Support configuration of trusted CA certificate file

This commit adds the functionality for an operator to specify their own trusted CA certificate file for interacting with the Keystone API. Implements: blueprint support-trusted-ca-certificate-file Change-Id: I84f9897cc8e107658701fb309ec318c0f805883b
2019-08-15 13:50:17 +00:00 · 2019-08-15 13:50:17 +00:00 · 09e02ef8f1
commit 09e02ef8f1
parent de2f7be981
49 changed files with 121 additions and 1 deletions
--- a/ansible/group_vars/all.yml
+++ b/ansible/group_vars/all.yml
@ -493,6 +493,10 @@ nova_console: "novnc"
 # Valid options are [ public, internal, admin ]
 openstack_interface: "admin"

+# Openstack CA certificate bundle file
+# CA bundle file must be added to both the Horizon and Kolla Toolbox containers
+openstack_cacert: ""
+
 # Enable core OpenStack services. This includes:
 # glance, keystone, neutron, nova, heat, and horizon.
 enable_openstack_core: "yes"
--- a/ansible/roles/aodh/tasks/register.yml
+++ b/ansible/roles/aodh/tasks/register.yml
@ -13,6 +13,7 @@
      region_name: "{{ openstack_region_name }}"
      auth: "{{ openstack_aodh_auth }}"
      endpoint_type: "{{ openstack_interface }}"
+      cacert: "{{ openstack_cacert }}"
  run_once: True
  with_items:
    - {'interface': 'admin', 'url': '{{ aodh_admin_endpoint }}'}
@ -31,4 +32,5 @@
      region_name: "{{ openstack_region_name }}"
      auth: "{{ openstack_aodh_auth }}"
      endpoint_type: "{{ openstack_interface }}"
+      cacert: "{{ openstack_cacert }}"
  run_once: True
--- a/ansible/roles/barbican/tasks/register.yml
+++ b/ansible/roles/barbican/tasks/register.yml
@ -13,6 +13,7 @@
      region_name: "{{ openstack_region_name }}"
      auth: "{{ openstack_barbican_auth }}"
      endpoint_type: "{{ openstack_interface }}"
+      cacert: "{{ openstack_cacert }}"
  run_once: True
  with_items:
    - {'interface': 'admin', 'url': '{{ barbican_admin_endpoint }}'}
@ -31,6 +32,7 @@
      region_name: "{{ openstack_region_name }}"
      auth: "{{ openstack_barbican_auth }}"
      endpoint_type: "{{ openstack_interface }}"
+      cacert: "{{ openstack_cacert }}"
  run_once: True

 - name: Creating default barbican roles
@ -41,6 +43,7 @@
      name: "{{ item }}"
      auth: "{{ openstack_barbican_auth }}"
      endpoint_type: "{{ openstack_interface }}"
+      cacert: "{{ openstack_cacert }}"
  run_once: True
  with_items:
    - "{{ barbican_keymanager_role }}"
--- a/ansible/roles/blazar/tasks/bootstrap.yml
+++ b/ansible/roles/blazar/tasks/bootstrap.yml
@ -48,6 +48,7 @@
    --os-password {{ keystone_admin_password }}
    --os-user-domain-name default
    --os-region-name {{ openstack_region_name }}
+    {% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }}{% endif %}
    aggregate create {{ blazar_aggregate_pool_name }}
  register: blazar_host_aggregate
  changed_when: blazar_host_aggregate is success
--- a/ansible/roles/blazar/tasks/register.yml
+++ b/ansible/roles/blazar/tasks/register.yml
@ -13,6 +13,7 @@
      region_name: "{{ openstack_region_name }}"
      auth: "{{ openstack_blazar_auth }}"
      endpoint_type: "{{ openstack_interface }}"
+      cacert: "{{ openstack_cacert }}"
  run_once: True
  with_items:
    - {'interface': 'admin', 'url': '{{ blazar_admin_endpoint }}'}
@ -31,4 +32,5 @@
      region_name: "{{ openstack_region_name }}"
      auth: "{{ openstack_blazar_auth }}"
      endpoint_type: "{{ openstack_interface }}"
+      cacert: "{{ openstack_cacert }}"
  run_once: True
--- a/ansible/roles/ceilometer/tasks/register.yml
+++ b/ansible/roles/ceilometer/tasks/register.yml
@ -11,6 +11,7 @@
      region_name: "{{ openstack_region_name }}"
      auth: "{{ openstack_ceilometer_auth }}"
      endpoint_type: "{{ openstack_interface }}"
+      cacert: "{{ openstack_cacert }}"
  run_once: True

 - name: Associate the ResellerAdmin role and ceilometer user
@ -24,5 +25,6 @@
      region_name: "{{ openstack_region_name }}"
      auth: "{{ openstack_ceilometer_auth }}"
      endpoint_type: "{{ openstack_interface }}"
+      cacert: "{{ openstack_cacert }}"
  when: enable_swift | bool
  run_once: True
--- a/ansible/roles/ceph/tasks/start_rgw_keystone.yml
+++ b/ansible/roles/ceph/tasks/start_rgw_keystone.yml
@ -13,6 +13,7 @@
      region_name: "{{ openstack_region_name }}"
      auth: "{{ openstack_ceph_rgw_auth }}"
      endpoint_type: "{{ openstack_interface }}"
+      cacert: "{{ openstack_cacert }}"
  run_once: True
  with_items:
    - {'interface': 'admin', 'url': '{{ swift_admin_endpoint }}'}
@ -31,6 +32,7 @@
      region_name: "{{ openstack_region_name }}"
      auth: "{{ openstack_ceph_rgw_auth }}"
      endpoint_type: "{{ openstack_interface }}"
+      cacert: "{{ openstack_cacert }}"
  run_once: True

