openstack-ansible-os_ironic/defaults/main.yml

---
# Copyright 2015, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Defaults file for openstack-ansible-ironic

# Verbosity Options
debug: False

# python venv executable
ironic_venv_python_executable: "{{ openstack_venv_python_executable | default('python3') }}"

# Set the host which will execute the shade modules
# for the service setup. The host must already have
# clouds.yaml properly configured.
ironic_service_setup_host: "{{ openstack_service_setup_host | default('localhost') }}"
ironic_service_setup_host_python_interpreter: >-
  {{
    openstack_service_setup_host_python_interpreter | default(
      (ironic_service_setup_host == 'localhost') | ternary(ansible_playbook_python, ansible_facts['python']['executable']))
  }}  

# Set the package install state for distribution packages
# Options are 'present' and 'latest'
ironic_package_state: "{{ package_state | default('latest') }}"

ironic_git_repo: https://opendev.org/openstack/ironic
ironic_inspector_git_repo: https://opendev.org/openstack/ironic-inspector
ironic_git_install_branch: master
ironic_inspector_git_install_branch: master
ironic_upper_constraints_url: >-
  {{ requirements_git_url | default('https://releases.openstack.org/constraints/upper/' ~ requirements_git_install_branch | default('master')) }}  
ironic_git_constraints:
  - "--constraint {{ ironic_upper_constraints_url }}"

ironic_pip_install_args: "{{ pip_install_options | default('') }}"

# Name of the virtual env to deploy into
ironic_venv_tag: "{{ venv_tag | default('untagged') }}"
ironic_bin: "/openstack/venvs/ironic-{{ ironic_venv_tag }}/bin"

# System info
ironic_system_user_name: ironic
ironic_system_group_name: ironic
ironic_system_shell: /bin/bash
ironic_system_comment: ironic system user
ironic_system_home_folder: "/var/lib/{{ ironic_system_user_name }}"
ironic_system_slice_name: ironic
ironic_lock_dir: "{{ openstack_lock_dir | default('/run/lock') }}"

# Ironic Program and Service names
python_ironic_client_program_name: ironic
ironic_services:
  ironic-api:
    group: ironic_api
    service_name: ironic-api
    init_config_overrides: "{{ ironic_api_init_config_overrides }}"
    wsgi_app: True
    wsgi_name: ironic-api-wsgi
    uwsgi_overrides: "{{ ironic_api_uwsgi_ini_overrides }}"
    uwsgi_port: "{{ ironic_service_port }}"
    uwsgi_bind_address: "{{ ironic_uwsgi_bind_address }}"
    uwsgi_tls: "{{ ironic_backend_ssl | ternary(ironic_uwsgi_tls, {}) }}"
  ironic-conductor:
    group: ironic_conductor
    service_name: ironic-conductor
    init_config_overrides: "{{ ironic_conductor_init_config_overrides }}"
    execstarts: "{{ ironic_bin }}/ironic-conductor"
  ironic-inspector:
    group: ironic_inspector
    service_name: ironic-inspector
    init_config_overrides: "{{ ironic_inspector_init_config_overrides }}"
    execstarts: "{{ ironic_bin }}/ironic-inspector"
  ironic-inspector-dnsmasq:
    group: ironic_inspector
    service_name: ironic-inspector-dnsmasq
    service_type: forking
    systemd_user_name: root
    systemd_group_name: root
    init_config_overrides: "{{ ironic_inspector_dnsmasq_init_config_overrides }}"
    execstarts: "/usr/sbin/dnsmasq --conf-file=/etc/ironic-inspector/inspector-dnsmasq.conf"
    after_targets:
      - openvswitch.service
      - network.target
    state: stopped

