7c2df87ded
This patch introduces an optional backend encryption for the Ironic API service. When used in conjunction with enabling TLS for service API endpoints, network communcation will be encrypted end to end, from client through HAProxy to the Ironic service. Change-Id: I9edf7545c174ca8839ceaef877bb09f49ef2b451 Partially-Implements: blueprint add-ssl-internal-network
45 lines
1.6 KiB
Django/Jinja
45 lines
1.6 KiB
Django/Jinja
{% set apache_binary = 'apache2' if kolla_base_distro in ['ubuntu', 'debian'] else 'httpd' %}
|
|
{% set apache_conf_dir = 'apache2/conf-enabled' if kolla_base_distro in ['ubuntu', 'debian'] else 'httpd/conf.d' %}
|
|
{
|
|
"command": "/usr/sbin/{{ apache_binary }} -DFOREGROUND",
|
|
"config_files": [
|
|
{
|
|
"source": "{{ container_config_directory }}/ironic.conf",
|
|
"dest": "/etc/ironic/ironic.conf",
|
|
"owner": "ironic",
|
|
"perm": "0600"
|
|
},
|
|
{
|
|
"source": "{{ container_config_directory }}/ironic-api-wsgi.conf",
|
|
"dest": "/etc/{{ apache_conf_dir }}/ironic-api-wsgi.conf",
|
|
"owner": "ironic",
|
|
"perm": "0600"
|
|
}{% if ironic_policy_file is defined %},
|
|
{
|
|
"source": "{{ container_config_directory }}/{{ ironic_policy_file }}",
|
|
"dest": "/etc/ironic/{{ ironic_policy_file }}",
|
|
"owner": "ironic",
|
|
"perm": "0600"
|
|
}{% endif %}{% if ironic_enable_tls_backend | bool %},
|
|
{
|
|
"source": "{{ container_config_directory }}/ironic-cert.pem",
|
|
"dest": "/etc/ironic/certs/ironic-cert.pem",
|
|
"owner": "ironic",
|
|
"perm": "0600"
|
|
},
|
|
{
|
|
"source": "{{ container_config_directory }}/ironic-key.pem",
|
|
"dest": "/etc/ironic/certs/ironic-key.pem",
|
|
"owner": "ironic",
|
|
"perm": "0600"
|
|
}{% endif %}
|
|
],
|
|
"permissions": [
|
|
{
|
|
"path": "/var/log/kolla/ironic",
|
|
"owner": "ironic:ironic",
|
|
"recurse": true
|
|
}
|
|
]
|
|
}
|