 - name: Creating the ResellerAdmin role
@ -42,4 +44,5 @@
      region_name: "{{ openstack_region_name }}"
      auth: "{{ openstack_ceph_rgw_auth }}"
      endpoint_type: "{{ openstack_interface }}"
+      cacert: "{{ openstack_cacert }}"
  run_once: True
--- a/ansible/roles/cinder/tasks/check.yml
+++ b/ansible/roles/cinder/tasks/check.yml
@ -9,6 +9,7 @@
      size: 1
      display_name: kolla_test_volume
      endpoint_type: "{{ openstack_interface }}"
+      cacert: "{{ openstack_cacert }}"
  run_once: True
  delegate_to: "{{ groups['cinder-api'][0] }}"
  when: kolla_enable_sanity_cinder | bool
@ -22,6 +23,7 @@
      state: absent
      display_name: kolla_test_volume
      endpoint_type: "{{ openstack_interface }}"
+      cacert: "{{ openstack_cacert }}"
  run_once: True
  delegate_to: "{{ groups['cinder-api'][0] }}"
  when: kolla_enable_sanity_cinder | bool
--- a/ansible/roles/cinder/tasks/register.yml
+++ b/ansible/roles/cinder/tasks/register.yml
@ -13,6 +13,7 @@
      region_name: "{{ openstack_region_name }}"
      auth: "{{ openstack_cinder_auth }}"
      endpoint_type: "{{ openstack_interface }}"
+      cacert: "{{ openstack_cacert }}"
  run_once: True
  with_items:
    - {'interface': 'admin', 'url': '{{ cinder_v2_admin_endpoint }}', 'service_name': 'cinderv2', 'service_type': 'volumev2'}
@ -34,4 +35,5 @@
      region_name: "{{ openstack_region_name }}"
      auth: "{{ openstack_cinder_auth }}"
      endpoint_type: "{{ openstack_interface }}"
+      cacert: "{{ openstack_cacert }}"
  run_once: True
--- a/ansible/roles/cloudkitty/tasks/register.yml
+++ b/ansible/roles/cloudkitty/tasks/register.yml
@ -13,6 +13,7 @@
      region_name: "{{ openstack_region_name }}"
      auth: "{{ openstack_cloudkitty_auth }}"
      endpoint_type: "{{ openstack_interface }}"
+      cacert: "{{ openstack_cacert }}"
  run_once: True
  with_items:
    - {'interface': 'admin', 'url': '{{ cloudkitty_admin_endpoint }}'}
@ -31,6 +32,7 @@
      region_name: "{{ openstack_region_name }}"
      auth: "{{ openstack_cloudkitty_auth }}"
      endpoint_type: "{{ openstack_interface }}"
+      cacert: "{{ openstack_cacert }}"
  run_once: True

