fuel-dev team mailing list archive
-
fuel-dev team
-
Mailing list archive
-
Message #01311
Re: How to manage and shared a self-signed certificate for OSt public endpoint?
Hi Sergii,
So just to rephrase, generated a self-signed certificate from the fuel
master with the correct CN for the VIP and distributed the certificate to
all HAProxy should be easy. Cool :). Otherwise I'm using HAProxy >= 1.5 and
this version will be generated by OSCI fuel team I guess. Securing the
backend traffic will be done as a second step I think.
Thanks for your confirmation.
On Tue, Jul 8, 2014 at 10:20 PM, Sergii Golovatiuk <sgolovatiuk@xxxxxxxxxxxx
> wrote:
> Hi Guillaume,
>
> The solution should be pretty straight forward. Fuel uses VIP under
> pacemaker control. Traffic goes through that VIP to HAProxy of active node.
> The rest nodes don't serve the traffic. Fuel doesn't use any kind of
> balancing. Recently, HAProxy 1.5 was released which introduces SSL
> termination. This allows you to use it to secure user<->VIP traffic.
> Additionally you may secure backend traffic though I think it's not so
> important.
>
> --
> Best regards,
> Sergii Golovatiuk,
> Skype #golserge
> IRC #holser
>
>
> On Tue, Jul 8, 2014 at 3:26 PM, Guillaume Thouvenin <thouveng@xxxxxxxxx>
> wrote:
>
>> Hi folks,
>>
>> I'm currently writing a specification to enable SSL for OSt public
>> endpoint [1]. I'm using HAProxy to manage SSL and I have a question when we
>> are in HA mode (I mean with more than one HAProxy). My first thought was to
>> generate a self-signed certificate with puppet and put this certificate on
>> the controller where it can be used by HAProxy. The problem is if we have
>> several HAProxy. In my scenario there will be several different
>> certificates. So another idea is to generate the self-signed certificate
>> from the fuel master (using the CN of the VIP) and then distribute it to
>> controller nodes through a mechanism like mcollective. Does it make sense
>> to you? Who can help me to find where this can be done into fuel?
>>
>> Thanks a lot for your help,
>> Best Regards,
>> Guillaume
>>
>> [1] https://review.openstack.org/#/c/102273/
>>
>> --
>> Mailing list: https://launchpad.net/~fuel-dev
>> Post to : fuel-dev@xxxxxxxxxxxxxxxxxxx
>> Unsubscribe : https://launchpad.net/~fuel-dev
>> More help : https://help.launchpad.net/ListHelp
>>
>>
>
References