Chapter 12. Enabling SSL/TLS on Internal and Public Endpoints with Identity Management

On the undercloud node, install the python-novajoin package:

$ sudo yum install python-novajoin

On the undercloud node, run the novajoin-ipa-setup script, adjusting the values to suit your deployment:

$ sudo /usr/libexec/novajoin-ipa-setup \
    --principal admin \
    --password <IdM admin password> \
    --server <IdM server hostname> \
    --realm <overcloud cloud domain (in upper case)> \
    --domain <overcloud cloud domain> \
    --hostname <undercloud hostname> \
    --precreate

In the following section, you will use the resulting One-Time Password (OTP) to enroll the undercloud.

The novajoin service is disabled by default. To enable it, add an entry to undercloud.conf:

enable_novajoin = true

You need set a One-Time Password (OTP) to register the undercloud node with IdM:

ipa_otp = <otp>

Ensure the overcloud’s domain name served by neutron’s DHCP server matches the IdM domain (your kerberos realm in lowercase):

overcloud_domain_name = <domain>

Set the appropriate hostname for the undercloud:

undercloud_hostname = <undercloud FQDN>

Set IdM as the nameserver for the undercloud:

undercloud_nameservers = <IdM IP>

For larger environments, you will need to review the novajoin connection timeout values. In undercloud.conf, add a reference to a new file called undercloud-timeout.yaml:

hieradata_override = /home/stack/undercloud-timeout.yaml

Add the following options to undercloud-timeout.yaml. You can specify the timeout value in seconds, for example, 5:

nova::api::vendordata_dynamic_connect_timeout: <timeout value>
nova::api::vendordata_dynamic_read_timeout: <timeout value>

Run the undercloud deployment command to apply the changes to your existing undercloud:

$ openstack undercloud install

Connect to your undercloud:

$ source ~/stackrc

Configure the control plane subnet to use IdM as the DNS name server:

$ openstack subnet set ctlplane-subnet --dns-nameserver  <idm_server_address>

Set the DnsServers parameter in an environment file to use your IdM server:

parameter_defaults:
  DnsServers: ["<idm_server_address>"]

This parameter is usually defined in a custom network-environment.yaml file.

To enable IdM integration, create a copy of the /usr/share/openstack-tripleo-heat-templates/environments/predictable-placement/custom-domain.yaml environment file:

$ cp /usr/share/openstack-tripleo-heat-templates/environments/predictable-placement/custom-domain.yaml \
  /home/stack/templates/custom-domain.yaml

Edit the /home/stack/templates/custom-domain.yaml environment file and set the CloudDomain and CloudName* values to suit your deployment. For example:

parameter_defaults:
  CloudDomain: lab.local
  CloudName: overcloud.lab.local
  CloudNameInternal: overcloud.internalapi.lab.local
  CloudNameStorage: overcloud.storage.lab.local
  CloudNameStorageManagement: overcloud.storagemgmt.lab.local
  CloudNameCtlplane: overcloud.ctlplane.lab.local

Include the following environment files in the overcloud deployment process:

This only sets TLS for the internal endpoints. For the external endpoints you can use the normal means of adding TLS with the ./tripleo-heat-templates/environments/enable-tls.yaml environment file (which must be modified to add your custom certificate and key). Consequently, your openstack deploy command would be similar to this:

openstack overcloud deploy \
  --templates \
  -e /usr/share/openstack-tripleo-heat-templates/environments/enable-internal-tls.yaml \
  -e /usr/share/openstack-tripleo-heat-templates/environments/tls-everywhere-endpoints-dns.yaml \
  -e /home/stack/templates/custom-domain.yaml \
  -e /home/stack/templates/enable-tls.yaml

Alternatively, you can also use IdM to issue your public certificates. In that case, you need to use the ./tripleo-heat-templates/environments/services/haproxy-public-tls-certmonger.yaml environment file. For example:

openstack overcloud deploy \
  --templates \
   -e ./tripleo-heat-templates/environments/enable-internal-tls.yaml \
   -e /usr/share/openstack-tripleo-heat-templates/environments/tls-everywhere-endpoints-dns.yaml \
   -e /home/stack/templates/custom-domain.yaml \
   -e ./tripleo-heat-templates/environments/services/haproxy-public-tls-certmonger.yaml