 - name: Creating the rating role
@ -41,4 +43,5 @@
      name: "{{ cloudkitty_openstack_keystone_default_role }}"
      auth: "{{ openstack_cloudkitty_auth }}"
      endpoint_type: "{{ openstack_interface }}"
+      cacert: "{{ openstack_cacert }}"
  run_once: True
--- a/ansible/roles/congress/tasks/register.yml
+++ b/ansible/roles/congress/tasks/register.yml
@ -13,6 +13,7 @@
      region_name: "{{ openstack_region_name }}"
      auth: "{{ openstack_congress_auth }}"
      endpoint_type: "{{ openstack_interface }}"
+      cacert: "{{ openstack_cacert }}"
  run_once: True
  with_items:
    - {'interface': 'admin', 'url': '{{ congress_admin_endpoint }}'}
@ -31,4 +32,5 @@
      region_name: "{{ openstack_region_name }}"
      auth: "{{ openstack_congress_auth }}"
      endpoint_type: "{{ openstack_interface }}"
+      cacert: "{{ openstack_cacert }}"
  run_once: True
--- a/ansible/roles/cyborg/tasks/register.yml
+++ b/ansible/roles/cyborg/tasks/register.yml
@ -13,6 +13,7 @@
      region_name: "{{ openstack_region_name }}"
      auth: "{{ openstack_cyborg_auth }}"
      endpoint_type: "{{ openstack_interface }}"
+      cacert: "{{ openstack_cacert }}"
  run_once: True
  with_items:
    - {'interface': 'admin', 'url': '{{ cyborg_admin_endpoint }}'}
@ -31,4 +32,5 @@
      region_name: "{{ openstack_region_name }}"
      auth: "{{ openstack_cyborg_auth }}"
      endpoint_type: "{{ openstack_interface }}"
+      cacert: "{{ openstack_cacert }}"
  run_once: True
--- a/ansible/roles/designate/tasks/register.yml
+++ b/ansible/roles/designate/tasks/register.yml
@ -13,6 +13,7 @@
      region_name: "{{ openstack_region_name }}"
      auth: "{{ openstack_designate_auth }}"
      endpoint_type: "{{ openstack_interface }}"
+      cacert: "{{ openstack_cacert }}"
  run_once: True
  with_items:
    - {'interface': 'admin', 'url': '{{ designate_admin_endpoint }}'}
@ -31,4 +32,5 @@
      region_name: "{{ openstack_region_name }}"
      auth: "{{ openstack_designate_auth }}"
      endpoint_type: "{{ openstack_interface }}"
+      cacert: "{{ openstack_cacert }}"
  run_once: True
--- a/ansible/roles/freezer/tasks/register.yml
+++ b/ansible/roles/freezer/tasks/register.yml
@ -13,6 +13,7 @@
      region_name: "{{ openstack_region_name }}"
      auth: "{{ openstack_freezer_auth }}"
      endpoint_type: "{{ openstack_interface }}"
+      cacert: "{{ openstack_cacert }}"
  run_once: True
  with_items:
    - {'interface': 'admin', 'url': '{{ freezer_admin_endpoint }}'}
@ -31,4 +32,5 @@
      region_name: "{{ openstack_region_name }}"
      auth: "{{ openstack_freezer_auth }}"
      endpoint_type: "{{ openstack_interface }}"
+      cacert: "{{ openstack_cacert }}"
  run_once: True
--- a/ansible/roles/glance/tasks/check.yml
+++ b/ansible/roles/glance/tasks/check.yml
@ -8,6 +8,7 @@
      name: "glance_sanity_check"
      filename: "/etc/hostname"
      endpoint_type: "{{ openstack_interface }}"
+      cacert: "{{ openstack_cacert }}"
  delegate_to: "{{ groups['glance-api'][0] }}"
  run_once: True
  register: img_create
@ -25,6 +26,7 @@
      name: "glance_sanity_check"
      state: absent
      endpoint_type: "{{ openstack_interface }}"
+      cacert: "{{ openstack_cacert }}"
  delegate_to: "{{ groups['glance-api'][0] }}"
  run_once: True
  when: kolla_enable_sanity_glance | bool
--- a/ansible/roles/glance/tasks/register.yml
+++ b/ansible/roles/glance/tasks/register.yml
@ -13,6 +13,7 @@
      region_name: "{{ openstack_region_name }}"
      auth: "{{ openstack_glance_auth }}"
      endpoint_type: "{{ openstack_interface }}"
+      cacert: "{{ openstack_cacert }}"
  run_once: True
  with_items:
    - {'interface': 'admin', 'url': '{{ glance_admin_endpoint }}'}
@ -31,4 +32,5 @@
      region_name: "{{ openstack_region_name }}"
      auth: "{{ openstack_glance_auth }}"
      endpoint_type: "{{ openstack_interface }}"
+      cacert: "{{ openstack_cacert }}"
  run_once: True
--- a/ansible/roles/gnocchi/tasks/register.yml
+++ b/ansible/roles/gnocchi/tasks/register.yml
@ -13,6 +13,7 @@
      region_name: "{{ openstack_region_name }}"
      auth: "{{ openstack_gnocchi_auth }}"
      endpoint_type: "{{ openstack_interface }}"
+      cacert: "{{ openstack_cacert }}"
  run_once: True
  with_items:
    - {'interface': 'admin', 'url': '{{ gnocchi_admin_endpoint }}'}
@ -31,4 +32,5 @@
      region_name: "{{ openstack_region_name }}"
      auth: "{{ openstack_gnocchi_auth }}"
      endpoint_type: "{{ openstack_interface }}"
+      cacert: "{{ openstack_cacert }}"
  run_once: True
--- a/ansible/roles/heat/tasks/register.yml
+++ b/ansible/roles/heat/tasks/register.yml
@ -13,6 +13,7 @@
      region_name: "{{ openstack_region_name }}"
      auth: "{{ openstack_heat_auth }}"
      endpoint_type: "{{ openstack_interface }}"
+      cacert: "{{ openstack_cacert }}"
  run_once: True
  with_items:
    - {'interface': 'admin', 'url': '{{ heat_admin_endpoint }}', 'service_name': 'heat', 'service_type': 'orchestration', 'description': 'Orchestration'}
@ -34,6 +35,7 @@
      region_name: "{{ openstack_region_name }}"
      auth: "{{ openstack_heat_auth }}"
      endpoint_type: "{{ openstack_interface }}"
+      cacert: "{{ openstack_cacert }}"
  run_once: True

 - name: Creating the heat_stack_user role
@ -44,6 +46,7 @@
      name: "{{ heat_stack_user_role }}"
      auth: "{{ openstack_heat_auth }}"
      endpoint_type: "{{ openstack_interface }}"
+      cacert: "{{ openstack_cacert }}"
  run_once: True

 - name: Creating the heat_stack_owner role
@ -54,6 +57,7 @@
      name: "{{ heat_stack_owner_role }}"
      auth: "{{ openstack_heat_auth }}"
      endpoint_type: "{{ openstack_interface }}"
+      cacert: "{{ openstack_cacert }}"
  run_once: True

 - name: Add the heat_stack_owner role to the admin project
@ -67,4 +71,5 @@
      region_name: "{{ openstack_region_name }}"
      auth: "{{ openstack_heat_auth }}"
      endpoint_type: "{{ openstack_interface }}"
+      cacert: "{{ openstack_cacert }}"
  run_once: True
--- a/ansible/roles/horizon/templates/local_settings.j2
+++ b/ansible/roles/horizon/templates/local_settings.j2
@ -247,7 +247,11 @@ OPENSTACK_KEYSTONE_DEFAULT_ROLE = "{{ keystone_default_user_role }}"
 #OPENSTACK_SSL_NO_VERIFY = True

