ironic-inspector: Use non-standalone mode

The puppet-ironic module now supports deploying separate api and conductor for ironic-inspector. This uses that feature to switch the deployment architecture in CentOS. This allows us to enable SSL in ironic-inspector API. Depends-on: https://review.opendev.org/c/openstack/puppet-ironic/+/901423 Change-Id: I407332cf6794cd573bbf52b750d273f2027b87c8
2023-11-20 11:00:58 +09:00 · 2023-11-20 11:00:58 +09:00 · 6de4651195
commit 6de4651195
parent cb04476801
1 changed files with 32 additions and 9 deletions
--- a/manifests/ironic.pp
+++ b/manifests/ironic.pp
@ -4,10 +4,20 @@ class openstack_integration::ironic {
  include openstack_integration::params

  if $::openstack_integration::config::ssl {
+    if $facts['os']['family'] != 'RedHat' {
+      # TODO(tkajinam): ironic-inspector can enable ssl with use_ssl and
+      #                 ssl options from oslo.service
+      fail('ssl is supported only in CentOS and RHEL')
+    }
+
    openstack_integration::ssl_key { 'ironic':
      notify  => Service['httpd'],
      require => Package['ironic-common'],
    }
+    openstack_integration::ssl_key { 'ironic-inspector':
+      notify  => Service['httpd'],
+      require => Package['ironic-inspector'],
+    }
    Exec['update-ca-certificates'] ~> Service['httpd']
  }

@ -61,13 +71,6 @@ class openstack_integration::ironic {
    memcached_servers            => $::openstack_integration::config::memcached_servers,
    service_token_roles_required => true,
  }
-  class { 'ironic::keystone::auth_inspector':
-    public_url   => "http://${::openstack_integration::config::ip_for_url}:5050",
-    internal_url => "http://${::openstack_integration::config::ip_for_url}:5050",
-    admin_url    => "http://${::openstack_integration::config::ip_for_url}:5050",
-    roles        => ['admin', 'service'],
-    password     => 'a_big_secret',
-  }
  class { 'ironic::client': }
  class { 'ironic::api':
    service_name => 'httpd',
@ -90,8 +93,13 @@ class openstack_integration::ironic {
    enabled_vendor_interfaces     => ['fake', 'ipmitool', 'no-vendor'],
  }
  class { 'ironic::drivers::ipmi': }
-
-  # Ironic inspector resources
+  class { 'ironic::keystone::auth_inspector':
+    public_url   => "${::openstack_integration::config::base_url}:5050",
+    internal_url => "${::openstack_integration::config::base_url}:5050",
+    admin_url    => "${::openstack_integration::config::base_url}:5050",
+    roles        => ['admin', 'service'],
+    password     => 'a_big_secret',
+  }
  class { 'ironic::inspector::db::mysql':
    charset  => $::openstack_integration::params::mysql_charset,
    collate  => $::openstack_integration::params::mysql_collate,
@ -123,6 +131,19 @@ class openstack_integration::ironic {
    password => 'a_big_secret',
    auth_url => "${::openstack_integration::config::keystone_auth_uri}/v3",
  }
+
+  if $facts['os']['family'] == 'RedHat' {
+    class { 'ironic::inspector::wsgi::apache':
+      bind_host => $::openstack_integration::config::host,
+      ssl       => $::openstack_integration::config::ssl,
+      ssl_key   => "/etc/ironic-inspector/ssl/private/${facts['networking']['fqdn']}.pem",
+      ssl_cert  => $::openstack_integration::params::cert_path,
+      workers   => 2,
+    }
+    $standalone = false
+  } else {
+    $standalone = true
+  }
  class { 'ironic::inspector':
    listen_address        => $::openstack_integration::config::host,
    default_transport_url => os_transport_url({
@ -133,6 +154,8 @@ class openstack_integration::ironic {
      'password'  => 'an_even_bigger_secret',
    }),
    rabbit_use_ssl        => $::openstack_integration::config::ssl,
+    standalone            => $standalone,
    dnsmasq_interface     => 'eth0',
  }
+  class { 'ironic::inspector::client': }
 }