This section explains how to encrypt the internal OpenStack API HTTP transport with TLS.
To encrypt the internal API HTTP transport with TLS:
Verify that the Keystone, Nova Placement, Cinder, Barbican, Gnocchi, Panko, and Manila API services, whose formulas support Web Server Gateway Interface (WSGI) templates for Apache, are running under Apache by adding the following classes to your deployment model:
In openstack/control.yml:

```yaml
classes:
...
- system.apache.server.site.barbican
- system.apache.server.site.cinder
- system.apache.server.site.gnocchi
- system.apache.server.site.manila
- system.apache.server.site.nova-placement
- system.apache.server.site.panko
```

In openstack/telemetry.yml:

```yaml
classes:
...
- system.apache.server.site.gnocchi
- system.apache.server.site.panko
```
Add the SSL configuration for each WSGI template by specifying the following parameters:

In openstack/control.yml:

```yaml
parameters:
  _param:
    ...
    apache_proxy_ssl:
      enabled: true
      engine: salt
      authority: "${_param:salt_minion_ca_authority}"
      key_file: "/etc/ssl/private/internal_proxy.key"
      cert_file: "/etc/ssl/certs/internal_proxy.crt"
      chain_file: "/etc/ssl/certs/internal_proxy-with-chain.crt"
    apache_cinder_ssl: ${_param:apache_proxy_ssl}
    apache_keystone_ssl: ${_param:apache_proxy_ssl}
    apache_barbican_ssl: ${_param:apache_proxy_ssl}
    apache_manila_ssl: ${_param:apache_proxy_ssl}
    apache_nova_placement: ${_param:apache_proxy_ssl}
```

In openstack/telemetry.yml:

```yaml
parameters:
  _param:
    ...
    apache_gnocchi_api_address: ${_param:single_address}
    apache_panko_api_address: ${_param:single_address}
    apache_gnocchi_ssl: ${_param:nginx_proxy_ssl}
    apache_panko_ssl: ${_param:nginx_proxy_ssl}
```
For the services that are still running under Eventlet, configure a TLS termination proxy in front of them. Such services include Nova, Neutron, Ironic, Glance, Heat, Aodh, and Designate.
Depending on your use case, configure the proxy on top of either Apache or NGINX by defining the following classes and parameters:
In openstack/control.yml:

To configure the proxy on Apache:

```yaml
classes:
...
- system.apache.server.proxy.openstack.designate
- system.apache.server.proxy.openstack.glance
- system.apache.server.proxy.openstack.heat
- system.apache.server.proxy.openstack.ironic
- system.apache.server.proxy.openstack.neutron
- system.apache.server.proxy.openstack.nova
parameters:
  _param:
    ...
    # Configure the proxy to forward requests to localhost:
    apache_proxy_openstack_api_address: ${_param:cluster_local_host}
    apache_proxy_openstack_designate_host: 127.0.0.1
    apache_proxy_openstack_glance_host: 127.0.0.1
    apache_proxy_openstack_heat_host: 127.0.0.1
    apache_proxy_openstack_ironic_host: 127.0.0.1
    apache_proxy_openstack_neutron_host: 127.0.0.1
    apache_proxy_openstack_nova_host: 127.0.0.1
  ...
  apache:
    server:
      site:
        apache_proxy_openstack_api_glance_registry:
          enabled: true
          type: proxy
          name: openstack_api_glance_registry
          proxy:
            host: ${_param:apache_proxy_openstack_glance_registry_host}
            port: 9191
            protocol: http
          host:
            name: ${_param:apache_proxy_openstack_api_host}
            port: 9191
            address: ${_param:apache_proxy_openstack_api_address}
          ssl: ${_param:apache_proxy_ssl}
```
To configure the proxy on NGINX:

```yaml
classes:
...
- system.nginx.server.single
- system.nginx.server.proxy.openstack_api
- system.nginx.server.proxy.openstack.designate
- system.nginx.server.proxy.openstack.ironic
- system.nginx.server.proxy.openstack.placement
```

```yaml
# Delete the proxy sites that are already running under Apache:
_param:
  ...
nginx:
  server:
    site:
      nginx_proxy_openstack_api_keystone:
        enabled: false
      nginx_proxy_openstack_api_keystone_private:
        enabled: false
...
```

```yaml
# Configure the proxy to forward requests to localhost:
_param:
  ...
  nginx_proxy_openstack_api_address: ${_param:cluster_local_address}
  nginx_proxy_openstack_cinder_host: 127.0.0.1
  nginx_proxy_openstack_designate_host: 127.0.0.1
  nginx_proxy_openstack_glance_host: 127.0.0.1
  nginx_proxy_openstack_heat_host: 127.0.0.1
  nginx_proxy_openstack_ironic_host: 127.0.0.1
  nginx_proxy_openstack_neutron_host: 127.0.0.1
  nginx_proxy_openstack_nova_host: 127.0.0.1
```

```yaml
# Add the NGINX SSL settings:
_param:
  ...
  nginx_proxy_ssl:
    enabled: true
    engine: salt
    authority: "${_param:salt_minion_ca_authority}"
    key_file: "/etc/ssl/private/internal_proxy.key"
    cert_file: "/etc/ssl/certs/internal_proxy.crt"
    chain_file: "/etc/ssl/certs/internal_proxy-with-chain.crt"
```
In openstack/telemetry.yml:

```yaml
classes:
...
- system.nginx.server.proxy.openstack_aodh
...
parameters:
  _param:
    ...
    nginx_proxy_openstack_aodh_host: 127.0.0.1
```
Edit the openstack/init.yml file:

Add the following parameters to the cluster model:

```yaml
parameters:
  _param:
    ...
    cluster_public_protocol: https
    cluster_internal_protocol: https
    aodh_service_protocol: ${_param:cluster_internal_protocol}
    barbican_service_protocol: ${_param:cluster_internal_protocol}
    cinder_service_protocol: ${_param:cluster_internal_protocol}
    designate_service_protocol: ${_param:cluster_internal_protocol}
    glance_service_protocol: ${_param:cluster_internal_protocol}
    gnocchi_service_protocol: ${_param:cluster_internal_protocol}
    heat_service_protocol: ${_param:cluster_internal_protocol}
    ironic_service_protocol: ${_param:cluster_internal_protocol}
    keystone_service_protocol: ${_param:cluster_internal_protocol}
    manila_service_protocol: ${_param:cluster_internal_protocol}
    neutron_service_protocol: ${_param:cluster_internal_protocol}
    nova_service_protocol: ${_param:cluster_internal_protocol}
    panko_service_protocol: ${_param:cluster_internal_protocol}
```
Depending on your use case, define the following parameters for the OpenStack services to verify that the services running behind the TLS proxy are bound to localhost:

In openstack/control.yml, add the required configuration for each OpenStack service:

Barbican:

```yaml
bind:
  address: 127.0.0.1
identity:
  protocol: https
```

Cinder:

```yaml
identity:
  protocol: https
osapi:
  host: 127.0.0.1
glance:
  protocol: https
```

Designate:

```yaml
identity:
  protocol: https
bind:
  api:
    address: 127.0.0.1
```

Glance:

```yaml
bind:
  address: 127.0.0.1
identity:
  protocol: https
registry:
  protocol: https
```

Heat:

```yaml
bind:
  api:
    address: 127.0.0.1
  api_cfn:
    address: 127.0.0.1
  api_cloudwatch:
    address: 127.0.0.1
identity:
  protocol: https
```

Horizon:

```yaml
identity:
  encryption: ssl
```

Ironic:

```yaml
ironic:
  bind:
    api:
      address: 127.0.0.1
```

Neutron:

```yaml
bind:
  address: 127.0.0.1
identity:
  protocol: https
```

Nova:

```yaml
controller:
  bind:
    private_address: 127.0.0.1
  identity:
    protocol: https
  network:
    protocol: https
  glance:
    protocol: https
  metadata:
    bind:
      address: ${_param:nova_service_host}
```

Panko:

```yaml
panko:
  server:
    bind:
      host: 127.0.0.1
```
In openstack/telemetry.yml:

```yaml
parameters:
  _param:
    ...
  aodh:
    server:
      bind:
        host: 127.0.0.1
      identity:
        protocol: http
  gnocchi:
    server:
      identity:
        protocol: http
  panko:
    server:
      identity:
        protocol: https
```
For StackLight LMA, in stacklight/client.yml, enable Telegraf to correctly resolve the CA of the identity endpoint:

```yaml
docker:
  client:
    stack:
      monitoring:
        service:
          remote_agent:
            volumes:
              - /etc/ssl/certs/:/etc/ssl/certs/
```
For RADOS Gateway, specify the following pillar in ceph/rgw.yml:

```yaml
ceph:
  radosgw:
    identity:
      keystone_verify_ssl: True
      host: ${_param:cluster_internal_protocol}://${_param:ceph_radosgw_keystone_host}
```
For existing deployments, add the following pillar to openstack/control/init.yml to update the Nova cells. Otherwise, nova-conductor will use the wrong port for AMQP connections.

```yaml
nova:
  controller:
    update_cells: true
```
Select one of the following options:

If you are performing an initial deployment of your cluster, proceed with further configuration as required.

If you are making changes to an existing cluster:

Log in to the Salt Master node.

Refresh the pillars:

```bash
salt '*' saltutil.refresh_pillar
```

Apply the Salt states depending on your use case. For example:

```bash
salt -C 'I@haproxy' state.apply haproxy
salt -C 'I@apache' state.apply apache
salt 'ctl0*' state.apply keystone,nova,neutron,heat,glance,cinder,designate,manila,ironic
salt 'mdb0*' state.apply aodh,ceilometer,panko,gnocchi
salt -C 'I@ceph' state.apply ceph
salt -C "I@docker:client" state.sls docker.client
salt -C "I@nova:controller" state.sls nova.controller
```
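A pre-flight check for the procedure above, added here as an example and not part of the MCP documentation or the Salt formulas: it reads the pillar that `salt-call pillar.items --out=json` renders on a controller node after the pillar refresh and flags services that still use a plain-HTTP `*_service_protocol`, are not bound to 127.0.0.1 behind the proxy, or still reach Keystone over HTTP. The `glance: server:` and `nova: controller:` pillar layout and the sample pillar are assumptions.

```python
import json

# Constructed sample of `salt-call pillar.items --out=json` output, trimmed to the
# keys this check reads. One deliberate defect: glance still binds to every interface.
SAMPLE_PILLAR_JSON = json.dumps({"local": {
    "_param": {
        "glance_service_protocol": "https",
        "nova_service_protocol": "http",
        "apache_proxy_ssl": {"enabled": True, "engine": "salt"},
    },
    "glance": {"server": {"bind": {"address": "0.0.0.0"},
                          "identity": {"protocol": "https"}}},
    "nova": {"controller": {"bind": {"private_address": "127.0.0.1"},
                            "identity": {"protocol": "https"}}},
}})

# Bind-address and Keystone-protocol pillar paths for two proxied services; the
# enclosing "glance: server:" / "nova: controller:" keys are assumed from the formulas.
PROXIED = {
    "glance": (("glance", "server", "bind", "address"),
               ("glance", "server", "identity", "protocol")),
    "nova": (("nova", "controller", "bind", "private_address"),
             ("nova", "controller", "identity", "protocol")),
}

def lookup(tree, path):
    """Walk a nested dict along path; return None if any key is missing."""
    for key in path:
        tree = tree.get(key) if isinstance(tree, dict) else None
    return tree

def check_pillar(pillar_json):
    """Return a list of findings; an empty list means the pillar is consistent."""
    pillar = json.loads(pillar_json)["local"]
    params = pillar.get("_param", {})
    findings = []
    for name, value in params.items():
        if name.endswith("_service_protocol") and value != "https":
            findings.append(f"{name} is {value}, expected https")
    if not params.get("apache_proxy_ssl", {}).get("enabled"):
        findings.append("apache_proxy_ssl is not enabled")
    # A proxied service must listen on loopback only and reach Keystone over https.
    for service, (bind_path, proto_path) in PROXIED.items():
        if lookup(pillar, bind_path) != "127.0.0.1":
            findings.append(f"{service} is not bound to 127.0.0.1 behind the proxy")
        if lookup(pillar, proto_path) != "https":
            findings.append(f"{service} reaches Keystone over plain http")
    return findings
```

Run it against the real output before applying the states; any finding means the TLS proxy would front a listener that is still reachable directly or a service that still talks to Keystone unencrypted.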