Home
Products
Red Hat OpenStack Platform
16.2
RHOSP director Operator for OpenShift Container Platform
Chapter 12. Deploying TLS for public endpoints using director Operator

Chapter 12. Deploying TLS for public endpoints using director Operator

Deploy the overcloud using TLS to create public endpoint IPs or DNS names for RHOSP Director Operator.

Prerequisites

Your OpenShift Container Platform cluster is operational.
You have installed director Operator correctly.
You have installed the oc command line tool on your workstation.

12.1. TLS for public endpoint IP addresses
Copy link

To reference public endpoint IP addresses, add certificates to the openstackclient pod.

Prerequisites

Create the certificate authority, key, and certificate using the procedure: Enabling SSL/TLS on overcloud public endpoints.

Procedure

Create a ConfigMap to store the CA certificates. The ConfigMap is the interface used to add CA certificates to the openstackclient pod, using the OpenStackControlPlane object:

apiVersion: v1
kind: ConfigMap
metadata:
  name: cacerts
  namespace: openstack
data:
 local_CA: |
    -----BEGIN CERTIFICATE-----
    …
   -----END CERTIFICATE-----
  another_CA: |
    -----BEGIN CERTIFICATE-----
    …
   -----END CERTIFICATE-----

apiVersion: v1
kind: ConfigMap
metadata:
  name: cacerts
  namespace: openstack
data:
 local_CA: |
    -----BEGIN CERTIFICATE-----
    …
   -----END CERTIFICATE-----
  another_CA: |
    -----BEGIN CERTIFICATE-----
    …
   -----END CERTIFICATE-----

Copy to Clipboard

Toggle word wrap

Create the OpenStackControlPlane and reference the ConfigMap:

apiVersion: osp-director.openstack.org/v1beta2
kind: OpenStackControlPlane
metadata:
  name: <overcloud>
  namespace: openstack
spec:
  caConfigMap: cacerts

apiVersion: osp-director.openstack.org/v1beta2
kind: OpenStackControlPlane
metadata:
  name: <overcloud>
  namespace: openstack
spec:
  caConfigMap: cacerts

Copy to Clipboard

Toggle word wrap

Replace <overcloud> with the name of your stack.

In the ~/custom_environment_files directory create a file called tls-certs.yaml containing the generated certificates for the deployment using SSLCertificate, SSLIntermediateCertificate, SSLKey, and CAMap parameters.
Note
For more information on creating a certificate file, see Enabling SSL/TLS.

Update the heatEnvConfigMap to add the tls-certs.yaml file:

oc create configmap -n openstack heat-env-config --from-file=~/custom_environment_files/ --dry-run=client -o yaml | oc apply -f -

$ oc create configmap -n openstack heat-env-config --from-file=~/custom_environment_files/ --dry-run=client -o yaml | oc apply -f -

Copy to Clipboard

Toggle word wrap

Create an OpenStackConfigGenerator and add the required heatEnvs configuration files to configure TLS for public endpoint IPs:

apiVersion: osp-director.openstack.org/v1beta1
kind: OpenStackConfigGenerator
…
spec:
  …
  heatEnvs:
    - ssl/tls-endpoints-public-ip.yaml
    - ssl/enable-tls.yaml
  …
  heatEnvConfigMap: heat-env-config
  tarballConfigMap: tripleo-tarball-config

apiVersion: osp-director.openstack.org/v1beta1
kind: OpenStackConfigGenerator
…
spec:
  …
  heatEnvs:
    - ssl/tls-endpoints-public-ip.yaml
    - ssl/enable-tls.yaml
  …
  heatEnvConfigMap: heat-env-config
  tarballConfigMap: tripleo-tarball-config

Copy to Clipboard

Toggle word wrap

The OpenStackConfigGenerator and a new OpenStackConfigVersion are created, run the Ansible playbooks against the overcloud using the OpenStackDeploy resource:

12.2. TLS for public endpoint DNS names
Copy link

To reference public endpoint DNS names add certificates to the openstackclient pod.

