diff --git a/dev/functions b/dev/functions
index 0e9940238..bd319be89 100644
--- a/dev/functions
+++ b/dev/functions
@@ -404,6 +404,17 @@ function overcloud_deploy {
 if [[ ${KAYOBE_OVERCLOUD_GENERATE_CERTIFICATES} = 1 ]]; then
 echo "Generate TLS certificates"
 run_kayobe kolla ansible run certificates --kolla-extra kolla_certificates_dir=${KAYOBE_CONFIG_PATH}/kolla/certificates
+ # Add CA cert to trust store.
+ ca_cert=${KAYOBE_CONFIG_PATH}/kolla/certificates/ca/root.crt
+ if [[ -e /etc/debian_version ]]; then
+ # Ubuntu
+ sudo cp $ca_cert "/usr/local/share/ca-certificates/kayobe-customca.crt"
+ sudo update-ca-certificates
+ elif [[ -e /etc/redhat-release ]]; then
+ # CentOS
+ sudo cp $ca_cert "/etc/pki/ca-trust/source/anchors/kayobe-customca.crt"
+ sudo update-ca-trust
+ fi
 fi
 # Note: This must currently be before host configure, because host
diff --git a/playbooks/kayobe-overcloud-base/globals.yml.j2 b/playbooks/kayobe-overcloud-base/globals.yml.j2
index 6ebb2af2d..7de112f61 100644
--- a/playbooks/kayobe-overcloud-base/globals.yml.j2
+++ b/playbooks/kayobe-overcloud-base/globals.yml.j2
@@ -20,6 +20,6 @@ nova_libvirt_logging_debug: False
 kolla_copy_ca_into_containers: "yes"
 kolla_enable_tls_backend: "yes"
 openstack_cacert: "/etc/pki/tls/certs/ca-bundle.crt"
-kolla_admin_openrc_cacert: "{% raw %}{{ '{{' }} kolla_certificates_dir }}{% endraw %}/ca/root.crt"
+kolla_admin_openrc_cacert: "/etc/pki/tls/certs/ca-bundle.crt"
 libvirt_tls: "yes"
 {% endif %}
diff --git a/playbooks/kayobe-overcloud-base/overrides.yml.j2 b/playbooks/kayobe-overcloud-base/overrides.yml.j2
index ab14f9940..58ce039ac 100644
--- a/playbooks/kayobe-overcloud-base/overrides.yml.j2
+++ b/playbooks/kayobe-overcloud-base/overrides.yml.j2
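Review bot: The block added to overcloud_deploy copies the generated root CA into the host-wide trust store, so every TLS client on that machine keeps trusting certificates signed by this test CA after the deployment is gone, and nothing in the hunk says that this is intended for dev/CI hosts only. I would state that in the comment, for example `# Dev/CI only: trusts the generated test CA system-wide; delete kayobe-customca.crt and re-run the update command to undo.`. `$ca_cert` is also unquoted in both `sudo cp` lines and is not declared `local`, so a config path containing spaces breaks the copy and the variable leaks out of the function; `local ca_cert="${KAYOBE_CONFIG_PATH}/kolla/certificates/ca/root.crt"` and `sudo cp -- "$ca_cert" ...` would fix both. Hosts that match neither `/etc/debian_version` nor `/etc/redhat-release` skip the step silently, and an `else` branch printing a warning to stderr would make that visible. The function body starts and ends outside the hunk, so whether a failed `cp` aborts the run cannot be seen here.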
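Review bot: The new `kolla_admin_openrc_cacert` value hard-codes the RedHat-family bundle path, while the dev/functions change in the same commit also handles Debian/Ubuntu, where `update-ca-certificates` maintains `/etc/ssl/certs/ca-certificates.crt` instead. If this template is rendered for Ubuntu jobs as well, the admin openrc file would presumably point OS_CACERT at a file that does not exist there, and clients would fail certificate verification. Selecting the path by distribution would avoid this; if the job is RedHat-only, a comment such as `# RedHat-family system bundle; the test CA is added to it by update-ca-trust` would record the assumption. Pointing at the full system bundle also widens what the client accepts from the single test root to every CA in the bundle, which seems acceptable for CI but is worth stating. The enclosing `{% if %}` block starts outside the hunk.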
@@ -45,9 +45,6 @@ kolla_ironic_default_boot_interface: ipxe
 kolla_enable_tls_external: "yes"
 kolla_enable_tls_internal: "yes"
-# FIXME: ipa-images fails to access OS_CACERT from /home/zuul.
-kayobe_ansible_user: zuul
-
 kolla_ironic_pxe_append_params_extra:
 - ipa-insecure=1
 {% endif %}