 # The CA certificate to use to verify SSL connections
+{% if openstack_cacert == "" %}
 #OPENSTACK_SSL_CACERT = '/path/to/cacert.pem'
+{% else %}
+OPENSTACK_SSL_CACERT = '{{ openstack_cacert }}'
+{% endif %}

 # The OPENSTACK_KEYSTONE_BACKEND settings can be used to identify the
 # capabilities of the auth backend for Keystone.
--- a/ansible/roles/ironic/tasks/register.yml
+++ b/ansible/roles/ironic/tasks/register.yml
@ -13,6 +13,7 @@
      region_name: "{{ openstack_region_name }}"
      auth: "{{ openstack_ironic_auth }}"
      endpoint_type: "{{ openstack_interface }}"
+      cacert: "{{ openstack_cacert }}"
  run_once: True
  when: inventory_hostname in groups['ironic-api']
  with_items:
@ -32,6 +33,7 @@
      region_name: "{{ openstack_region_name }}"
      auth: "{{ openstack_ironic_auth }}"
      endpoint_type: "{{ openstack_interface }}"
+      cacert: "{{ openstack_cacert }}"
  run_once: True
  when: inventory_hostname in groups['ironic-api']

@ -49,6 +51,7 @@
      region_name: "{{ openstack_region_name }}"
      auth: "{{ openstack_ironic_inspector_auth }}"
      endpoint_type: "{{ openstack_interface }}"
+      cacert: "{{ openstack_cacert }}"
  run_once: True
  when: inventory_hostname in groups['ironic-inspector']
  with_items:
@ -68,5 +71,6 @@
      region_name: "{{ openstack_region_name }}"
      auth: "{{ openstack_ironic_inspector_auth }}"
      endpoint_type: "{{ openstack_interface }}"
+      cacert: "{{ openstack_cacert }}"
  run_once: True
  when: inventory_hostname in groups['ironic-inspector']
--- a/ansible/roles/karbor/tasks/register.yml
+++ b/ansible/roles/karbor/tasks/register.yml
@ -13,6 +13,7 @@
      region_name: "{{ openstack_region_name }}"
      auth: "{{ openstack_karbor_auth }}"
      endpoint_type: "{{ openstack_interface }}"
+      cacert: "{{ openstack_cacert }}"
  run_once: True
  with_items:
    - {'interface': 'admin', 'url': '{{ karbor_admin_endpoint }}'}
@ -31,4 +32,5 @@
      region_name: "{{ openstack_region_name }}"
      auth: "{{ openstack_karbor_auth }}"
      endpoint_type: "{{ openstack_interface }}"
+      cacert: "{{ openstack_cacert }}"
  run_once: True
--- a/ansible/roles/keystone/tasks/check.yml
+++ b/ansible/roles/keystone/tasks/check.yml
@ -6,6 +6,7 @@
    module_args:
      auth: "{{ openstack_keystone_auth }}"
      endpoint_type: "{{ openstack_interface }}"
+      cacert: "{{ openstack_cacert }}"
  run_once: True
  delegate_to: "{{ groups['keystone'][0] }}"
  when: kolla_enable_sanity_keystone | bool
--- a/ansible/roles/keystone/tasks/register.yml
+++ b/ansible/roles/keystone/tasks/register.yml
@ -24,6 +24,7 @@
      region_name: "{{ openstack_region_name }}"
      auth: "{{ openstack_keystone_auth }}"
      endpoint_type: "{{ openstack_interface }}"
+      cacert: "{{ openstack_cacert }}"
  run_once: True
  with_items:
    - { interface: admin, url: "{{ keystone_admin_url }}" }
@ -38,4 +39,5 @@
      name: "{{ keystone_default_user_role }}"
      auth: "{{ openstack_keystone_auth }}"
      endpoint_type: "{{ openstack_interface }}"
+      cacert: "{{ openstack_cacert }}"
  run_once: True
--- a/ansible/roles/kuryr/tasks/register.yml
+++ b/ansible/roles/kuryr/tasks/register.yml
@ -11,4 +11,5 @@
      region_name: "{{ openstack_region_name }}"
      auth: "{{ openstack_kuryr_auth }}"
      endpoint_type: "{{ openstack_interface }}"
+      cacert: "{{ openstack_cacert }}"
  run_once: True
--- a/ansible/roles/magnum/tasks/register.yml
+++ b/ansible/roles/magnum/tasks/register.yml
@ -13,6 +13,7 @@
      region_name: "{{ openstack_region_name }}"
      auth: "{{ openstack_magnum_auth }}"
      endpoint_type: "{{ openstack_interface }}"
+      cacert: "{{ openstack_cacert }}"
  run_once: True
  with_items:
    - {'interface': 'admin', 'url': '{{ magnum_admin_endpoint }}'}
@ -31,6 +32,7 @@
      region_name: "{{ openstack_region_name }}"
      auth: "{{ openstack_magnum_auth }}"
      endpoint_type: "{{ openstack_interface }}"
+      cacert: "{{ openstack_cacert }}"
  run_once: True

