Configure endpoints to use SSL natively or via proxy
Configure nova, cinder, glance, swift and neutron to use SSL
on the endpoints using either SSL natively or via a TLS proxy
using stud.
To enable SSL via proxy, in local.conf add:
ENABLED_SERVICES+=,tls-proxy
This will create a new test root CA, a subordinate CA and an SSL
server cert. It uses the value of hostname -f for the certificate
subject. The CA certificates are also added to the system CA bundle.
To enable SSL natively, in local.conf add:
USE_SSL=True
Native SSL by default will also use the devstack-generated root and
subordinate CA.
You can override this on a per-service basis by setting
<SERVICE>_SSL_CERT=/path/to/cert
<SERVICE>_SSL_KEY=/path/to/key
<SERVICE>_SSL_PATH=/path/to/ca
You should also set SERVICE_HOST to the FQDN of the host. This
value defaults to the host IP address.
Change-Id: I36fe56c063ca921131ad98439bd452cb135916ac
Closes-Bug: 1328226
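A small shell helper, added here as an example and not part of devstack, that applies the local.conf rules the commit message describes: tls-proxy versus USE_SSL, the per-service <SERVICE>_SSL_CERT/KEY/PATH overrides, and the requirement that SERVICE_HOST be an FQDN because the generated certificate subject is `hostname -f`. The default CA directory and the file names under it are assumed placeholders, not devstack's real layout.

```shell
#!/bin/sh
# Added example, not devstack's own code: resolve what a service gets from the
# local.conf variables this commit describes. DEFAULT_SSL_DIR and the file
# names under it are assumed placeholders, not devstack's real CA layout.
DEFAULT_SSL_DIR="${DEFAULT_SSL_DIR:-/path/to/devstack-ca}"

# is_enabled NAME: true if NAME is in the comma-separated ENABLED_SERVICES
is_enabled() {
    case ",${ENABLED_SERVICES}," in
        *",$1,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# ssl_mode: "proxy" (stud terminates TLS, service itself speaks http),
# "native" (the service terminates TLS) or "none"; proxy wins if both set
ssl_mode() {
    if is_enabled tls-proxy; then echo proxy
    elif [ "$USE_SSL" = "True" ]; then echo native
    else echo none
    fi
}

# ssl_setting SERVICE KIND (KIND = CERT|KEY|PATH): the per-service override
# <SERVICE>_SSL_<KIND> if set, otherwise the devstack-generated default
ssl_setting() {
    svc=$(printf '%s' "$1" | tr 'a-z' 'A-Z')
    var="${svc}_SSL_$2"
    # only [A-Z0-9_] may reach eval; anything else is rejected, not expanded
    case "$var" in *[!A-Z0-9_]*) echo "bad name: $1" >&2; return 1 ;; esac
    eval "val=\${$var:-}"
    if [ -n "$val" ]; then printf '%s\n' "$val"; return 0; fi
    case "$2" in
        CERT) printf '%s/%s.crt\n' "$DEFAULT_SSL_DIR" "$1" ;;
        KEY)  printf '%s/%s.key\n' "$DEFAULT_SSL_DIR" "$1" ;;
        PATH) printf '%s/ca-chain.pem\n' "$DEFAULT_SSL_DIR" ;;
        *)    return 1 ;;
    esac
}

# service_host_ok: the generated cert subject is `hostname -f`, so with SSL on
# a SERVICE_HOST left at its IP-address default can never match it
service_host_ok() {
    [ "$(ssl_mode)" = none ] && return 0
    case "$SERVICE_HOST" in
        *[!0-9.]*) return 0 ;;   # has letters: treat as a hostname/FQDN
        *)         return 1 ;;   # dotted quad or empty: will not match cert
    esac
}
```

Source it from a shell with the same variables your local.conf sets, then call `ssl_setting nova CERT` or `service_host_ok` before running stack.sh.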
# start_keystone() - Start running processes, including screen
496
521
function start_keystone {
497
522
# Get right service port for testing
498
523
local service_port=$KEYSTONE_SERVICE_PORT
524
+
local auth_protocol=$KEYSTONE_AUTH_PROTOCOL
499
525
if is_service_enabled tls-proxy; then
500
526
service_port=$KEYSTONE_SERVICE_PORT_INT
527
+
auth_protocol="http"
501
528
fi
502
529
503
530
if [ "$KEYSTONE_USE_MOD_WSGI" == "True" ]; then
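Review bot: the new `local auth_protocol=$KEYSTONE_AUTH_PROTOCOL` is initialised from the auth-port protocol, but the only place it is used in this function is the readiness check against `$KEYSTONE_SERVICE_PORT` (the service port, not the auth port); if the two ports can be configured independently the check should take the service port's protocol, and either way a one-line comment saying why the auth protocol is the right choice here would help the next reader. The tls-proxy branch forcing `auth_protocol="http"` is correct for the internal port, since stud terminates TLS in front of it.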
@@ -514,7 +541,7 @@ function start_keystone {
514
541
# Check that the keystone service is running. Even if the tls tunnel
515
542
# should be enabled, make sure the internal port is checked using
516
543
# unencryted traffic at this point.
517
-
if ! timeout $SERVICE_TIMEOUT sh -c "while ! curl --noproxy '*' -k -s http://$KEYSTONE_SERVICE_HOST:$service_port/v$IDENTITY_API_VERSION/ >/dev/null; do sleep 1; done"; then
544
+
if ! timeout $SERVICE_TIMEOUT sh -c "while ! curl --noproxy '*' -k -s $auth_protocol://$KEYSTONE_SERVICE_HOST:$service_port/v$IDENTITY_API_VERSION/ >/dev/null; do sleep 1; done"; then
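Review bot: the comment block just above this line ("Even if the tls tunnel should be enabled, make sure the internal port is checked using unencryted traffic at this point") is now stale: with native SSL and no tls-proxy, `$auth_protocol` is https and this curl talks TLS to the service port, so the comment should describe both cases (and "unencryted" can be fixed while it is being touched). Also, `curl ... -k` is kept on the new line, so in the https case the readiness check accepts any certificate; the commit message says the generated CA is added to the system bundle, so consider dropping `-k` or commenting that this is a liveness probe only and that certificate validation is deliberately not exercised here.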