openstack/kolla-ansible
Code Issues Proposed changes
kolla-ansible/ansible/roles/ironic/tasks/config.yml
James Kirsch 7c2df87ded Add support for encrypting Ironic API 
This patch introduces an optional backend encryption for the Ironic API
service. When used in conjunction with enabling TLS for service API
endpoints, network communcation will be encrypted end to end, from
client through HAProxy to the Ironic service.

Change-Id: I9edf7545c174ca8839ceaef877bb09f49ef2b451
Partially-Implements: blueprint add-ssl-internal-network
2020-09-24 10:09:13 -07:00

261 lines
7.9 KiB
YAML
Raw Blame History

---
- name: Ensuring config directories exist
file:
path: "{{ node_config_directory }}/{{ item.key }}"
state: "directory"
owner: "{{ config_owner_user }}"
group: "{{ config_owner_group }}"
mode: "0770"
become: true
when:
- inventory_hostname in groups[item.value.group]
- item.value.enabled | bool
with_dict: "{{ ironic_services }}"
- name: Check if policies shall be overwritten
stat:
path: "{{ item }}"
delegate_to: localhost
run_once: True
register: ironic_policy
with_first_found:
- files: "{{ supported_policy_format_list }}"
paths:
- "{{ node_custom_config }}/ironic/"
skip: true
- name: Set ironic policy file
set_fact:
ironic_policy_file: "{{ ironic_policy.results.0.stat.path | basename }}"
ironic_policy_file_path: "{{ ironic_policy.results.0.stat.path }}"
when:
- ironic_policy.results
- include_tasks: copy-certs.yml
when:
- kolla_copy_ca_into_containers | bool or ironic_enable_tls_backend | bool
- name: Copying over config.json files for services
template:
src: "{{ item.key }}.json.j2"
dest: "{{ node_config_directory }}/{{ item.key }}/config.json"
mode: "0660"
become: true
when:
- inventory_hostname in groups[item.value.group]
- item.value.enabled | bool
with_dict: "{{ ironic_services }}"
notify:
- "Restart {{ item.key }} container"
- name: Copying over ironic.conf
vars:
service_name: "{{ item.key }}"
merge_configs:
sources:
- "{{ role_path }}/templates/ironic.conf.j2"
- "{{ node_custom_config }}/global.conf"
- "{{ node_custom_config }}/ironic.conf"
- "{{ node_custom_config }}/ironic/{{ item.key }}.conf"
- "{{ node_custom_config }}/ironic/{{ inventory_hostname }}/ironic.conf"
dest: "{{ node_config_directory }}/{{ item.key }}/ironic.conf"
mode: "0660"
become: true
when:
- item.key in [ "ironic-api", "ironic-conductor" ]
- inventory_hostname in groups[item.value.group]
- item.value.enabled | bool
with_dict: "{{ ironic_services }}"
notify:
- "Restart {{ item.key }} container"
- name: Copying over inspector.conf
vars:
service: "{{ ironic_services['ironic-inspector'] }}"
merge_configs:
sources:
- "{{ role_path }}/templates/ironic-inspector.conf.j2"
- "{{ node_custom_config }}/global.conf"
- "{{ node_custom_config }}/ironic-inspector.conf"
- "{{ node_custom_config }}/ironic-inspector/inspector.conf"
- "{{ node_custom_config }}/ironic-inspector/{{ inventory_hostname }}/inspector.conf"
dest: "{{ node_config_directory }}/ironic-inspector/inspector.conf"
mode: "0660"
become: true
when:
- inventory_hostname in groups[service.group]
- service.enabled | bool
notify:
- Restart ironic-inspector container
- name: Copying over dnsmasq.conf
vars:
service: "{{ ironic_services['ironic-dnsmasq'] }}"
template:
src: "{{ item }}"
dest: "{{ node_config_directory }}/ironic-dnsmasq/dnsmasq.conf"
mode: "0660"
become: true
when:
- inventory_hostname in groups[service.group]
- service.enabled | bool
with_first_found:
- "{{ node_custom_config }}/ironic/ironic-dnsmasq.conf"
- "{{ node_custom_config }}/ironic/{{ inventory_hostname }}/ironic-dnsmasq.conf"
- "ironic-dnsmasq.conf.j2"
notify:
- Restart ironic-dnsmasq container
- name: Copying pxelinux.cfg default
vars:
service: "{{ ironic_services['ironic-pxe'] }}"
template:
src: "{{ item }}"
dest: "{{ node_config_directory }}/ironic-pxe/default"
mode: "0660"
become: true
with_first_found:
- "{{ node_custom_config }}/ironic/pxelinux.default"
