Added prereq for Install REST API/Horizon Certificate. (r5, r6)

Moved the "HTTPS must be enabled for..." prereq to the last item in the list.

Added blank line above Install the certificate.

Minor formatting updates.

Added one more prereq and procedure. Updated domain name.

Updated <domain name> and minor formatting updates.

Fixed merge conflict.

Fixed reference.

Signed-off-by: Elaine Fonaro <elaine.fonaro@windriver.com>
Change-Id: Ia19529e01e268c57d9ac0b8be86aac449cfc9a8f
(cherry picked from commit 88cae73927)
Elaine Fonaro
2022-03-28 20:35:52 -03:00
committed by Elisamara Aoki Goncalves
parent d9ffcfe9c5
commit c28e15a38b


@@ -8,12 +8,60 @@ Install REST API and Horizon Certificate
.. rubric:: |context| .. rubric:: |context|
This certificate must be valid for the domain configured for OpenStack, see the For secure communications, HTTPS should be enabled for OpenStack REST API and
sections on :ref:`Accessing the System <access-using-the-default-set-up>`. Horizon endpoints by configuring a certificate for these endpoints.
.. rubric:: |prereq|
- Obtain an Intermediate or Root |CA|-signed certificate and key from a trusted
Intermediate or Root |CA|. The OpenStack certificate should be created with a
wildcard SAN.
For example:
.. code-block:: none
X509v3 extensions:
X509v3 Subject Alternative Name:
DNS:*.west2.us.example.com
- To install an openstack certificate, the domain has to be added to the
service-parameter openstack as prerequisite, for details see
:ref:`Update the Domain Name <update-the-domain-name>`.
.. code-block:: none
~(keystone_admin)$ system service-parameter-add openstack Helm endpoint_domain=west2.us.example.com
+-------------+--------------------------------------+
| Property | Value |
+-------------+--------------------------------------+
| uuid | 0459ede4-85e7-4767-aca9-d29e84f38bd4 |
| service | openstack |
| section | Helm |
| name | endpoint_domain |
| value | west2.us.example.com |
| personality | None |
| resource | None |
+-------------+--------------------------------------+
~(keystone_admin)$ system service-parameter-apply openstack
Applying openstack service parameters
- HTTPS must be enabled for |prod|, see :ref:`Enable HTTPS Access for
StarlingX REST and Web Server Endpoints
<enable-https-access-for-starlingx-rest-and-web-server-endpoints>`.
.. rubric:: |proc| .. rubric:: |proc|
#. Install the certificate for OpenStack as Helm chart overrides. #. Put the |PEM| encoded versions of the OpenStack certificate and key in a
single file (e.g. ``openstack-cert-key.pem``), and put the certificate of
the Root |CA| in a separate file (e.g. ``openstack-ca-cert.pem``), then
copy the files to the controller host.
#. Install the certificate as the OpenStack REST API / Horizon Certificate.
This will automatically update the required openstack Helm charts.
.. code-block:: none .. code-block:: none
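Review bot: The new first procedure step puts only "the certificate of the Root |CA|" into ``openstack-ca-cert.pem``, while the first prerequisite allows a certificate signed by an Intermediate |CA|, and nothing says where the intermediate certificate goes in that case. Suggest stating whether it belongs in ``openstack-cert-key.pem`` alongside the server certificate or in the CA file. The same step copies a file containing the private key to the controller host without mentioning restrictive file permissions or removing the file after installation; a sentence on that would help. Two smaller points: the first prerequisite repeats itself ("an Intermediate or Root |CA|-signed certificate and key from a trusted Intermediate or Root |CA|") and can be shortened, and the ``service-parameter-add`` block has no "For example:" lead-in, unlike the SAN block above it.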
@@ -34,10 +82,15 @@ sections on :ref:`Accessing the System <access-using-the-default-set-up>`.
X509v3 Subject Alternative Name: X509v3 Subject Alternative Name:
DNS:*.west2.us.example.com DNS:*.west2.us.example.com
~(keystone_admin)$ system certificate-install -m ssl_ca openstack-ca-cert.pem
~(keystone_admin)$ system certificate-install -m openstack_ca openstack-ca-cert.pem
~(keystone_admin)$ system certificate-install -m openstack openstack-cert-key.pem
#. Apply the Helm chart overrides containing the certificate changes. #. Apply the Helm chart overrides containing the certificate changes.
.. parsed-literal:: .. parsed-literal::
~(keystone_admin)$ system application-apply |prefix|-openstack ~(keystone_admin)$ system application-apply |prefix|-openstack
#. Ensure port 443 is open in |prod| firewall. For details see :ref:`Modify
Firewall Options <security-firewall-options>`.
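Review bot: The added ``certificate-install`` lines install the same ``openstack-ca-cert.pem`` twice, once with ``-m ssl_ca`` and once with ``-m openstack_ca``, and the step text does not explain what each mode is for or whether the order matters. Suggest one sentence per mode so the reader knows why both are required. The commands also follow directly after the unchanged SAN example lines, which the first hunk now adds under the prerequisites as well, so the example appears twice; consider dropping it here and checking that the commands render in their own literal block. The new last step about port 443 comes after ``application-apply``; if the endpoints are unreachable until the port is open, say so in the step or move it to the prerequisites.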