Chapter 11. TLS-e for DCN
The content for this feature is available in this release as a Documentation Preview, and therefore is not fully verified by Red Hat. Use it only for testing, and do not use in a production environment.
You can enable TLS (transport layer security) on clouds designed for distributed compute node infrastructure. You have the option of either enabling TLS for public access only, or enabling TLS on every network with TLS-e, which allows for encryption on all internal and external dataflows.
You cannot enable public access on edge stacks as edge sites do not have public endpoints. For more information on TLS for public access, see Enabling SSL/TLS on Overcloud Public Endpoints.
11.1. Deploying distributed compute node architecture with TLS-e
Prerequisites
When you configure TLS-e on Red Hat OpenStack Platform (RHOSP) distributed compute node architecture with Red Hat Identity Manager (IdM), take the following actions based on the version of Red Hat Enterprise Linux deployed for Red Hat Identity Manager.
- Red Hat Enterprise Linux 8.4
- On the Red Hat Identity Management node, add the trusted subnets to an ACL in the ipa-ext.conf file:
  acl "trusted_network" { localnets; localhost; 192.168.24.0/24; 192.168.25.0/24; };
  In the /etc/named/ipa-options-ext.conf file, allow recursion and query cache for that ACL:
  allow-recursion { trusted_network; };
  allow-query-cache { trusted_network; };
  Restart the named-pkcs11 service:
  systemctl restart named-pkcs11
- Red Hat Enterprise Linux 8.2
- If you have Red Hat Identity Manager (IdM) on Red Hat Enterprise Linux (RHEL) 8.2, you must upgrade Red Hat Enterprise Linux and then follow the directions for RHEL 8.4
- Red Hat Enterprise Linux 7.x
- If you have Red Hat Identity Manager (IdM) on Red Hat Enterprise Linux (RHEL) 7.x, you must add an access control instruction (ACI) for your domain name manually. For example, if the domain name is redhat.local, run the following commands on Red Hat Identity Manager to configure the ACI:
  ADMIN_PASSWORD=redhat_01
  DOMAIN_LEVEL_1=local
  DOMAIN_LEVEL_2=redhat

  cat << EOF | ldapmodify -x -D "cn=Directory Manager" -w ${ADMIN_PASSWORD}
  dn: cn=dns,dc=${DOMAIN_LEVEL_2},dc=${DOMAIN_LEVEL_1}
  changetype: modify
  add: aci
  aci: (targetattr = "aaaarecord || arecord || cnamerecord || idnsname || objectclass || ptrrecord")(targetfilter = "(&(objectclass=idnsrecord)(|(aaaarecord=)(arecord=)(cnamerecord=)(ptrrecord=)(idnsZoneActive=TRUE)))")(version 3.0; acl "Allow hosts to read DNS A/AAA/CNAME/PTR records"; allow (read,search,compare) userdn = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=${DOMAIN_LEVEL_2},dc=${DOMAIN_LEVEL_1}";)
  EOF
Procedure
For distributed compute node (DCN) architectures, it is required to use the ansible-based tripleo-ipa method of implementing TLS-e as opposed to the previous novajoin method. For more information on deploying TLS-e with tripleo-ipa, see Implementing TLS-e with Ansible.
To deploy TLS-e with tripleo-ipa for DCN architectures, you must also complete the following steps:
If you are deploying storage at the edge, include the following parameters in your modified tripleo heat templates for edge stacks:
TEMPLATES=/usr/share/openstack-tripleo-heat-templates

resource_registry:
  OS::TripleO::Services::IpaClient: ${TEMPLATES}/deployment/ipa/ipaservices-baremetal-ansible.yaml
Due to differences in design between the central and edge locations, do not include the following files in edge stacks:
- tls-everywhere-endpoints-dns.yaml
- This file is ignored at edge sites; the endpoints that it sets are overridden by the endpoints exported from the central stack.
- haproxy-public-tls-certmonger.yaml
- This file causes a failed deployment as there are no public endpoints at the edge.
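As an added example (not part of the Red Hat documentation), a small Python preflight check for the ordered list of environment files passed to an edge stack deployment: it flags the two files above and, when storage is deployed at the edge, confirms that OS::TripleO::Services::IpaClient resolves to the ansible-based ipaservices-baremetal-ansible.yaml after later environment files override earlier ones. The environment file names in the demo are constructed.

```python
"""Preflight check for a DCN edge stack's TripleO environment files (constructed example)."""
import os
import re
import tempfile

# Environment files that must not be part of an edge stack (see the list above).
FORBIDDEN_AT_EDGE = ("tls-everywhere-endpoints-dns.yaml", "haproxy-public-tls-certmonger.yaml")
# The ansible-based tripleo-ipa client template expected when storage is at the edge.
IPA_CLIENT_TEMPLATE = "deployment/ipa/ipaservices-baremetal-ansible.yaml"
IPA_CLIENT_KEY = "OS::TripleO::Services::IpaClient"
# Matches a resource_registry line such as "  OS::TripleO::Services::IpaClient: /path/file.yaml".
_MAPPING = re.compile(r"^\s*" + re.escape(IPA_CLIENT_KEY) + r"\s*:\s*(\S+)\s*$")

def ipa_client_mapping(env_files):
    """Return the effective IpaClient mapping; later -e files override earlier ones."""
    effective = None
    for path in env_files:
        with open(path, encoding="utf-8") as fh:
            for line in fh:
                match = _MAPPING.match(line)
                if match:
                    effective = match.group(1)
    return effective

def preflight_edge_stack(env_files, storage_at_edge):
    """Return a list of problems found in an edge stack's ordered environment files."""
    problems = []
    for path in env_files:
        if os.path.basename(path) in FORBIDDEN_AT_EDGE:
            problems.append(f"{path}: must not be included in an edge stack")
    if storage_at_edge:
        mapping = ipa_client_mapping(env_files)
        if mapping is None or not mapping.endswith(IPA_CLIENT_TEMPLATE):
            problems.append(f"{IPA_CLIENT_KEY} is not mapped to {IPA_CLIENT_TEMPLATE}")
    return problems

def demo():
    """Build a constructed edge environment in a temp dir and run the check three ways."""
    with tempfile.TemporaryDirectory() as workdir:
        good = os.path.join(workdir, "dcn1-tls-e.yaml")  # constructed file name
        with open(good, "w", encoding="utf-8") as fh:
            fh.write("resource_registry:\n"
                     f"  {IPA_CLIENT_KEY}: /usr/share/openstack-tripleo-heat-templates/{IPA_CLIENT_TEMPLATE}\n")
        bad = os.path.join(workdir, "haproxy-public-tls-certmonger.yaml")
        open(bad, "w", encoding="utf-8").close()  # empty file; only its name matters here
        return (preflight_edge_stack([good], True),
                preflight_edge_stack([good, bad], True),
                preflight_edge_stack([], True))
```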