Chapter 7. Enabling SSL/TLS on overcloud public endpoints
By default, the overcloud uses unencrypted endpoints for the overcloud services. To enable SSL/TLS in your overcloud, Red Hat recommends that you use a certificate authority (CA) solution.
When you use a CA solution, you have production ready solutions such as a certificate renewals, certificate revocation lists (CRLs), and industry accepted cryptography. For information on using Red Hat Identity Manager (IdM) as a CA, see Implementing TLS-e with Ansible.
You can use the following manual process to enable SSL/TLS for Public API endpoints only, the Internal and Admin APIs remain unencrypted. You must also manually update SSL/TLS certificates if you do not use a CA. For more information, see Manually updating SSL/TLS certificates.
Prerequisites
- Network isolation to define the endpoints for the Public API.
-
The
openssl-perl
package is installed. - You have an SSL/TLS certificate. For more information see Configuring custom SSL/TLS certificates.
7.1. Enabling SSL/TLS
To enable SSL/TLS in your overcloud, you must create an environment file that contains parameters for your SSL/TLS certiciates and private key.
Procedure
Copy the
enable-tls.yaml
environment file from the heat template collection:$ cp -r /usr/share/openstack-tripleo-heat-templates/environments/ssl/enable-tls.yaml ~/templates/.
Edit this file and make the following changes for these parameters:
- SSLCertificate
Copy the contents of the certificate file (
server.crt.pem
) into theSSLCertificate
parameter:parameter_defaults: SSLCertificate: | -----BEGIN CERTIFICATE----- MIIDgzCCAmugAwIBAgIJAKk46qw6ncJaMA0GCSqGS ... sFW3S2roS4X0Af/kSSD8mlBBTFTCMBAj6rtLBKLaQ -----END CERTIFICATE-----
ImportantThe certificate contents require the same indentation level for all new lines.
- SSLIntermediateCertificate
If you have an intermediate certificate, copy the contents of the intermediate certificate into the
SSLIntermediateCertificate
parameter:parameter_defaults: SSLIntermediateCertificate: | -----BEGIN CERTIFICATE----- sFW3S2roS4X0Af/kSSD8mlBBTFTCMBAj6rtLBKLaQbIxEpIzrgvpBCwUAMFgxCzAJB ... MIIDgzCCAmugAwIBAgIJAKk46qw6ncJaMA0GCSqGSIb3DQE -----END CERTIFICATE-----
ImportantThe certificate contents require the same indentation level for all new lines.
- SSLKey
Copy the contents of the private key (
server.key.pem
) into theSSLKey
parameter:parameter_defaults: ... SSLKey: | -----BEGIN RSA PRIVATE KEY----- MIIEowIBAAKCAQEAqVw8lnQ9RbeI1EdLN5PJP0lVO ... ctlKn3rAAdyumi4JDjESAXHIKFjJNOLrBmpQyES4X -----END RSA PRIVATE KEY-----
ImportantThe private key contents require the same indentation level for all new lines.
7.2. Injecting a root certificate
If the certificate signer is not in the default trust store on the overcloud image, you must inject the certificate authority into the overcloud image.
Procedure
Copy the
inject-trust-anchor-hiera.yaml
environment file from the heat template collection:$ cp -r /usr/share/openstack-tripleo-heat-templates/environments/ssl/inject-trust-anchor-hiera.yaml ~/templates/.
Edit this file and make the following changes for these parameters:
- CAMap
Lists each certificate authority content (CA) to inject into the overcloud. The overcloud requires the CA files used to sign the certificates for both the undercloud and the overcloud. Copy the contents of the root certificate authority file (
ca.crt.pem
) into an entry. For example, yourCAMap
parameter might look like the following:parameter_defaults: CAMap: ... undercloud-ca: content: | -----BEGIN CERTIFICATE----- MIIDlTCCAn2gAwIBAgIJAOnPtx2hHEhrMA0GCS BAYTAlVTMQswCQYDVQQIDAJOQzEQMA4GA1UEBw UmVkIEhhdDELMAkGA1UECwwCUUUxFDASBgNVBA -----END CERTIFICATE----- overcloud-ca: content: | -----BEGIN CERTIFICATE----- MIIDBzCCAe+gAwIBAgIJAIc75A7FD++DMA0GCS BAMMD3d3dy5leGFtcGxlLmNvbTAeFw0xOTAxMz Um54yGCARyp3LpkxvyfMXX1DokpS1uKi7s6CkF -----END CERTIFICATE-----
ImportantThe certificate authority contents require the same indentation level for all new lines.
