fuel-dev team mailing list archive

Re: How to manage and share a self-signed certificate for OSt public endpoint?

 

Hi Guillaume,

The solution should be pretty straightforward. Fuel uses a VIP under
pacemaker control. Traffic goes through that VIP to the HAProxy of the active node.
The rest of the nodes don't serve the traffic. Fuel doesn't use any kind of
balancing. Recently, HAProxy 1.5 was released, which introduces SSL
termination. This allows you to use it to secure user<->VIP traffic.
Additionally you may secure backend traffic, though I think it's not so
important.

--
Best regards,
Sergii Golovatiuk,
Skype #golserge
IRC #holser


On Tue, Jul 8, 2014 at 3:26 PM, Guillaume Thouvenin <thouveng@xxxxxxxxx>
wrote:

> Hi folks,
>
>  I'm currently writing a specification to enable SSL for OSt public
> endpoint [1]. I'm using HAProxy to manage SSL and I have a question when we
> are in HA mode (I mean with more than one HAProxy). My first thought was to
> generate a self-signed certificate with puppet and put this certificate on
> the controller where it can be used by HAProxy. The problem is if we have
> several HAProxy. In my scenario there will be several different
> certificates. So another idea is to generate the self-signed certificate
> from the fuel master (using the CN of the VIP) and then distribute it to
> controller nodes through a mechanism like mcollective. Does it make sense
> to you? Who can help me to find where this can be done in Fuel?
>
> Thanks a lot for your help,
> Best Regards,
> Guillaume
>
> [1] https://review.openstack.org/#/c/102273/
>
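
The approach discussed in this thread (one self-signed certificate issued for the VIP and copied unchanged to every controller) can be sketched as follows. This is an added example, not code from the thread or from Fuel; the VIP is assumed to be an IP address, and the function names and the file path in the comment are constructed for illustration.

```shell
#!/bin/sh
# Added example. Names and paths are placeholders, not Fuel's own.

# make_vip_pem VIP OUT_PEM
# Issue ONE self-signed certificate with CN and subjectAltName set to the VIP
# and write certificate + key into the single PEM file that HAProxy 1.5 loads
# with:  bind <VIP>:443 ssl crt /etc/haproxy/vip.pem   (path is an assumption)
make_vip_pem() {
    vip=$1 out=$2
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/req.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3
prompt = no
[dn]
CN = $vip
[v3]
subjectAltName = IP:$vip
basicConstraints = CA:FALSE
EOF
    # umask 077 keeps the private key unreadable to other local users.
    ( umask 077
      openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
          -config "$tmp/req.cnf" -keyout "$tmp/key.pem" \
          -out "$tmp/crt.pem" 2>/dev/null &&
      cat "$tmp/crt.pem" "$tmp/key.pem" > "$out" )
    rc=$?
    rm -rf "$tmp"
    return $rc
}

# cert_cn PEM: print the subject CN (handles old and new openssl output).
cert_cn() {
    openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *//'
}

# cert_fingerprint PEM: print the SHA-256 fingerprint of the certificate.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# same_cert A B: succeed only if both files carry the identical certificate.
# Run after distribution to confirm no controller generated its own copy.
same_cert() {
    a=$(cert_fingerprint "$1"); b=$(cert_fingerprint "$2")
    [ -n "$a" ] && [ "$a" = "$b" ]
}
```

Generating the file once on the master and comparing fingerprints on each controller catches the failure mode raised in the question, where each HAProxy node ends up presenting a different certificate after a VIP failover.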
