Base directory: environments/kolla
The documentation for kolla-ansible
can be found at
https://docs.openstack.org/kolla-ansible/latest/.
openstack/ceilometer openstack/cinder openstack/freezer openstack/gnocchi openstack/heat openstack/horizon openstack/keystone openstack/mistral openstack/neutron openstack/nova openstack/skydive
Add host-specific Kolla variables for network interfaces to the inventory.
inventory/host_vars/<hostname>.yml
---
[...]
##########################
# kolla
network_interface: eth0
storage_interface: eth1
tunnel_interface: eth2
api_interface: eth3
neutron_external_interface: eth4
kolla_external_vip_interface: eth5
environments/kolla/images.yml
---
[...]
##########################
# project: magnum
magnum_api_image: "{{ docker_registry }}/osism/magnum-api"
magnum_api_tag: "pike-latest"
magnum_conductor_image: "{{ docker_registry }}/osism/magnum-conductor"
magnum_conductor_tag: "pike-latest"
- make sure the necessary inventory groups are available in
inventory/hosts
- make sure the desired service is supported
- enable the service in
environments/kolla/configuration.yml
(e.g.enable_freezer: "yes"
to activate the service Freezer)
Set the kolla_internal_fqdn
in environments/kolla/configuration.yml
.
Set kolla_enable_tls_external: "yes"
in environments/kolla/configuration.yml
and add the content of the existing signed certificate to the kolla_external_fqdn_cert
parameter in the environments/kolla/secrets.yml
file.
kolla_external_fqdn_cert: |
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
[...]
-----END RSA PRIVATE KEY-----
Key and certificates in PEM format are stored consecutively in the following order:
- server certificate
- server private key (without any password)
- intermediate certificates
If the order is not followed, an error occurs when starting HAProxy: inconsistencies between private key and certificate loaded from PEM file '/etc/haproxy/haproxy.pem'
.
Set kolla_enable_tls_external: "yes"
in environments/kolla/configuration.yml
and add certificate to file environments/kolla/certificates/haproxy.pem
. You can encrypt the haproxy.pem
with ansible vault password.
environments/kolla/certifcates/haproxy.pem
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
[...]
-----END RSA PRIVATE KEY-----
Key and certificates in PEM format are stored consecutively in the following order:
- server certificate
- server private key (without any password)
- intermediate certificates
If the order is not followed, an error occurs when starting HAProxy: inconsistencies between private key and certificate loaded from PEM file '/etc/haproxy/haproxy.pem'
.
If no certificate has been created yet, use osism-kolla _ certificates
command to generate a self signed certifacte on the manager node.
osism-kolla _ certificates
PLAY [Apply role certificates] ***********************************************************************************
TASK [certificates : include_tasks] ******************************************************************************
included: /ansible/roles/certificates/tasks/generate.yml for localhost
TASK [certificates : Ensuring config directories exist] **********************************************************
changed: [localhost]
TASK [certificates : Creating SSL configuration file] ************************************************************
changed: [localhost] => (item=openssl-kolla.cnf)
TASK [certificates : Creating Key] *******************************************************************************
changed: [localhost] => (item=/share/certificates/private/haproxy.key)
TASK [certificates : Setting permissions on key] *****************************************************************
ok: [localhost]
TASK [certificates : Creating Server Certificate] ****************************************************************
changed: [localhost] => (item=/share/certificates/private/haproxy.crt)
PLAY RECAP *******************************************************************************************************
localhost : ok=6 changed=4 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
The self-signed certificate is located at /share/certificates/haproxy.pem
inside the manager_kolla-ansible_1
container on the manager node.
docker exec -u root -ti manager_kolla-ansible_1 sh -c 'cat /share/certificates/private/haproxy.*'
Add the content of the output from the command above to kolla_external_fqdn_cert
parameter at environments/kolla/secrets.yml
of the configuration repository.
Set kolla_enable_tls_external: "yes"
at environments/kolla/configuration.yml
of the configuration repository.
You should also add the self-signed certificate to the list of trusted certifcates on every computer that uses the external API. The workflow is different for different Linux distributions. Many programs, such as OpenStackClient
or cURL
, also offer an --insecure
parameter as a temporary solution.
If no certificate has been created yet, use osism-kolla _ certificates -e kolla_certificates_dir=/share
command to generate a self signed certifacte on the manager node.
docker exec -it manager_kolla-ansible_1 cat /share/haproxy.pem > \
/opt/configuration/environments/kolla/certificates/haproxy.pem
Using a self-signed or an customer certificate will result in adding this to containers.
##########################
# other stuff
kolla_copy_ca_into_containers: "yes"
openstack_cacert: /etc/ssl/certs/ca-certificates.crt
Insert the certificate part in environments/kolla/certificates/ca/customer.crt
. You can encrypt this file with ansible vault password.
If you want to add more than one certificate, you can add more files. Please notice to use crt
as filename, otherwise update-ca-certificates
will not import the files.