Mark Goddard d6f4ef81f6 Enable TLS in Bifrost
Bifrost supports enabling TLS for the services it deploys, as well as
generating a self-signed TLS certificate. Let's use it.

Change-Id: I2a60ec780c37895e810cdba65bb485d0986a196d
2022-08-02 13:07:39 +01:00

36 lines
1.3 KiB
Django/Jinja

---
# Ironic log directory.
ironic_log_dir: "/var/log/kolla/ironic"
# Ironic inspector log directory.
inspector_log_dir: "/var/log/kolla/ironic-inspector"
# Ironic Python Agent deploy logs directory
ironic_agent_deploy_logs_local_path: "/var/log/kolla/ironic/deploy"
# Nginx log directory.
nginx_log_dir: "/var/log/kolla/nginx"
ansible_python_interpreter: /var/lib/kolla/venv/bin/python
network_interface: "{{ bifrost_network_interface }}"
# Ironic creates hardlinks between the TFTP master image store and the
# HTTP root path when iPXE is enabled. With Docker volumes used for these
# locations we run into https://bugs.launchpad.net/ironic/+bug/1507894
# during deployment. If we use a directory under /httpboot to store the
# master images this issue is avoided.
ironic_tftp_master_path: "/httpboot/master_images"
# Bifrost in Yoga changed the default TFTP and HTTP boot directories to reside
# under /var/lib/ironic/. Avoid this breaking us by reverting to the previous
# defaults. https://review.opendev.org/c/openstack/bifrost/+/822743
tftp_boot_folder: "/tftpboot"
http_boot_folder: "/httpboot"
# Enable TLS and generate self-signed certificates.
enable_tls: true
generate_tls: true
# NOTE: Needs to be world-readable, writeable by root, and persistent, which
# the default /etc/bifrost is not.
tls_root: "/etc/bifrost-certs"