Merge "Allow configuring RPC client TLS separately from server"

2025-05-16 01:20:44 +00:00 · 2025-05-16 01:20:44 +00:00 · 7650fca876
commit 7650fca876
parent c52b1a8745 3a705a59db
4 changed files with 31 additions and 1 deletions
--- a/ironic/common/json_rpc/client.py
+++ b/ironic/common/json_rpc/client.py
@ -198,7 +198,7 @@ class _CallContext(object):
                          or uuidutils.generate_uuid())

        scheme = 'http'
-        if CONF.json_rpc.use_ssl:
+        if CONF.json_rpc.client_use_ssl or CONF.json_rpc.use_ssl:
            scheme = 'https'
        url = '%s://%s:%d' % (scheme,
                              netutils.escape_ipv6(self.host),
--- a/ironic/conf/json_rpc.py
+++ b/ironic/conf/json_rpc.py
@ -43,6 +43,12 @@ opts = [
    cfg.BoolOpt('use_ssl',
                default=False,
                help=_('Whether to use TLS for JSON RPC')),
+    cfg.BoolOpt('client_use_ssl',
+                default=False,
+                help=_('Set to True for force TLS connections in the client '
+                       'even if use_ssl is set to False. Only makes sense '
+                       'if server-side TLS is provided outside of Ironic '
+                       '(e.g. with httpd acting as a reverse proxy).')),
    cfg.StrOpt('http_basic_username',
               deprecated_for_removal=True,
               deprecated_reason=_("Use username instead"),
--- a/ironic/tests/unit/common/test_json_rpc.py
+++ b/ironic/tests/unit/common/test_json_rpc.py
@ -477,6 +477,24 @@ class TestClient(TestCase):
                  'params': {'answer': 42, 'context': self.ctx_json},
                  'id': self.context.request_id})

+    def test_call_with_client_ssl(self, mock_session):
+        self.config(use_ssl=False, client_use_ssl=True, group='json_rpc')
+        response = mock_session.return_value.post.return_value
+        response.json.return_value = {
+            'jsonrpc': '2.0',
+            'result': 42
+        }
+        cctx = self.client.prepare('foo.example.com')
+        self.assertEqual('example.com', cctx.host)
+        result = cctx.call(self.context, 'do_something', answer=42)
+        self.assertEqual(42, result)
+        mock_session.return_value.post.assert_called_once_with(
+            'https://example.com:8089',
+            json={'jsonrpc': '2.0',
+                  'method': 'do_something',
+                  'params': {'answer': 42, 'context': self.ctx_json},
+                  'id': self.context.request_id})
+
    def test_cast_success(self, mock_session):
        cctx = self.client.prepare('foo.example.com')
        self.assertEqual('example.com', cctx.host)
--- a/releasenotes/notes/rpc-client-ssl-63b0d8ccaf88dae5.yaml
+++ b/releasenotes/notes/rpc-client-ssl-63b0d8ccaf88dae5.yaml
@ -0,0 +1,6 @@
+---
+features:
+  - |
+    Adds a new option ``[json_rpc]client_use_ssl``. It can be set to True in
+    situations where server-side TLS is handled by a reverse proxy, and thus
+    ``[json_rpc]use_ssl`` is set to False.