Merge "Fix setting kolla_admin_openrc_cacert"

2023-11-09 01:35:47 +00:00 · 2023-11-09 01:35:47 +00:00 · b31023ea54
commit b31023ea54
parent 1d2d03b76a 95729405a3
8 changed files with 37 additions and 19 deletions
--- a/ansible/inventory/group_vars/all/kolla
+++ b/ansible/inventory/group_vars/all/kolla
@ -652,7 +652,7 @@ kolla_external_tls_cert:
 # Path to a CA certificate file to use for the OS_CACERT environment variable
 # in public-openrc.sh file when TLS is enabled, instead of Kolla-Ansible's
 # default.
-kolla_external_fqdn_cacert:
+kolla_public_openrc_cacert: "{{ kolla_external_fqdn_cacert | default }}"

 # Internal API certificate bundle.
 #
@ -665,7 +665,7 @@ kolla_internal_tls_cert:
 # Path to a CA certificate file to use for the OS_CACERT environment variable
 # in admin-openrc.sh file when TLS is enabled, instead of Kolla-Ansible's
 # default.
-kolla_internal_fqdn_cacert:
+kolla_admin_openrc_cacert: "{{ kolla_internal_fqdn_cacert | default }}"

 ###############################################################################
 # Proxy configuration
--- a/ansible/roles/kolla-ansible/defaults/main.yml
+++ b/ansible/roles/kolla-ansible/defaults/main.yml
@ -175,8 +175,8 @@ kolla_enable_tls_external:
 kolla_enable_tls_internal:
 kolla_external_fqdn_cert:
 kolla_internal_fqdn_cert:
-kolla_external_fqdn_cacert:
-kolla_internal_fqdn_cacert:
+kolla_public_openrc_cacert:
+kolla_admin_openrc_cacert:

 #############################
 # Ironic options
--- a/ansible/roles/kolla-ansible/templates/kolla/globals.yml
+++ b/ansible/roles/kolla-ansible/templates/kolla/globals.yml
@ -191,8 +191,7 @@ kolla_external_fqdn_cert: "{{ kolla_external_fqdn_cert }}"
 {% if kolla_internal_tls_cert is not none and kolla_internal_tls_cert | length > 0 %}
 kolla_internal_fqdn_cert: "{{ kolla_internal_fqdn_cert }}"
 {% endif %}
-kolla_external_fqdn_cacert: "{{ kolla_external_fqdn_cacert }}"
-kolla_internal_fqdn_cacert: "{{ kolla_internal_fqdn_cacert }}"
+kolla_admin_openrc_cacert: "{{ kolla_admin_openrc_cacert }}"

 ################
 # Region options
--- a/ansible/roles/kolla-ansible/tests/test-extras.yml
+++ b/ansible/roles/kolla-ansible/tests/test-extras.yml
@ -136,6 +136,7 @@
            kolla_internal_fqdn_cert: "{{ temp_path }}/etc/kolla/certificates/internal.pem"
            kolla_internal_tls_cert: |
              bogus internal certificate
+            kolla_admin_openrc_cacert: "{{ temp_path }}/etc/kolla/certificates/ca/foo.crt"
            kolla_openstack_logging_debug: True
            grafana_local_admin_user_name: "grafana-admin"
            kolla_inspector_dhcp_pool_start: "1.2.3.4"
@ -255,6 +256,7 @@
              kolla_external_fqdn_cert: "{{ temp_path }}/etc/kolla/certificates/external.pem"
              kolla_enable_tls_internal: True
              kolla_internal_fqdn_cert: "{{ temp_path }}/etc/kolla/certificates/internal.pem"
+              kolla_admin_openrc_cacert: "{{ temp_path }}/etc/kolla/certificates/ca/foo.crt"
              openstack_logging_debug: True
              grafana_admin_username: "grafana-admin"
              ironic_dnsmasq_dhcp_ranges:
--- a/ansible/roles/public-openrc/templates/public-openrc.sh.j2
+++ b/ansible/roles/public-openrc/templates/public-openrc.sh.j2
@ -11,8 +11,8 @@ export OS_ENDPOINT_TYPE=publicURL
 export OS_MANILA_ENDPOINT_TYPE=publicURL
 {% elif "export OS_MISTRAL_ENDPOINT_TYPE" in line %}
 export OS_MISTRAL_ENDPOINT_TYPE=publicURL
-{% elif "export OS_CACERT" in line and kolla_external_fqdn_cacert is not none %}
-export OS_CACERT={{ kolla_external_fqdn_cacert }}
+{% elif "export OS_CACERT" in line and kolla_public_openrc_cacert is not none %}
+export OS_CACERT={{ kolla_public_openrc_cacert }}
 {% else %}
 {{ line }}
 {% endif %}
--- a/doc/source/configuration/reference/kolla-ansible.rst
+++ b/doc/source/configuration/reference/kolla-ansible.rst
@ -264,10 +264,6 @@ The following variables affect TLS encryption of the public API.
    A TLS certificate bundle to use for the public API endpoints, if
    ``kolla_enable_tls_external`` is ``true``.  Note that this should be
    formatted as a literal style block scalar.
-``kolla_external_fqdn_cacert``
-    Path to a CA certificate file to use for the ``OS_CACERT`` environment
-    variable in openrc files when TLS is enabled, instead of Kolla Ansible's
-    default.

