Red Hat Summit 红帽全球峰会支持控制台(Console)开发人员开始试用联系人

此内容没有您所选择的语言版本。

Chapter 15. Enabling SSL/TLS on Internal and Public Endpoints with Identity Management

You can enable SSL/TLS on certain overcloud endpoints. Due to the number of certificates required, the director integrates with a Red Hat Identity Management (IdM) server to act as a certificate authority and manage the overcloud certificates. This process involves using novajoin to enroll overcloud nodes to the IdM server.

To check the status of TLS support across the OpenStack components, refer to the TLS Enablement status matrix.

15.1. Add the undercloud to the CA
复制链接

Before deploying the overcloud, you must add the undercloud to the Certificate Authority (CA):

  1. On the undercloud node, install the python-novajoin package: 

    $ sudo yum install python-novajoin
    Copy to Clipboard Toggle word wrap

  2. On the undercloud node, run the novajoin-ipa-setup script, adjusting the values to suit your deployment: 

    $ sudo /usr/libexec/novajoin-ipa-setup \
    --principal admin \
    --password <IdM admin password> \
    --server <IdM server hostname> \
    --realm <overcloud cloud domain (in upper case)> \
    --domain <overcloud cloud domain> \
    --hostname <undercloud hostname> \
    --precreate
    Copy to Clipboard Toggle word wrap

    In the following section, you will use the resulting One-Time Password (OTP) to enroll the undercloud.

15.2. Add the undercloud to IdM
复制链接

This procedure registers the undercloud with IdM and configures novajoin. Configure the following settings in undercloud.conf (within the [DEFAULT] section):

  1. The novajoin service is disabled by default. To enable it: 

    [DEFAULT]
enable_novajoin = true
    Copy to Clipboard Toggle word wrap

  2. You need set a One-Time Password (OTP) to register the undercloud node with IdM: 

    ipa_otp = <otp>
    Copy to Clipboard Toggle word wrap

  3. Ensure the overcloud’s domain name served by neutron’s DHCP server matches the IdM domain (your kerberos realm in lowercase): 

    overcloud_domain_name = <domain>
    Copy to Clipboard Toggle word wrap

  4. Set the appropriate hostname for the undercloud: 

    undercloud_hostname = <undercloud FQDN>
    Copy to Clipboard Toggle word wrap

  5. Set IdM as the nameserver for the undercloud: 

    undercloud_nameservers = <IdM IP>
    Copy to Clipboard Toggle word wrap

  6. For larger environments, you will need to review the novajoin connection timeout values. In undercloud.conf, add a reference to a new file called undercloud-timeout.yaml: 

    hieradata_override = /home/stack/undercloud-timeout.yaml
    Copy to Clipboard Toggle word wrap

    Add the following options to undercloud-timeout.yaml. You can specify the timeout value in seconds, for example, 5: 

    nova::api::vendordata_dynamic_connect_timeout: <timeout value>
nova::api::vendordata_dynamic_read_timeout: <timeout value>
    Copy to Clipboard Toggle word wrap
  7. Save the undercloud.conf file.

  8. Run the undercloud deployment command to apply the changes to your existing undercloud: 

    $ openstack undercloud install
    Copy to Clipboard Toggle word wrap

15.3. Configure overcloud DNS
复制链接

For automatic detection of your IdM environment, and easier enrollment, consider using IdM as your DNS server:

  1. Connect to your undercloud: 

    $ source ~/stackrc
    Copy to Clipboard Toggle word wrap

  2. Configure the control plane subnet to use IdM as the DNS name server: 

    $ openstack subnet set ctlplane-subnet --dns-nameserver  <idm_server_address>
    Copy to Clipboard Toggle word wrap

  3. Set the DnsServers parameter in an environment file to use your IdM server: 

    parameter_defaults:
  DnsServers: ["<idm_server_address>"]
    Copy to Clipboard Toggle word wrap

    This parameter is usually defined in a custom network-environment.yaml file.

