docs/doc/source/security/openstack/install-rest-api-and-horizon-certificate.rst
Ron Stone 4b29310c6f Support DS rel-linking from STX
Change-Id: I5278866605ffd9b29ae2abe7d6e99606f6052423
Signed-off-by: Ron Stone <ronald.stone@windriver.com>
2024-03-12 11:45:42 +00:00


Install REST API and Horizon Certificate

For secure communications, HTTPS should be enabled for OpenStack REST API and Horizon endpoints by configuring a certificate for these endpoints.

  • Obtain an Intermediate or Root CA-signed certificate and key from a trusted Intermediate or Root CA. The OpenStack certificate should be created with a wildcard SAN.

    For example:

    X509v3 extensions:
    X509v3 Subject Alternative Name:
    DNS:*.west2.us.example.com

  • Before an OpenStack certificate can be installed, the domain must be added to the openstack service parameters. For details, see Update the Domain Name <update-the-domain-name>.

      ~(keystone_admin)$ system service-parameter-add openstack Helm endpoint_domain=west2.us.example.com
      
      +-------------+--------------------------------------+
      | Property    | Value                                |
      +-------------+--------------------------------------+
      | uuid        | 0459ede4-85e7-4767-aca9-d29e84f38bd4 |
      | service     | openstack                            |
      | section     | Helm                                 |
      | name        | endpoint_domain                      |
      | value       | west2.us.example.com                 |
      | personality | None                                 |
      | resource    | None                                 |
      +-------------+--------------------------------------+
      
      ~(keystone_admin)$ system service-parameter-apply openstack
      Applying openstack service parameters
  • HTTPS must be enabled for , see Configure REST API Applications and Web Administration Server Certificate <configure-rest-api-applications-and-web-administration-server-certificates-after-installation-6816457ab95f>.

  1. Put the PEM-encoded versions of the OpenStack certificate and key in a single file (e.g. openstack-cert-key.pem), and put the certificate of the Root CA in a separate file (e.g. openstack-ca-cert.pem), then copy the files to the controller host.

  2. Install the certificate as the OpenStack REST API / Horizon Certificate.

    This will automatically update the required openstack Helm charts.

    ~(keystone_admin)$ system certificate-install -m ssl_ca openstack-ca-cert.pem
    ~(keystone_admin)$ system certificate-install -m openstack_ca openstack-ca-cert.pem
    ~(keystone_admin)$ system certificate-install -m openstack openstack-cert-key.pem

  3. Apply the Helm chart overrides containing the certificate changes.

    ~(keystone_admin)$ system application-apply -openstack

  4. Ensure port 443 is open in the firewall. For details, see Modify Firewall Options <security-firewall-options>.
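
A check worth running on the files from step 1 before the certificate-install commands, shown here as an added example that is not part of the original documentation. The function names and return codes are hypothetical; it assumes the openssl command-line tool is available on the host where the files are prepared.

```bash
#!/usr/bin/env bash
# Added example: sanity-check the step 1 files before certificate-install.
# Function names and return codes are hypothetical, chosen for this example.

# Succeeds if the SAN text printed by openssl lists DNS:*.<domain>.
san_has_wildcard() {  # $1 = SAN text, $2 = endpoint domain
    printf '%s\n' "$1" | tr ',' '\n' | sed 's/^[[:space:]]*//' \
        | grep -Fxq "DNS:*.$2"
}

# $1 = cert+key file, $2 = CA cert file, $3 = endpoint_domain value
check_openstack_cert() {
    bundle=$1; ca=$2; domain=$3

    # 1. The private key must belong to the certificate (same public key).
    cert_pub=$(openssl x509 -in "$bundle" -noout -pubkey 2>/dev/null) \
        || { echo "no certificate in $bundle"; return 1; }
    key_pub=$(openssl pkey -in "$bundle" -pubout 2>/dev/null) \
        || { echo "no private key in $bundle"; return 1; }
    [ "$cert_pub" = "$key_pub" ] \
        || { echo "key does not match certificate"; return 2; }

    # 2. The certificate must carry the wildcard SAN for the domain.
    san=$(openssl x509 -in "$bundle" -noout -text \
        | grep -A1 'Subject Alternative Name') || san=""
    san_has_wildcard "$san" "$domain" \
        || { echo "missing SAN DNS:*.$domain"; return 3; }

    # 3. The certificate must chain to the CA file and be within validity.
    openssl x509 -in "$bundle" | openssl verify -CAfile "$ca" >/dev/null 2>&1 \
        || { echo "certificate does not verify against $ca"; return 4; }

    echo ok
}

# Example call with the file names from step 1:
#   check_openstack_cert openstack-cert-key.pem openstack-ca-cert.pem west2.us.example.com
```

A result of `ok` means the key matches the certificate, the wildcard SAN covers the configured endpoint_domain, and the certificate verifies against the CA file that will be installed with `-m ssl_ca` and `-m openstack_ca`.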