Red Hat Summit Red Hat SummitSupportConsoleDéveloppeursCommencer un essaiContact

Ce contenu n'est pas disponible dans la langue sélectionnée.

Chapter 7. Enabling SSL/TLS on overcloud public endpoints

By default, the overcloud uses unencrypted endpoints for the overcloud services. To enable SSL/TLS in your overcloud, Red Hat recommends that you use a certificate authority (CA) solution.

When you use a CA solution, you have production ready solutions such as a certificate renewals, certificate revocation lists (CRLs), and industry accepted cryptography. For information on using Red Hat Identity Manager (IdM) as a CA, see Implementing TLS-e with Ansible.

You can use the following manual process to enable SSL/TLS for Public API endpoints only, the Internal and Admin APIs remain unencrypted. You must also manually update SSL/TLS certificates if you do not use a CA. For more information, see Manually updating SSL/TLS certificates.

7.1. Prerequisites
Copier lien

  • Network isolation to define the endpoints for the Public API.
  • The openssl-perl package is installed.
  • You have an SSL/TLS certificate. For more information see Configuring custom SSL/TLS certificates.

7.2. Enabling SSL/TLS
Copier lien

To enable SSL/TLS in your overcloud, you must create an environment file that contains parameters for your SSL/TLS certiciates and private key.

Procedure

  1. Copy the enable-tls.yaml environment file from the heat template collection: 

    $ cp -r /usr/share/openstack-tripleo-heat-templates/environments/ssl/enable-tls.yaml ~/templates/.
    Copy to Clipboard Toggle word wrap

  2. Edit this file and make the following changes for these parameters:

    SSLCertificate

    Copy the contents of the certificate file (server.crt.pem) into the SSLCertificate parameter: 

    parameter_defaults:
  SSLCertificate: |
    -----BEGIN CERTIFICATE-----
    MIIDgzCCAmugAwIBAgIJAKk46qw6ncJaMA0GCSqGS
    ...
    sFW3S2roS4X0Af/kSSD8mlBBTFTCMBAj6rtLBKLaQ
    -----END CERTIFICATE-----
    Copy to Clipboard Toggle word wrap
    Important

    The certificate contents require the same indentation level for all new lines.

    SSLIntermediateCertificate

    If you have an intermediate certificate, copy the contents of the intermediate certificate into the SSLIntermediateCertificate parameter: 

    parameter_defaults:
  SSLIntermediateCertificate: |
    -----BEGIN CERTIFICATE-----
    sFW3S2roS4X0Af/kSSD8mlBBTFTCMBAj6rtLBKLaQbIxEpIzrgvpBCwUAMFgxCzAJB
    ...
    MIIDgzCCAmugAwIBAgIJAKk46qw6ncJaMA0GCSqGSIb3DQE
    -----END CERTIFICATE-----
    Copy to Clipboard Toggle word wrap
    Important

    The certificate contents require the same indentation level for all new lines.

    SSLKey

    Copy the contents of the private key (server.key.pem) into the SSLKey parameter: 

    parameter_defaults:
  ...
  SSLKey: |
    -----BEGIN RSA PRIVATE KEY-----
    MIIEowIBAAKCAQEAqVw8lnQ9RbeI1EdLN5PJP0lVO
    ...
    ctlKn3rAAdyumi4JDjESAXHIKFjJNOLrBmpQyES4X
    -----END RSA PRIVATE KEY-----
    Copy to Clipboard Toggle word wrap
    Important

    The private key contents require the same indentation level for all new lines.

7.3. Injecting a root certificate
Copier lien

If the certificate signer is not in the default trust store on the overcloud image, you must inject the certificate authority into the overcloud image.

Procedure

  1. Copy the inject-trust-anchor-hiera.yaml environment file from the heat template collection: 

    $ cp -r /usr/share/openstack-tripleo-heat-templates/environments/ssl/inject-trust-anchor-hiera.yaml ~/templates/.
    Copy to Clipboard Toggle word wrap

  2. Edit this file and make the following changes for these parameters:

    CAMap

    Lists each certificate authority content (CA) to inject into the overcloud. The overcloud requires the CA files used to sign the certificates for both the undercloud and the overcloud. Copy the contents of the root certificate authority file (ca.crt.pem) into an entry. For example, your CAMap parameter might look like the following: 

    parameter_defaults:
  CAMap:
    ...
    undercloud-ca:
      content: |
        -----BEGIN CERTIFICATE-----
        MIIDlTCCAn2gAwIBAgIJAOnPtx2hHEhrMA0GCS
        BAYTAlVTMQswCQYDVQQIDAJOQzEQMA4GA1UEBw
        UmVkIEhhdDELMAkGA1UECwwCUUUxFDASBgNVBA
        -----END CERTIFICATE-----
    overcloud-ca:
      content: |
        -----BEGIN CERTIFICATE-----
        MIIDBzCCAe+gAwIBAgIJAIc75A7FD++DMA0GCS
        BAMMD3d3dy5leGFtcGxlLmNvbTAeFw0xOTAxMz
        Um54yGCARyp3LpkxvyfMXX1DokpS1uKi7s6CkF
        -----END CERTIFICATE-----
    Copy to Clipboard Toggle word wrap
    Important

    The certificate authority contents require the same indentation level for all new lines.

