openstack/kolla-ansible
Code Issues Proposed changes
88418cbaa9
kolla-ansible/ansible/roles/ironic/tasks/config.yml
James Kirsch 511ba9f6a2 Copy CA into containers. 
When kolla_copy_ca_into_containers is set to "yes", the Certificate
Authority in /etc/kolla/certificates will be copied into service
containers to enable trust for that CA. This is especially useful when
the CA is self signed, and would not be trusted by default.

Partially-Implements: blueprint custom-cacerts

Change-Id: I4368f8994147580460ebe7533850cf63a419d0b4
2020-01-28 14:03:32 -08:00

264 lines
7.9 KiB
YAML
Raw Blame History

---
- name: Load and persist iscsi_tcp module
import_role:
role: module-load
vars:
modules:
- {'name': iscsi_tcp}
- name: Ensuring config directories exist
file:
path: "{{ node_config_directory }}/{{ item.key }}"
state: "directory"
owner: "{{ config_owner_user }}"
group: "{{ config_owner_group }}"
mode: "0770"
become: true
when:
- inventory_hostname in groups[item.value.group]
- item.value.enabled | bool
with_dict: "{{ ironic_services }}"
- name: Check if policies shall be overwritten
stat:
path: "{{ item }}"
delegate_to: localhost
run_once: True
register: ironic_policy
with_first_found:
- files: "{{ supported_policy_format_list }}"
paths:
- "{{ node_custom_config }}/ironic/"
skip: true
- name: Set ironic policy file
set_fact:
ironic_policy_file: "{{ ironic_policy.results.0.stat.path | basename }}"
ironic_policy_file_path: "{{ ironic_policy.results.0.stat.path }}"
when:
- ironic_policy.results
- name: Copying over extra CA certificates
become: true
copy:
src: "{{ node_config }}/certificates/ca/"
dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates"
mode: "0644"
when:
- item.value.enabled | bool
- inventory_hostname in groups[item.value.group]
- kolla_copy_ca_into_containers | bool
with_dict: "{{ ironic_services }}"
- name: Copying over config.json files for services
template:
src: "{{ item.key }}.json.j2"
dest: "{{ node_config_directory }}/{{ item.key }}/config.json"
mode: "0660"
become: true
when:
- inventory_hostname in groups[item.value.group]
- item.value.enabled | bool
with_dict: "{{ ironic_services }}"
notify:
- "Restart {{ item.key }} container"
- name: Copying over ironic.conf
vars:
service_name: "{{ item.key }}"
merge_configs:
sources:
- "{{ role_path }}/templates/ironic.conf.j2"
- "{{ node_custom_config }}/global.conf"
- "{{ node_custom_config }}/ironic.conf"
- "{{ node_custom_config }}/ironic/{{ item.key }}.conf"
- "{{ node_custom_config }}/ironic/{{ inventory_hostname }}/ironic.conf"
dest: "{{ node_config_directory }}/{{ item.key }}/ironic.conf"
mode: "0660"
become: true
when:
- item.key in [ "ironic-api", "ironic-conductor" ]
- inventory_hostname in groups[item.value.group]
- item.value.enabled | bool
with_dict: "{{ ironic_services }}"
notify:
- "Restart {{ item.key }} container"
- name: Copying over inspector.conf
vars:
service: "{{ ironic_services['ironic-inspector'] }}"
merge_configs:
sources:
- "{{ role_path }}/templates/ironic-inspector.conf.j2"
- "{{ node_custom_config }}/global.conf"
- "{{ node_custom_config }}/ironic-inspector.conf"
- "{{ node_custom_config }}/ironic-inspector/inspector.conf"
- "{{ node_custom_config }}/ironic-inspector/{{ inventory_hostname }}/inspector.conf"
dest: "{{ node_config_directory }}/ironic-inspector/inspector.conf"
mode: "0660"
become: true
when:
- inventory_hostname in groups[service.group]
- service.enabled | bool
notify:
- Restart ironic-inspector container
- name: Copying over dnsmasq.conf
vars:
service: "{{ ironic_services['ironic-dnsmasq'] }}"
template:
src: "{{ item }}"
dest: "{{ node_config_directory }}/ironic-dnsmasq/dnsmasq.conf"
mode: "0660"
become: true
when:
- inventory_hostname in groups[service.group]
- service.enabled | bool
with_first_found:
- "{{ node_custom_config }}/ironic/ironic-dnsmasq.conf"
- "{{ node_custom_config }}/ironic/{{ inventory_hostname }}/ironic-dnsmasq.conf"
- "ironic-dnsmasq.conf.j2"
notify:
