Red Hat Summit Red Hat SummitSupportConsoleDevelopersStart a trialContact

Chapter 10. Configuring a Single Keystone Multiple OpenStacks multi-region deployment to simplify user management and configuration

The Single Keystone Multiple OpenStacks (SKMO) multi-region Red Hat OpenStack Services on OpenShift (RHOSO) deployment simplifies user management and configuration for multiple regions.

In standard multi-region RHOSO deployments, each region is isolated with its own Identity (keystone) and Dashboard (horizon) services. This requires separate user accounts for each region, making credential management and rotation difficult.

The Single Keystone Multiple OpenStacks (SKMO) multi-region Red Hat OpenStack Services on OpenShift (RHOSO) deployment requires the following architecture to simplify the user management and configuration of multiple regions:

  • A single central region and multiple workload regions.

    Important

    When you deploy each workload region, you must define a unique RHOSO namespace, a unique region name, and unique Identity service user names for all the OpenStack services that communicate with the Identity service. For more information about the unique networking and configuration requirements of the SKMO deployment, see Plan your Single Keystone Multiple OpenStacks deployment.

  • The central region provides the Dashboard (horizon) service that is shared by all the regions of the SKMO deployment.

  • The central region provides a centralized Identity (keystone) service:

    • You must use the Identity service of the central region to create the default administrator user for each workload region.
    • You must use the Identity service of the central region to create the catalog entries for the public and private endpoints of the Identity service for each workload region.
  • The centralized Identity and Dashboard services provide a single pane of glass for the simplified configuration and management of the users. Each end user has a single set of credentials. You can enable or disable their access to every region in the central region. For more information, see Deploy Single Keystone Multiple OpenStacks.

The Single Keystone Multiple OpenStacks (SKMO) multi-region Red Hat OpenStack Services on OpenShift (RHOSO) deployment adopts an interdependent regional architecture. The central region provides centralized Dashboard (horizon) and Identity (keystone) services that are relied upon by all the other workload regions. Therefore, you must implement the following requirements for a successful SKMO deployment:

  1. The interdependence between the workload and the central regions requires that every region must provide the following unique identifications for a successful SKMO deployment:

    • A unique namespace to differentiate the RHOSO deployment of each region. For more information, see Create a unique namespace for each workload region.

      Important

      The RHOSO deployment namespace forms part of the DNS name for each OpenStack service. If you do not use different RHOSO namespaces for every region, conflicts occur between services in your different regions.

    • A unique region name defined by the spec of their Identity (keystone) service in the OpenStackControlPlane custom resource (CR). For more information, see Modify the deployment of each workload region.

      Note

      When the central Red Hat OpenStack Services on OpenShift (RHOSO) region is deployed, this region is called regionOne by default. If you use a workload region naming convention, then you can rename the region name of the central region to make it more easily identifiable. For more information, see Rename the central region.

    • The OpenStack services that communicate with the Identity service must use uniquely named Identity service users to simplify the task of managing their individual credentials. For more information, see Modify the deployment of each workload region.

      Warning

      If you do not specify unique Identity service user names for all the OpenStack services that communicate with the Identity service, then changing the password for a service user disrupts this service in all the workload regions that use this same user - unless you schedule a maintenance window for all of these regions first.

  2. The interdependence between the workload and the central regions imposes the following restrictions that must be met by the logical networking topology of your DNS configuration:

    • Each workload region must resolve the DNS name of the Identity service in the central region and access it.
    • The data plane (EDPM) nodes in each workload region must resolve the DNS name of the Identity service in the central region and access it.
    • After deploying the workload regions, the Dashboard (horizon) service in the central region must resolve the DNS names in the service catalog of every workload region and access them.

  3. The interdependence between the Identity services in each workload region and the Identity service of the central region changes how the service-to-service communication for the workload regions are routed. For more information, see Create the public and private endpoints of each workload region.

    In a normal OpenStack deployment like the central region, the Identity service has both a public and internal endpoint. These endpoints exist in separate networks to keep the internal service-to-service communication separate from public traffic. However, the workload regions are forced to send all of their internal service-to-service communication traffic to the public endpoint and therefore the public network of the central region. Even though the internal service-to-service communication traffic of the workload regions is encrypted, it is more vulnerable to DDOS attacks because it is not isolated on a separate internal network making it easier for external attackers to intercept these messages.