 - name: Creating Magnum trustee domain
@ -42,6 +44,7 @@
      description: "Owns users and projects created by magnum"
      auth: "{{ openstack_magnum_auth }}"
      endpoint_type: "{{ openstack_interface }}"
+      cacert: "{{ openstack_cacert }}"
  register: trustee_domain
  run_once: True

@ -55,6 +58,7 @@
      password: "{{ magnum_keystone_password }}"
      auth: "{{ openstack_magnum_auth }}"
      endpoint_type: "{{ openstack_interface }}"
+      cacert: "{{ openstack_cacert }}"
  run_once: True

 - name: Creating Magnum trustee user role
@ -67,4 +71,5 @@
      role: "admin"
      auth: "{{ openstack_magnum_auth }}"
      endpoint_type: "{{ openstack_interface }}"
+      cacert: "{{ openstack_cacert }}"
  run_once: True
--- a/ansible/roles/manila/tasks/register.yml
+++ b/ansible/roles/manila/tasks/register.yml
@ -13,6 +13,7 @@
      region_name: "{{ openstack_region_name }}"
      auth: "{{ openstack_manila_auth }}"
      endpoint_type: "{{ openstack_interface }}"
+      cacert: "{{ openstack_cacert }}"
  run_once: True
  with_items:
    - {'interface': 'admin', 'url': '{{ manila_admin_endpoint }}', 'service_name': 'manila', 'service_type': 'share'}
@ -34,4 +35,5 @@
      region_name: "{{ openstack_region_name }}"
      auth: "{{ openstack_manila_auth }}"
      endpoint_type: "{{ openstack_interface }}"
+      cacert: "{{ openstack_cacert }}"
  run_once: True
--- a/ansible/roles/masakari/tasks/register.yml
+++ b/ansible/roles/masakari/tasks/register.yml
@ -13,6 +13,7 @@
      region_name: "{{ openstack_region_name }}"
      auth: "{{ openstack_masakari_auth }}"
      endpoint_type: "{{ openstack_interface }}"
+      cacert: "{{ openstack_cacert }}"
  run_once: True
  with_items:
    - {'interface': 'admin', 'url': '{{ masakari_admin_endpoint }}'}
@ -31,4 +32,5 @@
      region_name: "{{ openstack_region_name }}"
      auth: "{{ openstack_masakari_auth }}"
      endpoint_type: "{{ openstack_interface }}"
+      cacert: "{{ openstack_cacert }}"
  run_once: True
--- a/ansible/roles/mistral/tasks/register.yml
+++ b/ansible/roles/mistral/tasks/register.yml
@ -13,6 +13,7 @@
      region_name: "{{ openstack_region_name }}"
      auth: "{{ openstack_mistral_auth }}"
      endpoint_type: "{{ openstack_interface }}"
+      cacert: "{{ openstack_cacert }}"
  run_once: True
  with_items:
    - {'interface': 'admin', 'url': '{{ mistral_admin_endpoint }}'}
@ -31,4 +32,5 @@
      region_name: "{{ openstack_region_name }}"
      auth: "{{ openstack_mistral_auth }}"
      endpoint_type: "{{ openstack_interface }}"
+      cacert: "{{ openstack_cacert }}"
  run_once: True
--- a/ansible/roles/monasca/tasks/register.yml
+++ b/ansible/roles/monasca/tasks/register.yml
@ -13,6 +13,7 @@
      region_name: "{{ openstack_region_name }}"
      auth: "{{ monasca_openstack_auth }}"
      endpoint_type: "{{ openstack_interface }}"
+      cacert: "{{ openstack_cacert }}"
  run_once: True
  with_items:
    - {'interface': 'admin', 'url': '{{ monasca_api_admin_endpoint }}'}
@ -33,6 +34,7 @@
      region_name: "{{ openstack_region_name }}"
      auth: "{{ monasca_openstack_auth }}"
      endpoint_type: "{{ openstack_interface }}"
+      cacert: "{{ openstack_cacert }}"
  run_once: True
  with_items:
    - {'interface': 'admin', 'url': '{{ monasca_log_api_admin_endpoint }}'}
@ -51,6 +53,7 @@
      region_name: "{{ openstack_region_name }}"
      auth: "{{ monasca_openstack_auth }}"
      endpoint_type: "{{ openstack_interface }}"
+      cacert: "{{ openstack_cacert }}"
  run_once: True

