Define ipa-insecure=1 in LXC example

In the LXC example, the BMAAS network is not routable to any other networks
nor to the internal VIP.
It means that Ironic Python Agent (IPA) is not able to communicate with
ironic API and ironic inspector over haproxy.
To solve that issue, `ironic_inspector_callback_url` and
`ironic_ironic_conf_overrides.service_catalog.endpoint_override` values
were overridden to instruct IPA to communicate with ironic api/inspector
backends directly on BMAAS network (instead of going via HAProxy on
management network).
It may cause a problem with certificate verification if these backends
are listening on https because most likely they are using a self-signed
certificate.
As a workaround, `ipa-insecure=1` kernel parameter[1] is added to IPA
for both inspection and deployment.

[1] https://docs.openstack.org/ironic-python-agent/latest/install/index.html#ipa-and-tls

Change-Id: Idfb5a4e9bf4f39441fc99b5aa78500d6195e6da0
Damian Dabrowski 2023-05-23 18:57:22 +02:00
parent e1aea9e9fd
commit 36468adfac

@ -429,6 +429,10 @@ In ``/etc/openstack_deploy/user_variables_ironic.yml``
# as well as the mgmt interface for the loadbalancer
ironic_uwsgi_bind_address: 0.0.0.0
# Add ipa-insecure=1 to kernel parameters
# Needed when ironic endpoint is available over https with self-signed cert.
ironic_kernel_append_params: "ipa-debug=1 systemd.journald.forward_to_console=yes ipa-insecure=1"
# INI file overrides
ironic_ironic_conf_overrides:
# Disable full device erasure (slow) and just metadata erasure, and replace with "Express erasure"
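Review bot: The comment added above `ironic_kernel_append_params` says when the parameter is needed but not what it does: `ipa-insecure=1` turns off TLS certificate verification in the agent, so a reader who copies this example into a deployment where the BMAAS network is not isolated gives up authentication of the ironic endpoint. Suggest stating that in the comment and pointing to the IPA TLS documentation linked in the commit message for the option of trusting the signing CA. The same value also sets `ipa-debug=1` and `systemd.journald.forward_to_console=yes`, which the comment does not mention; say whether these restate defaults or are part of this change.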
@ -455,6 +459,10 @@ In ``/etc/openstack_deploy/user_variables_ironic.yml``
# instead of going via HAProxy on mgmt network. Only applies when bmaas network is isolated.
ironic_inspector_callback_url: "{{ ironic_inspector_service_internaluri_proto }}://{{ container_networks['bmaas_address']['address'] }}:{{ ironic_inspector_service_port }}/v1/continue"
# Add ipa-insecure=1 to kernel parameters
# Needed when inspector is available over https with self-signed cert.
ironic_inspector_extra_callback_parameters: "ipa-collect-lldp=1 ipa-insecure=1"
# Ensure inspector API (using uwsgi) listens on br-bmaas for agent callbacks
# as well as the mgmt interface for the loadbalancer
ironic_inspector_service_address: "0.0.0.0"
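Review bot: The new comment on `ironic_inspector_extra_callback_parameters` drops the scoping that the context line above the callback URL carries ("Only applies when bmaas network is isolated"). `ipa-insecure=1` is only justified here by that direct-to-backend callback, so repeat the condition in this comment so both settings are removed together once inspector is reached with a certificate the agent can verify. `ipa-collect-lldp=1` sits in the same string without explanation; note whether it is an existing default being restated.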