Chapter 12. Deploying TLS for public endpoints using director Operator

Use director Operator (OSPdO) to deploy the overcloud with TLS enabled on its public endpoints, which can be addressed either by IP address or by DNS name.

Prerequisites

  • You have installed OSPdO on an operational Red Hat OpenShift Container Platform (RHOCP) cluster.
  • You have installed the oc command line tool on your workstation.
  • You have created the certificate authority, key, and certificate. For more information, see Enabling SSL/TLS on overcloud public endpoints.

12.1. TLS for public endpoint IP addresses

To use IP addresses for the public endpoints, add your CA certificates to the openstackclient pod so that the client trusts the certificates that the overcloud endpoints present: create a ConfigMap resource that stores the CA certificates, then reference that ConfigMap resource in the OpenStackControlPlane resource.

Procedure

  1. Create a ConfigMap resource to store the CA certificates:

    apiVersion: v1
    kind: ConfigMap
    metadata:
      name: cacerts
      namespace: openstack
    data:
      local_CA: |
        -----BEGIN CERTIFICATE-----
        …
        -----END CERTIFICATE-----
      another_CA: |
        -----BEGIN CERTIFICATE-----
        …
        -----END CERTIFICATE-----
    • Each key under data holds one PEM-encoded CA certificate. Indent every line of a certificate, including the END line, by the same amount under its | block scalar; a line indented less than the first line ends the scalar and the manifest fails to parse.
  2. Create the OpenStackControlPlane resource and reference the ConfigMap resource:

    apiVersion: osp-director.openstack.org/v1beta2
    kind: OpenStackControlPlane
    metadata:
      name: <overcloud>
      namespace: openstack
    spec:
      caConfigMap: cacerts
    • Replace <overcloud> with the name of your overcloud control plane.
  3. Create a file named tls-certs.yaml in the ~/custom_environment_files directory. In its parameter_defaults section, supply the generated certificates for the deployment by using the SSLCertificate, SSLIntermediateCertificate, SSLKey, and CAMap parameters. SSLKey is the private key of the public endpoint certificate, and step 4 stores every file in this directory in a ConfigMap, not a Secret: restrict read access to the ~/custom_environment_files directory and to the heat-env-config ConfigMap in the openstack namespace to the accounts that need it.
  4. Update the heatEnvConfigMap to add the tls-certs.yaml file:

    $ oc create configmap -n openstack heat-env-config --from-file=~/custom_environment_files/ --dry-run=client -o yaml | oc apply -f -
  5. Create an OpenStackConfigGenerator resource and add the required heatEnvs configuration files to configure TLS for public endpoint IPs:

    apiVersion: osp-director.openstack.org/v1beta1
    kind: OpenStackConfigGenerator
    …
    spec:
      …
      heatEnvs:
        - ssl/tls-endpoints-public-ip.yaml
        - ssl/enable-tls.yaml
      …
      heatEnvConfigMap: heat-env-config
      tarballConfigMap: tripleo-tarball-config
  6. Generate the Ansible playbooks by using OpenStackConfigGenerator and apply the overcloud configuration. For more information, see Configuring and deploying the overcloud with director Operator.

12.2. TLS for public endpoint DNS names

To use DNS names for the public endpoints, add your CA certificates to the openstackclient pod so that the client trusts the certificates that the overcloud endpoints present: create a ConfigMap resource that stores the CA certificates, then reference that ConfigMap resource in the OpenStackControlPlane resource.

Procedure

  1. Create a ConfigMap resource to store the CA certificates:

    apiVersion: v1
    kind: ConfigMap
    metadata:
      name: cacerts
      namespace: openstack
    data:
      local_CA: |
        -----BEGIN CERTIFICATE-----
        …
        -----END CERTIFICATE-----
      another_CA: |
        -----BEGIN CERTIFICATE-----
        …
        -----END CERTIFICATE-----
    • Each key under data holds one PEM-encoded CA certificate. Indent every line of a certificate, including the END line, by the same amount under its | block scalar; a line indented less than the first line ends the scalar and the manifest fails to parse.
  2. Create the OpenStackControlPlane resource and reference the ConfigMap resource:

    apiVersion: osp-director.openstack.org/v1beta2
    kind: OpenStackControlPlane
    metadata:
      name: <overcloud>
      namespace: openstack
    spec:
      caConfigMap: cacerts
    • Replace <overcloud> with the name of your overcloud control plane.
  3. Create a file named tls-certs.yaml in the ~/custom_environment_files directory. In its parameter_defaults section, supply the generated certificates for the deployment by using the SSLCertificate, SSLIntermediateCertificate, SSLKey, and CAMap parameters. SSLKey is the private key of the public endpoint certificate, and step 4 stores every file in this directory in a ConfigMap, not a Secret: restrict read access to the ~/custom_environment_files directory and to the heat-env-config ConfigMap in the openstack namespace to the accounts that need it.
  4. Update the heatEnvConfigMap to add the tls-certs.yaml file:

    $ oc create configmap -n openstack heat-env-config --from-file=~/custom_environment_files/ --dry-run=client -o yaml | oc apply -f -
  5. Create an OpenStackConfigGenerator resource and add the required heatEnvs configuration files to configure TLS for public endpoint DNS names:

    apiVersion: osp-director.openstack.org/v1beta1
    kind: OpenStackConfigGenerator
    …
    spec:
      …
      heatEnvs:
        - ssl/tls-endpoints-public-dns.yaml
        - ssl/enable-tls.yaml
      …
      heatEnvConfigMap: heat-env-config
      tarballConfigMap: tripleo-tarball-config
  6. Generate the Ansible playbooks by using OpenStackConfigGenerator and apply the overcloud configuration. For more information, see Configuring and deploying the overcloud with director Operator.
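The following POSIX shell script is an added example; it is not part of the director Operator documentation or the OSPdO project. It renders the cacerts ConfigMap from step 1 and the tls-certs.yaml heat environment file from step 3 of both procedures (sections 12.1 and 12.2) from PEM files on disk, so that the block-scalar indentation of each certificate body is generated rather than typed. The parameter_defaults layout and the CAMap form (one entry per CA with a content key) follow the ssl environment files shipped with tripleo-heat-templates. The file conventions (one PEM per file, ConfigMap and CAMap key taken from the file name without .pem) and the placeholder bodies written by make_sample_pems are assumptions for a dry run, not real certificates or keys.

```shell
#!/bin/sh
# Added example, not from the director Operator documentation: render the
# cacerts ConfigMap and the tls-certs.yaml heat environment file from PEM
# files on disk, so the block-scalar indentation is generated, not hand-typed.
# Assumed layout: one PEM per file; ConfigMap/CAMap key = file name minus .pem.
set -eu

# Print file $1 with every line prefixed by $2 spaces (a YAML block scalar
# body). Reads line by line so a PEM without a trailing newline still ends
# on its own line instead of running into the next YAML key.
indent() {
  pad=$(printf "%${2}s" '')
  while IFS= read -r line || [ -n "$line" ]; do
    printf '%s%s\n' "$pad" "$line"
  done < "$1"
}

# Fail fast on the usual mix-up: a key where a certificate is expected, or
# the reverse. $2 is CERTIFICATE or PRIVATE KEY (matches RSA/EC/PKCS#8 labels).
expect_pem() {
  grep -q -- "-----BEGIN .*$2-----" "$1" \
    || { echo "$1: no $2 PEM block found" >&2; return 1; }
}

# The ConfigMap referenced by spec.caConfigMap: one data key per CA file.
render_cacerts_configmap() {
  printf 'apiVersion: v1\nkind: ConfigMap\nmetadata:\n'
  printf '  name: cacerts\n  namespace: openstack\ndata:\n'
  for ca in "$@"; do
    expect_pem "$ca" CERTIFICATE || return 1
    printf '  %s: |\n' "$(basename "$ca" .pem)"
    indent "$ca" 4
  done
}

# tls-certs.yaml: the four parameters the procedure names, in the
# parameter_defaults form of a heat environment file.
# Args: cert key intermediate (file path or '' for none) ca...
render_tls_certs_env() {
  cert=$1; key=$2; inter=$3; shift 3
  expect_pem "$cert" CERTIFICATE || return 1
  expect_pem "$key" 'PRIVATE KEY' || return 1
  printf 'parameter_defaults:\n  SSLCertificate: |\n'
  indent "$cert" 4
  if [ -n "$inter" ] && [ -s "$inter" ]; then
    expect_pem "$inter" CERTIFICATE || return 1
    printf '  SSLIntermediateCertificate: |\n'
    indent "$inter" 4
  else
    printf "  SSLIntermediateCertificate: ''\n"
  fi
  printf '  SSLKey: |\n'
  indent "$key" 4
  printf '  CAMap:\n'
  for ca in "$@"; do
    expect_pem "$ca" CERTIFICATE || return 1
    printf '    %s:\n      content: |\n' "$(basename "$ca" .pem)"
    indent "$ca" 8
  done
}

# Constructed placeholder PEMs for a dry run in directory $1. The bodies are
# not real certificates or keys and will not load in any TLS library.
make_sample_pems() {
  dir=$1
  for n in server intermediate local_CA another_CA; do
    printf '%s\n' '-----BEGIN CERTIFICATE-----' "MIIBplaceholder${n}" \
      '-----END CERTIFICATE-----' > "$dir/$n.pem"
  done
  printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'MIIEplaceholderkey' \
    '-----END PRIVATE KEY-----' > "$dir/server.key"
}

# Usage (tls-certs.yaml carries the private key: write it under umask 077):
#   d=$(mktemp -d); make_sample_pems "$d"
#   render_cacerts_configmap "$d"/local_CA.pem "$d"/another_CA.pem | oc apply -f -
#   (umask 077; render_tls_certs_env "$d"/server.pem "$d"/server.key \
#     "$d"/intermediate.pem "$d"/local_CA.pem > ~/custom_environment_files/tls-certs.yaml)
```

The rendered file is the same for both procedures; what differs is the certificate itself. Before step 3, confirm that the subjectAltName of the public endpoint certificate carries the endpoint IP address (section 12.1) or DNS name (section 12.2), for example with openssl x509 -in server.pem -noout -ext subjectAltName. A certificate issued for the wrong name type deploys without error and fails at the first client connection.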