
Kolla set intra and external tls communication

asked 2017-04-09 06:45:53 -0600


updated 2017-04-10 03:29:23 -0600

Hi,

I would like to enable external and internal communication via TLS in my OpenStack Kolla environment.

Using HAProxy, I separated kolla_external_vip_address from kolla_internal_vip_address and placed them on different interfaces.

Meanwhile I achieved the following:

In globals.yml I enabled the following:

    kolla_enable_tls_external: "yes"
    kolla_external_fqdn_cert: "{{ node_config_directory }}/os.pem"

Note: the 'os.pem' file contains the certificate and private key.

Now, after running kolla-ansible reconfigure, I can access my external VIP via TLS.

Question: does the Kolla configuration have additional options that enable:

  1. The OpenStack services to communicate via TLS with HAProxy via the internal_vip_address.
  2. HAProxy to communicate via TLS with each one of the internal OpenStack endpoints.

Note: I know that I can configure and manage it manually by editing each OpenStack service's and HAProxy's configuration; I am searching for a more elegant solution using Kolla's features.

Thanks!


1 answer


answered 2017-04-10 03:38:08 -0600

Hi NickDev,

Quick answer is no. At this moment Kolla Ansible does not support configuring TLS for internal communication, only on the external side (HAProxy SSL termination).

To achieve this you can do the following:

  • Use custom config to enable internal TLS for each service. (/etc/kolla/config/<service_name>/<service_config_file>)
  • Edit HAProxy to redirect TLS connections on the internal interface.
  • Create an Ansible task, or use the image build, to copy certificates into the containers.
  • Modify the protocol variables to use https-based endpoints:

    internal_protocol: "https"
    admin_protocol: "https"

Regards
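
A check for the HAProxy step of the answer above, as an added example that is not part of the original answer and not Kolla code: it scans an HAProxy configuration for listeners bound without TLS and for backend servers reached in plaintext or without certificate verification. The sample configuration, section names, addresses and paths are constructed placeholders, and `default-server` inheritance is not modelled.

```python
import shlex

# Constructed sample in the shape of an HAProxy config; the section names,
# addresses and file paths are placeholders, not Kolla's generated output.
SAMPLE_CFG = """
listen keystone_internal
    bind 10.10.10.254:5000 ssl crt /etc/haproxy/internal.pem
    server ctl01 10.10.10.11:5000 check ssl verify required ca-file /etc/haproxy/internal-ca.pem
    server ctl02 10.10.10.12:5000 check ssl verify none

listen glance_api
    bind 10.10.10.254:9292
    server ctl01 10.10.10.11:9292 check
"""

SECTION_KEYWORDS = {"global", "defaults", "listen", "frontend", "backend"}


def audit_haproxy_tls(cfg_text):
    """Return (section, line_no, problem) for plaintext or unverified TLS hops."""
    findings = []
    section = None
    for line_no, raw in enumerate(cfg_text.splitlines(), start=1):
        tokens = shlex.split(raw, comments=True)
        if not tokens:
            continue
        keyword, args = tokens[0], tokens[1:]
        if keyword in SECTION_KEYWORDS:
            section = args[0] if args else keyword
        elif keyword == "bind":
            # Client -> HAProxy hop: TLS termination needs both "ssl" and "crt".
            if "ssl" not in args or "crt" not in args:
                findings.append((section, line_no, "bind without ssl/crt"))
        elif keyword == "server":
            # HAProxy -> service hop: encrypt and authenticate the backend.
            opts = args[2:]  # skip the server name and address
            if "ssl" not in opts:
                findings.append((section, line_no, "server without ssl"))
            elif "verify" in opts and opts[opts.index("verify") + 1:][:1] == ["none"]:
                findings.append((section, line_no, "server cert not verified"))
            elif "ca-file" not in opts:
                findings.append((section, line_no, "server without ca-file"))
    return findings


if __name__ == "__main__":
    for section, line_no, problem in audit_haproxy_tls(SAMPLE_CFG):
        print(f"{section}: line {line_no}: {problem}")
```
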