  4. The barbican-keystone-listener service requires access to the RabbitMQ message queue so that when a project is deleted by the Identity service (keystone), it can tell the Key Manager service (barbican) to clean up the related secrets and the other artifacts that it manages.

    In an SKMO deployment, the RabbitMQ message queue of the central region and not the workload regions contain the necessary Identity service (keystone) messages. For this reason, the barbican-keystone-listener services in the workload regions cannot know when projects are deleted so that the Key Manager service can clean them up. Therefore you must implement a third-party application like Skupper and configure your SKMO deployment to allow the barbican-keystone-listener services in the workload regions to access the RabbitMQ message queue in the central region to clean up deleted projects. For more information, see Enable RabbitMQ access for barbican-keystone-listener in SKMO.

10.3. Deploy Single Keystone Multiple OpenStacks
Copy link

A Single Keystone Multiple OpenStacks (SKMO) multi-region Red Hat OpenStack Services on OpenShift (RHOSO) deployment creates a centralized Dashboard (horizon) and Identity (keystone) service to provide a single pane of glass for the simplified configuration and management of the users. Each end user has a single set of credentials and their access to every workload region can be enabled or disabled in the central region.

Note

You must not manually configure the Dashboard (horizon) service of the central region to connect to the various workload regions because a Managing regions dropdown list is added to the UI automatically for a SKMO deployment to allow users to select the required workload regions. For more information, see SKMO Dashboard region configuration.

Prerequisites

Procedure

  1. Deploy the central region called regionOne by default, unless you rename it. For more information, see Rename the central region.

    The deployment of the central region does not require a data plane.

  2. Create the default administrator Identity service user for each workload region in the central region. These Identity service users must be granted the admin role in the admin project of the central region. For more information, see Create the default administrator user for each workload region.

  3. Create the catalog entries for the public and private endpoints of the Identity service in each workload region by using the Identity service in the central region. For more information, see Create the public and private endpoints of each workload region.

    Note

    Both the public and private endpoints of the Identity service in each workload region point to the public Identity service endpoint in the central region.

  4. Modify and deploy each workload region. An important part of this deployment modification involves creating a unique region name and unique Identity service users for each workload region. For more information, see Modify the deployment of each workload region.
  5. After you deploy a workload region of a multi-region Red Hat OpenStack Services on OpenShift (RHOSO) Single Keystone Multiple OpenStacks (SKMO) deployment you must configure the deployed central region to trust this workload region. For more information, see Configure the central region to trust a deployed workload region.

10.4. Rename the central region
Copy link

When the central Red Hat OpenStack Services on OpenShift (RHOSO) region of a Single Keystone Multiple OpenStacks (SKMO) multi-region Red Hat OpenStack Services on OpenShift (RHOSO) deployment is deployed this region is called regionOne by default. If you use a workload region naming convention when you name the workload regions you can rename the central region to make it more easily identifiable.

Prerequisites

  • You are logged on to a workstation that has access to the RHOSO control plane as a user with cluster-admin privileges.
  • You have the oc command line tool installed on your workstation.

Procedure

  1. In the central region, set the default RHOSO namespace: 

    $ oc project <central-region-namespace>

    where:

    <central-region-namespace>
    Specifies the name of the unique namespace for the central region, for example openstack.

  2. Edit the OpenStackControlPlane CR of your central region on your workstation: 

    $ oc edit openstackcontrolplane <name>

    where:

    <name>
    Specifies the name of your YAML OpenStackControlPlane CR. You can use the following command to retrieve this name: oc get openstackcontrolplane.

  3. Configure the region parameter of the Identity service (keystone): 

    ...
  spec:
    ...
    keystone:
      ...
      template:
        ...
        region: <central-region-name>

    where:

    <central-region-name>
    Specifies the region name for your central region.
  4. Save and close the editor to apply this change.