 - name: Creating monasca roles
@ -62,6 +65,7 @@
      region_name: "{{ openstack_region_name }}"
      auth: "{{ monasca_openstack_auth }}"
      endpoint_type: "{{ openstack_interface }}"
+      cacert: "{{ openstack_cacert }}"
  run_once: True
  with_items:
    - "{{ monasca_default_authorized_roles }}"
@ -81,4 +85,5 @@
      region_name: "{{ openstack_region_name }}"
      auth: "{{ monasca_openstack_auth }}"
      endpoint_type: "{{ openstack_interface }}"
+      cacert: "{{ openstack_cacert }}"
  run_once: True
--- a/ansible/roles/murano/tasks/register.yml
+++ b/ansible/roles/murano/tasks/register.yml
@ -13,6 +13,7 @@
      region_name: "{{ openstack_region_name }}"
      auth: "{{ openstack_murano_auth }}"
      endpoint_type: "{{ openstack_interface }}"
+      cacert: "{{ openstack_cacert }}"
  run_once: True
  with_items:
    - {'interface': 'admin', 'url': '{{ murano_admin_endpoint }}'}
@ -31,4 +32,5 @@
      region_name: "{{ openstack_region_name }}"
      auth: "{{ openstack_murano_auth }}"
      endpoint_type: "{{ openstack_interface }}"
+      cacert: "{{ openstack_cacert }}"
  run_once: True
--- a/ansible/roles/neutron/tasks/register.yml
+++ b/ansible/roles/neutron/tasks/register.yml
@ -13,6 +13,7 @@
      region_name: "{{ openstack_region_name }}"
      auth: "{{ openstack_neutron_auth }}"
      endpoint_type: "{{ openstack_interface }}"
+      cacert: "{{ openstack_cacert }}"
  run_once: True
  with_items:
    - {'interface': 'admin', 'url': '{{ neutron_admin_endpoint }}'}
@ -31,4 +32,5 @@
      region_name: "{{ openstack_region_name }}"
      auth: "{{ openstack_neutron_auth }}"
      endpoint_type: "{{ openstack_interface }}"
+      cacert: "{{ openstack_cacert }}"
  run_once: True
--- a/ansible/roles/nova/tasks/discover_computes.yml
+++ b/ansible/roles/nova/tasks/discover_computes.yml
@ -40,6 +40,7 @@
    --os-password {{ keystone_admin_password }}
    --os-user-domain-name {{ openstack_auth.domain_name }}
    --os-region-name {{ openstack_region_name }}
+    {% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }}{% endif %}
    compute service list --format json --column Host --service nova-compute
  register: nova_compute_services
  changed_when: false
--- a/ansible/roles/nova/tasks/register.yml
+++ b/ansible/roles/nova/tasks/register.yml
@ -13,6 +13,7 @@
      region_name: "{{ openstack_region_name }}"
      auth: "{{ openstack_nova_auth }}"
      endpoint_type: "{{ openstack_interface }}"
+      cacert: "{{ openstack_cacert }}"
  run_once: True
  with_items:
    - {'name': 'nova_legacy', 'service_type': 'compute_legacy', 'interface': 'admin', 'url': '{{ nova_legacy_admin_endpoint }}', 'description': 'OpenStack Compute Service (Legacy 2.0)'}
@ -34,4 +35,5 @@
      region_name: "{{ openstack_region_name }}"
      auth: "{{ openstack_nova_auth }}"
      endpoint_type: "{{ openstack_interface }}"
+      cacert: "{{ openstack_cacert }}"
  run_once: True
--- a/ansible/roles/octavia/tasks/register.yml
+++ b/ansible/roles/octavia/tasks/register.yml
@ -13,6 +13,7 @@
      region_name: "{{ openstack_region_name }}"
      auth: "{{ openstack_octavia_auth }}"
      endpoint_type: "{{ openstack_interface }}"
+      cacert: "{{ openstack_cacert }}"
  run_once: True
  with_items:
    - {'interface': 'admin', 'url': '{{ octavia_admin_endpoint }}'}
@ -31,6 +32,7 @@
      region_name: "{{ openstack_region_name }}"
      auth: "{{ openstack_octavia_auth }}"
      endpoint_type: "{{ openstack_interface }}"
+      cacert: "{{ openstack_cacert }}"
  run_once: True

 - name: Adding octavia user into admin project
@ -43,6 +45,7 @@
      project: admin
      auth: "{{ openstack_octavia_auth }}"
      endpoint_type: "{{ openstack_interface }}"
+      cacert: "{{ openstack_cacert }}"
  run_once: True

