Revert "Add support for encrypting Ironic API"

This reverts commit 316b0496b3, because ironic-inspector is not ready to use WSGI. It would need to be split into two separate containers, one running ironic-inspector-api-wsgi and another running ironic-inspector-conductor. Change-Id: I7e6c59dc8ad4fdee0cc6d96313fe66bc1d001bf7
2020-09-09 21:33:26 +02:00 · 2020-09-09 21:33:26 +02:00 · 3d30624cc1
commit 3d30624cc1
parent e94f97399b
8 changed files with 10 additions and 177 deletions
--- a/ansible/roles/ironic/defaults/main.yml
+++ b/ansible/roles/ironic/defaults/main.yml
@ -16,14 +16,12 @@ ironic_services:
        external: false
        port: "{{ ironic_api_port }}"
        listen_port: "{{ ironic_api_listen_port }}"
-        tls_backend: "{{ ironic_enable_tls_backend }}"
      ironic_api_external:
        enabled: "{{ enable_ironic }}"
        mode: "http"
        external: true
        port: "{{ ironic_api_port }}"
        listen_port: "{{ ironic_api_listen_port }}"
-        tls_backend: "{{ ironic_enable_tls_backend }}"
  ironic-conductor:
    container_name: ironic_conductor
    group: ironic-conductor
@ -47,14 +45,12 @@ ironic_services:
        external: false
        port: "{{ ironic_inspector_port }}"
        listen_port: "{{ ironic_inspector_listen_port }}"
-        tls_backend: "{{ ironic_enable_tls_backend }}"
      ironic_inspector_external:
        enabled: "{{ enable_ironic }}"
        mode: "http"
        external: true
        port: "{{ ironic_inspector_port }}"
        listen_port: "{{ ironic_inspector_listen_port }}"
-        tls_backend: "{{ ironic_enable_tls_backend }}"
  ironic-pxe:
    container_name: ironic_pxe
    group: ironic-pxe
@ -257,8 +253,3 @@ ironic_ks_users:
    user: "{{ ironic_inspector_keystone_user }}"
    password: "{{ ironic_inspector_keystone_password }}"
    role: "admin"
-
-####################
-# TLS
-####################
-ironic_enable_tls_backend: "{{ kolla_enable_tls_backend }}"
--- a/ansible/roles/ironic/handlers/main.yml
+++ b/ansible/roles/ironic/handlers/main.yml
@ -40,7 +40,6 @@
    module_name: uri
    module_args:
      url: "{{ ironic_internal_endpoint }}"
-      validate_certs: false
  register: result
  until: result is success
  retries: 12
--- a/ansible/roles/ironic/tasks/config.yml
+++ b/ansible/roles/ironic/tasks/config.yml
@ -33,7 +33,7 @@

 - include_tasks: copy-certs.yml
  when:
-    - kolla_copy_ca_into_containers | bool or ironic_enable_tls_backend | bool
+    - kolla_copy_ca_into_containers | bool

 - name: Copying over config.json files for services
  template:
@ -244,29 +244,5 @@
  notify:
    - "Restart {{ item.key }} container"