15.4. Configure overcloud to use novajoin
复制链接

  1. To enable IdM integration, create a copy of the /usr/share/openstack-tripleo-heat-templates/environments/predictable-placement/custom-domain.yaml environment file: 

    $ cp /usr/share/openstack-tripleo-heat-templates/environments/predictable-placement/custom-domain.yaml \
  /home/stack/templates/custom-domain.yaml
    Copy to Clipboard Toggle word wrap

  2. Edit the /home/stack/templates/custom-domain.yaml environment file and set the CloudDomain and CloudName* values to suit your deployment. For example: 

    parameter_defaults:
  CloudDomain: lab.local
  CloudName: overcloud.lab.local
  CloudNameInternal: overcloud.internalapi.lab.local
  CloudNameStorage: overcloud.storage.lab.local
  CloudNameStorageManagement: overcloud.storagemgmt.lab.local
  CloudNameCtlplane: overcloud.ctlplane.lab.local
    Copy to Clipboard Toggle word wrap

  3. Include the following environment files in the overcloud deployment process:

    • /usr/share/openstack-tripleo-heat-templates/environments/ssl/enable-internal-tls.yaml
    • /usr/share/openstack-tripleo-heat-templates/environments/ssl/tls-everywhere-endpoints-dns.yaml

    • /home/stack/templates/custom-domain.yaml

      For example: 

      openstack overcloud deploy \
  --templates \
   -e /usr/share/openstack-tripleo-heat-templates/environments/ssl/enable-internal-tls.yaml \
   -e /usr/share/openstack-tripleo-heat-templates/environments/ssl/tls-everywhere-endpoints-dns.yaml \
   -e /home/stack/templates/custom-domain.yaml \
      Copy to Clipboard Toggle word wrap

      As a result, the deployed overcloud nodes will be automatically enrolled with IdM.

  4. This only sets TLS for the internal endpoints. For the external endpoints you can use the normal means of adding TLS with the /usr/share/openstack-tripleo-heat-templates/environments/ssl/enable-tls.yaml environment file (which must be modified to add your custom certificate and key). Consequently, your openstack deploy command would be similar to this: 

    openstack overcloud deploy \
  --templates \
  -e /usr/share/openstack-tripleo-heat-templates/environments/ssl/enable-internal-tls.yaml \
  -e /usr/share/openstack-tripleo-heat-templates/environments/ssl/tls-everywhere-endpoints-dns.yaml \
  -e /home/stack/templates/custom-domain.yaml \
  -e /home/stack/templates/enable-tls.yaml
    Copy to Clipboard Toggle word wrap

  5. Alternatively, you can also use IdM to issue your public certificates. In that case, you need to use the /usr/share/openstack-tripleo-heat-templates/environments/services/haproxy-public-tls-certmonger.yaml environment file. For example: 

    openstack overcloud deploy \
  --templates \
   -e /usr/share/openstack-tripleo-heat-templates/environments/ssl/enable-internal-tls.yaml \
   -e /usr/share/openstack-tripleo-heat-templates/environments/ssl/tls-everywhere-endpoints-dns.yaml \
   -e /home/stack/templates/custom-domain.yaml \
   -e /usr/share/openstack-tripleo-heat-templates/environments/services/haproxy-public-tls-certmonger.yaml
    Copy to Clipboard Toggle word wrap
返回顶部
Red Hat logoGithubredditYoutubeTwitter

学习

尝试、购买和销售

社区

关于红帽文档

通过我们的产品和服务,以及可以信赖的内容,帮助红帽用户创新并实现他们的目标。 了解我们当前的更新.

让开源更具包容性

红帽致力于替换我们的代码、文档和 Web 属性中存在问题的语言。欲了解更多详情,请参阅红帽博客.

關於紅帽

我们提供强化的解决方案,使企业能够更轻松地跨平台和环境(从核心数据中心到网络边缘)工作。

Theme

© 2025 Red Hat