Chapter 12. Deploying TLS for public endpoints using director Operator


With director Operator (OSPdO), you can deploy the overcloud with TLS enabled on its public endpoints, addressed either by IP address or by DNS name.

Prerequisites

  • You have installed OSPdO on an operational Red Hat OpenShift Container Platform (RHOCP) cluster.
  • You have installed the oc command line tool on your workstation.
  • You have created the certificate authority, key, and certificate. For more information, see Enabling SSL/TLS on overcloud public endpoints.

12.1. TLS for public endpoint IP addresses

To enable TLS on public endpoints that are referenced by IP address, first add your CA certificates to the openstackclient pod so that it trusts the endpoint certificates: create a ConfigMap resource that stores the CA certificates, then reference that ConfigMap resource in the OpenStackControlPlane resource.

Procedure

  1. Create a ConfigMap resource to store the CA certificates:

    apiVersion: v1
    kind: ConfigMap
    metadata:
      name: cacerts
      namespace: openstack
    data:
      local_CA: |
        -----BEGIN CERTIFICATE-----
        …
        -----END CERTIFICATE-----
      another_CA: |
        -----BEGIN CERTIFICATE-----
        …
        -----END CERTIFICATE-----
  2. Create the OpenStackControlPlane resource and reference the ConfigMap resource:

    apiVersion: osp-director.openstack.org/v1beta2
    kind: OpenStackControlPlane
    metadata:
      name: <overcloud>
      namespace: openstack
    spec:
      caConfigMap: cacerts
    • Replace <overcloud> with the name of your overcloud control plane.
  3. Create a file named tls-certs.yaml in the ~/custom_environment_files directory that specifies the generated certificates for the deployment by using the SSLCertificate, SSLIntermediateCertificate, SSLKey, and CAMap parameters. The file embeds the private key, so restrict its file permissions and limit read access to the ConfigMap you create from it in the next step.
  4. Update the heat-env-config ConfigMap, which the OpenStackConfigGenerator references through heatEnvConfigMap, so that it includes the tls-certs.yaml file:

    $ oc create configmap -n openstack heat-env-config --from-file=~/custom_environment_files/ --dry-run=client -o yaml | oc apply -f -
  5. Create an OpenStackConfigGenerator resource and add the required heatEnvs configuration files to configure TLS for public endpoint IPs:

    apiVersion: osp-director.openstack.org/v1beta1
    kind: OpenStackConfigGenerator
    …
    spec:
      …
      heatEnvs:
        - ssl/tls-endpoints-public-ip.yaml
        - ssl/enable-tls.yaml
      …
      heatEnvConfigMap: heat-env-config
      tarballConfigMap: tripleo-tarball-config
  6. Generate the Ansible playbooks by using OpenStackConfigGenerator and apply the overcloud configuration. For more information, see Configuring and deploying the overcloud with director Operator.

12.2. TLS for public endpoint DNS names

To enable TLS on public endpoints that are referenced by DNS name, first add your CA certificates to the openstackclient pod so that it trusts the endpoint certificates: create a ConfigMap resource that stores the CA certificates, then reference that ConfigMap resource in the OpenStackControlPlane resource.

Procedure

  1. Create a ConfigMap resource to store the CA certificates:

    apiVersion: v1
    kind: ConfigMap
    metadata:
      name: cacerts
      namespace: openstack
    data:
      local_CA: |
        -----BEGIN CERTIFICATE-----
        …
        -----END CERTIFICATE-----
      another_CA: |
        -----BEGIN CERTIFICATE-----
        …
        -----END CERTIFICATE-----
  2. Create the OpenStackControlPlane resource and reference the ConfigMap resource:

    apiVersion: osp-director.openstack.org/v1beta2
    kind: OpenStackControlPlane
    metadata:
      name: <overcloud>
      namespace: openstack
    spec:
      caConfigMap: cacerts
    • Replace <overcloud> with the name of your overcloud control plane.
  3. Create a file named tls-certs.yaml in the ~/custom_environment_files directory that specifies the generated certificates for the deployment by using the SSLCertificate, SSLIntermediateCertificate, SSLKey, and CAMap parameters. The file embeds the private key, so restrict its file permissions and limit read access to the ConfigMap you create from it in the next step.
  4. Update the heat-env-config ConfigMap, which the OpenStackConfigGenerator references through heatEnvConfigMap, so that it includes the tls-certs.yaml file:

    $ oc create configmap -n openstack heat-env-config --from-file=~/custom_environment_files/ --dry-run=client -o yaml | oc apply -f -
  5. Create an OpenStackConfigGenerator resource and add the required heatEnvs configuration files to configure TLS for public endpoint DNS names:

    apiVersion: osp-director.openstack.org/v1beta1
    kind: OpenStackConfigGenerator
    …
    spec:
      …
      heatEnvs:
        - ssl/tls-endpoints-public-dns.yaml
        - ssl/enable-tls.yaml
      …
      heatEnvConfigMap: heat-env-config
      tarballConfigMap: tripleo-tarball-config
  6. Generate the Ansible playbooks by using OpenStackConfigGenerator and apply the overcloud configuration. For more information, see Configuring and deploying the overcloud with director Operator.
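Step 3 of both procedures (12.1 and 12.2) asks for a tls-certs.yaml file but does not show its shape. The script below is an added example, not code from this page or from OSPdO: it builds the file from PEM inputs, indenting each PEM block to the depth its YAML nesting requires, and checks the result before step 4 loads it into the heat-env-config ConfigMap. The input file names, the CAMap entry name overcloud-ca, and the placeholder PEM text are assumptions; verify_pem_set needs openssl and real certificate material, so it is defined but not run on the constructed inputs.

```shell
#!/bin/sh
# Added example (not code from the Red Hat page): build tls-certs.yaml for the
# heat-env-config ConfigMap from PEM files and check it before loading it.
# Assumed, hypothetical inputs: server certificate, private key, an optional
# intermediate chain, and the CA that signed the chain. SSLCertificate,
# SSLIntermediateCertificate, SSLKey and CAMap are the heat parameters the
# procedure names; the CAMap entry name "overcloud-ca" is an assumption.

# indent N FILE: prefix every line of FILE with N spaces so the PEM text becomes
# the body of a YAML literal block scalar (|) at the right nesting depth.
indent() {
  pad=$(printf "%${1}s" '')
  awk -v pad="$pad" '{ print pad $0 }' "$2"
}

# build_tls_env CERT KEY INTERMEDIATE CA OUT: write the environment file.
# Runs in a subshell so the owner-only umask does not leak into the caller.
build_tls_env() (
  cert=$1; key=$2; inter=$3; ca=$4; out=$5
  umask 077                       # OUT embeds the private key
  {
    echo 'parameter_defaults:'
    echo '  SSLCertificate: |'
    indent 4 "$cert"
    if [ -s "$inter" ]; then      # a real chain goes into a block scalar ...
      echo '  SSLIntermediateCertificate: |'
      indent 4 "$inter"
    else                          # ... no chain is the empty string, not a missing key
      echo "  SSLIntermediateCertificate: ''"
    fi
    echo '  SSLKey: |'
    indent 4 "$key"
    echo '  CAMap:'               # trust anchor pushed to the overcloud nodes
    echo '    overcloud-ca:'
    echo '      content: |'
    indent 8 "$ca"
  } > "$out"
)

# check_tls_env FILE: return 0 only if each parameter carries its PEM block at
# the indentation its YAML nesting requires (a common copy-and-paste error).
check_tls_env() {
  f=$1
  grep -q '^  SSLCertificate: |$' "$f" &&
  grep -q '^    -----BEGIN CERTIFICATE-----$' "$f" &&
  grep -q '^  SSLIntermediateCertificate: ' "$f" &&
  grep -q '^  SSLKey: |$' "$f" &&
  grep -q '^    -----BEGIN .*PRIVATE KEY-----$' "$f" &&
  grep -q '^  CAMap:$' "$f" &&
  grep -q '^      content: |$' "$f" &&
  grep -q '^        -----BEGIN CERTIFICATE-----$' "$f"
}

# verify_pem_set CERT KEY INTERMEDIATE CA: needs openssl and real PEM material.
# Confirms CERT chains to CA (through INTERMEDIATE when present) and that KEY is
# CERT's key, so the CA in CAMap and in the cacerts ConfigMap really validates
# the endpoint. Not run below: the constructed placeholders are not parseable.
verify_pem_set() {
  cert=$1; key=$2; inter=$3; ca=$4
  if [ -s "$inter" ]; then
    openssl verify -CAfile "$ca" -untrusted "$inter" "$cert" >/dev/null || return 1
  else
    openssl verify -CAfile "$ca" "$cert" >/dev/null || return 1
  fi
  [ "$(openssl x509 -in "$cert" -noout -pubkey)" = "$(openssl pkey -in "$key" -pubout)" ]
}

# write_constructed_inputs DIR: constructed placeholder PEM files (not real
# certificates) so the script runs offline; use your own files in practice.
write_constructed_inputs() {
  d=$1
  printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Y29uc3RydWN0ZWQ=' '-----END CERTIFICATE-----' > "$d/overcloud.crt"
  printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'Y29uc3RydWN0ZWQ=' '-----END PRIVATE KEY-----' > "$d/overcloud.key"
  : > "$d/intermediate.crt"       # empty: no intermediate in this set
  printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Y29uc3RydWN0ZWQgQ0E=' '-----END CERTIFICATE-----' > "$d/ca.crt"
}

work=$(mktemp -d)
write_constructed_inputs "$work"
build_tls_env "$work/overcloud.crt" "$work/overcloud.key" "$work/intermediate.crt" \
              "$work/ca.crt" "$work/tls-certs.yaml"
check_tls_env "$work/tls-certs.yaml" && echo "wrote $work/tls-certs.yaml"
```

With real files, point build_tls_env at your certificate, key, chain and CA, write the output into ~/custom_environment_files/tls-certs.yaml, run verify_pem_set on the same inputs, and then load the directory with the oc create configmap command from step 4. Note the two trust paths the procedure sets up: caConfigMap on the OpenStackControlPlane makes the openstackclient pod trust the CA, while CAMap in tls-certs.yaml distributes the same CA to the overcloud nodes; put the same certificate in both, and remember that the heat-env-config ConfigMap now carries the endpoint private key, so restrict who can read ConfigMaps in the openstack namespace.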