ironic_service_name: ironic
ironic_service_type: baremetal
ironic_service_proto: http
ironic_service_publicuri_proto: "{{ openstack_service_publicuri_proto | default(ironic_service_proto) }}"
ironic_service_adminuri_proto: "{{ openstack_service_adminuri_proto | default(ironic_service_proto) }}"
ironic_service_internaluri_proto: "{{ openstack_service_internaluri_proto | default(ironic_service_proto) }}"
ironic_service_port: 6385
ironic_service_description: "Ironic baremetal provisioning service"
ironic_service_publicuri: "{{ ironic_service_publicuri_proto }}://{{ external_lb_vip_address }}:{{ ironic_service_port }}"
ironic_service_publicurl: "{{ ironic_service_publicuri }}"
ironic_service_adminuri: "{{ ironic_service_adminuri_proto }}://{{ internal_lb_vip_address }}:{{ ironic_service_port }}"
ironic_service_adminurl: "{{ ironic_service_adminuri }}"
ironic_service_internaluri: "{{ ironic_service_internaluri_proto }}://{{ internal_lb_vip_address }}:{{ ironic_service_port }}"
ironic_service_internalurl: "{{ ironic_service_internaluri }}"
ironic_program_name: ironic-api
ironic_service_region: "{{ service_region | default('RegionOne') }}"
ironic_service_project_name: "service"
ironic_service_project_domain_id: default
ironic_service_user_domain_id: default
ironic_service_role_names:
  - admin
  - service
ironic_service_token_roles:
  - service
ironic_service_token_roles_required: "{{ openstack_service_token_roles_required | default(True) }}"
ironic_service_in_ldap: "{{ service_ldap_backend_enabled | default(False) }}"

# Enable interaction with Nova and Neutron from 2024.1 with default policy
# If more than one service project name is necessary, then you may need to
# override Ironic 'service_role' policy.
ironic_service_role_elevated_access: True

# The name of the entry in container_networks for the bmaas network
# This is the default provisioning / inspection / cleaning network for this role
ironic_container_network_name: "bmaas_address"

# The name of the bridge on the host for the bmaas network
ironic_bmaas_bridge: "{{ container_networks[ironic_container_network_name]['bridge'] | default('bridge_undefined') }}"

# The address of this host on the bmaas network
ironic_bmaas_address: >-
  {{
    (is_metal | default(False)) | ternary(
      ansible_facts[ironic_bmaas_bridge | replace('-','_')]['ipv4']['address'],
      container_networks[ironic_container_network_name]['address']) | default('address_undefined')
  }}  
# The name of the interface on the bmaas network
# This is the bmaas bridge name on metal, or the corresponding interface name in a container
ironic_bmaas_interface: >-
  {{
    (is_metal | default(False)) | ternary(
      ironic_bmaas_bridge, container_networks[ironic_container_network_name]['interface']) | default('interface_undefined')
  }}  

# Ironic image store information
#
### Hosted Web Server
#
# Set this to True to use http web server to host floppy
# images and generated boot ISO. This requires http_root and
# http_url to be configured in the [deploy] section of the
# config file. If this is set to False, then Ironic will use
# Swift to host the floppy images and generated boot_iso.
ironic_enable_web_server_for_images: False
ironic_http_bind_address: "{{ ironic_bmaas_address }}"
ironic_http_url: "{{ ironic_ipxe_proto }}://{{ ironic_http_bind_address }}:{{ ironic_ipxe_port }}"
ironic_http_root: "/httpboot"
#
### Swift Config
#
ironic_swift_image_container: glance_images
ironic_swift_api_version: v1
ironic_swift_url_endpoint_type: swift
# The ironic swift auth account and swift endpoints will be generated using the
#  known swift data as provided by swift stat. If you wish to set either of these
#  items to something else define these variables.
# ironic_swift_auth_account: AUTH_1234567890
# ironic_swift_endpoint: https://localhost:8080

# Is this Ironic installation working standalone?
# If you're wanting Ironic to work without being integrated to other OpenStack
# services, set this to True, and update the dhcp configuration appropriately
ironic_standalone: False

# Enables or disables automated cleaning. Automated cleaning
# is a configurable set of steps, such as erasing disk drives,
# that are performed on the node to ensure it is in a baseline
# state and ready to be deployed to.
ironic_automated_clean: false
# Set to 0 to disable erase devices on cleaning
ironic_erase_devices_priority: 10

