With iPXE to use HTTPS, this has been long possible to configure, however you'll also need to manage your own iPXE binary with the HTTPS CA certificate compiled into the iPXE binary. The link [0] should help. As for Ironic configuration, you would just set the URLs in ironic.conf for the conductor to be reached to an HTTPS url. Ironic doesn't provide specific instructions as basically all of the work is with iPXE and then replacing the iPXE binary Ironic offers out with the file you craft.

As for UEFI HTTPS network boot, This is also a possibility after Ironic 24.1.0. There are two distinct forms though. The first is just a pure DHCP driven HTTP Network boot[1], and the second is where the URL is submitted to a redfish BMC out of band[2]. Similar to iPXE, the UEFI firmware has to have a certificate which is trusted, luckily it is not hard encoded and your going to have to research that a bit with your specific hardware. It might be that a pubic CA's signed certificate may be sufficient. Similar to using ipxe, you just need to then configure the URL for the ironic-conductor service and obviously the webserver hosting files to leverage HTTPS.

Specifically, in ironic.conf, you're looking for the [deploy]http_url setting. Ironic doesn't directly serve the files, so whatever web server you have hosting your httpboot (the folder defined by [deploy]http_root) folder, will need to have that certificate injected.

If you have any questions, please feel free to reach out on irc.oftc.net in #openstack-ironic and if you find anything that would help to change in the documentation to aid in clarity on this subject, patches are always welcome!

-Julia

[0]: https://ipxe.org/crypto

[1]: https://docs.openstack.org/ironic/latest/admin/interfaces/boot.html#http-boot

[2]: https://docs.openstack.org/ironic/latest/admin/drivers/redfish.html#redfish-https-boot