openstack/kayobe
Code Issues Proposed changes

Merge "Fix setting kolla_admin_openrc_cacert"

Browse Source
This commit is contained in:
Zuul 2023-11-09 01:35:47 +00:00 committed by Gerrit Code Review
commit b31023ea54
8 changed files with 37 additions and 19 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
ansible/inventory/group_vars/all/kolla
View File

@ -652,7 +652,7 @@ kolla_external_tls_cert:
# Path to a CA certificate file to use for the OS_CACERT environment variable # Path to a CA certificate file to use for the OS_CACERT environment variable
# in public-openrc.sh file when TLS is enabled, instead of Kolla-Ansible's # in public-openrc.sh file when TLS is enabled, instead of Kolla-Ansible's
# default. # default.
kolla_external_fqdn_cacert: kolla_public_openrc_cacert: "{{ kolla_external_fqdn_cacert | default }}"
# Internal API certificate bundle. # Internal API certificate bundle.
# #
@ -665,7 +665,7 @@ kolla_internal_tls_cert:
# Path to a CA certificate file to use for the OS_CACERT environment variable # Path to a CA certificate file to use for the OS_CACERT environment variable
# in admin-openrc.sh file when TLS is enabled, instead of Kolla-Ansible's # in admin-openrc.sh file when TLS is enabled, instead of Kolla-Ansible's
# default. # default.
kolla_internal_fqdn_cacert: kolla_admin_openrc_cacert: "{{ kolla_internal_fqdn_cacert | default }}"
############################################################################### ###############################################################################
# Proxy configuration # Proxy configuration

4
ansible/roles/kolla-ansible/defaults/main.yml
View File

@ -175,8 +175,8 @@ kolla_enable_tls_external:
kolla_enable_tls_internal: kolla_enable_tls_internal:
kolla_external_fqdn_cert: kolla_external_fqdn_cert:
kolla_internal_fqdn_cert: kolla_internal_fqdn_cert:
kolla_external_fqdn_cacert: kolla_public_openrc_cacert:
kolla_internal_fqdn_cacert: kolla_admin_openrc_cacert:
############################# #############################
# Ironic options # Ironic options

3
ansible/roles/kolla-ansible/templates/kolla/globals.yml
View File

@ -191,8 +191,7 @@ kolla_external_fqdn_cert: "{{ kolla_external_fqdn_cert }}"
{% if kolla_internal_tls_cert is not none and kolla_internal_tls_cert | length > 0 %} {% if kolla_internal_tls_cert is not none and kolla_internal_tls_cert | length > 0 %}
kolla_internal_fqdn_cert: "{{ kolla_internal_fqdn_cert }}" kolla_internal_fqdn_cert: "{{ kolla_internal_fqdn_cert }}"
{% endif %} {% endif %}
kolla_external_fqdn_cacert: "{{ kolla_external_fqdn_cacert }}" kolla_admin_openrc_cacert: "{{ kolla_admin_openrc_cacert }}"
kolla_internal_fqdn_cacert: "{{ kolla_internal_fqdn_cacert }}"
################ ################
# Region options # Region options

2
ansible/roles/kolla-ansible/tests/test-extras.yml
View File

@ -136,6 +136,7 @@
kolla_internal_fqdn_cert: "{{ temp_path }}/etc/kolla/certificates/internal.pem" kolla_internal_fqdn_cert: "{{ temp_path }}/etc/kolla/certificates/internal.pem"
kolla_internal_tls_cert: | kolla_internal_tls_cert: |
bogus internal certificate bogus internal certificate
kolla_admin_openrc_cacert: "{{ temp_path }}/etc/kolla/certificates/ca/foo.crt"
kolla_openstack_logging_debug: True kolla_openstack_logging_debug: True
grafana_local_admin_user_name: "grafana-admin" grafana_local_admin_user_name: "grafana-admin"
kolla_inspector_dhcp_pool_start: "1.2.3.4" kolla_inspector_dhcp_pool_start: "1.2.3.4"
@ -255,6 +256,7 @@
kolla_external_fqdn_cert: "{{ temp_path }}/etc/kolla/certificates/external.pem" kolla_external_fqdn_cert: "{{ temp_path }}/etc/kolla/certificates/external.pem"
kolla_enable_tls_internal: True kolla_enable_tls_internal: True
kolla_internal_fqdn_cert: "{{ temp_path }}/etc/kolla/certificates/internal.pem" kolla_internal_fqdn_cert: "{{ temp_path }}/etc/kolla/certificates/internal.pem"
kolla_admin_openrc_cacert: "{{ temp_path }}/etc/kolla/certificates/ca/foo.crt"
openstack_logging_debug: True openstack_logging_debug: True
grafana_admin_username: "grafana-admin" grafana_admin_username: "grafana-admin"
ironic_dnsmasq_dhcp_ranges: ironic_dnsmasq_dhcp_ranges:

