
support ssl for openstack REST endpoints
Open, Normal, Public

Description

Now that acme-chief makes cert generation easy, let's investigate supporting ssl/tls for our openstack services.

I don't know much about how this would work. In the near term we probably want to support both http and https for the endpoints (to keep existing use cases working) and I'm unclear if there are defined alternative ports or what the standard practice is for this.

Event Timeline

Andrew created this task. Jun 17 2019, 12:29 PM
Andrew triaged this task as Normal priority. Jun 17 2019, 12:34 PM
Andrew removed Andrew as the assignee of this task. Jun 17 2019, 1:05 PM
JHedden added a subscriber: JHedden. (Edited) Jun 17 2019, 2:26 PM

Standard practice is to use the same ports, as there's only one endpoint entry per service + region + interface.

openstack endpoint list --service image
+----------------------------------+----------+--------------+--------------+---------+-----------+--------------------------------------------+
| ID                               | Region   | Service Name | Service Type | Enabled | Interface | URL                                        |
+----------------------------------+----------+--------------+--------------+---------+-----------+--------------------------------------------+
| 0ed1b6c32ec9433f842cd31ba1f11a48 | eqiad1-r | glance       | image        | True    | public    | http://cloudcontrol1003.wikimedia.org:9292 |
| 3ed2c8aba1e648e2be01423a00b3b6b2 | eqiad1-r | glance       | image        | True    | admin     | http://cloudcontrol1003.wikimedia.org:9292 |
| 88c39643619a4244b39861e2ee309999 | eqiad1-r | glance       | image        | True    | internal  | http://cloudcontrol1003.wikimedia.org:9292 |
+----------------------------------+----------+--------------+--------------+---------+-----------+--------------------------------------------+

In order to support both http and https we'll need to terminate SSL/TLS at the load balancer. Once that's in place we can update the service endpoints and configure the LB to redirect http to https for everything except what we fear might break. (Will need some testing to verify this!)
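As an added example (not part of this thread), here is a pre-flight check for the endpoint update described above: it parses the table layout printed by `openstack endpoint list`, verifies there is exactly one entry per service + region + interface, and works out for each plain-http endpoint the https URL that keeps the same host and port. The sample table is constructed, modelled on the one quoted above; the functions are illustrative, not part of any OpenStack tooling.

```python
"""Pre-flight check for switching OpenStack catalog endpoints from http to https."""
from collections import Counter
from urllib.parse import urlsplit, urlunsplit

# Constructed sample in the `openstack endpoint list` layout (modelled on the table above).
SAMPLE = """\
+----------------------------------+----------+--------------+--------------+---------+-----------+---------------------------------------------+
| ID                               | Region   | Service Name | Service Type | Enabled | Interface | URL                                         |
+----------------------------------+----------+--------------+--------------+---------+-----------+---------------------------------------------+
| 0ed1b6c32ec9433f842cd31ba1f11a48 | eqiad1-r | glance       | image        | True    | public    | http://cloudcontrol1003.wikimedia.org:9292  |
| 3ed2c8aba1e648e2be01423a00b3b6b2 | eqiad1-r | glance       | image        | True    | admin     | http://cloudcontrol1003.wikimedia.org:9292  |
| 88c39643619a4244b39861e2ee309999 | eqiad1-r | glance       | image        | True    | internal  | https://cloudcontrol1003.wikimedia.org:9292 |
+----------------------------------+----------+--------------+--------------+---------+-----------+---------------------------------------------+
"""


def parse_endpoint_table(text):
    """Turn the ASCII table into a list of dicts keyed by the header cells."""
    rows, header = [], None
    for line in text.splitlines():
        if not line.startswith("|"):          # skip the +----+ border lines
            continue
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if header is None:
            header = cells                     # first '|' line is the header
            continue
        rows.append(dict(zip(header, cells)))
    return rows


def duplicate_keys(rows):
    """Return (service, region, interface) keys that occur more than once.

    The catalog allows only one entry per key, so any hit here means the
    https URL cannot simply replace the http one in place."""
    counts = Counter((r["Service Name"], r["Region"], r["Interface"]) for r in rows)
    return sorted(k for k, n in counts.items() if n > 1)


def https_migration_plan(rows):
    """Map each plain-http endpoint ID to its https URL on the same host:port."""
    plan = {}
    for r in rows:
        parts = urlsplit(r["URL"])
        if parts.scheme == "http":
            plan[r["ID"]] = urlunsplit(("https",) + tuple(parts[1:]))
    return plan


if __name__ == "__main__":
    catalog = parse_endpoint_table(SAMPLE)
    print("duplicates:", duplicate_keys(catalog))
    for endpoint_id, url in https_migration_plan(catalog).items():
        print(f"openstack endpoint set --url {url} {endpoint_id}")
```

The printed `openstack endpoint set` lines are only a preview of the change; nothing is modified until they are run by hand after the load balancer is actually terminating TLS.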