Enable TLS in Bifrost

Bifrost supports enabling TLS for the services it deploys, as well as
generating a self-signed TLS certificate. Let's use it.

Change-Id: I2a60ec780c37895e810cdba65bb485d0986a196d

ansible/roles/bifrost/tasks/start.yml

@@ -18,3 +18,4 @@
       - "bifrost_mariadb:/var/lib/mysql/"
       - "bifrost_tftpboot:/tftpboot/"
       - "bifrost_config:/root/.config/bifrost/"
+      - "bifrost_certs:/etc/bifrost-certs/"

ansible/roles/bifrost/templates/bifrost.yml.j2

@@ -26,3 +26,10 @@ ironic_tftp_master_path: "/httpboot/master_images"
 # defaults. https://review.opendev.org/c/openstack/bifrost/+/822743
 tftp_boot_folder: "/tftpboot"
 http_boot_folder: "/httpboot"
+
+# Enable TLS and generate self-signed certificates.
+enable_tls: true
+generate_tls: true
+# NOTE: Needs to be world-readable, writeable by root, and persistent, which
+# the default /etc/bifrost is not.
+tls_root: "/etc/bifrost-certs"

releasenotes/notes/bifrost-tls-0c8545ede3fe278f.yaml

@@ -0,0 +1,7 @@
+---
+upgrade:
+  - |
+    Enable TLS by default in Bifrost. Bifrost is now configured to enable TLS
+    for the services it deploys, and generate self-signed certificates for
+    them. TLS may be disabled by setting ``enable_tls`` to ``false`` in
+    ``/etc/kolla/config/bifrost/bifrost.yml``.