From 09e02ef8f1faa7a6aedfa6c97a1a3ac69c3ee775 Mon Sep 17 00:00:00 2001 From: Scott Solkhon Date: Thu, 15 Aug 2019 13:50:17 +0000 Subject: [PATCH] Support configuration of trusted CA certificate file This commit adds the functionality for an operator to specify their own trusted CA certificate file for interacting with the Keystone API. Implements: blueprint support-trusted-ca-certificate-file Change-Id: I84f9897cc8e107658701fb309ec318c0f805883b --- ansible/group_vars/all.yml | 4 ++++ ansible/roles/aodh/tasks/register.yml | 2 ++ ansible/roles/barbican/tasks/register.yml | 3 +++ ansible/roles/blazar/tasks/bootstrap.yml | 1 + ansible/roles/blazar/tasks/register.yml | 2 ++ ansible/roles/ceilometer/tasks/register.yml | 2 ++ ansible/roles/ceph/tasks/start_rgw_keystone.yml | 3 +++ ansible/roles/cinder/tasks/check.yml | 2 ++ ansible/roles/cinder/tasks/register.yml | 2 ++ ansible/roles/cloudkitty/tasks/register.yml | 3 +++ ansible/roles/congress/tasks/register.yml | 2 ++ ansible/roles/cyborg/tasks/register.yml | 2 ++ ansible/roles/designate/tasks/register.yml | 2 ++ ansible/roles/freezer/tasks/register.yml | 2 ++ ansible/roles/glance/tasks/check.yml | 2 ++ ansible/roles/glance/tasks/register.yml | 2 ++ ansible/roles/gnocchi/tasks/register.yml | 2 ++ ansible/roles/heat/tasks/register.yml | 5 +++++ ansible/roles/horizon/templates/local_settings.j2 | 4 ++++ ansible/roles/ironic/tasks/register.yml | 4 ++++ ansible/roles/karbor/tasks/register.yml | 2 ++ ansible/roles/keystone/tasks/check.yml | 1 + ansible/roles/keystone/tasks/register.yml | 2 ++ ansible/roles/kuryr/tasks/register.yml | 1 + ansible/roles/magnum/tasks/register.yml | 5 +++++ ansible/roles/manila/tasks/register.yml | 2 ++ ansible/roles/masakari/tasks/register.yml | 2 ++ ansible/roles/mistral/tasks/register.yml | 2 ++ ansible/roles/monasca/tasks/register.yml | 5 +++++ ansible/roles/murano/tasks/register.yml | 2 ++ ansible/roles/neutron/tasks/register.yml | 2 ++ ansible/roles/nova/tasks/discover_computes.yml | 1 + ansible/roles/nova/tasks/register.yml | 2 ++ ansible/roles/octavia/tasks/register.yml | 4 ++++ ansible/roles/panko/tasks/register.yml | 2 ++ ansible/roles/placement/tasks/register.yml | 2 ++ ansible/roles/qinling/tasks/register.yml | 2 ++ ansible/roles/sahara/tasks/register.yml | 2 ++ ansible/roles/searchlight/tasks/register.yml | 2 ++ ansible/roles/senlin/tasks/register.yml | 2 ++ ansible/roles/solum/tasks/register.yml | 3 +++ ansible/roles/swift/tasks/check.yml | 3 ++- ansible/roles/swift/tasks/register.yml | 3 +++ ansible/roles/tacker/tasks/register.yml | 2 ++ ansible/roles/trove/tasks/register.yml | 2 ++ ansible/roles/vitrage/tasks/register.yml | 3 +++ ansible/roles/watcher/tasks/register.yml | 2 ++ ansible/roles/zun/tasks/register.yml | 2 ++ releasenotes/notes/trusted-cacert-3c7061e974b5187d.yaml | 6 ++++++ 49 files changed, 121 insertions(+), 1 deletion(-) create mode 100644 releasenotes/notes/trusted-cacert-3c7061e974b5187d.yaml diff --git a/ansible/group_vars/all.yml b/ansible/group_vars/all.yml index f59803b66e..af053a28f0 100644 --- a/ansible/group_vars/all.yml +++ b/ansible/group_vars/all.yml @@ -493,6 +493,10 @@ nova_console: "novnc" # Valid options are [ public, internal, admin ] openstack_interface: "admin" +# Openstack CA certificate bundle file +# CA bundle file must be added to both the Horizon and Kolla Toolbox containers +openstack_cacert: "" + # Enable core OpenStack services. This includes: # glance, keystone, neutron, nova, heat, and horizon. enable_openstack_core: "yes" diff --git a/ansible/roles/aodh/tasks/register.yml b/ansible/roles/aodh/tasks/register.yml index ccab65f26f..4cc2bc1fb3 100644 --- a/ansible/roles/aodh/tasks/register.yml +++ b/ansible/roles/aodh/tasks/register.yml @@ -13,6 +13,7 @@ region_name: "{{ openstack_region_name }}" auth: "{{ openstack_aodh_auth }}" endpoint_type: "{{ openstack_interface }}" + cacert: "{{ openstack_cacert }}" run_once: True with_items: - {'interface': 'admin', 'url': '{{ aodh_admin_endpoint }}'} @@ -31,4 +32,5 @@ region_name: "{{ openstack_region_name }}" auth: "{{ openstack_aodh_auth }}" endpoint_type: "{{ openstack_interface }}" + cacert: "{{ openstack_cacert }}" run_once: True diff --git a/ansible/roles/barbican/tasks/register.yml b/ansible/roles/barbican/tasks/register.yml index 6856bc4d35..75f0855d7e 100644 --- a/ansible/roles/barbican/tasks/register.yml +++ b/ansible/roles/barbican/tasks/register.yml @@ -13,6 +13,7 @@ region_name: "{{ openstack_region_name }}" auth: "{{ openstack_barbican_auth }}" endpoint_type: "{{ openstack_interface }}" + cacert: "{{ openstack_cacert }}" run_once: True with_items: - {'interface': 'admin', 'url': '{{ barbican_admin_endpoint }}'} @@ -31,6 +32,7 @@ region_name: "{{ openstack_region_name }}" auth: "{{ openstack_barbican_auth }}" endpoint_type: "{{ openstack_interface }}" + cacert: "{{ openstack_cacert }}" run_once: True - name: Creating default barbican roles @@ -41,6 +43,7 @@ name: "{{ item }}" auth: "{{ openstack_barbican_auth }}" endpoint_type: "{{ openstack_interface }}" + cacert: "{{ openstack_cacert }}" run_once: True with_items: - "{{ barbican_keymanager_role }}" diff --git a/ansible/roles/blazar/tasks/bootstrap.yml b/ansible/roles/blazar/tasks/bootstrap.yml index 5110a3e1df..b3dd1a3296 100644 --- a/ansible/roles/blazar/tasks/bootstrap.yml +++ b/ansible/roles/blazar/tasks/bootstrap.yml @@ -48,6 +48,7 @@ --os-password {{ keystone_admin_password }} --os-user-domain-name default --os-region-name {{ openstack_region_name }} + {% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }}{% endif %} aggregate create {{ blazar_aggregate_pool_name }} register: blazar_host_aggregate changed_when: blazar_host_aggregate is success diff --git a/ansible/roles/blazar/tasks/register.yml b/ansible/roles/blazar/tasks/register.yml index 31aff54ded..73b2164984 100644 --- a/ansible/roles/blazar/tasks/register.yml +++ b/ansible/roles/blazar/tasks/register.yml @@ -13,6 +13,7 @@ region_name: "{{ openstack_region_name }}" auth: "{{ openstack_blazar_auth }}" endpoint_type: "{{ openstack_interface }}" + cacert: "{{ openstack_cacert }}" run_once: True with_items: - {'interface': 'admin', 'url': '{{ blazar_admin_endpoint }}'} @@ -31,4 +32,5 @@ region_name: "{{ openstack_region_name }}" auth: "{{ openstack_blazar_auth }}" endpoint_type: "{{ openstack_interface }}" + cacert: "{{ openstack_cacert }}" run_once: True diff --git a/ansible/roles/ceilometer/tasks/register.yml b/ansible/roles/ceilometer/tasks/register.yml index 9ceacbace5..76ee2b0d7a 100644 --- a/ansible/roles/ceilometer/tasks/register.yml +++ b/ansible/roles/ceilometer/tasks/register.yml @@ -11,6 +11,7 @@ region_name: "{{ openstack_region_name }}" auth: "{{ openstack_ceilometer_auth }}" endpoint_type: "{{ openstack_interface }}" + cacert: "{{ openstack_cacert }}" run_once: True - name: Associate the ResellerAdmin role and ceilometer user @@ -24,5 +25,6 @@ region_name: "{{ openstack_region_name }}" auth: "{{ openstack_ceilometer_auth }}" endpoint_type: "{{ openstack_interface }}" + cacert: "{{ openstack_cacert }}" when: enable_swift | bool run_once: True diff --git a/ansible/roles/ceph/tasks/start_rgw_keystone.yml b/ansible/roles/ceph/tasks/start_rgw_keystone.yml index a510a30764..4027d341ea 100644 --- a/ansible/roles/ceph/tasks/start_rgw_keystone.yml +++ b/ansible/roles/ceph/tasks/start_rgw_keystone.yml @@ -13,6 +13,7 @@ region_name: "{{ openstack_region_name }}" auth: "{{ openstack_ceph_rgw_auth }}" endpoint_type: "{{ openstack_interface }}" + cacert: "{{ openstack_cacert }}" run_once: True with_items: - {'interface': 'admin', 'url': '{{ swift_admin_endpoint }}'} @@ -31,6 +32,7 @@ region_name: "{{ openstack_region_name }}" auth: "{{ openstack_ceph_rgw_auth }}" endpoint_type: "{{ openstack_interface }}" + cacert: "{{ openstack_cacert }}" run_once: True - name: Creating the ResellerAdmin role @@ -42,4 +44,5 @@ region_name: "{{ openstack_region_name }}" auth: "{{ openstack_ceph_rgw_auth }}" endpoint_type: "{{ openstack_interface }}" + cacert: "{{ openstack_cacert }}" run_once: True diff --git a/ansible/roles/cinder/tasks/check.yml b/ansible/roles/cinder/tasks/check.yml index fb58e02470..635acac119 100644 --- a/ansible/roles/cinder/tasks/check.yml +++ b/ansible/roles/cinder/tasks/check.yml @@ -9,6 +9,7 @@ size: 1 display_name: kolla_test_volume endpoint_type: "{{ openstack_interface }}" + cacert: "{{ openstack_cacert }}" run_once: True delegate_to: "{{ groups['cinder-api'][0] }}" when: kolla_enable_sanity_cinder | bool @@ -22,6 +23,7 @@ state: absent display_name: kolla_test_volume endpoint_type: "{{ openstack_interface }}" + cacert: "{{ openstack_cacert }}" run_once: True delegate_to: "{{ groups['cinder-api'][0] }}" when: kolla_enable_sanity_cinder | bool diff --git a/ansible/roles/cinder/tasks/register.yml b/ansible/roles/cinder/tasks/register.yml index f013f89408..579b28b925 100644 --- a/ansible/roles/cinder/tasks/register.yml +++ b/ansible/roles/cinder/tasks/register.yml @@ -13,6 +13,7 @@ region_name: "{{ openstack_region_name }}" auth: "{{ openstack_cinder_auth }}" endpoint_type: "{{ openstack_interface }}" + cacert: "{{ openstack_cacert }}" run_once: True with_items: - {'interface': 'admin', 'url': '{{ cinder_v2_admin_endpoint }}', 'service_name': 'cinderv2', 'service_type': 'volumev2'} @@ -34,4 +35,5 @@ region_name: "{{ openstack_region_name }}" auth: "{{ openstack_cinder_auth }}" endpoint_type: "{{ openstack_interface }}" + cacert: "{{ openstack_cacert }}" run_once: True diff --git a/ansible/roles/cloudkitty/tasks/register.yml b/ansible/roles/cloudkitty/tasks/register.yml index 7f7cd9e69c..7e487e68d6 100644 --- a/ansible/roles/cloudkitty/tasks/register.yml +++ b/ansible/roles/cloudkitty/tasks/register.yml @@ -13,6 +13,7 @@ region_name: "{{ openstack_region_name }}" auth: "{{ openstack_cloudkitty_auth }}" endpoint_type: "{{ openstack_interface }}" + cacert: "{{ openstack_cacert }}" run_once: True with_items: - {'interface': 'admin', 'url': '{{ cloudkitty_admin_endpoint }}'} @@ -31,6 +32,7 @@ region_name: "{{ openstack_region_name }}" auth: "{{ openstack_cloudkitty_auth }}" endpoint_type: "{{ openstack_interface }}" + cacert: "{{ openstack_cacert }}" run_once: True - name: Creating the rating role @@ -41,4 +43,5 @@ name: "{{ cloudkitty_openstack_keystone_default_role }}" auth: "{{ openstack_cloudkitty_auth }}" endpoint_type: "{{ openstack_interface }}" + cacert: "{{ openstack_cacert }}" run_once: True diff --git a/ansible/roles/congress/tasks/register.yml b/ansible/roles/congress/tasks/register.yml index bbbd39cac2..8602471976 100644 --- a/ansible/roles/congress/tasks/register.yml +++ b/ansible/roles/congress/tasks/register.yml @@ -13,6 +13,7 @@ region_name: "{{ openstack_region_name }}" auth: "{{ openstack_congress_auth }}" endpoint_type: "{{ openstack_interface }}" + cacert: "{{ openstack_cacert }}" run_once: True with_items: - {'interface': 'admin', 'url': '{{ congress_admin_endpoint }}'} @@ -31,4 +32,5 @@ region_name: "{{ openstack_region_name }}" auth: "{{ openstack_congress_auth }}" endpoint_type: "{{ openstack_interface }}" + cacert: "{{ openstack_cacert }}" run_once: True diff --git a/ansible/roles/cyborg/tasks/register.yml b/ansible/roles/cyborg/tasks/register.yml index decd02d617..88280ea156 100644 --- a/ansible/roles/cyborg/tasks/register.yml +++ b/ansible/roles/cyborg/tasks/register.yml @@ -13,6 +13,7 @@ region_name: "{{ openstack_region_name }}" auth: "{{ openstack_cyborg_auth }}" endpoint_type: "{{ openstack_interface }}" + cacert: "{{ openstack_cacert }}" run_once: True with_items: - {'interface': 'admin', 'url': '{{ cyborg_admin_endpoint }}'} @@ -31,4 +32,5 @@ region_name: "{{ openstack_region_name }}" auth: "{{ openstack_cyborg_auth }}" endpoint_type: "{{ openstack_interface }}" + cacert: "{{ openstack_cacert }}" run_once: True diff --git a/ansible/roles/designate/tasks/register.yml b/ansible/roles/designate/tasks/register.yml index 354f3503b0..40f2ce4a4a 100644 --- a/ansible/roles/designate/tasks/register.yml +++ b/ansible/roles/designate/tasks/register.yml @@ -13,6 +13,7 @@ region_name: "{{ openstack_region_name }}" auth: "{{ openstack_designate_auth }}" endpoint_type: "{{ openstack_interface }}" + cacert: "{{ openstack_cacert }}" run_once: True with_items: - {'interface': 'admin', 'url': '{{ designate_admin_endpoint }}'} @@ -31,4 +32,5 @@ region_name: "{{ openstack_region_name }}" auth: "{{ openstack_designate_auth }}" endpoint_type: "{{ openstack_interface }}" + cacert: "{{ openstack_cacert }}" run_once: True diff --git a/ansible/roles/freezer/tasks/register.yml b/ansible/roles/freezer/tasks/register.yml index 5dfa960114..c0048f126d 100644 --- a/ansible/roles/freezer/tasks/register.yml +++ b/ansible/roles/freezer/tasks/register.yml @@ -13,6 +13,7 @@ region_name: "{{ openstack_region_name }}" auth: "{{ openstack_freezer_auth }}" endpoint_type: "{{ openstack_interface }}" + cacert: "{{ openstack_cacert }}" run_once: True with_items: - {'interface': 'admin', 'url': '{{ freezer_admin_endpoint }}'} @@ -31,4 +32,5 @@ region_name: "{{ openstack_region_name }}" auth: "{{ openstack_freezer_auth }}" endpoint_type: "{{ openstack_interface }}" + cacert: "{{ openstack_cacert }}" run_once: True diff --git a/ansible/roles/glance/tasks/check.yml b/ansible/roles/glance/tasks/check.yml index 466681bf16..77d09d5e9a 100644 --- a/ansible/roles/glance/tasks/check.yml +++ b/ansible/roles/glance/tasks/check.yml @@ -8,6 +8,7 @@ name: "glance_sanity_check" filename: "/etc/hostname" endpoint_type: "{{ openstack_interface }}" + cacert: "{{ openstack_cacert }}" delegate_to: "{{ groups['glance-api'][0] }}" run_once: True register: img_create @@ -25,6 +26,7 @@ name: "glance_sanity_check" state: absent endpoint_type: "{{ openstack_interface }}" + cacert: "{{ openstack_cacert }}" delegate_to: "{{ groups['glance-api'][0] }}" run_once: True when: kolla_enable_sanity_glance | bool diff --git a/ansible/roles/glance/tasks/register.yml b/ansible/roles/glance/tasks/register.yml index a94c34f8ff..43d922fff1 100644 --- a/ansible/roles/glance/tasks/register.yml +++ b/ansible/roles/glance/tasks/register.yml @@ -13,6 +13,7 @@ region_name: "{{ openstack_region_name }}" auth: "{{ openstack_glance_auth }}" endpoint_type: "{{ openstack_interface }}" + cacert: "{{ openstack_cacert }}" run_once: True with_items: - {'interface': 'admin', 'url': '{{ glance_admin_endpoint }}'} @@ -31,4 +32,5 @@ region_name: "{{ openstack_region_name }}" auth: "{{ openstack_glance_auth }}" endpoint_type: "{{ openstack_interface }}" + cacert: "{{ openstack_cacert }}" run_once: True diff --git a/ansible/roles/gnocchi/tasks/register.yml b/ansible/roles/gnocchi/tasks/register.yml index 785267f803..417a13dc2d 100644 --- a/ansible/roles/gnocchi/tasks/register.yml +++ b/ansible/roles/gnocchi/tasks/register.yml @@ -13,6 +13,7 @@ region_name: "{{ openstack_region_name }}" auth: "{{ openstack_gnocchi_auth }}" endpoint_type: "{{ openstack_interface }}" + cacert: "{{ openstack_cacert }}" run_once: True with_items: - {'interface': 'admin', 'url': '{{ gnocchi_admin_endpoint }}'} @@ -31,4 +32,5 @@ region_name: "{{ openstack_region_name }}" auth: "{{ openstack_gnocchi_auth }}" endpoint_type: "{{ openstack_interface }}" + cacert: "{{ openstack_cacert }}" run_once: True diff --git a/ansible/roles/heat/tasks/register.yml b/ansible/roles/heat/tasks/register.yml index b93f64e9bb..1441b36ede 100644 --- a/ansible/roles/heat/tasks/register.yml +++ b/ansible/roles/heat/tasks/register.yml @@ -13,6 +13,7 @@ region_name: "{{ openstack_region_name }}" auth: "{{ openstack_heat_auth }}" endpoint_type: "{{ openstack_interface }}" + cacert: "{{ openstack_cacert }}" run_once: True with_items: - {'interface': 'admin', 'url': '{{ heat_admin_endpoint }}', 'service_name': 'heat', 'service_type': 'orchestration', 'description': 'Orchestration'} @@ -34,6 +35,7 @@ region_name: "{{ openstack_region_name }}" auth: "{{ openstack_heat_auth }}" endpoint_type: "{{ openstack_interface }}" + cacert: "{{ openstack_cacert }}" run_once: True - name: Creating the heat_stack_user role @@ -44,6 +46,7 @@ name: "{{ heat_stack_user_role }}" auth: "{{ openstack_heat_auth }}" endpoint_type: "{{ openstack_interface }}" + cacert: "{{ openstack_cacert }}" run_once: True - name: Creating the heat_stack_owner role @@ -54,6 +57,7 @@ name: "{{ heat_stack_owner_role }}" auth: "{{ openstack_heat_auth }}" endpoint_type: "{{ openstack_interface }}" + cacert: "{{ openstack_cacert }}" run_once: True - name: Add the heat_stack_owner role to the admin project @@ -67,4 +71,5 @@ region_name: "{{ openstack_region_name }}" auth: "{{ openstack_heat_auth }}" endpoint_type: "{{ openstack_interface }}" + cacert: "{{ openstack_cacert }}" run_once: True diff --git a/ansible/roles/horizon/templates/local_settings.j2 b/ansible/roles/horizon/templates/local_settings.j2 index eab5185234..f7ab0c8016 100644 --- a/ansible/roles/horizon/templates/local_settings.j2 +++ b/ansible/roles/horizon/templates/local_settings.j2 @@ -247,7 +247,11 @@ OPENSTACK_KEYSTONE_DEFAULT_ROLE = "{{ keystone_default_user_role }}" #OPENSTACK_SSL_NO_VERIFY = True # The CA certificate to use to verify SSL connections +{% if openstack_cacert == "" %} #OPENSTACK_SSL_CACERT = '/path/to/cacert.pem' +{% else %} +OPENSTACK_SSL_CACERT = '{{ openstack_cacert }}' +{% endif %} # The OPENSTACK_KEYSTONE_BACKEND settings can be used to identify the # capabilities of the auth backend for Keystone. diff --git a/ansible/roles/ironic/tasks/register.yml b/ansible/roles/ironic/tasks/register.yml index 07a141d57f..9183f8570d 100644 --- a/ansible/roles/ironic/tasks/register.yml +++ b/ansible/roles/ironic/tasks/register.yml @@ -13,6 +13,7 @@ region_name: "{{ openstack_region_name }}" auth: "{{ openstack_ironic_auth }}" endpoint_type: "{{ openstack_interface }}" + cacert: "{{ openstack_cacert }}" run_once: True when: inventory_hostname in groups['ironic-api'] with_items: @@ -32,6 +33,7 @@ region_name: "{{ openstack_region_name }}" auth: "{{ openstack_ironic_auth }}" endpoint_type: "{{ openstack_interface }}" + cacert: "{{ openstack_cacert }}" run_once: True when: inventory_hostname in groups['ironic-api'] @@ -49,6 +51,7 @@ region_name: "{{ openstack_region_name }}" auth: "{{ openstack_ironic_inspector_auth }}" endpoint_type: "{{ openstack_interface }}" + cacert: "{{ openstack_cacert }}" run_once: True when: inventory_hostname in groups['ironic-inspector'] with_items: @@ -68,5 +71,6 @@ region_name: "{{ openstack_region_name }}" auth: "{{ openstack_ironic_inspector_auth }}" endpoint_type: "{{ openstack_interface }}" + cacert: "{{ openstack_cacert }}" run_once: True when: inventory_hostname in groups['ironic-inspector'] diff --git a/ansible/roles/karbor/tasks/register.yml b/ansible/roles/karbor/tasks/register.yml index e1c33f70d5..d62cc2eb0d 100644 --- a/ansible/roles/karbor/tasks/register.yml +++ b/ansible/roles/karbor/tasks/register.yml @@ -13,6 +13,7 @@ region_name: "{{ openstack_region_name }}" auth: "{{ openstack_karbor_auth }}" endpoint_type: "{{ openstack_interface }}" + cacert: "{{ openstack_cacert }}" run_once: True with_items: - {'interface': 'admin', 'url': '{{ karbor_admin_endpoint }}'} @@ -31,4 +32,5 @@ region_name: "{{ openstack_region_name }}" auth: "{{ openstack_karbor_auth }}" endpoint_type: "{{ openstack_interface }}" + cacert: "{{ openstack_cacert }}" run_once: True diff --git a/ansible/roles/keystone/tasks/check.yml b/ansible/roles/keystone/tasks/check.yml index 58e9b42394..5a62096ce9 100644 --- a/ansible/roles/keystone/tasks/check.yml +++ b/ansible/roles/keystone/tasks/check.yml @@ -6,6 +6,7 @@ module_args: auth: "{{ openstack_keystone_auth }}" endpoint_type: "{{ openstack_interface }}" + cacert: "{{ openstack_cacert }}" run_once: True delegate_to: "{{ groups['keystone'][0] }}" when: kolla_enable_sanity_keystone | bool diff --git a/ansible/roles/keystone/tasks/register.yml b/ansible/roles/keystone/tasks/register.yml index 9915a84cfd..457e89ddfe 100644 --- a/ansible/roles/keystone/tasks/register.yml +++ b/ansible/roles/keystone/tasks/register.yml @@ -24,6 +24,7 @@ region_name: "{{ openstack_region_name }}" auth: "{{ openstack_keystone_auth }}" endpoint_type: "{{ openstack_interface }}" + cacert: "{{ openstack_cacert }}" run_once: True with_items: - { interface: admin, url: "{{ keystone_admin_url }}" } @@ -38,4 +39,5 @@ name: "{{ keystone_default_user_role }}" auth: "{{ openstack_keystone_auth }}" endpoint_type: "{{ openstack_interface }}" + cacert: "{{ openstack_cacert }}" run_once: True diff --git a/ansible/roles/kuryr/tasks/register.yml b/ansible/roles/kuryr/tasks/register.yml index 8f4baefdcc..28b24b2e6e 100644 --- a/ansible/roles/kuryr/tasks/register.yml +++ b/ansible/roles/kuryr/tasks/register.yml @@ -11,4 +11,5 @@ region_name: "{{ openstack_region_name }}" auth: "{{ openstack_kuryr_auth }}" endpoint_type: "{{ openstack_interface }}" + cacert: "{{ openstack_cacert }}" run_once: True diff --git a/ansible/roles/magnum/tasks/register.yml b/ansible/roles/magnum/tasks/register.yml index b0fdd5741b..40e1a01d5d 100644 --- a/ansible/roles/magnum/tasks/register.yml +++ b/ansible/roles/magnum/tasks/register.yml @@ -13,6 +13,7 @@ region_name: "{{ openstack_region_name }}" auth: "{{ openstack_magnum_auth }}" endpoint_type: "{{ openstack_interface }}" + cacert: "{{ openstack_cacert }}" run_once: True with_items: - {'interface': 'admin', 'url': '{{ magnum_admin_endpoint }}'} @@ -31,6 +32,7 @@ region_name: "{{ openstack_region_name }}" auth: "{{ openstack_magnum_auth }}" endpoint_type: "{{ openstack_interface }}" + cacert: "{{ openstack_cacert }}" run_once: True - name: Creating Magnum trustee domain @@ -42,6 +44,7 @@ description: "Owns users and projects created by magnum" auth: "{{ openstack_magnum_auth }}" endpoint_type: "{{ openstack_interface }}" + cacert: "{{ openstack_cacert }}" register: trustee_domain run_once: True @@ -55,6 +58,7 @@ password: "{{ magnum_keystone_password }}" auth: "{{ openstack_magnum_auth }}" endpoint_type: "{{ openstack_interface }}" + cacert: "{{ openstack_cacert }}" run_once: True - name: Creating Magnum trustee user role @@ -67,4 +71,5 @@ role: "admin" auth: "{{ openstack_magnum_auth }}" endpoint_type: "{{ openstack_interface }}" + cacert: "{{ openstack_cacert }}" run_once: True diff --git a/ansible/roles/manila/tasks/register.yml b/ansible/roles/manila/tasks/register.yml index 46850d17a7..944bb52f50 100644 --- a/ansible/roles/manila/tasks/register.yml +++ b/ansible/roles/manila/tasks/register.yml @@ -13,6 +13,7 @@ region_name: "{{ openstack_region_name }}" auth: "{{ openstack_manila_auth }}" endpoint_type: "{{ openstack_interface }}" + cacert: "{{ openstack_cacert }}" run_once: True with_items: - {'interface': 'admin', 'url': '{{ manila_admin_endpoint }}', 'service_name': 'manila', 'service_type': 'share'} @@ -34,4 +35,5 @@ region_name: "{{ openstack_region_name }}" auth: "{{ openstack_manila_auth }}" endpoint_type: "{{ openstack_interface }}" + cacert: "{{ openstack_cacert }}" run_once: True diff --git a/ansible/roles/masakari/tasks/register.yml b/ansible/roles/masakari/tasks/register.yml index 71ad23d7b3..b74150ab5c 100644 --- a/ansible/roles/masakari/tasks/register.yml +++ b/ansible/roles/masakari/tasks/register.yml @@ -13,6 +13,7 @@ region_name: "{{ openstack_region_name }}" auth: "{{ openstack_masakari_auth }}" endpoint_type: "{{ openstack_interface }}" + cacert: "{{ openstack_cacert }}" run_once: True with_items: - {'interface': 'admin', 'url': '{{ masakari_admin_endpoint }}'} @@ -31,4 +32,5 @@ region_name: "{{ openstack_region_name }}" auth: "{{ openstack_masakari_auth }}" endpoint_type: "{{ openstack_interface }}" + cacert: "{{ openstack_cacert }}" run_once: True diff --git a/ansible/roles/mistral/tasks/register.yml b/ansible/roles/mistral/tasks/register.yml index d057721b4c..8f3217dbc1 100644 --- a/ansible/roles/mistral/tasks/register.yml +++ b/ansible/roles/mistral/tasks/register.yml @@ -13,6 +13,7 @@ region_name: "{{ openstack_region_name }}" auth: "{{ openstack_mistral_auth }}" endpoint_type: "{{ openstack_interface }}" + cacert: "{{ openstack_cacert }}" run_once: True with_items: - {'interface': 'admin', 'url': '{{ mistral_admin_endpoint }}'} @@ -31,4 +32,5 @@ region_name: "{{ openstack_region_name }}" auth: "{{ openstack_mistral_auth }}" endpoint_type: "{{ openstack_interface }}" + cacert: "{{ openstack_cacert }}" run_once: True diff --git a/ansible/roles/monasca/tasks/register.yml b/ansible/roles/monasca/tasks/register.yml index 6f609cff32..f6db499ddd 100644 --- a/ansible/roles/monasca/tasks/register.yml +++ b/ansible/roles/monasca/tasks/register.yml @@ -13,6 +13,7 @@ region_name: "{{ openstack_region_name }}" auth: "{{ monasca_openstack_auth }}" endpoint_type: "{{ openstack_interface }}" + cacert: "{{ openstack_cacert }}" run_once: True with_items: - {'interface': 'admin', 'url': '{{ monasca_api_admin_endpoint }}'} @@ -33,6 +34,7 @@ region_name: "{{ openstack_region_name }}" auth: "{{ monasca_openstack_auth }}" endpoint_type: "{{ openstack_interface }}" + cacert: "{{ openstack_cacert }}" run_once: True with_items: - {'interface': 'admin', 'url': '{{ monasca_log_api_admin_endpoint }}'} @@ -51,6 +53,7 @@ region_name: "{{ openstack_region_name }}" auth: "{{ monasca_openstack_auth }}" endpoint_type: "{{ openstack_interface }}" + cacert: "{{ openstack_cacert }}" run_once: True - name: Creating monasca roles @@ -62,6 +65,7 @@ region_name: "{{ openstack_region_name }}" auth: "{{ monasca_openstack_auth }}" endpoint_type: "{{ openstack_interface }}" + cacert: "{{ openstack_cacert }}" run_once: True with_items: - "{{ monasca_default_authorized_roles }}" @@ -81,4 +85,5 @@ region_name: "{{ openstack_region_name }}" auth: "{{ monasca_openstack_auth }}" endpoint_type: "{{ openstack_interface }}" + cacert: "{{ openstack_cacert }}" run_once: True diff --git a/ansible/roles/murano/tasks/register.yml b/ansible/roles/murano/tasks/register.yml index 5945c1a42c..2068a1843c 100644 --- a/ansible/roles/murano/tasks/register.yml +++ b/ansible/roles/murano/tasks/register.yml @@ -13,6 +13,7 @@ region_name: "{{ openstack_region_name }}" auth: "{{ openstack_murano_auth }}" endpoint_type: "{{ openstack_interface }}" + cacert: "{{ openstack_cacert }}" run_once: True with_items: - {'interface': 'admin', 'url': '{{ murano_admin_endpoint }}'} @@ -31,4 +32,5 @@ region_name: "{{ openstack_region_name }}" auth: "{{ openstack_murano_auth }}" endpoint_type: "{{ openstack_interface }}" + cacert: "{{ openstack_cacert }}" run_once: True diff --git a/ansible/roles/neutron/tasks/register.yml b/ansible/roles/neutron/tasks/register.yml index 7938774fb2..dc575d9ba5 100644 --- a/ansible/roles/neutron/tasks/register.yml +++ b/ansible/roles/neutron/tasks/register.yml @@ -13,6 +13,7 @@ region_name: "{{ openstack_region_name }}" auth: "{{ openstack_neutron_auth }}" endpoint_type: "{{ openstack_interface }}" + cacert: "{{ openstack_cacert }}" run_once: True with_items: - {'interface': 'admin', 'url': '{{ neutron_admin_endpoint }}'} @@ -31,4 +32,5 @@ region_name: "{{ openstack_region_name }}" auth: "{{ openstack_neutron_auth }}" endpoint_type: "{{ openstack_interface }}" + cacert: "{{ openstack_cacert }}" run_once: True diff --git a/ansible/roles/nova/tasks/discover_computes.yml b/ansible/roles/nova/tasks/discover_computes.yml index 9dd8dded5a..860364ef45 100644 --- a/ansible/roles/nova/tasks/discover_computes.yml +++ b/ansible/roles/nova/tasks/discover_computes.yml @@ -40,6 +40,7 @@ --os-password {{ keystone_admin_password }} --os-user-domain-name {{ openstack_auth.domain_name }} --os-region-name {{ openstack_region_name }} + {% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }}{% endif %} compute service list --format json --column Host --service nova-compute register: nova_compute_services changed_when: false diff --git a/ansible/roles/nova/tasks/register.yml b/ansible/roles/nova/tasks/register.yml index 4c540f8f97..b80ff579d8 100644 --- a/ansible/roles/nova/tasks/register.yml +++ b/ansible/roles/nova/tasks/register.yml @@ -13,6 +13,7 @@ region_name: "{{ openstack_region_name }}" auth: "{{ openstack_nova_auth }}" endpoint_type: "{{ openstack_interface }}" + cacert: "{{ openstack_cacert }}" run_once: True with_items: - {'name': 'nova_legacy', 'service_type': 'compute_legacy', 'interface': 'admin', 'url': '{{ nova_legacy_admin_endpoint }}', 'description': 'OpenStack Compute Service (Legacy 2.0)'} @@ -34,4 +35,5 @@ region_name: "{{ openstack_region_name }}" auth: "{{ openstack_nova_auth }}" endpoint_type: "{{ openstack_interface }}" + cacert: "{{ openstack_cacert }}" run_once: True diff --git a/ansible/roles/octavia/tasks/register.yml b/ansible/roles/octavia/tasks/register.yml index c89cf0c1ff..cefead8ca5 100644 --- a/ansible/roles/octavia/tasks/register.yml +++ b/ansible/roles/octavia/tasks/register.yml @@ -13,6 +13,7 @@ region_name: "{{ openstack_region_name }}" auth: "{{ openstack_octavia_auth }}" endpoint_type: "{{ openstack_interface }}" + cacert: "{{ openstack_cacert }}" run_once: True with_items: - {'interface': 'admin', 'url': '{{ octavia_admin_endpoint }}'} @@ -31,6 +32,7 @@ region_name: "{{ openstack_region_name }}" auth: "{{ openstack_octavia_auth }}" endpoint_type: "{{ openstack_interface }}" + cacert: "{{ openstack_cacert }}" run_once: True - name: Adding octavia user into admin project @@ -43,6 +45,7 @@ project: admin auth: "{{ openstack_octavia_auth }}" endpoint_type: "{{ openstack_interface }}" + cacert: "{{ openstack_cacert }}" run_once: True - name: Adding octavia related roles @@ -53,5 +56,6 @@ name: "{{ item }}" auth: "{{ openstack_octavia_auth }}" endpoint_type: "{{ openstack_interface }}" + cacert: "{{ openstack_cacert }}" run_once: True with_items: "{{ octavia_required_roles }}" diff --git a/ansible/roles/panko/tasks/register.yml b/ansible/roles/panko/tasks/register.yml index 579da88f44..115bbee835 100644 --- a/ansible/roles/panko/tasks/register.yml +++ b/ansible/roles/panko/tasks/register.yml @@ -13,6 +13,7 @@ region_name: "{{ openstack_region_name }}" auth: "{{ openstack_panko_auth }}" endpoint_type: "{{ openstack_interface }}" + cacert: "{{ openstack_cacert }}" run_once: True with_items: - {'interface': 'admin', 'url': '{{ panko_admin_endpoint }}'} @@ -31,4 +32,5 @@ region_name: "{{ openstack_region_name }}" auth: "{{ openstack_panko_auth }}" endpoint_type: "{{ openstack_interface }}" + cacert: "{{ openstack_cacert }}" run_once: True diff --git a/ansible/roles/placement/tasks/register.yml