    You can also inject additional CAs with the CAMap parameter.

7.4. Configuring DNS endpoints
Copier lien

If you use a DNS hostname to access the overcloud through SSL/TLS, copy the /usr/share/openstack-tripleo-heat-templates/environments/predictable-placement/custom-domain.yaml file into the /home/stack/templates directory.

Note

It is not possible to redeploy with a TLS-everywhere architecture if this environment file is not included in the initial deployment.

Configure the host and domain names for all fields, adding parameters for custom networks if needed:

CloudDomain
the DNS domain for hosts.
CloudName
The DNS hostname of the overcloud endpoints.
CloudNameCtlplane
The DNS name of the provisioning network endpoint.
CloudNameInternal
The DNS name of the Internal API endpoint.
CloudNameStorage
The DNS name of the storage endpoint.
CloudNameStorageManagement
The DNS name of the storage management endpoint.
Tip

You can use the CloudName{network.name} definition to set the DNS name for an API endpoint on a composable network that uses a virtual IP.

For more information, see Adding a composable network in Installing and managing Red Hat OpenStack Platform with director.

Procedure

  • Use one of the following parameters to add the DNS servers to use:

    • DEFAULT/undercloud_nameservers
    • %SUBNET_SECTION%/dns_nameservers

7.5. Adding environment files during overcloud creation
Copier lien

Use the -e option with the deployment command openstack overcloud deploy to include environment files in the deployment process. Add the environment files from this section in the following order:

  • The environment file to enable SSL/TLS (enable-tls.yaml)
  • The environment file to set the DNS hostname (custom-domain.yaml)
  • The environment file to inject the root certificate authority (inject-trust-anchor-hiera.yaml)

  • The environment file to set the public endpoint mapping:

    • If you use a DNS name for accessing the public endpoints, use /usr/share/openstack-tripleo-heat-templates/environments/ssl/tls-endpoints-public-dns.yaml
    • If you use a IP address for accessing the public endpoints, use /usr/share/openstack-tripleo-heat-templates/environments/ssl/tls-endpoints-public-ip.yaml

Procedure

  • Use the following deployment command snippet as an example of how to include your SSL/TLS environment files: 

    $ openstack overcloud deploy --templates \
[...]
-e /home/stack/templates/enable-tls.yaml \
-e ~/templates/custom-domain.yaml \
-e ~/templates/inject-trust-anchor-hiera.yaml \
-e /usr/share/openstack-tripleo-heat-templates/environments/ssl/tls-endpoints-public-dns.yaml
    Copy to Clipboard Toggle word wrap

7.6. Manually Updating SSL/TLS Certificates
Copier lien

Complete the following steps if you are using your own SSL/TLS certificates that are not auto-generated from the TLS everywhere (TLS-e) process.

Procedure

  1. Edit your heat templates with the following content:

    • Edit the enable-tls.yaml file and update the SSLCertificate, SSLKey, and SSLIntermediateCertificate parameters.
    • If your certificate authority has changed, edit the inject-trust-anchor-hiera.yaml file and update the CAMap parameter.

  2. Rerun the deployment command: 

    $ openstack overcloud deploy --templates \
[...]
 --limit Controller --tags facts,host_prep_steps \
-e /home/stack/templates/enable-tls.yaml \
-e ~/templates/custom-domain.yaml \
-e ~/templates/inject-trust-anchor-hiera.yaml \
-e /usr/share/openstack-tripleo-heat-templates/environments/ssl/tls-endpoints-public-dns.yaml
    Copy to Clipboard Toggle word wrap
    Note

    This procedure uses a combination of --limit and --tags in the openstack overcloud deploy command, in order to reduce impact and completion time.

Retour au début
Red Hat logoGithubredditYoutubeTwitter

Apprendre

Essayez, achetez et vendez

Communautés

À propos de la documentation Red Hat

Nous aidons les utilisateurs de Red Hat à innover et à atteindre leurs objectifs grâce à nos produits et services avec un contenu auquel ils peuvent faire confiance. Découvrez nos récentes mises à jour.

Rendre l’open source plus inclusif

Red Hat s'engage à remplacer le langage problématique dans notre code, notre documentation et nos propriétés Web. Pour plus de détails, consultez le Blog Red Hat.

À propos de Red Hat

Nous proposons des solutions renforcées qui facilitent le travail des entreprises sur plusieurs plates-formes et environnements, du centre de données central à la périphérie du réseau.

Theme

© 2025 Red Hat