Chapter 12. Deploying TLS for public endpoints using director Operator
Deploy the overcloud using TLS to create public endpoint IPs or DNS names for director Operator (OSPdO).
Prerequisites
- You have installed OSPdO on an operational Red Hat OpenShift Container Platform (RHOCP) cluster.
- You have installed the oc command line tool on your workstation.
- You have created the certificate authority, key, and certificate. For more information, see Enabling SSL/TLS on overcloud public endpoints.
12.1. TLS for public endpoint IP addresses
To reference public endpoint IP addresses, add your CA certificates to the openstackclient pod by creating a ConfigMap resource to store the CA certificates, then referencing that ConfigMap resource in the OpenStackControlPlane resource.
Procedure
1. Create a ConfigMap resource to store the CA certificates:

       apiVersion: v1
       kind: ConfigMap
       metadata:
         name: cacerts
         namespace: openstack
       data:
         local_CA: |
           -----BEGIN CERTIFICATE-----
           …
           -----END CERTIFICATE-----
         another_CA: |
           -----BEGIN CERTIFICATE-----
           …
           -----END CERTIFICATE-----

2. Create the OpenStackControlPlane resource and reference the ConfigMap resource:

       apiVersion: osp-director.openstack.org/v1beta2
       kind: OpenStackControlPlane
       metadata:
         name: <overcloud>
         namespace: openstack
       spec:
         caConfigMap: cacerts

   - Replace <overcloud> with the name of your overcloud control plane.

3. Create a file named tls-certs.yaml in the ~/custom_environment_files directory that specifies the generated certificates for the deployment by using the SSLCertificate, SSLIntermediateCertificate, SSLKey, and CAMap parameters. Update the heatEnvConfigMap to add the tls-certs.yaml file:

       $ oc create configmap -n openstack heat-env-config --from-file=~/custom_environment_files/ --dry-run=client -o yaml | oc apply -f -

4. Create an OpenStackConfigGenerator resource and add the required heatEnvs configuration files to configure TLS for public endpoint IPs:

       apiVersion: osp-director.openstack.org/v1beta1
       kind: OpenStackConfigGenerator
       …
       spec:
         …
         heatEnvs:
           - ssl/tls-endpoints-public-ip.yaml
           - ssl/enable-tls.yaml
         …
         heatEnvConfigMap: heat-env-config
         tarballConfigMap: tripleo-tarball-config

5. Generate the Ansible playbooks by using OpenStackConfigGenerator and apply the overcloud configuration. For more information, see Configuring and deploying the overcloud with director Operator.
12.2. TLS for public endpoint DNS names
To reference public endpoint DNS names, add your CA certificates to the openstackclient pod by creating a ConfigMap resource to store the CA certificates, then referencing that ConfigMap resource in the OpenStackControlPlane resource.
Procedure
1. Create a ConfigMap resource to store the CA certificates:

       apiVersion: v1
       kind: ConfigMap
       metadata:
         name: cacerts
         namespace: openstack
       data:
         local_CA: |
           -----BEGIN CERTIFICATE-----
           …
           -----END CERTIFICATE-----
         another_CA: |
           -----BEGIN CERTIFICATE-----
           …
           -----END CERTIFICATE-----

2. Create the OpenStackControlPlane resource and reference the ConfigMap resource:

       apiVersion: osp-director.openstack.org/v1beta2
       kind: OpenStackControlPlane
       metadata:
         name: <overcloud>
         namespace: openstack
       spec:
         caConfigMap: cacerts

   - Replace <overcloud> with the name of your overcloud control plane.

3. Create a file named tls-certs.yaml in the ~/custom_environment_files directory that specifies the generated certificates for the deployment by using the SSLCertificate, SSLIntermediateCertificate, SSLKey, and CAMap parameters. Update the heatEnvConfigMap to add the tls-certs.yaml file:

       $ oc create configmap -n openstack heat-env-config --from-file=~/custom_environment_files/ --dry-run=client -o yaml | oc apply -f -

4. Create an OpenStackConfigGenerator resource and add the required heatEnvs configuration files to configure TLS for public endpoint DNS names:

       apiVersion: osp-director.openstack.org/v1beta1
       kind: OpenStackConfigGenerator
       …
       spec:
         …
         heatEnvs:
           - ssl/tls-endpoints-public-dns.yaml
           - ssl/enable-tls.yaml
         …
         heatEnvConfigMap: heat-env-config
         tarballConfigMap: tripleo-tarball-config

5. Generate the Ansible playbooks by using OpenStackConfigGenerator and apply the overcloud configuration. For more information, see Configuring and deploying the overcloud with director Operator.
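The two artifacts that sections 12.1 and 12.2 both assemble by hand, the cacerts ConfigMap and the tls-certs.yaml heat environment file, generated from PEM input with a structural check first, as an added example in Python; this is not director Operator code, the helper names (pem_blocks, validate_ca_map, build_cacerts_configmap, build_tls_certs_env) are assumed, and the PEM strings are constructed placeholders. The check rejects any block that is not a certificate in the CA map, so a private key pasted there by mistake never reaches the cacerts ConfigMap that is mounted into the openstackclient pod.

```python
import re

# One PEM block: header, base64 body lines, and a footer matching the header (\1).
PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\n(?:[A-Za-z0-9+/=]+\n)+-----END \1-----")

def pem_blocks(pem):
    """Return [(block_type, block_text)] for every well-formed PEM block in pem."""
    return [(m.group(1), m.group(0) + "\n") for m in PEM_RE.finditer(pem)]

def validate_ca_map(cas):
    """cas: {ca_name: pem_text}. Return a list of problems (empty means OK). Anything that
    is not a CERTIFICATE, e.g. a private key, is rejected so it cannot end up in the
    non-secret cacerts ConfigMap that is mounted into the openstackclient pod."""
    return [f"{name}: expected only CERTIFICATE blocks" for name, pem in cas.items()
            if {t for t, _ in pem_blocks(pem)} != {"CERTIFICATE"}]

def _block_scalar(text, indent):
    """Render text as a YAML literal block scalar ('|') indented by indent spaces."""
    pad = " " * indent
    return "|\n" + "".join(f"{pad}{line}\n" for line in text.rstrip("\n").split("\n"))

def build_cacerts_configmap(cas, name="cacerts", namespace="openstack"):
    """YAML for the ConfigMap that OpenStackControlPlane.spec.caConfigMap references."""
    problems = validate_ca_map(cas)
    if problems:
        raise ValueError("; ".join(problems))
    head = f"apiVersion: v1\nkind: ConfigMap\nmetadata:\n  name: {name}\n  namespace: {namespace}\ndata:\n"
    return head + "".join(f"  {n}: " + _block_scalar(pem, 4) for n, pem in cas.items())

def build_tls_certs_env(cert, key, cas, intermediate=None):
    """YAML for tls-certs.yaml: SSLCertificate, SSLIntermediateCertificate, SSLKey, CAMap."""
    if [t for t, _ in pem_blocks(cert)] != ["CERTIFICATE"]:
        raise ValueError("SSLCertificate must be exactly one CERTIFICATE block")
    if not any(t.endswith("PRIVATE KEY") for t, _ in pem_blocks(key)):
        raise ValueError("SSLKey must be a PRIVATE KEY block")
    if validate_ca_map(cas):
        raise ValueError("CAMap: " + "; ".join(validate_ca_map(cas)))
    out = ["parameter_defaults:\n", "  SSLCertificate: " + _block_scalar(cert, 4)]
    if intermediate:
        out.append("  SSLIntermediateCertificate: " + _block_scalar(intermediate, 4))
    out.append("  SSLKey: " + _block_scalar(key, 4))
    out.append("  CAMap:\n")
    out += [f"    {n}:\n      content: " + _block_scalar(pem, 8) for n, pem in cas.items()]
    return "".join(out)

# Constructed placeholder PEM material (not real keys or certificates).
CA_PEM = "-----BEGIN CERTIFICATE-----\nMIIBlocalCAplaceholder\n-----END CERTIFICATE-----\n"
CERT_PEM = "-----BEGIN CERTIFICATE-----\nMIIBpublicEndpointCert\n-----END CERTIFICATE-----\n"
KEY_PEM = "-----BEGIN PRIVATE KEY-----\nMIIEprivateKeyPlaceholder\n-----END PRIVATE KEY-----\n"
```

Write the first result to a file and apply it with oc, and drop the second into ~/custom_environment_files/tls-certs.yaml before the oc create configmap step above.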