bifrost/playbooks/roles/bifrost-ironic-install/templates/ironic.conf.j2
Dmitry Tantsur ddafc94e30 TLS support for API services
Change-Id: I084da313eda17435c095ade7cb1b92981f5341dc
2020-09-02 18:23:40 +02:00


# {{ ansible_managed }}
# Ironic service configuration rendered by the bifrost-ironic-install role.
# NOTE(review): the rendered file holds plaintext credentials (message queue,
# database and service passwords). The task that installs it is not visible
# here - confirm it restricts the owner and mode of the file.
[DEFAULT]
# Debug logging follows the "testing" flag.
debug = {{ testing | bool }}
# NOTE(TheJulia): Until Bifrost supports neutron or some other network
# configuration besides a flat network where bifrost orchestrates the
# control instead of ironic, noop is the only available network driver.
enabled_network_interfaces = noop
default_deploy_interface = {{ default_deploy_interface }}
{% if enable_inspector | bool == true %}
# Inspection through ironic-inspector is offered only when the inspector is
# enabled; otherwise these two options are left at the service defaults.
enabled_inspect_interfaces = no-inspect,inspector
default_inspect_interface = inspector
{% endif %}
enabled_bios_interfaces = {{ enabled_bios_interfaces }}
enabled_boot_interfaces = {{ enabled_boot_interfaces }}
enabled_management_interfaces = {{ enabled_management_interfaces }}
enabled_power_interfaces = {{ enabled_power_interfaces }}
enabled_deploy_interfaces = {{ enabled_deploy_interfaces }}
enabled_hardware_types = {{ enabled_hardware_types }}
default_resource_class = {{ default_resource_class }}
{% if use_rabbitmq is defined and use_rabbitmq | bool == true %}
# NOTE(review): the broker URL embeds ironic_db_password verbatim. The name
# suggests the broker account shares the database password, and any
# URL-reserved character in it would change how the URL is parsed - confirm
# both points. No TLS option for the broker connection is set in this file.
transport_url = rabbit://ironic:{{ironic_db_password }}@{{ message_queue_host | default('127.0.0.1') }}:{{ message_queue_port | default('5672') }}/{{ rabbit_virtual_host | default('') }}
{% else %}
# Without RabbitMQ the API and conductor talk over JSON-RPC; see [json_rpc].
rpc_transport = json-rpc
{% endif %}
# API authentication, in order of precedence: keystone when enabled, noauth
# when noauth_mode is set, otherwise HTTP basic auth against an htpasswd file.
{% if enable_keystone | bool %}
auth_strategy = keystone
{% elif noauth_mode | bool %}
# NOTE(review): noauth leaves the bare metal API unauthenticated; anyone who
# can reach it can manage nodes. Keep this mode to isolated test networks.
auth_strategy = noauth
{% else %}
auth_strategy = http_basic
http_basic_auth_user_file = /etc/ironic/htpasswd
{% endif %}
{% if ironic_log_dir | default("") != "" %}
log_dir = {{ ironic_log_dir }}
{% endif %}
{% if enable_tls | bool %}
# TLS for the API service. Both sections are written only when enable_tls is
# set; without it the API is served without TLS.
[api]
enable_ssl_api = True
[ssl]
# NOTE(review): key_file names the private key. Its ownership and mode are set
# outside this template - confirm only the service account can read it.
cert_file = {{ tls_certificate_path }}
key_file = {{ ironic_private_key_path }}
{% endif %}
# Handling of logs sent back by the deploy ramdisk.
[agent]
{% if ironic_store_ramdisk_logs | bool %}
# Collect ramdisk logs after every deployment, not only after failures.
deploy_logs_collect = always
{% endif %}
{% if ironic_agent_deploy_logs_local_path | default("") != "" %}
# NOTE(review): collected ramdisk logs can describe host hardware and
# configuration; confirm this directory is readable only by operators.
deploy_logs_local_path = {{ ironic_agent_deploy_logs_local_path }}
{% endif %}
# Network boot settings: iPXE chain-loaded over TFTP from internal_ip.
[pxe]
# NOTE(review): ipa-insecure=1 is passed to the ramdisk in both branches. It
# turns off TLS certificate verification in ironic-python-agent, so the agent
# does not authenticate the API it calls back to even when enable_tls is set.
# Confirm whether the ramdisk can be given the CA certificate instead.
{% if testing | bool %}
pxe_append_params = console=ttyS0 ipa-insecure=1
{% else %}
# extra_kernel_options is appended verbatim to the kernel command line.
pxe_append_params = systemd.journald.forward_to_console=yes ipa-insecure=1 {{ extra_kernel_options | default('') }}
{% endif %}
# $pybasedir is left for the service's own config loader to expand; Jinja
# does not touch it.
pxe_config_template = $pybasedir/drivers/modules/ipxe_config.template
tftp_server = {{ internal_ip }}
tftp_root = /tftpboot
pxe_bootfile_name = undionly.kpxe
ipxe_enabled = true
ipxe_boot_script = /etc/ironic/boot.ipxe
tftp_master_path = {{ ironic_tftp_master_path }}
{% if enable_uefi_ipxe | bool %}
# UEFI clients get their own iPXE binary but the same config template.
uefi_pxe_bootfile_name = {{ ipxe_efi_binary }}
uefi_pxe_config_template = $pybasedir/drivers/modules/ipxe_config.template
{% endif %}
enable_netboot_fallback = true
# Image serving and disk cleaning behaviour.
[deploy]
# NOTE(review): boot files and images are served over plain http on
# internal_ip regardless of enable_tls; confirm their integrity is covered
# another way (for example image checksums) or that the network is trusted.
http_url = http://{{ internal_ip }}:{{ file_url_port }}/
http_root = {{ http_boot_folder }}
default_boot_option = local
{% if default_boot_mode | default('') != '' %}
default_boot_mode = {{ default_boot_mode }}
{% endif %}
fast_track = {{ fast_track }}
# Exactly one erase step is active per branch; a priority of 0 disables the
# step. With cleaning_disk_erase set the full device erase runs; otherwise
# only the metadata erase runs.
# NOTE(review): the metadata-only branch does not overwrite disk contents, so
# earlier data may remain on a node handed to a new user - confirm that is
# acceptable for the deployment.
{% if cleaning_disk_erase | bool %}
erase_devices_priority = 10
erase_devices_metadata_priority = 0
{% else %}
erase_devices_priority = 0
erase_devices_metadata_priority = 10
{% endif %}
# Conductor defaults: automated cleaning switch and ramdisk locations.
[conductor]
# The "cleaning" variable is lower-cased before being written.
automated_clean = {{ cleaning | lower }}
# Rescue mode reuses the deploy kernel and ramdisk URLs.
deploy_kernel = {{ ipa_kernel_url }}
deploy_ramdisk = {{ ipa_ramdisk_url }}
rescue_kernel = {{ ipa_kernel_url }}
rescue_ramdisk = {{ ipa_ramdisk_url }}
[database]
# NOTE(review): username and password are embedded verbatim in the URL, so a
# URL-reserved character in either would change how it is parsed. The only
# query parameter is the charset; no TLS parameter for the database link is
# set here.
connection = mysql+pymysql://{{ ironic.database.username }}:{{ ironic.database.password }}@{{ ironic.database.host }}/{{ ironic.database.name }}?charset=utf8
[dhcp]
# Ironic does not manage DHCP itself in this setup.
dhcp_provider = none
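{% if enable_cors | bool == true %}
# Cross-origin access for browser clients; written only when enable_cors is set.
[cors]
# Origin allowed to call the API. The fallback is a bare origin: repeating the
# option name inside the default would render a value that is not a valid
# origin and would never match a request.
allowed_origin = {{ cors_allowed_origin | default('http://localhost:8000') }}
# NOTE(review): credentialed cross-origin requests are allowed by default.
# While this stays true, keep allowed_origin to specific trusted origins.
allow_credentials = {{ enable_cors_credential_support | default('true') }}
{% endif %}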
[ilo]
# Serve iLO boot images from the conductor's web server.
# NOTE(review): presumably this is the [deploy] http_url endpoint, which is
# plain http in this file - confirm.
use_web_server_for_images = true
{% if enable_inspector | bool == true %}
# Client settings Ironic uses to reach ironic-inspector; written only when the
# inspector is enabled.
[inspector]
power_off = {{ power_off_after_inspection }}
# NOTE(review): ipa-insecure=1 turns off TLS certificate verification in the
# inspection ramdisk, unconditionally, including when enable_tls is set.
# inspector_extra_kernel_options is appended verbatim.
extra_kernel_params = ipa-insecure=1 {{ inspector_extra_kernel_options | default('') }}
# Credentials follow the same three-way choice as the API auth strategy:
# keystone password auth, no auth, or HTTP basic auth with the admin account.
{% if enable_keystone | bool %}
auth_type = password
auth_url = {{ ironic.service_catalog.auth_url }}
username = {{ ironic.service_catalog.username }}
password = {{ ironic.service_catalog.password }}
user_domain_id = default
project_name = {{ ironic.service_catalog.project_name }}
project_domain_id = default
region_name = {{ keystone.bootstrap.region_name | default('RegionOne')}}
# NOTE(dtantsur): this has to be on internal IP even if public IPs are used
callback_endpoint_override = {{ api_protocol }}://{{ internal_ip }}:5050
{% elif noauth_mode | bool %}
# Requests to the inspector carry no credentials in this branch.
auth_type=none
endpoint_override = {{ ironic_inspector_api_url }}
{% else %}
auth_type = http_basic
endpoint_override = {{ ironic_inspector_api_url }}
username = {{ admin_username }}
password = {{ admin_password }}
{% endif %}
{% if enable_tls | bool %}
# The server certificate path doubles as the CA bundle used to verify the
# inspector endpoint.
# NOTE(review): this only works if that certificate is self-signed or the
# file also carries the issuing chain - confirm.
cafile = {{ tls_certificate_path }}
{% endif %}
{% endif %}
{% if enable_keystone is defined and enable_keystone | bool == true %}
# Service credentials for validating incoming keystone tokens; written only
# when keystone is enabled.
[keystone_authtoken]
# NOTE(review): every other section in this file selects the plugin with
# auth_type; auth_plugin looks like the older spelling of the same option -
# confirm it is still honoured by the installed keystone libraries.
auth_plugin = password
auth_url = {{ ironic.service_catalog.auth_url }}
username = {{ ironic.service_catalog.username }}
password = {{ ironic.service_catalog.password }}
user_domain_id = default
project_name = {{ ironic.service_catalog.project_name }}
project_domain_id = default
{% if enable_tls | bool %}
# The server certificate path is reused as the CA bundle for keystone calls.
cafile = {{ tls_certificate_path }}
{% endif %}
{% endif %}
# Credentials and endpoint Ironic uses when it has to call its own API.
[service_catalog]
{% if enable_keystone | bool %}
auth_url = {{ ironic.service_catalog.auth_url }}
auth_type = password
project_name = {{ ironic.service_catalog.project_name }}
username = {{ ironic.service_catalog.username }}
password = {{ ironic.service_catalog.password }}
user_domain_id = default
project_domain_id = default
region_name = {{ keystone.bootstrap.region_name | default('RegionOne')}}
{% elif noauth_mode | bool %}
# No credentials are sent in noauth mode.
auth_type = none
{% else %}
# The admin account is stored here in plaintext for HTTP basic auth.
auth_type = http_basic
username = {{ admin_username }}
password = {{ admin_password }}
{% endif %}
# NOTE(dtantsur): this has to be on internal IP even if public IPs are used
# NOTE(review): unlike [inspector] and [json_rpc], no cafile is written in
# this section when enable_tls is set - confirm how this https endpoint is
# verified.
endpoint_override = {{ api_protocol }}://{{ internal_ip }}:6385
# JSON-RPC channel between the API and the conductor; used when
# rpc_transport is json-rpc.
[json_rpc]
{% if enable_tls | bool %}
# Encrypt JSON-RPC and verify the peer against the server certificate path.
use_ssl = True
cafile = {{ tls_certificate_path }}
{% endif %}
# Only two branches exist here: keystone, or HTTP basic auth. There is no
# noauth branch, so JSON-RPC stays authenticated even when noauth_mode is set
# for the API.
{% if enable_keystone | bool %}
auth_strategy = keystone
auth_url = {{ ironic.service_catalog.auth_url }}
auth_type = password
project_name = {{ ironic.service_catalog.project_name }}
username = {{ ironic.service_catalog.username }}
password = {{ ironic.service_catalog.password }}
user_domain_id = default
project_domain_id = default
{% else %}
# Server side checks callers against the htpasswd file; the client side sends
# the admin username and password, which are stored here in plaintext.
auth_strategy = http_basic
auth_type = http_basic
http_basic_auth_user_file = /etc/ironic/htpasswd
username = {{ admin_username }}
password = {{ admin_password }}
{% endif %}