Service endpoint encryption

Overview

The encryption of service API endpoints in an OpenStack cloud requires a method for the creation and distribution of TLS certificates. Canonical OpenStack supports enabling TLS via the Traefik application, which is the ingress point for all service endpoints.

Note

Currently, only the TLS CA feature method is supported. This feature only works with certificates signed by an external Certificate Authority.

TLS CA feature

The TLS CA feature is the method to use for deployments that obtain their certificates from a third-party CA.

Tip

For a how-to on using the TLS CA feature see Implement TLS using a third-party CA.

Points of interest for this design:

  • Enabling the feature deploys the manual-tls-certificates charm and integrates the manual-tls-certificates application with the Traefik application. This step requires the third-party CA certificate and its CA chain.

  • Certificate Signing Requests (CSRs) need to be retrieved for all Traefik units.

  • This method involves interfacing directly with the chosen Certificate Authority.

  • Each Traefik unit needs to be provided with its own signed certificate. This switches the service endpoints to HTTPS and also distributes the CA certificates, via Keystone, to all application units across the cloud.
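The four points above describe a CSR-to-signed-certificate flow that passes through an external CA. The script below is an added example, not Canonical OpenStack's own tooling or the manual-tls-certificates charm's code: it uses plain openssl to stand in for the third-party CA and for two Traefik units, and shows the two checks an operator should run on a signed certificate before supplying it to a unit, namely that it chains to the CA whose certificate will be distributed, and that it carries the public key from that unit's CSR. The CA name, unit hostnames and file names are constructed for the example; the private keys generated here would, in a real deployment, never leave the CA or the unit.

```shell
#!/bin/sh
# Added example (not Canonical's code): openssl walk-through of the
# CSR -> external CA -> signed certificate flow, plus the pre-flight checks
# an operator should run before handing a certificate to a Traefik unit.
# All names and hostnames below are constructed for the example.
set -eu

WORK=$(mktemp -d)

# Stand-in for the third-party CA (in a real deployment the CA key never leaves the CA).
make_ca() {   # $1 = CA common name, $2 = output basename
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$WORK/$2.key" -out "$WORK/$2.crt" -subj "/CN=$1" >/dev/null 2>&1
}

# Stand-in for a Traefik unit producing its CSR; the private key stays on the unit.
make_unit_csr() {   # $1 = unit hostname, $2 = output basename
  openssl req -newkey rsa:2048 -nodes \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" -subj "/CN=$1" >/dev/null 2>&1
}

# The CA signs the CSR as a TLS server certificate with a SAN for the hostname.
sign_csr() {   # $1 = CSR basename, $2 = CA basename, $3 = hostname, $4 = output basename
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$3" > "$WORK/$4.ext"
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.crt" -CAkey "$WORK/$2.key" \
    -CAcreateserial -days 1 -extfile "$WORK/$4.ext" -out "$WORK/$4.crt" >/dev/null 2>&1
}

# Check 1: the certificate chains to the CA whose certificate will be distributed
# to the cloud's application units.
cert_chains_to_ca() {   # $1 = cert basename, $2 = CA basename
  openssl verify -CAfile "$WORK/$2.crt" "$WORK/$1.crt" >/dev/null 2>&1
}

# Check 2: the certificate carries the public key from the unit's CSR, so the
# unit's private key can actually use it (each unit must get its own certificate).
cert_matches_csr() {   # $1 = cert basename, $2 = CSR basename
  crt_pub=$(openssl x509 -in "$WORK/$1.crt" -noout -pubkey | openssl sha256)
  csr_pub=$(openssl req -in "$WORK/$2.csr" -noout -pubkey | openssl sha256)
  [ "$crt_pub" = "$csr_pub" ]
}

# Walk-through: two units, the intended CA, and an unrelated CA to show a failing check.
make_ca "Constructed Third-Party CA" ca
make_ca "Unrelated CA" other-ca
make_unit_csr traefik-0.cloud.example traefik-0
make_unit_csr traefik-1.cloud.example traefik-1
sign_csr traefik-0 ca traefik-0.cloud.example traefik-0
sign_csr traefik-1 other-ca traefik-1.cloud.example traefik-1-wrong-ca

if cert_chains_to_ca traefik-0 ca && cert_matches_csr traefik-0 traefik-0; then
  echo "traefik-0: certificate chains to the expected CA and matches the CSR; safe to supply"
fi
if ! cert_chains_to_ca traefik-1-wrong-ca ca; then
  echo "traefik-1: certificate was not issued by the expected CA; do not supply it"
fi
if ! cert_matches_csr traefik-0 traefik-1; then
  echo "traefik-0's certificate does not match traefik-1's CSR; certificates are per unit"
fi
```

The two checks correspond to the two ways a certificate hand-off can go wrong in this design: a certificate from a CA other than the one in the supplied chain will be rejected by clients once Keystone has distributed the CA certificates, and a certificate that does not match the unit's CSR cannot be used by that unit's private key at all.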