Merge "Update overcloud SSL docs"

Jenkins 2016-08-01 09:25:25 +00:00 committed by Gerrit Code Review
commit a22d40a623

@ -2,22 +2,20 @@ Deploying with SSL
================== ==================
TripleO supports deploying with SSL on the public OpenStack endpoints. TripleO supports deploying with SSL on the public OpenStack endpoints.
The following explains how to enable that.
This document will focus on deployments using network isolation. For more
details on deploying that way, see
:doc:`../advanced_deployment/network_isolation`
Overcloud SSL Overcloud SSL
------------- -------------
Public VIP Details Certificate and Public VIP Configuration
~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
To start, it is necessary to have a predictable public VIP. As of this
writing, that means using network isolation. With network isolation, the
first address in the external network allocation range will be assigned
as the public VIP. For details on deploying with network isolation, see
:doc:`../advanced_deployment/network_isolation`.
It is important that the public VIP be predictable because the SSL The public VIP of the deployed overcloud needs to be predictable in order for
certificate's Common Name must match the address of the configured the SSL certificate to be configured properly. There are two options for
overcloud public endpoints. There are two ways to accomplish this: configuring the certificate:
#. The certificate's Common Name can be set to the IP of the public #. The certificate's Common Name can be set to the IP of the public
VIP. In this case, the Common Name must match *exactly*. If the public VIP. In this case, the Common Name must match *exactly*. If the public
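
Review bot: The rewritten paragraph under "Certificate and Public VIP Configuration" drops the reason the VIP has to be predictable. The old text said the certificate's Common Name must match the address of the configured overcloud public endpoints; the new wording only says the certificate must be "configured properly". Suggest keeping the Common Name sentence, because the two numbered options that follow only make sense once the reader knows about the match requirement. The removed statement that the first address in the external allocation range becomes the public VIP also has no replacement in this hunk, so a pointer to where the VIP is now set explicitly would help here.
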
@ -30,6 +28,19 @@ overcloud public endpoints. There are two ways to accomplish this:
Note that this option also requires pre-configuration of the specified Note that this option also requires pre-configuration of the specified
DNS server with the appropriate FQDN and public VIP. DNS server with the appropriate FQDN and public VIP.
In either case, the public VIP must be explicitly specified as part of the
deployment configuration. This can be done by passing an environment file
like the following::
parameter_defaults:
PublicVirtualFixedIPs: [{'ip_address':'10.0.0.1'}]
.. note:: If network isolation is not in use, the ControlFixedIPs parameter
should be set instead.
The selected IP should fall in the specified allocation range for the public
network.
Certificate Details Certificate Details
~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~
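
Review bot: The added ``PublicVirtualFixedIPs`` example is not tied back to the certificate, so a reader following option 1 is not told that the ``ip_address`` given here is the value the Common Name must match exactly. One sentence stating that link, placed right after the example, would close the gap. Two smaller points in the same block: the note names ``ControlFixedIPs`` without showing what its value looks like, and "the specified allocation range" does not say where that range is specified. That last sentence would also read better directly after the example than after the note.
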
@ -79,11 +90,11 @@ An abbreviated version of how the file should look::
parameter_defaults: parameter_defaults:
SSLCertificate: | SSLCertificate: |
-----BEGIN CERTIFICATE----- -----BEGIN CERTIFICATE-----
MIIDgzCCAmugAwIBAgIJAKk46qw6ncJaMA0GCSqGSIb3DQEBCwUAMFgxCzAJBgNV MIIDgzCCAmugAwIBAgIJAKk46qw6ncJaMA0GCSqGSIb3DQEBCwUAMFgxCzAJBgNV
[snip] [snip]
sFW3S2roS4X0Af/kSSD8mlBBTFTCMBAj6rtLBKLaQbIxEpIzrgvp sFW3S2roS4X0Af/kSSD8mlBBTFTCMBAj6rtLBKLaQbIxEpIzrgvp
-----END CERTIFICATE----- -----END CERTIFICATE-----
[rest of file snipped] [rest of file snipped]
``SSLKey`` should look similar, except with the value of the private key. ``SSLKey`` should look similar, except with the value of the private key.
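
Review bot: The trailing context line about ``SSLKey`` is the only guidance the sample gives for the private key, and since this hunk already touches the sample file it would be a good place to add a sentence telling the reader to restrict read access to the environment file, because it holds the key in plain text. The changed lines show no text difference in this view, so they look like an indentation-only fix; please confirm the PEM lines end up indented consistently under ``SSLCertificate: |`` so the rendered example is valid YAML when copied.
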
@ -127,7 +138,7 @@ To do so, create a new file named something like ``cloudname.yaml``::
parameter_defaults: parameter_defaults:
CloudName: my-overcloud.my-domain.com CloudName: my-overcloud.my-domain.com
DnsServers: 10.0.0.1 DnsServers: 10.0.0.100
Replace the values with ones appropriate for the target environment. Note that Replace the values with ones appropriate for the target environment. Note that
the configured DNS server(s) must have an entry for the configured ``CloudName`` the configured DNS server(s) must have an entry for the configured ``CloudName``
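
Review bot: The ``DnsServers`` value changes from 10.0.0.1 to 10.0.0.100 with no stated reason, either in the text or in the commit message ("Update overcloud SSL docs"). It looks like the change avoids reusing 10.0.0.1, which the new ``PublicVirtualFixedIPs`` example uses for the public VIP. If so, say that in the commit message so the next editor does not make the two examples collide again. The following sentence refers to "DNS server(s)" while the example shows a single address; showing how more than one server is written would match the wording.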