Deploying a TLS everywhere environment with oooq and an existing FreeIPA server
by Juan Antonio Osorio Robles
As an attempt to make the “TLS everywhere” bits more usable and easier for people to try out, I added the deployment steps to tripleo-quickstart.
This currently works if you have an existing FreeIPA server installed somewhere accessible. Note that in this example, the IP is set to ‘192.168.24.250’. this is because that’s the value that we use in CI. So use what suits your deployment.
The main things to be added to the configuration are the following:
enable_tls_everywhere: This is the main switch that will enable the whole workflow. It defaults to false.
undercloud_undercloud_hostname: This will set the hostname for the undercloud node and will be used in this workflow to create the host principal for the undercloud.
The following are the hostnames for the overcloud VIPs. They will be used as the keystone endpoints. Please note that these values are network dependant, and the names should reflect it. The values are these:
overcloud_cloud_domain: This is the domain for the cloud deployment. It will be used for the overcloud nodes, and should match the FreeIPA kerberos realm.
overcloud_dns_servers: This is a list of servers that will be used as the nameservers for the overcloud nodes. It gets persisted in the DnsServers parameter in heat.
undercloud_undercloud_nameservers: This is a list of servers that will be used as the nameservers for the undercloud node.
freeipa_admin_password: This is the password for the admin user of your FreeIPA server.
freeipa_server_hostname: The FQDN of your FreeIPA server.
The main things that are added to the deployment workflow are the following:
Before installing the undercloud, we install the novajoin package, and use the FreeIPA credentials to set up the necessary permissions/privileges in FreeIPA, as well as create the undercloud service principal.
Before uploading the overcloud images to glance, we install a specific version of cloud-init for novajoin to work. This is because the version that’s currently in CentOS has a bug; and the newest version available has dependency issues that doesn’t let Heat software deployments work.
It adds the relevant environment files to the overcloud deploy script created by quickstart. These will in turn deploy the overcloud with TLS-everywhere enabled.
In some instances, you might not want to give your FreeIPA credentials to ansible. If this is the case, you’ll need to run the preparation script for novajoin yourself. If you want to do this, you will also need to set up the following flag:
tags: tripleo - openstack