Read along to learn how to enable TLS for OpenStack. Ensure you have an understanding of how to use kolla-ansible before continuing with this guide.

Reference: https://docs.openstack.org/kolla-ansible/train/admin/advanced-configuration.html


How to Enable TLS using a self-signed certificate

This section demonstrates how to enable TLS using a self-signed SSL certificate. This is useful for development or testing environments and is not recommended for production.

Step 1 — Prepare kolla-ansible

See the kolla-ansible guide to ensure you have prepared the environment before proceeding.

 

Step 2 — Generate a self-signed SSL certificate

Generate a self-signed SSL certificate using kolla-ansible:

kolla-ansible -i /etc/fm-deploy/kolla-ansible-inventory certificates

 

Step 3 — Configure an FQDN

In /etc/kolla/globals.yml, ensure an FQDN for your cloud is set:

kolla_external_fqdn: host.mycloud.com

 

Step 4 — Enable TLS

Enable TLS configuration in /etc/kolla/globals.yml:

kolla_enable_tls_external: 'yes'

 

Step 5 — Deploy changes using kolla-ansible

Use kolla-ansible to reconfigure OpenStack:

kolla-ansible -i /etc/fm-deploy/kolla-ansible-inventory reconfigure

How to Enable TLS using a CA-signed certificate

Follow along to learn how to enable TLS using a certificate signed by a Certificate Authority.

Step 1 — Prepare kolla-ansible

See the kolla-ansible guide to ensure you have prepared the environment before proceeding.

 

Step 2 — Place SSL certificate on server

Place the signed certificate on the node in /etc/kolla/certificates as a .pem file (the certificate and private key together in one file) with file permissions set to 600.

Example:

/etc/kolla/certificates/host_mycloud.pem

 

Step 3 — Configure an FQDN

In /etc/kolla/globals.yml, ensure an FQDN for your cloud is set:

kolla_external_fqdn: host.mycloud.com

 

Step 4 — Configure SSL path

In /etc/kolla/globals.yml, update kolla_external_fqdn_cert from:

kolla_external_fqdn_cert: '{{ node_config }}/certificates/haproxy.pem'

to:

kolla_external_fqdn_cert: '{{ node_config }}/certificates/host_mycloud.pem'

 

Step 5 — Enable TLS

Enable TLS configuration in /etc/kolla/globals.yml:

kolla_enable_tls_external: 'yes'

 

Step 6 — Deploy changes using kolla-ansible

Use kolla-ansible to reconfigure OpenStack:

kolla-ansible -i /etc/fm-deploy/kolla-ansible-inventory reconfigure
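
A pre-flight check for the combined .pem file from Step 2, worth running before the reconfigure in Step 6. This is an added example, not part of kolla-ansible: the function name check_combined_pem is hypothetical, and the default path is the guide's example path.

```python
import os
import re
import ssl
import stat
import sys

PEM_LABEL = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----")


def check_combined_pem(path):
    """Return a list of problems with a combined certificate + key PEM file."""
    problems = []

    # Step 2 asks for mode 600: the file holds the private key.
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode != 0o600:
        problems.append(f"mode is {mode:03o}, expected 600")

    with open(path, "r", errors="replace") as fh:
        labels = PEM_LABEL.findall(fh.read())
    has_cert = "CERTIFICATE" in labels
    has_key = any(label.endswith("PRIVATE KEY") for label in labels)
    if not has_cert:
        problems.append("no CERTIFICATE block found")
    if not has_key:
        problems.append("no PRIVATE KEY block found")

    if has_cert and has_key:
        # load_cert_chain() reads both from the one file and fails if the
        # private key does not belong to the certificate. The empty password
        # stops OpenSSL from prompting when the key is encrypted.
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        try:
            ctx.load_cert_chain(path, password="")
        except OSError as exc:  # ssl.SSLError is a subclass of OSError
            problems.append(f"certificate and key do not load together: {exc}")
    return problems


if __name__ == "__main__":
    # Path taken from the guide's example; pass another as the first argument.
    pem = sys.argv[1] if len(sys.argv) > 1 else "/etc/kolla/certificates/host_mycloud.pem"
    found = check_combined_pem(pem)
    for problem in found:
        print(f"{pem}: {problem}")
    sys.exit(1 if found else 0)
```

The script exits non-zero and prints one line per problem, so it can gate the reconfigure step in a deployment wrapper.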