You can also inject additional CAs with the CAMap
parameter.
7.3. Configuring DNS endpoints
If you use a DNS hostname to access the overcloud through SSL/TLS, copy the /usr/share/openstack-tripleo-heat-templates/environments/predictable-placement/custom-domain.yaml
file into the /home/stack/templates
directory.
It is not possible to redeploy with a TLS-everywhere architecture if this environment file is not included in the initial deployment.
Configure the host and domain names for all fields, adding parameters for custom networks if needed:
- CloudDomain
- the DNS domain for hosts.
- CloudName
- The DNS hostname of the overcloud endpoints.
- CloudNameCtlplane
- The DNS name of the provisioning network endpoint.
- CloudNameInternal
- The DNS name of the Internal API endpoint.
- CloudNameStorage
- The DNS name of the storage endpoint.
- CloudNameStorageManagement
- The DNS name of the storage management endpoint.
Procedure
Use one of the following parameters to add the DNS servers to use:
-
DEFAULT/undercloud_nameservers
-
%SUBNET_SECTION%/dns_nameservers
-
7.4. Adding environment files during overcloud creation
Use the -e
option with the deployment command openstack overcloud deploy
to include environment files in the deployment process. Add the environment files from this section in the following order:
-
The environment file to enable SSL/TLS (
enable-tls.yaml
) -
The environment file to set the DNS hostname (
custom-domain.yaml
) -
The environment file to inject the root certificate authority (
inject-trust-anchor-hiera.yaml
) The environment file to set the public endpoint mapping:
-
If you use a DNS name for accessing the public endpoints, use
/usr/share/openstack-tripleo-heat-templates/environments/ssl/tls-endpoints-public-dns.yaml
-
If you use a IP address for accessing the public endpoints, use
/usr/share/openstack-tripleo-heat-templates/environments/ssl/tls-endpoints-public-ip.yaml
-
If you use a DNS name for accessing the public endpoints, use
Procedure
- Use the following deployment command snippet as an example of how to include your SSL/TLS environment files:
$ openstack overcloud deploy --templates \ [...] -e /home/stack/templates/enable-tls.yaml \ -e ~/templates/custom-domain.yaml \ -e ~/templates/inject-trust-anchor-hiera.yaml \ -e /usr/share/openstack-tripleo-heat-templates/environments/ssl/tls-endpoints-public-dns.yaml
7.5. Manually Updating SSL/TLS Certificates
Complete the following steps if you are using your own SSL/TLS certificates that are not auto-generated from the TLS everywhere (TLS-e) process.
Procedure
Edit your heat templates with the following content:
-
Edit the
enable-tls.yaml
file and update theSSLCertificate
,SSLKey
, andSSLIntermediateCertificate
parameters. -
If your certificate authority has changed, edit the
inject-trust-anchor-hiera.yaml
file and update theCAMap
parameter.
-
Edit the
Rerun the deployment command:
$ openstack overcloud deploy --templates \ [...] -e /home/stack/templates/enable-tls.yaml \ -e ~/templates/custom-domain.yaml \ -e ~/templates/inject-trust-anchor-hiera.yaml \ -e /usr/share/openstack-tripleo-heat-templates/environments/ssl/tls-endpoints-public-dns.yaml
On the director, run the following command for each Controller:
ssh tripleo-admin@<controller> sudo podman \ restart $(podman ps --format="{{.Names}}" | grep -w -E 'haproxy(-bundle-.*-[0-9]+)?')