From 48f0957a1c9c3ef0cac77642f058fa9cb47fbbc8 Mon Sep 17 00:00:00 2001
From: Mark Goddard
Date: Wed, 17 Mar 2021 09:32:33 +0000
Subject: [PATCH] magnum: Add CA certificate configuration for internal TLS
Magnum has various sections in its configuration file for OpenStack clients. When internal TLS is enabled, these may need a CA certificate to be specified. This change adds a CA certificate configuration, based on openstack_cacert, for all clients using internal endpoints.
Note: we are explicitly not adding the configuration for the [magnum_client] ca_file and [drivers] openstack_ca_file options, since these use the public endpoint by default. These options may be provided via custom configuration if necessary.
Change-Id: Ie59b3777c0a2c142b580addd67e279bc4b2f2c90
Co-Authored-By: Kyle Dean
Closes-Bug: #1919389
---
 ansible/roles/magnum/templates/magnum.conf.j2 | 8 ++++++++
 .../notes/fix-magnum-tls-cacert-dd5ab5729391beb2.yaml | 5 +++++
 2 files changed, 13 insertions(+)
 create mode 100644 releasenotes/notes/fix-magnum-tls-cacert-dd5ab5729391beb2.yaml
diff --git a/ansible/roles/magnum/templates/magnum.conf.j2 b/ansible/roles/magnum/templates/magnum.conf.j2
index 06f08c2980..862c2e6842 100644
--- a/ansible/roles/magnum/templates/magnum.conf.j2
+++ b/ansible/roles/magnum/templates/magnum.conf.j2
@@ -32,30 +32,37 @@ endpoint_type = publicURL
 [heat_client]
 region_name = {{ openstack_region_name }}
 endpoint_type = internalURL
+ca_file = {{ openstack_cacert }}
 
 [octavia_client]
 region_name = {{ openstack_region_name }}
 endpoint_type = internalURL
+ca_file = {{ openstack_cacert }}
 
 [cinder_client]
 region_name = {{ openstack_region_name }}
 endpoint_type = internalURL
+ca_file = {{ openstack_cacert }}
 
 [barbican_client]
 region_name = {{ openstack_region_name }}
 endpoint_type = internalURL
+ca_file = {{ openstack_cacert }}
 
 [glance_client]
 region_name = {{ openstack_region_name }}
 endpoint_type = internalURL
+ca_file = {{ openstack_cacert }}
 
 [neutron_client]
 region_name = {{ openstack_region_name }}
 endpoint_type = internalURL
+ca_file = {{ openstack_cacert }}
 
 [nova_client]
 region_name = {{ openstack_region_name }}
 endpoint_type = internalURL
+ca_file = {{ openstack_cacert }}
 
 [keystone_auth]
 auth_url = {{ keystone_internal_url }}/v3
@@ -78,6 +85,7 @@ user_domain_name = {{ default_user_domain_name }}
 project_name = service
 username = {{ magnum_keystone_user }}
 password = {{ magnum_keystone_password }}
+cafile = {{ openstack_cacert }}
 region_name = {{ openstack_region_name }}
 memcache_security_strategy = ENCRYPT
diff --git a/releasenotes/notes/fix-magnum-tls-cacert-dd5ab5729391beb2.yaml b/releasenotes/notes/fix-magnum-tls-cacert-dd5ab5729391beb2.yaml
new file mode 100644
index 0000000000..a4e5cf2aa4
--- /dev/null
+++ b/releasenotes/notes/fix-magnum-tls-cacert-dd5ab5729391beb2.yaml
@@ -0,0 +1,5 @@
+---
+fixes:
+  - |
+    Fixes an issue with Magnum when TLS is enabled. `LP#781062
+    `__
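Review bot: The `[keystone_auth]` section that opens at the end of this hunk also points at `{{ keystone_internal_url }}`, yet nothing in this diff adds a CA file to it, so the Keystone session magnum builds from that group would still verify the internal endpoint against the default trust store when `openstack_cacert` names a private CA. That section runs past the hunk, so it may be handled in lines not shown; if not, `cafile = {{ openstack_cacert }}` belongs there as well, assuming magnum registers the keystoneauth session options for that group (worth confirming against magnum's conf module). Separately, each added `ca_file = {{ openstack_cacert }}` renders as a bare `ca_file =` when `openstack_cacert` is empty, which relies on the client treating an empty string as unset rather than as a path to open; if that is not guaranteed for every client listed here, wrap each line in `{% if openstack_cacert %}` / `{% endif %}` so the key is omitted entirely. Finally, the release note cites LP#781062 while the Closes-Bug trailer names #1919389, so one of the two references looks wrong.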