Stop exposing JSON RPC to the whole network

It's an internal thing and should only be exposed externally in
a multi-node setting (which is rare with Bifrost).

Limiting it to localhost allows not using TLS on it, which helps
avoiding eventlet issues and improves performance.

Change-Id: I9dcefa386cda855f296100477aecc528a294048f

playbooks/roles/bifrost-ironic-install/defaults/main.yml

@@ -378,6 +378,8 @@ tls_certificate_path: "{{ tls_root }}/bifrost.crt"
 ironic_private_key_path: /etc/ironic/ironic.pem
 ironic_inspector_private_key_path: /etc/ironic-inspector/inspector.pem
 httpboot_private_key_path: /etc/nginx/httpboot.pem
+# If true, the conductor's JSON RPC will be available globally (and with TLS)
+expose_json_rpc: false
 
 # Enable Ironic Prometheus Exporter
 enable_prometheus_exporter: false

playbooks/roles/bifrost-ironic-install/templates/ironic.conf.j2

@@ -28,6 +28,9 @@ default_boot_interface = {{ default_boot_interface }}
 default_resource_class = {{ default_resource_class }}
 
 rpc_transport = json-rpc
+{% if not expose_json_rpc | bool %}
+host = localhost
+{% endif %}
 
 {% if enable_keystone | bool %}
 auth_strategy = keystone
@@ -189,9 +192,13 @@ endpoint_override = {{ api_protocol }}://{{ internal_ip }}:6385
 
 [json_rpc]
 {% if enable_tls | bool %}
-use_ssl = True
 cafile = {{ tls_certificate_path }}
 {% endif %}
+{% if expose_json_rpc | bool %}
+use_ssl = {{ enable_tls | bool }}
+{% else %}
+host_ip = 127.0.0.1
+{% endif %}
 {% if enable_keystone | bool %}
 auth_strategy = keystone
 auth_url = {{ ironic.service_catalog.auth_url }}

releasenotes/notes/global-rpc-b399d65310367951.yaml

@@ -0,0 +1,6 @@
+---
+upgrade:
+  - |
+    JSON RPC is now available only on localhost and without TLS. If you need
+    it exposed to the network (i.e. you're using Bifrost in a multi-node
+    setting), set ``expose_json_rpc`` to ``true``.