From 6bae6da36c069387632a12788c8493b336b109de Mon Sep 17 00:00:00 2001
From: Mark Goddard <mark@stackhpc.com>
Date: Fri, 21 Feb 2020 10:14:50 +0000
Subject: [PATCH] Fix kibana deployment with openstack_cacert unset

When deploying Kibana with the default configuration of openstack_cacert
being unset, it fails due to an invalid configuration. The error message
is both unfriendly and useful:

"message":"child \"elasticsearch\" fails because [child \"ssl\" fails
because [child \"certificateAuthorities\" fails because [single value of
\"certificateAuthorities\" fails because [\"certificateAuthorities\"
must be a string]]]]"}

This is because we set elasticsearch.ssl.certificateAuthorities even
when there is no CA cert configured.

This change fixes the issue by only setting
elasticsearch.ssl.certificateAuthorities when a CA cert is configured.

Change-Id: I5954751451b7c931e8a9d79c713a2798522d8b81
Closes-Bug: #1864180
---
 ansible/roles/kibana/templates/kibana.yml.j2              | 2 ++
 releasenotes/notes/kibana-no-cacert-1994d03bc915dfc0.yaml | 6 ++++++
 2 files changed, 8 insertions(+)
 create mode 100644 releasenotes/notes/kibana-no-cacert-1994d03bc915dfc0.yaml

diff --git a/ansible/roles/kibana/templates/kibana.yml.j2 b/ansible/roles/kibana/templates/kibana.yml.j2
index bf0043a700..d613c3c980 100644
--- a/ansible/roles/kibana/templates/kibana.yml.j2
+++ b/ansible/roles/kibana/templates/kibana.yml.j2
@@ -6,4 +6,6 @@ elasticsearch.url: "{{ internal_protocol }}://{{ kolla_internal_fqdn | put_addre
 elasticsearch.requestTimeout: {{ kibana_elasticsearch_request_timeout }}
 elasticsearch.shardTimeout: {{ kibana_elasticsearch_shard_timeout }}
 elasticsearch.ssl.verificationMode: "{{ 'full' if kibana_elasticsearch_ssl_verify | bool else 'none' }}"
+{% if openstack_cacert | length > 0 %}
 elasticsearch.ssl.certificateAuthorities: {{ openstack_cacert }}
+{% endif %}
diff --git a/releasenotes/notes/kibana-no-cacert-1994d03bc915dfc0.yaml b/releasenotes/notes/kibana-no-cacert-1994d03bc915dfc0.yaml
new file mode 100644
index 0000000000..c7376fbef4
--- /dev/null
+++ b/releasenotes/notes/kibana-no-cacert-1994d03bc915dfc0.yaml
@@ -0,0 +1,6 @@
+---
+fixes:
+  - |
+    Fixes an issue with Kibana deployment when ``openstack_cacert`` is unset.
+    See `bug 1864180 <https://bugs.launchpad.net/kolla-ansible/+bug/1864180>`_
+    for details.