Enable TLS in Bifrost

Bifrost supports enabling TLS for the services it deploys, as well as generating a self-signed TLS certificate. Let's use it. Change-Id: I2a60ec780c37895e810cdba65bb485d0986a196d
2022-08-02 11:36:43 +01:00 · 2022-08-02 11:36:43 +01:00 · d6f4ef81f6
commit d6f4ef81f6
parent d95e237f3d
3 changed files with 15 additions and 0 deletions
--- a/ansible/roles/bifrost/tasks/start.yml
+++ b/ansible/roles/bifrost/tasks/start.yml
@ -18,3 +18,4 @@
      - "bifrost_mariadb:/var/lib/mysql/"
      - "bifrost_tftpboot:/tftpboot/"
      - "bifrost_config:/root/.config/bifrost/"
+      - "bifrost_certs:/etc/bifrost-certs/"
--- a/ansible/roles/bifrost/templates/bifrost.yml.j2
+++ b/ansible/roles/bifrost/templates/bifrost.yml.j2
@ -26,3 +26,10 @@ ironic_tftp_master_path: "/httpboot/master_images"
 # defaults. https://review.opendev.org/c/openstack/bifrost/+/822743
 tftp_boot_folder: "/tftpboot"
 http_boot_folder: "/httpboot"
+
+# Enable TLS and generate self-signed certificates.
+enable_tls: true
+generate_tls: true
+# NOTE: Needs to be world-readable, writeable by root, and persistent, which
+# the default /etc/bifrost is not.
+tls_root: "/etc/bifrost-certs"
--- a/releasenotes/notes/bifrost-tls-0c8545ede3fe278f.yaml
+++ b/releasenotes/notes/bifrost-tls-0c8545ede3fe278f.yaml
@ -0,0 +1,7 @@
+---
+upgrade:
+  - |
+    Enable TLS by default in Bifrost. Bifrost is now configured to enable TLS
+    for the services it deploys, and generate self-signed certificates for
+    them. TLS may be disabled by setting ``enable_tls`` to ``false`` in
+    ``/etc/kolla/config/bifrost/bifrost.yml``.