Revert "Add support for encrypting Ironic API"
This reverts commit 316b0496b3
, because
ironic-inspector is not ready to use WSGI. It would need to be split
into two separate containers, one running ironic-inspector-api-wsgi and
another running ironic-inspector-conductor.
Change-Id: I7e6c59dc8ad4fdee0cc6d96313fe66bc1d001bf7
This commit is contained in:
parent
e94f97399b
commit
3d30624cc1
@ -16,14 +16,12 @@ ironic_services:
|
||||
external: false
|
||||
port: "{{ ironic_api_port }}"
|
||||
listen_port: "{{ ironic_api_listen_port }}"
|
||||
tls_backend: "{{ ironic_enable_tls_backend }}"
|
||||
ironic_api_external:
|
||||
enabled: "{{ enable_ironic }}"
|
||||
mode: "http"
|
||||
external: true
|
||||
port: "{{ ironic_api_port }}"
|
||||
listen_port: "{{ ironic_api_listen_port }}"
|
||||
tls_backend: "{{ ironic_enable_tls_backend }}"
|
||||
ironic-conductor:
|
||||
container_name: ironic_conductor
|
||||
group: ironic-conductor
|
||||
@ -47,14 +45,12 @@ ironic_services:
|
||||
external: false
|
||||
port: "{{ ironic_inspector_port }}"
|
||||
listen_port: "{{ ironic_inspector_listen_port }}"
|
||||
tls_backend: "{{ ironic_enable_tls_backend }}"
|
||||
ironic_inspector_external:
|
||||
enabled: "{{ enable_ironic }}"
|
||||
mode: "http"
|
||||
external: true
|
||||
port: "{{ ironic_inspector_port }}"
|
||||
listen_port: "{{ ironic_inspector_listen_port }}"
|
||||
tls_backend: "{{ ironic_enable_tls_backend }}"
|
||||
ironic-pxe:
|
||||
container_name: ironic_pxe
|
||||
group: ironic-pxe
|
||||
@ -257,8 +253,3 @@ ironic_ks_users:
|
||||
user: "{{ ironic_inspector_keystone_user }}"
|
||||
password: "{{ ironic_inspector_keystone_password }}"
|
||||
role: "admin"
|
||||
|
||||
####################
|
||||
# TLS
|
||||
####################
|
||||
ironic_enable_tls_backend: "{{ kolla_enable_tls_backend }}"
|
||||
|
@ -40,7 +40,6 @@
|
||||
module_name: uri
|
||||
module_args:
|
||||
url: "{{ ironic_internal_endpoint }}"
|
||||
validate_certs: false
|
||||
register: result
|
||||
until: result is success
|
||||
retries: 12
|
||||
|
@ -33,7 +33,7 @@
|
||||
|
||||
- include_tasks: copy-certs.yml
|
||||
when:
|
||||
- kolla_copy_ca_into_containers | bool or ironic_enable_tls_backend | bool
|
||||
- kolla_copy_ca_into_containers | bool
|
||||
|
||||
- name: Copying over config.json files for services
|
||||
template:
|
||||
@ -244,29 +244,5 @@
|
||||
notify:
|
||||
- "Restart {{ item.key }} container"
|
||||
|
||||
- name: Copying over ironic-api-wsgi.conf
|
||||
template:
|
||||
src: "ironic-api-wsgi.conf.j2"
|
||||
dest: "{{ node_config_directory }}/ironic-api/ironic-api-wsgi.conf"
|
||||
mode: "0660"
|
||||
become: true
|
||||
when:
|
||||
- inventory_hostname in groups["ironic-api"]
|
||||
- ironic_services["ironic-api"].enabled | bool
|
||||
notify:
|
||||
- "Restart ironic-api container"
|
||||
|
||||
- name: Copying over ironic-inspector-wsgi.conf
|
||||
template:
|
||||
src: "ironic-inspector-wsgi.conf.j2"
|
||||
dest: "{{ node_config_directory }}/ironic-inspector/ironic-inspector-wsgi.conf"
|
||||
mode: "0660"
|
||||
become: true
|
||||
when:
|
||||
- inventory_hostname in groups["ironic-inspector"]
|
||||
- ironic_services["ironic-inspector"].enabled | bool
|
||||
notify:
|
||||
- "Restart ironic-inspector container"
|
||||
|
||||
- import_tasks: check-containers.yml
|
||||
when: kolla_action != "config"
|
||||
|
@ -1,50 +0,0 @@
|
||||
{% set ironic_log_dir = '/var/log/kolla/ironic' %}
|
||||
{% set wsgi_directory = '/usr/bin' if ironic_install_type == 'binary' else '/var/lib/kolla/venv/bin' %}
|
||||
{% if ironic_enable_tls_backend | bool %}
|
||||
{% if kolla_base_distro in ['centos'] %}
|
||||
LoadModule ssl_module /usr/lib64/httpd/modules/mod_ssl.so
