Enable SSL on Ironic internal API

Note

This feature is available starting from the MCP 2019.2.6 maintenance update. Before using the feature, follow the steps described in Apply maintenance updates.

You can enable SSL for all OpenStack components while generating a deployment metadata model in the Model Designer UI before deploying a new OpenStack environment. You can also enable SSL on the Ironic internal API in an existing OpenStack environment.

The example instruction below assumes the following Ironic layout:

  • The OpenStack Ironic API service runs on the OpenStack ctl nodes.

  • The OpenStack Ironic deploy API and conductor services run on the bmt nodes.

You may need to modify this example configuration depending on the needs of your deployment.

To enable SSL on the Ironic internal API in an existing MCP cluster:

  1. Open your Git project repository with the Reclass model on the cluster level.

  2. Modify ./openstack/baremetal.yml as follows:

    classes:
    - system.salt.minion.cert.openstack_api
    - system.apache.server.proxy
    - system.apache.server.proxy.openstack.ironic
    parameters:
      _param:
        apache_proxy_openstack_api_address: ${_param:cluster_baremetal_local_address}
        apache_proxy_openstack_api_host: ${_param:cluster_baremetal_local_address}
        ironic_conductor_api_url_protocol: https
        openstack_api_cert_alternative_names: IP:127.0.0.1,IP:${_param:cluster_baremetal_local_address},IP:${_param:cluster_baremetal_vip_address},DNS:${linux:system:name},DNS:${linux:network:fqdn},DNS:${_param:cluster_baremetal_local_address},DNS:${_param:cluster_baremetal_vip_address}
        apache_ssl:
          enabled: true
          authority: "${_param:salt_minion_ca_authority}"
          key_file: ${_param:openstack_api_cert_key_file}
          cert_file: ${_param:openstack_api_cert_cert_file}
          chain_file: ${_param:openstack_api_cert_all_file}
        apache_proxy_openstack_ironic_host: 127.0.0.1
        haproxy_https_check_options:
        - httpchk GET /
        - httpclose
        - tcplog
        haproxy_ironic_deploy_check_params: check inter 10s fastinter 2s downinter 3s rise 3 fall 3 check-ssl verify none
      haproxy:
        proxy:
          listen:
            ironic_deploy:
              type: None
              mode: tcp
              options: ${_param:haproxy_https_check_options}
      ironic:
        api:
          bind:
            address: 127.0.0.1
    
  3. Modify ./openstack/control.yml as follows:

    classes:
    - system.apache.server.proxy.openstack.ironic
    parameters:
      _param:
        apache_proxy_openstack_ironic_host: 127.0.0.1
        haproxy_ironic_check_params: check inter 10s fastinter 2s downinter 3s rise 3 fall 3 check-ssl verify none
      haproxy:
        proxy:
          listen:
            ironic:
              type: None
              mode: tcp
              options: ${_param:haproxy_https_check_options}
      ironic:
        api:
          bind:
            address: 127.0.0.1
    
  4. Modify ./openstack/control/init.yml as follows:

    parameters:
      _param:
        ironic_service_protocol: ${_param:cluster_internal_protocol}
    
  5. Modify ./openstack/init.yml as follows:

    parameters:
      _param:
        ironic_service_host: ${_param:openstack_service_host}
        ironic_service_protocol: ${_param:cluster_internal_protocol}
    
  6. Modify ./openstack/proxy.yml as follows:

    parameters:
      _param:
        nginx_proxy_openstack_ironic_protocol: https
    
  7. Refresh pillars:

    salt '*' saltutil.refresh_pillar
    
  8. Apply the following Salt states:

    salt 'bmt*' state.apply salt
    salt -C 'I@ironic:api' state.apply apache
    salt 'prx*' state.apply nginx
    salt -C 'I@ironic:api' state.apply haproxy
    salt -C 'I@ironic:api' state.apply ironic
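After the states are applied, the Ironic API listens only on 127.0.0.1 and the Apache proxy terminates TLS on the baremetal local address with a certificate that must carry every name in openstack_api_cert_alternative_names; a mismatch shows up as failing HAProxy checks or clients rejecting the certificate. The following shell helper is an added example, not part of the MCP documentation: it fetches the served certificate and reports any SAN from the pillar value that is missing. It assumes the pillar string is passed already rendered (no ${...} left), that the proxy listens on Ironic's default API port 6385, and that openssl 1.1.1 or later is installed.

```shell
#!/bin/sh
# Added post-change check (not part of the MCP documentation).
# Assumptions: the pillar value openstack_api_cert_alternative_names is passed
# already rendered (no ${...} left), the Apache proxy listens on Ironic's
# default API port 6385 on the baremetal local address, and openssl >= 1.1.1
# is installed (needed for "x509 -ext subjectAltName").
set -eu

# Normalise a SAN list to one "TYPE:value" per line, sorted and de-duplicated.
# Accepts the pillar form "IP:1.2.3.4,DNS:host" as well as the form printed
# by openssl: "X509v3 Subject Alternative Name:\n IP Address:1.2.3.4, DNS:host".
norm_san() {
    printf '%s\n' "$1" \
      | sed -e 's/X509v3 Subject Alternative Name://' -e 's/IP Address:/IP:/g' \
      | tr ',' '\n' \
      | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
      | grep -v '^$' | sort -u
}

# Print every SAN the pillar expects that the served certificate lacks.
# Returns 0 when the certificate covers all expected names, 1 otherwise.
san_missing() {
    actual=$(norm_san "$2")
    rc=0
    for entry in $(norm_san "$1"); do
        if ! printf '%s\n' "$actual" | grep -qxF -- "$entry"; then
            printf '%s\n' "$entry"
            rc=1
        fi
    done
    return "$rc"
}

# Fetch the certificate the Apache proxy serves on host:6385 and compare its
# SANs with the expected (rendered) pillar value.
check_live() {
    served=$(openssl s_client -connect "$1:6385" -servername "$1" </dev/null 2>/dev/null \
             | openssl x509 -noout -ext subjectAltName)
    san_missing "$2" "$served"
}

# Usage: ./check_ironic_san.sh <cluster_baremetal_local_address> '<rendered SAN list>'
if [ "$#" -ge 2 ]; then
    if check_live "$1" "$2"; then
        echo "OK: served certificate covers all expected SANs"
    else
        echo "served certificate lacks the SANs listed above" >&2
        exit 1
    fi
fi
```

Run it from a bmt node against ${_param:cluster_baremetal_local_address}; the same comparison against the VIP shows whether HAProxy presents a certificate that includes the VIP names, which is what clients outside the node see.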