openstack/ironic
Code Issues Proposed changes

Allow configuring RPC client TLS separately from server

Browse Source 
When TLS is handled by a reverse proxy, use_ssl may be set to False
while clients are still supposed to use TLS. Add a new option for that.

Change-Id: Ie1be180ce36bbeb81427ea1ed4a2654c880aff2c
This commit is contained in:
Dmitry Tantsur
2025-03-25 17:20:36 +01:00
parent 86334496b0
commit 3a705a59db
4 changed files with 31 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
ironic/common/json_rpc/client.py
View File

@@ -198,7 +198,7 @@ class _CallContext(object):
or uuidutils.generate_uuid()) or uuidutils.generate_uuid())
scheme = 'http' scheme = 'http'
if CONF.json_rpc.use_ssl: if CONF.json_rpc.client_use_ssl or CONF.json_rpc.use_ssl:
scheme = 'https' scheme = 'https'
url = '%s://%s:%d' % (scheme, url = '%s://%s:%d' % (scheme,
netutils.escape_ipv6(self.host), netutils.escape_ipv6(self.host),

6
ironic/conf/json_rpc.py
View File

@@ -43,6 +43,12 @@ opts = [
cfg.BoolOpt('use_ssl', cfg.BoolOpt('use_ssl',
default=False, default=False,
help=_('Whether to use TLS for JSON RPC')), help=_('Whether to use TLS for JSON RPC')),
cfg.BoolOpt('client_use_ssl',
default=False,
help=_('Set to True for force TLS connections in the client '
'even if use_ssl is set to False. Only makes sense '
'if server-side TLS is provided outside of Ironic '
'(e.g. with httpd acting as a reverse proxy).')),
cfg.StrOpt('http_basic_username', cfg.StrOpt('http_basic_username',
deprecated_for_removal=True, deprecated_for_removal=True,
deprecated_reason=_("Use username instead"), deprecated_reason=_("Use username instead"),

18
ironic/tests/unit/common/test_json_rpc.py
View File

@@ -477,6 +477,24 @@ class TestClient(TestCase):
'params': {'answer': 42, 'context': self.ctx_json}, 'params': {'answer': 42, 'context': self.ctx_json},
'id': self.context.request_id}) 'id': self.context.request_id})
def test_call_with_client_ssl(self, mock_session):
self.config(use_ssl=False, client_use_ssl=True, group='json_rpc')
response = mock_session.return_value.post.return_value
response.json.return_value = {
'jsonrpc': '2.0',
'result': 42
}
cctx = self.client.prepare('foo.example.com')
self.assertEqual('example.com', cctx.host)
result = cctx.call(self.context, 'do_something', answer=42)
self.assertEqual(42, result)
mock_session.return_value.post.assert_called_once_with(
'https://example.com:8089',
json={'jsonrpc': '2.0',
'method': 'do_something',
'params': {'answer': 42, 'context': self.ctx_json},
'id': self.context.request_id})
def test_cast_success(self, mock_session): def test_cast_success(self, mock_session):
cctx = self.client.prepare('foo.example.com') cctx = self.client.prepare('foo.example.com')
self.assertEqual('example.com', cctx.host) self.assertEqual('example.com', cctx.host)

6
releasenotes/notes/rpc-client-ssl-63b0d8ccaf88dae5.yaml Normal file
View File

@@ -0,0 +1,6 @@
---
features:
- |
Adds a new option ``[json_rpc]client_use_ssl``. It can be set to True in
situations where server-side TLS is handled by a reverse proxy, and thus
``[json_rpc]use_ssl`` is set to False.