|
||||
{% else %}
|
||||
LoadModule ssl_module /usr/lib/apache2/modules/mod_ssl.so
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
Listen {{ api_interface_address | put_address_in_context('url') }}:{{ ironic_api_listen_port }}
|
||||
|
||||
ServerSignature Off
|
||||
ServerTokens Prod
|
||||
TraceEnable off
|
||||
KeepAliveTimeout {{ kolla_httpd_keep_alive }}
|
||||
|
||||
<Directory "{{ wsgi_directory }}">
|
||||
<FilesMatch "^ironic-api-wsgi$">
|
||||
Options None
|
||||
Require all granted
|
||||
</FilesMatch>
|
||||
</Directory>
|
||||
|
||||
ErrorLog "{{ ironic_log_dir }}/apache-error.log"
|
||||
<IfModule log_config_module>
|
||||
CustomLog "{{ ironic_log_dir }}/apache-access.log" common
|
||||
</IfModule>
|
||||
|
||||
{% if ironic_logging_debug | bool %}
|
||||
LogLevel info
|
||||
{% endif %}
|
||||
|
||||
<VirtualHost *:{{ ironic_api_listen_port }}>
|
||||
WSGIDaemonProcess ironic-api processes={{ openstack_service_workers }} threads=1 user=ironic group=ironic display-name=%{GROUP}
|
||||
WSGIProcessGroup ironic-api
|
||||
WSGIScriptAlias / {{ wsgi_directory }}/ironic-api-wsgi
|
||||
WSGIApplicationGroup %{GLOBAL}
|
||||
WSGIPassAuthorization On
|
||||
<IfVersion >= 2.4>
|
||||
ErrorLogFormat "%{cu}t %M"
|
||||
</IfVersion>
|
||||
ErrorLog "{{ ironic_log_dir }}/ironic-api-error.log"
|
||||
LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b %D \"%{Referer}i\" \"%{User-Agent}i\"" logformat
|
||||
CustomLog "{{ ironic_log_dir }}/ironic-api-access.log" logformat
|
||||
{% if ironic_enable_tls_backend | bool %}
|
||||
SSLEngine on
|
||||
SSLCertificateFile /etc/ironic/certs/ironic-cert.pem
|
||||
SSLCertificateKeyFile /etc/ironic/certs/ironic-key.pem
|
||||
{% endif %}
|
||||
</VirtualHost>
|
@ -1,37 +1,17 @@
|
||||
{% set apache_binary = 'apache2' if kolla_base_distro in ['ubuntu', 'debian'] else 'httpd' %}
|
||||
{% set apache_conf_dir = 'apache2/conf-enabled' if kolla_base_distro in ['ubuntu', 'debian'] else 'httpd/conf.d' %}
|
||||
{
|
||||
"command": "/usr/sbin/{{ apache_binary }} -DFOREGROUND",
|
||||
"command": "ironic-api",
|
||||
"config_files": [
|
||||
{
|
||||
"source": "{{ container_config_directory }}/ironic.conf",
|
||||
"dest": "/etc/ironic/ironic.conf",
|
||||
"owner": "ironic",
|
||||
"perm": "0600"
|
||||
},
|
||||
{
|
||||
"source": "{{ container_config_directory }}/ironic-api-wsgi.conf",
|
||||
"dest": "/etc/{{ apache_conf_dir }}/ironic-api-wsgi.conf",
|
||||
"owner": "ironic",
|
||||
"perm": "0600"
|
||||
}{% if ironic_policy_file is defined %},
|
||||
{
|
||||
"source": "{{ container_config_directory }}/{{ ironic_policy_file }}",
|
||||
"dest": "/etc/ironic/{{ ironic_policy_file }}",
|
||||
"owner": "ironic",
|
||||
"perm": "0600"
|
||||
}{% endif %}{% if ironic_enable_tls_backend | bool %},
|
||||
{
|
||||
"source": "{{ container_config_directory }}/ironic-cert.pem",
|
||||
"dest": "/etc/ironic/certs/ironic-cert.pem",
|
||||
"owner": "ironic",
|
||||
"perm": "0600"
|
||||
},
|
||||
{
|
||||
"source": "{{ container_config_directory }}/ironic-key.pem",
|
||||
"dest": "/etc/ironic/certs/ironic-key.pem",
|
||||
"owner": "ironic",
|
||||
"perm": "0600"
|
||||
}{% endif %}
|
||||
],
|
||||
"permissions": [
|
||||
|
@ -1,50 +0,0 @@
|
||||
{% set ironic_log_dir = '/var/log/kolla/ironic' %}
|
||||
{% set wsgi_directory = '/usr/bin' if ironic_install_type == 'binary' else '/var/lib/kolla/venv/bin' %}
|
||||
{% if ironic_enable_tls_backend | bool %}
|
||||
{% if kolla_base_distro in ['centos'] %}
|
||||
LoadModule ssl_module /usr/lib64/httpd/modules/mod_ssl.so
|
||||
{% else %}
|
||||
LoadModule ssl_module /usr/lib/apache2/modules/mod_ssl.so
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
