Doc update to enable HTTPS in Glance and Ironic comm

Added the documentation to enable HTTPS endpoint in glance for enabling secure communication between Ironic and Glance. Related-Bug: #1548086 Change-Id: I7e7f98e6d5281ef030a35f29a10eab753e8a8568
2016-02-16 05:31:21 +00:00 · 2016-02-16 05:31:21 +00:00 · 2e62675f82
commit 2e62675f82
parent a188a31365
2 changed files with 83 additions and 17 deletions
--- a/doc/source/deploy/install-guide.rst
+++ b/doc/source/deploy/install-guide.rst
@ -2019,6 +2019,72 @@ of the following ways:
  <http://docs.openstack.org/developer/swift/deployment_guide.html>`_
  (recommended only for testing purpose by swift).
 .. _EnableHTTPSinGlance:
 Enabling HTTPS in Image service
 ===============================
 Ironic drivers usually use Image service during node provisioning. By default,
 image service does not use HTTPS, but it is required for secure communication.
 It can be enabled by making the following changes to ``/etc/glance/glance-api.conf``:
 #. `Configuring SSL support
   <http://docs.openstack.org/developer/glance/configuring.html#configuring-ssl-support>`_
 #. Restart the glance-api service::
    Fedora/RHEL7/CentOS7:
        sudo systemctl restart openstack-glance-api
    Debian/Ubuntu:
        sudo service glance-api restart
 See the `Glance <http://docs.openstack.org/developer/glance/>`_ documentation,
 for more details on the Image service.
 Enabling HTTPS communication between Image service and Object storage
 =====================================================================
 This section describes the steps needed to enable secure HTTPS communication between
 Image service and Object storage when Object storage is used as the Backend.
 To enable secure HTTPS communication between Image service and Object storage follow these steps:
 #. :ref:`EnableHTTPSinSwift`.
 #.  `Configure Swift Storage Backend
    <http://docs.openstack.org/developer/glance/configuring.html#configuring-the-swift-storage-backend>`_
 #. :ref:`EnableHTTPSinGlance`
 Enabling HTTPS communication between Image service and Bare Metal service
 =========================================================================
 This section describes the steps needed to enable secure HTTPS communication between
 Image service and Bare Metal service.
 To enable secure HTTPS communication between Bare Metal service and Image service follow these steps:
 #. Edit ``/etc/ironic/ironic.conf``::
    [glance]
    ...
    glance_cafile=/path/to/certfile
    glance_protocol=https
    glance_api_insecure=False
   .. note::
      'glance_cafile' is a optional path to a CA certificate bundle to be used to validate the SSL certificate
      served by Image service.
 #. Restart ironic-conductor service::
    Fedora/RHEL7/CentOS7:
        sudo systemctl restart openstack-ironic-conductor
    Debian/Ubuntu:
        sudo service ironic-conductor restart
 Using Bare Metal service as a standalone service
 ================================================
--- a/doc/source/drivers/ilo.rst
+++ b/doc/source/drivers/ilo.rst
@ -206,12 +206,12 @@ Target Users
  security enhanced PXE-less deployment mechanism.
  The PXE driver passes management information in clear-text to the
-  bare metal node.  However, if swift proxy server has an HTTPS
+  bare metal node.  However, if swift proxy server and glance have HTTPS
-  endpoint (See :ref:`EnableHTTPSinSwift` for more information), the
+  endpoints (See :ref:`EnableHTTPSinSwift`, :ref:`EnableHTTPSinGlance` for more
-  ``iscsi_ilo`` driver provides enhanced security by passing
+  information), the ``iscsi_ilo`` driver provides enhanced security by
-  management information to and from swift endpoint over HTTPS.  The
+  exchanging management information with swift and glance endpoints over HTTPS.
-  management information, deploy ramdisk and boot images for the instance will
+  The management information, deploy ramdisk and boot images for the instance
-  be retrieved over encrypted management network via iLO virtual media.
+  will be retrieved over encrypted management network via iLO virtual media.
 Tested Platforms
 ~~~~~~~~~~~~~~~~
@ -239,11 +239,11 @@ Features
 * UEFI Boot Support
 * UEFI Secure Boot Support
 * Passing management information via secure, encrypted management network
-  (virtual media) if swift proxy server has an HTTPS endpoint. See
+  (virtual media) if swift proxy server and glance have HTTPS endpoints. See
-  :ref:`EnableHTTPSinSwift` for more info.  User image provisioning is done
+  :ref:`EnableHTTPSinSwift`, :ref:`EnableHTTPSinGlance` for more info.  User
-  using iSCSI over data network, so this driver has the benefit
+  image provisioning is done using iSCSI over data network, so this driver has
-  of security enhancement with the same performance. It segregates management
+  the benefit of security enhancement with the same performance. It segregates
-  info from data channel.
+  management info from data channel.
 * Support for out-of-band cleaning operations.
 * Remote Console
 * HW Sensors
@ -350,12 +350,12 @@ Target Users
  want to have a security enhanced PXE-less deployment mechanism.
  The PXE based agent drivers pass management information in clear-text to
-  the bare metal node.  However, if swift proxy server has an HTTPS
+  the bare metal node.  However, if swift proxy server and glance have HTTPS
-  endpoint (See :ref:`EnableHTTPSinSwift` for more information),
+  endpoints (See :ref:`EnableHTTPSinSwift`, :ref:`EnableHTTPSinGlance` for more
-  the ``agent_ilo`` driver provides enhanced security by passing authtoken
+  information), the ``agent_ilo`` driver provides enhanced security by
-  and management information to and from swift endpoint over HTTPS.  The
+  exchanging authtoken and management information with swift and glance
-  management information and deploy ramdisk will be retrieved over encrypted
+  endpoints over HTTPS.  The management information and deploy ramdisk will be
-  management network via iLO.
+  retrieved over encrypted management network via iLO.
 Tested Platforms
 ~~~~~~~~~~~~~~~~