Our current openstack deployment (eqiad1) uses the following API endpoints. Note that every one of them, Keystone included, is plain http://, so credentials and tokens currently travel in cleartext:
aborrero@cloudcontrol1005:~ $ sudo wmcs-openstack endpoint list -c URL -c 'Service Name' -c 'Service Type' -c Interface
+--------------+--------------+-----------+------------------------------------------------------------------------+
| Service Name | Service Type | Interface | URL                                                                    |
+--------------+--------------+-----------+------------------------------------------------------------------------+
| placement    | placement    | internal  | http://openstack.eqiad1.wikimediacloud.org:8778                        |
| neutron      | network      | admin     | http://openstack.eqiad1.wikimediacloud.org:9696                        |
| keystone     | identity     | internal  | http://openstack.eqiad1.wikimediacloud.org:5000/v3                     |
| nova         | compute      | admin     | http://openstack.eqiad1.wikimediacloud.org:8774/v2.1                   |
| placement    | placement    | public    | http://openstack.eqiad1.wikimediacloud.org:8778                        |
| glance       | image        | public    | http://openstack.eqiad1.wikimediacloud.org:9292                        |
| glance       | image        | internal  | http://openstack.eqiad1.wikimediacloud.org:9292                        |
| proxy        | proxy        | admin     | http://proxy-eqiad1.wmflabs.org:5668/dynamicproxy-api/v1/$(tenant_id)s |
| designate    | dns          | internal  | http://openstack.eqiad1.wikimediacloud.org:9001                        |
| keystone     | identity     | public    | http://openstack.eqiad1.wikimediacloud.org:5000/v3                     |
| glance       | image        | admin     | http://openstack.eqiad1.wikimediacloud.org:9292                        |
| placement    | placement    | admin     | http://openstack.eqiad1.wikimediacloud.org:8778                        |
| designate    | dns          | public    | http://openstack.eqiad1.wikimediacloud.org:9001                        |
| nova         | compute      | public    | http://openstack.eqiad1.wikimediacloud.org:8774/v2.1                   |
| neutron      | network      | public    | http://openstack.eqiad1.wikimediacloud.org:9696                        |
| keystone     | identity     | admin     | http://openstack.eqiad1.wikimediacloud.org:35357/v3                    |
| proxy        | proxy        | internal  | http://proxy-eqiad1.wmflabs.org:5668/dynamicproxy-api/v1/$(tenant_id)s |
| nova         | compute      | internal  | http://openstack.eqiad1.wikimediacloud.org:8774/v2.1                   |
| neutron      | network      | internal  | http://openstack.eqiad1.wikimediacloud.org:9696                        |
| designate    | dns          | admin     | http://openstack.eqiad1.wikimediacloud.org:9001                        |
| proxy        | proxy        | public    | http://proxy-eqiad1.wmflabs.org:5668/dynamicproxy-api/v1/$(tenant_id)s |
+--------------+--------------+-----------+------------------------------------------------------------------------+
The openstack.eqiad1.wikimediacloud.org FQDN points to one of the cloudcontrol nodes, which runs HAProxy to load-balance requests across the three cloudcontrol servers.
One of the things we have to decide is where to terminate TLS: in HAProxy, or in each OpenStack API service itself. Either way, the certificates should be issued and deployed through acme-chief. If we terminate only in HAProxy, the hop from HAProxy to the API services on the cloudcontrol hosts stays cleartext unless those backends also speak TLS, so that choice should be made explicitly rather than by default.
Same listing for the codfw1dev deployment, which additionally runs barbican:

aborrero@cloudcontrol2001-dev:~ $ sudo wmcs-openstack endpoint list -c URL -c 'Service Name' -c 'Service Type' -c Interface
+--------------+--------------+-----------+-------------------------------------------------------------------------------+
| Service Name | Service Type | Interface | URL                                                                           |
+--------------+--------------+-----------+-------------------------------------------------------------------------------+
| keystone     | identity     | internal  | http://openstack.codfw1dev.wikimediacloud.org:5000/v3                         |
| proxy        | proxy        | admin     | http://novaproxy.codfw1dev.wmcloud.org:5668/dynamicproxy-api/v1/$(tenant_id)s |
| designate    | dns          | admin     | http://openstack.codfw1dev.wikimediacloud.org:9001                            |
| neutron      | network      | internal  | http://openstack.codfw1dev.wikimediacloud.org:9696                            |
| nova         | compute      | admin     | http://openstack.codfw1dev.wikimediacloud.org:8774/v2.1                       |
| barbican     | key-manager  | admin     | http://openstack.codfw1dev.wikimediacloud.org:9311                            |
| designate    | dns          | public    | http://openstack.codfw1dev.wikimediacloud.org:9001                            |
| placement    | placement    | public    | http://openstack.codfw1dev.wikimediacloud.org:8778                            |
| keystone     | identity     | admin     | http://openstack.codfw1dev.wikimediacloud.org:35357/v3                        |
| glance       | image        | admin     | http://openstack.codfw1dev.wikimediacloud.org:9292                            |
| barbican     | key-manager  | internal  | http://openstack.codfw1dev.wikimediacloud.org:9311                            |
| nova         | compute      | internal  | http://openstack.codfw1dev.wikimediacloud.org:8774/v2.1                       |
| placement    | placement    | internal  | http://openstack.codfw1dev.wikimediacloud.org:8778                            |
| neutron      | network      | admin     | http://openstack.codfw1dev.wikimediacloud.org:9696                            |
| nova         | compute      | public    | http://openstack.codfw1dev.wikimediacloud.org:8774/v2.1                       |
| proxy        | proxy        | internal  | http://novaproxy.codfw1dev.wmcloud.org:5668/dynamicproxy-api/v1/$(tenant_id)s |
| neutron      | network      | public    | http://openstack.codfw1dev.wikimediacloud.org:9696                            |
| barbican     | key-manager  | public    | http://openstack.codfw1dev.wikimediacloud.org:9311                            |
| glance       | image        | public    | http://openstack.codfw1dev.wikimediacloud.org:9292                            |
| proxy        | proxy        | public    | http://novaproxy.codfw1dev.wmcloud.org:5668/dynamicproxy-api/v1/$(tenant_id)s |
| keystone     | identity     | public    | http://openstack.codfw1dev.wikimediacloud.org:5000/v3                         |
| designate    | dns          | internal  | http://openstack.codfw1dev.wikimediacloud.org:9001                            |
| glance       | image        | internal  | http://openstack.codfw1dev.wikimediacloud.org:9292                            |
| placement    | placement    | admin     | http://openstack.codfw1dev.wikimediacloud.org:8778                            |
+--------------+--------------+-----------+-------------------------------------------------------------------------------+
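As an added illustration of the HAProxy-termination option discussed above (this is example code written for this task, not anything from the WMCS puppet tree, HAProxy or acme-chief), the bash script below covers the two halves of that migration: rendering a TLS frontend per API service from the acme-chief certificate, and planning the catalog change from http:// to https:// for every endpoint still on plain http. Assumptions that are not on this page: the acme-chief certificate is named "openstack-api" and its combined key+chain PEM sits at the path in ACME_CHIEF_PEM (that file name is a guess); the backends are the cloudcontrol hosts listening on plain http on a port that does not collide with the TLS listener (host names are placeholders); the endpoint IDs and lines in SAMPLE_CATALOG are constructed.

```shell
#!/bin/bash
# Added example for this task; not code from the WMCS puppet tree, HAProxy or
# acme-chief. Assumptions (not stated on the page):
#   - the acme-chief certificate is called "openstack-api" and its combined
#     key+chain PEM is the file below (that file name is a guess);
#   - backends are the cloudcontrol hosts listening on plain http on a port
#     that does not collide with the TLS listener (host names are placeholders);
#   - SAMPLE_CATALOG is constructed; the endpoint IDs are not real.

ACME_CHIEF_PEM=${ACME_CHIEF_PEM:-/etc/acme-chief/certs/openstack-api/live/rsa-2048.chained.crt.key}

# Render an HAProxy frontend/backend pair for one API service: TLS (>= 1.2)
# terminated on $listen_port with the acme-chief PEM, plain http to each
# backend on $backend_port. X-Forwarded-Proto is set so the oslo
# http_proxy_to_wsgi middleware in Keystone/Nova builds https:// links in
# responses; without it the services keep advertising http:// URLs.
render_haproxy_service() {
    local name=$1 listen_port=$2 backend_port=$3 backends=$4 b
    printf 'frontend %s\n' "$name"
    printf '    bind *:%s ssl crt %s ssl-min-ver TLSv1.2\n' "$listen_port" "$ACME_CHIEF_PEM"
    printf '    http-request set-header X-Forwarded-Proto https\n'
    printf '    default_backend %s_backend\n\n' "$name"
    printf 'backend %s_backend\n' "$name"
    for b in $backends; do
        printf '    server %s %s:%s check\n' "$b" "$b" "$backend_port"
    done
}

# Rewrite one catalog URL from http:// to https://, keeping host, port, path
# and the literal $(tenant_id)s template used by the proxy endpoints.
to_https_url() {
    case "$1" in
        http://*)  printf 'https://%s\n' "${1#http://}" ;;
        https://*) printf '%s\n' "$1" ;;
        *)         printf 'unsupported scheme: %s\n' "$1" >&2; return 1 ;;
    esac
}

# Read "<id> <url>" lines (the shape of `openstack endpoint list -f value
# -c ID -c URL`) and print one `openstack endpoint set` command per endpoint
# that is still plain http. The URL is single-quoted so that $(tenant_id)s
# survives a paste into a shell instead of being run as a command.
plan_endpoint_updates() {
    local id url
    while read -r id url; do
        [ -n "$id" ] || continue
        case "$url" in
            http://*) printf "openstack endpoint set --url '%s' %s\n" "$(to_https_url "$url")" "$id" ;;
        esac
    done
}

# Live check once a listener is up (needs network, so not exercised here):
# the handshake must succeed and the chain must verify against the system CAs.
check_tls_endpoint() {
    openssl s_client -connect "$1:$2" -servername "$1" -verify_return_error </dev/null >/dev/null 2>&1
}

# Constructed sample catalog with placeholder IDs: two endpoints still on
# http, one already migrated.
SAMPLE_CATALOG='aaaa0001 http://openstack.eqiad1.wikimediacloud.org:5000/v3
aaaa0002 https://openstack.eqiad1.wikimediacloud.org:9292
aaaa0003 http://proxy-eqiad1.wmflabs.org:5668/dynamicproxy-api/v1/$(tenant_id)s'

render_haproxy_service keystone 5000 15000 "cloudcontrol1005 cloudcontrol1006 cloudcontrol1007"
printf '%s\n' "$SAMPLE_CATALOG" | plan_endpoint_updates
```

Running it prints the HAProxy fragment for keystone followed by the two `openstack endpoint set` commands for the endpoints still on http. Against the real deployment, feed `wmcs-openstack endpoint list -f value -c ID -c URL` into plan_endpoint_updates and review the output before executing any of it; the catalog is what every client uses to find the services, so the https:// listeners must be up and verified with check_tls_endpoint first.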
Related documentation:
- CloudVPS HAproxy setup: https://wikitech.wikimedia.org/wiki/Portal:Cloud_VPS/Admin/Haproxy
- About acme-chief: https://wikitech.wikimedia.org/wiki/Acme-chief
- Upstream docs on securing openstack API endpoints: https://docs.openstack.org/security-guide/secure-communication/introduction-to-ssl-and-tls.html
- Know which server is in which openstack deployment: https://wikitech.wikimedia.org/wiki/Portal:Cloud_VPS/Admin/Deployments