- "{{ node_custom_config }}/ironic/{{ inventory_hostname }}/pxelinux.default"
- "pxelinux.default.j2"
when:
# Only required when Ironic inspector is in use.
- groups['ironic-inspector'] | length > 0
- inventory_hostname in groups[service.group]
- service.enabled | bool
- not enable_ironic_pxe_uefi | bool
- not enable_ironic_ipxe | bool
notify:
- Restart ironic-pxe container
- name: Copying ironic_pxe_uefi.cfg default
vars:
service: "{{ ironic_services['ironic-pxe'] }}"
template:
src: "{{ item }}"
dest: "{{ node_config_directory }}/ironic-pxe/default"
mode: "0660"
become: true
with_first_found:
- "{{ node_custom_config }}/ironic/ironic_pxe_uefi.default"
- "{{ node_custom_config }}/ironic/{{ inventory_hostname }}/ironic_pxe_uefi.default"
- "ironic_pxe_uefi.default.j2"
when:
- inventory_hostname in groups[service.group]
- service.enabled | bool
- enable_ironic_pxe_uefi | bool
notify:
- Restart ironic-pxe container
- name: Copying ironic-agent kernel and initramfs (PXE)
vars:
service: "{{ ironic_services['ironic-pxe'] }}"
copy:
src: "{{ node_custom_config }}/ironic/{{ item }}"
dest: "{{ node_config_directory }}/ironic-pxe/{{ item }}"
mode: "0660"
become: true
with_items:
- "ironic-agent.kernel"
- "ironic-agent.initramfs"
when:
# Only required when Ironic inspector is in use.
- groups['ironic-inspector'] | length > 0
- inventory_hostname in groups[service.group]
- service.enabled | bool
- not enable_ironic_pxe_uefi | bool
- not enable_ironic_ipxe | bool
notify:
- Restart ironic-pxe container
- name: Copying ironic-agent kernel and initramfs (iPXE)
vars:
service: "{{ ironic_services['ironic-ipxe'] }}"
copy:
src: "{{ node_custom_config }}/ironic/{{ item }}"
dest: "{{ node_config_directory }}/ironic-ipxe/{{ item }}"
mode: "0660"
become: true
with_items:
- "ironic-agent.kernel"
- "ironic-agent.initramfs"
when:
# Only required when Ironic inspector is in use.
- groups['ironic-inspector'] | length > 0
- inventory_hostname in groups[service.group]
- service.enabled | bool
notify:
- Restart ironic-ipxe container
- name: Copying inspector.ipxe
vars:
service: "{{ ironic_services['ironic-ipxe'] }}"
template:
src: "{{ item }}"
dest: "{{ node_config_directory }}/ironic-ipxe/inspector.ipxe"
mode: "0660"
become: true
with_first_found:
- "{{ node_custom_config }}/ironic/{{ inventory_hostname }}/inspector.ipxe"
- "{{ node_custom_config }}/ironic/inspector.ipxe"
- "inspector.ipxe.j2"
when:
# Only required when Ironic inspector is in use.
- groups['ironic-inspector'] | length > 0
- inventory_hostname in groups[service.group]
- service.enabled | bool
notify:
- Restart ironic-ipxe container
- name: Copying iPXE apache config
vars:
service: "{{ ironic_services['ironic-ipxe'] }}"
template:
src: "{{ item }}"
dest: "{{ node_config_directory }}/ironic-ipxe/httpd.conf"
mode: "0660"
become: true
with_first_found:
- "{{ node_custom_config }}/ironic/ironic-ipxe-httpd.conf"
- "ironic-ipxe-httpd.conf.j2"
when:
- service.enabled | bool
- inventory_hostname in groups[service.group]
notify:
- Restart ironic-ipxe container
- name: Copying over existing policy file
vars:
services_require_policy_json:
- ironic-api
- ironic-conductor
- ironic-inspector
template:
src: "{{ ironic_policy_file_path }}"
dest: "{{ node_config_directory }}/{{ item.key }}/{{ ironic_policy_file }}"
mode: "0660"
become: true
when:
- ironic_policy_file is defined
- item.key in services_require_policy_json
- inventory_hostname in groups[item.value.group]
- item.value.enabled | bool
with_dict: "{{ ironic_services }}"
notify:
- "Restart {{ item.key }} container"
- name: Copying over ironic-api-wsgi.conf
template:
src: "ironic-api-wsgi.conf.j2"
dest: "{{ node_config_directory }}/ironic-api/ironic-api-wsgi.conf"
mode: "0660"
become: true
when:
- inventory_hostname in groups["ironic-api"]
- ironic_services["ironic-api"].enabled | bool
notify:
- "Restart ironic-api container"
- import_tasks: check-containers.yml
when: kolla_action != "config"
View Git Blame Copy Permalink