- name: Copying over ironic-api-wsgi.conf
-  template:
-    src: "ironic-api-wsgi.conf.j2"
-    dest: "{{ node_config_directory }}/ironic-api/ironic-api-wsgi.conf"
-    mode: "0660"
-  become: true
-  when:
-    - inventory_hostname in groups["ironic-api"]
-    - ironic_services["ironic-api"].enabled | bool
-  notify:
-    - "Restart ironic-api container"
-
- name: Copying over ironic-inspector-wsgi.conf
-  template:
-    src: "ironic-inspector-wsgi.conf.j2"
-    dest: "{{ node_config_directory }}/ironic-inspector/ironic-inspector-wsgi.conf"
-    mode: "0660"
-  become: true
-  when:
-    - inventory_hostname in groups["ironic-inspector"]
-    - ironic_services["ironic-inspector"].enabled | bool
-  notify:
-    - "Restart ironic-inspector container"
-
 - import_tasks: check-containers.yml
  when: kolla_action != "config"
--- a/ansible/roles/ironic/templates/ironic-api-wsgi.conf.j2
+++ b/ansible/roles/ironic/templates/ironic-api-wsgi.conf.j2
@ -1,50 +0,0 @@
-{% set ironic_log_dir = '/var/log/kolla/ironic' %}
-{% set wsgi_directory = '/usr/bin' if ironic_install_type == 'binary' else '/var/lib/kolla/venv/bin' %}
-{% if ironic_enable_tls_backend | bool %}
-{% if kolla_base_distro in ['centos']  %}
-LoadModule ssl_module /usr/lib64/httpd/modules/mod_ssl.so
-{% else %}
-LoadModule ssl_module /usr/lib/apache2/modules/mod_ssl.so
-{% endif %}
-{% endif %}
-Listen {{ api_interface_address | put_address_in_context('url') }}:{{ ironic_api_listen_port }}
-
-ServerSignature Off
-ServerTokens Prod
-TraceEnable off
-KeepAliveTimeout {{ kolla_httpd_keep_alive }}
-
-<Directory "{{ wsgi_directory }}">
-    <FilesMatch "^ironic-api-wsgi$">
-        Options None
-        Require all granted
-    </FilesMatch>
-</Directory>
-
-ErrorLog "{{ ironic_log_dir }}/apache-error.log"
-<IfModule log_config_module>
-CustomLog "{{ ironic_log_dir }}/apache-access.log" common
-</IfModule>
-
-{% if ironic_logging_debug | bool %}
-LogLevel info
-{% endif %}
-
-<VirtualHost *:{{ ironic_api_listen_port }}>
-    WSGIDaemonProcess ironic-api processes={{ openstack_service_workers }} threads=1 user=ironic group=ironic display-name=%{GROUP}
-    WSGIProcessGroup ironic-api
-    WSGIScriptAlias / {{ wsgi_directory }}/ironic-api-wsgi
-    WSGIApplicationGroup %{GLOBAL}
-    WSGIPassAuthorization On
-    <IfVersion >= 2.4>
-      ErrorLogFormat "%{cu}t %M"
-    </IfVersion>
-    ErrorLog "{{ ironic_log_dir }}/ironic-api-error.log"
-    LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b %D \"%{Referer}i\" \"%{User-Agent}i\"" logformat
-    CustomLog "{{ ironic_log_dir }}/ironic-api-access.log" logformat
-{% if ironic_enable_tls_backend | bool %}
-    SSLEngine on
-    SSLCertificateFile /etc/ironic/certs/ironic-cert.pem
-    SSLCertificateKeyFile /etc/ironic/certs/ironic-key.pem
-{% endif %}
-</VirtualHost>
--- a/ansible/roles/ironic/templates/ironic-api.json.j2
+++ b/ansible/roles/ironic/templates/ironic-api.json.j2
@ -1,37 +1,17 @@
-{% set apache_binary = 'apache2' if kolla_base_distro in ['ubuntu', 'debian'] else 'httpd' %}
-{% set apache_conf_dir = 'apache2/conf-enabled' if kolla_base_distro in ['ubuntu', 'debian'] else 'httpd/conf.d' %}
 {
-    "command": "/usr/sbin/{{ apache_binary }} -DFOREGROUND",
+    "command": "ironic-api",
    "config_files": [
        {
            "source": "{{ container_config_directory }}/ironic.conf",
            "dest": "/etc/ironic/ironic.conf",
            "owner": "ironic",
            "perm": "0600"
-        },
-        {
-            "source": "{{ container_config_directory }}/ironic-api-wsgi.conf",
-            "dest": "/etc/{{ apache_conf_dir }}/ironic-api-wsgi.conf",
-            "owner": "ironic",
-            "perm": "0600"
        }{% if ironic_policy_file is defined %},
        {
            "source": "{{ container_config_directory }}/{{ ironic_policy_file }}",
            "dest": "/etc/ironic/{{ ironic_policy_file }}",
            "owner": "ironic",
            "perm": "0600"
-        }{% endif %}{% if ironic_enable_tls_backend | bool %},
-        {
-            "source": "{{ container_config_directory }}/ironic-cert.pem",
-            "dest": "/etc/ironic/certs/ironic-cert.pem",
-            "owner": "ironic",
-            "perm": "0600"
-        },
-        {
-            "source": "{{ container_config_directory }}/ironic-key.pem",
-            "dest": "/etc/ironic/certs/ironic-key.pem",
