Merge "Adapt to Octavia Certificate Configuration Guide."

ansible/roles/octavia/tasks/config.yml

@@ -94,9 +94,10 @@
     - inventory_hostname in groups[service.group]
     - service.enabled | bool
   with_items:
-    - cakey.pem
+    - client.cert-and-key.pem
-    - ca_01.pem
+    - client_ca.cert.pem
-    - client.pem
+    - server_ca.cert.pem
+    - server_ca.key.pem
   notify:
     - Restart octavia-worker container
 
@@ -112,9 +113,10 @@
     - inventory_hostname in groups[service.group]
     - service.enabled | bool
   with_items:
-    - cakey.pem
+    - client.cert-and-key.pem
-    - ca_01.pem
+    - client_ca.cert.pem
-    - client.pem
+    - server_ca.cert.pem
+    - server_ca.key.pem
   notify:
     - Restart octavia-housekeeping container
 
@@ -130,9 +132,10 @@
     - inventory_hostname in groups[service.group]
     - service.enabled | bool
   with_items:
-    - cakey.pem
+    - client.cert-and-key.pem
-    - ca_01.pem
+    - client_ca.cert.pem
-    - client.pem
+    - server_ca.cert.pem
+    - server_ca.key.pem
   notify:
     - Restart octavia-health-manager container
 

ansible/roles/octavia/tasks/precheck.yml

@@ -35,6 +35,13 @@
     - container_facts['octavia_health_manager'] is not defined
     - inventory_hostname in groups['octavia-health-manager']
 
+- name: Warn about certificate changes
+  debug:
+    msg: >-
+      Octavia's certificate configuration has been changed since Train. The new
+      configuration requires 4 PEM files. Please check certificate configuration
+      guide at https://docs.openstack.org/octavia/latest/admin/guides/certificates.html
+
 - name: Checking certificate files exist for octavia
   stat:
     path: "{{ node_custom_config }}/octavia/{{ item }}"
@@ -44,6 +51,7 @@
   failed_when: not result.stat.exists
   when: inventory_hostname in groups['octavia-worker']
   with_items:
-    - cakey.pem
+    - client.cert-and-key.pem
-    - ca_01.pem
+    - client_ca.cert.pem
-    - client.pem
+    - server_ca.cert.pem
+    - server_ca.key.pem

ansible/roles/octavia/templates/octavia-health-manager.json.j2

@@ -8,20 +8,26 @@
             "perm": "0600"
         },
         {
-            "source": "{{ container_config_directory }}/cakey.pem",
+            "source": "{{ container_config_directory }}/client.cert-and-key.pem",
-            "dest": "/etc/octavia/certs/private/cakey.pem",
+            "dest": "/etc/octavia/certs/client.cert-and-key.pem",
             "owner": "octavia",
             "perm": "0600"
         },
         {
-            "source": "{{ container_config_directory }}/ca_01.pem",
+            "source": "{{ container_config_directory }}/client_ca.cert.pem",
-            "dest": "/etc/octavia/certs/ca_01.pem",
+            "dest": "/etc/octavia/certs/client_ca.cert.pem",
             "owner": "octavia",
             "perm": "0600"
         },
         {
-            "source": "{{ container_config_directory }}/client.pem",
+            "source": "{{ container_config_directory }}/server_ca.cert.pem",
-            "dest": "/etc/octavia/certs/client.pem",
+            "dest": "/etc/octavia/certs/server_ca.cert.pem",
+            "owner": "octavia",
+            "perm": "0600"
+        },
+        {
+            "source": "{{ container_config_directory }}/server_ca.key.pem",
+            "dest": "/etc/octavia/certs/server_ca.key.pem",
             "owner": "octavia",
             "perm": "0600"
         }

