Enable external and internal communication via TLS in my OpenStack Kolla environment

asked 2018-08-02 14:21:44 -0500

sravan

Currently I see that TLS support is available only on the external VIP interface in a Kolla deployment.

In my Kolla OpenStack setup, both internal and external are using the same public VIP and I wanted to enable TLS on it.

I have enabled TLS in globals.yml and generated a self-signed certificate using the "kolla-ansible certificates" command. I have made the following changes in globals.yml:

kolla_enable_tls_external: "yes"
kolla_external_fqdn_cert: "{{ node_config_directory }}/certificates/haproxy.pem"

haproxy_enable_external_vip: "yes"
internal_protocol: "https"

With these changes I have deployed, and I'm seeing the following error while accessing the Horizon dashboard.

"An error occurred authenticating. Please try again later."

I have verified that the haproxy.cfg file has two entries for each OpenStack service with <same ip>:<same port>.
For example, haproxy.cfg:

listen glance_api
  bind 169.62.157.185:9292
  timeout client 6h
  timeout server 6h

  server nfvosprodcontr01 169.48.108.34:9292 check inter 2000 rise 2 fall 5

  server nfvosprodcontr02 169.48.108.36:9292 check inter 2000 rise 2 fall 5

  server nfvosprodcontr03 169.62.135.24:9292 check inter 2000 rise 2 fall 5

listen glance_api_external
  bind 169.62.157.185:9292 ssl crt /etc/haproxy/haproxy.pem
  timeout client 6h
  timeout server 6h

  server nfvosprodcontr01 169.48.108.34:9292 check inter 2000 rise 2 fall 5

  server nfvosprodcontr02 169.48.108.36:9292 check inter 2000 rise 2 fall 5

  server nfvosprodcontr03 169.62.135.24:9292 check inter 2000 rise 2 fall 5

Question:

  1. How do I solve the above error and access the Horizon dashboard? Provide me some debugging steps, as I'm blocked on this issue.
  2. I saw a similar question asked April '17 (https://ask.openstack.org/en/question/105249/kolla-set-intra-and-external-tls-communication/), but I wanted to know if there is any update on this. Is there any elegant way of enabling TLS on both the internal and the external VIP interface? Can you provide the high-level steps that need to be done?
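A check for the condition visible in the haproxy.cfg above, the same address:port bound once without and once with `ssl`, written as an added example that is not part of the original question or of kolla-ansible. The function names and the `keystone_internal` section in the sample are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample, reduced from the haproxy.cfg shown in the question.
# keystone_internal is a made-up section used as a non-conflicting control.
SAMPLE_CFG = """\
listen glance_api
  bind 169.62.157.185:9292
  server nfvosprodcontr01 169.48.108.34:9292 check inter 2000 rise 2 fall 5

listen glance_api_external
  bind 169.62.157.185:9292 ssl crt /etc/haproxy/haproxy.pem
  server nfvosprodcontr01 169.48.108.34:9292 check inter 2000 rise 2 fall 5

listen keystone_internal
  bind 169.62.157.185:5000 ssl crt /etc/haproxy/haproxy.pem
"""

SECTION_RE = re.compile(r"^(listen|frontend)\s+(\S+)")

def collect_binds(cfg_text):
    """Map each bound address:port to a list of (section, uses_tls)."""
    binds = defaultdict(list)
    section = None
    for raw in cfg_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and indentation
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(2)
            continue
        tokens = line.split()
        if tokens[0] in ("global", "defaults", "backend"):
            section = None                    # sections that carry no bind lines
        elif tokens[0] == "bind" and section and len(tokens) > 1:
            uses_tls = "ssl" in tokens[2:]    # bind options follow the address
            for addr in tokens[1].split(","): # one bind line may list several
                binds[addr].append((section, uses_tls))
    return binds

def mixed_tls_binds(cfg_text):
    """Addresses bound by at least one TLS and one plaintext listener."""
    return {addr: entries for addr, entries in collect_binds(cfg_text).items()
            if len({tls for _, tls in entries}) == 2}

if __name__ == "__main__":
    for addr, entries in mixed_tls_binds(SAMPLE_CFG).items():
        for section, tls in entries:
            print(f"{addr}  {section}: {'TLS' if tls else 'plaintext'}")
```
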