 - name: Adding octavia related roles
@ -53,5 +56,6 @@
      name: "{{ item }}"
      auth: "{{ openstack_octavia_auth }}"
      endpoint_type: "{{ openstack_interface }}"
+      cacert: "{{ openstack_cacert }}"
  run_once: True
  with_items: "{{ octavia_required_roles }}"
--- a/ansible/roles/panko/tasks/register.yml
+++ b/ansible/roles/panko/tasks/register.yml
@ -13,6 +13,7 @@
      region_name: "{{ openstack_region_name }}"
      auth: "{{ openstack_panko_auth }}"
      endpoint_type: "{{ openstack_interface }}"
+      cacert: "{{ openstack_cacert }}"
  run_once: True
  with_items:
    - {'interface': 'admin', 'url': '{{ panko_admin_endpoint }}'}
@ -31,4 +32,5 @@
      region_name: "{{ openstack_region_name }}"
      auth: "{{ openstack_panko_auth }}"
      endpoint_type: "{{ openstack_interface }}"
+      cacert: "{{ openstack_cacert }}"
  run_once: True
--- a/ansible/roles/placement/tasks/register.yml
+++ b/ansible/roles/placement/tasks/register.yml
@ -13,6 +13,7 @@
      region_name: "{{ openstack_region_name }}"
      auth: "{{ openstack_placement_auth }}"
      endpoint_type: "{{ openstack_interface }}"
+      cacert: "{{ openstack_cacert }}"
  run_once: True
  with_items:
    - {'name': 'placement', 'service_type': 'placement', 'interface': 'admin', 'url': '{{ placement_admin_endpoint }}', 'description': 'Placement Service'}
@ -31,4 +32,5 @@
      region_name: "{{ openstack_region_name }}"
      auth: "{{ openstack_placement_auth }}"
      endpoint_type: "{{ openstack_interface }}"
+      cacert: "{{ openstack_cacert }}"
  run_once: True
--- a/ansible/roles/qinling/tasks/register.yml
+++ b/ansible/roles/qinling/tasks/register.yml
@ -13,6 +13,7 @@
      region_name: "{{ openstack_region_name }}"
      auth: "{{ openstack_qinling_auth }}"
      endpoint_type: "{{ openstack_interface }}"
+      cacert: "{{ openstack_cacert }}"
  run_once: True
  with_items:
    - {'interface': 'admin', 'url': '{{ qinling_admin_endpoint }}'}
@ -31,4 +32,5 @@
      region_name: "{{ openstack_region_name }}"
      auth: "{{ openstack_qinling_auth }}"
      endpoint_type: "{{ openstack_interface }}"
+      cacert: "{{ openstack_cacert }}"
  run_once: True
--- a/ansible/roles/sahara/tasks/register.yml
+++ b/ansible/roles/sahara/tasks/register.yml
@ -13,6 +13,7 @@
      region_name: "{{ openstack_region_name }}"
      auth: "{{ openstack_sahara_auth }}"
      endpoint_type: "{{ openstack_interface }}"
+      cacert: "{{ openstack_cacert }}"
  run_once: True
  with_items:
    - {'interface': 'admin', 'url': '{{ sahara_admin_endpoint }}'}
@ -31,4 +32,5 @@
      region_name: "{{ openstack_region_name }}"
      auth: "{{ openstack_sahara_auth }}"
      endpoint_type: "{{ openstack_interface }}"
+      cacert: "{{ openstack_cacert }}"
  run_once: True
--- a/ansible/roles/searchlight/tasks/register.yml
+++ b/ansible/roles/searchlight/tasks/register.yml
@ -13,6 +13,7 @@
      region_name: "{{ openstack_region_name }}"
      auth: "{{ openstack_searchlight_auth }}"
      endpoint_type: "{{ openstack_interface }}"
+      cacert: "{{ openstack_cacert }}"
  run_once: True
  with_items:
    - {'interface': 'admin', 'url': '{{ searchlight_admin_endpoint }}'}
@ -31,4 +32,5 @@
      region_name: "{{ openstack_region_name }}"
      auth: "{{ openstack_searchlight_auth }}"
      endpoint_type: "{{ openstack_interface }}"
+      cacert: "{{ openstack_cacert }}"
  run_once: True
--- a/ansible/roles/senlin/tasks/register.yml
+++ b/ansible/roles/senlin/tasks/register.yml
@ -13,6 +13,7 @@
      region_name: "{{ openstack_region_name }}"
      auth: "{{ openstack_senlin_auth }}"
      endpoint_type: "{{ openstack_interface }}"
+      cacert: "{{ openstack_cacert }}"
  run_once: True
  with_items:
    - {'interface': 'admin', 'url': '{{ senlin_admin_endpoint }}'}
@ -31,4 +32,5 @@
      region_name: "{{ openstack_region_name }}"
      auth: "{{ openstack_senlin_auth }}"
      endpoint_type: "{{ openstack_interface }}"
+      cacert: "{{ openstack_cacert }}"
  run_once: True
--- a/ansible/roles/solum/tasks/register.yml
+++ b/ansible/roles/solum/tasks/register.yml
@ -13,6 +13,7 @@
      region_name: "{{ openstack_region_name }}"
      auth: "{{ openstack_solum_auth }}"
      endpoint_type: "{{ openstack_interface }}"
+      cacert: "{{ openstack_cacert }}"
  run_once: True
  with_items:
    - {'interface': 'admin', 'url': '{{ solum_image_builder_admin_endpoint }}'}
@ -33,6 +34,7 @@
      region_name: "{{ openstack_region_name }}"
      auth: "{{ openstack_solum_auth }}"
      endpoint_type: "{{ openstack_interface }}"
+      cacert: "{{ openstack_cacert }}"
  run_once: True
  with_items:
    - {'interface': 'admin', 'url': '{{ solum_application_deployment_admin_endpoint }}'}
@ -51,4 +53,5 @@
      region_name: "{{ openstack_region_name }}"
      auth: "{{ openstack_solum_auth }}"
      endpoint_type: "{{ openstack_interface }}"
+      cacert: "{{ openstack_cacert }}"
  run_once: True
--- a/ansible/roles/swift/tasks/check.yml
+++ b/ansible/roles/swift/tasks/check.yml
@ -9,7 +9,8 @@
        password={{ swift_keystone_password }}
        role=admin
        region_name={{ openstack_region_name }}
-        auth={{ '{{ openstack_swift_auth }}' }}"
+        auth={{ '{{ openstack_swift_auth }}' }}
+        {% if openstack_cacert != '' %}cacert={{ openstack_cacert }}{% endif %}"
    -e "{'openstack_swift_auth':{{ openstack_swift_auth }}}"
  register: swift_sanity
  changed_when: swift_sanity.stdout.find('localhost | SUCCESS => ') != -1 and (swift_sanity.stdout.split('localhost | SUCCESS => ')[1]|from_json).changed
--- a/ansible/roles/swift/tasks/register.yml
+++ b/ansible/roles/swift/tasks/register.yml
@ -13,6 +13,7 @@
      region_name: "{{ openstack_region_name }}"
      auth: "{{ openstack_swift_auth }}"
      endpoint_type: "{{ openstack_interface }}"
+      cacert: "{{ openstack_cacert }}"
  run_once: True
  with_items:
    - {'interface': 'admin', 'url': '{{ swift_admin_endpoint }}'}
@ -31,6 +32,7 @@
      region_name: "{{ openstack_region_name }}"
      auth: "{{ openstack_swift_auth }}"
      endpoint_type: "{{ openstack_interface }}"
+      cacert: "{{ openstack_cacert }}"
  run_once: True