-            "owner": "ironic",
-            "perm": "0600"
        }{% endif %}
    ],
    "permissions": [
--- a/ansible/roles/ironic/templates/ironic-inspector-wsgi.conf.j2
+++ b/ansible/roles/ironic/templates/ironic-inspector-wsgi.conf.j2
@ -1,50 +0,0 @@
-{% set ironic_log_dir = '/var/log/kolla/ironic' %}
-{% set wsgi_directory = '/usr/bin' if ironic_install_type == 'binary' else '/var/lib/kolla/venv/bin' %}
-{% if ironic_enable_tls_backend | bool %}
-{% if kolla_base_distro in ['centos']  %}
-LoadModule ssl_module /usr/lib64/httpd/modules/mod_ssl.so
-{% else %}
-LoadModule ssl_module /usr/lib/apache2/modules/mod_ssl.so
-{% endif %}
-{% endif %}
-Listen {{ api_interface_address | put_address_in_context('url') }}:{{ ironic_inspector_listen_port }}
-
-ServerSignature Off
-ServerTokens Prod
-TraceEnable off
-KeepAliveTimeout {{ kolla_httpd_keep_alive }}
-
-<Directory "{{ wsgi_directory }}">
-    <FilesMatch "^ironic-inspector-wsgi$">
-        Options None
-        Require all granted
-    </FilesMatch>
-</Directory>
-
-ErrorLog "{{ ironic_log_dir }}/apache-error-ironic-inspector.log"
-<IfModule log_config_module>
-CustomLog "{{ ironic_log_dir }}/apache-access-ironic-inspector.log" common
-</IfModule>
-
-{% if ironic_logging_debug | bool %}
-LogLevel info
-{% endif %}
-
-<VirtualHost *:{{ ironic_inspector_listen_port }}>
-    WSGIDaemonProcess ironic-inspector processes={{ openstack_service_workers }} threads=1 user=ironic group=ironic display-name=%{GROUP}
-    WSGIProcessGroup ironic-inspector
-    WSGIScriptAlias / {{ wsgi_directory }}/ironic-inspector-wsgi
-    WSGIApplicationGroup %{GLOBAL}
-    WSGIPassAuthorization On
-    <IfVersion >= 2.4>
-      ErrorLogFormat "%{cu}t %M"
-    </IfVersion>
-    ErrorLog "{{ ironic_log_dir }}/ironic-inspector-error.log"
-    LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b %D \"%{Referer}i\" \"%{User-Agent}i\"" logformat
-    CustomLog "{{ ironic_log_dir }}/ironic-inspector-access.log" logformat
-{% if ironic_enable_tls_backend | bool %}
-    SSLEngine on
-    SSLCertificateFile /etc/ironic/certs/ironic-cert.pem
-    SSLCertificateKeyFile /etc/ironic/certs/ironic-key.pem
-{% endif %}
-</VirtualHost>
--- a/ansible/roles/ironic/templates/ironic-inspector.json.j2
+++ b/ansible/roles/ironic/templates/ironic-inspector.json.j2
@ -1,37 +1,17 @@
-{% set apache_binary = 'apache2' if kolla_base_distro in ['ubuntu', 'debian'] else 'httpd' %}
-{% set apache_conf_dir = 'apache2/conf-enabled' if kolla_base_distro in ['ubuntu', 'debian'] else 'httpd/conf.d' %}
 {
-    "command": "/usr/sbin/{{ apache_binary }} -DFOREGROUND",
+    "command": "ironic-inspector --config-file /etc/ironic-inspector/inspector.conf",
    "config_files": [
        {
            "source": "{{ container_config_directory }}/inspector.conf",
            "dest": "/etc/ironic-inspector/inspector.conf",
            "owner": "ironic-inspector",
            "perm": "0600"
-        },
-        {
-            "source": "{{ container_config_directory }}/ironic-inspector-wsgi.conf",
-            "dest": "/etc/{{ apache_conf_dir }}/ironic-inspector-wsgi.conf",
-            "owner": "ironic",
-            "perm": "0600"
        }{% if ironic_policy_file is defined %},
        {
            "source": "{{ container_config_directory }}/{{ ironic_policy_file }}",
            "dest": "/etc/ironic/{{ ironic_policy_file }}",
            "owner": "ironic",
            "perm": "0600"
-        }{% endif %}{% if ironic_enable_tls_backend | bool %},
-        {
-            "source": "{{ container_config_directory }}/ironic-cert.pem",
-            "dest": "/etc/ironic/certs/ironic-cert.pem",
-            "owner": "ironic",
-            "perm": "0600"
-        },
-        {
-            "source": "{{ container_config_directory }}/ironic-key.pem",
-            "dest": "/etc/ironic/certs/ironic-key.pem",
-            "owner": "ironic",
-            "perm": "0600"
        }{% endif %}
    ]
 }
--- a/ansible/roles/ironic/templates/ironic.conf.j2
+++ b/ansible/roles/ironic/templates/ironic.conf.j2
@ -35,6 +35,13 @@ driver = noop
 policy_file = {{ ironic_policy_file }}
 {% endif %}

+{% if service_name == 'ironic-api' %}
+[api]
+host_ip = {{ api_interface_address }}
+port = {{ ironic_api_listen_port }}
+api_workers = {{ openstack_service_workers }}
+{% endif %}
+
 {% if service_name == 'ironic-conductor' %}
 [conductor]
 automated_clean=false