Merge "Added prereq for Install REST API/Horizon Certificate. (r5, r6)"

Zuul 2022-04-14 17:10:39 +00:00 committed by Gerrit Code Review
commit d365a4e02b

@ -8,35 +8,65 @@ Install REST API and Horizon Certificate
.. rubric:: |context|
This certificate must be valid for the domain configured for OpenStack, see the
sections on :ref:`Accessing the System <access-using-the-default-set-up>`.
For secure communications, HTTPS should be enabled for OpenStack REST API and
Horizon endpoints by configuring a certificate for these endpoints.
.. rubric:: |prereq|
Obtain an Intermediate or Root CA-signed certificate and key from a trusted
Intermediate or Root CA. The OpenStack certificate should be created with a
wildcard SAN, for example:
- Obtain an Intermediate or Root |CA|-signed certificate and key from a trusted
Intermediate or Root |CA|. The OpenStack certificate should be created with a
wildcard SAN.
.. code-block:: none
For example:
X509v3 extensions:
X509v3 Subject Alternative Name:
DNS:*.west2.us.example.com
.. code-block:: none
X509v3 extensions:
X509v3 Subject Alternative Name:
DNS:*.west2.us.example.com
- To install an openstack certificate, the domain has to be added to the
service-parameter openstack as prerequisite, for details see
:ref:`Update the Domain Name <update-the-domain-name>`.
.. code-block:: none
~(keystone_admin)$ system service-parameter-add openstack Helm endpoint_domain=west2.us.example.com
+-------------+--------------------------------------+
| Property | Value |
+-------------+--------------------------------------+
| uuid | 0459ede4-85e7-4767-aca9-d29e84f38bd4 |
| service | openstack |
| section | Helm |
| name | endpoint_domain |
| value | west2.us.example.com |
| personality | None |
| resource | None |
+-------------+--------------------------------------+
~(keystone_admin)$ system service-parameter-apply openstack
Applying openstack service parameters
- HTTPS must be enabled for |prod|, see :ref:`Configure REST API Applications
and Web Administration Server Certificate
<configure-rest-api-applications-and-web-administration-server-certificates-after-installation-6816457ab95f>`.
.. rubric:: |proc|
#. Put the |PEM| encoded versions of the OpenStack certificate and key in a
single file (e.g. **openstack-cert-key.pem**), and put the certificate of
the Root CA in a separate file (e.g. **openstack-ca-cert.pem**), and copy
the files to the controller host.
single file (e.g. ``openstack-cert-key.pem``), and put the certificate of
the Root |CA| in a separate file (e.g. ``openstack-ca-cert.pem``), then
copy the files to the controller host.
#. Install the certificate as the OpenStack REST API / Horizon Certificate.
This will automatically update the required openstack Helm charts.
.. code-block:: none
~(keystone_admin)]$ system certificate-install -m ssl_ca openstack-ca-cert.pem
~(keystone_admin)]$ system certificate-install -m openstack_ca openstack-ca-cert.pem
~(keystone_admin)$ system certificate-install -m ssl_ca openstack-ca-cert.pem
~(keystone_admin)$ system certificate-install -m openstack_ca openstack-ca-cert.pem
~(keystone_admin)$ system certificate-install -m openstack openstack-cert-key.pem
#. Apply the Helm chart overrides containing the certificate changes.
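Review bot: Step 1 of the procedure puts the private key in ``openstack-cert-key.pem`` and copies it to the controller host, but neither that step nor the install step says how the file should be protected in transit and at rest, or that it should be removed once ``system certificate-install -m openstack`` has succeeded. Suggest adding a sentence on restricting the file to its owner and deleting it from the controller after installation. In the prerequisites, it would also help to state outright that the wildcard SAN has to cover the ``endpoint_domain`` value: the example pairs ``DNS:*.west2.us.example.com`` with ``endpoint_domain=west2.us.example.com`` but leaves the relationship implicit. Minor style point: ``SAN`` is plain text while ``|CA|`` and ``|PEM|`` use substitutions; if a matching substitution exists, use it for consistency.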
@ -45,3 +75,5 @@ wildcard SAN, for example:
~(keystone_admin)$ system application-apply |prefix|-openstack
#. Ensure port 443 is open in |prod| firewall. For details see :ref:`Modify
Firewall Options <security-firewall-options>`.
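Review bot: The added step "Ensure port 443 is open in |prod| firewall" is missing an article ("in the |prod| firewall") and, as the last numbered step after ``system application-apply``, gives the reader nothing to confirm the outcome against. Suggest saying what should be reachable over HTTPS once the port is open, or moving the firewall requirement into the prerequisites list so the procedure ends on the apply step. It is also worth stating that only the port needed for the REST API and Horizon endpoints should be opened, so readers do not widen the firewall rule more than this procedure requires.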