b/ansible/roles/placement/tasks/register.yml index 3ccd87c404..ab0678511c 100644 --- a/ansible/roles/placement/tasks/register.yml +++ b/ansible/roles/placement/tasks/register.yml @@ -13,6 +13,7 @@ region_name: "{{ openstack_region_name }}" auth: "{{ openstack_placement_auth }}" endpoint_type: "{{ openstack_interface }}" + cacert: "{{ openstack_cacert }}" run_once: True with_items: - {'name': 'placement', 'service_type': 'placement', 'interface': 'admin', 'url': '{{ placement_admin_endpoint }}', 'description': 'Placement Service'} @@ -31,4 +32,5 @@ region_name: "{{ openstack_region_name }}" auth: "{{ openstack_placement_auth }}" endpoint_type: "{{ openstack_interface }}" + cacert: "{{ openstack_cacert }}" run_once: True diff --git a/ansible/roles/qinling/tasks/register.yml b/ansible/roles/qinling/tasks/register.yml index f1a8914ab2..fc2ca0428a 100644 --- a/ansible/roles/qinling/tasks/register.yml +++ b/ansible/roles/qinling/tasks/register.yml @@ -13,6 +13,7 @@ region_name: "{{ openstack_region_name }}" auth: "{{ openstack_qinling_auth }}" endpoint_type: "{{ openstack_interface }}" + cacert: "{{ openstack_cacert }}" run_once: True with_items: - {'interface': 'admin', 'url': '{{ qinling_admin_endpoint }}'} @@ -31,4 +32,5 @@ region_name: "{{ openstack_region_name }}" auth: "{{ openstack_qinling_auth }}" endpoint_type: "{{ openstack_interface }}" + cacert: "{{ openstack_cacert }}" run_once: True diff --git a/ansible/roles/sahara/tasks/register.yml b/ansible/roles/sahara/tasks/register.yml index 2bf18582c9..c4624d9f4f 100644 --- a/ansible/roles/sahara/tasks/register.yml +++ b/ansible/roles/sahara/tasks/register.yml @@ -13,6 +13,7 @@ region_name: "{{ openstack_region_name }}" auth: "{{ openstack_sahara_auth }}" endpoint_type: "{{ openstack_interface }}" + cacert: "{{ openstack_cacert }}" run_once: True with_items: - {'interface': 'admin', 'url': '{{ sahara_admin_endpoint }}'} @@ -31,4 +32,5 @@ region_name: "{{ openstack_region_name }}" auth: "{{ openstack_sahara_auth }}" endpoint_type: "{{ openstack_interface }}" + cacert: "{{ openstack_cacert }}" run_once: True diff --git a/ansible/roles/searchlight/tasks/register.yml b/ansible/roles/searchlight/tasks/register.yml index 4902aa11e1..d227ebe138 100644 --- a/ansible/roles/searchlight/tasks/register.yml +++ b/ansible/roles/searchlight/tasks/register.yml @@ -13,6 +13,7 @@ region_name: "{{ openstack_region_name }}" auth: "{{ openstack_searchlight_auth }}" endpoint_type: "{{ openstack_interface }}" + cacert: "{{ openstack_cacert }}" run_once: True with_items: - {'interface': 'admin', 'url': '{{ searchlight_admin_endpoint }}'} @@ -31,4 +32,5 @@ region_name: "{{ openstack_region_name }}" auth: "{{ openstack_searchlight_auth }}" endpoint_type: "{{ openstack_interface }}" + cacert: "{{ openstack_cacert }}" run_once: True diff --git a/ansible/roles/senlin/tasks/register.yml b/ansible/roles/senlin/tasks/register.yml index 0a4be59240..8b22b84011 100644 --- a/ansible/roles/senlin/tasks/register.yml +++ b/ansible/roles/senlin/tasks/register.yml @@ -13,6 +13,7 @@ region_name: "{{ openstack_region_name }}" auth: "{{ openstack_senlin_auth }}" endpoint_type: "{{ openstack_interface }}" + cacert: "{{ openstack_cacert }}" run_once: True with_items: - {'interface': 'admin', 'url': '{{ senlin_admin_endpoint }}'} @@ -31,4 +32,5 @@ region_name: "{{ openstack_region_name }}" auth: "{{ openstack_senlin_auth }}" endpoint_type: "{{ openstack_interface }}" + cacert: "{{ openstack_cacert }}" run_once: True diff --git a/ansible/roles/solum/tasks/register.yml b/ansible/roles/solum/tasks/register.yml index f31415739e..9ed1bb5039 100644 --- a/ansible/roles/solum/tasks/register.yml +++ b/ansible/roles/solum/tasks/register.yml @@ -13,6 +13,7 @@ region_name: "{{ openstack_region_name }}" auth: "{{ openstack_solum_auth }}" endpoint_type: "{{ openstack_interface }}" + cacert: "{{ openstack_cacert }}" run_once: True with_items: - {'interface': 'admin', 'url': '{{ solum_image_builder_admin_endpoint }}'} @@ -33,6 +34,7 @@ region_name: "{{ openstack_region_name }}" auth: "{{ openstack_solum_auth }}" endpoint_type: "{{ openstack_interface }}" + cacert: "{{ openstack_cacert }}" run_once: True with_items: - {'interface': 'admin', 'url': '{{ solum_application_deployment_admin_endpoint }}'} @@ -51,4 +53,5 @@ region_name: "{{ openstack_region_name }}" auth: "{{ openstack_solum_auth }}" endpoint_type: "{{ openstack_interface }}" + cacert: "{{ openstack_cacert }}" run_once: True diff --git a/ansible/roles/swift/tasks/check.yml b/ansible/roles/swift/tasks/check.yml index ac26b20abc..9259f2dbf1 100644 --- a/ansible/roles/swift/tasks/check.yml +++ b/ansible/roles/swift/tasks/check.yml @@ -9,7 +9,8 @@ password={{ swift_keystone_password }} role=admin region_name={{ openstack_region_name }} - auth={{ '{{ openstack_swift_auth }}' }}" + auth={{ '{{ openstack_swift_auth }}' }} + {% if openstack_cacert != '' %}cacert={{ openstack_cacert }}{% endif %}" -e "{'openstack_swift_auth':{{ openstack_swift_auth }}}" register: swift_sanity changed_when: swift_sanity.stdout.find('localhost | SUCCESS => ') != -1 and (swift_sanity.stdout.split('localhost | SUCCESS => ')[1]|from_json).changed diff --git a/ansible/roles/swift/tasks/register.yml b/ansible/roles/swift/tasks/register.yml index 04f7d958c9..b6c709cb53 100644 --- a/ansible/roles/swift/tasks/register.yml +++ b/ansible/roles/swift/tasks/register.yml @@ -13,6 +13,7 @@ region_name: "{{ openstack_region_name }}" auth: "{{ openstack_swift_auth }}" endpoint_type: "{{ openstack_interface }}" + cacert: "{{ openstack_cacert }}" run_once: True with_items: - {'interface': 'admin', 'url': '{{ swift_admin_endpoint }}'} @@ -31,6 +32,7 @@ region_name: "{{ openstack_region_name }}" auth: "{{ openstack_swift_auth }}" endpoint_type: "{{ openstack_interface }}" + cacert: "{{ openstack_cacert }}" run_once: True - name: Creating the ResellerAdmin role @@ -42,4 +44,5 @@ region_name: "{{ openstack_region_name }}" auth: "{{ openstack_swift_auth }}" endpoint_type: "{{ openstack_interface }}" + cacert: "{{ openstack_cacert }}" run_once: True diff --git a/ansible/roles/tacker/tasks/register.yml b/ansible/roles/tacker/tasks/register.yml index 0bb38a7792..f8336d11bb 100644 --- a/ansible/roles/tacker/tasks/register.yml +++ b/ansible/roles/tacker/tasks/register.yml @@ -13,6 +13,7 @@ region_name: "{{ openstack_region_name }}" auth: "{{ openstack_tacker_auth }}" endpoint_type: "{{ openstack_interface }}" + cacert: "{{ openstack_cacert }}" run_once: True with_items: - {'interface': 'admin', 'url': '{{ tacker_admin_endpoint }}'} @@ -31,4 +32,5 @@ region_name: "{{ openstack_region_name }}" auth: "{{ openstack_tacker_auth }}" endpoint_type: "{{ openstack_interface }}" + cacert: "{{ openstack_cacert }}" run_once: True diff --git a/ansible/roles/trove/tasks/register.yml b/ansible/roles/trove/tasks/register.yml index c24d42db9b..996e0c7529 100644 --- a/ansible/roles/trove/tasks/register.yml +++ b/ansible/roles/trove/tasks/register.yml @@ -13,6 +13,7 @@ region_name: "{{ openstack_region_name }}" auth: "{{ openstack_trove_auth }}" endpoint_type: "{{ openstack_interface }}" + cacert: "{{ openstack_cacert }}" run_once: True with_items: - {'interface': 'admin', 'url': '{{ trove_admin_endpoint }}'} @@ -31,4 +32,5 @@ region_name: "{{ openstack_region_name }}" auth: "{{ openstack_trove_auth }}" endpoint_type: "{{ openstack_interface }}" + cacert: "{{ openstack_cacert }}" run_once: True diff --git a/ansible/roles/vitrage/tasks/register.yml b/ansible/roles/vitrage/tasks/register.yml index 0be3f1bdb5..53afab62ad 100644 --- a/ansible/roles/vitrage/tasks/register.yml +++ b/ansible/roles/vitrage/tasks/register.yml @@ -13,6 +13,7 @@ region_name: "{{ openstack_region_name }}" auth: "{{ openstack_vitrage_auth }}" endpoint_type: "{{ openstack_interface }}" + cacert: "{{ openstack_cacert }}" run_once: True with_items: - {'interface': 'admin', 'url': '{{ vitrage_admin_endpoint }}'} @@ -31,6 +32,7 @@ region_name: "{{ openstack_region_name }}" auth: "{{ openstack_vitrage_auth }}" endpoint_type: "{{ openstack_interface }}" + cacert: "{{ openstack_cacert }}" run_once: True - name: Adding vitrage user into admin project @@ -43,4 +45,5 @@ project: "admin" auth: "{{ openstack_vitrage_auth }}" endpoint_type: "{{ openstack_interface }}" + cacert: "{{ openstack_cacert }}" run_once: True diff --git a/ansible/roles/watcher/tasks/register.yml b/ansible/roles/watcher/tasks/register.yml index 70b4997004..619aab4514 100644 --- a/ansible/roles/watcher/tasks/register.yml +++ b/ansible/roles/watcher/tasks/register.yml @@ -13,6 +13,7 @@ region_name: "{{ openstack_region_name }}" auth: "{{ openstack_watcher_auth }}" endpoint_type: "{{ openstack_interface }}" + cacert: "{{ openstack_cacert }}" run_once: True with_items: - {'interface': 'admin', 'url': '{{ watcher_admin_endpoint }}'} @@ -31,4 +32,5 @@ region_name: "{{ openstack_region_name }}" auth: "{{ openstack_watcher_auth }}" endpoint_type: "{{ openstack_interface }}" + cacert: "{{ openstack_cacert }}" run_once: True diff --git a/ansible/roles/zun/tasks/register.yml b/ansible/roles/zun/tasks/register.yml index f6d5e8de39..c5d402b38f 100644 --- a/ansible/roles/zun/tasks/register.yml +++ b/ansible/roles/zun/tasks/register.yml @@ -13,6 +13,7 @@ region_name: "{{ openstack_region_name }}" auth: "{{ openstack_zun_auth }}" endpoint_type: "{{ openstack_interface }}" + cacert: "{{ openstack_cacert }}" run_once: True with_items: - {'interface': 'admin', 'url': '{{ zun_admin_endpoint }}'} @@ -31,4 +32,5 @@ region_name: "{{ openstack_region_name }}" auth: "{{ openstack_zun_auth }}" endpoint_type: "{{ openstack_interface }}" + cacert: "{{ openstack_cacert }}" run_once: True diff --git a/releasenotes/notes/trusted-cacert-3c7061e974b5187d.yaml b/releasenotes/notes/trusted-cacert-3c7061e974b5187d.yaml new file mode 100644 index 0000000000..d873f204d9 --- /dev/null +++ b/releasenotes/notes/trusted-cacert-3c7061e974b5187d.yaml @@ -0,0 +1,6 @@ +--- +features: + - | + Add support for configuration of trusted CA certificate file. + CA bundle file must be added to both the Horizon and Kolla Toolbox + containers for this to work correctly.