Encrypt internal API HTTP transport with TLS

This section explains how to encrypt the internal OpenStack API HTTP transport with TLS.

To encrypt the internal API HTTP transport with TLS:

  1. Verify that the Keystone, Nova Placement, Cinder, Barbican, Gnocchi, Panko, and Manila API services, whose formulas support using Web Server Gateway Interface (WSGI) templates from Apache, are running under Apache by adding the following classes to your deployment model:

    • In openstack/control.yml:

      classes:
      ...
      - system.apache.server.site.barbican
      - system.apache.server.site.cinder
      - system.apache.server.site.gnocchi
      - system.apache.server.site.manila
      - system.apache.server.site.nova-placement
      - system.apache.server.site.panko
      
    • In openstack/telemetry.yml:

      classes:
      ...
      - system.apache.server.site.gnocchi
      - system.apache.server.site.panko
      
  2. Add SSL configuration for each WSGI template by specifying the following parameters:

    • In openstack/control.yml:

      parameters:
        _param:
        ...
          apache_proxy_ssl:
            enabled: true
            engine: salt
            authority: "${_param:salt_minion_ca_authority}"
            key_file: "/etc/ssl/private/internal_proxy.key"
            cert_file: "/etc/ssl/certs/internal_proxy.crt"
            chain_file: "/etc/ssl/certs/internal_proxy-with-chain.crt"
      
          apache_cinder_ssl: ${_param:apache_proxy_ssl}
          apache_keystone_ssl: ${_param:apache_proxy_ssl}
          apache_barbican_ssl: ${_param:apache_proxy_ssl}
          apache_manila_ssl: ${_param:apache_proxy_ssl}
          apache_nova_placement: ${_param:apache_proxy_ssl}
      
    • In openstack/telemetry.yml:

      parameters:
        _param:
        ...
        apache_gnocchi_api_address: ${_param:single_address}
        apache_panko_api_address: ${_param:single_address}
        apache_gnocchi_ssl: ${_param:nginx_proxy_ssl}
        apache_panko_ssl: ${_param:nginx_proxy_ssl}
      
  3. For services that are still running under Eventlet, configure a TLS termination proxy. Such services include Nova, Neutron, Ironic, Glance, Heat, Aodh, and Designate.

    Depending on your use case, configure the proxy on top of either Apache or NGINX by defining the following classes and parameters:

    • In openstack/control.yml:

      • To configure proxy on Apache:

        classes:
        ...
        - system.apache.server.proxy.openstack.designate
        - system.apache.server.proxy.openstack.glance
        - system.apache.server.proxy.openstack.heat
        - system.apache.server.proxy.openstack.ironic
        - system.apache.server.proxy.openstack.neutron
        - system.apache.server.proxy.openstack.nova
        
        parameters:
          _param:
          ...
            # Configure proxy to redirect requests to localhost:
            apache_proxy_openstack_api_address: ${_param:cluster_local_host}
            apache_proxy_openstack_designate_host: 127.0.0.1
            apache_proxy_openstack_glance_host: 127.0.0.1
            apache_proxy_openstack_heat_host: 127.0.0.1
            apache_proxy_openstack_ironic_host: 127.0.0.1
            apache_proxy_openstack_neutron_host: 127.0.0.1
            apache_proxy_openstack_nova_host: 127.0.0.1
        
          ...
          apache:
            server:
              site:
                apache_proxy_openstack_api_glance_registry:
                  enabled: true
                  type: proxy
                  name: openstack_api_glance_registry
                  proxy:
                    host: ${_param:apache_proxy_openstack_glance_registry_host}
                    port: 9191
                    protocol: http
                  host:
                    name: ${_param:apache_proxy_openstack_api_host}
                    port: 9191
                    address: ${_param:apache_proxy_openstack_api_address}
                    ssl: ${_param:apache_proxy_ssl}
        
      • To configure proxy on NGINX:

        classes:
        ...
        - system.nginx.server.single
        - system.nginx.server.proxy.openstack_api
        - system.nginx.server.proxy.openstack.designate
        - system.nginx.server.proxy.openstack.ironic
        - system.nginx.server.proxy.openstack.placement
        
        # Delete proxy sites that are running under Apache:
        _param:
        ...
        nginx:
          server:
            site:
              nginx_proxy_openstack_api_keystone:
                enabled: false
              nginx_proxy_openstack_api_keystone_private:
                enabled: false
              ...
        
        # Configure proxy to redirect requests to localhost
        _param:
        ...
        nginx_proxy_openstack_api_address: ${_param:cluster_local_address}
        nginx_proxy_openstack_cinder_host: 127.0.0.1
        nginx_proxy_openstack_designate_host: 127.0.0.1
        nginx_proxy_openstack_glance_host: 127.0.0.1
        nginx_proxy_openstack_heat_host: 127.0.0.1
        nginx_proxy_openstack_ironic_host: 127.0.0.1
        nginx_proxy_openstack_neutron_host: 127.0.0.1
        nginx_proxy_openstack_nova_host: 127.0.0.1
        
        # Add nginx SSL settings:
        _param:
        ...
        nginx_proxy_ssl:
          enabled: true
          engine: salt
          authority: "${_param:salt_minion_ca_authority}"
          key_file: "/etc/ssl/private/internal_proxy.key"
          cert_file: "/etc/ssl/certs/internal_proxy.crt"
          chain_file: "/etc/ssl/certs/internal_proxy-with-chain.crt"
        
    • In openstack/telemetry.yml:

      classes:
      ...
      - system.nginx.server.proxy.openstack_aodh
      ...
      parameters:
        _param:
        ...
          nginx_proxy_openstack_aodh_host: 127.0.0.1
      
  4. Edit the openstack/init.yml file:

    1. Add the following parameters to the cluster model:

      parameters:
        _param:
        ...
          cluster_public_protocol: https
          cluster_internal_protocol: https
          aodh_service_protocol: ${_param:cluster_internal_protocol}
          barbican_service_protocol: ${_param:cluster_internal_protocol}
          cinder_service_protocol: ${_param:cluster_internal_protocol}
          designate_service_protocol: ${_param:cluster_internal_protocol}
          glance_service_protocol: ${_param:cluster_internal_protocol}
          gnocchi_service_protocol: ${_param:cluster_internal_protocol}
          heat_service_protocol: ${_param:cluster_internal_protocol}
          ironic_service_protocol: ${_param:cluster_internal_protocol}
          keystone_service_protocol: ${_param:cluster_internal_protocol}
          manila_service_protocol: ${_param:cluster_internal_protocol}
          neutron_service_protocol: ${_param:cluster_internal_protocol}
          nova_service_protocol: ${_param:cluster_internal_protocol}
          panko_service_protocol: ${_param:cluster_internal_protocol}
      
    2. Depending on your use case, define the following parameters for the OpenStack services to ensure that the services running behind the TLS proxy are bound to localhost only:

      • In openstack/control.yml:

        The required configuration for each OpenStack service is listed below:

        Barbican

        bind:
          address: 127.0.0.1
        identity:
          protocol: https
        

        Cinder

        identity:
          protocol: https
        osapi:
          host: 127.0.0.1
        glance:
          protocol: https
        

        Designate

        identity:
          protocol: https
        bind:
          api:
            address: 127.0.0.1
        

        Glance

        bind:
          address: 127.0.0.1
        identity:
          protocol: https
        registry:
          protocol: https
        

        Heat

        bind:
          api:
            address: 127.0.0.1
          api_cfn:
            address: 127.0.0.1
          api_cloudwatch:
            address: 127.0.0.1
        identity:
          protocol: https
        

        Horizon

        identity:
          encryption: ssl
        

        Ironic

        ironic:
          bind:
            api:
              address: 127.0.0.1
        

        Neutron

        bind:
          address: 127.0.0.1
        identity:
          protocol: https
        

        Nova

        controller:
          bind:
            private_address: 127.0.0.1
          identity:
            protocol: https
          network:
            protocol: https
          glance:
            protocol: https
          metadata:
            bind:
              address: ${_param:nova_service_host}
        

        Panko

        panko:
          server:
            bind:
              host: 127.0.0.1
        
      • In openstack/telemetry.yml:

        parameters:
          _param:
          ...
          aodh:
            server:
              bind:
                host: 127.0.0.1
              identity:
                protocol: http
        
          gnocchi:
            server:
              identity:
                protocol: http
        
          panko:
            server:
              identity:
                protocol: https
        
  5. For StackLight LMA, in stacklight/client.yml, enable Telegraf to correctly resolve the CA of the identity endpoint:

    docker:
      client:
        stack:
          monitoring:
            service:
              remote_agent:
                volumes:
                  - /etc/ssl/certs/:/etc/ssl/certs/
    
  6. For RADOS Gateway, specify the following pillar in ceph/rgw.yml:

    ceph:
      radosgw:
        identity:
          keystone_verify_ssl: True
          host: ${_param:cluster_internal_protocol}://${_param:ceph_radosgw_keystone_host}
    
  7. For existing deployments, add the following pillar to openstack/control/init.yml to update Nova cells. Otherwise, nova-conductor will use the wrong port for AMQP connections.

    nova:
      controller:
        update_cells: true
    
  8. Select one of the following options:

    • If you are performing an initial deployment of your cluster, proceed with further configuration as required.

    • If you are making changes to an existing cluster:

      1. Log in to the Salt Master node.

      2. Refresh pillars:

        salt '*' saltutil.refresh_pillar
        
      3. Apply the Salt states depending on your use case. For example:

        salt -C 'I@haproxy' state.apply haproxy
        salt -C 'I@apache' state.apply apache
        salt 'ctl0*' state.apply keystone,nova,neutron,heat,glance,cinder,designate,manila,ironic
        salt 'mdb0*' state.apply aodh,ceilometer,panko,gnocchi
        salt -C 'I@ceph' state.apply ceph
        salt -C "I@docker:client" state.sls docker.client
        salt -C "I@nova:controller" state.sls nova.controller
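The following POSIX shell script is an added example and is not part of this documentation or of the MCP formulas. It performs two checks that follow from steps 4.2 and 8 after the states have been applied: first, that the backend API ports fronted by the TLS proxy listen only on loopback (a backend still bound to 0.0.0.0 remains reachable in plaintext from the network, regardless of the proxy); second, that a proxy endpoint terminates TLS with a certificate that verifies against the chain file configured in step 2. The backend port list, the `ss` sample output and the use of the chain file as the CA bundle are assumptions made for the example.

```shell
#!/bin/sh
# Added example: post-change checks for the internal-API TLS layout.
# Not part of the MCP documentation or formulas.

# Assumed backend ports fronted by the proxy: glance-api 9292,
# glance-registry 9191, neutron-server 9696, nova-api 8774, heat-api 8004,
# designate-api 9001. Adjust to your deployment.
BACKEND_PORTS="9292 9191 9696 8774 8004 9001"

# Constructed sample in `ss -H -ltn` layout (column 4 is Local Address:Port).
# Two backends here are wrongly bound off-loopback: neutron (9696) and heat (8004).
SAMPLE_SS='LISTEN 0 128 127.0.0.1:9292 0.0.0.0:*
LISTEN 0 128 127.0.0.1:9191 0.0.0.0:*
LISTEN 0 128 0.0.0.0:9696 0.0.0.0:*
LISTEN 0 128 127.0.0.1:8774 0.0.0.0:*
LISTEN 0 128 *:8004 *:*
LISTEN 0 128 127.0.0.1:9001 0.0.0.0:*
LISTEN 0 128 0.0.0.0:443 0.0.0.0:*'

# Constructed sample where every backend is loopback-only (the desired state).
GOOD_SS='LISTEN 0 128 127.0.0.1:9292 0.0.0.0:*
LISTEN 0 128 127.0.0.1:9191 0.0.0.0:*
LISTEN 0 128 [::1]:9696 [::]:*
LISTEN 0 128 127.0.0.1:8774 0.0.0.0:*
LISTEN 0 128 127.0.0.1:8004 0.0.0.0:*
LISTEN 0 128 127.0.0.1:9001 0.0.0.0:*
LISTEN 0 128 0.0.0.0:443 0.0.0.0:*'

# check_local_bind "<ss -H -ltn output>" "<space-separated ports>"
# Prints one "NOT loopback: addr:port" line per backend port that listens on a
# non-loopback address and returns 1; returns 0 (prints nothing) when every
# listed port is bound to 127.0.0.1 or [::1] only. Ports not in the list
# (such as the proxy's own 443) are ignored.
check_local_bind() {
    offenders=$(printf '%s\n' "$1" | awk -v ports="$2" '
        BEGIN { n = split(ports, list, " "); for (i = 1; i <= n; i++) want[list[i]] = 1 }
        $1 == "LISTEN" {
            m = split($4, parts, ":")          # port is the last ":"-separated field
            port = parts[m]
            if (!(port in want)) next
            addr = substr($4, 1, length($4) - length(port) - 1)
            if (addr != "127.0.0.1" && addr != "[::1]") print $4
        }')
    if [ -n "$offenders" ]; then
        printf '%s\n' "$offenders" | sed 's/^/NOT loopback: /'
        return 1
    fi
    return 0
}

# tls_probe <host> <port>
# Confirms that the proxy endpoint terminates TLS and that its certificate chain
# verifies against the internal CA bundle configured as chain_file in step 2.
# Needs network access to the controller, so the offline checks below do not use it.
tls_probe() {
    openssl s_client -connect "$1:$2" -servername "$1" \
        -CAfile /etc/ssl/certs/internal_proxy-with-chain.crt \
        -verify_return_error </dev/null 2>/dev/null \
        | grep -q 'Verify return code: 0 (ok)'
}

# Demonstration on the constructed sample: reports the two off-loopback backends.
check_local_bind "$SAMPLE_SS" "$BACKEND_PORTS" \
    || echo "backend(s) reachable off-host; fix the bind addresses from step 4.2"
# On a live controller node, run instead:
#   check_local_bind "$(ss -H -ltn)" "$BACKEND_PORTS"
#   tls_probe <internal api host> 443
```

Run the bind check on each controller after step 8; an empty result is the expected outcome. The TLS probe uses the chain file as the trust anchor because that is the bundle the proxy serves; if the internal CA is also installed in the system store, `-CAfile` can be dropped.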