  5. Wait for the deployment of the control plane to reach the Ready status: 

    $ oc wait openstackcontrolplane <name> --for=condition=Ready --timeout=600s

You must use the Identity service (keystone) of the deployed Red Hat OpenStack Services on OpenShift (RHOSO) central region of a Single Keystone Multiple OpenStacks (SKMO) multi-region Red Hat OpenStack Services on OpenShift (RHOSO) deployment to create the default administrator user for each workload region. These workload administrator users must be granted the admin role in the admin project of the central region. For more information, see Deploy Single Keystone Multiple OpenStacks.

Prerequisites

  • You are logged on to a workstation that has access to the RHOSO control plane as a user with cluster-admin privileges.
  • You have the oc command line tool installed on your workstation.

Procedure

  1. In the central region, set the default RHOSO namespace: 

    $ oc project <central-region-namespace>

    where:

    <central-region-namespace>
    Specifies the name of the unique namespace for the central region, for example openstack.

  2. Access the remote shell for the OpenStackClient pod from your workstation to run OpenStack CLI commands: 

    $ oc rsh openstackclient

  3. Create the default administrator user for each workload region: 

    $ openstack user create --domain Default --project <central-region-admin-project> --project-domain Default --password <workload-region-admin-password> <workload-region-admin-name>

    where:

    <central-region-admin-project>
    Specifies the name of the admin project in the central region that is admin by default.
    <workload-region-admin-password>

    Specifies the password of the default administrator user of each`workload` region.

    Note

    Set this password as the value of the AdminPassword: parameter of the Secret custom resource (CR) file that you must create to provide secure access to the RHOSO service pods when you deploy each workload region.

    <workload-region-admin-name>
    Specifies the name of the default administrator user of each workload region, for example admin-two.

  4. Add the following roles to each default workload region administrator user: 

    $ openstack role add --project admin --project-domain Default --user <workload-region-admin-name> --user-domain Default admin
$ openstack role add --system all --user <workload-region-admin-name> --user-domain Default admin

You must use the Identity service (keystone) of the deployed Red Hat OpenStack Services on OpenShift (RHOSO) central region of a Single Keystone Multiple OpenStacks (SKMO) multi-region Red Hat OpenStack Services on OpenShift (RHOSO) deployment to create the catalog entries for the public and private endpoints of the Identity service in each workload region. For more information, see Deploy Single Keystone Multiple OpenStacks.

Both the public and private endpoints of the Identity service in each workload region must specify the public Identity service endpoint of the central region.

Therefore even though the internal service-to-service communication traffic of the workload regions is encrypted it is more vulnerable to DDOS attacks because it is not segregated on a separate internal network making it easier for external attackers to intercept these messages.

Prerequisites

  • You are logged on to a workstation that has access to the RHOSO control plane as a user with cluster-admin privileges.
  • You have the oc command line tool installed on your workstation.

Procedure

  1. In the central region, set the default RHOSO namespace: 

    $ oc project <central-region-namespace>

    where:

    <central-region-namespace>
    Specifies the name of the unique namespace for the central region, for example openstack.

  2. Access the remote shell for the OpenStackClient pod from your workstation to run OpenStack CLI commands: 

    $ oc rsh openstackclient

  3. Obtain the public Identity service endpoint of the central region: 

    $ openstack endpoint list --region <central-region-name> --service keystone --interface public

    where:

    <central-region-name>
    Specifies the name of your central region, which is regionOne by default.
  4. Copy this URL that is referenced in this procedure as <central-region-public-keystone-url>.

  5. Create the public and private endpoints of each workload region to specify the public Identity service endpoint of the central region: 

    $ openstack endpoint create --region <workload-region-name> keystone public <central-region-public-keystone-url>
$ openstack endpoint create --region <workload-region-name> keystone internal <central-region-public-keystone-url>

    where:

    <workload-region-name>
    Specifies the name of the required workload region, for example regionTwo.

    This creates the catalog entries for the public and private endpoints of the Identity service in each workload region in the Identity service catalog of the central region.

You must modify the deployment of each workload region of a Single Keystone Multiple OpenStacks (SKMO) multi-region Red Hat OpenStack Services on OpenShift (RHOSO) deployment because the Dashboard (horizon) and Identity (keystone) service of the central region is shared with all the workload regions. For more information, see Deploy Single Keystone Multiple OpenStacks.

An important part of this deployment modification involves creating a unique region name and unique Identity service users for each workload region. For more information, see Plan your Single Keystone Multiple OpenStacks deployment.

