This is a blog with random OpenShift, Kubernetes, OpenStack and Linux related notes so I don't forget things. If you find something inaccurate or that could be fixed, please file a bug report here.


21 February 2017

Deploying a TLS everywhere environment with oooq and an existing FreeIPA server

by Juan Antonio Osorio Robles

As an attempt to make the “TLS everywhere” bits more usable and easier for people to try out, I added the deployment steps to tripleo-quickstart.

This currently works if you have an existing FreeIPA server installed somewhere accessible. Note that in this example the nameserver IP is set to ‘’; that is the value we use in CI, so substitute whatever suits your deployment.

The main things to be added to the configuration are the following:

# Main switch to enable all the workflow
enable_tls_everywhere: true

# Undercloud FQDN
undercloud_undercloud_hostname: undercloud.example.com

# Hostnames and domain relevant for the overcloud
overcloud_cloud_name: overcloud.example.com
overcloud_cloud_name_internal: overcloud.internalapi.example.com
overcloud_cloud_name_storage: overcloud.storage.example.com
overcloud_cloud_name_storage_management: overcloud.storagemgmt.example.com
overcloud_cloud_name_ctlplane: overcloud.ctlplane.example.com
overcloud_cloud_domain: example.com

# Nameservers for both the undercloud and the overcloud
overcloud_dns_servers: [""]
undercloud_undercloud_nameservers: [""]

freeipa_admin_password: FreeIPA4All

freeipa_server_hostname: ipa.example.com

The main things that are added to the deployment workflow are the following:

In some instances you might not want to hand your FreeIPA credentials to ansible. If that is the case, you will need to run the preparation script for novajoin yourself, and you will also need to set the following flag:

prepare_novajoin: false
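As an added example (not part of tripleo-quickstart or of the original post), here is a small pre-flight checker for the config block above. It parses only the flat YAML subset the post uses, so it runs without PyYAML, and it flags the things that most often break a TLS-everywhere deployment: missing hostnames, FQDNs outside `overcloud_cloud_domain`, the empty CI placeholder left in the nameserver lists, and an IPA admin password that is either missing when ansible is expected to prepare novajoin or still present after you set `prepare_novajoin: false`. The nameserver and password rules are my assumptions about a sane deployment, not validation oooq itself performs; the sample configs and the `192.0.2.53` nameserver are constructed.

```python
"""Sanity checks for the 'TLS everywhere' block of a tripleo-quickstart config.

Added example; this is not tripleo-quickstart code. The parser covers only the
flat subset used in the post (scalars, inline lists, booleans, '#' comments) so
the script runs without PyYAML. The nameserver and password rules are
assumptions about a sane deployment, not oooq's own validation.
"""

HOSTNAME_KEYS = [
    "undercloud_undercloud_hostname",
    "overcloud_cloud_name",
    "overcloud_cloud_name_internal",
    "overcloud_cloud_name_storage",
    "overcloud_cloud_name_storage_management",
    "overcloud_cloud_name_ctlplane",
    "freeipa_server_hostname",
]
NAMESERVER_KEYS = ["overcloud_dns_servers", "undercloud_undercloud_nameservers"]


def parse_flat_yaml(text):
    """Parse 'key: value' lines: inline [..] lists become Python lists,
    true/false become bools, everything else stays a string."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if value.startswith("[") and value.endswith("]"):
            inner = value[1:-1].strip()
            cfg[key] = [] if not inner else [i.strip().strip("\"'") for i in inner.split(",")]
        elif value.lower() in ("true", "false"):
            cfg[key] = value.lower() == "true"
        else:
            cfg[key] = value.strip("\"'")
    return cfg


def is_ipv4(addr):
    parts = addr.split(".")
    return len(parts) == 4 and all(p.isdigit() and int(p) <= 255 for p in parts)


def check_tls_everywhere(cfg):
    """Return a list of problem strings; an empty list means the block passes."""
    problems = []
    if cfg.get("enable_tls_everywhere") is not True:
        return ["enable_tls_everywhere is not true; TLS everywhere will not be deployed"]

    domain = cfg.get("overcloud_cloud_domain")
    if not domain:
        problems.append("overcloud_cloud_domain is missing")
    for key in HOSTNAME_KEYS:
        value = cfg.get(key)
        if not value:
            problems.append("%s is missing" % key)
        elif domain and not value.endswith("." + domain):
            # The post keeps every FQDN (and the IPA server) under one domain;
            # assumed here to be a requirement for certificate issuance.
            problems.append("%s=%s is not under %s" % (key, value, domain))

    for key in NAMESERVER_KEYS:
        servers = cfg.get(key, [])
        if not servers:
            problems.append("%s is empty" % key)
        for s in servers:
            if not is_ipv4(s):
                # Catches the empty-string placeholder left over from CI.
                problems.append("%s entry %r is not an IPv4 address" % (key, s))

    # Assumption: when ansible prepares novajoin it needs the IPA admin password;
    # when you run the preparation yourself (prepare_novajoin: false) the
    # password has no business being in the config file at all.
    prepare = cfg.get("prepare_novajoin", True)
    has_pw = bool(cfg.get("freeipa_admin_password"))
    if prepare and not has_pw:
        problems.append("freeipa_admin_password needed unless prepare_novajoin: false")
    if not prepare and has_pw:
        problems.append("freeipa_admin_password present but prepare_novajoin is false; drop it")
    return problems


# Constructed sample: the post's block with the CI placeholder nameservers.
POST_CONFIG = """
enable_tls_everywhere: true
undercloud_undercloud_hostname: undercloud.example.com
overcloud_cloud_name: overcloud.example.com
overcloud_cloud_name_internal: overcloud.internalapi.example.com
overcloud_cloud_name_storage: overcloud.storage.example.com
overcloud_cloud_name_storage_management: overcloud.storagemgmt.example.com
overcloud_cloud_name_ctlplane: overcloud.ctlplane.example.com
overcloud_cloud_domain: example.com
overcloud_dns_servers: [""]
undercloud_undercloud_nameservers: [""]
freeipa_admin_password: FreeIPA4All
freeipa_server_hostname: ipa.example.com
"""

# Constructed sample: nameservers filled in (192.0.2.53 is a documentation
# address) and novajoin prepared by hand, so no password in the file.
FIXED_CONFIG = POST_CONFIG.replace('[""]', '["192.0.2.53"]') \
    .replace("freeipa_admin_password: FreeIPA4All", "prepare_novajoin: false")

if __name__ == "__main__":
    for name, text in (("post", POST_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name, check_tls_everywhere(parse_flat_yaml(text)) or "ok")
```

Run it against your real quickstart config before kicking off the deployment; the post's block as written reports both nameserver lists, while the corrected sample passes cleanly.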

tags: tripleo - openstack
