Chapter 15. Enabling SSL/TLS on internal and public endpoints with Identity Management
You can enable SSL/TLS on certain overcloud endpoints. Due to the number of certificates required, director integrates with a Red Hat Identity Management (IdM) server to act as a certificate authority and manage the overcloud certificates.
To check the status of TLS support across the OpenStack components, refer to the TLS Enablement status matrix.
15.1. Identity Management (IdM) server recommendations for OpenStack
Red Hat provides the following information to help you integrate your IdM server and OpenStack environment.
For information on preparing Red Hat Enterprise Linux for an IdM installation, see Installing Identity Management.
Run the ipa-server-install
command to install and configure IdM. You can use command parameters to skip interactive prompts. Use the following recommendations so that your IdM server can integrate with your Red Hat OpenStack Platform environment:
Option | Recommendation |
---|---|
| Note the value you provide. You will need this password when configuring Red Hat OpenStack Platform to work with IdM. |
| Note the value you provide. The undercloud and overcloud nodes require network access to this ip address. |
| Use this option to install an integrated DNS service on the IdM server. The undercloud and overcloud nodes use the IdM server for domain name resolution. |
|
Use this option to use the addresses in |
| Use this option to resolve reverse records and zones for the IdM server IP addresses. If neither reverse records or zones are resolvable, IdM creates the reverse zones. This simplifies the IdM deployment. |
| You can use both or either of these options to configure your NTP source. Both the IdM server and your OpenStack environment must have correct and synchronized time. |
You must open the firewall ports required by IdM to enable communication with Red Hat OpenStack Platform nodes. For more information, see Opening the ports required by IdM.
Additional resources
15.2. Implementing TLS-e with Ansible
You can use the new tripleo-ipa
method to enable SSL/TLS on overcloud endpoints, called TLS everywhere (TLS-e). Due to the number of certificates required, Red Hat OpenStack Platform integrates with Red Hat Identity management (IdM). When you use tripleo-ipa
to configure TLS-e, IdM is the certificate authority.
Prerequisites
Ensure that all configuration steps for the undercloud, such as the creation of the stack user, are complete. For more details, see Director Installation and Usage for more details
Procedure
Use the following procedure to implement TLS-e on a new installation of Red Hat OpenStack Platform, or an existing deployment that you want to configure with TLS-e. You must use this method if you deploy Red Hat OpenStack Platform with TLS-e on pre-provisioned nodes.
If you are implementing TLS-e for an existing environment, you are required to run commands such as openstack undercloud install
, and openstack overcloud deploy
. These procedures are idempotent and only adjust your existing deployment configuration to match updated templates and configuration files.
Configure the
/etc/resolv.conf
file:Set the appropriate search domains and the nameserver on the undercloud in
/etc/resolv.conf
. For example, if the deployment domain isexample.com
, and the domain of the FreeIPA server isbigcorp.com
, then add the following lines to /etc/resolv.conf:search example.com bigcorp.com nameserver $IDM_SERVER_IP_ADDR
Install required software:
sudo dnf install -y python3-ipalib python3-ipaclient krb5-devel
Export environmental variables with values specific to your environment.:
export IPA_DOMAIN=bigcorp.com export IPA_REALM=BIGCORP.COM export IPA_ADMIN_USER=$IPA_USER 1 export IPA_ADMIN_PASSWORD=$IPA_PASSWORD 2 export IPA_SERVER_HOSTNAME=ipa.bigcorp.com export UNDERCLOUD_FQDN=undercloud.example.com 3 export USER=stack export CLOUD_DOMAIN=example.com
Run the
undercloud-ipa-install.yaml
ansible playbook on the undercloud:ansible-playbook \ --ssh-extra-args "-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null" \ /usr/share/ansible/tripleo-playbooks/undercloud-ipa-install.yaml
Add the following parameters to undercloud.conf
undercloud_nameservers = $IDM_SERVER_IP_ADDR overcloud_domain_name = example.com
[Optional] If your IPA realm does not match your IPA domain, set the value of the
certmonger_krb_realm
parameter:Set the value of the
certmonger_krb_realm
in/home/stack/hiera_override.yaml
:parameter_defaults: certmonger_krb_realm: EXAMPLE.COMPANY.COM
Set the value of the
custom_env_files
parameter inundercloud.conf
to/home/stack/hiera_override.yaml
:custom_env_files = /home/stack/hiera_override.yaml
Deploy the undercloud:
openstack undercloud install
Verification
Verify that the undercloud was enrolled correctly by completing the following steps:
List the hosts in IdM:
$ kinit admin $ ipa host-find
Confirm that
/etc/novajoin/krb5.keytab
exists on the undercloud.ls /etc/novajoin/krb5.keytab
The novajoin
directory name is for legacy naming purposes only.