# Database
ironic_db_setup_host: "{{ openstack_db_setup_host | default('localhost') }}"
ironic_db_setup_python_interpreter: >-
  {{
    openstack_db_setup_python_interpreter | default(
      (ironic_db_setup_host == 'localhost') | ternary(ansible_playbook_python, ansible_facts['python']['executable']))
  }}  
ironic_galera_address: "{{ galera_address | default('127.0.0.1') }}"
ironic_galera_user: ironic
ironic_galera_database: ironic
ironic_galera_use_ssl: "{{ galera_use_ssl | default(False) }}"
ironic_galera_ssl_ca_cert: "{{ galera_ssl_ca_cert | default('') }}"
ironic_galera_port: "{{ galera_port | default('3306') }}"
ironic_db_max_overflow: "{{ openstack_db_max_overflow | default('50') }}"
ironic_db_max_pool_size: "{{ openstack_db_max_pool_size | default('5') }}"
ironic_db_pool_timeout: "{{ openstack_db_pool_timeout | default('30') }}"
ironic_db_connection_recycle_time: "{{ openstack_db_connection_recycle_time | default('600') }}"

## Keystone authentication middleware
ironic_keystone_auth_plugin: password

# Neutron network - Set these in a playbook/task - can be set manually.
# Only "name" or "uuid" is needed, uuid will take preference if both are specified.
# The cleaning and inspection network is not required to be set; they will default
# to the provisioning network if not specified.
# ironic_neutron_provisioning_network_uuid: "UUID for provisioning network in neutron"
# ironic_neutron_cleaning_network_uuid: "UUID for cleaning network in neutron"
# ironic_neutron_inspection_network_uuid: "UUID for inspection network in neutron"
# ironic_neutron_provisioning_network_name: "Name of provisioning network in neutron"
# ironic_neutron_cleaning_network_name: "Name of cleaning network in neutron"
# ironic_neutron_inspection_network_name: "Name of inspection network in neutron"

# Integrated Openstack configuration
ironic_enabled_network_interfaces_list: "flat,noop{{ (ironic_neutron_provisioning_network_uuid is defined) | ternary(',neutron', '') }}"
ironic_default_network_interface: "{{ (ironic_neutron_provisioning_network_uuid is defined) | ternary('neutron', 'flat') }}"
ironic_auth_strategy: keystone
ironic_dhcp_provider: "{{ (ironic_standalone | bool) | ternary('none', 'neutron') }}"
ironic_sync_power_state_interval: "{{ (ironic_standalone | bool) | ternary('-1', '60') }}"
ironic_db_connection_string: >-
  mysql+pymysql://{{ ironic_galera_user }}:{{ ironic_container_mysql_password }}@{{ ironic_galera_address }}:{{ ironic_galera_port
    }}/ironic?charset=utf8{% if ironic_galera_use_ssl | bool %}&ssl_verify_cert=true{%
      if ironic_galera_ssl_ca_cert | length > 0 %}&ssl_ca={{ ironic_galera_ssl_ca_cert }}{% endif %}{% endif %}  

# Common configuration
ironic_node_name: ironic

ironic_tftp_server_address: "{{ ironic_bmaas_address }}"

# Use this variable to add extra files into the ironic_tftp_root directory
# ironic_tftp_extra_content:
#   - path: /some/local/dir/local-file.txt
#     name: local-file.txt
#   - url: http://boot.ipxe.org/arm64-efi/ipxe.efi
#     name: ipxe_aa64.efi
ironic_tftp_extra_content: []

ironic_pip_packages:
  - "git+{{ ironic_git_repo }}@{{ ironic_git_install_branch }}#egg=ironic"
  - cryptography
  - osprofiler
  - proliantutils
  - PyMySQL
  - pymemcache
  - pysnmp
  - python-dracclient
  - python-ilorest-library
  - python-ironicclient
  - python-memcached
  - python-scciclient
  - python-swiftclient
  - python-xclarityclient
  - sushy
  - systemd-python

# ipmitool-socat console settings
ironic_socat_bind_address: "{{ openstack_service_bind_address | default('0.0.0.0') }}"
ironic_socat_port_range: "10000:10099"

# Specific pip packages provided by the user for the ironic service
ironic_user_pip_packages: []

ironic_inspector_pip_packages:
  - "git+{{ ironic_inspector_git_repo }}@{{ ironic_inspector_git_install_branch }}#egg=ironic-inspector"
  - python-ironic-inspector-client