 The following variables affect TLS encryption of the internal API. Currently
 this requires all Kolla images to be built with the API's root CA trusted.
@ -278,10 +274,18 @@ this requires all Kolla images to be built with the API's root CA trusted.
    A TLS certificate bundle to use for the internal API endpoints, if
    ``kolla_enable_tls_internal`` is ``true``.  Note that this should be
    formatted as a literal style block scalar.
-``kolla_internal_fqdn_cacert``
+
+The following variables affect the generated ``admin-openrc.sh`` and
+``public-openrc.sh`` environment files.
+
+``kolla_public_openrc_cacert``
    Path to a CA certificate file to use for the ``OS_CACERT`` environment
-    variable in openrc files when TLS is enabled, instead of Kolla Ansible's
-    default.
+    variable in the ``public-openrc.sh`` file when TLS is enabled, instead of
+    ``kolla_admin_openrc_cacert``.
+``kolla_admin_openrc_cacert``
+    Path to a CA certificate file to use for the ``OS_CACERT`` environment
+    variable in the ``admin-openrc.sh`` and ``public-openrc.sh`` files when TLS
+    is enabled, instead of Kolla Ansible's default.

 Example: enabling TLS for the public API
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
@ -298,7 +302,7 @@ Here is an example:
     -----BEGIN CERTIFICATE-----
     ...
     -----END CERTIFICATE-----
-   kolla_external_fqdn_cacert: /path/to/ca/certificate/bundle
+   kolla_admin_openrc_cacert: /path/to/ca/certificate/bundle

 Example: enabling TLS for the internal API
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
@ -315,7 +319,7 @@ Here is an example:
     -----BEGIN CERTIFICATE-----
     ...
     -----END CERTIFICATE-----
-   kolla_internal_fqdn_cacert: /path/to/ca/certificate/bundle
+   kolla_admin_openrc_cacert: /path/to/ca/certificate/bundle

 Other certificates
 ------------------
--- a/etc/kayobe/kolla.yml
+++ b/etc/kayobe/kolla.yml
@ -565,7 +565,7 @@
 # Path to a CA certificate file to use for the OS_CACERT environment variable
 # in public-openrc.sh file when TLS is enabled, instead of Kolla-Ansible's
 # default.
-#kolla_external_fqdn_cacert:
+#kolla_public_openrc_cacert:

 # Internal API certificate bundle.
 #
@ -578,7 +578,7 @@
 # Path to a CA certificate file to use for the OS_CACERT environment variable
 # in admin-openrc.sh file when TLS is enabled, instead of Kolla-Ansible's
 # default.
-#kolla_internal_fqdn_cacert:
+#kolla_admin_openrc_cacert:

 ###############################################################################
 # Proxy configuration
--- a/releasenotes/notes/deprecate-fqdn-cacert-301d5a26ed7107ab.yaml
+++ b/releasenotes/notes/deprecate-fqdn-cacert-301d5a26ed7107ab.yaml
@ -0,0 +1,13 @@
+---
+deprecates:
+  - |
+    Renames ``kolla_external_fqdn_cacert`` to ``kolla_public_openrc_cacert``
+    and ``kolla_internal_fqdn_cacert`` to ``kolla_admin_openrc_cacert``. This
+    matches the Kolla Ansible variable name and better reflects their purpose.
+    The old variable names are still supported until the end of the deprecation
+    period (2024.2 "D" series release or later).
+fixes:
+  - |
+    Fixes an issue where the Kolla Ansible variable
+    ``kolla_admin_openrc_cacert`` was not set to the value of
+    ``kolla_internal_fqdn_cacert``.