From d6f4ef81f6d6c015812da594b5d652752ca8c3ba Mon Sep 17 00:00:00 2001
From: Mark Goddard <mark@stackhpc.com>
Date: Tue, 2 Aug 2022 11:36:43 +0100
Subject: [PATCH] Enable TLS in Bifrost

Bifrost supports enabling TLS for the services it deploys, as well as
generating a self-signed TLS certificate. Let's use it.

Change-Id: I2a60ec780c37895e810cdba65bb485d0986a196d
---
 ansible/roles/bifrost/tasks/start.yml                | 1 +
 ansible/roles/bifrost/templates/bifrost.yml.j2       | 7 +++++++
 releasenotes/notes/bifrost-tls-0c8545ede3fe278f.yaml | 7 +++++++
 3 files changed, 15 insertions(+)
 create mode 100644 releasenotes/notes/bifrost-tls-0c8545ede3fe278f.yaml

diff --git a/ansible/roles/bifrost/tasks/start.yml b/ansible/roles/bifrost/tasks/start.yml
index eca4deb039..53446f9df6 100644
--- a/ansible/roles/bifrost/tasks/start.yml
+++ b/ansible/roles/bifrost/tasks/start.yml
@@ -18,3 +18,4 @@
       - "bifrost_mariadb:/var/lib/mysql/"
       - "bifrost_tftpboot:/tftpboot/"
       - "bifrost_config:/root/.config/bifrost/"
+      - "bifrost_certs:/etc/bifrost-certs/"
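Review bot: The mount path `/etc/bifrost-certs/` on the added line is a silent coupling with `tls_root` in `templates/bifrost.yml.j2`; if either side is changed alone, the generated certificate and key land outside the persistent volume and are lost on container recreate. A comment next to the new entry would make the dependency visible, e.g. `# Must match tls_root in templates/bifrost.yml.j2.`. The enclosing task (the `volumes` list and its module call) starts outside the hunk.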
diff --git a/ansible/roles/bifrost/templates/bifrost.yml.j2 b/ansible/roles/bifrost/templates/bifrost.yml.j2
index 9c5c2dcc7d..07f5c3e57e 100644
--- a/ansible/roles/bifrost/templates/bifrost.yml.j2
+++ b/ansible/roles/bifrost/templates/bifrost.yml.j2
@@ -26,3 +26,10 @@ ironic_tftp_master_path: "/httpboot/master_images"
 # defaults. https://review.opendev.org/c/openstack/bifrost/+/822743
 tftp_boot_folder: "/tftpboot"
 http_boot_folder: "/httpboot"
+
+# Enable TLS and generate self-signed certificates.
+enable_tls: true
+generate_tls: true
+# NOTE: Needs to be world-readable, writeable by root, and persistent, which
+# the default /etc/bifrost is not.
+tls_root: "/etc/bifrost-certs"
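Review bot: The NOTE above `tls_root` says the directory must be world-readable, but it does not say what that implies for the private key that `generate_tls: true` writes there; a reader auditing this template will want to know whether Bifrost applies restrictive permissions to the key file itself, which this hunk cannot show. I would extend the comment to state the expectation and who owns it, e.g. `# NOTE: tls_root must be world-readable, writable by root, and on a persistent volume (bifrost_certs) — the default /etc/bifrost is not. Bifrost is expected to restrict permissions on the private key it writes here; confirm against the Bifrost role.` It would also help to document the opt-out paths: the release note covers `enable_tls: false`, and presumably operators supplying their own certificate set `generate_tls: false` and place the files under `tls_root`, which is worth confirming against Bifrost's documentation and stating here.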
diff --git a/releasenotes/notes/bifrost-tls-0c8545ede3fe278f.yaml b/releasenotes/notes/bifrost-tls-0c8545ede3fe278f.yaml
new file mode 100644
index 0000000000..15ff8fe476
--- /dev/null
+++ b/releasenotes/notes/bifrost-tls-0c8545ede3fe278f.yaml
@@ -0,0 +1,7 @@
+---
+upgrade:
+  - |
+    Enable TLS by default in Bifrost. Bifrost is now configured to enable TLS
+    for the services it deploys, and generate self-signed certificates for
+    them. TLS may be disabled by setting ``enable_tls`` to ``false`` in
+    ``/etc/kolla/config/bifrost/bifrost.yml``.