ansible/roles/octavia/templates/octavia-housekeeping.json.j2

@@ -8,20 +8,26 @@
             "perm": "0600"
         },
         {
-            "source": "{{ container_config_directory }}/cakey.pem",
+            "source": "{{ container_config_directory }}/client.cert-and-key.pem",
-            "dest": "/etc/octavia/certs/private/cakey.pem",
+            "dest": "/etc/octavia/certs/client.cert-and-key.pem",
             "owner": "octavia",
             "perm": "0600"
         },
         {
-            "source": "{{ container_config_directory }}/ca_01.pem",
+            "source": "{{ container_config_directory }}/client_ca.cert.pem",
-            "dest": "/etc/octavia/certs/ca_01.pem",
+            "dest": "/etc/octavia/certs/client_ca.cert.pem",
             "owner": "octavia",
             "perm": "0600"
         },
         {
-            "source": "{{ container_config_directory }}/client.pem",
+            "source": "{{ container_config_directory }}/server_ca.cert.pem",
-            "dest": "/etc/octavia/certs/client.pem",
+            "dest": "/etc/octavia/certs/server_ca.cert.pem",
+            "owner": "octavia",
+            "perm": "0600"
+        },
+        {
+            "source": "{{ container_config_directory }}/server_ca.key.pem",
+            "dest": "/etc/octavia/certs/server_ca.key.pem",
             "owner": "octavia",
             "perm": "0600"
         }

ansible/roles/octavia/templates/octavia-worker.json.j2

@@ -8,20 +8,26 @@
             "perm": "0600"
         },
         {
-            "source": "{{ container_config_directory }}/cakey.pem",
+            "source": "{{ container_config_directory }}/client.cert-and-key.pem",
-            "dest": "/etc/octavia/certs/private/cakey.pem",
+            "dest": "/etc/octavia/certs/client.cert-and-key.pem",
             "owner": "octavia",
             "perm": "0600"
         },
         {
-            "source": "{{ container_config_directory }}/ca_01.pem",
+            "source": "{{ container_config_directory }}/client_ca.cert.pem",
-            "dest": "/etc/octavia/certs/ca_01.pem",
+            "dest": "/etc/octavia/certs/client_ca.cert.pem",
             "owner": "octavia",
             "perm": "0600"
         },
         {
-            "source": "{{ container_config_directory }}/client.pem",
+            "source": "{{ container_config_directory }}/server_ca.cert.pem",
-            "dest": "/etc/octavia/certs/client.pem",
+            "dest": "/etc/octavia/certs/server_ca.cert.pem",
+            "owner": "octavia",
+            "perm": "0600"
+        },
+        {
+            "source": "{{ container_config_directory }}/server_ca.key.pem",
+            "dest": "/etc/octavia/certs/server_ca.key.pem",
             "owner": "octavia",
             "perm": "0600"
         }

ansible/roles/octavia/templates/octavia.conf.j2

@@ -11,8 +11,8 @@ bind_port = {{ octavia_api_listen_port }}
 
 [certificates]
 ca_private_key_passphrase = {{ octavia_ca_password }}
-ca_private_key = /etc/octavia/certs/private/cakey.pem
+ca_private_key = /etc/octavia/certs/server_ca.key.pem
-ca_certificate = /etc/octavia/certs/ca_01.pem
+ca_certificate = /etc/octavia/certs/server_ca.cert.pem
 {% if enable_barbican | bool %}
 region_name = {{ openstack_region_name }}
 endpoint_type = internal
@@ -20,8 +20,8 @@ ca_certificates_file = {{ openstack_cacert }}
 {% endif %}
 
 [haproxy_amphora]
-server_ca = /etc/octavia/certs/ca_01.pem
+server_ca = /etc/octavia/certs/server_ca.cert.pem
-client_cert = /etc/octavia/certs/client.pem
+client_cert = /etc/octavia/certs/client.cert-and-key.pem
 
 [database]
 connection = mysql+pymysql://{{ octavia_database_user }}:{{ octavia_database_password }}@{{ octavia_database_address }}/{{ octavia_database_name }}
@@ -68,6 +68,7 @@ amp_image_tag = amphora
 amp_secgroup_list = {{ octavia_amp_secgroup_list }}
 amp_flavor_id = {{ octavia_amp_flavor_id }}
 amp_ssh_key_name = octavia_ssh_key
+client_ca = /etc/octavia/certs/client_ca.cert.pem
 network_driver = allowed_address_pairs_driver
 compute_driver = compute_nova_driver
 amphora_driver = amphora_haproxy_rest_driver

releasenotes/notes/fix-octavia-cert-config-28f0ef2799406957.yaml

@@ -0,0 +1,14 @@
+---
+fixes:
+  - |
+    Adapt Octavia to the latest dual CA certificate configuration. The
+    following files should exist in ``/etc/kolla/config/octavia/``:
+
+    * ``client.cert-and-key.pem``
+    * ``client_ca.cert.pem``
+    * ``server_ca.cert.pem``
+    * ``server_ca.key.pem``
+
+    See the `Octavia documentation
+    <https://docs.openstack.org/octavia/latest/admin/guides/certificates.html>`__
+    for details on generating these files.