Enable SSL on Ironic internal API¶

You can enable SSL for all OpenStack components while generating a deployment metadata model using the Model Designer UI before deploying a new OpenStack environment. You can also enable SSL on Ironic internal API on an existing OpenStack environment.

The example instruction below describes the following Ironic configuration:

• The OpenStack Ironic API service runs on the OpenStack ctl nodes.
• The OpenStack Ironic deploy API and conductor services run on the bmt nodes.

You may need to modify this example configuration depending on the needs of your deployment.

To enable SSL on Ironic internal API on an existing MCP cluster:

1. Open your Git project repository with the Reclass model on the cluster level.

2. Modify ./openstack/baremetal.yml as follows:

   classes:
   - system.salt.minion.cert.openstack_api
   - system.apache.server.proxy
   - system.apache.server.proxy.openstack.ironic
   parameters:
     _param:
       apache_proxy_openstack_api_address: ${_param:cluster_baremetal_local_address}
       apache_proxy_openstack_api_host: ${_param:cluster_baremetal_local_address}
       ironic_conductor_api_url_protocol: https
       openstack_api_cert_alternative_names: IP:127.0.0.1,IP:${_param:cluster_baremetal_local_address},IP:${_param:cluster_baremetal_vip_address},DNS:${linux:system:name},DNS:${linux:network:fqdn},DNS:$  {_param:cluster_baremetal_local_address},DNS:${_param:cluster_baremetal_vip_address}
       apache_ssl:
         enabled: true
         authority: "${_param:salt_minion_ca_authority}"
         key_file: ${_param:openstack_api_cert_key_file}
         cert_file: ${_param:openstack_api_cert_cert_file}
         chain_file: ${_param:openstack_api_cert_all_file}
       apache_proxy_openstack_ironic_host: 127.0.0.1
       haproxy_https_check_options:
       - httpchk GET /
       - httpclose
       - tcplog
       haproxy_ironic_deploy_check_params: check inter 10s fastinter 2s downinter 3s rise 3 fall 3 check-ssl verify none
     haproxy:
       proxy:
         listen:
           ironic_deploy:
             type: None
             mode: tcp
             options: ${_param:haproxy_https_check_options}
     ironic:
       api:
         bind:
           address: 127.0.0.1
   

3. Modify ./openstack/control.yml as follows:

   classes:
   - system.apache.server.proxy.openstack.ironic
   parameters:
     _param:
       apache_proxy_openstack_ironic_host: 127.0.0.1
       haproxy_ironic_check_params: check inter 10s fastinter 2s downinter 3s rise 3 fall 3 check-ssl verify none
     haproxy:
       proxy:
         listen:
           ironic:
             type: None
             mode: tcp
             options: ${_param:haproxy_https_check_options}
     ironic:
       api:
         bind:
           address: 127.0.0.1
   

4. Modify ./openstack/control/init.yml as follows:

   parameters:
     _param:
       ironic_service_protocol: ${_param:cluster_internal_protocol}
   

5. Modify ./openstack/init.yml as follows:

   parameters:
     _param:
       ironic_service_host: ${_param:openstack_service_host}
       ironic_service_protocol: ${_param:cluster_internal_protocol}
   

6. Modify ./openstack/proxy.yml as follows:

   parameters:
     _param:
       nginx_proxy_openstack_ironic_protocol: https
   

7. Refresh pillars:

   salt '*' saltutil.refresh_pillar
   

8. Apply the following Salt states:

   salt 'bmt*' state.apply salt
   salt -C 'I@ironic:api' state.apply apache
   salt 'prx*' state.apply nginx
   salt -C 'I@ironic:api' state.apply haproxy
   salt -C 'I@ironic:api' state.apply ironic