Configuring TLS-e on the overcloud
When you deploy the overcloud with TLS everywhere (TLS-e), IP addresses from the Undercloud and Overcloud will automatically be registered with IdM.
Before deploying the overcloud, create a YAML file
tls-parameters.yaml
with contents similar to the following. The values you select will be specific for your environment:parameter_defaults: DnsSearchDomains: ["example.com"] DnsServers: ["192.168.1.13"] CloudDomain: example.com CloudName: overcloud.example.com CloudNameInternal: overcloud.internalapi.example.com CloudNameStorage: overcloud.storage.example.com CloudNameStorageManagement: overcloud.storagemgmt.example.com CloudNameCtlplane: overcloud.ctlplane.example.com IdMServer: freeipa-0.redhat.local IdMDomain: redhat.local IdMInstallClientPackages: False resource_registry: OS::TripleO::Services::IpaClient: /usr/share/openstack-tripleo-heat-templates/deployment/ipa/ipaservices-baremetal-ansible.yaml
-
The shown value of the
OS::TripleO::Services::IpaClient
parameter overrides the default setting in theenable-internal-tls.yaml
file. You must ensure thetls-parameters.yaml
file followsenable-internal-tls.yaml
in theopenstack overcloud deploy
command.
-
The shown value of the
[Optional] If your IPA realm does not match your IPA domain, you must also include value of the
CertmongerKerberosRealm
parameter in thetls-parameters.yaml
file:CertmongerKerberosRealm: EXAMPLE.COMPANY.COM
Deploy the overcloud. You will need to include the tls-parameters.yaml in the deployment command:
DEFAULT_TEMPLATES=/usr/share/openstack-tripleo-heat-templates/ CUSTOM_TEMPLATES=/home/stack/templates openstack overcloud deploy \ -e ${DEFAULT_TEMPLATES}/environments/ssl/tls-everywhere-endpoints-dns.yaml \ -e ${DEFAULT_TEMPLATES}/environments/services/haproxy-public-tls-certmonger.yaml \ -e ${DEFAULT_TEMPLATES}/environments/ssl/enable-internal-tls.yaml \ -e ${CUSTOM_TEMPLATES}/tls-parameters.yaml \ ...
Confirm each endpoint is using HTTPS by querying keystone for a list of endpoints:
openstack endpoint list
15.3. Enrolling nodes in Red Hat Identity Manager (IdM) with novajoin
Novajoin is the default tool that you use to enroll your nodes with Red Hat Identity Manager (IdM) as part of the deployment process. Red Hat recommends the new ansible-based tripleo-ipa
solution over the default novajoin
solution to configure your undercloud and overcloud with TLS-e. For more information see Implementing TLS-e with Ansible.
You must perform the enrollment process before you proceed with the rest of the IdM integration. The enrollment process includes the following steps:
- Adding the undercloud node to the certificate authority (CA)
- Adding the undercloud node to IdM
- Optional: Setting the IdM server as the DNS server for the overcloud
- Preparing the environment files and deploying the overcloud
- Testing the overcloud enrollment in IdM and in RHOSP
- Optional: Adding DNS entries for novajoin in IdM
IdM enrollment with novajoin is currently only available for the undercloud and overcloud nodes. Novajoin integration for overcloud instances is expected to be supported in a later release.