# Specific pip packages provided by the user for the ironic inspector service
ironic_inspector_user_pip_packages: []

# Memcached override
ironic_memcached_servers: "{{ memcached_servers }}"

## Oslo Messaging Info
# RPC
ironic_oslomsg_rpc_host_group: "{{ oslomsg_rpc_host_group | default('rabbitmq_all') }}"
ironic_oslomsg_rpc_setup_host: "{{ (ironic_oslomsg_rpc_host_group in groups) | ternary(groups[ironic_oslomsg_rpc_host_group][0], 'localhost') }}"
ironic_oslomsg_rpc_transport: "{{ oslomsg_rpc_transport | default('rabbit') }}"
ironic_oslomsg_rpc_servers: "{{ oslomsg_rpc_servers | default('127.0.0.1') }}"
ironic_oslomsg_rpc_port: "{{ oslomsg_rpc_port | default('5672') }}"
ironic_oslomsg_rpc_use_ssl: "{{ oslomsg_rpc_use_ssl | default(False) }}"
ironic_oslomsg_rpc_userid: ironic
ironic_oslomsg_rpc_policies: []
# vhost name depends on value of oslomsg_rabbit_quorum_queues. In case quorum queues
# are not used - vhost name will be prefixed with leading `/`.
ironic_oslomsg_rpc_vhost:
  - name: /ironic
    state: "{{ ironic_oslomsg_rabbit_quorum_queues | ternary('absent', 'present') }}"
  - name: ironic
    state: "{{ ironic_oslomsg_rabbit_quorum_queues | ternary('present', 'absent') }}"

ironic_oslomsg_rpc_ssl_version: "{{ oslomsg_rpc_ssl_version | default('TLSv1_2') }}"
ironic_oslomsg_rpc_ssl_ca_file: "{{ oslomsg_rpc_ssl_ca_file | default('') }}"

# Notify
ironic_oslomsg_notify_configure: "{{ oslomsg_notify_configure | default(False) }}"
ironic_oslomsg_notify_host_group: "{{ oslomsg_notify_host_group | default('rabbitmq_all') }}"
ironic_oslomsg_notify_setup_host: "{{ (ironic_oslomsg_notify_host_group in groups) | ternary(groups[ironic_oslomsg_notify_host_group][0], 'localhost') }}"
ironic_oslomsg_notify_transport: "{{ oslomsg_notify_transport | default('rabbit') }}"
ironic_oslomsg_notify_servers: "{{ oslomsg_notify_servers | default('127.0.0.1') }}"
ironic_oslomsg_notify_port: "{{ oslomsg_notify_port | default('5672') }}"
ironic_oslomsg_notify_use_ssl: "{{ oslomsg_notify_use_ssl | default(False) }}"
ironic_oslomsg_notify_userid: "{{ ironic_oslomsg_rpc_userid }}"
ironic_oslomsg_notify_password: "{{ ironic_oslomsg_rpc_password }}"
ironic_oslomsg_notify_vhost: "{{ ironic_oslomsg_rpc_vhost }}"
ironic_oslomsg_notify_ssl_version: "{{ oslomsg_notify_ssl_version | default('TLSv1_2') }}"
ironic_oslomsg_notify_ssl_ca_file: "{{ oslomsg_notify_ssl_ca_file | default('') }}"
ironic_oslomsg_notify_policies: []

## RabbitMQ integration
ironic_oslomsg_rabbit_quorum_queues: "{{ oslomsg_rabbit_quorum_queues | default(True) }}"
ironic_oslomsg_rabbit_stream_fanout: "{{ oslomsg_rabbit_stream_fanout | default(ironic_oslomsg_rabbit_quorum_queues) }}"
ironic_oslomsg_rabbit_transient_quorum_queues: "{{ oslomsg_rabbit_transient_quorum_queues | default(ironic_oslomsg_rabbit_stream_fanout) }}"
ironic_oslomsg_rabbit_qos_prefetch_count: "{{ oslomsg_rabbit_qos_prefetch_count | default(ironic_oslomsg_rabbit_stream_fanout | ternary(10, 0)) }}"
ironic_oslomsg_rabbit_queue_manager: "{{ oslomsg_rabbit_queue_manager | default(ironic_oslomsg_rabbit_quorum_queues) }}"
ironic_oslomsg_rabbit_quorum_delivery_limit: "{{ oslomsg_rabbit_quorum_delivery_limit | default(0) }}"
ironic_oslomsg_rabbit_quorum_max_memory_bytes: "{{ oslomsg_rabbit_quorum_max_memory_bytes | default(0) }}"