Procedure

  1. Create a unique RHOSO deployment namespace for each workload region to differentiate these RHOSO deployments from each other. For more information, see Create a unique namespace for each workload region.
  2. Specify the password of the administrator user that you manually created for each workload region as the value of the AdminPassword: parameter when you create the Secret custom resource (CR) to provide secure access to the RHOSO service pods in each workload region. For more information, see Create the default administrator user for each workload region and Provide secure access to RHOSO services in the Deploying Red Hat OpenStack Services on OpenShift guide.
  3. Obtain the CA certificate from the central region and add it to a secret in each workload region so it can be trusted. For more information, see Configure each workload region to trust the central region.

  4. Create a modified OpenStackControlPlane custom resource (CR) for each workload region. For more information, see Modify the control plane CR of each workload region.

    This involves defining a unique region name defined in the spec of the Identity (keystone) service for each workload region and creating unique Identity service users.

You must create a unique namespace for every workload region of your Single Keystone Multiple OpenStacks (SKMO) multi-region Red Hat OpenStack Services on OpenShift (RHOSO) deployment. This unique namespace is necessary to differentiate the RHOSO deployment of each region.

Important

The RHOSO deployment namespace forms part of the DNS name for each OpenStack service. If you do not use different namespaces for every region, conflicts occur between services in your different regions.

Prerequisites

  • You are logged on to a workstation that has access to the RHOCP cluster, as a user with cluster-admin privileges.
  • You have the oc command line tool installed on your workstation.

Procedure

  1. Create a project in your deployed RHOSO environment: 

    $ oc new-project <workload-region-namespace>

    where:

    <workload-region-namespace>
    Specifies the name of the unique namespace for each workload region, for example openstack-two.

  2. Ensure that this namespace is labeled to enable privileged pod creation by the OpenStack Operators: 

    $ oc get namespace <workload-region-namespace> -ojsonpath='{.metadata.labels}' | jq
{
  "kubernetes.io/metadata.name": "<workload-region-namespace>",
  "pod-security.kubernetes.io/enforce": "privileged",
  "security.openshift.io/scc.podSecurityLabelSync": "false"
}

  3. If the security context constraint (SCC) is not "privileged" use the following commands to change it: 

    $ oc label ns <workload-region-namespace> security.openshift.io/scc.podSecurityLabelSync=false --overwrite
$ oc label ns <workload-region-namespace> pod-security.kubernetes.io/enforce=privileged --overwrite

After you deploy the central region of a Single Keystone Multiple OpenStacks (SKMO) multi-region Red Hat OpenStack Services on OpenShift (RHOSO) deployment, you must configure each workload region to trust the central region. For more information, see Deploy Single Keystone Multiple OpenStacks.

In the following procedure, the Identity service region name of the central region is regionOne:

Prerequisites

  • You are logged on to a workstation that has access to your Red Hat OpenShift Container Platform (RHOCP) cluster as a user with cluster-admin privileges.
  • You have the oc command line tool installed on your workstation.

Procedure

  1. In the central region, set the default RHOSO namespace: 

    $ oc project <central-region-namespace>

    where:

    <central-region-namespace>
    Specifies the name of the unique namespace for the central region, for example openstack.

  2. Obtain the CA certificate in the central region and extract it into a file, for example regionOne-ca.crt :

    Note

    To decode the certificate before creating the output .crt file, add | base64 -d to this command. 

    $ oc get secret rootca-public -o yaml | yq '.data."ca.crt"' > regionOne-ca.crt
  3. Copy the regionOne-ca.crt file to a deployed workload region.

  4. In this workload region, set the default RHOSO namespace: 

    $ oc project <workload-region-namespace>

    where:

    <workload-region-namespace>
    Specifies the name of the unique namespace for this workload region, for example openstack-two.
  5. Create a PEM-formatted bundle in this workload region, for example custom-ca-certs.pem that includes the contents of this regionOne-ca.crt file and all the other custom CA certificates that you want each workload region to trust.

