From e83c57f233de4c3e625d148922a7d31aff999c7e Mon Sep 17 00:00:00 2001 From: Mark Goddard Date: Tue, 22 Jan 2019 16:59:24 +0000 Subject: [PATCH] Add support for CA certificate parameter When using Ansible OpenStack modules, if OS_CACERT is defined, then this will be passed as the cacert module argument. This ensures that non-standard CA certificate paths can be used. Change-Id: I2a2575b1fb0f149cc13c44526fc0167e68e07aab Story: 2004911 Task: 29261 --- ansible/baremetal-compute-inspect.yml | 1 + ansible/baremetal-compute-manage.yml | 1 + ansible/baremetal-compute-provide.yml | 1 + ansible/group_vars/all/openstack | 4 ++++ ...overcloud-introspection-rules-dell-lldp-workaround.yml | 1 + ansible/overcloud-introspection-rules.yml | 1 + ansible/overcloud-ipa-images.yml | 1 + ansible/provision-net.yml | 1 + ansible/roles/ipa-images/defaults/main.yml | 3 +++ ansible/roles/ipa-images/tasks/main.yml | 3 +++ ansible/roles/ipa-images/tasks/set-driver-info.yml | 1 + ansible/roles/ironic-inspector-rules/README.md | 2 ++ ansible/roles/ironic-inspector-rules/defaults/main.yml | 3 +++ ansible/roles/ironic-inspector-rules/tasks/main.yml | 1 + releasenotes/notes/cacert-514b8645d6912bf9.yaml | 8 ++++++++ 15 files changed, 32 insertions(+) create mode 100644 releasenotes/notes/cacert-514b8645d6912bf9.yaml diff --git a/ansible/baremetal-compute-inspect.yml b/ansible/baremetal-compute-inspect.yml index 9474d2b54..aa029662a 100644 --- a/ansible/baremetal-compute-inspect.yml +++ b/ansible/baremetal-compute-inspect.yml @@ -34,6 +34,7 @@ os_ironic_inspect: auth_type: "{{ openstack_auth_type }}" auth: "{{ openstack_auth }}" + cacert: "{{ openstack_cacert | default(omit, true) }}" name: "{{ inventory_hostname }}" timeout: "{{ baremetal_compute_timeout }}" wait: "{{ baremetal_compute_wait }}" diff --git a/ansible/baremetal-compute-manage.yml b/ansible/baremetal-compute-manage.yml index 7f9d1f7ef..279079381 100644 --- a/ansible/baremetal-compute-manage.yml 
+++ b/ansible/baremetal-compute-manage.yml @@ -32,6 +32,7 @@ - role: stackhpc.os-ironic-state os_ironic_state_auth_type: "{{ openstack_auth_type }}" os_ironic_state_auth: "{{ openstack_auth }}" + os_ironic_state_cacert: "{{ openstack_cacert }}" os_ironic_state_name: "{{ inventory_hostname }}" os_ironic_state_provision_state: "manage" os_ironic_state_wait: "{{ baremetal_compute_wait }}" diff --git a/ansible/baremetal-compute-provide.yml b/ansible/baremetal-compute-provide.yml index b51a37c5b..bd5330944 100644 --- a/ansible/baremetal-compute-provide.yml +++ b/ansible/baremetal-compute-provide.yml @@ -32,6 +32,7 @@ - role: stackhpc.os-ironic-state os_ironic_state_auth_type: "{{ openstack_auth_type }}" os_ironic_state_auth: "{{ openstack_auth }}" + os_ironic_state_cacert: "{{ openstack_cacert }}" os_ironic_state_name: "{{ inventory_hostname }}" os_ironic_state_provision_state: "provide" os_ironic_state_wait: "{{ baremetal_compute_wait }}" diff --git a/ansible/group_vars/all/openstack b/ansible/group_vars/all/openstack index 85c69aae5..ac0d4870a 100644 --- a/ansible/group_vars/all/openstack +++ b/ansible/group_vars/all/openstack @@ -17,6 +17,9 @@ openstack_auth: password: "{{ lookup('env', 'OS_PASSWORD') }}" auth_url: "{{ lookup('env', 'OS_AUTH_URL') }}" +# Overcloud CA certificate path. +openstack_cacert: "{{ lookup('env', 'OS_CACERT') }}" + # Overcloud authentication environment variables. These should be compatible # with the openstack client. # By default we pull these from the environment of the shell executing Ansible. @@ -29,6 +32,7 @@ openstack_auth_env: OS_AUTH_URL: "{{ lookup('env', 'OS_AUTH_URL') }}" OS_INTERFACE: "{{ lookup('env', 'OS_INTERFACE') }}" OS_IDENTITY_API_VERSION: "{{ lookup('env', 'OS_IDENTITY_API_VERSION') }}" + OS_CACERT: "{{ lookup('env', 'OS_CACERT') }}" # List of parameters required in openstack_auth when openstack_auth_type is # password. 
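Review bot: `os_ironic_state_cacert: "{{ openstack_cacert }}"` hands the raw value to the stackhpc.os-ironic-state role, and that value is an empty string (not undefined) whenever OS_CACERT is unset, whereas the direct module calls in this patch guard with `| default(omit, true)`. Whether the external role drops an empty cacert or forwards `cacert: ""` to the module is not visible here; if it forwards it, TLS verification against the overcloud endpoint may behave differently from the unguarded case. Consider `os_ironic_state_cacert: "{{ openstack_cacert | default(omit, true) }}"`, the form provision-net.yml uses for os_networks_cacert in this same patch, so an absent OS_CACERT keeps the module's default trust behaviour. The identical line in baremetal-compute-provide.yml has the same issue.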
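Review bot: The new `openstack_cacert` in ansible/group_vars/all/openstack evaluates to an empty string rather than undefined when OS_CACERT is absent, and the one-line comment above it does not say so, which is why each consumer has to strip the empty value itself and this patch does so inconsistently. I would extend the comment to `# Overcloud CA certificate bundle used to verify the TLS certificates of the overcloud APIs. Empty string when OS_CACERT is unset; pass it with "| default(omit, true)" so the client's default trust store applies instead of an empty path.` The `OS_CACERT: "{{ lookup('env', 'OS_CACERT') }}"` added to openstack_auth_env likewise exports an empty OS_CACERT into the client's environment when the variable is unset; this matches the existing entries, but it is worth confirming that the openstack client treats an empty OS_CACERT as unset rather than as a path.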
diff --git a/ansible/overcloud-introspection-rules-dell-lldp-workaround.yml b/ansible/overcloud-introspection-rules-dell-lldp-workaround.yml index 7257a3f18..0cd0ca9ea 100644 --- a/ansible/overcloud-introspection-rules-dell-lldp-workaround.yml +++ b/ansible/overcloud-introspection-rules-dell-lldp-workaround.yml @@ -127,3 +127,4 @@ ironic_inspector_venv: "{{ virtualenv_path }}/shade" ironic_inspector_auth_type: "{{ openstack_auth_type }}" ironic_inspector_auth: "{{ openstack_auth }}" + ironic_inspector_cacert: "{{ openstack_cacert }}" diff --git a/ansible/overcloud-introspection-rules.yml b/ansible/overcloud-introspection-rules.yml index 4b9626194..2fcf4d59a 100644 --- a/ansible/overcloud-introspection-rules.yml +++ b/ansible/overcloud-introspection-rules.yml @@ -59,6 +59,7 @@ ironic_inspector_venv: "{{ venv }}" ironic_inspector_auth_type: "{{ openstack_auth_type }}" ironic_inspector_auth: "{{ openstack_auth }}" + ironic_inspector_cacert: "{{ openstack_cacert }}" ironic_inspector_rules: "{{ inspector_rules }}" # These variables may be referenced in the introspection rules. inspector_rule_var_ipmi_username: "{{ inspector_ipmi_username }}" diff --git a/ansible/overcloud-ipa-images.yml b/ansible/overcloud-ipa-images.yml index 35c64835e..2ff8d20fe 100644 --- a/ansible/overcloud-ipa-images.yml +++ b/ansible/overcloud-ipa-images.yml @@ -104,4 +104,5 @@ ipa_images_openstack_auth_type: "{{ openstack_auth_type }}" ipa_images_openstack_auth: "{{ openstack_auth }}" ipa_images_openstack_auth_env: "{{ openstack_auth_env }}" + ipa_images_openstack_cacert: "{{ openstack_cacert }}" ipa_images_cache_path: "{{ image_cache_path }}/{{ ipa_image_name }}" diff --git a/ansible/provision-net.yml b/ansible/provision-net.yml index 13a26c694..2294676e0 100644 --- a/ansible/provision-net.yml +++ b/ansible/provision-net.yml 
@@ -62,5 +62,6 @@ os_networks_venv: "{{ virtualenv_path }}/shade" os_networks_auth_type: "{{ openstack_auth_type }}" os_networks_auth: "{{ openstack_auth }}" + os_networks_cacert: "{{ openstack_cacert | default(omit, true) }}" # Network configuration. os_networks: "{{ network_registrations + ([] if cleaning_net_name == provision_wl_net_name else [cleaning_net]) }}" diff --git a/ansible/roles/ipa-images/defaults/main.yml b/ansible/roles/ipa-images/defaults/main.yml index 72a9d8991..cd5c6dbe9 100644 --- a/ansible/roles/ipa-images/defaults/main.yml +++ b/ansible/roles/ipa-images/defaults/main.yml @@ -14,6 +14,9 @@ ipa_images_openstack_auth: {} # openstack client. ipa_images_openstack_auth_env: {} +# CA certificate path. +ipa_images_openstack_caert: + # Path to directory in which to store downloaded images. ipa_images_cache_path: diff --git a/ansible/roles/ipa-images/tasks/main.yml b/ansible/roles/ipa-images/tasks/main.yml index fe2e9f8a9..a6cbe7f8a 100644 --- a/ansible/roles/ipa-images/tasks/main.yml +++ b/ansible/roles/ipa-images/tasks/main.yml @@ -68,6 +68,7 @@ os_image_facts: auth_type: "{{ ipa_images_openstack_auth_type }}" auth: "{{ ipa_images_openstack_auth }}" + cacert: "{{ ipa_images_openstack_cacert | default(omit, true) }}" image: "{{ ipa_images_kernel_name }}" - name: Set a fact containing the Ironic Python Agent (IPA) kernel image @@ -78,6 +79,7 @@ os_image_facts: auth_type: "{{ ipa_images_openstack_auth_type }}" auth: "{{ ipa_images_openstack_auth }}" + cacert: "{{ ipa_images_openstack_cacert | default(omit, true) }}" image: "{{ ipa_images_ramdisk_name }}" - name: Set a fact containing the Ironic Python Agent (IPA) ramdisk image @@ -109,6 +111,7 @@ os_image: auth_type: "{{ ipa_images_openstack_auth_type }}" auth: "{{ ipa_images_openstack_auth }}" + cacert: "{{ ipa_images_openstack_cacert | default(omit, true) }}" name: "{{ item.name }}" container_format: "{{ item.format }}" disk_format: "{{ item.format }}" 
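Review bot: The new default in ansible/roles/ipa-images/defaults/main.yml is spelled `ipa_images_openstack_caert:`, while tasks/main.yml and set-driver-info.yml read `ipa_images_openstack_cacert` and overcloud-ipa-images.yml sets `ipa_images_openstack_cacert`. The role therefore declares no default for the variable it actually uses; it only works because `| default(omit, true)` tolerates an undefined variable, and anyone using the role standalone who copies the misspelled name from defaults would presumably have their CA certificate silently ignored. Rename it to `ipa_images_openstack_cacert:` so the default matches its consumers, and consider writing `ipa_images_openstack_cacert: null` rather than a bare key, matching the explicit intent of "unset".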
diff --git a/ansible/roles/ipa-images/tasks/set-driver-info.yml b/ansible/roles/ipa-images/tasks/set-driver-info.yml index c47a61283..c4f4dbd52 100644 --- a/ansible/roles/ipa-images/tasks/set-driver-info.yml +++ b/ansible/roles/ipa-images/tasks/set-driver-info.yml @@ -4,6 +4,7 @@ os_image_facts: auth_type: "{{ ipa_images_openstack_auth_type }}" auth: "{{ ipa_images_openstack_auth }}" + cacert: "{{ ipa_images_openstack_cacert | default(omit, true) }}" image: "{{ item.name }}" with_items: - name: "{{ ipa_images_kernel_name }}" diff --git a/ansible/roles/ironic-inspector-rules/README.md b/ansible/roles/ironic-inspector-rules/README.md index fd9bbefe8..eeaee662b 100644 --- a/ansible/roles/ironic-inspector-rules/README.md +++ b/ansible/roles/ironic-inspector-rules/README.md @@ -24,6 +24,8 @@ the `auth_type` argument of `os_*` Ansible modules. `ironic_inspector_auth` is a dict containing authentication information compatible with the `auth` argument of `os_*` Ansible modules. +`ironic_inspector_cacert` is an optional path to a CA certificate. + `ironic_inspector_url` is the URL of Ironic Inspector API endpoint, required if no authentication is used. diff --git a/ansible/roles/ironic-inspector-rules/defaults/main.yml b/ansible/roles/ironic-inspector-rules/defaults/main.yml index a23418082..2944208a7 100644 --- a/ansible/roles/ironic-inspector-rules/defaults/main.yml +++ b/ansible/roles/ironic-inspector-rules/defaults/main.yml @@ -8,6 +8,9 @@ ironic_inspector_auth_type: # Authentication information. ironic_inspector_auth: {} +# CA certificate path. +ironic_inspector_cacert: + # URL of Ironic Inspector API endpoint. ironic_inspector_url: diff --git a/ansible/roles/ironic-inspector-rules/tasks/main.yml b/ansible/roles/ironic-inspector-rules/tasks/main.yml index 2ede1e114..1f6e405ef 100644 --- a/ansible/roles/ironic-inspector-rules/tasks/main.yml +++ b/ansible/roles/ironic-inspector-rules/tasks/main.yml 
@@ -18,6 +18,7 @@ os_ironic_inspector_rule: auth_type: "{{ ironic_inspector_auth_type }}" auth: "{{ ironic_inspector_auth }}" + cacert: "{{ ironic_inspector_cacert | default(omit, true) }}" conditions: "{{ item.conditions }}" actions: "{{ item.actions }}" description: "{{ item.description | default(omit) }}" diff --git a/releasenotes/notes/cacert-514b8645d6912bf9.yaml b/releasenotes/notes/cacert-514b8645d6912bf9.yaml new file mode 100644 index 000000000..b3bad2bdd --- /dev/null +++ b/releasenotes/notes/cacert-514b8645d6912bf9.yaml @@ -0,0 +1,8 @@ +--- +features: + - | + Adds support for specifying a CA certificate when accessing APIs. The path + to the CA certificate may be specified via ``openstack_cacert`` , which + takes its default value from the ``OS_CACERT`` environment variable. See + `story 2004911 `__ for + details.