SSL configuration for API, neutron server and openstack keystone in Contrail
Provisioning keystone, api-server and neutron-server with SSL. Keystone is configured with native SSL; api-server and neutron-server are fronted by HAProxy, which terminates SSL for them.
```
# In Keystone Node,
mkdir -p /etc/keystone/ssl; chown keystone:keystone /etc/keystone/ssl
```
Download the script from github if provisioning a contrail release older than 3.0.3.2; otherwise the script is installed at /opt/contrail/bin/create-ssl-certs.sh by the contrail-setup package.
```
wget https://raw.githubusercontent.com/Juniper/contrail-provisioning/master/contrail_provisioning/common/scripts/create-ssl-certs.sh
```
```
# In Keystone Node,
# generate the keystone certificate, private key and CA under /etc/keystone/ssl/
create-ssl-certs.sh <KeystoneNodeIP|VIP> /etc/keystone/ssl/ keystone
# copy the whole directory (including the private key) to the other keystone nodes
scp -r /etc/keystone/ssl/ <user>@<KeystoneNodeIp2>:/etc/keystone/ssl/
scp -r /etc/keystone/ssl/ <user>@<KeystoneNodeIp3>:/etc/keystone/ssl/
# enable native SSL; both the [ssl] and [eventlet_server_ssl] sections are set so the
# configuration applies whichever section the installed keystone release reads
openstack-config --set /etc/keystone/keystone.conf ssl enable true
openstack-config --set /etc/keystone/keystone.conf ssl certfile /etc/keystone/ssl/certs/keystone.pem
openstack-config --set /etc/keystone/keystone.conf ssl keyfile /etc/keystone/ssl/private/keystone.key
openstack-config --set /etc/keystone/keystone.conf ssl ca_certs /etc/keystone/ssl/certs/keystone_ca.pem
openstack-config --set /etc/keystone/keystone.conf eventlet_server_ssl enable true
openstack-config --set /etc/keystone/keystone.conf eventlet_server_ssl certfile /etc/keystone/ssl/certs/keystone.pem
openstack-config --set /etc/keystone/keystone.conf eventlet_server_ssl keyfile /etc/keystone/ssl/private/keystone.key
openstack-config --set /etc/keystone/keystone.conf eventlet_server_ssl ca_certs /etc/keystone/ssl/certs/keystone_ca.pem
service keystone restart
```
Delete the existing keystone endpoint and replace it with an endpoint whose URL uses 'https'.
Delete the existing neutron endpoint and replace it with an endpoint whose URL uses 'https'.
```
# In api-server Node,
mkdir -p /etc/contrail/ssl; chown contrail:contrail /etc/contrail/ssl
```
Download the script from github if provisioning a contrail release older than 3.0.3.2; otherwise the script is installed at /opt/contrail/bin/create-ssl-certs.sh by the contrail-setup package.
```
wget https://raw.githubusercontent.com/Juniper/contrail-provisioning/master/contrail_provisioning/common/scripts/create-ssl-certs.sh
```
```
# In api-server Node,
# generate the api-server certificate, private key and CA under /etc/contrail/ssl/
create-ssl-certs.sh <ConfigNodeIP|VIP> /etc/contrail/ssl/ apiserver
```
The certificate bundle is used by HAProxy for SSL termination:
```
# In api-server Node,
cd /etc/contrail/ssl/; cat certs/apiserver_ca.pem private/apiserver.key certs/apiserver.pem >> certs/apiservercertbundle.pem
```
The keystone certificate and CA need to be available on the api-server node, so that api-server can talk to keystone securely using the keystone certs/CA.
```
# From api-server node,
scp <user>@<keystoneNodeIp>:/etc/keystone/ssl/certs/keystone.pem /etc/contrail/ssl/certs/
scp <user>@<keystoneNodeIp>:/etc/keystone/ssl/certs/keystone_ca.pem /etc/contrail/ssl/certs/
chown -R contrail:contrail /etc/contrail/ssl/certs/
# copy the whole directory to the other config nodes
scp -r /etc/contrail/ssl/ <user>@<ConfigNodeIp2>:/etc/contrail/ssl/
scp -r /etc/contrail/ssl/ <user>@<ConfigNodeIp3>:/etc/contrail/ssl/
```
Ensure the api-server haproxy config in /etc/haproxy.cfg looks like the following:
```
frontend api-server
    bind *:9696 ssl crt /etc/contrail/ssl/certs/apiservercertbundle.pem
    default_backend api-server-backend

backend api-server-backend
    option nolinger
    option forwardfor
    balance roundrobin
    http-request set-header X-Forwarded-Port %[dst_port]
    http-request add-header X-Forwarded-Proto https if { ssl_fc }
    server <ConfigHostIp1> <ConfigHostIp1>:9697 check inter 2000 rise 2 fall 3
    server <ConfigHostIp2> <ConfigHostIp2>:9697 check inter 2000 rise 2 fall 3
    server <ConfigHostIp3> <ConfigHostIp3>:9697 check inter 2000 rise 2 fall 3
```
Restart haproxy:
```
service haproxy restart
```
```
# In api-server Node,
# point api-server at keystone over https and make it verify the keystone certificate
openstack-config --set /etc/contrail/contrail-keystone-auth.conf KEYSTONE auth_url https://<KeystoneIp>:<Port>/<version>
openstack-config --set /etc/contrail/contrail-keystone-auth.conf KEYSTONE auth_protocol https
openstack-config --set /etc/contrail/contrail-keystone-auth.conf KEYSTONE insecure False
openstack-config --set /etc/contrail/contrail-keystone-auth.conf KEYSTONE certfile /etc/contrail/ssl/certs/keystone.pem
openstack-config --set /etc/contrail/contrail-keystone-auth.conf KEYSTONE keyfile /etc/contrail/ssl/certs/keystone.pem
openstack-config --set /etc/contrail/contrail-keystone-auth.conf KEYSTONE cafile /etc/contrail/ssl/certs/keystone_ca.pem
# vnc_api_lib.ini: [global] is used for the api-server connection, [auth] for keystone
chown contrail:contrail /etc/contrail/vnc_api_lib.ini
openstack-config --set /etc/contrail/vnc_api_lib.ini global insecure False
openstack-config --set /etc/contrail/vnc_api_lib.ini global certfile /etc/contrail/ssl/certs/apiserver.pem
openstack-config --set /etc/contrail/vnc_api_lib.ini global keyfile /etc/contrail/ssl/certs/apiserver.pem
openstack-config --set /etc/contrail/vnc_api_lib.ini global cafile /etc/contrail/ssl/certs/apiserver_ca.pem
openstack-config --set /etc/contrail/vnc_api_lib.ini auth insecure False
openstack-config --set /etc/contrail/vnc_api_lib.ini auth AUTHN_PROTOCOL https
openstack-config --set /etc/contrail/vnc_api_lib.ini auth certfile /etc/contrail/ssl/certs/keystone.pem
openstack-config --set /etc/contrail/vnc_api_lib.ini auth keyfile /etc/contrail/ssl/certs/keystone.pem
openstack-config --set /etc/contrail/vnc_api_lib.ini auth cafile /etc/contrail/ssl/certs/keystone_ca.pem
service supervisor-config restart
```
```
# In neutron-server Node,
mkdir -p /etc/neutron/ssl; chown neutron:neutron /etc/neutron/ssl
```
```
# In api-server Node,
mkdir -p /etc/contrail/ssl; chown contrail:contrail /etc/contrail/ssl
```
Download the script from github if provisioning a contrail release older than 3.0.3.2; otherwise the script is installed at /opt/contrail/bin/create-ssl-certs.sh by the contrail-setup package.
```
wget https://raw.githubusercontent.com/Juniper/contrail-provisioning/master/contrail_provisioning/common/scripts/create-ssl-certs.sh
```
```
# In neutron-server Node,
# generate the neutron certificate, private key and CA under /etc/neutron/ssl/
create-ssl-certs.sh <NeutronNodeIP|VIP> /etc/neutron/ssl/ neutron
```
The certificate bundle is used by HAProxy for SSL termination:
```
# In neutron-server Node,
cd /etc/neutron/ssl/; cat certs/neutron_ca.pem private/neutron.key certs/neutron.pem >> certs/neutroncertbundle.pem
```
The keystone certificate and CA need to be available on the neutron-server node, so that neutron-server can talk to keystone securely using the keystone certs/CA.
```
# From neutron-server node,
scp <user>@<keystoneNodeIp>:/etc/keystone/ssl/certs/keystone.pem /etc/neutron/ssl/certs/
scp <user>@<keystoneNodeIp>:/etc/keystone/ssl/certs/keystone_ca.pem /etc/neutron/ssl/certs/
chown -R neutron:neutron /etc/neutron/ssl/certs/
```
The api-server certificate and CA need to be available on the neutron-server node, so that neutron-server can talk to api-server securely using the api-server certs/CA.
```
# From neutron-server node (the files are pulled from the api-server/config node),
scp <user>@<ConfigNodeIp>:/etc/contrail/ssl/certs/apiserver.pem /etc/neutron/ssl/certs/
scp <user>@<ConfigNodeIp>:/etc/contrail/ssl/certs/apiserver_ca.pem /etc/neutron/ssl/certs/
chown -R neutron:neutron /etc/neutron/ssl/certs/
# copy the whole directory to the other neutron-server nodes
scp -r /etc/neutron/ssl/ <user>@<NeutronNodeIp2>:/etc/neutron/ssl/
scp -r /etc/neutron/ssl/ <user>@<NeutronNodeIp3>:/etc/neutron/ssl/
```
Ensure the neutron-server haproxy config in /etc/haproxy.cfg looks like the following:
```
frontend neutron-server
    bind *:9696 ssl crt /etc/neutron/ssl/certs/neutroncertbundle.pem
    default_backend neutron-server-backend

backend neutron-server-backend
    option nolinger
    option forwardfor
    balance roundrobin
    http-request set-header X-Forwarded-Port %[dst_port]
    http-request add-header X-Forwarded-Proto https if { ssl_fc }
    server <NeutronHostIp1> <NeutronHostIp1>:9697 check inter 2000 rise 2 fall 3
    server <NeutronHostIp2> <NeutronHostIp2>:9697 check inter 2000 rise 2 fall 3
    server <NeutronHostIp3> <NeutronHostIp3>:9697 check inter 2000 rise 2 fall 3
```
Restart haproxy:
```
service haproxy restart
```
Add the keystone certificate information to the keystone_authtoken section of neutron.conf:
```
openstack-config --set /etc/neutron/neutron.conf keystone_authtoken auth_protocol https
openstack-config --set /etc/neutron/neutron.conf keystone_authtoken certfile /etc/neutron/ssl/certs/keystone.pem
openstack-config --set /etc/neutron/neutron.conf keystone_authtoken keyfile /etc/neutron/ssl/certs/keystone.pem
openstack-config --set /etc/neutron/neutron.conf keystone_authtoken cafile /etc/neutron/ssl/certs/keystone_ca.pem
```
Add the api-server certificate information to the APISERVER section of ContrailPlugin.ini:
```
openstack-config --set /etc/neutron/plugins/opencontrail/ContrailPlugin.ini APISERVER use_ssl True
openstack-config --set /etc/neutron/plugins/opencontrail/ContrailPlugin.ini APISERVER insecure False
openstack-config --set /etc/neutron/plugins/opencontrail/ContrailPlugin.ini APISERVER certfile /etc/neutron/ssl/certs/apiserver.pem
openstack-config --set /etc/neutron/plugins/opencontrail/ContrailPlugin.ini APISERVER keyfile /etc/neutron/ssl/certs/apiserver.pem
openstack-config --set /etc/neutron/plugins/opencontrail/ContrailPlugin.ini APISERVER cafile /etc/neutron/ssl/certs/apiserver_ca.pem
```
Configure vnc_api_lib.ini on the neutron-server node. It is read by the vnc_api client library, which the neutron contrail plugin uses to talk to api-server.
```
chown contrail:contrail /etc/contrail/vnc_api_lib.ini
# let the neutron user read the contrail-owned config
usermod -a -G contrail neutron
# SKIP the commands below (8. Configure vnc_api_lib.ini) if neutron-server/plugin runs on the same node as the config node.
openstack-config --set /etc/contrail/vnc_api_lib.ini global insecure False
openstack-config --set /etc/contrail/vnc_api_lib.ini global certfile /etc/neutron/ssl/certs/apiserver.pem
openstack-config --set /etc/contrail/vnc_api_lib.ini global keyfile /etc/neutron/ssl/certs/apiserver.pem
openstack-config --set /etc/contrail/vnc_api_lib.ini global cafile /etc/neutron/ssl/certs/apiserver_ca.pem
openstack-config --set /etc/contrail/vnc_api_lib.ini auth insecure False
openstack-config --set /etc/contrail/vnc_api_lib.ini auth AUTHN_PROTOCOL https
openstack-config --set /etc/contrail/vnc_api_lib.ini auth certfile /etc/neutron/ssl/certs/keystone.pem
openstack-config --set /etc/contrail/vnc_api_lib.ini auth keyfile /etc/neutron/ssl/certs/keystone.pem
openstack-config --set /etc/contrail/vnc_api_lib.ini auth cafile /etc/neutron/ssl/certs/keystone_ca.pem
service neutron-server restart
```
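A post-provisioning audit of the settings written above, as an added example (not code from the Contrail wiki or the contrail-provisioning project): it reads the [KEYSTONE], [global]/[auth] and [APISERVER] sections that the openstack-config commands set and flags anything left at plain http, at insecure=True, or without a CA file. The sample config text and the 10.0.0.5 address are constructed for the demonstration.

```python
"""Audit the SSL settings this page configures. Added example, not code from
the Contrail wiki or the contrail-provisioning project; standard library only
and run against constructed sample text, so it works offline."""
import configparser

# (section, key) -> expected value; None means any non-empty value is accepted.
# Sections and keys are the ones the page sets with openstack-config.
EXPECTED = {
    "contrail-keystone-auth.conf": {
        ("KEYSTONE", "auth_protocol"): "https", ("KEYSTONE", "insecure"): "False",
        ("KEYSTONE", "cafile"): None},
    "vnc_api_lib.ini": {
        ("global", "insecure"): "False", ("global", "cafile"): None,
        ("auth", "AUTHN_PROTOCOL"): "https", ("auth", "insecure"): "False",
        ("auth", "cafile"): None},
    "ContrailPlugin.ini": {
        ("APISERVER", "use_ssl"): "True", ("APISERVER", "insecure"): "False",
        ("APISERVER", "cafile"): None},
}


def audit(name, text):
    """Return findings for one config file; an empty list means it matches."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep AUTHN_PROTOCOL upper-case, as the page writes it
    cp.read_string(text)
    findings = []
    for (section, key), want in EXPECTED[name].items():
        got = cp.get(section, key, fallback="").strip()
        if not got:
            findings.append(f"{name}: [{section}] {key} missing")
        elif want is not None and got.lower() != want.lower():
            findings.append(f"{name}: [{section}] {key}={got!r}, expected {want!r}")
    if name == "contrail-keystone-auth.conf":  # token requests must not use http
        url = cp.get("KEYSTONE", "auth_url", fallback="")
        if not url.startswith("https://"):
            findings.append(f"{name}: [KEYSTONE] auth_url is not https: {url!r}")
    return findings


# Constructed samples: the file as the page leaves it, and a weakened copy
# (plain http, verification switched off, no CA file).
GOOD = ("[KEYSTONE]\nauth_url = https://10.0.0.5:5000/v2.0\nauth_protocol = https\n"
        "insecure = False\ncafile = /etc/contrail/ssl/certs/keystone_ca.pem\n")
BAD = "[KEYSTONE]\nauth_url = http://10.0.0.5:5000/v2.0\nauth_protocol = http\ninsecure = True\n"

if __name__ == "__main__":
    for label, text in (("good", GOOD), ("bad", BAD)):
        print(label, audit("contrail-keystone-auth.conf", text) or "ok")
```

Run it against the real files with `audit(name, open(path).read())` on each node after the restarts; the weakened sample yields four findings.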