.. include:: /_stx-related-links/install-rest-api-and-horizon-certificate.rln

.. RL strings

.. include:: /_vendor/rl-strings.txt

.. pmb1590001656644

.. _install-rest-api-and-horizon-certificate:

========================================
Install REST API and Horizon Certificate
========================================

.. rubric:: |context|

For secure communications, HTTPS should be enabled for the OpenStack REST API
and Horizon endpoints by configuring a certificate for these endpoints.

.. important::

   It is recommended to do this before applying |prefix|-openstack. If you
   decide to configure the REST API and Horizon certificates after the
   |prefix|-openstack application is already applied, wait until all endpoints
   are automatically updated and fully configured.

   To check if all endpoints have been updated and fully configured:

   #. Run the following command to list the OpenStack endpoints:

      .. code-block:: none

         ~(keystone_admin)$ openstack endpoint list

   #. Verify that the updated endpoints are showing the new domain name. Each
      service endpoint (e.g., Keystone, Glance, Nova) should reflect the domain
      specified in the ``endpoint_domain`` parameter.

   #. Additionally, review the status of the Kubernetes pods to ensure that
      there are no pending pods.

      .. code-block:: none

         ~(keystone_admin)$ kubectl -n openstack get pods | grep -v Completed | grep -v Running

.. rubric:: |prereq|

- Update the Domain Name:

  The domain must be added to the ``openstack`` service parameters. For
  details, see :ref:`Update the Domain Name `.

  .. code-block:: none

     ~(keystone_admin)$ system service-parameter-add openstack Helm endpoint_domain=west2.us.example.com
     +-------------+--------------------------------------+
     | Property    | Value                                |
     +-------------+--------------------------------------+
     | uuid        | 0459ede4-85e7-4767-aca9-d29e84f38bd4 |
     | service     | openstack                            |
     | section     | Helm                                 |
     | name        | endpoint_domain                      |
     | value       | west2.us.example.com                 |
     | personality | None                                 |
     | resource    | None                                 |
     +-------------+--------------------------------------+

     ~(keystone_admin)$ system service-parameter-apply openstack
     Applying openstack service parameters

- Obtain a certificate:

  Obtain an Intermediate or Root |CA|-signed certificate and key from a
  trusted Intermediate or Root |CA|. The OpenStack certificate should be
  created with a wildcard |SAN| that covers the configured
  ``endpoint_domain``. For example:

  .. code-block:: none

     X509v3 extensions:
         X509v3 Subject Alternative Name:
             DNS:*.west2.us.example.com

.. rubric:: |proc|

**Method 1 (Deprecation warning)**

.. warning::

   The following commands for installing the |prefix|-openstack REST API and
   Horizon certificate will be removed in future releases. Refer to Method 2
   for the recommended approach.

#. Put the |PEM| encoded versions of the OpenStack certificate and key in a
   single file (e.g. ``openstack-cert-key.pem``), and put the certificate of
   the Root |CA| in a separate file (e.g. ``openstack-ca-cert.pem``), then
   copy the files to the controller host.

#. Install the certificate as the OpenStack REST API / Horizon certificate.
   This will automatically update the required OpenStack Helm charts.

   .. code-block:: none

      ~(keystone_admin)$ system ca-certificate-install openstack-ca-cert.pem
      ~(keystone_admin)$ system os-certificate-install -m server openstack-cert-key.pem
      ~(keystone_admin)$ system os-certificate-install -m ca openstack-ca-cert.pem

#. Apply the Helm chart overrides containing the certificate changes.

   .. parsed-literal::

      ~(keystone_admin)$ system application-apply |prefix|-openstack

**Method 2 (Recommended)**

#. Put the |PEM| encoded versions of the OpenStack certificate, key, and Root
   |CA| certificate into separate files (e.g. ``openstack-cert.crt``,
   ``openstack-cert.key`` and ``openstack-ca-cert.crt``), and copy the files
   to the controller host (e.g. ``/var/opt/openstack/certs/openstack-cert.crt``,
   ``/var/opt/openstack/certs/openstack-cert.key``, and
   ``/var/opt/openstack/certs/openstack-ca-cert.crt``).

#. Create a Helm overrides file to define the paths to the certificate, key,
   and Root |CA| certificate, and load it into the ``clients`` chart overrides.

   .. parsed-literal::

      cat << EOF > openstack-cert-overrides.yaml
      openstackcertificateFile: /var/opt/openstack/certs/openstack-cert.crt
      openstackcertificateKeyFile: /var/opt/openstack/certs/openstack-cert.key
      openstackcertificateCAFile: /var/opt/openstack/certs/openstack-ca-cert.crt
      EOF

      ~(keystone_admin)$ system helm-override-update |prefix|-openstack clients openstack --reuse-values --values openstack-cert-overrides.yaml

#. Apply the updated Helm overrides to the OpenStack application.

   .. parsed-literal::

      ~(keystone_admin)$ system application-apply |prefix|-openstack

.. note::

   For both methods, ensure port 443 is open in the |prod| firewall. For
   details see |_security-firewall-options|.