## (Qdrouterd) integration
# TODO(ansmith): Change structure when more backends will be supported
ironic_oslomsg_amqp1_enabled: "{{ ironic_oslomsg_rpc_transport == 'amqp' }}"

ironic_optional_oslomsg_amqp1_pip_packages:
  - oslo.messaging[amqp1]

# Auth
ironic_service_user_name: "ironic"

# WSGI settings
ironic_wsgi_threads: 1
ironic_wsgi_processes_max: 16
ironic_wsgi_processes: >-
  {{ [[(ansible_facts['processor_vcpus'] // ansible_facts['processor_threads_per_core']) | default(1), 1] | max * 2, ironic_wsgi_processes_max] | min }}  
ironic_uwsgi_bind_address: "{{ openstack_service_bind_address | default('0.0.0.0') }}"
ironic_uwsgi_tls:
  crt: "{{ ironic_ssl_cert }}"
  key: "{{ ironic_ssl_key }}"

### OpenStack Services to integrate with

# Glance
ironic_glance_auth_strategy: "{{ ironic_auth_strategy }}"
ironic_glance_service_project_name: "{{ glance_service_project_name | default('service') }}"
ironic_glance_service_project_domain_id: "{{ glance_service_project_domain_id | default('default') }}"
ironic_glance_keystone_auth_plugin: "{{ glance_keystone_auth_plugin | default('password') }}"
ironic_glance_service_user_name: "{{ glance_service_user_name | default('glance') }}"
ironic_glance_service_user_domain_id: "{{ glance_service_user_domain_id | default('default') }}"
ironic_glance_keystone_auth_url: "{{ keystone_service_internalurl | default('http://localhost:5000/v3') }}"

# Neutron
ironic_neutron_auth_strategy: "{{ ironic_auth_strategy }}"

### Config Overrides
ironic_ironic_conf_overrides: {}
ironic_rootwrap_conf_overrides: {}
ironic_policy_overrides: {}
ironic_api_uwsgi_ini_overrides: {}

# pxe boot
ironic_kernel_append_params: "ipa-debug=1 systemd.journald.forward_to_console=yes"

ironic_api_init_config_overrides: {}
ironic_conductor_init_config_overrides: {}

# driver definitions
ironic_drivers_enabled:
  - no_driver
  - agent_ipmitool
  - pxe_ipmitool

# extra driver types defined by user
ironic_user_driver_types: {}

ironic_inspector_developer_mode: false
ironic_inspector_venv_python_executable: "{{ openstack_venv_python_executable | default('python2') }}"

# System info
ironic_inspector_service_setup_host: "{{ openstack_service_setup_host | default('localhost') }}"
ironic_inspector_service_name: ironic-inspector
ironic_inspector_service_type: baremetal-introspection
ironic_inspector_service_description: "Ironic Baremetal Introspection Service"
ironic_inspector_service_publicuri_proto: "{{ openstack_service_publicuri_proto | default(ironic_service_proto) }}"
ironic_inspector_service_adminuri_proto: "{{ openstack_service_adminuri_proto | default(ironic_service_proto) }}"
ironic_inspector_service_internaluri_proto: "{{ openstack_service_internaluri_proto | default(ironic_service_proto) }}"
ironic_inspector_service_address: "{{ openstack_service_bind_address }}"
ironic_inspector_service_port: 5050
ironic_inspector_service_publicuri: "{{ ironic_inspector_service_publicuri_proto }}://{{ external_lb_vip_address }}:{{ ironic_inspector_service_port }}"
ironic_inspector_service_publicurl: "{{ ironic_inspector_service_publicuri }}"
ironic_inspector_service_adminuri: "{{ ironic_inspector_service_adminuri_proto }}://{{ internal_lb_vip_address }}:{{ ironic_inspector_service_port }}"
ironic_inspector_service_adminurl: "{{ ironic_inspector_service_adminuri }}"
ironic_inspector_service_internaluri: "{{ ironic_inspector_service_internaluri_proto }}://{{ internal_lb_vip_address }}:{{ ironic_inspector_service_port }}"
ironic_inspector_service_internalurl: "{{ ironic_inspector_service_internaluri }}"
ironic_inspector_service_role_names:
  - admin
  - service
ironic_inspector_service_token_roles:
  - service
ironic_inspector_service_token_roles_required: "{{ openstack_service_token_roles_required | default(True) }}"
ironic_inspector_service_project_name: "service"
ironic_inspector_service_in_ldap: "{{ service_ldap_backend_enabled | default(False) }}"
ironic_inspector_service_domain_id: default
ironic_inspector_callback_url: >-
  {{ ironic_inspector_service_internaluri_proto }}://{{ internal_lb_vip_address }}:{{ ironic_inspector_service_port }}/v1/continue  

