SSL

Currently, Spinal Stack can terminate SSL only on the loadbalancer (HAProxy) (Since version I-1.1.0). It is in the current plan to provide also the possibility to terminate SSL on each node using an SSL Proxy.

Overview

Put an image here, with rows showing which part is https ans which part is not

Configuration

Certificates

Vendor Certificate

Generate the PEM file

Before moving forward with the SSL configuration, the operator needs to have a valid pem file.

There are two cases possible in order to generate a proper pem file :

  • The operator has a SSL chain file : The correct pem file is the concatenation, in this exact order of : chain file + private key + certificate authority
  • The operator has no SSL chain file : The correct pem file is the concatenation, in this exact order of : private key + certificate authority

Self-Signed Certificate

There are some limitations with a self-signed certificate. Most of openstack-client commands should use ‘’‘–insecure’‘’. Whithin the spinalstack deployment you must trust your certification authority on all the servers (openstack and install-server).

Generate CA and certificates
mkdir self-signed-cert && cd self-signed-cert
# change theses values to match your requirements
# country, 2 letters
country="my_country"
location="my_town"
organisation="my_organisation"
domain="my_domain.com"

# generate the CA
openssl req -days 3650 -out ca.pem -new -x509 -subj /C=$country/L=$location/O=$organisation

# generate a private key for your servers
openssl genrsa -out star_$domain.key 2048

# create csr
openssl req -key star_$domain.key -new -out star_$domain.req -subj /C=$country/L=$location/O=$organisation/CN=*.$domain
echo '00' > file.srl

# generate the crt file
openssl x509 -req -days 3650 -in star_$domain.req -CA ca.pem -CAkey privkey.pem -CAserial file.srl -out star_$domain.crt

# generate the pem file for haproxy
cat star_$domain.key star_$domain.crt > star_$domain.pem

# you can rename star_my_domain.com.* star_my_domain_com.* if needed
Trust the CA

You have to add the ca on install-server and all the others servers, for Redhat systems:

cp ca.pem /etc/pki/ca-trust/source/anchors/
update-ca-trust

Configure HAProxy

The Spinal Stack loadbalancer class, allows the operator to enable SSL for the public facing API endpoints. It does work the same way for internal’s and admin’s one.

To enable SSL for a specific service, the loadbalancer.pp parameter named SERVICENAME_bind_options should contain [‘ssl’, ‘crt’, ‘/path/to/pem’].

So for example if one wants to set the nova api, to only accept SSL, I would set the following in the matching hiera file :

---
cloud::loadbalancer::nova_bind_options:
  - ssl
  - crt
  - /patch/to/pem

Configure Endpoints

Configuring the HAProy is just the first part of an SSL configuration. Keystone should also be aware to use https when talking to a specific interface. Hence, when registring the various services, the ‘https’ protocol should be specified for the various SSL aware services.

To tell Spinal Stack that nova should be contacted via ‘https’ on its publicUrl, apply the following configuration in your hiera file :

---
cloud::identity::ks_nova_public_proto: https

To tell Spinal Stack that nova should be contacted via ‘https’ on its internalUrl, apply the following configuration in your hiera file :

---
cloud::identity::ks_nova_internal_proto: https

To tell Spinal Stack that nova should be contacted via ‘https’ on its adminUrl, apply the following configuration in your hiera file :

---
cloud::identity::ks_nova_admin_proto: https

Note

Do not enable SSL for Nova Metadata API and Neutron Metadata Agent. This feature is not supported yet.