  6. Create a manifest file for a secret in this workload region that specifies the contents of the custom-ca-certs.pem bundle created in the previous step. In this example, this manifest file is called custom-ca-certs.yaml and the secret is called custom-ca-certs: 

    apiVersion: v1
data:
  custom-ca-certs.pem: <contents-of-PEM-bundle>
kind: Secret
metadata:
  annotations:
  name: custom-ca-certs
  namespace: <workload-region-namespace>
type: Opaque

    where:

    <contents-of-PEM-bundle>
    Specifies the base64 encoded string of the contents of the PEM-formatted bundle created in step 2 called custom-ca-certs.pem that includes the CA certificate from the central region. You can get this base64 encoded string by using the following command: cat custom-ca-certs.pem | base64 -w0.
    <workload-region-namespace>
    Specifies the name of the unique namespace that you created for this workload region, for example openstack-two.

  7. Create the secret in this workload region from the manifest file. In this example, this manifest file is called custom-ca-certs.yaml: 

    $ oc apply -f custom-ca-certs.yaml
  8. Repeat steps 3 to 7 for every deployed workload region.

Next steps

You must modify the OpenStackControlPlane custom resource (CR) for each workload region of a Single Keystone Multiple OpenStacks (SKMO) multi-region Red Hat OpenStack Services on OpenShift (RHOSO) deployment because the Dashboard (horizon) and Identity (keystone) service of the central region is shared with all the workload regions.

Note

An important part of modifying the OpenStackControlPlane CR for each workload region involves creating a unique region name and unique Identity service users for each workload region.

Prerequisites

Procedure

  1. Create a file on your workstation in this workload region named openstack_control_plane.yaml to define the OpenStackControlPlane CR: 

    apiVersion: core.openstack.org/v1beta1
kind: OpenStackControlPlane
metadata:
  name: openstack-control-plane
  namespace: <workload-region-namespace>
spec:
  secret: <workload-region-secret>

    where:

    <workload-region-namespace>
    Specifies the name of the unique namespace for this workload region, in this example openstack-two.
    <workload-region-secret>
    Specifies the name of the Secret CR for this workload region, in this example osp-secret.
  2. Perform steps 3 to 6 of Creating the control plane in the Deploying Red Hat OpenStack Services on OpenShift guide.

  3. Edit the OpenStackControlPlane CR of this workload region and specify the name of the secret containing all the CA certificates for this workload region including the CA certificate from the central region, in this example custom-ca-certs:

    Note

    If this section does not exist then you must add it. 

    ...
  spec:
    ...
    tls:
      ...
      caBundleSecretName: custom-ca-certs

  4. Edit the OpenStackControlPlane CR of this workload region and disable the Dashboard (horizon) service: 

    ...
  spec:
    ...
    horizon:
      ...
      enabled: false

  5. Edit the OpenStackControlPlane CR of this workload region and configure the Identity (keystone) service:

    Note

    You might need to remove default service configuration such as metadata or if this Identity service is configured as a load balancer. 

    ...
  spec:
    ...
    keystone:
      ...
      template:
        ...
        externalKeystoneAPI: true
        adminProject: <central-region-admin-project>
        adminUser: <workload-region-admin-name>
        region: <workload-region-name>
        override:
          ...
          service:
            ...
            internal:
              endpointURL: <central-region-public-keystone-url>
            ...
            public:
              endpointURL: <central-region-public-keystone-url>

    where:

    <central-region-admin-project>
    Specifies the name of the admin project in the central region that is admin by default.
    <workload-region-admin-name>
    Specifies the name of the default administrator user of this workload region, for example admin-two.
    <workload-region-name>
    Specifies the name of this workload region, for example regionTwo.
    <central-region-public-keystone-url>
    Specifies the public Identity service endpoint of the central region.

  6. Edit the OpenStackControlPlane CR of this workload region to specify unique Identity service user names for all the OpenStack services that communicate with the Identity service.

    Note

    If you do not specify unique Identity service user names then changing the password for a service user disrupts this service in all the workload regions that use this same user, unless you schedule a maintenance window for all of these regions first.