Prerequisites

Create the certificate authority, key, and certificate following the procedure in, Enabling SSL/TLS on overcloud public endpoints.

Procedure

Create a ConfigMap to store the CA certificates. The ConfigMap is the interface used to add additional CA certificates to the openstackclient pod, using the OpenStackControlPlane object:

apiVersion: v1
kind: ConfigMap
metadata:
  name: cacerts
  namespace: openstack
data:
 local_CA: |
    -----BEGIN CERTIFICATE-----
    …
   -----END CERTIFICATE-----
  another_CA: |
    -----BEGIN CERTIFICATE-----
    …
   -----END CERTIFICATE-----

apiVersion: v1
kind: ConfigMap
metadata:
  name: cacerts
  namespace: openstack
data:
 local_CA: |
    -----BEGIN CERTIFICATE-----
    …
   -----END CERTIFICATE-----
  another_CA: |
    -----BEGIN CERTIFICATE-----
    …
   -----END CERTIFICATE-----

Copy to Clipboard

Toggle word wrap

Create the OpenStackControlPlane and reference the ConfigMap:

apiVersion: osp-director.openstack.org/v1beta2
kind: OpenStackControlPlane
metadata:
  name: <overcloud>
  namespace: openstack
spec:
  caConfigMap: cacerts

apiVersion: osp-director.openstack.org/v1beta2
kind: OpenStackControlPlane
metadata:
  name: <overcloud>
  namespace: openstack
spec:
  caConfigMap: cacerts

Copy to Clipboard

Toggle word wrap

Replace <overcloud> with the name of your stack.

In the ~/custom_environment_files directory create a file called tls-certs.yaml containing the generated certificates for the deployment using SSLCertificate, SSLIntermediateCertificate, SSLKey, and CAMap parameters.
Note
For more information on creating a certificate file, see Enabling SSL/TLS.

Update the heatEnvConfigMap to add the tls-certs.yaml file:

oc create configmap -n openstack heat-env-config --from-file=~/custom_environment_files/ --dry-run=client -o yaml | oc apply -f -

$ oc create configmap -n openstack heat-env-config --from-file=~/custom_environment_files/ --dry-run=client -o yaml | oc apply -f -

Copy to Clipboard

Toggle word wrap

Create an OpenStackConfigGenerator and add the required heatEnvs configuration files to configure TLS for public endpoint DNS names:

apiVersion: osp-director.openstack.org/v1beta1
kind: OpenStackConfigGenerator
…
spec:
  …
  heatEnvs:
    - ssl/tls-endpoints-public-dns.yaml
    - ssl/enable-tls.yaml
  …
  heatEnvConfigMap: heat-env-config
  tarballConfigMap: tripleo-tarball-config

apiVersion: osp-director.openstack.org/v1beta1
kind: OpenStackConfigGenerator
…
spec:
  …
  heatEnvs:
    - ssl/tls-endpoints-public-dns.yaml
    - ssl/enable-tls.yaml
  …
  heatEnvConfigMap: heat-env-config
  tarballConfigMap: tripleo-tarball-config

Copy to Clipboard

Toggle word wrap

The OpenStackConfigGenerator and a new OpenStackConfigVersion are created, run the Ansible playbooks against the overcloud using the OpenStackDeploy resource:

Chapter 12. Deploying TLS for public endpoints using director Operator

12.1. TLS for public endpoint IP addresses
Copy link

12.2. TLS for public endpoint DNS names
Copy link

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

Making open source more inclusive

About Red Hat

Theme

Red Hat legal and privacy links

Red Hat legal and privacy links

Chapter 12. Deploying TLS for public endpoints using director Operator

12.1. TLS for public endpoint IP addressesCopy linkLink copied to clipboard!

12.2. TLS for public endpoint DNS namesCopy linkLink copied to clipboard!

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

Making open source more inclusive

About Red Hat

Theme

Red Hat legal and privacy links

Red Hat legal and privacy links

12.1. TLS for public endpoint IP addresses
Copy link

12.2. TLS for public endpoint DNS names
Copy link