openstack/ironic
Code Issues Proposed changes
0386a4f966
ironic/doc/source/install/enabling-https.rst
Pavlo Shchelokovskyy 63e0ff2f6c Rework keystone auth for glance 
this patch changes the way glance client is instantiated, using
keystoneauth sessions and adapters.

In order to support glance API endpoint discovery from keystone catalog
and more unified way of client loading,
many options in `[glance]` config sections are deprecated,
mostly those that specified a (set of) glance API endpoint(s)
or parts of glance API address.
Instead, a single option `[glance]endpoint_override` must be used when
required to access a specific (possibly load-balanced)
glance API endpoint without discovering it from keystone catalog.

Another set of deprecated options are those that are duplicating
keystoneauth session options in [glance] section.

Also, intrinsic support for parsing the glance API URL from image ref
set to the full glance REST path to the image is removed as it was not
working any way since an 'http(s)://' image ref is not treated
as a glance image.

Change-Id: I6a93b71ac097e951dfc93fd1ee4d7ef483514f2c
Partial-Bug: #1699547
Closes-Bug: #1699542
2017-11-17 11:40:14 -05:00

3.3 KiB
Raw Blame History

Enabling HTTPS

Enabling HTTPS in Swift

The drivers using virtual media use swift for storing boot images and node configuration information (contains sensitive information for Ironic conductor to provision bare metal hardware). By default, HTTPS is not enabled in swift. HTTPS is required to encrypt all communication between swift and Ironic conductor and swift and bare metal (via virtual media). It can be enabled in one of the following ways:

Enabling HTTPS in Image service

Ironic drivers usually use Image service during node provisioning. By default, image service does not use HTTPS, but it is required for secure communication. It can be enabled by making the following changes to /etc/glance/glance-api.conf:

  1. Configuring SSL support

  2. Restart the glance-api service:

    Fedora/RHEL7/CentOS7/SUSE:
    sudo systemctl restart openstack-glance-api

Debian/Ubuntu:
    sudo service glance-api restart

See the Glance documentation, for more details on the Image service.

Enabling HTTPS communication between Image service and Object storage

This section describes the steps needed to enable secure HTTPS communication between Image service and Object storage when Object storage is used as the Backend.

To enable secure HTTPS communication between Image service and Object storage follow these steps:

  1. EnableHTTPSinSwift
  2. Configure Swift Storage Backend
  3. EnableHTTPSinGlance

Enabling HTTPS communication between Image service and Bare Metal service

This section describes the steps needed to enable secure HTTPS communication between Image service and Bare Metal service.

To enable secure HTTPS communication between Bare Metal service and Image service follow these steps:

  1. Edit /etc/ironic/ironic.conf:

    [glance]
...
glance_cafile=/path/to/certfile

    Note

    'glance_cafile' is a optional path to a CA certificate bundle to be used to validate the SSL certificate served by Image service.

  2. If not using the keystone service catalog for the Image service API endpoint discovery, also edit the endpoint_override option to point to HTTPS URL of image service (replace <GLANCE_API_ADDRESS> with hostname[:port][path] of the Image service endpoint):

    [glance]
...
endpoint_override = https://<GLANCE_API_ADDRESS>

  3. Restart ironic-conductor service:

    Fedora/RHEL7/CentOS7/SUSE:
    sudo systemctl restart openstack-ironic-conductor

Debian/Ubuntu:
    sudo service ironic-conductor restart