a25589b20f
The extlink extension [1] ensures the urls have version-specific references to other projects. [1] https://docs.openstack.org/openstackdocstheme/latest/#external-link-helper Change-Id: I0d5d445fae8a7ec60f6a9caacede7cc77770b36e Story: 2006621 Task: 36825
3.2 KiB
Enabling HTTPS
Enabling HTTPS in Swift
The drivers using virtual media use swift for storing boot images and node configuration information (contains sensitive information for Ironic conductor to provision bare metal hardware). By default, HTTPS is not enabled in swift. HTTPS is required to encrypt all communication between swift and Ironic conductor and swift and bare metal (via virtual media). It can be enabled in one of the following ways:
- Using an SSL termination proxy
Using native SSL support in swift <deployment_guide.html>(recommended only for testing purpose by swift).
Enabling HTTPS in Image service
Ironic drivers usually use Image service during node provisioning. By
default, image service does not use HTTPS, but it is required for secure
communication. It can be enabled by making the following changes to
/etc/glance/glance-api.conf:
Configuring SSL support <configuration/configuring.html#configuring-ssl-support>Restart the glance-api service:
Fedora/RHEL7/CentOS7/SUSE: sudo systemctl restart openstack-glance-api Debian/Ubuntu: sudo service glance-api restart
See the Glance <> documentation, for more details
on the Image service.
Enabling HTTPS communication between Image service and Object storage
This section describes the steps needed to enable secure HTTPS communication between Image service and Object storage when Object storage is used as the Backend.
To enable secure HTTPS communication between Image service and Object storage follow these steps:
EnableHTTPSinSwiftConfigure Swift Storage Backend <configuration/configuring.html#configuring-the-swift-storage-backend>EnableHTTPSinGlance
Enabling HTTPS communication between Image service and Bare Metal service
This section describes the steps needed to enable secure HTTPS communication between Image service and Bare Metal service.
To enable secure HTTPS communication between Bare Metal service and Image service follow these steps:
Edit
/etc/ironic/ironic.conf:[glance] ... glance_cafile=/path/to/certfileNote
'glance_cafile' is an optional path to a CA certificate bundle to be used to validate the SSL certificate served by Image service.
If not using the keystone service catalog for the Image service API endpoint discovery, also edit the
endpoint_overrideoption to point to HTTPS URL of image service (replace<GLANCE_API_ADDRESS>with hostname[:port][path] of the Image service endpoint):[glance] ... endpoint_override = https://<GLANCE_API_ADDRESS>Restart ironic-conductor service:
Fedora/RHEL7/CentOS7/SUSE: sudo systemctl restart openstack-ironic-conductor Debian/Ubuntu: sudo service ironic-conductor restart