https://blueprints.launchpad.net/fuel/+spec/ssl-endpoints
OpenStack public endpoints that provide APIs on public networks need to operate over SSL. Also such components on master node like Nginx, Keystone, RabbitMQ needs to operate over SSL.
OpenStack services receive requests from public networks that are untrusted area. As the network path between the end-users and the OpenStack services is untrusted, encryption is required to ensure confidentiality.
We achieve this by implementing Secure Sockets Layer as recommended in the OpenStack security guide.
Fuel master node after installation also operates via unsecure protocols only. We can achieve more security using access to Fuel UI via SSL. There will be different certificates for OpenStack endpoints and Fuel Master node.
OpenStack services can be configured to use SSL/TLS libraries. We propose to modify the puppet manifests to be able to use SSL/TLS and HTTP services.
This blueprint will focus on HTTP services that provide API endpoints on public networks. The configuration of HAProxy will also be modified to enable SSL for Horizon. Endpoints used for management and other services like messaging will not be done in this blueprint.
We will use HAProxy and its support of SSL. The endpoints of public URLs will be configured with the IP or the name of the HAProxy. It will handle incoming SSL connections, decryption of the SSL and passing the unencrypted request to the corresponding service. That means that the communication between the proxy and the endpoints will not be encrypted.
Here is a schema of the encryption of the traffic paths:
- Between client and OpenStack services:
+-------+ +---------------------+ +------+ Client +----+ HTTPS +----+ public API endpoint +----+ HTTP | +-------+ +---------------------+ +--+---+ | v OSt service
- Between OpenStack services:
+------+ +-----------------------+ +------+ OSt service +---+ HTTP +---+ internal API endpoint +---+ HTTP | +------+ +-----------------------+ +--+---+ | v OSt service
It is recommended that an OpenStack service communicate to another OpenStack service by using the internal API endpoint. Fuel is following this best practice. If we find a service that is not using the management network to communicate with another one we should file a bug about this and reconfigure it to use the internal API endpoint.
Here are the different steps needed to implement SSL with public API endpoints:
Fuel master node should operate over SSL. To achieve this, we should point UI web server to operate over HTTPS. Also some master components like Nginx, Keystone, RabbitMQ can use SSL by default.
Enable SSL for all OpenStack services.
New fields in DB will be created, as user uploaded certificates should be stored there.
The management of certificate with the REST API is not in the scope of this specification.
If the updated environment does not use SSL before the update, it will not use SSL after the update.
In the same way we will not support downgrade from SSL to non-SSL.
By using SSL/TLS over HTTP services, we will be able to provide a secure system with authentication (but it is not the case currently since you need a certificate generated by a CA) and confidentiality.
We need to notify that deployment is done and so you need to open your Horizon at https:// instead of http://
We need to notify that a self-signed certificate is used for SSL encryption.
We also need to notify where the certificate that contains the public key that is used by client can be downloaded. It can be done by showing the link to the certificate in the UI. This certificate can be used by OpenStack clients.
We need to track certificate expiration date and show a pop-up with warning prior 1 month to certificate expiration.
SSL is disabled by default.
As we are using a self-signed certificate by default, if a user is using a web browser to query OpenStack services there will be a popup to warn that the certificate can not be trusted.
The SSL-overhead is generally small. The major cost of HTTPS is the SSL handshaking so depending the typical session length and the caching behavior of clients the overhead may be different. For very short sessions you can see performance issue.
The internal communication between services involves many API calls for small tasks and this is why we will not implement SSL endpoints for the management network. OpenStack services need to be configure properly.
OpenStack services will only use internal/admin URLs. Thus we must be sure that all services can communicate through the management network.
The work flow is to deploy the cluster with a self-signed certificate that was generated by astute at the creation of the cluster. This certificate must be stored somewhere on the fuel master node in /var/lib/fuel/keys/<env_number>/haproxy/haproxy.{crt,key,pem} with the root:root as an owner and u=rw,go-rwx for files containing provate key and u=rw,go=r for all other files. When the cluster is created, if it is available (it is not in the scope of this specification) the user can download its own certificate for the given VIP. If it cannot download it or don’t want to use another certificate then everything will work fine with the self-signed certificate.
OSTF team (health check team) is going to be affected by changing OpenStack endpoints.
Primary assignee: - sbogatkin
Feature Lead: - assignee of this blueprint
Mandatory Design Reviewers: - Mike Scherbatov
Developers: - Stanislaw Bogatkin
QA: Alexander Kurenyshev
Generate a certificate from Fuel that will be used for authentication. It can be self-signed.
We need to provide the possibility to the user to deactivate SSL if he doesn’t want to use the one generated by Fuel.
Install HAProxy and configure it to handle SSL connections and forward requests to the corresponding service.
Check that the following services are configured to use internal URL for communicating with other OpenStack services.
- ceilometer
- ceph
- cinder
- glance
- heat
- horizon
- keystone
- murano
- neutron
- nova
- sahara
- swift
If the user wants to use its own certificate we need to give him such opportunity. Also we should provide a document about how he can manually install his own certificate for SSL endpoints.
Generate SSL keypair for master node nginx and apply it. Plain HTTP mode should be retained for backward compatibility.
Build a new fuel ISO and test if the deployment corresponds to what is expected. Acceptance criteria: For Fuel Master node: 1. After deploy, UI should be accessible via both plain http on port 8000 and SSL https on port 8443
For OpenStack controllers HAProxy: 1. After deploy with enabled SSL for OpenStack services, all OpenStack services should be accessible via https public endpoints 2. After deploy with enabled SSL for Horizon, it should be accessible both on http and https for public endpoint. 3. CN name in certificate should match to public name passed thru UI if self-signed certificates option selected 4. Keypair data should match to data passed thru UI if user-uploaded certificates option selected
As we will generate a certificate to allow the usage of SSL for API public endpoints, we need to document how to get the certificate that contains the public key to identify the service if an end-user want to use a CLI (for example nova CLI) to interact with OpenStack services.
If the user wants to use its own certificate we need to describe where and how it can manually upload its certificate.
We need to add a warning that if she/he uploads a certificate, she/he must manage the expiration date of the certificate.