# Database
ironic_inspector_db_setup_host: "{{ openstack_db_setup_host | default('localhost') }}"
ironic_inspector_db_setup_python_interpreter: >-
  {{
    openstack_db_setup_python_interpreter | default(
      (ironic_inspector_db_setup_host == 'localhost') | ternary(ansible_playbook_python, ansible_facts['python']['executable']))
  }}  
ironic_inspector_galera_address: "{{ galera_address | default('127.0.0.1') }}"
ironic_inspector_galera_user: ironic-inspector
ironic_inspector_galera_database: ironic_inspector
ironic_inspector_galera_port: 3306
ironic_inspector_galera_use_ssl: "{{ galera_use_ssl | default(False) }}"
ironic_inspector_galera_ssl_ca_cert: "{{ galera_ssl_ca_cert | default('') }}"
ironic_inspector_db_max_overflow: "{{ openstack_db_max_overflow | default('50') }}"
ironic_inspector_db_max_pool_size: "{{ openstack_db_max_pool_size | default('5') }}"
ironic_inspector_db_pool_timeout: "{{ openstack_db_pool_timeout | default('30') }}"
ironic_inspector_db_connection_recycle_time: "{{ openstack_db_connection_recycle_time | default('600') }}"

ironic_inspector_pip_install_args: "{{ pip_install_options | default('') }}"

# Ironic iPXE support
ironic_ipxe_enabled: False
ironic_ipxe_port: 8051
ironic_ipxe_proto: "http"

# Auth
ironic_inspector_service_user_name: "ironic_inspector"

### OpenStack Services to integrate with
# Ironic swift store information
ironic_inspector_swift_user_name: swift-inspector
ironic_inspector_swift_role_names:
  - member
  - swiftoperator

# Ironic deploy images need to be uploaded to glance.
ironic_deploy_image_glance_upload: True

# Set the directory where the downloaded image will be stored
# on the ironic_service_setup_host host. If the host is localhost,
# then the user running the playbook must have access to it.
ironic_deploy_image_path: "/root/openstack-ansible/ironic"
ironic_deploy_image_path_owner: "root"

# The default download URL is like https://tarballs.opendev.org/openstack/ironic-python-agent/dib/files/ipa-centos8-stable-xena.initramfs
# Allow various parts of this to be overidden to local mirrors, or replaced completely with custom settings
ironic_deploy_image_server: "https://tarballs.opendev.org/"
ironic_deploy_image_server_path: "openstack/ironic-python-agent/dib/files/"
ironic_deploy_image_base_name: "ipa-centos9-stable-2023.1"
ironic_deploy_image_kernel_name: "{{ ironic_deploy_image_base_name + '.kernel' }}"
ironic_deploy_image_initramfs_name: "{{ ironic_deploy_image_base_name + '.initramfs' }}"
ironic_deploy_image_list:
  - url: "{{ ironic_deploy_image_server ~ ironic_deploy_image_server_path ~ ironic_deploy_image_kernel_name }}"
    sha_url: "{{ ironic_deploy_image_server ~ ironic_deploy_image_server_path ~ ironic_deploy_image_kernel_name ~ '.sha256' }}"
    container_format: 'aki'
    disk_format: 'aki'
    name: "{{ ironic_deploy_image_kernel_name }}"
  - url: "{{ ironic_deploy_image_server ~ ironic_deploy_image_server_path ~ ironic_deploy_image_initramfs_name }}"
    sha_url: "{{ ironic_deploy_image_server ~ ironic_deploy_image_server_path ~ ironic_deploy_image_initramfs_name ~ '.sha256' }}"
    container_format: 'ari'
    disk_format: 'ari'
    name: "{{ ironic_deploy_image_initramfs_name }}"

