OpenStack HTTPS Endpoints support Communication between services usually done via internal endpoints that are located in internal network. In some cases it is required to encrypt traffic even on internal network. This patch unhardcode communication protocol between Ironic and other services. Also adds possibility to specify ca_file to verify SSL certificates of remote peers. Related-Prod: PROD-16160 Change-Id: Ib441eb4b37f40ed6bf5209b9dcfbcf80480708a1

commit: 7402b0340caae734703c50200af7ef127976223f [log] [tgz]
author: Kirill Bespalov <kbespalov@mirantis.com> Tue Nov 21 12:17:20 2017 +0300
committer: Vasyl Saienko <vsaienko@mirantis.com> Wed Jan 03 12:30:36 2018 +0200
tree: 38f98daddcfd651bd2e31dc2540bbbcc951d15c3
parent: 5bcf555a3be867013076647df457c7989c59d511 [diff]
diff --git a/ironic/files/newton/ironic.conf b/ironic/files/newton/ironic.conf
index c68c59e..2d1b554 100644
--- a/ironic/files/newton/ironic.conf
+++ b/ironic/files/newton/ironic.conf

@@ -1189,6 +1189,9 @@
 # Authentication URL (string value)
 {%- if conductor.get('glance', {}).get('auth_strategy') == 'keystone' %}
 auth_url = {{ conductor.identity.protocol }}://{{ conductor.identity.host }}:{{ conductor.identity.port }}/identity
+{%- if conductor.identity.protocol == 'https' %}
+cafile={{ conductor.identity.get('cacert_file', conductor.cacert_file) }}
+{%- endif %}
 {%- else %}
 #auth_url = <None>
 {%- endif %}
@@ -1762,6 +1765,9 @@
 # Authentication URL (string value)
 {%- if ironic.get('identity', {}).get('engine') == 'keystone' %}
 auth_url = {{ ironic.identity.protocol }}://{{ ironic.identity.host }}:{{ ironic.identity.port }}/identity
+{%- if ironic.identity.protocol == 'https' %}
+cafile={{ ironic.identity.get('cacert_file', ironic.cacert_file) }}
+{%- endif %}
 {%- else %}
 #auth_uri = <None>
 {%- endif %}
@@ -2226,6 +2232,9 @@
 # Authentication URL (string value)
 {%- if conductor.get('neutron', {}).get('auth_strategy') == 'keystone' %}
 auth_url = {{ conductor.identity.protocol }}://{{ conductor.identity.host }}:{{ conductor.identity.port }}/identity
+{%- if conductor.identity.protocol == 'https' %}
+cafile={{ conductor.identity.get('cacert_file', conductor.cacert_file) }}
+{%- endif %}
 {%- else %}
 #auth_url = <None>
 {%- endif %}
@@ -3353,6 +3362,9 @@
 # Authentication URL (string value)
 {%- if ironic.get('identity', {}).get('engine') == 'keystone' %}
 auth_url = {{ ironic.identity.protocol }}://{{ ironic.identity.host }}:{{ ironic.identity.port }}/identity
+{%- if ironic.identity.protocol == 'https' %}
+cafile={{ ironic.identity.get('cacert_file', ironic.cacert_file) }}
+{%- endif %}
 {%- else %}
 #auth_url = <None>
 {%- endif %}

diff --git a/ironic/files/ocata/ironic.conf b/ironic/files/ocata/ironic.conf
index 672c413..a701d2a 100644
--- a/ironic/files/ocata/ironic.conf
+++ b/ironic/files/ocata/ironic.conf

@@ -1491,6 +1491,9 @@
 # Authentication URL (string value)
 {%- if conductor.get('glance', {}).get('auth_strategy') == 'keystone' %}
 auth_url = {{ conductor.identity.protocol }}://{{ conductor.identity.host }}:{{ conductor.identity.port }}/identity
+{%- if conductor.identity.protocol == 'https' %}
+cafile={{ conductor.identity.get('cacert_file', conductor.cacert_file) }}
+{%- endif %}
 {%- else %}
 #auth_url = <None>
 {%- endif %}
@@ -2063,6 +2066,9 @@
 # Authentication URL (string value)
 {%- if ironic.get('identity', {}).get('engine') == 'keystone' %}
 auth_url = {{ ironic.identity.protocol }}://{{ ironic.identity.host }}:{{ ironic.identity.port }}/identity
+{%- if ironic.identity.protocol == 'https' %}
+cafile={{ ironic.identity.get('cacert_file', ironic.cacert_file) }}
+{%- endif %}
 {%- else %}
 #auth_uri = <None>
 {%- endif %}
@@ -2527,6 +2533,9 @@
 # Authentication URL (string value)
 {%- if conductor.get('neutron', {}).get('auth_strategy') == 'keystone' %}
 auth_url = {{ conductor.identity.protocol }}://{{ conductor.identity.host }}:{{ conductor.identity.port }}/identity
+{%- if conductor.identity.protocol == 'https' %}
+cafile={{ conductor.identity.get('cacert_file', conductor.cacert_file) }}
+{%- endif %}
 {%- else %}
 #auth_url = <None>
 {%- endif %}
@@ -3685,6 +3694,9 @@
 # Authentication URL (string value)
 {%- if ironic.get('identity', {}).get('engine') == 'keystone' %}
 auth_url = {{ ironic.identity.protocol }}://{{ ironic.identity.host }}:{{ ironic.identity.port }}/identity
+{%- if ironic.identity.protocol == 'https' %}
+cafile={{ ironic.identity.get('cacert_file', ironic.cacert_file) }}
+{%- endif %}
 {%- else %}
 #auth_url = <None>
 {%- endif %}
commit	7402b0340caae734703c50200af7ef127976223f	[log] [tgz]
author	Kirill Bespalov <kbespalov@mirantis.com>	Tue Nov 21 12:17:20 2017 +0300
committer	Vasyl Saienko <vsaienko@mirantis.com>	Wed Jan 03 12:30:36 2018 +0200
tree	38f98daddcfd651bd2e31dc2540bbbcc951d15c3
parent	5bcf555a3be867013076647df457c7989c59d511 [diff]