From 6de4651195397caa210db6b891db141792f77e0b Mon Sep 17 00:00:00 2001
From: Takashi Kajinami
Date: Mon, 20 Nov 2023 11:00:58 +0900
Subject: [PATCH] ironic-inspector: Use non-standalone mode

The puppet-ironic module now supports deploying separate api and conductor for ironic-inspector. This uses that feature to switch the deployment architecture in CentOS. This allows us to enable SSL in ironic-inspector API.

Depends-on: https://review.opendev.org/c/openstack/puppet-ironic/+/901423
Change-Id: I407332cf6794cd573bbf52b750d273f2027b87c8
---
 manifests/ironic.pp | 41 ++++++++++++++++++++++++++++++++---------
 1 file changed, 32 insertions(+), 9 deletions(-)

diff --git a/manifests/ironic.pp b/manifests/ironic.pp
index 1a8f17ce8..b7c01f66f 100644
--- a/manifests/ironic.pp
+++ b/manifests/ironic.pp
@@ -4,10 +4,20 @@ class openstack_integration::ironic {
 include openstack_integration::params

 if $::openstack_integration::config::ssl {
+ if $facts['os']['family'] != 'RedHat' {
+ # TODO(tkajinam): ironic-inspector can enable ssl with use_ssl and
+ # ssl options from oslo.service
+ fail('ssl is supported only in CentOS and RHEL')
+ }
+
 openstack_integration::ssl_key { 'ironic':
 notify => Service['httpd'],
 require => Package['ironic-common'],
 }
+ openstack_integration::ssl_key { 'ironic-inspector':
+ notify => Service['httpd'],
+ require => Package['ironic-inspector'],
+ }
 Exec['update-ca-certificates'] ~> Service['httpd']
 }

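Review bot: The OS-family decision is encoded twice: `!= 'RedHat'` guards `fail()` here, and `== 'RedHat'` selects WSGI versus standalone mode in the later hunk at `@@ -123,6 +131,19 @@`. If one check is extended later without the other, ssl could be enabled while the inspector still runs standalone over plain HTTP, with the Keystone endpoints built from `base_url` presumably advertising https. Deriving both from one variable keeps them in step: set `$standalone = $facts['os']['family'] != 'RedHat'` near the top of the class, guard with `if $standalone { fail('ssl is supported only in CentOS and RHEL') }` here, and have the later branch test `$standalone` instead of assigning it. The class body starts before and continues after this hunk.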
@@ -61,13 +71,6 @@ class openstack_integration::ironic {
 memcached_servers => $::openstack_integration::config::memcached_servers,
 service_token_roles_required => true,
 }
- class { 'ironic::keystone::auth_inspector':
- public_url => "http://${::openstack_integration::config::ip_for_url}:5050",
- internal_url => "http://${::openstack_integration::config::ip_for_url}:5050",
- admin_url => "http://${::openstack_integration::config::ip_for_url}:5050",
- roles => ['admin', 'service'],
- password => 'a_big_secret',
- }
 class { 'ironic::client': }
 class { 'ironic::api':
 service_name => 'httpd',
@@ -90,8 +93,13 @@ class openstack_integration::ironic {
 enabled_vendor_interfaces => ['fake', 'ipmitool', 'no-vendor'],
 }
 class { 'ironic::drivers::ipmi': }
-
- # Ironic inspector resources
+ class { 'ironic::keystone::auth_inspector':
+ public_url => "${::openstack_integration::config::base_url}:5050",
+ internal_url => "${::openstack_integration::config::base_url}:5050",
+ admin_url => "${::openstack_integration::config::base_url}:5050",
+ roles => ['admin', 'service'],
+ password => 'a_big_secret',
+ }
 class { 'ironic::inspector::db::mysql':
 charset => $::openstack_integration::params::mysql_charset,
 collate => $::openstack_integration::params::mysql_collate,
@@ -123,6 +131,19 @@ class openstack_integration::ironic {
 password => 'a_big_secret',
 auth_url => "${::openstack_integration::config::keystone_auth_uri}/v3",
 }
+
+ if $facts['os']['family'] == 'RedHat' {
+ class { 'ironic::inspector::wsgi::apache':
+ bind_host => $::openstack_integration::config::host,
+ ssl => $::openstack_integration::config::ssl,
+ ssl_key => "/etc/ironic-inspector/ssl/private/${facts['networking']['fqdn']}.pem",
+ ssl_cert => $::openstack_integration::params::cert_path,
+ workers => 2,
+ }
+ $standalone = false
+ } else {
+ $standalone = true
+ }
 class { 'ironic::inspector':
 listen_address => $::openstack_integration::config::host,
 default_transport_url => os_transport_url({
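Review bot: The hunk at `@@ -90,8 +93,13 @@` drops the section comment `# Ironic inspector resources` and changes the three endpoint URLs from a fixed `http://` to whatever scheme `base_url` carries, without recording that dependency. I would keep a comment above the moved `ironic::keystone::auth_inspector` block, such as `# Ironic inspector resources; endpoint scheme follows base_url and must match how the inspector API is served below`. `base_url` is defined outside this diff, so this assumes it switches to https when ssl is enabled; if it does not, the catalog entry and the Apache listener would disagree.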
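Review bot: The `ssl_key` path passed to `ironic::inspector::wsgi::apache` in the hunk at `@@ -123,6 +131,19 @@` is a hand-built string that has to match whatever `openstack_integration::ssl_key { 'ironic-inspector': }` from the first hunk writes, and that define is not visible in this diff. A comment tying the two together would help, e.g. `# private key is created by openstack_integration::ssl_key { 'ironic-inspector' } above`. It is also worth confirming that the define leaves the key readable only by root or the service account. Separately, please confirm that `Package['ironic-inspector']`, which the new ssl_key resource requires, is still declared when `standalone` is false; if the non-standalone layout uses differently titled packages, the catalog would fail to compile. The enclosing class body starts and ends outside this hunk.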
@@ -133,6 +154,8 @@ class openstack_integration::ironic {
 'password' => 'an_even_bigger_secret',
 }),
 rabbit_use_ssl => $::openstack_integration::config::ssl,
+ standalone => $standalone,
 dnsmasq_interface => 'eth0',
 }
+ class { 'ironic::inspector::client': }
 }