.. include:: /_stx-related-links/install-rest-api-and-horizon-certificate.rln .. RL strings .. include:: /_vendor/rl-strings.txt .. pmb1590001656644 .. _install-rest-api-and-horizon-certificate: ======================================== Install REST API and Horizon Certificate ======================================== .. rubric:: |context| For secure communications, HTTPS should be enabled for OpenStack REST API and Horizon endpoints by configuring a certificate for these endpoints. .. important:: It is recommended to do this before applying |prefix|-openstack. If you decide to configure the Rest API and Horizon certificates after the |prefix|-openstack application is already applied, wait until all endpoints are automatically updated and fully configured. To check if all endpoints have been updated and fully configured: #. Run the following command to list the OpenStack endpoints: .. code-block:: none ~(keystone_admin)$ openstack endpoint list #. Verify that the updated endpoints are showing the new domain name. Each service endpoint (e.g., Keystone, Glance, Nova) should reflect the domain specified in the ``endpoint_domain`` parameter. #. Additionally, review the status of the Kubernetes pods to ensure that there are no pending pods. .. code-block:: none ~(keystone_admin)$ kubectl -n openstack get pods | grep -v Completed | grep -v Running .. rubric:: |prereq| - Update the Domain Name: The domain must be added to the service-parameter openstack. For details, see :ref:`Update the Domain Name `. .. code-block:: none ~(keystone_admin)$ system service-parameter-add openstack Helm endpoint_domain=west2.us.example.com +-------------+--------------------------------------+ | Property | Value | +-------------+--------------------------------------+ | uuid | 0459ede4-85e7-4767-aca9-d29e84f38bd4 | | service | openstack | | section | Helm | | name | endpoint_domain | | value | west2.us.example.com | | personality | None | | resource | None | +-------------+--------------------------------------+ ~(keystone_admin)$ system service-parameter-apply openstack Applying openstack service parameters - Obtain a certificate: Obtain an Intermediate or Root |CA|-signed certificate and key from a trusted Intermediate or Root |CA|. The OpenStack certificate should be created with a wildcard |SAN|. For example: .. code-block:: none X509v3 extensions: X509v3 Subject Alternative Name: DNS:*.west2.us.example.com .. rubric:: |proc| #. Put the |PEM| encoded versions of the OpenStack certificate, key, and Root |CA| certificate into separate files (e.g. ``openstack-cert.crt``, ``openstack-cert.key`` and ``openstak-ca-cert.crt``), and copy the files to the controller host. (e.g. /var/opt/openstack/certs/openstack-cert.crt, /var/opt/openstack/certs/openstack-cert.key, and /var/opt/openstack/certs/openstack-ca-cert.crt) #. Create a Helm overrides file to define the paths to the certificate, key, and Root |CA| certificate. .. parsed-literal:: cat << EOF > openstack-cert-overrides.yaml openstackcertificateFile: /var/opt/openstack/certs/openstack-cert.crt openstackcertificateKeyFile: /var/opt/openstack/certs/openstack-cert.key openstackcertificateCAFile: /var/opt/openstack/certs/openstack-ca-cert.crt EOF ~(keystone_admin)$ system helm-override-update |prefix|-openstack clients openstack --reuse-values --values openstack-cert-overrides.yaml #. Apply the updated Helm overrides to the OpenStack application. .. parsed-literal:: ~(keystone_admin)$ system application-apply |prefix|-openstack .. note:: Ensure that port 443 is open in |prod| firewall. For details see |_security-firewall-options|.