From 31f3f848597b7d26b67881ff1ff3794f334aa24a Mon Sep 17 00:00:00 2001
From: Mark Goddard
Date: Fri, 19 Jun 2020 12:49:07 +0000
Subject: [PATCH] Support CA certificate for fluentd & Elasticsearch
Currently there is no way to configure a CA certificate bundle file for fluentd to Elasticsearch communication. This change adds a new variable, 'fluentd_elasticsearch_cacert' with a default value set to the value of 'openstack_cacert.
Closes-Bug: #1885109
Change-Id: I5bbf55a4dd4ccce9fa2635cee720139c088268e3
---
 ansible/roles/common/defaults/main.yml | 1 +
 .../roles/common/templates/conf/output/00-local.conf.j2 | 6 ++++++
 ansible/roles/common/templates/conf/output/01-es.conf.j2 | 3 +++
 .../fluentd-elasticsearch-cacert-0e8824dd57052913.yaml | 8 ++++++++
 4 files changed, 18 insertions(+)
 create mode 100644 releasenotes/notes/fluentd-elasticsearch-cacert-0e8824dd57052913.yaml
diff --git a/ansible/roles/common/defaults/main.yml b/ansible/roles/common/defaults/main.yml
index 9da9cc5b49..f50c325ec3 100644
--- a/ansible/roles/common/defaults/main.yml
+++ b/ansible/roles/common/defaults/main.yml
@@ -47,6 +47,7 @@ fluentd_elasticsearch_user: ""
 fluentd_elasticsearch_password: ""
 fluentd_elasticsearch_ssl_version: "TLSv1_2"
 fluentd_elasticsearch_ssl_verify: "true"
+fluentd_elasticsearch_cacert: "{{ openstack_cacert }}"
 ####################
 # Docker
diff --git a/ansible/roles/common/templates/conf/output/00-local.conf.j2 b/ansible/roles/common/templates/conf/output/00-local.conf.j2
index 2a826bc648..6d053513ee 100644
--- a/ansible/roles/common/templates/conf/output/00-local.conf.j2
+++ b/ansible/roles/common/templates/conf/output/00-local.conf.j2
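Review bot: The new default `fluentd_elasticsearch_cacert: "{{ openstack_cacert }}"` has no comment saying what an empty value means or that it takes effect only while `fluentd_elasticsearch_ssl_verify` is true. The templates in this patch emit `ca_file` only for a non-empty value, so an empty string keeps the previous behaviour. Any deployment that already sets `openstack_cacert` will, after upgrade, have fluentd validate Elasticsearch against that bundle. If the Elasticsearch endpoint is signed by a different CA, verification would presumably start failing and log shipping would stop. I would add a comment above the variable such as `# CA bundle path fluentd uses to verify Elasticsearch; "" leaves ca_file unset.` and note the upgrade effect alongside it.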
@@ -21,6 +21,9 @@
 {% if fluentd_elasticsearch_scheme == 'https' %}
 ssl_version {{ fluentd_elasticsearch_ssl_version }}
 ssl_verify {{ fluentd_elasticsearch_ssl_verify }}
+{% if fluentd_elasticsearch_cacert | length > 0 %}
+ ca_file {{ fluentd_elasticsearch_cacert }}
+{% endif %}
 {% endif %}
 {% if fluentd_elasticsearch_user != '' and fluentd_elasticsearch_password != ''%}
 user {{ fluentd_elasticsearch_user }}
@@ -78,6 +81,9 @@
 {% if fluentd_elasticsearch_scheme == 'https' %}
 ssl_version {{ fluentd_elasticsearch_ssl_version }}
 ssl_verify {{ fluentd_elasticsearch_ssl_verify }}
+{% if fluentd_elasticsearch_cacert | length > 0 %}
+ ca_file {{ fluentd_elasticsearch_cacert }}
+{% endif %}
 {% endif %}
 {% if fluentd_elasticsearch_user != '' and fluentd_elasticsearch_password != ''%}
 user {{ fluentd_elasticsearch_user }}
diff --git a/ansible/roles/common/templates/conf/output/01-es.conf.j2 b/ansible/roles/common/templates/conf/output/01-es.conf.j2
index 38500e8e94..c586938668 100644
--- a/ansible/roles/common/templates/conf/output/01-es.conf.j2
+++ b/ansible/roles/common/templates/conf/output/01-es.conf.j2
@@ -11,6 +11,9 @@
 {% if fluentd_elasticsearch_scheme == 'https' %}
 ssl_version {{ fluentd_elasticsearch_ssl_version }}
 ssl_verify {{ fluentd_elasticsearch_ssl_verify }}
+{% if fluentd_elasticsearch_cacert | length > 0 %}
+ ca_file {{ fluentd_elasticsearch_cacert }}
+{% endif %}
 {% endif %}
 {% if fluentd_elasticsearch_user != '' and fluentd_elasticsearch_password != ''%}
 user {{ fluentd_elasticsearch_user }}
diff --git a/releasenotes/notes/fluentd-elasticsearch-cacert-0e8824dd57052913.yaml b/releasenotes/notes/fluentd-elasticsearch-cacert-0e8824dd57052913.yaml
new file mode 100644
index 0000000000..61e014daf5
--- /dev/null
+++ b/releasenotes/notes/fluentd-elasticsearch-cacert-0e8824dd57052913.yaml
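Review bot: The added `ca_file` line is gated only on the https scheme and a non-empty `fluentd_elasticsearch_cacert`, not on `fluentd_elasticsearch_ssl_verify`. With verification switched off the rendered config still names a CA bundle, which presumably has no effect and can suggest the peer is being authenticated when it is not. The same three lines recur in the second hunk of 00-local.conf.j2 (`@@ -78,6 +81,9 @@`) and in 01-es.conf.j2. Nothing visible in this patch makes the bundle readable at that path by the fluentd process, so that is worth confirming, as a missing file would likely break the TLS connection to Elasticsearch. A template comment above the condition, e.g. `{# ca_file only matters while ssl_verify is true; the path must be readable by fluentd #}`, would record both dependencies; the enclosing output blocks start and end outside these hunks.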
@@ -0,0 +1,8 @@
+---
+fixes:
+ - |
+ Adds a new variable ``fluentd_elasticsearch_cacert``, which defaults to the
+ value of ``openstack_cacert``. If set, this will be used to set the path of
+ the CA certificate bundle used by Fluentd when communicating with
+ Elasticsearch. `LP#1885109
+ `__