Kolla-Ansible TLS Certificate Deployment Review Prompt
Review and plan TLS enablement in a Kolla-Ansible deployment — external/internal API TLS, backend TLS, and certificate rotation — without breaking endpoint URLs or internal service traffic.
- Target user: OpenStack operators running Kolla-Ansible deployments
- Difficulty: Advanced
- Tools: Claude, ChatGPT
The prompt
You are a senior OpenStack deployment engineer who has enabled end-to-end TLS in Kolla-Ansible clouds and untangled the certificate, VIP, and endpoint changes that make it work. I will provide:

- The relevant `globals.yml` TLS settings (`kolla_enable_tls_external`, `kolla_enable_tls_internal`, `kolla_enable_tls_backend`, FQDNs, VIP addresses)
- Current certificate layout (`kolla_certificates_dir`, haproxy.pem, backend certs, CA)
- Endpoint config (`kolla_external_fqdn`, `kolla_internal_fqdn`, whether the FQDNs resolve)
- The goal (enable external TLS, add internal TLS, add backend TLS, or rotate certs)
- Symptoms (cert errors, endpoint mismatch, services that can't reach each other)

Your job:

1. **Scope the TLS layers** — distinguish external (public VIP), internal (admin/internal VIP), and backend (HAProxy-to-service) TLS; explain what each `kolla_enable_tls_*` flag actually encrypts and the blast radius of enabling each.
2. **Certificate requirements** — specify the SANs each cert needs (external FQDN, internal FQDN, VIPs), the haproxy.pem format (cert, key, and chain concatenated), and where backend certs and the CA must live for `kolla-ansible certificates` to consume them.
3. **Endpoint consistency** — confirm that Keystone endpoints switch to `https://` and that the FQDN matters because the cert CN/SAN must match it; flag the classic breakage where IP-based internal endpoints don't match an FQDN-only cert.
4. **Rollout order** — recommend enabling external TLS first, validating, then internal, then backend; explain why a single `reconfigure` flips all services and how to stage it.
5. **Rotation plan** — design certificate replacement (regenerate, redistribute, `kolla-ansible reconfigure -t <service>` or targeted tags) with minimal downtime, and where the copy_certs/generate steps fit.
6. **Validate** — give `openstack endpoint list`, `openssl s_client -connect VIP:port`, and an inter-service smoke test proving internal and backend TLS actually terminate correctly.
Output as: (a) TLS-layer scope table, (b) `globals.yml` and certificate-layout diff, (c) ordered rollout runbook, (d) a rotation procedure, (e) validation commands and a rollback plan. An FQDN/SAN mismatch breaks every client at once when reconfigure runs — verify cert SANs against the actual endpoint FQDNs before applying.
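The SAN-versus-FQDN check from the last sentence, written out as a pre-apply script. This is an added example, not part of the prompt above or of Kolla-Ansible's own tooling; it assumes `openssl` is on the PATH, a `globals.yml` with plain or double-quoted scalar values, and that Jinja-templated values (such as a templated `kolla_internal_fqdn`) can be skipped because they resolve to another listed name.

```shell
#!/usr/bin/env bash
# Added example (not Kolla-Ansible's own tooling): before `kolla-ansible reconfigure`,
# confirm that every name clients will use (external/internal FQDN, the VIPs) appears
# in the SANs of the certificate HAProxy will serve.

# Print the DNS and IP SANs of the first certificate in a PEM file. haproxy.pem is
# cert+key+chain concatenated; openssl x509 reads the first certificate it finds.
cert_sans() {
  openssl x509 -in "$1" -noout -text 2>/dev/null \
    | awk '/Subject Alternative Name/ { getline; print }' \
    | tr ',' '\n' \
    | awk '/^[ \t]*(DNS|IP Address):/ { sub(/^[ \t]*(DNS|IP Address):/, ""); print }'
}

# Names from globals.yml that end up in Keystone endpoint URLs. Assumes plain
# `key: value` or `key: "value"` lines (this is not a YAML parser) and skips
# Jinja-templated values such as "{{ kolla_internal_vip_address }}".
globals_names() {
  awk '{ i = index($0, ":"); if (i == 0) next
         k = substr($0, 1, i - 1); v = substr($0, i + 1)
         if (k !~ /^[ \t]*kolla_(external|internal)_(fqdn|vip_address)$/) next
         sub(/#.*/, "", v); gsub(/[" \t]/, "", v)
         if (v != "" && index(v, "{{") == 0) print v }' "$1"
}

# Usage: check_sans CERT NAME [NAME...]
# Returns 0 when every NAME is covered by a SAN, 1 when any is missing (each one is
# reported), 2 when the certificate carries no subjectAltName at all.
check_sans() {
  local cert=$1 sans name missing=0
  shift
  sans=$(cert_sans "$cert")
  if [ -z "$sans" ]; then
    echo "no subjectAltName found in $cert" >&2
    return 2
  fi
  for name in "$@"; do
    if ! printf '%s\n' "$sans" | grep -qxF -- "$name"; then
      echo "MISSING SAN: $name not in $cert; reconfigure would break clients using it" >&2
      missing=1
    fi
  done
  return "$missing"
}

# Stand-alone use: check_sans.sh /etc/kolla/certificates/haproxy.pem /etc/kolla/globals.yml
if [ "$#" -eq 2 ]; then
  # shellcheck disable=SC2046  (splitting the name list on whitespace is intended)
  check_sans "$1" $(globals_names "$2")
fi
```

A non-zero exit means `reconfigure` would hand clients a certificate they will reject for at least one configured name; regenerate the certificate with the missing SANs before applying.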