[Openstack] Devstack with SSL?

Jens Harbott j.harbott at x-ion.de
Tue Aug 29 16:39:36 UTC 2017

2017-08-29 15:40 GMT+00:00 Sean Dague <sean at dague.net>:
> On 08/29/2017 10:56 AM, Rob Crittenden wrote:
>> Ken D'Ambrosio wrote:
>>> Hey, all.  We want to proof something out with SSL-enabled endpoints,
>>> and don't want to go through the grief of setting up a whole multi-host
>>> cloud to do it.  Devstack with
>>> USE_SSL=True
>>> in its local.conf seemed to be just the ticket... except that when it
>>> gets done, "openstack show endpoints" only shows stock HTTP connections,
>>> no HTTPS.  Googling has -- somewhat to my surprise -- shown essentially
>>> nothing of value.  Should I give up on trying to teach Devstack new
>>> tricks, and fire up Mirantis or something, or is there a way to get this
>>> working?
>> It's been forever since I've poked at USE_SSL because most users don't
>> want to use SSL directly but put it behind usually haproxy. So I don't
>> know if this is broken or not.
>> I'd recommend you add tls-proxy to ENABLED_SERVICES instead. This will
>> configure stud to proxy the requests.
> Correct, USE_SSL was actually deleted in devstack last cycle, it was
> really confusing to have 2 different ssl paths. The prefered devstack
> way for doing SSL is with the tls-proxy, which is how we run in the gate
> now. All endpoints get set as https, and are sent through an apache
> proxy that terminates them.
> This maps much closer to production models of doing haproxy, or some
> other terminator.

Incidentally I was just working on this today and found some issues,
see https://bugs.launchpad.net/devstack/+bug/1713731 and
https://bugs.launchpad.net/cinder/+bug/1713732, which make me think
that the test coverage is still not as good as one would hope for.

More information about the Openstack mailing list