James Kirsch 7c2df87ded Add support for encrypting Ironic API
This patch introduces an optional backend encryption for the Ironic API
service. When used in conjunction with enabling TLS for service API
endpoints, network communication will be encrypted end to end, from
client through HAProxy to the Ironic service.

Change-Id: I9edf7545c174ca8839ceaef877bb09f49ef2b451
Partially-Implements: blueprint add-ssl-internal-network
2020-09-24 10:09:13 -07:00


{# Container config for the ironic-api service: the command to run and the files
   to install (with owner and mode) before it starts. The Jinja comments below
   are stripped at render time, so the rendered output is plain JSON. #}
{# The Apache binary name and the per-site conf directory differ between the
   Debian family (apache2) and everything else (httpd). #}
{% set apache_binary = 'apache2' if kolla_base_distro in ['ubuntu', 'debian'] else 'httpd' %}
{% set apache_conf_dir = 'apache2/conf-enabled' if kolla_base_distro in ['ubuntu', 'debian'] else 'httpd/conf.d' %}
{
{# Run Apache in the foreground so it stays PID 1 of the container. #}
"command": "/usr/sbin/{{ apache_binary }} -DFOREGROUND",
{# Every installed file is owned by the ironic user and mode 0600: ironic.conf
   and the WSGI vhost can carry credentials and must not be world-readable. #}
"config_files": [
{
"source": "{{ container_config_directory }}/ironic.conf",
"dest": "/etc/ironic/ironic.conf",
"owner": "ironic",
"perm": "0600"
},
{
"source": "{{ container_config_directory }}/ironic-api-wsgi.conf",
"dest": "/etc/{{ apache_conf_dir }}/ironic-api-wsgi.conf",
"owner": "ironic",
"perm": "0600"
{# The optional entries below emit their leading comma inside the {% if %} so
   the array stays valid JSON when either entry is omitted. #}
}{% if ironic_policy_file is defined %},
{
"source": "{{ container_config_directory }}/{{ ironic_policy_file }}",
"dest": "/etc/ironic/{{ ironic_policy_file }}",
"owner": "ironic",
"perm": "0600"
}{% endif %}{% if ironic_enable_tls_backend | bool %},
{# Backend TLS material, installed only when ironic_enable_tls_backend is true.
   The private key is 0600/ironic; the certificate gets the same mode, which is
   stricter than needed for a public cert but harmless.
   NOTE(review): this assumes the httpd process can open the key as the ironic
   user, or starts with enough privilege to read it before dropping - confirm
   against the User/Group settings in ironic-api-wsgi.conf (not shown here).
   Per the commit message this only secures the HAProxy -> ironic-api leg;
   client -> HAProxy still depends on TLS being enabled on the API endpoints. #}
{
"source": "{{ container_config_directory }}/ironic-cert.pem",
"dest": "/etc/ironic/certs/ironic-cert.pem",
"owner": "ironic",
"perm": "0600"
},
{
"source": "{{ container_config_directory }}/ironic-key.pem",
"dest": "/etc/ironic/certs/ironic-key.pem",
"owner": "ironic",
"perm": "0600"
}{% endif %}
],
{# Hand the log directory to the service user so Apache/ironic can write logs
   without running as root. #}
"permissions": [
{
"path": "/var/log/kolla/ironic",
"owner": "ironic:ironic",
"recurse": true
}
]
}