HTTPS support for sahara-api
Most OpenStack services support running server supporting HTTPS connections.
Sahara must support such way too.
There are two common ways to enable HTTPS for the OpenStack service:
- TLS proxy. Proxy communicates with user via HTTPS and redirects all
requests to service via unsecured HTTP. Keystone is configured to point
on HTTPS port. Internal port is usually closed for outside using firewall.
No additional work to support HTTPS required on service side.
- Native support. Service can be configured to expect HTTPS connections. In
this case service handles all security aspects by itself.
Most OpenStack services support both types of enabling SSL. Sahara currently
can be secured only using TLS proxy.
Add ability to Sahara API to listen on HTTPS port.
Currently there is no unified way for OpenStack services to work with HTTPS.
Process of unification started with sslutils module in oslo-incubator. Sahara
could use this module to be on the same page with other services.
Copy-paste SSL-related code from other OpenStack project.
Other end user impact
- python-saharaclient should support SSL-related options
One more option to consider.
Sahara-dashboard / Horizon impact
Add SSL-related parameters to pass to python client.
- Primary assignee:
- alazarev (Andrew Lazarev)
- Other contributors:
- Implement feature in Sahara
- Import sslutils
- Configure WSGI server to HTTPS
- Add support to python-saharaclient
- Add support to devstack
- Add documentation
- sslutils module from oslo-incubator
Devstack doesn’t have HTTPS testing for now. It looks like manual testing is
the only option.
Need to be documented.