# allow user defined extra images to upload
ironic_extra_deploy_image_list: []

# Ironic inspector
ironic_inspector_enable_discovery: True
ironic_inspector_openstack_db_connection_string: >-
  mysql+pymysql://{{ ironic_inspector_galera_user }}:{{ ironic_inspector_container_mysql_password }}@{{ ironic_inspector_galera_address -}}:{{
    ironic_inspector_galera_port }}/{{ ironic_inspector_galera_database }}?charset=utf8{%
     if ironic_inspector_galera_use_ssl | bool %}&ssl_verify_cert=true{%
       if ironic_inspector_galera_ssl_ca_cert | length > 0 %}&ssl_ca={{ ironic_inspector_galera_ssl_ca_cert }}{% endif %}{% endif %}  

# define this to adjust the inspector processing hooks
# Example:
# ironic_inspector_processing_hooks: "$default_processing_hooks,lldp_basic,local_link_connection"

# pass additional kernel paramters to the deploy image
ironic_inspector_extra_callback_parameters: ''

# Ironic inspector dhcp
ironic_inspector_dhcp_address: "{{ ironic_bmaas_address }}"
ironic_inspector_dhcp_pool_range: 192.168.0.51 192.168.0.150
ironic_inspector_dhcp_subnet: 192.168.0.0/22
ironic_inspector_dhcp_subnet_mask: 255.255.252.0
ironic_insepctor_dhcp_enable_gateway: True
ironic_inspector_dhcp_gateway: 192.168.0.1
ironic_inspector_dhcp_enable_nameservers: True
ironic_inspector_dhcp_nameservers: 192.168.0.1
ironic_inspector_dhcp_lease_time: 600

ironic_inspector_dhcp_type: dnsmasq # isc_dhcp
ironic_inspector_boot_mode: http # tftp
ironic_inspector_pxe_boot_mode: "{{ ironic_inspector_boot_mode }}"
ironic_inspector_httpboot_dir: "{{ ironic_http_root }}"
ironic_inspector_tftpboot_dir: "{{ ironic_tftpd_root }}"

ironic_inspector_dhcp_interface: "{{ ironic_bmaas_interface }}"
ironic_inspector_valid_interfaces: internal,public

### Config Overrides
ironic_inspector_conf_overrides: {}
ironic_inspector_rootwrap_conf_overrides: {}
ironic_inspector_init_config_overrides: {}
ironic_inspector_dnsmasq_init_config_overrides: {}
# pxe boot
ironic_inspector_pxe_append_params: "ipa-debug=1 systemd.journald.forward_to_console=yes" # ipa-inspection-collectors=default,logs,extra_hardware

ironic_inspector_pxe_filter: dnsmasq # iptables

ironic_inspector_oslomsg_rpc_host_group: "{{ oslomsg_rpc_host_group | default('rabbitmq_all') }}"
ironic_inspector_oslomsg_rpc_setup_host: "{{ (ironic_oslomsg_rpc_host_group in groups) | ternary(groups[ironic_oslomsg_rpc_host_group][0], 'localhost') }}"
ironic_inspector_oslomsg_rpc_transport: "{{ oslomsg_rpc_transport | default('rabbit') }}"
ironic_inspector_oslomsg_rpc_servers: "{{ oslomsg_rpc_servers | default('127.0.0.1') }}"
ironic_inspector_oslomsg_rpc_port: "{{ oslomsg_rpc_port | default('5672') }}"
ironic_inspector_oslomsg_rpc_use_ssl: "True"
ironic_inspector_oslomsg_rpc_userid: ironic
ironic_inspector_oslomsg_rpc_vhost: /ironic
ironic_inspector_oslomsg_rpc_ssl_version: "{{ oslomsg_rpc_ssl_version | default('TLSv1_2') }}"
ironic_inspector_oslomsg_rpc_ssl_ca_file: "{{ oslomsg_rpc_ssl_ca_file | default('') }}"