- Restart ironic-dnsmasq container
- name: Copying pxelinux.cfg default
vars:
service: "{{ ironic_services['ironic-pxe'] }}"
template:
src: "{{ item }}"
dest: "{{ node_config_directory }}/ironic-pxe/default"
mode: "0660"
become: true
with_first_found:
- "{{ node_custom_config }}/ironic/pxelinux.default"
- "{{ node_custom_config }}/ironic/{{ inventory_hostname }}/pxelinux.default"
- "pxelinux.default.j2"
when:
# Only required when Ironic inspector is in use.
- groups['ironic-inspector'] | length > 0
- inventory_hostname in groups[service.group]
- service.enabled | bool
- not enable_ironic_pxe_uefi | bool
- not enable_ironic_ipxe | bool
notify:
- Restart ironic-pxe container
- name: Copying ironic_pxe_uefi.cfg default
vars:
service: "{{ ironic_services['ironic-pxe'] }}"
template:
src: "{{ item }}"
dest: "{{ node_config_directory }}/ironic-pxe/default"
mode: "0660"
become: true
with_first_found:
- "{{ node_custom_config }}/ironic/ironic_pxe_uefi.default"
- "{{ node_custom_config }}/ironic/{{ inventory_hostname }}/ironic_pxe_uefi.default"
- "ironic_pxe_uefi.default.j2"
when:
- inventory_hostname in groups[service.group]
- service.enabled | bool
- enable_ironic_pxe_uefi | bool
notify:
- Restart ironic-pxe container
- name: Copying ironic-agent kernel and initramfs (PXE)
vars:
service: "{{ ironic_services['ironic-pxe'] }}"
copy:
src: "{{ node_custom_config }}/ironic/{{ item }}"
dest: "{{ node_config_directory }}/ironic-pxe/{{ item }}"
mode: "0660"
become: true
with_items:
- "ironic-agent.kernel"
- "ironic-agent.initramfs"
when:
# Only required when Ironic inspector is in use.
- groups['ironic-inspector'] | length > 0
- inventory_hostname in groups[service.group]
- service.enabled | bool
- not enable_ironic_pxe_uefi | bool
- not enable_ironic_ipxe | bool
notify:
- Restart ironic-pxe container
- name: Copying ironic-agent kernel and initramfs (iPXE)
vars:
service: "{{ ironic_services['ironic-ipxe'] }}"
copy:
src: "{{ node_custom_config }}/ironic/{{ item }}"
dest: "{{ node_config_directory }}/ironic-ipxe/{{ item }}"
mode: "0660"
become: true
with_items:
- "ironic-agent.kernel"
- "ironic-agent.initramfs"
when:
# Only required when Ironic inspector is in use.
- groups['ironic-inspector'] | length > 0
- inventory_hostname in groups[service.group]
- service.enabled | bool
notify:
- Restart ironic-ipxe container
- name: Copying inspector.ipxe
vars:
service: "{{ ironic_services['ironic-ipxe'] }}"
template:
src: "{{ item }}"
dest: "{{ node_config_directory }}/ironic-ipxe/inspector.ipxe"
mode: "0660"
become: true
with_first_found:
- "{{ node_custom_config }}/ironic/{{ inventory_hostname }}/inspector.ipxe"
- "{{ node_custom_config }}/ironic/inspector.ipxe"
- "inspector.ipxe.j2"
when:
# Only required when Ironic inspector is in use.
- groups['ironic-inspector'] | length > 0
- inventory_hostname in groups[service.group]
- service.enabled | bool
notify:
- Restart ironic-ipxe container
- name: Copying iPXE apache config
vars:
service: "{{ ironic_services['ironic-ipxe'] }}"
template:
src: "{{ item }}"
dest: "{{ node_config_directory }}/ironic-ipxe/httpd.conf"
mode: "0660"
become: true
with_first_found:
- "{{ node_custom_config }}/ironic/ironic-ipxe-httpd.conf"
- "ironic-ipxe-httpd.conf.j2"
when:
- service.enabled | bool
- inventory_hostname in groups[service.group]
notify:
- Restart ironic-ipxe container
- name: Copying over existing policy file
vars:
services_require_policy_json:
- ironic-api
- ironic-conductor
- ironic-inspector
template:
src: "{{ ironic_policy_file_path }}"
dest: "{{ node_config_directory }}/{{ item.key }}/{{ ironic_policy_file }}"
mode: "0660"
become: true
when:
- ironic_policy_file is defined
- item.key in services_require_policy_json
- inventory_hostname in groups[item.value.group]
- item.value.enabled | bool
with_dict: "{{ ironic_services }}"
notify:
- "Restart {{ item.key }} container"
- include_tasks: check-containers.yml
when: kolla_action != "config"
View Git Blame Copy Permalink