From 0b4c8a3c3d73f5eade2b61730e74e672573ee13b Mon Sep 17 00:00:00 2001
From: Mark Goddard
Date: Fri, 17 Jul 2020 14:20:22 +0000
Subject: [PATCH] Masakari: copy TLS certificates into containers

From Ussuri, if CA certificates are copied into /etc/kolla/certificates/ca/, these should be copied into all containers. This is not being done for masakari currently. Additionally, we are not setting the [DEFAULT] nova_ca_certificates_file option in masakari.conf. This depends on masakari bug 1873736 being fixed to work. This change fixes these issues.

Change-Id: I9a3633f58e5eb734fa32edc03a3022a500761bbb
Closes-Bug: #1888655
---
 ansible/roles/masakari/tasks/config.yml | 4 ++++
 ansible/roles/masakari/tasks/copy-certs.yml | 6 ++++++
 ansible/roles/masakari/templates/masakari.conf.j2 | 1 +
 releasenotes/notes/fix-masakari-tls-64f010c037e95bea.yaml | 8 ++++++++
 4 files changed, 19 insertions(+)
 create mode 100644 ansible/roles/masakari/tasks/copy-certs.yml
 create mode 100644 releasenotes/notes/fix-masakari-tls-64f010c037e95bea.yaml

diff --git a/ansible/roles/masakari/tasks/config.yml b/ansible/roles/masakari/tasks/config.yml
index f81109d346..047814dcb1 100644
--- a/ansible/roles/masakari/tasks/config.yml
+++ b/ansible/roles/masakari/tasks/config.yml
@@ -58,6 +58,10 @@
 notify:
 - Restart {{ item.key }} container
 
+- include_tasks: copy-certs.yml
+ when:
+ - kolla_copy_ca_into_containers | bool
+
 - name: Copying over masakari.conf
 vars:
 service: "{{ item.key }}"
diff --git a/ansible/roles/masakari/tasks/copy-certs.yml b/ansible/roles/masakari/tasks/copy-certs.yml
new file mode 100644
index 0000000000..84e7656a56
--- /dev/null
+++ b/ansible/roles/masakari/tasks/copy-certs.yml
@@ -0,0 +1,6 @@
+---
+- name: "Copy certificates and keys for {{ project_name }}"
+ import_role:
+ role: service-cert-copy
+ vars:
+ project_services: "{{ masakari_services }}"
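Review bot: The CA copy added to config.yml runs only when `kolla_copy_ca_into_containers` is true, while the masakari.conf.j2 hunk later in this patch writes `nova_ca_certificates_file = {{ openstack_cacert }}` unconditionally, so the two halves of the fix are gated differently. If `openstack_cacert` can name a file that only exists in the container because of this copy, a deployment with the flag off would point masakari at a path that was never placed there; whether that combination is reachable depends on how `openstack_cacert` is defaulted outside this patch and is worth confirming. At minimum the coupling deserves a comment above the include, `# Keep in step with nova_ca_certificates_file in templates/masakari.conf.j2`, so the next change to either side sees it. The include sits between tasks whose definitions lie outside the hunk.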
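Review bot: `project_services: "{{ masakari_services }}"` in the new copy-certs.yml hands every masakari service to service-cert-copy, and the task name advertises keys as well as certificates, so if that role copies a per-service key/cert pair for each listed service, containers that never terminate TLS would also receive private key material. Whether the role filters on a per-service backend-TLS setting is not visible here; if it does not, passing only the services that actually need keys keeps the key material in the container that uses it. `project_name` is used in the task name but not defined in this file, so it presumably comes from the role defaults — worth a comment if that is the intent.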
diff --git a/ansible/roles/masakari/templates/masakari.conf.j2 b/ansible/roles/masakari/templates/masakari.conf.j2
index bba3704b3a..92dc06b1ed 100644
--- a/ansible/roles/masakari/templates/masakari.conf.j2
+++ b/ansible/roles/masakari/templates/masakari.conf.j2
@@ -12,6 +12,7 @@ os_privileged_user_tenant = service
 os_privileged_user_auth_url = {{ keystone_internal_url }}/v3
 os_privileged_user_name = {{ nova_keystone_user }}
 os_privileged_user_password = {{ nova_keystone_password }}
+nova_ca_certificates_file = {{ openstack_cacert }}
 
 [database]
 connection = mysql+pymysql://{{ masakari_database_user }}:{{ masakari_database_password }}@{{ masakari_database_address }}/{{ masakari_database_name }}
diff --git a/releasenotes/notes/fix-masakari-tls-64f010c037e95bea.yaml b/releasenotes/notes/fix-masakari-tls-64f010c037e95bea.yaml
new file mode 100644
index 0000000000..9a82cb4fac
--- /dev/null
+++ b/releasenotes/notes/fix-masakari-tls-64f010c037e95bea.yaml
@@ -0,0 +1,8 @@
+---
+fixes:
+ - |
+ Fixes an issue with Masakari and internal TLS where CA certificates were
+ not copied into containers, and the path to the CA file was not configured.
+ Depends on `masakari bug 1873736
+ `__ being fixed.
+ `LP#1888655 `__
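Review bot: The new `nova_ca_certificates_file` line carries no hint that, per the commit message, masakari only honours it once bug 1873736 is fixed, so an operator reading the rendered masakari.conf on an older masakari build may assume the nova endpoint's certificate is being verified when it is not. A Jinja comment, which does not reach the rendered file, records that without changing output: `{# nova_ca_certificates_file is only honoured by masakari with bug 1873736 fixed #}` above the line. The `[DEFAULT]` section this option belongs to starts above the hunk.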