4
ansible/roles/public-openrc/templates/public-openrc.sh.j2
View File

@ -11,8 +11,8 @@ export OS_ENDPOINT_TYPE=publicURL
export OS_MANILA_ENDPOINT_TYPE=publicURL export OS_MANILA_ENDPOINT_TYPE=publicURL
{% elif "export OS_MISTRAL_ENDPOINT_TYPE" in line %} {% elif "export OS_MISTRAL_ENDPOINT_TYPE" in line %}
export OS_MISTRAL_ENDPOINT_TYPE=publicURL export OS_MISTRAL_ENDPOINT_TYPE=publicURL
{% elif "export OS_CACERT" in line and kolla_external_fqdn_cacert is not none %} {% elif "export OS_CACERT" in line and kolla_public_openrc_cacert is not none %}
export OS_CACERT={{ kolla_external_fqdn_cacert }} export OS_CACERT={{ kolla_public_openrc_cacert }}
{% else %} {% else %}
{{ line }} {{ line }}
{% endif %} {% endif %}

22
doc/source/configuration/reference/kolla-ansible.rst
View File

@ -264,10 +264,6 @@ The following variables affect TLS encryption of the public API.
A TLS certificate bundle to use for the public API endpoints, if A TLS certificate bundle to use for the public API endpoints, if
``kolla_enable_tls_external`` is ``true``. Note that this should be ``kolla_enable_tls_external`` is ``true``. Note that this should be
formatted as a literal style block scalar. formatted as a literal style block scalar.
``kolla_external_fqdn_cacert``
Path to a CA certificate file to use for the ``OS_CACERT`` environment
variable in openrc files when TLS is enabled, instead of Kolla Ansible's
default.
The following variables affect TLS encryption of the internal API. Currently The following variables affect TLS encryption of the internal API. Currently
this requires all Kolla images to be built with the API's root CA trusted. this requires all Kolla images to be built with the API's root CA trusted.
@ -278,10 +274,18 @@ this requires all Kolla images to be built with the API's root CA trusted.
A TLS certificate bundle to use for the internal API endpoints, if A TLS certificate bundle to use for the internal API endpoints, if
``kolla_enable_tls_internal`` is ``true``. Note that this should be ``kolla_enable_tls_internal`` is ``true``. Note that this should be
formatted as a literal style block scalar. formatted as a literal style block scalar.
``kolla_internal_fqdn_cacert``
The following variables affect the generated ``admin-openrc.sh`` and
``public-openrc.sh`` environment files.
``kolla_public_openrc_cacert``
Path to a CA certificate file to use for the ``OS_CACERT`` environment Path to a CA certificate file to use for the ``OS_CACERT`` environment
variable in openrc files when TLS is enabled, instead of Kolla Ansible's variable in the ``public-openrc.sh`` file when TLS is enabled, instead of
default. ``kolla_admin_openrc_cacert``.
``kolla_admin_openrc_cacert``
Path to a CA certificate file to use for the ``OS_CACERT`` environment
variable in the ``admin-openrc.sh`` and ``public-openrc.sh`` files when TLS
is enabled, instead of Kolla Ansible's default.
Example: enabling TLS for the public API Example: enabling TLS for the public API
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
@ -298,7 +302,7 @@ Here is an example:
-----BEGIN CERTIFICATE----- -----BEGIN CERTIFICATE-----
... ...
-----END CERTIFICATE----- -----END CERTIFICATE-----
kolla_external_fqdn_cacert: /path/to/ca/certificate/bundle kolla_admin_openrc_cacert: /path/to/ca/certificate/bundle
Example: enabling TLS for the internal API Example: enabling TLS for the internal API
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
@ -315,7 +319,7 @@ Here is an example:
-----BEGIN CERTIFICATE----- -----BEGIN CERTIFICATE-----
... ...
-----END CERTIFICATE----- -----END CERTIFICATE-----
kolla_internal_fqdn_cacert: /path/to/ca/certificate/bundle kolla_admin_openrc_cacert: /path/to/ca/certificate/bundle
Other certificates Other certificates
------------------ ------------------

4
etc/kayobe/kolla.yml
View File

@ -565,7 +565,7 @@
# Path to a CA certificate file to use for the OS_CACERT environment variable # Path to a CA certificate file to use for the OS_CACERT environment variable
# in public-openrc.sh file when TLS is enabled, instead of Kolla-Ansible's # in public-openrc.sh file when TLS is enabled, instead of Kolla-Ansible's
# default. # default.
#kolla_external_fqdn_cacert: #kolla_public_openrc_cacert:
# Internal API certificate bundle. # Internal API certificate bundle.
# #
@ -578,7 +578,7 @@
# Path to a CA certificate file to use for the OS_CACERT environment variable # Path to a CA certificate file to use for the OS_CACERT environment variable
# in admin-openrc.sh file when TLS is enabled, instead of Kolla-Ansible's # in admin-openrc.sh file when TLS is enabled, instead of Kolla-Ansible's
# default. # default.
#kolla_internal_fqdn_cacert: #kolla_admin_openrc_cacert:
############################################################################### ###############################################################################
# Proxy configuration # Proxy configuration

13
releasenotes/notes/deprecate-fqdn-cacert-301d5a26ed7107ab.yaml Normal file
View File

@ -0,0 +1,13 @@
---
deprecates:
- |
Renames ``kolla_external_fqdn_cacert`` to ``kolla_public_openrc_cacert``
and ``kolla_internal_fqdn_cacert`` to ``kolla_admin_openrc_cacert``. This
matches the Kolla Ansible variable name and better reflects their purpose.
The old variable names are still supported until the end of the deprecation
period (2024.2 "D" series release or later).
fixes:
- |
Fixes an issue where the Kolla Ansible variable
``kolla_admin_openrc_cacert`` was not set to the value of
``kolla_internal_fqdn_cacert``.