I am for 2nd option for 7.0 and for 3rd for 8.0 But I would suggest that we add an option to astute.yaml that a user can set to true to force ssl and then he will need to install updated nailgun-agent for older environments. In this case user will do this concisely, knowing about potential caveats of forcing SSL.
On Tue, Aug 4, 2015 at 1:45 PM, Evgeniy L <[email protected]> wrote: > Hi, > > +1 to 2nd solution, in this case old environments will work without > additional > actions. Agents for new environments, CLI and UI will use SSL. > But probably for UI we will have to perform redirect on JS level. > > Thanks, > > On Tue, Aug 4, 2015 at 1:32 PM, Stanislaw Bogatkin <[email protected] > > wrote: > >> Hi guys, >> in overall movement of Fuel to use secure sockets we think about wrapping >> master node UI and API calls to SSL. But there are next caveat: >> >> a) fuel-nailgun-agent cannot work via SSL now and need to be rewritten a >> little. But if it will be rewritten in 7.0 and HTTPS on master node will be >> forced by default, it will break upgrade from previous releases to 7.0 due >> fact that after master node upgrade from 6.1 to 7.0 we will have HTTPS by >> default and fuel-nailgun-agent on all environments won't upgraded, so it >> won't be able to connect to master node after upgrade. It breaks seamless >> upgrade procedure. >> >> What options I see there: >> 1. We can forcedly enable SSL for master node and rewrite clients in 7.0 >> to be able to work over it. In release notes for 7.0 we will write >> forewarning that clients which want to upgrade master node from previous >> releases to 7.0 must also install new fuel-nailgun-agent to all nodes in >> all deployed environments. >> >> 2. We can have both SSL and non-SSL versions enabled by default and >> rewrite fuel-nailgun-client in 7.0 such way that it will check SSL >> availability and be able to work in plain HTTP for legacy mode. So, for all >> new environments SSL will be used by default and for old ones plain HTTP >> will continue to work too. Master node upgrade will not be broken in this >> case. >> >> 3. We can do some mixed way by gradually rewrite fuel-nailgun-client, >> save both HTTP and HTTPS for master node in 7.0 and drop plain HTTP in next >> releases. It is just postponed version of first clause, so it doesn't seems >> valid for me, actually. >> >> I would be really glad to hear what you think about this. Thank you in >> advance. >> >> __________________________________________________________________________ >> OpenStack Development Mailing List (not for usage questions) >> Unsubscribe: >> [email protected]?subject:unsubscribe >> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev >> >> > > __________________________________________________________________________ > OpenStack Development Mailing List (not for usage questions) > Unsubscribe: [email protected]?subject:unsubscribe > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev > > -- Yours Faithfully, Vladimir Kuklin, Fuel Library Tech Lead, Mirantis, Inc. +7 (495) 640-49-04 +7 (926) 702-39-68 Skype kuklinvv 35bk3, Vorontsovskaya Str. Moscow, Russia, www.mirantis.com <http://www.mirantis.ru/> www.mirantis.ru [email protected]
__________________________________________________________________________ OpenStack Development Mailing List (not for usage questions) Unsubscribe: [email protected]?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
