starlingx/docs
Code Issues Proposed changes
docs/doc/source/security/openstack/install-rest-api-and-horizon-certificate.rst
Ngairangbam Mili d4f19b1fa8 WRO - Update Install REST API and Horizon Certificate with 2 methods (dsr10, dsr11, r10) 
Change-Id: I99901c32fc4e319bf62a7f11fc4774c964f54736
Signed-off-by: Ngairangbam Mili <ngairangbam.mili@windriver.com>
2025-03-28 13:54:55 +00:00

108 lines
4.1 KiB
ReStructuredText
Raw Blame History

.. include:: /_stx-related-links/install-rest-api-and-horizon-certificate.rln
.. RL strings
.. include:: /_vendor/rl-strings.txt
.. pmb1590001656644
.. _install-rest-api-and-horizon-certificate:
========================================
Install REST API and Horizon Certificate
========================================
.. rubric:: |context|
For secure communications, HTTPS should be enabled for OpenStack REST API and
Horizon endpoints by configuring a certificate for these endpoints.
.. important::
It is recommended to do this before applying |prefix|-openstack. If you decide to configure the
Rest API and Horizon certificates after the |prefix|-openstack application is already applied,
wait until all endpoints are automatically updated and fully configured.
To check if all endpoints have been updated and fully configured:
#. Run the following command to list the OpenStack endpoints:
.. code-block:: none
~(keystone_admin)$ openstack endpoint list
#. Verify that the updated endpoints are showing the new domain name. Each service endpoint
(e.g., Keystone, Glance, Nova) should reflect the domain specified in the ``endpoint_domain`` parameter.
#. Additionally, review the status of the Kubernetes pods to ensure that there are no pending pods.
.. code-block:: none
~(keystone_admin)$ kubectl -n openstack get pods | grep -v Completed | grep -v Running
.. rubric:: |prereq|
- Update the Domain Name:
The domain must be added to the service-parameter openstack. For details, see
:ref:`Update the Domain Name <update-the-domain-name>`.
.. code-block:: none
~(keystone_admin)$ system service-parameter-add openstack Helm endpoint_domain=west2.us.example.com
+-------------+--------------------------------------+
| Property | Value |
+-------------+--------------------------------------+
| uuid | 0459ede4-85e7-4767-aca9-d29e84f38bd4 |
| service | openstack |
| section | Helm |
| name | endpoint_domain |
| value | west2.us.example.com |
| personality | None |
| resource | None |
+-------------+--------------------------------------+
~(keystone_admin)$ system service-parameter-apply openstack
Applying openstack service parameters
- Obtain a certificate:
Obtain an Intermediate or Root |CA|-signed certificate and key from a trusted Intermediate or Root |CA|.
The OpenStack certificate should be created with a wildcard |SAN|.
For example:
.. code-block:: none
X509v3 extensions:
X509v3 Subject Alternative Name:
DNS:*.west2.us.example.com
.. rubric:: |proc|
#. Put the |PEM| encoded versions of the OpenStack certificate, key, and Root |CA|
certificate into separate files (e.g. ``openstack-cert.crt``, ``openstack-cert.key``
and ``openstak-ca-cert.crt``), and copy the files to the controller host. (e.g.
/var/opt/openstack/certs/openstack-cert.crt, /var/opt/openstack/certs/openstack-cert.key,
and /var/opt/openstack/certs/openstack-ca-cert.crt)
#. Create a Helm overrides file to define the paths to the certificate, key, and Root
|CA| certificate.
.. parsed-literal::
cat << EOF > openstack-cert-overrides.yaml
openstackcertificateFile: /var/opt/openstack/certs/openstack-cert.crt
openstackcertificateKeyFile: /var/opt/openstack/certs/openstack-cert.key
openstackcertificateCAFile: /var/opt/openstack/certs/openstack-ca-cert.crt
EOF
~(keystone_admin)$ system helm-override-update |prefix|-openstack clients openstack --reuse-values --values openstack-cert-overrides.yaml
#. Apply the updated Helm overrides to the OpenStack application.
.. parsed-literal::
~(keystone_admin)$ system application-apply |prefix|-openstack
.. note::
Ensure that port 443 is open in |prod| firewall. For details see |_security-firewall-options|.
View Git Blame Copy Permalink