Adds support to the 'kolla-ansible certificates' command for generating
certificates for libvirt TLS, when libvirt_tls is true. The same
certificate and key are used for the libvirt client and server.
The certificates use the same root CA as the other generated
certificates, and are written to
{{ node_custom_config }}/nova/nova-libvirt/, ready to be picked up by
nova-libvirt and nova-compute.
Change-Id: I1bde9fa018f66037aec82dc74c61ad1f477a7c12
This change adds support for encryption of communication between
OpenStack services and RabbitMQ. Server certificates are supported, but
currently client certificates are not.
The kolla-ansible certificates command has been updated to support
generating certificates for RabbitMQ for development and testing.
RabbitMQ TLS is enabled in the all-in-one source CI jobs, or when
The Zuul 'tls_enabled' variable is true.
Change-Id: I4f1d04150fb2b5af085b762890092f87ae6076b5
Implements: blueprint message-queue-ssl-support
This patch introduces an optional backend encryption for Keystone
service. When used in conjunction with enabling TLS for service API
endpoints, network communcation will be encrypted end to end, from
client through HAProxy to the Keystone service.
Change-Id: I6351147ddaff8b2ae629179a9bc3bae2ebac9519
Partially-Implements: blueprint add-ssl-internal-network
when run command "kolla-ansible -i multinode certificates",
the certificates file will generated in all nodes, it is
unnecessary, this ps to make it in deploy node.
Change-Id: I3e98ab498eeec3e6b8f170dd29c95f7ff9dbd6c0
Working towards the blueprint that will add TLS protection
for the external endpoints, kolla needs certificates.
When kolla deploys OpenStack, the external VIP will need
a server side certifcate. Clients that access those endpoints will
need the public CA certificate that signed that certificate.
This ansible script will create these two certificates to make
it easy to use TLS in a test environment. The generated
certificate files are:
/etc/kolla/certificates/haproxy.pem (server side certificate)
/etc/kolla/certificates/haproxy-ca.pem (CA certificate)
The generated certificates are not suitable for use in a
production environment, but will be useful for testing and
verifying operations.
Partially-implements: blueprint ssl-kolla
Change-Id: I208777f9e5eee3bfb06810c7b18a2727beda234d