diff --git a/ansible/group_vars/all.yml b/ansible/group_vars/all.yml
index 4e53d496a6..5ad1be8706 100644
--- a/ansible/group_vars/all.yml
+++ b/ansible/group_vars/all.yml
@@ -759,7 +759,7 @@ kolla_external_fqdn_cert: "{{ node_config }}/certificates/haproxy.pem"
 kolla_internal_fqdn_cert: "{{ node_config }}/certificates/haproxy-internal.pem"
 kolla_external_fqdn_cacert: "{{ node_config }}/certificates/haproxy-ca.crt"
 kolla_internal_fqdn_cacert: "{{ node_config }}/certificates/haproxy-ca-internal.crt"
-
+kolla_copy_ca_into_containers: "no"
 
 ####################
 # Kibana options
diff --git a/ansible/roles/aodh/tasks/config.yml b/ansible/roles/aodh/tasks/config.yml
index dbcdace495..9fe60c3b72 100644
--- a/ansible/roles/aodh/tasks/config.yml
+++ b/ansible/roles/aodh/tasks/config.yml
@@ -45,6 +45,18 @@
   notify:
     - "Restart {{ item.key }} container"
 
+- name: Copying over extra CA certificates
+  become: true
+  copy:
+    src: "{{ node_config }}/certificates/ca/"
+    dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates"
+    mode: "0644"
+  when:
+    - item.value.enabled | bool
+    - inventory_hostname in groups[item.value.group]
+    - kolla_copy_ca_into_containers | bool
+  with_dict: "{{ aodh_services }}"
+
 - name: Copying over config.json files for services
   template:
     src: "{{ item.key }}.json.j2"
diff --git a/ansible/roles/barbican/tasks/config.yml b/ansible/roles/barbican/tasks/config.yml
index 7ea8170976..d28f667378 100644
--- a/ansible/roles/barbican/tasks/config.yml
+++ b/ansible/roles/barbican/tasks/config.yml
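Review bot: `kolla_copy_ca_into_containers: "no"` is added to all.yml without a comment, so an operator reading the variable cannot tell what it copies or what it requires; the role hunks in this commit show the task copies `{{ node_config }}/certificates/ca/` into each enabled service's `ca-certificates` config directory, and Ansible's `copy` fails when that source directory is absent on the deploy host. Suggest two comment lines above the key: `# Copy the extra CA certificates in {{ node_config }}/certificates/ca/ into each enabled service's config directory.` and `# The directory must exist on the deploy host when this is set to "yes".` It is worth saying in the same place that everything dropped into that directory is distributed to every enabled service as an extra CA, so it deserves the same access control as the key material referenced by the neighbouring `kolla_*_fqdn_cert` paths.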
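Review bot: The new task is pasted verbatim into 48 role config.yml files, differing only in the `with_dict` source, and the `when` list is already drifting between copies: aodh tests `item.value.enabled` before the group check, while barbican, blazar, ceilometer, cinder and heat test `inventory_hostname in groups[item.value.group]` first. Ansible evaluates a `when` list in order and stops at the first false condition, so the global switch should lead in every copy: `- kolla_copy_ca_into_containers | bool`, then `- item.value.enabled | bool`, then `- inventory_hostname in groups[item.value.group]`, which skips the `groups[...]` lookup entirely on deployments that leave the feature at its default "no". Longer term a single shared task file included with the services dict as a parameter would keep the 48 copies from diverging further; the condition order is the one thing I would fix in this commit.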
@@ -47,6 +47,18 @@
   when:
     - barbican_policy.results
 
+- name: Copying over extra CA certificates
+  become: true
+  copy:
+    src: "{{ node_config }}/certificates/ca/"
+    dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates"
+    mode: "0644"
+  when:
+    - inventory_hostname in groups[item.value.group]
+    - item.value.enabled | bool
+    - kolla_copy_ca_into_containers | bool
+  with_dict: "{{ barbican_services }}"
+
 - name: Copying over config.json files for services
   template:
     src: "{{ item.key }}.json.j2"
diff --git a/ansible/roles/blazar/tasks/config.yml b/ansible/roles/blazar/tasks/config.yml
index 7ac5462a73..e96a51d069 100644
--- a/ansible/roles/blazar/tasks/config.yml
+++ b/ansible/roles/blazar/tasks/config.yml
@@ -31,6 +31,18 @@
   when:
     - blazar_policy.results
 
+- name: Copying over extra CA certificates
+  become: true
+  copy:
+    src: "{{ node_config }}/certificates/ca/"
+    dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates"
+    mode: "0644"
+  when:
+    - inventory_hostname in groups[item.value.group]
+    - item.value.enabled | bool
+    - kolla_copy_ca_into_containers | bool
+  with_dict: "{{ blazar_services }}"
+
 - name: Copying over config.json files for services
   template:
     src: "{{ item.key }}.json.j2"
diff --git a/ansible/roles/ceilometer/tasks/config.yml b/ansible/roles/ceilometer/tasks/config.yml
index 1e3ba49a86..b726d0c81a 100644
--- a/ansible/roles/ceilometer/tasks/config.yml
+++ b/ansible/roles/ceilometer/tasks/config.yml
@@ -136,6 +136,18 @@
   when:
     - ceilometer_policy.results
 
+- name: Copying over extra CA certificates
+  become: true
+  copy:
+    src: "{{ node_config }}/certificates/ca/"
+    dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates"
+    mode: "0644"
+  when:
+    - inventory_hostname in groups[item.value.group]
+    - item.value.enabled | bool
+    - kolla_copy_ca_into_containers | bool
+  with_dict: "{{ ceilometer_services }}"
+
 - name: Copying over config.json files for services
   template:
     src: "{{ item.key }}.json.j2"
diff --git a/ansible/roles/cinder/tasks/config.yml b/ansible/roles/cinder/tasks/config.yml
index ec052f5152..9e9db41fd3 100644
--- a/ansible/roles/cinder/tasks/config.yml
+++ b/ansible/roles/cinder/tasks/config.yml
@@ -46,6 +46,18 @@
   when:
     - cinder_policy.results
 
+- name: Copying over extra CA certificates
+  become: true
+  copy:
+    src: "{{ node_config }}/certificates/ca/"
+    dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates"
+    mode: "0644"
+  when:
+    - inventory_hostname in groups[item.value.group]
+    - item.value.enabled | bool
+    - kolla_copy_ca_into_containers | bool
+  with_dict: "{{ cinder_services }}"
+
 - name: Copying over config.json files for services
   template:
     src: "{{ item.key }}.json.j2"
diff --git a/ansible/roles/cloudkitty/tasks/config.yml b/ansible/roles/cloudkitty/tasks/config.yml
index 700803ccd3..f810d5a674 100644
--- a/ansible/roles/cloudkitty/tasks/config.yml
+++ b/ansible/roles/cloudkitty/tasks/config.yml
@@ -55,6 +55,18 @@
   set_fact:
     cloudkitty_custom_metrics_used: "{{ cloudkitty_custom_metrics_file.stat.exists }}"
 
+- name: Copying over extra CA certificates
+  become: true
+  copy:
+    src: "{{ node_config }}/certificates/ca/"
+    dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates"
+    mode: "0644"
+  when:
+    - item.value.enabled | bool
+    - inventory_hostname in groups[item.value.group]
+    - kolla_copy_ca_into_containers | bool
+  with_dict: "{{ cloudkitty_services }}"
+
 - name: Copying over config.json files for services
   template:
     src: "{{ item.key }}.json.j2"
diff --git a/ansible/roles/common/tasks/config.yml b/ansible/roles/common/tasks/config.yml
index 83f1b3cc73..5734bd9864 100644
--- a/ansible/roles/common/tasks/config.yml
+++ b/ansible/roles/common/tasks/config.yml
@@ -52,6 +52,17 @@
     fluentd_binary: "{{ fluentd_labels.images.0.ContainerConfig.Labels.fluentd_binary }}"
   when: enable_fluentd | bool
 
+- name: Copying over extra CA certificates
+  become: true
+  copy:
+    src: "{{ node_config }}/certificates/ca/"
+    dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates"
+    mode: "0644"
+  when:
+    - item.value.enabled | bool
+    - kolla_copy_ca_into_containers | bool
+  with_dict: "{{ common_services }}"
+
 - name: Copying over config.json files for services
   template:
     src: "{{ item.key }}.json.j2"
diff --git a/ansible/roles/congress/tasks/config.yml b/ansible/roles/congress/tasks/config.yml
index 9f066c4edd..e4b1896761 100644
--- a/ansible/roles/congress/tasks/config.yml
+++ b/ansible/roles/congress/tasks/config.yml
@@ -31,6 +31,18 @@
   when:
     - congress_policy.results
 
+- name: Copying over extra CA certificates
+  become: true
+  copy:
+    src: "{{ node_config }}/certificates/ca/"
+    dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates"
+    mode: "0644"
+  when:
+    - item.value.enabled | bool
+    - inventory_hostname in groups[item.value.group]
+    - kolla_copy_ca_into_containers | bool
+  with_dict: "{{ congress_services }}"
+
 - name: Copying over config.json files for services
   template:
     src: "{{ item.key }}.json.j2"
diff --git a/ansible/roles/cyborg/tasks/config.yml b/ansible/roles/cyborg/tasks/config.yml
index b6adeab877..d1492244b9 100644
--- a/ansible/roles/cyborg/tasks/config.yml
+++ b/ansible/roles/cyborg/tasks/config.yml
@@ -45,6 +45,18 @@
   notify:
     - Restart {{ item.key }} container
 
+- name: Copying over extra CA certificates
+  become: true
+  copy:
+    src: "{{ node_config }}/certificates/ca/"
+    dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates"
+    mode: "0644"
+  when:
+    - item.value.enabled | bool
+    - inventory_hostname in groups[item.value.group]
+    - kolla_copy_ca_into_containers | bool
+  with_dict: "{{ cyborg_services }}"
+
 - name: Copying over config.json files for services
   template:
     src: "{{ item.key }}.json.j2"
diff --git a/ansible/roles/designate/tasks/config.yml b/ansible/roles/designate/tasks/config.yml
index bf8f8d441b..07f73bb7b1 100644
--- a/ansible/roles/designate/tasks/config.yml
+++ b/ansible/roles/designate/tasks/config.yml
@@ -31,6 +31,18 @@
   when:
     - designate_policy.results
 
+- name: Copying over extra CA certificates
+  become: true
+  copy:
+    src: "{{ node_config }}/certificates/ca/"
+    dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates"
+    mode: "0644"
+  when:
+    - item.value.enabled | bool
+    - inventory_hostname in groups[item.value.group]
+    - kolla_copy_ca_into_containers | bool
+  with_dict: "{{ designate_services }}"
+
 - name: Copying over config.json files for services
   template:
     src: "{{ item.key }}.json.j2"
diff --git a/ansible/roles/elasticsearch/tasks/config.yml b/ansible/roles/elasticsearch/tasks/config.yml
index c8fbc75eeb..c9660e113b 100644
--- a/ansible/roles/elasticsearch/tasks/config.yml
+++ b/ansible/roles/elasticsearch/tasks/config.yml
@@ -21,6 +21,17 @@
     - item.value.enabled | bool
   with_dict: "{{ elasticsearch_services }}"
 
+- name: Copying over extra CA certificates
+  become: true
+  copy:
+    src: "{{ node_config }}/certificates/ca/"
+    dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates"
+    mode: "0644"
+  when:
+    - item.value.enabled | bool
+    - kolla_copy_ca_into_containers | bool
+  with_dict: "{{ elasticsearch_services }}"
+
 - name: Copying over config.json files for services
   template:
     src: "{{ item.key }}.json.j2"
diff --git a/ansible/roles/freezer/tasks/config.yml b/ansible/roles/freezer/tasks/config.yml
index 648882e934..df24c8cdf8 100644
--- a/ansible/roles/freezer/tasks/config.yml
+++ b/ansible/roles/freezer/tasks/config.yml
@@ -31,6 +31,18 @@
   when:
     - freezer_policy.results
 
+- name: Copying over extra CA certificates
+  become: true
+  copy:
+    src: "{{ node_config }}/certificates/ca/"
+    dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates"
+    mode: "0644"
+  when:
+    - item.value.enabled | bool
+    - inventory_hostname in groups[item.value.group]
+    - kolla_copy_ca_into_containers | bool
+  with_dict: "{{ freezer_services }}"
+
 - name: Copying over config.json files for services
   template:
     src: "{{ item.key }}.json.j2"
diff --git a/ansible/roles/glance/tasks/config.yml b/ansible/roles/glance/tasks/config.yml
index 8fe21562b8..cdd589b520 100644
--- a/ansible/roles/glance/tasks/config.yml
+++ b/ansible/roles/glance/tasks/config.yml
@@ -41,6 +41,18 @@
   when:
     - glance_policy.results
 
+- name: Copying over extra CA certificates
+  become: true
+  copy:
+    src: "{{ node_config }}/certificates/ca/"
+    dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates"
+    mode: "0644"
+  when:
+    - item.value.enabled | bool
+    - inventory_hostname in groups[item.value.group]
+    - kolla_copy_ca_into_containers | bool
+  with_dict: "{{ glance_services }}"
+
 - name: Copying over config.json files for services
   template:
     src: "{{ item.key }}.json.j2"
diff --git a/ansible/roles/gnocchi/tasks/config.yml b/ansible/roles/gnocchi/tasks/config.yml
index 85a9847fb8..aa4612028b 100644
--- a/ansible/roles/gnocchi/tasks/config.yml
+++ b/ansible/roles/gnocchi/tasks/config.yml
@@ -41,6 +41,18 @@
   when:
     - gnocchi_policy.results
 
+- name: Copying over extra CA certificates
+  become: true
+  copy:
+    src: "{{ node_config }}/certificates/ca/"
+    dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates"
+    mode: "0644"
+  when:
+    - item.value.enabled | bool
+    - inventory_hostname in groups[item.value.group]
+    - kolla_copy_ca_into_containers | bool
+  with_dict: "{{ gnocchi_services }}"
+
 - name: Copying over config.json files for services
   template:
     src: "{{ item.key }}.json.j2"
diff --git a/ansible/roles/grafana/tasks/config.yml b/ansible/roles/grafana/tasks/config.yml
index 174f011f01..01d0f6dd92 100644
--- a/ansible/roles/grafana/tasks/config.yml
+++ b/ansible/roles/grafana/tasks/config.yml
@@ -20,6 +20,17 @@
   run_once: True
   register: check_extra_conf_grafana
 
+- name: Copying over extra CA certificates
+  become: true
+  copy:
+    src: "{{ node_config }}/certificates/ca/"
+    dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates"
+    mode: "0644"
+  when:
+    - item.value.enabled | bool
+    - kolla_copy_ca_into_containers | bool
+  with_dict: "{{ grafana_services }}"
+
 - name: Copying over config.json files
   template:
     src: "{{ item.key }}.json.j2"
diff --git a/ansible/roles/heat/tasks/config.yml b/ansible/roles/heat/tasks/config.yml
index 1cb4638397..e51a78cb50 100644
--- a/ansible/roles/heat/tasks/config.yml
+++ b/ansible/roles/heat/tasks/config.yml
@@ -31,6 +31,18 @@
   when:
     - heat_policy.results
 
+- name: Copying over extra CA certificates
+  become: true
+  copy:
+    src: "{{ node_config }}/certificates/ca/"
+    dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates"
+    mode: "0644"
+  when:
+    - inventory_hostname in groups[item.value.group]
+    - item.value.enabled | bool
+    - kolla_copy_ca_into_containers | bool
+  with_dict: "{{ heat_services }}"
+
 - name: Copying over config.json files for services
   become: true
   template:
diff --git a/ansible/roles/ironic/tasks/config.yml b/ansible/roles/ironic/tasks/config.yml
index eea6b194c8..c337f924ca 100644
--- a/ansible/roles/ironic/tasks/config.yml
+++ b/ansible/roles/ironic/tasks/config.yml
@@ -38,6 +38,18 @@
   when:
     - ironic_policy.results
 
+- name: Copying over extra CA certificates
+  become: true
+  copy:
+    src: "{{ node_config }}/certificates/ca/"
+    dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates"
+    mode: "0644"
+  when:
+    - item.value.enabled | bool
+    - inventory_hostname in groups[item.value.group]
+    - kolla_copy_ca_into_containers | bool
+  with_dict: "{{ ironic_services }}"
+
 - name: Copying over config.json files for services
   template:
     src: "{{ item.key }}.json.j2"
diff --git a/ansible/roles/karbor/tasks/config.yml b/ansible/roles/karbor/tasks/config.yml
index 1337c1013d..18a535e2f4 100644
--- a/ansible/roles/karbor/tasks/config.yml
+++ b/ansible/roles/karbor/tasks/config.yml
@@ -12,6 +12,18 @@
     - item.value.enabled | bool
   with_dict: "{{ karbor_services }}"
 
+- name: Copying over extra CA certificates
+  become: true
+  copy:
+    src: "{{ node_config }}/certificates/ca/"
+    dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates"
+    mode: "0644"
+  when:
+    - item.value.enabled | bool
+    - inventory_hostname in groups[item.value.group]
+    - kolla_copy_ca_into_containers | bool
+  with_dict: "{{ karbor_services }}"
+
 - name: Copying over config.json files for services
   template:
     src: "{{ item.key }}.json.j2"
diff --git a/ansible/roles/keystone/tasks/config.yml b/ansible/roles/keystone/tasks/config.yml
index 1b4c2cf6bf..bc56b44cbb 100644
--- a/ansible/roles/keystone/tasks/config.yml
+++ b/ansible/roles/keystone/tasks/config.yml
@@ -38,6 +38,18 @@
   run_once: True
   register: keystone_domain_directory
 
+- name: Copying over extra CA certificates
+  become: true
+  copy:
+    src: "{{ node_config }}/certificates/ca/"
+    dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates"
+    mode: "0644"
+  when:
+    - item.value.enabled | bool
+    - inventory_hostname in groups[item.value.group]
+    - kolla_copy_ca_into_containers | bool
+  with_dict: "{{ keystone_services }}"
+
 - name: Copying over config.json files for services
   template:
     src: "{{ item.key }}.json.j2"
diff --git a/ansible/roles/kibana/tasks/config.yml b/ansible/roles/kibana/tasks/config.yml
index 023dbdddcf..a32c8d7576 100644
--- a/ansible/roles/kibana/tasks/config.yml
+++ b/ansible/roles/kibana/tasks/config.yml
@@ -12,6 +12,18 @@
     - item.value.enabled | bool
   with_dict: "{{ kibana_services }}"
 
+- name: Copying over extra CA certificates
+  become: true
+  copy:
+    src: "{{ node_config }}/certificates/ca/"
+    dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates"
+    mode: "0644"
+  when:
+    - item.value.enabled | bool
+    - inventory_hostname in groups[item.value.group]
+    - kolla_copy_ca_into_containers | bool
+  with_dict: "{{ kibana_services }}"
+
 - name: Copying over config.json files for services
   template:
     src: "{{ item.key }}.json.j2"
diff --git a/ansible/roles/kuryr/tasks/config.yml b/ansible/roles/kuryr/tasks/config.yml
index 7ca0160d06..6f6077110e 100644
--- a/ansible/roles/kuryr/tasks/config.yml
+++ b/ansible/roles/kuryr/tasks/config.yml
@@ -31,6 +31,18 @@
   when:
     - kuryr_policy.results
 
+- name: Copying over extra CA certificates
+  become: true
+  copy:
+    src: "{{ node_config }}/certificates/ca/"
+    dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates"
+    mode: "0644"
+  when:
+    - item.value.enabled | bool
+    - inventory_hostname in groups[item.value.group]
+    - kolla_copy_ca_into_containers | bool
+  with_dict: "{{ kuryr_services }}"
+
 - name: Copying over config.json files for services
   template:
     src: "{{ item.key }}.json.j2"
diff --git a/ansible/roles/magnum/tasks/config.yml b/ansible/roles/magnum/tasks/config.yml
index 5d4dea08d4..a3ecf85e25 100644
--- a/ansible/roles/magnum/tasks/config.yml
+++ b/ansible/roles/magnum/tasks/config.yml
@@ -31,6 +31,18 @@
   when:
     - magnum_policy.results
 
+- name: Copying over extra CA certificates
+  become: true
+  copy:
+    src: "{{ node_config }}/certificates/ca/"
+    dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates"
+    mode: "0644"
+  when:
+    - item.value.enabled | bool
+    - inventory_hostname in groups[item.value.group]
+    - kolla_copy_ca_into_containers | bool
+  with_dict: "{{ magnum_services }}"
+
 - name: Copying over config.json files for services
   template:
     src: "{{ item.key }}.json.j2"
diff --git a/ansible/roles/manila/tasks/config.yml b/ansible/roles/manila/tasks/config.yml
index 0137548507..78eff7c59a 100644
--- a/ansible/roles/manila/tasks/config.yml
+++ b/ansible/roles/manila/tasks/config.yml
@@ -45,6 +45,18 @@
   when:
     - manila_policy.results
 
+- name: Copying over extra CA certificates
+  become: true
+  copy:
+    src: "{{ node_config }}/certificates/ca/"
+    dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates"
+    mode: "0644"
+  when:
+    - item.value.enabled | bool
+    - inventory_hostname in groups[item.value.group]
+    - kolla_copy_ca_into_containers | bool
+  with_dict: "{{ manila_services }}"
+
 - name: Copying over config.json files for services
   template:
     src: "{{ item.key }}.json.j2"
diff --git a/ansible/roles/mistral/tasks/config.yml b/ansible/roles/mistral/tasks/config.yml
index 47e337954f..00e2096e9c 100644
--- a/ansible/roles/mistral/tasks/config.yml
+++ b/ansible/roles/mistral/tasks/config.yml
@@ -31,6 +31,18 @@
   when:
     - mistral_policy.results
 
+- name: Copying over extra CA certificates
+  become: true
+  copy:
+    src: "{{ node_config }}/certificates/ca/"
+    dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates"
+    mode: "0644"
+  when:
+    - item.value.enabled | bool
+    - inventory_hostname in groups[item.value.group]
+    - kolla_copy_ca_into_containers | bool
+  with_dict: "{{ mistral_services }}"
+
 - name: Copying over config.json files for services
   template:
     src: "{{ item.key }}.json.j2"
diff --git a/ansible/roles/monasca/tasks/config.yml b/ansible/roles/monasca/tasks/config.yml
index 9b8b56ae53..d29aaf6d69 100644
--- a/ansible/roles/monasca/tasks/config.yml
+++ b/ansible/roles/monasca/tasks/config.yml
@@ -12,6 +12,18 @@
     - item.value.enabled | bool
   with_dict: "{{ monasca_services }}"
 
+- name: Copying over extra CA certificates
+  become: true
+  copy:
+    src: "{{ node_config }}/certificates/ca/"
+    dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates"
+    mode: "0644"
+  when:
+    - item.value.enabled | bool
+    - inventory_hostname in groups[item.value.group]
+    - kolla_copy_ca_into_containers | bool
+  with_dict: "{{ monasca_services }}"
+
 - name: Copying over config.json files for services
   template:
     src: "{{ item.key }}/{{ item.key }}.json.j2"
diff --git a/ansible/roles/murano/tasks/config.yml b/ansible/roles/murano/tasks/config.yml
index e6be02ca71..879b34c139 100644
--- a/ansible/roles/murano/tasks/config.yml
+++ b/ansible/roles/murano/tasks/config.yml
@@ -31,6 +31,18 @@
   when:
     - murano_policy.results
 
+- name: Copying over extra CA certificates
+  become: true
+  copy:
+    src: "{{ node_config }}/certificates/ca/"
+    dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates"
+    mode: "0644"
+  when:
+    - item.value.enabled | bool
+    - inventory_hostname in groups[item.value.group]
+    - kolla_copy_ca_into_containers | bool
+  with_dict: "{{ murano_services }}"
+
 - name: Copying over config.json files for services
   template:
     src: "{{ item.key }}.json.j2"
diff --git a/ansible/roles/neutron/tasks/config.yml b/ansible/roles/neutron/tasks/config.yml
index 0207f938a0..c28ef33a7f 100644
--- a/ansible/roles/neutron/tasks/config.yml
+++ b/ansible/roles/neutron/tasks/config.yml
@@ -47,6 +47,18 @@
   changed_when: False
   register: check_extra_ml2_plugins
 
+- name: Copying over extra CA certificates
+  become: true
+  copy:
+    src: "{{ node_config }}/certificates/ca/"
+    dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates"
+    mode: "0644"
+  when:
+    - item.value.enabled | bool
+    - item.value.host_in_groups | bool
+    - kolla_copy_ca_into_containers | bool
+  with_dict: "{{ neutron_services }}"
+
 - name: Copying over config.json files for services
   become: true
   template:
diff --git a/ansible/roles/nova-cell/tasks/config.yml b/ansible/roles/nova-cell/tasks/config.yml
index b2cf9b9b4a..be5ef3c919 100644
--- a/ansible/roles/nova-cell/tasks/config.yml
+++ b/ansible/roles/nova-cell/tasks/config.yml
@@ -24,6 +24,18 @@
     - item.value.enabled | bool
   with_dict: "{{ nova_cell_services }}"
 
+- name: Copying over extra CA certificates
+  become: true
+  copy:
+    src: "{{ node_config }}/certificates/ca/"
+    dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates"
+    mode: "0644"
+  when:
+    - item.value.enabled | bool
+    - inventory_hostname in groups[item.value.group]
+    - kolla_copy_ca_into_containers | bool
+  with_dict: "{{ nova_cell_services }}"
+
 - include_tasks: ceph.yml
   when:
     - enable_ceph | bool and nova_backend == "rbd"
diff --git a/ansible/roles/nova-hyperv/tasks/config.yml b/ansible/roles/nova-hyperv/tasks/config.yml
index 0893e6f50a..f50cb9a3d8 100644
--- a/ansible/roles/nova-hyperv/tasks/config.yml
+++ b/ansible/roles/nova-hyperv/tasks/config.yml
@@ -33,3 +33,14 @@
     - "{{ node_custom_config }}/nova-hyperv/wsgate.ini"
     - "wsgate.ini.j2"
   notify: Restart FreeRDP-WebConnect
+
+- name: Copying over extra CA certificates
+  become: true
+  copy:
+    src: "{{ node_config }}/certificates/ca/"
+    dest: "{{ node_custom_config }}/nova-hyperv/ca-certificates"
+    mode: "0644"
+  when:
+    - item.value.enabled | bool
+    - inventory_hostname in groups[item.value.group]
+    - kolla_copy_ca_into_containers | bool
diff --git a/ansible/roles/nova/tasks/config.yml b/ansible/roles/nova/tasks/config.yml
index cd910ed473..b9fc628dc7 100644
--- a/ansible/roles/nova/tasks/config.yml
+++ b/ansible/roles/nova/tasks/config.yml
@@ -31,6 +31,18 @@
   when:
     - nova_policy.results
 
+- name: Copying over extra CA certificates
+  become: true
+  copy:
+    src: "{{ node_config }}/certificates/ca/"
+    dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates"
+    mode: "0644"
+  when:
+    - item.value.enabled | bool
+    - inventory_hostname in groups[item.value.group]
+    - kolla_copy_ca_into_containers | bool
+  with_dict: "{{ nova_services }}"
+
 - name: Copying over config.json files for services
   become: true
   template:
diff --git a/ansible/roles/octavia/tasks/config.yml b/ansible/roles/octavia/tasks/config.yml
index c2dbbeedd1..21a2599160 100644
--- a/ansible/roles/octavia/tasks/config.yml
+++ b/ansible/roles/octavia/tasks/config.yml
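Review bot: The nova-hyperv task has no `with_dict`, yet its `when` list reads `item.value.enabled` and `item.value.group`, so `item` is undefined and the conditional errors on every run — including when `kolla_copy_ca_into_containers` is false, because that test is evaluated last. Either loop over the role's services dict as the other roles do, or reduce the conditions to the single line `- kolla_copy_ca_into_containers | bool`. The `dest` also differs from every other hunk: it writes to `{{ node_custom_config }}/nova-hyperv/ca-certificates` rather than under `{{ node_config_directory }}`; if that is deliberate for the Hyper-V host a comment saying so would help, otherwise it looks copied from the template-lookup path in the context lines just above.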
@@ -45,6 +45,18 @@
   notify:
     - "Restart {{ item.key }} container"
 
+- name: Copying over extra CA certificates
+  become: true
+  copy:
+    src: "{{ node_config }}/certificates/ca/"
+    dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates"
+    mode: "0644"
+  when:
+    - item.value.enabled | bool
+    - inventory_hostname in groups[item.value.group]
+    - kolla_copy_ca_into_containers | bool
+  with_dict: "{{ octavia_services }}"
+
 - name: Copying over config.json files for services
   template:
     src: "{{ item.key }}.json.j2"
diff --git a/ansible/roles/panko/tasks/config.yml b/ansible/roles/panko/tasks/config.yml
index 11b6e603e2..a71532e09f 100644
--- a/ansible/roles/panko/tasks/config.yml
+++ b/ansible/roles/panko/tasks/config.yml
@@ -31,6 +31,18 @@
   when:
     - panko_policy.results
 
+- name: Copying over extra CA certificates
+  become: true
+  copy:
+    src: "{{ node_config }}/certificates/ca/"
+    dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates"
+    mode: "0644"
+  when:
+    - item.value.enabled | bool
+    - inventory_hostname in groups[item.value.group]
+    - kolla_copy_ca_into_containers | bool
+  with_dict: "{{ panko_services }}"
+
 - name: Copying over config.json files for services
   template:
     src: "{{ item.key }}.json.j2"
diff --git a/ansible/roles/placement/tasks/config.yml b/ansible/roles/placement/tasks/config.yml
index 221c8ae53b..cf8e156ce9 100644
--- a/ansible/roles/placement/tasks/config.yml
+++ b/ansible/roles/placement/tasks/config.yml
@@ -31,6 +31,18 @@
   when:
     - placement_policy.results
 
+- name: Copying over extra CA certificates
+  become: true
+  copy:
+    src: "{{ node_config }}/certificates/ca/"
+    dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates"
+    mode: "0644"
+  when:
+    - item.value.enabled | bool
+    - inventory_hostname in groups[item.value.group]
+    - kolla_copy_ca_into_containers | bool
+  with_dict: "{{ placement_services }}"
+
 - name: Copying over config.json files for services
   become: true
   template:
diff --git a/ansible/roles/prometheus/tasks/config.yml b/ansible/roles/prometheus/tasks/config.yml
index e8a0d921e2..31876f9c28 100644
--- a/ansible/roles/prometheus/tasks/config.yml
+++ b/ansible/roles/prometheus/tasks/config.yml
@@ -12,6 +12,18 @@
     - item.value.enabled | bool
   with_dict: "{{ prometheus_services }}"
 
+- name: Copying over extra CA certificates
+  become: true
+  copy:
+    src: "{{ node_config }}/certificates/ca/"
+    dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates"
+    mode: "0644"
+  when:
+    - item.value.enabled | bool
+    - inventory_hostname in groups[item.value.group]
+    - kolla_copy_ca_into_containers | bool
+  with_dict: "{{ prometheus_services }}"
+
 - name: Copying over config.json files
   become: true
   template:
diff --git a/ansible/roles/qinling/tasks/config.yml b/ansible/roles/qinling/tasks/config.yml
index 1d5dd75376..5b807b80b5 100644
--- a/ansible/roles/qinling/tasks/config.yml
+++ b/ansible/roles/qinling/tasks/config.yml
@@ -36,6 +36,18 @@
   when:
     - qinling_policy.results
 
+- name: Copying over extra CA certificates
+  become: true
+  copy:
+    src: "{{ node_config }}/certificates/ca/"
+    dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates"
+    mode: "0644"
+  when:
+    - item.value.enabled | bool
+    - inventory_hostname in groups[item.value.group]
+    - kolla_copy_ca_into_containers | bool
+  with_dict: "{{ qinling_services }}"
+
 - name: Copying over config.json files for services
   template:
     src: "{{ item.key }}.json.j2"
diff --git a/ansible/roles/rally/tasks/config.yml b/ansible/roles/rally/tasks/config.yml
index baa8f4064f..04535d13a2 100644
--- a/ansible/roles/rally/tasks/config.yml
+++ b/ansible/roles/rally/tasks/config.yml
@@ -31,6 +31,18 @@
   when:
     - rally_policy.results
 
+- name: Copying over extra CA certificates
+  become: true
+  copy:
+    src: "{{ node_config }}/certificates/ca/"
+    dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates"
+    mode: "0644"
+  when:
+    - item.value.enabled | bool
+    - inventory_hostname in groups[item.value.group]
+    - kolla_copy_ca_into_containers | bool
+  with_dict: "{{ rally_services }}"
+
 - name: Copying over config.json files for services
   template:
     src: "{{ item.key }}.json.j2"
diff --git a/ansible/roles/sahara/tasks/config.yml b/ansible/roles/sahara/tasks/config.yml
index d3455b888b..fb2fe4e168 100644
--- a/ansible/roles/sahara/tasks/config.yml
+++ b/ansible/roles/sahara/tasks/config.yml
@@ -31,6 +31,18 @@
   when:
     - sahara_policy.results
 
+- name: Copying over extra CA certificates
+  become: true
+  copy:
+    src: "{{ node_config }}/certificates/ca/"
+    dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates"
+    mode: "0644"
+  when:
+    - item.value.enabled | bool
+    - inventory_hostname in groups[item.value.group]
+    - kolla_copy_ca_into_containers | bool
+  with_dict: "{{ sahara_services }}"
+
 - name: Copying over config.json files for services
   template:
     src: "{{ item.key }}.json.j2"
diff --git a/ansible/roles/searchlight/tasks/config.yml b/ansible/roles/searchlight/tasks/config.yml
index a660cfb50a..d37f53e533 100644
--- a/ansible/roles/searchlight/tasks/config.yml
+++ b/ansible/roles/searchlight/tasks/config.yml
@@ -31,6 +31,18 @@
   when:
     - searchlight_policy.results
 
+- name: Copying over extra CA certificates
+  become: true
+  copy:
+    src: "{{ node_config }}/certificates/ca/"
+    dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates"
+    mode: "0644"
+  when:
+    - item.value.enabled | bool
+    - inventory_hostname in groups[item.value.group]
+    - kolla_copy_ca_into_containers | bool
+  with_dict: "{{ searchlight_config_jsons }}"
+
 - name: Copying over config.json files for services
   template:
     src: "{{ item.key }}.json.j2"
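Review bot: In the searchlight hunk `with_dict: "{{ searchlight_config_jsons }}"` departs from the `<role>_services` source every other role in this commit uses, while the `when` list still reads `item.value.enabled` and `item.value.group`; unless that dict carries those keys the conditional fails on an undefined attribute, and even if it does, the loop may not cover the same set of services. If the role defines `searchlight_services` like its siblings, this should be `with_dict: "{{ searchlight_services }}"`.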
diff --git a/ansible/roles/senlin/tasks/config.yml b/ansible/roles/senlin/tasks/config.yml
index e1220b31f9..62f69f2206 100644
--- a/ansible/roles/senlin/tasks/config.yml
+++ b/ansible/roles/senlin/tasks/config.yml
@@ -31,6 +31,18 @@
   when:
     - senlin_policy.results
 
+- name: Copying over extra CA certificates
+  become: true
+  copy:
+    src: "{{ node_config }}/certificates/ca/"
+    dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates"
+    mode: "0644"
+  when:
+    - item.value.enabled | bool
+    - inventory_hostname in groups[item.value.group]
+    - kolla_copy_ca_into_containers | bool
+  with_dict: "{{ senlin_services }}"
+
 - name: Copying over config.json files for services
   template:
     src: "{{ item.key }}.json.j2"
diff --git a/ansible/roles/skydive/tasks/config.yml b/ansible/roles/skydive/tasks/config.yml
index 4069586016..9670eedc01 100644
--- a/ansible/roles/skydive/tasks/config.yml
+++ b/ansible/roles/skydive/tasks/config.yml
@@ -12,6 +12,18 @@
     - item.value.enabled | bool
   with_dict: "{{ skydive_services }}"
 
+- name: Copying over extra CA certificates
+  become: true
+  copy:
+    src: "{{ node_config }}/certificates/ca/"
+    dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates"
+    mode: "0644"
+  when:
+    - item.value.enabled | bool
+    - inventory_hostname in groups[item.value.group]
+    - kolla_copy_ca_into_containers | bool
+  with_dict: "{{ skydive_services }}"
+
 - name: Copying over default config.json files
   template:
     src: "{{ item.key }}.json.j2"
diff --git a/ansible/roles/solum/tasks/config.yml b/ansible/roles/solum/tasks/config.yml
index 6e6c8c56ae..4b3b842922 100644
--- a/ansible/roles/solum/tasks/config.yml
+++ b/ansible/roles/solum/tasks/config.yml
@@ -12,6 +12,18 @@
     - item.value.enabled | bool
   with_dict: "{{ solum_services }}"
 
+- name: Copying over extra CA certificates
+  become: true
+  copy:
+    src: "{{ node_config }}/certificates/ca/"
+    dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates"
+    mode: "0644"
+  when:
+    - item.value.enabled | bool
+    - inventory_hostname in groups[item.value.group]
+    - kolla_copy_ca_into_containers | bool
+  with_dict: "{{ solum_services }}"
+
 - name: Copying over config.json files for services
   template:
     src: "{{ item.key }}.json.j2"
diff --git a/ansible/roles/swift/tasks/config.yml b/ansible/roles/swift/tasks/config.yml
index 8a70049192..7613ef6bc9 100644
--- a/ansible/roles/swift/tasks/config.yml
+++ b/ansible/roles/swift/tasks/config.yml
@@ -28,6 +28,18 @@
     - "swift-proxy-server"
     - "swift-rsyncd"
 
+- name: Copying over extra CA certificates
+  become: true
+  copy:
+    src: "{{ node_config }}/certificates/ca/"
+    dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates"
+    mode: "0644"
+  when:
+    - item.value.enabled | bool
+    - inventory_hostname in groups[item.value.group]
+    - kolla_copy_ca_into_containers | bool
+  with_dict: "{{ swift_services }}"
+
 - name: Copying over config.json files for services
   template:
     src: "{{ item }}.json.j2"
diff --git a/ansible/roles/tacker/tasks/config.yml b/ansible/roles/tacker/tasks/config.yml
index 6995500fa4..0363db4432 100644
--- a/ansible/roles/tacker/tasks/config.yml
+++ b/ansible/roles/tacker/tasks/config.yml
@@ -31,6 +31,18 @@
   when:
     - tacker_policy.results
 
+- name: Copying over extra CA certificates
+  become: true
+  copy:
+    src: "{{ node_config }}/certificates/ca/"
+    dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates"
+    mode: "0644"
+  when:
+    - item.value.enabled | bool
+    - inventory_hostname in groups[item.value.group]
+    - kolla_copy_ca_into_containers | bool
+  with_dict: "{{ tacker_services }}"
+
 - name: Copying over config.json files for services
   template:
     src: "{{ item.key }}.json.j2"
diff --git a/ansible/roles/telegraf/tasks/config.yml b/ansible/roles/telegraf/tasks/config.yml
index 9a80744580..95963a4dc7 100644
--- a/ansible/roles/telegraf/tasks/config.yml
+++ b/ansible/roles/telegraf/tasks/config.yml
@@ -12,6 +12,18 @@
     - item.value.enabled | bool
   with_dict: "{{ telegraf_services }}"
 
+- name: Copying over extra CA certificates
+  become: true
+  copy:
+    src: "{{ node_config }}/certificates/ca/"
+    dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates"
+    mode: "0644"
+  when:
+    - item.value.enabled | bool
+    - inventory_hostname in groups[item.value.group]
+    - kolla_copy_ca_into_containers | bool
+  with_dict: "{{ telegraf_services }}"
+
 - name: Copying over default config.json files
   template:
     src: "telegraf.json.j2"
diff --git a/ansible/roles/tempest/tasks/config.yml b/ansible/roles/tempest/tasks/config.yml
index 6ffb5956cf..899e541fbb 100644
--- a/ansible/roles/tempest/tasks/config.yml
+++ b/ansible/roles/tempest/tasks/config.yml
@@ -12,6 +12,18 @@
     - item.value.enabled | bool
   with_dict: "{{ tempest_services }}"
 
+- name: Copying over extra CA certificates
+  become: true
+  copy:
+    src: "{{ node_config }}/certificates/ca/"
+    dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates"
+    mode: "0644"
+  when:
+    - item.value.enabled | bool
+    - inventory_hostname in groups[item.value.group]
+    - kolla_copy_ca_into_containers | bool
+  with_dict: "{{ tempest_services }}"
+
 - name: Copying over config.json files for services
   template:
     src: "{{ item.key }}.json.j2"
diff --git a/ansible/roles/trove/tasks/config.yml b/ansible/roles/trove/tasks/config.yml
index 7e38e5e462..28d744442e 100644
--- a/ansible/roles/trove/tasks/config.yml
+++ b/ansible/roles/trove/tasks/config.yml
@@ -31,6 +31,18 @@
 when:
 - trove_policy.results
 
+- name: Copying over extra CA certificates
+ become: true
+ copy:
+ src: "{{ node_config }}/certificates/ca/"
+ dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates"
+ mode: "0644"
+ when:
+ - item.value.enabled | bool
+ - inventory_hostname in groups[item.value.group]
+ - kolla_copy_ca_into_containers | bool
+ with_dict: "{{ trove_services }}"
+
 - name: Copying over config.json files for services
 template:
 src: "{{ item.key }}.json.j2"
diff --git a/ansible/roles/vitrage/tasks/config.yml b/ansible/roles/vitrage/tasks/config.yml
index 8c8259401a..017d11ca8e 100644
--- a/ansible/roles/vitrage/tasks/config.yml
+++ b/ansible/roles/vitrage/tasks/config.yml
@@ -31,6 +31,18 @@
 when:
 - vitrage_policy.results
 
+- name: Copying over extra CA certificates
+ become: true
+ copy:
+ src: "{{ node_config }}/certificates/ca/"
+ dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates"
+ mode: "0644"
+ when:
+ - item.value.enabled | bool
+ - inventory_hostname in groups[item.value.group]
+ - kolla_copy_ca_into_containers | bool
+ with_dict: "{{ vitrage_services }}"
+
 - name: Copying over config.json files for services
 template:
 src: "{{ item.key }}.json.j2"
diff --git a/ansible/roles/watcher/tasks/config.yml b/ansible/roles/watcher/tasks/config.yml
index 26aef59ab8..986338976e 100644
--- a/ansible/roles/watcher/tasks/config.yml
+++ b/ansible/roles/watcher/tasks/config.yml
@@ -31,6 +31,18 @@
 when:
 - watcher_policy.results
 
+- name: Copying over extra CA certificates
+ become: true
+ copy:
+ src: "{{ node_config }}/certificates/ca/"
+ dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates"
+ mode: "0644"
+ when:
+ - item.value.enabled | bool
+ - inventory_hostname in groups[item.value.group]
+ - kolla_copy_ca_into_containers | bool
+ with_dict: "{{ watcher_services }}"
+
 - name: Copying over config.json files for services
 template:
 src: "{{ item.key }}.json.j2"
diff --git a/ansible/roles/zun/tasks/config.yml b/ansible/roles/zun/tasks/config.yml
index 1016b6c9fb..d5f841fab3 100644
--- a/ansible/roles/zun/tasks/config.yml
+++ b/ansible/roles/zun/tasks/config.yml
@@ -31,6 +31,18 @@
 when:
 - zun_policy.results
 
+- name: Copying over extra CA certificates
+ become: true
+ copy:
+ src: "{{ node_config }}/certificates/ca/"
+ dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates"
+ mode: "0644"
+ when:
+ - item.value.enabled | bool
+ - inventory_hostname in groups[item.value.group]
+ - kolla_copy_ca_into_containers | bool
+ with_dict: "{{ zun_services }}"
+
 - name: Copying over config.json files for services
 template:
 src: "{{ item.key }}.json.j2"
diff --git a/doc/source/admin/advanced-configuration.rst b/doc/source/admin/advanced-configuration.rst
index ecc2337b0f..9d5b52ed20 100644
--- a/doc/source/admin/advanced-configuration.rst
+++ b/doc/source/admin/advanced-configuration.rst
@@ -165,6 +165,32 @@ configuration file:
 The files haproxy.pem and haproxy-ca.pem will be generated and stored in the
 ``/etc/kolla/certificates/`` directory.
 
+Adding CA Certificates to the Service Containers
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+To copy CA certificate files to the service containers
+
+.. code-block:: yaml
+
+ kolla_copy_ca_into_containers: "yes"
+
+When ``kolla_copy_ca_into_containers`` is configured to "yes", the
+CA certificate files in /etc/kolla/certificates/ca will be copied into
+service containers to enable trust for those CA certificates. This is required
+for any certificates that are either self-signed or signed by a private CA,
+and are not already present in the service image trust store.
+
+All certificate file names will have the "kolla-customca-" prefix appended to
+it when it is copied into the containers. For example, if a certificate file is
+named "internal.crt", it will be named "kolla-customca-internal.crt" in the
+containers.
+
+For Debian and Ubuntu containers, the certificate files will be copied to
+the ``/usr/local/share/ca-certificates/`` directory.
+
+For Centos and Red Hat Linux containers, the certificate files will be copied
+to the ``/etc/pki/ca-trust/source/anchors/`` directory.
+
 .. _service-config:
 
 OpenStack Service Configuration in Kolla
diff --git a/etc/kolla/globals.yml b/etc/kolla/globals.yml
index 9dc85f3f46..e661910b19 100644
--- a/etc/kolla/globals.yml
+++ b/etc/kolla/globals.yml
@@ -186,6 +186,7 @@
 #kolla_internal_fqdn_cert: "{{ node_config }}/certificates/haproxy-internal.pem"
 #kolla_external_fqdn_cacert: "{{ node_config }}/certificates/haproxy-ca.crt"
 #kolla_internal_fqdn_cacert: "{{ node_config }}/certificates/haproxy-ca-internal.crt"
+#kolla_copy_ca_into_containers: "no"
 
 ################
 # Region options
diff --git a/releasenotes/notes/copy-certificate-authority-into-containers-860cbda3384dd731.yaml b/releasenotes/notes/copy-certificate-authority-into-containers-860cbda3384dd731.yaml
new file mode 100644
index 0000000000..78c7e11db8
--- /dev/null
+++ b/releasenotes/notes/copy-certificate-authority-into-containers-860cbda3384dd731.yaml
@@ -0,0 +1,21 @@
+---
+features:
+ - |
+ When 'kolla_copy_ca_into_containers' is configured to 'yes', the
+ certificate authority files in /etc/kolla/certificates/ca will be copied
+ into service containers to enable trust for those CA certificates. This
+ is required for any certificates that are either self-signed or signed by
+ a private CA, and are not already present in the service image trust store.
+ Otherwise, either CA validation will need to be explicitly disabled or the
+ path to the CA certificate must be configured in the service using
+ the ``openstack_cacert`` parameter.
+
+issues:
+ - |
+ Python <= 2.7.9 will not trust self-signed or privately signed CAs even
+ if they are added into the OS trusted CA folder and update-ca-trust is
+ executed. This is also true for the Python Requests library, regardless of
+ Python version. For services that run Python <= 2.7.9 or rely on the
+ Python Requests library, either CA verification must be explicitly disabled
+ in the service or the path to the CA certificate must be configured using
+ the ``openstack_cacert`` parameter.