MicroStack Ussuri (242), can we disable TLS?

chris.asl · 30 November 2021 15:27

Hello,

We’re were using MicroStack Ussuri version 233 and we’ve updated to 242.
It seems that after this commit https://opendev.org/x/microstack/commit/064aae84589c8355dd283b6ce701c35a43d67c46 the OpenStack API endpoints are authenticated via self-signed TLS (SSL) certificates.

My question is since we’re deploying MicroStack on our workstations and developing against its API, is there any way to disable TLS verification (and communicate via HTTP)?

If this is not supported, then I presume we can use our own signed certificates by disabling the configuration flag config.tls.generate-self-signed and pointing to the proper CA cert, our cert and private key. Is this correct?

Thank you in advance!

pmatulis · 30 November 2021 19:20

Hi Chris,

The message of the commit you referenced includes the information you’re looking for. The documentation will soon be updated accordingly. Thank you for pointing that out.

Disable TLS:

config.tls.generate-cert=false

Enable TLS with self-signed certificate (default settings):

config.tls.generate-cert=true
config.tls.generate-self-signed=true

Enable TLS with a local certificate:

config.tls.generate-cert=true
config.tls.generate-self-signed=false
config.tls.cacert-path=XXX
config.tls.cert-path=YYY
config.tls.key-path=ZZZ

chris.asl · 30 November 2021 19:52

Thank you for the prompt reply @pmatulis!

I think I’m missing something because option config.tls.generate-cert is not on MicroStack sources.

I’ve checked out locally the latest master revision (via https://opendev.org/x/microstack/) and grepped for this configuration and found no results:

$ ag -aQ "config.tls.generate"
tools/init/init/questions/__init__.py
351:    config_key = 'config.tls.generate-self-signed'

tools/cluster/cluster/add_compute.py
38:    if config_get('config.tls.generate-self-signed'):

tools/cluster/cluster/daemon.py
220:            if config_get('config.tls.generate-self-signed'):

tools/cluster/cluster/client.py
140:    shell.config_set(**{'config.tls.generate-self-signed': False})

snap-overlay/bin/set-default-config.py
79:        'config.tls.generate-self-signed': True,

snap-overlay/snap-openstack.yaml
135:    tls_generate_self_signed: 'config.tls.generate-self-signed'

Is there something I am missing?

pmatulis · 30 November 2021 20:16

Apologies, that commit message has an error in it. In fact, TLS is enforced and cannot be disabled.

chris.asl · 1 December 2021 09:52

I see @pmatulis, thank you very much for your prompt reply!