Permit user to define protocol to access IPA

If a user has configured HTTPS in their environment, we should allow them to have the capacity to choose with the generated URLs, if they have not already overriden the values via the inventory. Change-Id: I3bfd233c20fe37519916a2ffb6bb5f49a6e7e62e
2015-12-28 08:56:07 -05:00 · 2015-12-28 08:56:07 -05:00 · b2c9d301a2
commit b2c9d301a2
parent 1d2076891f
4 changed files with 33 additions and 4 deletions
--- a/playbooks/roles/bifrost-ironic-install/defaults/main.yml
+++ b/playbooks/roles/bifrost-ironic-install/defaults/main.yml
@ -20,11 +20,18 @@ ci_testing: false
 network_interface: "virbr0"
 ans_network_interface: "{{ network_interface | replace('-', '_') }}"

+# Normally this would setting would be http in a bifrost installation
+# without TLS. This setting allows a user to override the setting in case
+# the local webserver has been updated to support HTTPS.
+# Note: Users wishing to leverage HTTPS should reference the iPXE
+# documentation at http://ipxe.org/crypto
+ipa_file_protocol: "http"
+
 ipa_kernel: "{{http_boot_folder}}/ipa.vmlinuz"
 ipa_ramdisk: "{{http_boot_folder}}/ipa.initramfs"
-ipa_kernel_url: "http://{{ hostvars[inventory_hostname]['ansible_' + ans_network_interface]['ipv4']['address'] }}:{{nginx_port}}/ipa.vmlinuz"
+ipa_kernel_url: "{{ ipa_file_protocol }}://{{ hostvars[inventory_hostname]['ansible_' + ans_network_interface]['ipv4']['address'] }}:{{nginx_port}}/ipa.vmlinuz"
 ipa_kernel_upstream_url: http://tarballs.openstack.org/ironic-python-agent/coreos/files/coreos_production_pxe.vmlinuz
-ipa_ramdisk_url: "http://{{ hostvars[inventory_hostname]['ansible_' + ans_network_interface]['ipv4']['address'] }}:{{nginx_port}}/ipa.initramfs"
+ipa_ramdisk_url: "{{ ipa_file_protocol }}://{{ hostvars[inventory_hostname]['ansible_' + ans_network_interface]['ipv4']['address'] }}:{{nginx_port}}/ipa.initramfs"
 ipa_ramdisk_upstream_url: http://tarballs.openstack.org/ironic-python-agent/coreos/files/coreos_production_pxe_image-oem.cpio.gz
 deploy_image_filename: "deployment_image.qcow2"
 deploy_image: "{{http_boot_folder}}/{{deploy_image_filename}}"
--- a/playbooks/roles/ironic-enroll-dynamic/README.md
+++ b/playbooks/roles/ironic-enroll-dynamic/README.md
@ -26,6 +26,13 @@ ipa_ramdisk: The ramdisk url, image id, or file representing the ramdisk
             image to utilize to deploy this node. This should be the ramdisk
             used for the Ironic Python Agent.

+ipa_file_protocol: The protocol to utilize to access IPA files. The default is
+                   to utilize HTTP in generated HTTP URLs for bifrost, however
+                   this setting allows a user to change that default if they
+                   they have a modified local webserver configuration.
+                   Do note, that a user wishing to utilize HTTPS may wish to
+                   review the iPXE documentation: http://ipxe.org/crypto
+
 This role expects a data structure similar to the one below, however it should
 be understood that the individual entries under power can vary based on power
 driver required.
--- a/playbooks/roles/ironic-enroll-dynamic/defaults/main.yml
+++ b/playbooks/roles/ironic-enroll-dynamic/defaults/main.yml
@ -6,5 +6,12 @@ nginx_port: 8080
 network_interface: "virbr0"
 ans_network_interface: "{{ network_interface | replace('-', '_') }}"

-ipa_kernel_url: "http://{{ hostvars[inventory_hostname]['ansible_' + ans_network_interface]['ipv4']['address'] }}:{{nginx_port}}/ipa.vmlinuz"
-ipa_ramdisk_url: "http://{{ hostvars[inventory_hostname]['ansible_' + ans_network_interface]['ipv4']['address'] }}:{{nginx_port}}/ipa.initramfs"
+# Normally this would setting would be http in a bifrost installation
+# without TLS. This setting allows a user to override the setting in case
+# the local webserver has been updated to support HTTPS.
+# Note: Users wishing to leverage HTTPS should reference the iPXE
+# documentation at http://ipxe.org/crypto
+ipa_file_protocol: "http"
+
+ipa_kernel_url: "{{ ipa_file_protocol }}://{{ hostvars[inventory_hostname]['ansible_' + ans_network_interface]['ipv4']['address'] }}:{{nginx_port}}/ipa.vmlinuz"
+ipa_ramdisk_url: "{{ ipa_file_protocol }}://{{ hostvars[inventory_hostname]['ansible_' + ans_network_interface]['ipv4']['address'] }}:{{nginx_port}}/ipa.initramfs"
--- a/releasenotes/notes/generated-ipa-url-protocol-1a5a2bfc8e20db9b.yaml
+++ b/releasenotes/notes/generated-ipa-url-protocol-1a5a2bfc8e20db9b.yaml
@ -0,0 +1,8 @@
+---
+features:
+  - Bifrost traditionally utilized a generated HTTP URL to
+    point ironic to the location of IPA, which is utilized
+    for the boot sequence of machines. A user may now override
+    that default and explicitly choose https if their
+    environment has been pre-configured such that HTTPS
+    support is in place.