ironic_inspector_oslomsg_notify_host_group: "{{ oslomsg_notify_host_group | default('rabbitmq_all') }}"
ironic_inspector_oslomsg_notify_setup_host: >-
  {{ (ironic_inspector_oslomsg_notify_host_group in groups) | ternary(groups[ironic_inspector_oslomsg_notify_host_group][0], 'localhost') }}  
ironic_inspector_oslomsg_notify_transport: "{{ oslomsg_notify_transport | default('rabbit') }}"
ironic_inspector_oslomsg_notify_servers: "{{ oslomsg_notify_servers | default('127.0.0.1') }}"
ironic_inspector_oslomsg_notify_port: "{{ oslomsg_notify_port | default('5672') }}"
ironic_inspector_oslomsg_notify_use_ssl: "False"
ironic_inspector_oslomsg_notify_userid: "{{ ironic_inspector_oslomsg_rpc_userid }}"
ironic_inspector_oslomsg_notify_password: "{{ ironic_oslomsg_rpc_password }}"
ironic_inspector_oslomsg_notify_vhost: "{{ ironic_inspector_oslomsg_rpc_vhost }}"
ironic_inspector_oslomsg_notify_ssl_version: "{{ oslomsg_notify_ssl_version | default('TLSv1_2') }}"
ironic_inspector_oslomsg_notify_ssl_ca_file: "{{ oslomsg_notify_ssl_ca_file | default('') }}"

ironic_inspector_optional_oslomsg_amqp1_pip_packages:
  - oslo.messaging[amqp1]
ironic_inspector_oslomsg_amqp1_enabled: True

###
### Backend TLS
###

# Define if communication between haproxy and service backends should be
# encrypted with TLS.
ironic_backend_ssl: "{{ openstack_service_backend_ssl | default(False) }}"

# Storage location for SSL certificate authority
ironic_pki_dir: "{{ openstack_pki_dir | default('/etc/openstack_deploy/pki') }}"

# Delegated host for operating the certificate authority
ironic_pki_setup_host: "{{ openstack_pki_setup_host | default('localhost') }}"

# ironic server certificate
ironic_pki_keys_path: "{{ ironic_pki_dir ~ '/certs/private/' }}"
ironic_pki_certs_path: "{{ ironic_pki_dir ~ '/certs/certs/' }}"
ironic_pki_intermediate_cert_name: "{{ openstack_pki_service_intermediate_cert_name | default('ExampleCorpIntermediate') }}"
ironic_pki_regen_cert: ''
ironic_pki_san: "{{ openstack_pki_san | default('DNS:' ~ ansible_facts['hostname'] ~ ',IP:' ~ management_address) }}"
ironic_pki_certificates:
  - name: "ironic_{{ ansible_facts['hostname'] }}"
    provider: ownca
    cn: "{{ ansible_facts['hostname'] }}"
    san: "{{ ironic_pki_san }}"
    signed_by: "{{ ironic_pki_intermediate_cert_name }}"

# ironic destination files for SSL certificates
ironic_ssl_cert: /etc/ironic/ironic.pem
ironic_ssl_key: /etc/ironic/ironic.key

# Installation details for SSL certificates
ironic_pki_install_certificates:
  - src: "{{ ironic_user_ssl_cert | default(ironic_pki_certs_path ~ 'ironic_' ~ ansible_facts['hostname'] ~ '-chain.crt') }}"
    dest: "{{ ironic_ssl_cert }}"
    owner: "{{ ironic_system_user_name }}"
    group: "{{ ironic_system_user_name }}"
    mode: "0644"
  - src: "{{ ironic_user_ssl_key | default(ironic_pki_keys_path ~ 'ironic_' ~ ansible_facts['hostname'] ~ '.key.pem') }}"
    dest: "{{ ironic_ssl_key }}"
    owner: "{{ ironic_system_user_name }}"
    group: "{{ ironic_system_user_name }}"
    mode: "0600"

# Define user-provided SSL certificates
# ironic_user_ssl_cert: <path to cert on ansible deployment host>
# ironic_user_ssl_key: <path to cert on ansible deployment host>