Chapter 12. Deploying TLS for public endpoints using director Operator
Deploy the overcloud with TLS on its public endpoints, referenced by either IP address or DNS name, by using director Operator (OSPdO).
Prerequisites
- You have installed OSPdO on an operational Red Hat OpenShift Container Platform (RHOCP) cluster.
- You have installed the oc command line tool on your workstation.
- You have created the certificate authority, key, and certificate. For more information, see Enabling SSL/TLS on overcloud public endpoints.
12.1. TLS for public endpoint IP addresses
To reference public endpoint IP addresses, add your CA certificates to the openstackclient pod by creating a ConfigMap resource to store the CA certificates, then referencing that ConfigMap resource in the OpenStackControlPlane resource.
Procedure
1. Create a ConfigMap resource to store the CA certificates:

   apiVersion: v1
   kind: ConfigMap
   metadata:
     name: cacerts
     namespace: openstack
   data:
     local_CA: |
       -----BEGIN CERTIFICATE-----
       …
       -----END CERTIFICATE-----
     another_CA: |
       -----BEGIN CERTIFICATE-----
       …
       -----END CERTIFICATE-----

2. Create the OpenStackControlPlane resource and reference the ConfigMap resource:

   apiVersion: osp-director.openstack.org/v1beta2
   kind: OpenStackControlPlane
   metadata:
     name: <overcloud>
     namespace: openstack
   spec:
     caConfigMap: cacerts

   - Replace <overcloud> with the name of your overcloud control plane.
   - Replace

3. Create a file in the ~/custom_environment_files directory named tls-certs.yaml that specifies the generated certificates for the deployment by using the SSLCertificate, SSLIntermediateCertificate, SSLKey, and CAMap parameters. Update the heatEnvConfigMap to add the tls-certs.yaml file:

   $ oc create configmap -n openstack heat-env-config --from-file=~/custom_environment_files/ --dry-run=client -o yaml | oc apply -f -

4. Create an OpenStackConfigGenerator resource and add the required heatEnvs configuration files to configure TLS for public endpoint IPs:

   apiVersion: osp-director.openstack.org/v1beta1
   kind: OpenStackConfigGenerator
   …
   spec:
     …
     heatEnvs:
       - ssl/tls-endpoints-public-ip.yaml
       - ssl/enable-tls.yaml
     …
     heatEnvConfigMap: heat-env-config
     tarballConfigMap: tripleo-tarball-config

5. Generate the Ansible playbooks by using OpenStackConfigGenerator and apply the overcloud configuration. For more information, see Configuring and deploying the overcloud with director Operator.
12.2. TLS for public endpoint DNS names
To reference public endpoint DNS names, add your CA certificates to the openstackclient pod by creating a ConfigMap resource to store the CA certificates, then referencing that ConfigMap resource in the OpenStackControlPlane resource.
Procedure
1. Create a ConfigMap resource to store the CA certificates:

   apiVersion: v1
   kind: ConfigMap
   metadata:
     name: cacerts
     namespace: openstack
   data:
     local_CA: |
       -----BEGIN CERTIFICATE-----
       …
       -----END CERTIFICATE-----
     another_CA: |
       -----BEGIN CERTIFICATE-----
       …
       -----END CERTIFICATE-----

2. Create the OpenStackControlPlane resource and reference the ConfigMap resource:

   apiVersion: osp-director.openstack.org/v1beta2
   kind: OpenStackControlPlane
   metadata:
     name: <overcloud>
     namespace: openstack
   spec:
     caConfigMap: cacerts

   - Replace <overcloud> with the name of your overcloud control plane.
   - Replace

3. Create a file in the ~/custom_environment_files directory named tls-certs.yaml that specifies the generated certificates for the deployment by using the SSLCertificate, SSLIntermediateCertificate, SSLKey, and CAMap parameters. Update the heatEnvConfigMap to add the tls-certs.yaml file:

   $ oc create configmap -n openstack heat-env-config --from-file=~/custom_environment_files/ --dry-run=client -o yaml | oc apply -f -

4. Create an OpenStackConfigGenerator resource and add the required heatEnvs configuration files to configure TLS for public endpoint DNS names:

   apiVersion: osp-director.openstack.org/v1beta1
   kind: OpenStackConfigGenerator
   …
   spec:
     …
     heatEnvs:
       - ssl/tls-endpoints-public-dns.yaml
       - ssl/enable-tls.yaml
     …
     heatEnvConfigMap: heat-env-config
     tarballConfigMap: tripleo-tarball-config

5. Generate the Ansible playbooks by using OpenStackConfigGenerator and apply the overcloud configuration. For more information, see Configuring and deploying the overcloud with director Operator.
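The tls-certs.yaml step in sections 12.1 and 12.2 names the SSLCertificate, SSLIntermediateCertificate, SSLKey, and CAMap parameters but does not show the file. The following added example, which is not part of the OSPdO documentation, renders that environment file from PEM strings and rejects a block that is not well-formed PEM before it can be loaded into the heat-env-config ConfigMap. The helper names are hypothetical, the sample PEM bodies are constructed placeholders, and the CAMap layout (one content key per CA name) is assumed to follow TripleO's inject-trust-anchor environment.

```python
# Added example: render tls-certs.yaml for the heat-env-config ConfigMap.
# Helper names are hypothetical; sample PEM bodies are constructed, not real keys.
import base64
import re

# One PEM block: header, base64 body, footer carrying the same label.
PEM_RE = re.compile(
    r"-----BEGIN (?P<label>[A-Z ]+)-----\n(?P<body>[A-Za-z0-9+/=\n]*)-----END (?P=label)-----\n"
)

def check_pem(text: str, label_suffix: str) -> str:
    """Return a normalised single PEM block whose label ends with label_suffix,
    or raise ValueError. This catches truncated or mislabelled material before
    it lands in the environment file and, later, in the public endpoint's TLS setup."""
    m = PEM_RE.fullmatch(text.strip() + "\n")
    if not m or not m.group("label").endswith(label_suffix):
        raise ValueError(f"expected one PEM block labelled *{label_suffix}")
    body = m.group("body").replace("\n", "")
    if not body:
        raise ValueError("empty PEM body")
    base64.b64decode(body, validate=True)  # binascii.Error (a ValueError) on junk
    return m.group(0)

def block_scalar(text: str, indent: int) -> str:
    """Indent text for use as the value of a YAML literal block ('|')."""
    pad = " " * indent
    return "".join(pad + line + "\n" for line in text.strip().splitlines())

def render_tls_certs_env(cert: str, key: str, ca_map: dict, intermediate: str = "") -> str:
    """Build parameter_defaults for SSLCertificate, SSLIntermediateCertificate,
    SSLKey and CAMap; each CAMap entry carries a 'content' key (assumed layout)."""
    out = ["parameter_defaults:\n",
           "  SSLCertificate: |\n" + block_scalar(check_pem(cert, "CERTIFICATE"), 4)]
    if intermediate:
        out.append("  SSLIntermediateCertificate: |\n"
                   + block_scalar(check_pem(intermediate, "CERTIFICATE"), 4))
    out.append("  SSLKey: |\n" + block_scalar(check_pem(key, "PRIVATE KEY"), 4))
    out.append("  CAMap:\n")
    for name, pem in ca_map.items():
        out.append(f"    {name}:\n      content: |\n"
                   + block_scalar(check_pem(pem, "CERTIFICATE"), 8))
    return "".join(out)

# Constructed sample input (placeholder base64, not real certificate material).
SAMPLE_CERT = "-----BEGIN CERTIFICATE-----\nMIIBfakeAAAA\n-----END CERTIFICATE-----\n"
SAMPLE_KEY = "-----BEGIN PRIVATE KEY-----\nMIIBfakeBBBB\n-----END PRIVATE KEY-----\n"

if __name__ == "__main__":
    print(render_tls_certs_env(SAMPLE_CERT, SAMPLE_KEY, {"local_CA": SAMPLE_CERT}))
```

Write the returned text to ~/custom_environment_files/tls-certs.yaml before running the oc create configmap command from step 3.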