Install REST API and Horizon CertificateΒΆ
About this task
For secure communications, HTTPS should be enabled for OpenStack REST API and Horizon endpoints by configuring a certificate for these endpoints.
Important
It is recommended to do this before applying stx-openstack. If you decide to configure the Rest API and Horizon certificates after the stx-openstack application is already applied, wait until all endpoints are automatically updated and fully configured.
To check if all endpoints have been updated and fully configured:
Run the following command to list the OpenStack endpoints:
~(keystone_admin)$ openstack endpoint list
Verify that the updated endpoints are showing the new domain name. Each service endpoint (e.g., Keystone, Glance, Nova) should reflect the domain specified in the
endpoint_domainparameter.Additionally, review the status of the Kubernetes pods to ensure that there are no pending pods.
~(keystone_admin)$ kubectl -n openstack get pods | grep -v Completed | grep -v Running
Prerequisites
Update the Domain Name:
The domain must be added to the service-parameter openstack. For details, see Update the Domain Name.
~(keystone_admin)$ system service-parameter-add openstack Helm endpoint_domain=west2.us.example.com +-------------+--------------------------------------+ | Property | Value | +-------------+--------------------------------------+ | uuid | 0459ede4-85e7-4767-aca9-d29e84f38bd4 | | service | openstack | | section | Helm | | name | endpoint_domain | | value | west2.us.example.com | | personality | None | | resource | None | +-------------+--------------------------------------+ ~(keystone_admin)$ system service-parameter-apply openstack Applying openstack service parameters
Obtain a certificate:
Obtain an Intermediate or Root CA-signed certificate and key from a trusted Intermediate or Root CA. The OpenStack certificate should be created with a wildcard SAN.
For example:
X509v3 extensions: X509v3 Subject Alternative Name: DNS:*.west2.us.example.com
Procedure
Method 1 (Deprecation warning)
Warning
The following commands for installing the stx-openstack REST API and Horizon certificate will be removed in future releases. Refer to Method 2 for the recommended approach.
Put the PEM encoded versions of the OpenStack certificate and key in a single file (e.g.
openstack-cert-key.pem), and put the certificate of the Root CA in a separate file (e.g.openstack-ca-cert.pem), then copy the files to the controller host.Install the certificate as the OpenStack REST API / Horizon certificate.
This will automatically update the required OpenStack Helm charts.
~(keystone_admin)$ system ca-certificate-install openstack-ca-cert.pem ~(keystone_admin)$ system os-certificate-install -m server openstack-cert-key.pem ~(keystone_admin)$ system os-certificate-install -m ca openstack-ca-cert.pem
Apply the Helm chart overrides containing the certificate changes.
~(keystone_admin)$ system application-apply stx-openstack
Method 2 (Recommended)
Put the PEM encoded versions of the OpenStack certificate, key, and Root CA certificate into separate files (e.g.
openstack-cert.crt,openstack-cert.keyandopenstak-ca-cert.crt), and copy the files to the controller host. (e.g. /var/opt/openstack/certs/openstack-cert.crt, /var/opt/openstack/certs/openstack-cert.key, and /var/opt/openstack/certs/openstack-ca-cert.crt)Create a Helm overrides file to define the paths to the certificate, key, and Root CA certificate.
cat << EOF > openstack-cert-overrides.yaml openstackcertificateFile: /var/opt/openstack/certs/openstack-cert.crt openstackcertificateKeyFile: /var/opt/openstack/certs/openstack-cert.key openstackcertificateCAFile: /var/opt/openstack/certs/openstack-ca-cert.crt EOF ~(keystone_admin)$ system helm-override-update stx-openstack clients openstack --reuse-values --values openstack-cert-overrides.yaml
Apply the updated Helm overrides to the OpenStack application.
~(keystone_admin)$ system application-apply stx-openstack
Note
For both methods, ensure port 443 is open in StarlingX firewall. For details see Security Firewall Options.
