Certificate Lifecycle Management Using Red Hat Identity Management
Contrail Networking Release 5.1 supports using Transport Layer Security (TLS) with Red Hat OpenStack Platform (RHOSP) to perform lifecycle management of certificates, including renewal, expiration, and revocation, using Red Hat Identity Management (IdM). Because IdM identifies endpoints by fully qualified domain names (FQDNs) instead of IP addresses, Contrail Networking services are also enhanced to use FQDNs.
Prior to Contrail Networking Release 5.1, lifecycle management of certificates was done manually.
Fully Qualified Domain Names
Contrail Networking Release 5.1 is integrated with IdM to perform lifecycle management of certificates. Contrail Networking services are also enhanced to use FQDNs in the following scenarios:
- Establishing connections between Contrail Networking components
- Input parameters for Contrail Docker containers, which take FQDNs instead of IP addresses
Contrail TripleO Heat Templates pass FQDNs instead of IP addresses to the Contrail Networking containers only when TLS is enabled. To make the templates pass FQDNs without TLS, set the contrail_nodes_param_suffux: 'node_names' option.
Certificates are issued for every Contrail Networking node and stored in the /etc/contrail/ssl directory, which is mounted into all Contrail Docker containers.
Performing Lifecycle Management of Certificates using Identity Management
Perform the following steps to install the IdM server and manage certificates.
- Deploy and configure IdM server.
For information on installing an IdM server, see Installing an IdM Server: Introduction.
- Before deploying the undercloud, set up the novajoin plugin on the undercloud node.
$ sudo yum install python-novajoin
$ sudo /usr/libexec/novajoin-ipa-setup \
--principal admin \
--password <IdM admin password> \
--server <IdM server hostname> \
--realm <overcloud cloud domain (in upper case)> \
--domain <overcloud cloud domain> \
--hostname <undercloud hostname> \
--precreate
- Prepare the undercloud configuration.
[DEFAULT]
enable_novajoin = true
ipa_otp = <otp>                         # the one-time password returned by novajoin-ipa-setup in the previous step
undercloud_hostname = <undercloud FQDN>
undercloud_nameservers = <IdM IP>
overcloud_domain_name = <domain>
…
- Check that firewalld is installed and enabled on the IPA (Identity, Policy, Audit) server and that the required ports are allowed.
rpm -qa | grep firewalld
If firewalld is not installed, the undercloud installation will fail. To install firewalld and open the ports IdM needs (HTTP/HTTPS, LDAP/LDAPS, Kerberos, kpasswd, DNS, and NTP), use the following commands:
yum install firewalld
firewall-cmd --permanent --add-port={80/tcp,443/tcp,389/tcp,636/tcp,88/tcp,88/udp,464/tcp,464/udp,53/tcp,53/udp,123/udp}
firewall-cmd --permanent --add-service={freeipa-ldap,freeipa-ldaps,dns}
- Deploy the undercloud.
$ openstack undercloud install
$ source stackrc
- (Optional) Check the following services:
(undercloud) [stack@queensa ~]$ systemctl | grep nova
novajoin-notify.service              loaded active running OpenStack Nova IPA Notification Service
novajoin-server.service              loaded active running OpenStack Nova IPA Join Service
openstack-nova-api.service           loaded active running OpenStack Nova API Server
openstack-nova-compute.service       loaded active running OpenStack Nova Compute Server
openstack-nova-conductor.service     loaded active running OpenStack Nova Conductor Server
openstack-nova-scheduler.service     loaded active running OpenStack Nova Scheduler Server
- Configure overcloud DNS and overcloud domain names.
$ openstack subnet set ctlplane-subnet --dns-nameserver <idm_server_address>
- Add the overcloud DNS server and domain names to the contrail-net.yaml environment file.
DnsServers: ["<idm_server_address>"]
CloudDomain: lab.local
CloudName: overcloud.lab.local
CloudNameInternal: overcloud.internalapi.lab.local
CloudNameStorage: overcloud.storage.lab.local
CloudNameStorageManagement: overcloud.storagemgmt.lab.local
CloudNameCtlplane: overcloud.ctlplane.lab.local
- Deploy overcloud with the following environment files.
$ openstack overcloud deploy --templates ~/tripleo-heat-templates \
  -e ~/overcloud_images.yaml \
  -e ~/tripleo-heat-templates/environments/network-isolation.yaml \
  -e ~/tripleo-heat-templates/environments/contrail/contrail-plugins.yaml \
  -e ~/tripleo-heat-templates/environments/contrail/contrail-services.yaml \
  -e ~/tripleo-heat-templates/environments/contrail/contrail-net.yaml \
  -e ~/tripleo-heat-templates/environments/contrail/contrail-tls.yaml \
  -e ~/tripleo-heat-templates/environments/ssl/enable-internal-tls.yaml \
  -e ~/tripleo-heat-templates/environments/ssl/tls-everywhere-endpoints-dns.yaml \
  -e ~/tripleo-heat-templates/environments/services/haproxy-internal-tls-certmonger.yaml \
  -e ~/tripleo-heat-templates/environments/services/haproxy-public-tls-certmonger.yaml \
  --roles-file ~/tripleo-heat-templates/roles_data_contrail_aio.yaml
The contrail-net.yaml, enable-internal-tls.yaml, tls-everywhere-endpoints-dns.yaml, haproxy-internal-tls-certmonger.yaml, and haproxy-public-tls-certmonger.yaml files enable TLS.
- Check that the host is added to the IPA server.
# log in to IPA
(undercloud) [stack@undercloud ~]$ kinit admin
(undercloud) [stack@undercloud ~]$ ipa host-find undercloud.my3domain
--------------
1 host matched
--------------
  Host name: undercloud.my3domain
  Description: Undercloud host
  Principal name: host/undercloud.my3domain@MY3DOMAIN
  Principal alias: host/undercloud.my3domain@MY3DOMAIN
  SSH public key fingerprint: SHA256:GAMClAFAgNN709Kb9AcFWfUG30Y06pcR0EdJBWXWIak (ssh-rsa),
                              SHA256:KqTDfKQEoKKi7FMzuhBwcO+Y/O9t4rHXQcqPKglJPmI (ecdsa-sha2-nistp256),
                              SHA256:QSIBCIiRW03eR6+PPyvDWiWEHXC1MewREAt8hMTUOgU (ssh-ed25519)
- View the list of certificates that certmonger monitors on an overcloud node. The Contrail certificate is tracked with auto-renew enabled, and its post-save command restarts the Contrail containers so that they load the renewed certificate and key.
[heat-admin@overcloud-novacompute-1 ~]$ sudo getcert list
Number of certificates and requests being tracked: 4.
Request ID 'contrail':
        status: MONITORING
        stuck: no
        key pair storage: type=FILE,location='/etc/contrail/ssl/private/server-privkey.pem'
        certificate: type=FILE,location='/etc/contrail/ssl/certs/server.pem'
        CA: IPA
        issuer: CN=Certificate Authority,O=MY3DOMAIN
        subject: CN=overcloud-novacompute-1.my3domain,O=MY3DOMAIN
        expires: 2021-04-20 14:18:21 UTC
        dns: overcloud-novacompute-1.ctlplane.my3domain,overcloud-novacompute-1.internalapi.my3domain,overcloud-novacompute-1.tenant.my3domain,overcloud-novacompute-1.my3domain
        principal name: contrail/overcloud-novacompute-1.my3domain@MY3DOMAIN
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command: "sudo docker ps -q --filter=name="contrail*" | xargs -i sudo docker restart {}"
        track: yes
        auto-renew: yes
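The getcert output above only tells you that certmonger is tracking the request. Before trusting a node's certificate (or after a renewal has fired the post-save command), it is worth checking the files themselves: that /etc/contrail/ssl/certs/server.pem was issued for the private key in /etc/contrail/ssl/private/server-privkey.pem, that its subjectAltName covers every FQDN the Contrail services use to reach the node, and that it is not about to expire. The script below is an added example, not Contrail or TripleO code. It builds a constructed self-signed certificate with the same SAN list the page shows for overcloud-novacompute-1 so that it runs offline; on a real node you would pass the two /etc/contrail/ssl paths instead of the sample files, and the issuer would be the IdM CA rather than the certificate itself.

```shell
#!/bin/sh
# Added example: offline checks on a Contrail node certificate laid out the way
# certmonger stores it (certs/server.pem, private/server-privkey.pem).
# Not Contrail or TripleO code; the sample certificate is a constructed fixture.

# cert_key_match CERT KEY: succeeds when the certificate carries the public key
# derived from KEY (catches a stale certificate left behind after a key rotation).
cert_key_match() {
    [ "$(openssl x509 -noout -pubkey -in "$1")" = "$(openssl pkey -in "$2" -pubout)" ]
}

# cert_has_san CERT NAME: succeeds when NAME is a DNS subjectAltName entry,
# compared as a whole entry so that host.my3domain does not match host.my3domain.tenant.
cert_has_san() {
    openssl x509 -noout -text -in "$1" \
        | sed -n '/Subject Alternative Name/{n;p;}' \
        | tr -d ' ' | tr ',' '\n' \
        | grep -qxF "DNS:$2"
}

# cert_valid_for_days CERT DAYS: succeeds when the certificate is still valid DAYS from now.
cert_valid_for_days() {
    openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$1" >/dev/null
}

# check_contrail_cert CERT KEY MIN_DAYS NAME...: run all checks, report every
# failure, and return non-zero if any check failed.
check_contrail_cert() {
    cert=$1; key=$2; min_days=$3; shift 3
    rc=0
    cert_key_match "$cert" "$key" || { echo "FAIL: $key does not match $cert"; rc=1; }
    cert_valid_for_days "$cert" "$min_days" || { echo "FAIL: $cert expires within $min_days days"; rc=1; }
    for name in "$@"; do
        cert_has_san "$cert" "$name" || { echo "FAIL: SAN is missing DNS:$name"; rc=1; }
    done
    return $rc
}

# make_sample_cert DIR: constructed fixture, a 30-day self-signed certificate with
# the SAN list the page shows for overcloud-novacompute-1 (IdM issues the real one).
make_sample_cert() {
    dir=$1
    mkdir -p "$dir/certs" "$dir/private"
    cat > "$dir/san.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3
[dn]
CN = overcloud-novacompute-1.my3domain
O = MY3DOMAIN
[v3]
subjectAltName = DNS:overcloud-novacompute-1.ctlplane.my3domain,DNS:overcloud-novacompute-1.internalapi.my3domain,DNS:overcloud-novacompute-1.tenant.my3domain,DNS:overcloud-novacompute-1.my3domain
extendedKeyUsage = serverAuth,clientAuth
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$dir/san.cnf" \
        -keyout "$dir/private/server-privkey.pem" -out "$dir/certs/server.pem" 2>/dev/null
}

SAMPLE_DIR=$(mktemp -d)
make_sample_cert "$SAMPLE_DIR"
SAMPLE_CERT=$SAMPLE_DIR/certs/server.pem
SAMPLE_KEY=$SAMPLE_DIR/private/server-privkey.pem

# Passes for names present in the SAN; fails when a name the services would use is absent.
check_contrail_cert "$SAMPLE_CERT" "$SAMPLE_KEY" 14 \
    overcloud-novacompute-1.internalapi.my3domain overcloud-novacompute-1.my3domain \
    && echo "OK: sample certificate passes all checks"
check_contrail_cert "$SAMPLE_CERT" "$SAMPLE_KEY" 14 overcloud-novacompute-1.storage.my3domain \
    || echo "expected failure: the storage FQDN is not in the SAN"
```

Run it on a node as `check_contrail_cert /etc/contrail/ssl/certs/server.pem /etc/contrail/ssl/private/server-privkey.pem 14 <fqdn>...`, listing the ctlplane, internalapi, tenant and bare FQDNs that the TripleO templates pass to the containers. The SAN check matters more than the subject CN: the services connect by the per-network FQDNs, and a certificate whose CN is right but whose SAN lacks one of them will fail TLS verification on that network only.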