docs/doc/source/security/openstack/install-rest-api-and-horizon-certificate.rst
Ron Stone 33e312acc2 Fix DS link
Unresolvable refs fail when conditionalized out via .. only::
This change replaces inline condition with privately scoped
substitution.

Change-Id: Id33bbdc98381e123f2cf4bf31a6007760cb235ab
Signed-off-by: Ron Stone <ronald.stone@windriver.com>
2024-10-30 16:23:14 +00:00

Install REST API and Horizon Certificate

For secure communications, HTTPS should be enabled for OpenStack REST API and Horizon endpoints by configuring a certificate for these endpoints.

Important

It is recommended to do this before applying -openstack. If you decide to configure the REST API and Horizon certificates after the -openstack application is already applied, wait until all endpoints have been automatically updated and fully configured.

To check if all endpoints have been updated and fully configured:

  1. Run the following command to list the OpenStack endpoints:

    ~(keystone_admin)$ openstack endpoint list

  2. Verify that the updated endpoints show the new domain name. Each service endpoint (e.g., Keystone, Glance, Nova) should reflect the domain specified in the endpoint_domain parameter.

  3. Additionally, review the status of the Kubernetes pods to ensure that there are no pending pods:

    ~(keystone_admin)$ kubectl -n openstack get pods | grep -v Completed | grep -v Running

  • Update the Domain Name:

    The domain must be added to the service-parameter openstack. For details, see Update the Domain Name.

    ~(keystone_admin)$ system service-parameter-add openstack Helm endpoint_domain=west2.us.example.com

    +-------------+--------------------------------------+
    | Property    | Value                                |
    +-------------+--------------------------------------+
    | uuid        | 0459ede4-85e7-4767-aca9-d29e84f38bd4 |
    | service     | openstack                            |
    | section     | Helm                                 |
    | name        | endpoint_domain                      |
    | value       | west2.us.example.com                 |
    | personality | None                                 |
    | resource    | None                                 |
    +-------------+--------------------------------------+

    ~(keystone_admin)$ system service-parameter-apply openstack
    Applying openstack service parameters

  • Obtain a certificate:

    Obtain an Intermediate or Root CA-signed certificate and key from a trusted Intermediate or Root CA. The OpenStack certificate should be created with a wildcard SAN, so that a single certificate covers every per-service endpoint under the configured domain.

    For example:

    X509v3 extensions:
    X509v3 Subject Alternative Name:
    DNS:*.west2.us.example.com
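Before handing the files to either of the methods below, it is worth confirming that they meet the requirements just described: the certificate chains to the CA file, the private key belongs to the certificate, and the SAN carries the wildcard for the configured endpoint_domain. The following script is an added example and is not part of the StarlingX documentation or product; the function names, file names and the locally constructed demo CA are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example, not part of the StarlingX docs: pre-flight checks on the
# certificate, key and CA files before they are given to the install commands.
# The DOMAIN argument is the value configured as endpoint_domain.

# check_openstack_cert CERT KEY CA DOMAIN  -> returns 0 when all checks pass
check_openstack_cert() {
  cert=$1; key=$2; ca=$3; domain=$4
  # 1. The certificate must chain to the supplied Root/Intermediate CA file.
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
    || { echo "FAIL: $cert does not verify against $ca"; return 1; }
  # 2. The private key must belong to the certificate (identical public key).
  cpub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
  kpub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
  [ -n "$cpub" ] && [ "$cpub" = "$kpub" ] \
    || { echo "FAIL: $key does not match $cert"; return 1; }
  # 3. The SAN must carry the wildcard for the endpoint domain, so that every
  #    per-service endpoint under that domain is covered by the one certificate.
  openssl x509 -in "$cert" -noout -text 2>/dev/null | grep -Fq "DNS:*.$domain" \
    || { echo "FAIL: no DNS:*.$domain entry in subjectAltName"; return 1; }
  echo "OK: $cert chains to $ca, matches $key, covers *.$domain"
}

# make_demo_certs DIR DOMAIN: constructed throwaway CA and wildcard leaf for the
# demo run only; in practice the files come from your Intermediate/Root CA.
make_demo_certs() {
  dir=$1; domain=$2
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null || return 1
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=*.$domain" \
    -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null || return 1
  printf 'subjectAltName=DNS:*.%s\n' "$domain" > "$dir/san.cnf"
  openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 1 -extfile "$dir/san.cnf" -out "$dir/leaf.crt" 2>/dev/null
}

# Demo run against constructed material in a temporary directory.
demo=$(mktemp -d)
make_demo_certs "$demo" west2.us.example.com
check_openstack_cert "$demo/leaf.crt" "$demo/leaf.key" "$demo/ca.crt" west2.us.example.com
```

For real material, call check_openstack_cert with the certificate, key and CA files you intend to install and the domain you set in endpoint_domain; a non-zero exit means the install should not proceed.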

Method 1 (Deprecation warning)

Warning

The following commands for installing the -openstack REST API and Horizon certificate will be removed in future releases. Refer to Method 2 for the recommended approach.

  1. Put the PEM-encoded versions of the OpenStack certificate and key in a single file (e.g. openstack-cert-key.pem), put the certificate of the Root CA in a separate file (e.g. openstack-ca-cert.pem), and then copy the files to the controller host.

  2. Install the certificate as the OpenStack REST API / Horizon certificate.

    This will automatically update the required OpenStack Helm charts.

    ~(keystone_admin)$ system ca-certificate-install openstack-ca-cert.pem
    ~(keystone_admin)$ system os-certificate-install -m server openstack-cert-key.pem
    ~(keystone_admin)$ system os-certificate-install -m ca openstack-ca-cert.pem

  3. Apply the Helm chart overrides containing the certificate changes.

    ~(keystone_admin)$ system application-apply -openstack

Method 2 (Recommended)

  1. Put the PEM-encoded versions of the OpenStack certificate, key, and Root CA certificate into separate files (e.g. openstack-cert.crt, openstack-cert.key and openstack-ca-cert.crt), and copy the files to the controller host (e.g. to /var/opt/openstack/certs/openstack-cert.crt, /var/opt/openstack/certs/openstack-cert.key, and /var/opt/openstack/certs/openstack-ca-cert.crt).

  2. Create a Helm overrides file that defines the paths to the certificate, key, and Root CA certificate, then load it as an override for the clients chart.

    cat << EOF > openstack-cert-overrides.yaml
    openstackcertificateFile: /var/opt/openstack/certs/openstack-cert.crt
    openstackcertificateKeyFile: /var/opt/openstack/certs/openstack-cert.key
    openstackcertificateCAFile: /var/opt/openstack/certs/openstack-ca-cert.crt
    EOF

    ~(keystone_admin)$ system helm-override-update -openstack clients openstack --reuse-values --values openstack-cert-overrides.yaml

  3. Apply the updated Helm overrides to the OpenStack application.

    ~(keystone_admin)$ system application-apply -openstack

Note

For both methods, ensure that port 443 is open in the firewall, otherwise the HTTPS endpoints will not be reachable. For details see .