Note
This feature is available starting from the MCP 2019.2.6 maintenance update. Before using the feature, follow the steps described in Apply maintenance updates.
You can enable SSL for all OpenStack components while generating a deployment metadata model using the Model Designer UI before deploying a new OpenStack environment. You can also enable SSL on Ironic internal API on an existing OpenStack environment.
The example instruction below describes the following Ironic configuration:

  - The Ironic API runs on the ctl nodes.
  - The Ironic deploy API runs on the bmt nodes.

You may need to modify this example configuration depending on the needs of your deployment.
To enable SSL on Ironic internal API on an existing MCP cluster:

Open your Git project repository with the Reclass model on the cluster level.

Modify ./openstack/baremetal.yml as follows:
  classes:
  - system.salt.minion.cert.openstack_api
  - system.apache.server.proxy
  - system.apache.server.proxy.openstack.ironic
  parameters:
    _param:
      apache_proxy_openstack_api_address: ${_param:cluster_baremetal_local_address}
      apache_proxy_openstack_api_host: ${_param:cluster_baremetal_local_address}
      ironic_conductor_api_url_protocol: https
      openstack_api_cert_alternative_names: IP:127.0.0.1,IP:${_param:cluster_baremetal_local_address},IP:${_param:cluster_baremetal_vip_address},DNS:${linux:system:name},DNS:${linux:network:fqdn},DNS:${_param:cluster_baremetal_local_address},DNS:${_param:cluster_baremetal_vip_address}
      apache_ssl:
        enabled: true
        authority: "${_param:salt_minion_ca_authority}"
        key_file: ${_param:openstack_api_cert_key_file}
        cert_file: ${_param:openstack_api_cert_cert_file}
        chain_file: ${_param:openstack_api_cert_all_file}
      apache_proxy_openstack_ironic_host: 127.0.0.1
      haproxy_https_check_options:
      - httpchk GET /
      - httpclose
      - tcplog
      haproxy_ironic_deploy_check_params: check inter 10s fastinter 2s downinter 3s rise 3 fall 3 check-ssl verify none
    haproxy:
      proxy:
        listen:
          ironic_deploy:
            type: None
            mode: tcp
            options: ${_param:haproxy_https_check_options}
    ironic:
      api:
        bind:
          address: 127.0.0.1
Modify ./openstack/control.yml as follows:

  classes:
  - system.apache.server.proxy.openstack.ironic
  parameters:
    _param:
      apache_proxy_openstack_ironic_host: 127.0.0.1
      haproxy_ironic_check_params: check inter 10s fastinter 2s downinter 3s rise 3 fall 3 check-ssl verify none
    haproxy:
      proxy:
        listen:
          ironic:
            type: None
            mode: tcp
            options: ${_param:haproxy_https_check_options}
    ironic:
      api:
        bind:
          address: 127.0.0.1
Modify ./openstack/control/init.yml as follows:

  parameters:
    _param:
      ironic_service_protocol: ${_param:cluster_internal_protocol}
Modify ./openstack/init.yml as follows:

  parameters:
    _param:
      ironic_service_host: ${_param:openstack_service_host}
      ironic_service_protocol: ${_param:cluster_internal_protocol}
Modify ./openstack/proxy.yml as follows:

  parameters:
    _param:
      nginx_proxy_openstack_ironic_protocol: https
Refresh pillars:

  salt '*' saltutil.refresh_pillar

Apply the following Salt states:

  salt 'bmt*' state.apply salt
  salt -C 'I@ironic:api' state.apply apache
  salt 'prx*' state.apply nginx
  salt -C 'I@ironic:api' state.apply haproxy
  salt -C 'I@ironic:api' state.apply ironic
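After the states are applied, two things are worth confirming on a bmt node: that the plaintext Ironic API really listens on 127.0.0.1 only (anything else means the Apache TLS proxy can be bypassed), and that the certificate served on the baremetal VIP carries every name from openstack_api_cert_alternative_names, otherwise clients that verify the chain will reject it. Note that check-ssl verify none in the HAProxy check parameters above disables certificate verification only for HAProxy's own health checks; the listeners run in mode tcp, so HAProxy does not terminate TLS and clients see the certificate Apache presents, issued by the Salt minion CA named in apache_ssl. The script below is an added example and is not part of the MCP documentation or the Salt formulas. It assumes the Ironic API uses its default port 6385, that the plaintext API process appears in ss -p as "ironic-api", and that ss and openssl (1.1.1 or later, for x509 -ext) are installed on the node; the sample ss and certificate output embedded in it is constructed, not captured from a real cluster.

```shell
#!/usr/bin/env bash
# Post-change verification for the Ironic internal API TLS setup.
# Added example, not part of the MCP documentation or the Salt formulas.
# Assumptions: the Ironic API listens on its default port 6385, the
# plaintext API process shows up in `ss -p` as "ironic-api", and `ss`
# and `openssl` (1.1.1+ for `x509 -ext`) are present on the node.

IRONIC_API_PORT=6385

# Succeeds only when every TCP listener owned by process $2 in the
# `ss -ltnp` output $1 is bound to 127.0.0.1, i.e. the plaintext Ironic
# API is reachable only through the local Apache TLS proxy. Fails when
# the process is not listening at all or listens on any other address.
ironic_api_is_local_only() {
    local ss_output="$1" proc="\"$2\"" listeners
    listeners=$(printf '%s\n' "$ss_output" | awk -v proc="$proc" 'index($0, proc) { print $4 }')
    [ -n "$listeners" ] || return 1
    if printf '%s\n' "$listeners" | grep -vq '^127\.0\.0\.1:'; then
        return 1
    fi
    return 0
}

# Prints each entry of the rendered openstack_api_cert_alternative_names
# value $2 (comma separated, reclass form "IP:..."/"DNS:...") that is
# absent from $1, the output of `openssl x509 -noout -ext subjectAltName`
# for the certificate served on the VIP. Prints nothing when all are present.
missing_sans() {
    local x509_output="$1" required="$2" present name
    present=$(printf '%s\n' "$x509_output" | tr ',' '\n' \
        | sed -e 's/^[[:space:]]*//' -e 's/^IP Address:/IP:/' \
        | grep -E '^(IP|DNS):')
    printf '%s\n' "$required" | tr ',' '\n' | while read -r name; do
        [ -n "$name" ] || continue
        printf '%s\n' "$present" | grep -qxF "$name" || printf '%s\n' "$name"
    done
}

# Live check, run on a bmt node: $1 is cluster_baremetal_vip_address, $2 is
# the rendered openstack_api_cert_alternative_names value (for example from
# `salt-call pillar.get _param:openstack_api_cert_alternative_names`).
verify_node() {
    local vip="$1" required="$2" cert_ext missing
    ironic_api_is_local_only "$(ss -ltnp)" ironic-api \
        || { echo "FAIL: ironic-api is listening outside 127.0.0.1 (or not at all)"; return 1; }
    cert_ext=$(openssl s_client -connect "${vip}:${IRONIC_API_PORT}" -servername "$vip" </dev/null 2>/dev/null \
        | openssl x509 -noout -ext subjectAltName)
    missing=$(missing_sans "$cert_ext" "$required")
    [ -z "$missing" ] || { printf 'FAIL: certificate lacks SAN %s\n' $missing; return 1; }
    echo "OK: ironic-api bound to 127.0.0.1 and VIP certificate carries all configured SANs"
}

# Constructed sample data (not captured from a real node) so the parsing
# logic can be exercised offline: a good and a bad `ss` snapshot, plus one
# certificate SAN listing and the SAN list the cluster model would render.
SS_GOOD='LISTEN 0 128 127.0.0.1:6385 0.0.0.0:* users:(("ironic-api",pid=2201,fd=6))
LISTEN 0 128 10.10.0.5:6385 0.0.0.0:* users:(("apache2",pid=2310,fd=4))
LISTEN 0 128 10.10.0.100:6385 0.0.0.0:* users:(("haproxy",pid=2400,fd=7))'
SS_BAD='LISTEN 0 128 0.0.0.0:6385 0.0.0.0:* users:(("ironic-api",pid=2201,fd=6))'
X509_SAMPLE='X509v3 Subject Alternative Name:
    IP Address:127.0.0.1, IP Address:10.10.0.5, IP Address:10.10.0.100, DNS:bmt01, DNS:bmt01.example.local'
REQUIRED_SANS='IP:127.0.0.1,IP:10.10.0.5,IP:10.10.0.100,DNS:bmt01,DNS:bmt01.example.local,DNS:10.10.0.5,DNS:10.10.0.100'

# Usage on a node: ./verify_ironic_tls.sh --live <baremetal VIP> "<rendered SAN list>"
if [ "${1:-}" = "--live" ]; then
    verify_node "$2" "$3"
fi
```

Run with --live on each bmt node after the haproxy and ironic states have been applied. In the constructed sample the good snapshot passes because Apache and HAProxy may legitimately listen on the node address and the VIP on port 6385; only the ironic-api process itself must stay on 127.0.0.1. The SAN check reports the two DNS entries that hold IP addresses, which is exactly what the model above requests and what a CA that refuses IP literals in DNS names would silently drop.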