15.4. Adding the undercloud node to the certificate authority
Before you deploy the overcloud, add the undercloud to the certificate authority (CA) by installing the python3-novajoin
package on the undercloud node and running the novajoin-ipa-setup
script.
Procedure
On the undercloud node, install the
python3-novajoin
package:$ sudo dnf install python3-novajoin
On the undercloud node, run the
novajoin-ipa-setup
script, and adjust the values to suit your deployment:$ sudo /usr/libexec/novajoin-ipa-setup \ --principal admin \ --password <IdM admin password> \ --server <IdM server hostname> \ --realm <realm> \ --domain <overcloud cloud domain> \ --hostname <undercloud hostname> \ --precreate
Use the resulting One-Time Password (OTP) to enroll the undercloud.
15.5. Adding the undercloud node to Red Hat Identity Manager (IdM)
After you add the undercloud node to the certificate authority (CA), register the undercloud with IdM and configure novajoin. Configure the following settings in the [DEFAULT]
section of the undercloud.conf
file.
Procedure
Enable the
novajoin
service:[DEFAULT] enable_novajoin = true
Set a One-Time Password (OTP) so that you can register the undercloud node with IdM:
ipa_otp = <otp>
Set the overcloud’s domain name to be served by neutron’s DHCP server:
overcloud_domain_name = <domain>
Set the hostname for the undercloud:
undercloud_hostname = <undercloud FQDN>
Set IdM as the nameserver for the undercloud:
undercloud_nameservers = <IdM IP>
For larger environments, review the novajoin connection timeout values. In the
undercloud.conf
file, add a reference to a new file calledundercloud-timeout.yaml
:hieradata_override = /home/stack/undercloud-timeout.yaml
Add the following options to
undercloud-timeout.yaml
. You can specify the timeout value in seconds, for example,5
:nova::api::vendordata_dynamic_connect_timeout: <timeout value> nova::api::vendordata_dynamic_read_timeout: <timeout value>
Optional: If you want the local openSSL certificate authority to generate the SSL certificates for the public endpoints in director, set the
generate_service_certificate
parameter totrue
:generate_service_certificate = true
-
Save the
undercloud.conf
file. Run the undercloud deployment command to apply the changes to your existing undercloud:
$ openstack undercloud install
Verification
Verify that the undercloud was enrolled correctly by completing the following steps:
List the hosts in IdM:
$ kinit admin $ ipa host-find
Confirm that
/etc/novajoin/krb5.keytab
exists on the undercloud.ls /etc/novajoin/krb5.keytab
15.6. Setting Red Hat Identity Manager (IdM) as the DNS server for the overcloud
To enable automatic detection of your IdM environment and easier enrollment, set IdM as your DNS server. This procedure is optional but recommended.
Procedure
Connect to your undercloud:
$ source ~/stackrc
Configure the control plane subnet to use IdM as the DNS name server:
$ openstack subnet set ctlplane-subnet --dns-nameserver <idm_server_address>
Set the
DnsServers
parameter in an environment file to use your IdM server:parameter_defaults: DnsServers: ["<idm_server_address>"]
This parameter is usually defined in a custom
network-environment.yaml
file.
15.7. Preparing environment files and deploying the overcloud with novajoin enrollment
To deploy the overcloud with IdM integration, you create and edit environment files to configure the overcloud to use the custom domain parameters CloudDomain
and CloudName
based on the domains that you define in the overcloud. You then deploy the overcloud with all the environment files and any additional environment files that you need for the deployment.