    The following OpenStack services commonly communicate with the Identity service and require unique Identity service user names: 

    ...
  spec:
  ...
  barbican:
    ...
    template:
      ...
      serviceUser: <workload-region-barbican-serviceUser>
  ...
  cinder:
    ...
    template:
      ...
      serviceUser: <workload-region-cinder-serviceUser>
  ...
  glance:
    ...
    template:
      ...
      serviceUser: <workload-region-glance-serviceUser>
  ...
  neutron:
    ...
    template:
      ...
      serviceUser: <workload-region-neutron-serviceUser>
  ...
  nova:
    ...
    template:
      ...
      serviceUser: <workload-region-nova-serviceUser>
  ...
  placement:
    ...
    template:
      ...
      serviceUser: <workload-region-placement-serviceUser>
  ...
  swift:
    ...
    template:
      ...
      swiftProxy:
        ...
        serviceUser: <workload-region-swift-serviceUser>

    where:

    <workload-region-barbican-serviceUser>
    Specifies the unique Identity service user name for the Key Manager service (barbican) of this workload region, for example barbican-two.
    <workload-region-cinder-serviceUser>
    Specifies the unique Identity service user name for the Block Storage service (cinder) of this workload region, for example cinder-two.
    <workload-region-glance-serviceUser>
    Specifies the unique Identity service user name for the Image service service (glance) of this workload region, for example glance-two.
    <workload-region-neutron-serviceUser>
    Specifies the unique Identity service user name for the Networking service (neutron) of this workload region, for example neutron-two.
    <workload-region-nova-serviceUser>
    Specifies the unique Identity service user name for the Compute service (nova) of this workload region, for example nova-two.
    <workload-region-placement-serviceUser>
    Specifies the unique Identity service user name for the Placement service (placement) of this workload region, for example placement-two.
    <workload-region-swift-serviceUser>
    Specifies the unique Identity service user name for the Object Storage service (swift) of this workload region, for example swift-two.

  7. If you use a back end that communicates to the Identity service (keystone) then you must specify the unique name of this workload region when configuring this back end.

    Note

    Back ends that do not communicate to the Identity service like Red Hat Ceph Storage do not require any additional configuration.

    For example the Object Storage service (swift) back end for the Image service (glance) communicates to the Identity service. Therefore, when you configure this back end you must specify the name of this workload region: 

    ...
  spec:
  ...
  glance:
    ...
    template:
      ...
      customServiceConfig:
          [DEFAULT]
          enabled_backends = default_backend:swift

          [glance_store]
          default_backend = default_backend

          [default_backend]
          swift_store_create_container_on_put = True
          swift_store_auth_version = 3
          swift_store_auth_address = {{ .KeystoneInternalURL }}
          swift_store_endpoint_type = internalURL
          swift_store_user = service:glance
          swift_store_key = {{ .ServicePassword }}
          swift_store_region = <workload-region-name>

    where:

    <workload-region-name>
    Specifies the name of this workload region, for example regionTwo.
  8. Perform all the remaining steps starting from step 7 of the Creating the control plane in the Deploying Red Hat OpenStack Services on OpenShift guide. But replace the openstack namespace of these commands specified as -n openstack with the name of the unique namespace you created for the workload region, in this example openstack-two. In this example, specify -n openstack-two for these commands.

After you deploy a workload region of a Single Keystone Multiple OpenStacks (SKMO) multi-region Red Hat OpenStack Services on OpenShift (RHOSO) deployment, you must configure the deployed central region to trust this workload region.

Prerequisites

  • You are logged on to a workstation that has access to your Red Hat OpenShift Container Platform (RHOCP) cluster as a user with cluster-admin privileges.
  • You have the oc command line tool installed on your workstation.

Procedure

  1. In the deployed workload region, set the default RHOSO namespace: 

    $ oc project <workload-region-namespace>

    where:

    <workload-region-namespace>
    Specifies the name of the unique namespace for this workload region, for example openstack-two.

  2. Obtain the CA certificate of this workload region and extract it into a file, for example regionTwo-ca.crt:

    Note

    To decode the certificate before creating the output .crt file add | base64 -d to this command. 

    $ oc get secret rootca-public -o yaml | yq '.data."ca.crt"' > regionTwo-ca.crt
  3. Copy the regionTwo-ca.crt file to the deployed central region.

  4. In the central region, set the default RHOSO namespace: 

    $ oc project <central-region-namespace>

    where:

    <central-region-namespace>
    Specifies the name of the unique namespace for the central region, for example openstack.

