Chapter 12. Enabling SSL/TLS on Internal and Public Endpoints with Identity Management

You can enable SSL/TLS on all overcloud endpoints. Due to the number of certificate required, the director integrates with a Red Hat Identity Management (IdM) server to act as a certificate authority and manage the overcloud certificates. This process involves using novajoin to enroll overcloud nodes to the IdM server.

12.1. Add the undercloud to the CA

Before deploying the overcloud, you must add the undercloud to the Certificate Authority (CA):

  1. On the undercloud node, install the python-novajoin package: 

    $ sudo yum install python-novajoin

  2. On the undercloud node, run the novajoin-ipa-setup script, adjusting the values to suit your deployment: 

    $ sudo /usr/libexec/novajoin-ipa-setup \
    --principal admin \
    --password <IdM admin password> \
    --server <IdM server hostname> \
    --realm <overcloud cloud domain (in upper case)> \
    --domain <overcloud cloud domain> \
    --hostname <undercloud hostname> \
    --precreate

    In the following section, you will use the resulting One-Time Password (OTP) to enroll the undercloud.

12.2. Add the undercloud to IdM

This procedure registers the undercloud with IdM and configures novajoin.

  1. The novajoin service is disabled by default. To enable it, add an entry to undercloud.conf: 

    enable_novajoin = true

  2. You need set a One-Time Password (OTP) to register the undercloud node with IdM: 

    ipa_otp = <otp>

  3. Ensure the overcloud’s domain name served by neutron’s DHCP server matches the IdM domain (your kerberos realm in lowercase): 

    overcloud_domain_name = <domain>

  4. Set the appropriate hostname for the undercloud: 

    undercloud_hostname = <undercloud FQDN>

  5. Set IdM as the nameserver for the undercloud: 

    undercloud_nameservers = <IdM IP>

  6. For larger environments, you will need to review the novajoin connection timeout values. In undercloud.conf, add a reference to a new file called undercloud-timeout.yaml: 

    hieradata_override = /home/stack/undercloud-timeout.yaml

    Add the following options to undercloud-timeout.yaml. You can specify the timeout value in seconds, for example, 5: 

    nova::api::vendordata_dynamic_connect_timeout: <timeout value>
nova::api::vendordata_dynamic_read_timeout: <timeout value>
  7. Save the undercloud.conf file.

  8. Run the undercloud deployment command to apply the changes to your existing undercloud: 

    $ openstack undercloud install

12.3. Configure overcloud DNS

For automatic detection of your IdM environment, and easier enrollment, consider using IdM as your DNS server:

  1. Connect to your undercloud: 

    $ source ~/stackrc

  2. Configure the control plane subnet to use IdM as the DNS name server: 

    $ openstack subnet set ctlplane-subnet --dns-nameserver  <idm_server_address>

  3. Set the DnsServers parameter in an environment file to use your IdM server: 

    parameter_defaults:
  DnsServers: ["<idm_server_address>"]

    This parameter is usually defined in a custom network-environment.yaml file.

12.4. Configure overcloud to use novajoin

  1. To enable IdM integration, create a copy of the /usr/share/openstack-tripleo-heat-templates/environments/predictable-placement/custom-domain.yaml environment file: 

    $ cp /usr/share/openstack-tripleo-heat-templates/environments/predictable-placement/custom-domain.yaml \
  /home/stack/templates/custom-domain.yaml

  2. Edit the /home/stack/templates/custom-domain.yaml environment file and set the CloudDomain and CloudName* values to suit your deployment. For example: 

    parameter_defaults:
  CloudDomain: lab.local
  CloudName: overcloud.lab.local
  CloudNameInternal: overcloud.internalapi.lab.local
  CloudNameStorage: overcloud.storage.lab.local
  CloudNameStorageManagement: overcloud.storagemgmt.lab.local
  CloudNameCtlplane: overcloud.ctlplane.lab.local

  3. Include the following environment files in the overcloud deployment process:

    • /usr/share/openstack-tripleo-heat-templates/environments/enable-internal-tls.yaml
    • /usr/share/openstack-tripleo-heat-templates/environments/tls-everywhere-endpoints-dns.yaml

    • /home/stack/templates/custom-domain.yaml

      For example: 

      openstack overcloud deploy \
  --templates \
   -e /usr/share/openstack-tripleo-heat-templates/environments/enable-internal-tls.yaml \
   -e /usr/share/openstack-tripleo-heat-templates/environments/tls-everywhere-endpoints-dns.yaml \
   -e /home/stack/templates/custom-domain.yaml \

      As a result, the deployed overcloud nodes will be automatically enrolled with IdM.

  4. This only sets TLS for the internal endpoints. For the external endpoints you can use the normal means of adding TLS with the ./tripleo-heat-templates/environments/enable-tls.yaml environment file (which must be modified to add your custom certificate and key). Consequently, your openstack deploy command would be similar to this: 

    openstack overcloud deploy \
  --templates \
  -e /usr/share/openstack-tripleo-heat-templates/environments/enable-internal-tls.yaml \
  -e /usr/share/openstack-tripleo-heat-templates/environments/tls-everywhere-endpoints-dns.yaml \
  -e /home/stack/templates/custom-domain.yaml \
  -e /home/stack/templates/enable-tls.yaml

  5. Alternatively, you can also use IdM to issue your public certificates. In that case, you need to use the ./tripleo-heat-templates/environments/services/haproxy-public-tls-certmonger.yaml environment file. For example: 

    openstack overcloud deploy \
  --templates \
   -e ./tripleo-heat-templates/environments/enable-internal-tls.yaml \
   -e /usr/share/openstack-tripleo-heat-templates/environments/tls-everywhere-endpoints-dns.yaml \
   -e /home/stack/templates/custom-domain.yaml \
   -e ./tripleo-heat-templates/environments/services/haproxy-public-tls-certmonger.yaml