一 环境准备阶段
基本环境:
OS系统:CentOS 7.6
python: python2.7.5
openstack版本:train
1. 生成ssl需要的ca文件
# Generate the TLS material that every service below points at. This is a single
# self-signed server certificate, not a separate CA.
# - server.key: 4096-bit RSA private key; it is later loaded as key_file, so keep
#   it readable only by root / the service accounts that need it.
# - server.csr: request built from ssl.conf (not shown on this page); ssl.conf
#   must also define the req_ext section named by -extensions.
# - server.crt: self-signed, because -signkey reuses the same server.key; valid
#   for 10950 days. As no CA signs it, every client has to be told to trust this
#   exact file (OS_CACERT / cafile further down) or verification fails.
openssl genrsa -out server.key 4096
openssl req -new -sha256 -out server.csr -key server.key -config ssl.conf
openssl x509 -req -days 10950 -in server.csr -signkey server.key -out server.crt -extensions req_ext -extfile ssl.conf
server.crt、server.key(如下图)
2. 查看本地是否安装mod_ssl
# Check that the Apache TLS module package is installed; httpd needs it to serve
# keystone over https through the vhost edited below. Empty output means it is
# missing.
rpm -qa | grep mod_ssl
3. 查看openstack组件endpoint
二 各组件修改https
1. keystone组件升级至https
# 修改 /etc/keystone/keystone.conf 文件,添加如下图内容
# 修改/etc/httpd/conf.d/wsgi-keystone.conf,添加如下图内容
# 删除原来endpoint
# Drop the existing keystone service registration (and the http endpoints under
# it) so the bootstrap step below can register the https endpoints cleanly.
openstack service delete keystone
# 重启httpd服务
# Restart Apache so the keystone.conf / wsgi-keystone.conf edits above take
# effect, and memcached alongside it.
systemctl restart httpd memcached
# 创建endpoint
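# Bootstrap the identity service with https endpoints in region RegionOne.
# The admin password is supplied through OS_BOOTSTRAP_PASSWORD, which
# keystone-manage reads when --bootstrap-password is not given, so the secret
# never appears in the process argument list or the shell history. Export it
# before running this step, e.g. `export OS_BOOTSTRAP_PASSWORD=<admin password>`
# (use the same value that admin-rc carries as the admin password).
: "${OS_BOOTSTRAP_PASSWORD:?export OS_BOOTSTRAP_PASSWORD before running bootstrap}"
keystone-manage bootstrap \
--bootstrap-admin-url https://controller:5000/v3/ \
--bootstrap-internal-url https://controller:5000/v3/ \
--bootstrap-public-url https://controller:5000/v3/ \
--bootstrap-region-id RegionOne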
# 修改token加载文件 admin-rc
添加如下内容: export OS_CACERT=/mnt/ssl/server.crt
# 加载凭据(含上面添加的 OS_CACERT)后再查看endpoint
# Load the admin credentials; with OS_CACERT added to admin-rc above, the client
# now trusts the self-signed server.crt when it talks to the https endpoints.
source /root/admin-rc
2. glance组件升级至https
# 修改 /etc/glance/glance.conf 文件,添加如下内容(注意:下面 [keystone_authtoken] 中的 insecure=True 会关闭对 keystone 证书的校验,此时 cafile 不起作用;证书已通过 cafile 指定的情况下,生产环境应使用 insecure=False)
[DEFAULT]
.............
cert_file=/mnt/ssl/server.crt
key_file=/mnt/ssl/server.key
..............
[keystone_authtoken]
www_authenticate_uri = https://controller:5000
auth_url = https://controller:5000
memcached_servers = controller:11211
insecure=True
cafile=/mnt/ssl/server.crt
auth_host=controller
auth_protocol=https
.................
[ssl]
use_ssl =true
ssl_version = +TLSv1.3
cert_file=/mnt/ssl/server.crt
key_file=/mnt/ssl/server.key
# 删除原来endpoint
# Drop the existing glance service registration (and its http endpoints) before
# re-creating it with https endpoints below.
openstack service delete glance
# 创建service、endpoint
# Re-register the image service and its public https endpoint; the internal
# endpoint is created in the following step.
openstack service create --name glance --description "OpenStack Image" image
openstack endpoint create --region RegionOne image public https://controller:9292
openstack endpoint create --region RegionOne image internal