 - name: Creating the ResellerAdmin role
@ -42,4 +44,5 @@
      region_name: "{{ openstack_region_name }}"
      auth: "{{ openstack_swift_auth }}"
      endpoint_type: "{{ openstack_interface }}"
+      cacert: "{{ openstack_cacert }}"
  run_once: True
--- a/ansible/roles/tacker/tasks/register.yml
+++ b/ansible/roles/tacker/tasks/register.yml
@ -13,6 +13,7 @@
      region_name: "{{ openstack_region_name }}"
      auth: "{{ openstack_tacker_auth }}"
      endpoint_type: "{{ openstack_interface }}"
+      cacert: "{{ openstack_cacert }}"
  run_once: True
  with_items:
    - {'interface': 'admin', 'url': '{{ tacker_admin_endpoint }}'}
@ -31,4 +32,5 @@
      region_name: "{{ openstack_region_name }}"
      auth: "{{ openstack_tacker_auth }}"
      endpoint_type: "{{ openstack_interface }}"
+      cacert: "{{ openstack_cacert }}"
  run_once: True
--- a/ansible/roles/trove/tasks/register.yml
+++ b/ansible/roles/trove/tasks/register.yml
@ -13,6 +13,7 @@
      region_name: "{{ openstack_region_name }}"
      auth: "{{ openstack_trove_auth }}"
      endpoint_type: "{{ openstack_interface }}"
+      cacert: "{{ openstack_cacert }}"
  run_once: True
  with_items:
    - {'interface': 'admin', 'url': '{{ trove_admin_endpoint }}'}
@ -31,4 +32,5 @@
      region_name: "{{ openstack_region_name }}"
      auth: "{{ openstack_trove_auth }}"
      endpoint_type: "{{ openstack_interface }}"
+      cacert: "{{ openstack_cacert }}"
  run_once: True
--- a/ansible/roles/vitrage/tasks/register.yml
+++ b/ansible/roles/vitrage/tasks/register.yml
@ -13,6 +13,7 @@
      region_name: "{{ openstack_region_name }}"
      auth: "{{ openstack_vitrage_auth }}"
      endpoint_type: "{{ openstack_interface }}"
+      cacert: "{{ openstack_cacert }}"
  run_once: True
  with_items:
    - {'interface': 'admin', 'url': '{{ vitrage_admin_endpoint }}'}
@ -31,6 +32,7 @@
      region_name: "{{ openstack_region_name }}"
      auth: "{{ openstack_vitrage_auth }}"
      endpoint_type: "{{ openstack_interface }}"
+      cacert: "{{ openstack_cacert }}"
  run_once: True

 - name: Adding vitrage user into admin project
@ -43,4 +45,5 @@
      project: "admin"
      auth: "{{ openstack_vitrage_auth }}"
      endpoint_type: "{{ openstack_interface }}"
+      cacert: "{{ openstack_cacert }}"
  run_once: True
--- a/ansible/roles/watcher/tasks/register.yml
+++ b/ansible/roles/watcher/tasks/register.yml
@ -13,6 +13,7 @@
      region_name: "{{ openstack_region_name }}"
      auth: "{{ openstack_watcher_auth }}"
      endpoint_type: "{{ openstack_interface }}"
+      cacert: "{{ openstack_cacert }}"
  run_once: True
  with_items:
    - {'interface': 'admin', 'url': '{{ watcher_admin_endpoint }}'}
@ -31,4 +32,5 @@
      region_name: "{{ openstack_region_name }}"
      auth: "{{ openstack_watcher_auth }}"
      endpoint_type: "{{ openstack_interface }}"
+      cacert: "{{ openstack_cacert }}"
  run_once: True
--- a/ansible/roles/zun/tasks/register.yml
+++ b/ansible/roles/zun/tasks/register.yml
@ -13,6 +13,7 @@
      region_name: "{{ openstack_region_name }}"
      auth: "{{ openstack_zun_auth }}"
      endpoint_type: "{{ openstack_interface }}"
+      cacert: "{{ openstack_cacert }}"
  run_once: True
  with_items:
    - {'interface': 'admin', 'url': '{{ zun_admin_endpoint }}'}
@ -31,4 +32,5 @@
      region_name: "{{ openstack_region_name }}"
      auth: "{{ openstack_zun_auth }}"
      endpoint_type: "{{ openstack_interface }}"
+      cacert: "{{ openstack_cacert }}"
  run_once: True
--- a/releasenotes/notes/trusted-cacert-3c7061e974b5187d.yaml
+++ b/releasenotes/notes/trusted-cacert-3c7061e974b5187d.yaml
@ -0,0 +1,6 @@
+---
+features:
+  - |
+    Add support for configuration of trusted CA certificate file.
+    CA bundle file must be added to both the Horizon and Kolla Toolbox
+    containers for this to work correctly.