  5. Edit your OpenStackControlPlane CR of the central region: 

    $ oc edit openstackcontrolplane <name>

    where:

    <name>
    Specifies the name of your YAML OpenStackControlPlane CR. You can use the following command to retrieve this name: oc get openstackcontrolplane.

  6. If your OpenStackControlPlane CR in the central region contains the spec.tls.caBundleSecretName parameter:

    1. Obtain the name of the secret that contains the PEM-formatted bundle containing all the other custom CA certificates in chains of trust if applicable that the central region trusts, for example custom-ca-certs: 

      ...
  spec:
    ...
    tls:
      ...
      caBundleSecretName: custom-ca-certs

    2. Edit the specified secret, in this example custom-ca-certs 

      $ oc edit secret custom-ca-certs
    3. Append the contents of the CA certificate of the deployed workload region, for example regionTwo-ca.crt to the PEM-formatted bundle containing all the other custom CA certificates that the central region trusts.
    4. Save and exit the editor to automatically apply the changes to the secret, in this example custom-ca-certs.

  7. If your OpenStackControlPlane CR in the central region does not contain the spec.tls.caBundleSecretName parameter:

    1. Create a PEM-formatted bundle, for example custom-ca-certs.pem that includes the contents of this regionTwo-ca.crt file.

    2. Create a manifest file for the secret in the central region that specifies the contents of the custom-ca-certs.pem bundle created in the previous step. In this example the manifest file is called custom-ca-certs.yaml and the secret is called custom-ca-certs: 

      apiVersion: v1
data:
  custom-ca-certs.pem: <contents-of-PEM-bundle>
kind: Secret
metadata:
  annotations:
  name: custom-ca-certs
  namespace: <namespace>
type: Opaque

      where:

      <namespace>
      Specifies the namespace of the central region, in this example openstack.
      <contents-of-PEM-bundle>
      Specifies the base64 encoded string of the contents of the PEM-formatted bundle you created called custom-ca-certs.pem that includes the CA certificate from regionTwo. You can get this base64 encoded string by using the following command: cat custom-ca-certs.pem | base64 -w0.

  1. Create the secret in the central region from the manifest file. In this example the manifest file is called custom-ca-certs.yaml: 

    $ oc apply -f custom-ca-certs.yaml

  2. Edit your OpenStackControlPlane CR of the central region: 

    $ oc edit openstackcontrolplane <name>

    where:

    <name>
    Specifies with the name of your YAML OpenStackControlPlane CR. You can use the following command to retrieve this name: oc get openstackcontrolplane.

  3. Add the secret that you have created, in this example custom-ca-certs: 

    ...
  spec:
    ...
    tls:
      ...
      caBundleSecretName: custom-ca-certs
  4. Save and close the editor to automatically apply this change.

  5. Wait for the deployment of the control plane of the central region to reach the Ready status: 

    $ oc wait openstackcontrolplane <name> --for=condition=Ready --timeout=600s

Next steps

  • Extract the catalog entries for this workload region and make sure that the Dashboard (horizon) service in the central region can resolve the DNS names in the service catalog of this workload region and access them.

10.9. SKMO Dashboard region configuration
Copy link

When deploying a Single Keystone Multiple OpenStacks (SKMO) multi-region Red Hat OpenStack Services on OpenShift (RHOSO) deployment you must not configure the Dashboard (horizon) service of the central region to select which region a user wants to log into.

In a standard multi-region OpenStack deployment, each region is an isolated OpenStack deployment with their own Dashboard (horizon) and Identity (keystone) service. For this reason, you must configure the Dashboard (horizon) service to log into the Identity (keystone) service of each region. This configuration creates a dropdown list on the Login page for users to select the required isolated region or more specifically the Identity (keystone) service of this region.

In the SKMO deployment, the central region provides a centralized Identity (keystone) service that is used for logging into the entire multi-region deployment. Therefore, the dropdown list of regions must not be configured on the Login page of the Dashboard because no matter what workload region a user selects, the central region is always selected, confusing your users.

Note

The SKMO Dashboard automatically provides the Managing regions dropdown list in the UI to allow users to select the required workload region.

Red Hat logoGithubredditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust. Explore our recent updates.

Legal Notice

Theme

© 2026 Red HatBack to top