Listen {{ api_interface_address | put_address_in_context('url') }}:{{ ironic_inspector_listen_port }}
|
||||
|
||||
ServerSignature Off
|
||||
ServerTokens Prod
|
||||
TraceEnable off
|
||||
KeepAliveTimeout {{ kolla_httpd_keep_alive }}
|
||||
|
||||
<Directory "{{ wsgi_directory }}">
|
||||
<FilesMatch "^ironic-inspector-wsgi$">
|
||||
Options None
|
||||
Require all granted
|
||||
</FilesMatch>
|
||||
</Directory>
|
||||
|
||||
ErrorLog "{{ ironic_log_dir }}/apache-error-ironic-inspector.log"
|
||||
<IfModule log_config_module>
|
||||
CustomLog "{{ ironic_log_dir }}/apache-access-ironic-inspector.log" common
|
||||
</IfModule>
|
||||
|
||||
{% if ironic_logging_debug | bool %}
|
||||
LogLevel info
|
||||
{% endif %}
|
||||
|
||||
<VirtualHost *:{{ ironic_inspector_listen_port }}>
|
||||
WSGIDaemonProcess ironic-inspector processes={{ openstack_service_workers }} threads=1 user=ironic group=ironic display-name=%{GROUP}
|
||||
WSGIProcessGroup ironic-inspector
|
||||
WSGIScriptAlias / {{ wsgi_directory }}/ironic-inspector-wsgi
|
||||
WSGIApplicationGroup %{GLOBAL}
|
||||
WSGIPassAuthorization On
|
||||
<IfVersion >= 2.4>
|
||||
ErrorLogFormat "%{cu}t %M"
|
||||
</IfVersion>
|
||||
ErrorLog "{{ ironic_log_dir }}/ironic-inspector-error.log"
|
||||
LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b %D \"%{Referer}i\" \"%{User-Agent}i\"" logformat
|
||||
CustomLog "{{ ironic_log_dir }}/ironic-inspector-access.log" logformat
|
||||
{% if ironic_enable_tls_backend | bool %}
|
||||
SSLEngine on
|
||||
SSLCertificateFile /etc/ironic/certs/ironic-cert.pem
|
||||
SSLCertificateKeyFile /etc/ironic/certs/ironic-key.pem
|
||||
{% endif %}
|
||||
</VirtualHost>
|
@ -1,37 +1,17 @@
|
||||
{% set apache_binary = 'apache2' if kolla_base_distro in ['ubuntu', 'debian'] else 'httpd' %}
|
||||
{% set apache_conf_dir = 'apache2/conf-enabled' if kolla_base_distro in ['ubuntu', 'debian'] else 'httpd/conf.d' %}
|
||||
{
|
||||
"command": "/usr/sbin/{{ apache_binary }} -DFOREGROUND",
|
||||
"command": "ironic-inspector --config-file /etc/ironic-inspector/inspector.conf",
|
||||
"config_files": [
|
||||
{
|
||||
"source": "{{ container_config_directory }}/inspector.conf",
|
||||
"dest": "/etc/ironic-inspector/inspector.conf",
|
||||
"owner": "ironic-inspector",
|
||||
"perm": "0600"
|
||||
},
|
||||
{
|
||||
"source": "{{ container_config_directory }}/ironic-inspector-wsgi.conf",
|
||||
"dest": "/etc/{{ apache_conf_dir }}/ironic-inspector-wsgi.conf",
|
||||
"owner": "ironic",
|
||||
"perm": "0600"
|
||||
}{% if ironic_policy_file is defined %},
|
||||
{
|
||||
"source": "{{ container_config_directory }}/{{ ironic_policy_file }}",
|
||||
"dest": "/etc/ironic/{{ ironic_policy_file }}",
|
||||
"owner": "ironic",
|
||||
"perm": "0600"
|
||||
}{% endif %}{% if ironic_enable_tls_backend | bool %},
|
||||
{
|
||||
"source": "{{ container_config_directory }}/ironic-cert.pem",
|
||||
"dest": "/etc/ironic/certs/ironic-cert.pem",
|
||||
"owner": "ironic",
|
||||
"perm": "0600"
|
||||
},
|
||||
{
|
||||
"source": "{{ container_config_directory }}/ironic-key.pem",
|
||||
"dest": "/etc/ironic/certs/ironic-key.pem",
|
||||
"owner": "ironic",
|
||||
"perm": "0600"
|
||||
}{% endif %}
|
||||
]
|
||||
}
|
||||
|
@ -35,6 +35,13 @@ driver = noop
|
||||
policy_file = {{ ironic_policy_file }}
|
||||
{% endif %}
|
||||
|
||||
{% if service_name == 'ironic-api' %}
|
||||
[api]
|
||||
host_ip = {{ api_interface_address }}
|
||||
port = {{ ironic_api_listen_port }}
|
||||
api_workers = {{ openstack_service_workers }}
|
||||
{% endif %}
|
||||
|
||||
{% if service_name == 'ironic-conductor' %}
|
||||
[conductor]
|
||||
automated_clean=false
|
||||
|
Loading…
Reference in New Issue
Block a user