set up as http.
> That's changed since, but you can overwrite this by setting
> "openstack_service_publicuri_proto: https" which would then set the
> public endpoints to be https.
> Although the paste you have above implies you want all endpoints to be
> https - as it stands I don't believe there is support for that - that
> is to say that internal traffic (internal/admin endpoints) would be
> http, and your public endpoint (terminating at your LB - haproxy if
> you are using the built-in one) would be https.
>
> There are a few exceptions in keystone, rabbitmq, horizon and HAProxy: 
> https://docs.openstack.org/developer/openstack-ansible/mitaka/install-guide/configure-sslcertificates.html
>
> Here are some docs about securing haproxy with ssl-certificates that 
> may be helpful: 
> https://docs.openstack.org/developer/openstack-ansible/mitaka/install-guide/configure-haproxy.html#securing-haproxy-communication-with-ssl-certificates
>
> If you're stuck or running into issues feel free to jump into the 
> #openstack-ansible channel on Freenode IRC, there are usually quite a 
> few people around to help and answer questions.
>
> Andy
>
>
>

-- 
Grant Morley
Cloud Lead
Absolute DevOps Ltd
Units H, J & K, Gateway 1000, Whittle Way, Stevenage, Herts, SG1 2FP
www.absolutedevops.io
grant at absolutedevops.io 0845 874 0580
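
The check implied by this thread, as an added example that is not part of the original messages: after setting "openstack_service_publicuri_proto: https", confirm that every enabled public endpoint is HTTPS while internal/admin endpoints are left alone, as Andy's reply describes. It assumes the endpoint table (such as `openstack endpoint list` prints) is supplied as text; the function names are hypothetical, and the sample IDs and the public address 203.0.113.10 are constructed.

```python
from urllib.parse import urlsplit

# Constructed sample in the column layout of the table quoted in the thread
# (IDs and the public address 203.0.113.10 are made up for illustration).
SAMPLE = """\
+------+--------+--------------+--------------+---------+-----------+---------------------------------------+
| ID   | Region | Service Name | Service Type | Enabled | Interface | URL                                   |
+------+--------+--------------+--------------+---------+-----------+---------------------------------------+
| id-1 | lon1   | cinder       | volume       | True    | admin     | http://10.6.0.3:8776/v1/%(tenant_id)s |
| id-2 | lon1   | keystone     | identity     | True    | internal  | http://10.6.0.3:5000/v3               |
| id-3 | lon1   | keystone     | identity     | True    | public    | http://203.0.113.10:5000/v3           |
| id-4 | lon1   | glance       | image        | True    | public    | https://203.0.113.10:9292             |
| id-5 | lon1   | neutron      | network      | False   | public    | http://203.0.113.10:9696              |
+------+--------+--------------+--------------+---------+-----------+---------------------------------------+
"""


def parse_endpoint_table(text):
    """Turn the ASCII table into a list of dicts keyed by column header."""
    rows = []
    header = None
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue  # skip +----+ borders and blank lines
        cells = [c.strip() for c in line.strip("|").split("|")]
        if header is None:
            header = cells  # first pipe-delimited line is the header row
        elif len(cells) == len(header):
            rows.append(dict(zip(header, cells)))
    return rows


def cleartext_public_endpoints(rows):
    """Return (service, url) for enabled public endpoints that are not https."""
    findings = []
    for row in rows:
        # internal/admin stay http in this setup; disabled endpoints are skipped here
        if row["Interface"].lower() != "public" or row["Enabled"] != "True":
            continue
        if urlsplit(row["URL"]).scheme.lower() != "https":
            findings.append((row["Service Name"], row["URL"]))
    return findings


if __name__ == "__main__":
    for name, url in cleartext_public_endpoints(parse_endpoint_table(SAMPLE)):
        print(f"public endpoint not HTTPS: {name} {url}")
```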