Service endpoint encryption

Overview

The encryption of service API endpoints in an OpenStack cloud requires a method for the creation and distribution of TLS certificates. MicroStack supports enabling TLS via the Traefik application, which is the ingress point for all service endpoints.

Note: Currently, only the TLS CA feature method is supported. This feature only works with certificates signed by an external Certificate Authority.

TLS CA feature

The TLS CA feature is the method to use for deployments that obtain their certificates from a third-party CA.

Note: This feature is currently only supported in channel 2023.2/edge of the openstack snap.

Note: For a how-to on using the TLS CA feature, see Implement TLS using a third-party CA.

Points of interest for this design:

  • Enabling the feature deploys the manual-tls-certificates charm operator and integrates the manual-tls-certificates application with the Traefik application. This step requires the third-party CA certificate and its CA chain.

  • Certificate Signing Requests (CSRs) need to be retrieved for all Traefik units.

  • This method involves interfacing directly with the chosen Certificate Authority.

  • Each Traefik unit needs to be provided with a signed certificate. This switches the service endpoints to HTTPS and also distributes the CA certificates to all application units across the cloud via Keystone.
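The CA-side part of the flow above, as an added example that is not part of the MicroStack documentation: a throwaway root and issuing CA stand in for the third-party CA, a constructed CSR stands in for the one retrieved from a Traefik unit, and the signed certificate is checked against the CA chain before it would be handed back to the unit. It assumes `openssl` (1.1.1 or newer) is installed; every file name, subject and hostname below is constructed.

```shell
#!/bin/sh
# Added example: sign a Traefik unit CSR with a test CA and verify the result.
# Assumes openssl >= 1.1.1. All names and paths are constructed for the demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Throwaway root + issuing CA standing in for the third-party CA.
make_test_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -sha256 \
    -subj "/CN=Example Root CA" -keyout "$WORK/root.key" -out "$WORK/root.crt" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=Example Issuing CA" \
    -keyout "$WORK/issuing.key" -out "$WORK/issuing.csr" >/dev/null 2>&1
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/ca.ext"
  openssl x509 -req -in "$WORK/issuing.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 30 -sha256 -extfile "$WORK/ca.ext" -out "$WORK/issuing.crt" >/dev/null 2>&1
  # The CA chain handed to the TLS CA feature: issuing cert first, then the root.
  cat "$WORK/issuing.crt" "$WORK/root.crt" > "$WORK/ca-chain.pem"
}

# Stand-in for the CSR retrieved from a Traefik unit (constructed here).
make_unit_csr() {
  openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$1" \
    -addext "subjectAltName=DNS:$1" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
}

# Sign the unit CSR with the issuing CA as a server cert carrying the DNS SAN.
sign_unit_csr() {
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\n' > "$WORK/$1.ext"
  printf 'extendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' "$1" >> "$WORK/$1.ext"
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/issuing.crt" -CAkey "$WORK/issuing.key" \
    -CAcreateserial -days 30 -sha256 -extfile "$WORK/$1.ext" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# Before handing the cert back: it must chain to the root through the chain file.
verify_unit_cert() {
  openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/ca-chain.pem" "$WORK/$1.crt" >/dev/null 2>&1
}

# Returns 0 when the signed cert carries the expected DNS SAN for the unit.
cert_has_san() {
  openssl x509 -in "$WORK/$1.crt" -noout -ext subjectAltName | grep -q "DNS:$1"
}
```

A certificate that fails `verify_unit_cert` or `cert_has_san` should not be handed to a Traefik unit, since the endpoint would then present a chain clients cannot validate.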