Procedure
Create a copy of the
/usr/share/openstack-tripleo-heat-templates/environments/predictable-placement/custom-domain.yaml
environment file:$ cp /usr/share/openstack-tripleo-heat-templates/environments/predictable-placement/custom-domain.yaml \ /home/stack/templates/custom-domain.yaml
Edit the
/home/stack/templates/custom-domain.yaml
environment file and set theCloudDomain
andCloudName*
values to suit your deployment:parameter_defaults: CloudDomain: lab.local CloudName: overcloud.lab.local CloudNameInternal: overcloud.internalapi.lab.local CloudNameStorage: overcloud.storage.lab.local CloudNameStorageManagement: overcloud.storagemgmt.lab.local CloudNameCtlplane: overcloud.ctlplane.lab.local
Choose the implementation of TLS appropriate for your environment:
Use the
enable-tls.yaml
environment file to protect external endpoints with your custom certificate:-
Copy
/usr/share/openstack-tripleo-heat-templates/environments/ssl/enable-tls.yaml
to/home/stack/templates
. -
Modify the
/home/stack/enable-tls.yaml
environment file to include your custom certificate and key. Include the following environment files in your deployment to protect internal and external endpoints:
- enable-internal-tls.yaml
- tls-every-endpoints-dns.yaml
- custom-domain.yaml
enable-tls.yaml
openstack overcloud deploy \ --templates \ -e /usr/share/openstack-tripleo-heat-templates/environments/ssl/enable-internal-tls.yaml \ -e /usr/share/openstack-tripleo-heat-templates/environments/ssl/tls-everywhere-endpoints-dns.yaml \ -e /home/stack/templates/custom-domain.yaml \ -e /home/stack/templates/enable-tls.yaml
-
Copy
Use the
haproxy-public-tls-certmonger.yaml
environment file to protect external endpoints with an IdM issued certificate. For this implementation, you must create DNS entries for the VIP endpoints used by novajoin:You must create DNS entries for the VIP endpoints used by novajoin. Identify the overcloud networks located in your custom
network-environment.yaml file in `/home/stack/templates
:parameter_defaults: ControlPlaneDefaultRoute: 192.168.24.1 ExternalAllocationPools: - end: 10.0.0.149 start: 10.0.0.101 InternalApiAllocationPools: - end: 172.17.1.149 start: 172.17.1.10 StorageAllocationPools: - end: 172.17.3.149 start: 172.17.3.10 StorageMgmtAllocationPools: - end: 172.17.4.149 start: 172.17.4.10
Create a list of virtual IP addresses for each overcloud network in a heat template, for example,
/home/stack/public_vip.yaml
.parameter_defaults: ControlFixedIPs: [{'ip_address':'192.168.24.101'}] PublicVirtualFixedIPs: [{'ip_address':'10.0.0.101'}] InternalApiVirtualFixedIPs: [{'ip_address':'172.17.1.101'}] StorageVirtualFixedIPs: [{'ip_address':'172.17.3.101'}] StorageMgmtVirtualFixedIPs: [{'ip_address':'172.17.4.101'}] RedisVirtualFixedIPs: [{'ip_address':'172.17.1.102'}]
Add DNS entries to the IdM for each of the VIPs, and zones as needed:
ipa dnsrecord-add lab.local overcloud --a-rec 10.0.0.101 ipa dnszone-add ctlplane.lab.local ipa dnsrecord-add ctlplane.lab.local overcloud --a-rec 192.168.24.101 ipa dnszone-add internalapi.lab.local ipa dnsrecord-add internalapi.lab.local overcloud --a-rec 172.17.1.101 ipa dnszone-add storage.lab.local ipa dnsrecord-add storage.lab.local overcloud --a-rec 172.17.3.101 ipa dnszone-add storagemgmt.lab.local ipa dnsrecord-add storagemgmt.lab.local overcloud --a-rec 172.17.4.101
Include the following environment files in your deployment to protect internal and external endpoints:
- enable-internal-tls.yaml
- tls-everywhere-endpoints-dns.yaml
- haproxy-public-tls-certmonger.yaml
- custom-domain.yaml
public_vip.yaml
openstack overcloud deploy \ --templates \ -e /usr/share/openstack-tripleo-heat-templates/environments/ssl/enable-internal-tls.yaml \ -e /usr/share/openstack-tripleo-heat-templates/environments/ssl/tls-everywhere-endpoints-dns.yaml \ -e /usr/share/openstack-tripleo-heat-templates/environments/services/haproxy-public-tls-certmonger.yaml \ -e /home/stack/templates/custom-domain.yaml \ -e /home/stack/templates/public-vip.yaml
You cannot use novajoin to implement TLS everywhere (TLS-e) on a pre-existing deployment.
Additional resources