Install REST API and Horizon Certificate

About this task

For secure communications, HTTPS should be enabled for OpenStack REST API and Horizon endpoints by configuring a certificate for these endpoints.

Important

It is recommended to do this before applying stx-openstack. If you decide to configure the Rest API and Horizon certificates after the stx-openstack application is already applied, wait until all endpoints are automatically updated and fully configured.

To check if all endpoints have been updated and fully configured:

1. Run the following command to list the OpenStack endpoints:

   ~(keystone_admin)$ openstack endpoint list
   

2. Verify that the updated endpoints are showing the new domain name. Each service endpoint (e.g., Keystone, Glance, Nova) should reflect the domain specified in the endpoint_domain parameter.

3. Additionally, review the status of the Kubernetes pods to ensure that there are no pending pods.

   ~(keystone_admin)$ kubectl -n openstack get pods | grep -v Completed | grep -v Running
   

Prerequisites

• Update the Domain Name:

  The domain must be added to the service-parameter openstack. For details, see Update the Domain Name.

  ~(keystone_admin)$ system service-parameter-add openstack Helm endpoint_domain=west2.us.example.com
  
  +-------------+--------------------------------------+
  | Property    | Value                                |
  +-------------+--------------------------------------+
  | uuid        | 0459ede4-85e7-4767-aca9-d29e84f38bd4 |
  | service     | openstack                            |
  | section     | Helm                                 |
  | name        | endpoint_domain                      |
  | value       | west2.us.example.com                 |
  | personality | None                                 |
  | resource    | None                                 |
  +-------------+--------------------------------------+
  
  ~(keystone_admin)$ system service-parameter-apply openstack
  Applying openstack service parameters
  

• Obtain a certificate:

  Obtain an Intermediate or Root CA-signed certificate and key from a trusted Intermediate or Root CA. The OpenStack certificate should be created with a wildcard SAN.

  For example:

  X509v3 extensions:
  X509v3 Subject Alternative Name:
  DNS:*.west2.us.example.com
  

Procedure

1. Put the PEM encoded versions of the OpenStack certificate, key, and Root CA certificate into separate files (e.g. openstack-cert.crt, openstack-cert.key and openstak-ca-cert.crt), and copy the files to the controller host. (e.g. /var/opt/openstack/certs/openstack-cert.crt, /var/opt/openstack/certs/openstack-cert.key, and /var/opt/openstack/certs/openstack-ca-cert.crt)

2. Create a Helm overrides file to define the paths to the certificate, key, and Root CA certificate.

   cat << EOF > openstack-cert-overrides.yaml
   openstackcertificateFile: /var/opt/openstack/certs/openstack-cert.crt
   openstackcertificateKeyFile: /var/opt/openstack/certs/openstack-cert.key
   openstackcertificateCAFile: /var/opt/openstack/certs/openstack-ca-cert.crt
   EOF
   
   ~(keystone_admin)$ system helm-override-update stx-openstack clients openstack --reuse-values --values openstack-cert-overrides.yaml

3. Apply the updated Helm overrides to the OpenStack application.

   ~(keystone_admin)$ system application-apply stx-openstack

Note

Ensure that port 443 is open in StarlingX firewall. For details see Security Firewall Options.