Masakari: copy TLS certificates into containers

From Ussuri, if CA certificates are copied into
/etc/kolla/certificates/ca/, these should be copied into all containers.
This is not being done for masakari currently.

Additionally, we are not setting the [DEFAULT] nova_ca_certificates_file
option in masakari.conf. This depends on masakari bug 1873736 being
fixed to work.

This change fixes these issues.

Change-Id: I9a3633f58e5eb734fa32edc03a3022a500761bbb
Closes-Bug: #1888655

ansible/roles/masakari/tasks/config.yml

@@ -58,6 +58,10 @@
   notify:
     - Restart {{ item.key }} container
 
+- include_tasks: copy-certs.yml
+  when:
+    - kolla_copy_ca_into_containers | bool
+
 - name: Copying over masakari.conf
   vars:
     service: "{{ item.key }}"

ansible/roles/masakari/tasks/copy-certs.yml

@@ -0,0 +1,6 @@
+---
+- name: "Copy certificates and keys for {{ project_name }}"
+  import_role:
+    role: service-cert-copy
+  vars:
+    project_services: "{{ masakari_services }}"

ansible/roles/masakari/templates/masakari.conf.j2

@@ -12,6 +12,7 @@ os_privileged_user_tenant = service
 os_privileged_user_auth_url = {{ keystone_internal_url }}/v3
 os_privileged_user_name = {{ nova_keystone_user }}
 os_privileged_user_password = {{ nova_keystone_password }}
+nova_ca_certificates_file = {{ openstack_cacert }}
 
 [database]
 connection = mysql+pymysql://{{ masakari_database_user }}:{{ masakari_database_password }}@{{ masakari_database_address }}/{{ masakari_database_name }}

releasenotes/notes/fix-masakari-tls-64f010c037e95bea.yaml

@@ -0,0 +1,8 @@
+---
+fixes:
+  - |
+    Fixes an issue with Masakari and internal TLS where CA certificates were
+    not copied into containers, and the path to the CA file was not configured.
+    Depends on `masakari bug 1873736
+    <https://bugs.launchpad.net/masakari/+bug/1873736>`__ being fixed.
+    `LP#1888655 <https://bugs.launchpad.net/kolla-ansible/+bug/1888655>`__