Doc update to enable HTTPS in Glance and Ironic comm

Added the documentation to enable HTTPS endpoint in
glance for enabling secure communication between
Ironic and Glance.

Related-Bug: #1548086
Change-Id: I7e7f98e6d5281ef030a35f29a10eab753e8a8568

doc/source/deploy/install-guide.rst

@@ -2019,6 +2019,72 @@ of the following ways:
   <http://docs.openstack.org/developer/swift/deployment_guide.html>`_
   (recommended only for testing purpose by swift).
 
+.. _EnableHTTPSinGlance:
+
+Enabling HTTPS in Image service
+===============================
+
+Ironic drivers usually use Image service during node provisioning. By default,
+image service does not use HTTPS, but it is required for secure communication.
+It can be enabled by making the following changes to ``/etc/glance/glance-api.conf``:
+
+#. `Configuring SSL support
+   <http://docs.openstack.org/developer/glance/configuring.html#configuring-ssl-support>`_
+
+#. Restart the glance-api service::
+
+    Fedora/RHEL7/CentOS7:
+        sudo systemctl restart openstack-glance-api
+
+    Debian/Ubuntu:
+        sudo service glance-api restart
+
+See the `Glance <http://docs.openstack.org/developer/glance/>`_ documentation,
+for more details on the Image service.
+
+Enabling HTTPS communication between Image service and Object storage
+=====================================================================
+
+This section describes the steps needed to enable secure HTTPS communication between
+Image service and Object storage when Object storage is used as the Backend.
+
+To enable secure HTTPS communication between Image service and Object storage follow these steps:
+
+#. :ref:`EnableHTTPSinSwift`.
+
+#.  `Configure Swift Storage Backend
+    <http://docs.openstack.org/developer/glance/configuring.html#configuring-the-swift-storage-backend>`_
+
+#. :ref:`EnableHTTPSinGlance`
+
+Enabling HTTPS communication between Image service and Bare Metal service
+=========================================================================
+
+This section describes the steps needed to enable secure HTTPS communication between
+Image service and Bare Metal service.
+
+To enable secure HTTPS communication between Bare Metal service and Image service follow these steps:
+
+#. Edit ``/etc/ironic/ironic.conf``::
+
+    [glance]
+    ...
+    glance_cafile=/path/to/certfile
+    glance_protocol=https
+    glance_api_insecure=False
+
+   .. note::
+      'glance_cafile' is a optional path to a CA certificate bundle to be used to validate the SSL certificate
+      served by Image service.
+
+#. Restart ironic-conductor service::
+
+    Fedora/RHEL7/CentOS7:
+        sudo systemctl restart openstack-ironic-conductor
+
+    Debian/Ubuntu:
+        sudo service ironic-conductor restart
+
 Using Bare Metal service as a standalone service
 ================================================
 

doc/source/drivers/ilo.rst

@@ -206,12 +206,12 @@ Target Users
   security enhanced PXE-less deployment mechanism.
 
   The PXE driver passes management information in clear-text to the
-  bare metal node.  However, if swift proxy server has an HTTPS
-  endpoint (See :ref:`EnableHTTPSinSwift` for more information), the
-  ``iscsi_ilo`` driver provides enhanced security by passing
-  management information to and from swift endpoint over HTTPS.  The
-  management information, deploy ramdisk and boot images for the instance will
-  be retrieved over encrypted management network via iLO virtual media.
+  bare metal node.  However, if swift proxy server and glance have HTTPS
+  endpoints (See :ref:`EnableHTTPSinSwift`, :ref:`EnableHTTPSinGlance` for more
+  information), the ``iscsi_ilo`` driver provides enhanced security by
+  exchanging management information with swift and glance endpoints over HTTPS.
+  The management information, deploy ramdisk and boot images for the instance
+  will be retrieved over encrypted management network via iLO virtual media.
 
 Tested Platforms
 ~~~~~~~~~~~~~~~~
@@ -239,11 +239,11 @@ Features
 * UEFI Boot Support
 * UEFI Secure Boot Support
 * Passing management information via secure, encrypted management network
-  (virtual media) if swift proxy server has an HTTPS endpoint. See
-  :ref:`EnableHTTPSinSwift` for more info.  User image provisioning is done
-  using iSCSI over data network, so this driver has the benefit
-  of security enhancement with the same performance. It segregates management
-  info from data channel.
+  (virtual media) if swift proxy server and glance have HTTPS endpoints. See
+  :ref:`EnableHTTPSinSwift`, :ref:`EnableHTTPSinGlance` for more info.  User
+  image provisioning is done using iSCSI over data network, so this driver has
+  the benefit of security enhancement with the same performance. It segregates
+  management info from data channel.
 * Support for out-of-band cleaning operations.
 * Remote Console
 * HW Sensors
@@ -350,12 +350,12 @@ Target Users
   want to have a security enhanced PXE-less deployment mechanism.
 
   The PXE based agent drivers pass management information in clear-text to
-  the bare metal node.  However, if swift proxy server has an HTTPS
-  endpoint (See :ref:`EnableHTTPSinSwift` for more information),
-  the ``agent_ilo`` driver provides enhanced security by passing authtoken
-  and management information to and from swift endpoint over HTTPS.  The
-  management information and deploy ramdisk will be retrieved over encrypted
-  management network via iLO.
+  the bare metal node.  However, if swift proxy server and glance have HTTPS
+  endpoints (See :ref:`EnableHTTPSinSwift`, :ref:`EnableHTTPSinGlance` for more
+  information), the ``agent_ilo`` driver provides enhanced security by
+  exchanging authtoken and management information with swift and glance
+  endpoints over HTTPS.  The management information and deploy ramdisk will be
+  retrieved over encrypted management network via iLO.
 
 Tested Platforms
 ~~~~~~~~~~~~~~~~