How to Enable TLS for OpenStack


Read along to learn how to enable TLS for OpenStack. Ensure you have an understanding of how to use Kolla Ansible before continuing with this guide.

Reference: https://docs.openstack.org/kolla-ansible/train/admin/advanced-configuration.html


How to Enable TLS using a self-signed certificate

This section demonstrates how to enable TLS using a self-signed certificate. This is useful for development or testing environments and is not recommended for production.

Step 1 — Prepare Kolla Ansible

See the Kolla Ansible guide to ensure you have prepared the environment before proceeding.

 

Step 2 — Generate a self-signed certificate

Generate a self-signed certificate using Kolla Ansible:

kolla-ansible -i /etc/fm-deploy/kolla-ansible-inventory certificates

 

Step 3 — Configure an FQDN

In /etc/kolla/globals.yml, ensure an FQDN for your cloud is set:

kolla_external_fqdn: host.mycloud.com

 

Step 4 — Enable TLS

Enable TLS configuration in /etc/kolla/globals.yml:

kolla_enable_tls_external: 'yes'

 

Step 5 — Deploy changes using Kolla Ansible

Use Kolla Ansible to reconfigure OpenStack:

kolla-ansible -i /etc/fm-deploy/kolla-ansible-inventory reconfigure

How to Enable TLS using a CA-signed certificate

Follow along to learn how to enable TLS using a certificate signed by a Certificate Authority.

Step 1 — Prepare Kolla Ansible

See the Kolla Ansible guide to ensure you have prepared the environment before proceeding.

 

Step 2 — Place the SSL certificate on the server

Place the signed certificate on the node in /etc/kolla/certificates as a .pem file that contains both the certificate and the private key, and set the file permissions to 600.

Example:

/etc/kolla/certificates/host_mycloud.pem

 

Step 3 — Configure an FQDN

In /etc/kolla/globals.yml, ensure an FQDN for your cloud is set:

kolla_external_fqdn: host.mycloud.com

 

Step 4 — Configure SSL path

In /etc/kolla/globals.yml, update kolla_external_fqdn_cert from:

kolla_external_fqdn_cert: '{{ node_config }}/certificates/haproxy.pem'

to:

kolla_external_fqdn_cert: '{{ node_config }}/certificates/host_mycloud.pem'

 

Step 5 — Enable TLS

Enable TLS configuration in /etc/kolla/globals.yml:

kolla_enable_tls_external: 'yes'

 

Step 6 — Deploy changes using Kolla Ansible

Use Kolla Ansible to reconfigure OpenStack:

kolla-ansible -i /etc/fm-deploy/kolla-ansible-inventory reconfigure
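
Added example (not part of the original guide and not Kolla Ansible code): a pre-flight check for the combined .pem file from Step 2, meant to be run before the reconfigure in Step 6. It checks the 600 mode, that the file holds a certificate and exactly one private key, and that the key belongs to the certificate; the helper name check_kolla_pem is hypothetical.

```python
#!/usr/bin/env python3
"""Pre-flight check for a combined certificate + private key PEM file."""
import os
import re
import ssl
import stat
import sys

PEM_LABEL = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----")


def check_kolla_pem(path):  # hypothetical helper, not a Kolla Ansible API
    """Return a list of problems; an empty list means the file looks usable."""
    try:
        mode = stat.S_IMODE(os.stat(path).st_mode)
        with open(path, "r", errors="replace") as fh:
            labels = PEM_LABEL.findall(fh.read())
    except OSError as exc:
        return [f"cannot read {path}: {exc.strerror}"]

    problems = []
    if mode != 0o600:
        problems.append(f"mode is {mode:03o}, expected 600")
    certs = labels.count("CERTIFICATE")
    keys = sum(1 for label in labels if label.endswith("PRIVATE KEY"))
    if certs == 0:
        problems.append("no CERTIFICATE block found")
    if keys != 1:
        problems.append(f"expected 1 private key block, found {keys}")

    if certs and keys == 1:
        # load_cert_chain parses both blocks and fails when the private key
        # does not belong to the first certificate in the file.
        # password="" prevents an interactive passphrase prompt.
        try:
            ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER).load_cert_chain(path, password="")
        except (ssl.SSLError, OSError, ValueError) as exc:
            problems.append(f"certificate/key failed to load: {exc}")
    return problems


if __name__ == "__main__":
    # Default is the example path used in Step 2 of the guide.
    pem = sys.argv[1] if len(sys.argv) > 1 else "/etc/kolla/certificates/host_mycloud.pem"
    found = check_kolla_pem(pem)
    for line in found:
        print(f"FAIL: {line}")
    sys.exit(1 if found else 0)
```

The script exits non-zero when any check fails, so it can gate the reconfigure command in a deployment script.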
Nick West Systems Engineer

Nick is an avid aggressive inline skater, nature enthusiast, and loves working with open source software in a Linux environment.
