OpenStack

Base directory: environments/kolla

The documentation for kolla-ansible can be found at

https://docs.openstack.org/kolla-ansible/latest/.

Inventory

Add host-specific Kolla variables for network interfaces to the inventory.

  • inventory/host_vars/<hostname>.yml

---
[...]
##########################
# kolla

network_interface: eth0
storage_interface: eth1
tunnel_interface: eth2
api_interface: eth3

neutron_external_interface: eth4
kolla_external_vip_interface: eth5

Use a specific image version

  • environments/kolla/images.yml

---
[...]
##########################
# project: magnum

magnum_api_image: "{{ docker_registry }}/osism/magnum-api"
magnum_api_tag: "pike-latest"

magnum_conductor_image: "{{ docker_registry }}/osism/magnum-conductor"
magnum_conductor_tag: "pike-latest"

Enable service

  • make sure the necessary inventory groups are available in inventory/hosts

  • make sure the desired service is supported

  • enable the service in environments/kolla/configuration.yml (e.g. enable_freezer: "yes" to activate the service Freezer)

HAProxy

Set the kolla_internal_fqdn in environments/kolla/configuration.yml.

Existing certificates (<= Train)

Set kolla_enable_tls_external: "yes" in environments/kolla/configuration.yml and add the content of the existing signed certificate to the kolla_external_fqdn_cert parameter in the environments/kolla/secrets.yml file.

kolla_external_fqdn_cert: |
  -----BEGIN CERTIFICATE-----
  [...]
  -----END CERTIFICATE-----
  -----BEGIN RSA PRIVATE KEY-----
  [...]
  -----END RSA PRIVATE KEY-----

Key and certificates in PEM format are stored consecutively in the following order:

  • server certificate

  • server private key (without any password)

  • intermediate certificates

If the order is not followed, an error occurs when starting HAProxy: inconsistencies between private key and certificate loaded from PEM file '/etc/haproxy/haproxy.pem'.

Existing certificates (> Train)

Set kolla_enable_tls_external: "yes" in environments/kolla/configuration.yml and add certificate to file environments/kolla/certificates/haproxy.pem. You can encrypt the haproxy.pem with ansible vault password.

environments/kolla/certifcates/haproxy.pem
  -----BEGIN CERTIFICATE-----
  [...]
  -----END CERTIFICATE-----
  -----BEGIN RSA PRIVATE KEY-----
  [...]
  -----END RSA PRIVATE KEY-----

Key and certificates in PEM format are stored consecutively in the following order:

  • server certificate

  • server private key (without any password)

  • intermediate certificates

If the order is not followed, an error occurs when starting HAProxy: inconsistencies between private key and certificate loaded from PEM file '/etc/haproxy/haproxy.pem'.

Generate self-signed certificates (<= Train)

If no certificate has been created yet, use osism-kolla _ certificates command to generate a self signed certifacte on the manager node.

osism-kolla _ certificates

PLAY [Apply role certificates] ***********************************************************************************

TASK [certificates : include_tasks] ******************************************************************************
included: /ansible/roles/certificates/tasks/generate.yml for localhost

TASK [certificates : Ensuring config directories exist] **********************************************************
changed: [localhost]

TASK [certificates : Creating SSL configuration file] ************************************************************
changed: [localhost] => (item=openssl-kolla.cnf)

TASK [certificates : Creating Key] *******************************************************************************
changed: [localhost] => (item=/share/certificates/private/haproxy.key)

TASK [certificates : Setting permissions on key] *****************************************************************
ok: [localhost]

TASK [certificates : Creating Server Certificate] ****************************************************************
changed: [localhost] => (item=/share/certificates/private/haproxy.crt)

PLAY RECAP *******************************************************************************************************
localhost                  : ok=6    changed=4    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0

The self-signed certificate is located at /share/certificates/haproxy.pem inside the manager_kolla-ansible_1 container on the manager node.

docker exec -u root -ti manager_kolla-ansible_1 sh -c 'cat /share/certificates/private/haproxy.*'

Add the content of the output from the command above to kolla_external_fqdn_cert parameter at environments/kolla/secrets.yml of the configuration repository.

Set kolla_enable_tls_external: "yes" at environments/kolla/configuration.yml of the configuration repository.

You should also add the self-signed certificate to the list of trusted certifcates on every computer that uses the external API. The workflow is different for different Linux distributions. Many programs, such as OpenStackClient or cURL, also offer an --insecure parameter as a temporary solution.

Generate self-signed certificates (> Train)

If no certificate has been created yet, use osism-kolla _ certificates -e kolla_certificates_dir=/share command to generate a self signed certifacte on the manager node.

docker exec -it manager_kolla-ansible_1 cat /share/haproxy.pem > \
                /opt/configuration/environments/kolla/certificates/haproxy.pem

Add certificate into container

Using a self-signed or an customer certificate will result in adding this to containers.

environments/configuration.yml
##########################
# other stuff

kolla_copy_ca_into_containers: "yes"
openstack_cacert: /etc/ssl/certs/ca-certificates.crt

Insert the certificate part in environments/kolla/certificates/ca/customer.crt. You can encrypt this file with ansible vault password.

If you want to add more than one certificate, you can add more files. Please notice to use crt as filename, otherwise update-ca-certificates will not import the files.