From 511ba9f6a2ff09c0f3b55a700696fca2004a9072 Mon Sep 17 00:00:00 2001 
From: James Kirsch Date: Wed, 18 Dec 2019 15:49:28 -0800 Subject: [PATCH] Copy CA into containers. When kolla_copy_ca_into_containers is set to "yes", the Certificate Authority in /etc/kolla/certificates will be copied into service containers to enable trust for that CA. This is especially useful when the CA is self signed, and would not be trusted by default. Partially-Implements: blueprint custom-cacerts Change-Id: I4368f8994147580460ebe7533850cf63a419d0b4 --- ansible/group_vars/all.yml | 2 +- ansible/roles/aodh/tasks/config.yml | 12 +++++++++ ansible/roles/barbican/tasks/config.yml | 12 +++++++++ ansible/roles/blazar/tasks/config.yml | 12 +++++++++ ansible/roles/ceilometer/tasks/config.yml | 12 +++++++++ ansible/roles/cinder/tasks/config.yml | 12 +++++++++ ansible/roles/cloudkitty/tasks/config.yml | 12 +++++++++ ansible/roles/common/tasks/config.yml | 11 ++++++++ ansible/roles/congress/tasks/config.yml | 12 +++++++++ ansible/roles/cyborg/tasks/config.yml | 12 +++++++++ ansible/roles/designate/tasks/config.yml | 12 +++++++++ ansible/roles/elasticsearch/tasks/config.yml | 11 ++++++++ ansible/roles/freezer/tasks/config.yml | 12 +++++++++ ansible/roles/glance/tasks/config.yml | 12 +++++++++ ansible/roles/gnocchi/tasks/config.yml | 12 +++++++++ ansible/roles/grafana/tasks/config.yml | 11 ++++++++ ansible/roles/heat/tasks/config.yml | 12 +++++++++ ansible/roles/ironic/tasks/config.yml | 12 +++++++++ ansible/roles/karbor/tasks/config.yml | 12 +++++++++ ansible/roles/keystone/tasks/config.yml | 12 +++++++++ ansible/roles/kibana/tasks/config.yml | 12 +++++++++ ansible/roles/kuryr/tasks/config.yml | 12 +++++++++ ansible/roles/magnum/tasks/config.yml | 12 +++++++++ ansible/roles/manila/tasks/config.yml | 12 +++++++++ ansible/roles/mistral/tasks/config.yml | 12 +++++++++ ansible/roles/monasca/tasks/config.yml | 12 +++++++++ ansible/roles/murano/tasks/config.yml | 12 +++++++++ ansible/roles/neutron/tasks/config.yml | 12 +++++++++ ansible/roles/nova-cell/tasks/config.yml | 12 
+++++++++ ansible/roles/nova-hyperv/tasks/config.yml | 11 ++++++++ ansible/roles/nova/tasks/config.yml | 12 +++++++++ ansible/roles/octavia/tasks/config.yml | 12 +++++++++ ansible/roles/panko/tasks/config.yml | 12 +++++++++ ansible/roles/placement/tasks/config.yml | 12 +++++++++ ansible/roles/prometheus/tasks/config.yml | 12 +++++++++ ansible/roles/qinling/tasks/config.yml | 12 +++++++++ ansible/roles/rally/tasks/config.yml | 12 +++++++++ ansible/roles/sahara/tasks/config.yml | 12 +++++++++ ansible/roles/searchlight/tasks/config.yml | 12 +++++++++ ansible/roles/senlin/tasks/config.yml | 12 +++++++++ ansible/roles/skydive/tasks/config.yml | 12 +++++++++ ansible/roles/solum/tasks/config.yml | 12 +++++++++ ansible/roles/swift/tasks/config.yml | 12 +++++++++ ansible/roles/tacker/tasks/config.yml | 12 +++++++++ ansible/roles/telegraf/tasks/config.yml | 12 +++++++++ ansible/roles/tempest/tasks/config.yml | 12 +++++++++ ansible/roles/trove/tasks/config.yml | 12 +++++++++ ansible/roles/vitrage/tasks/config.yml | 12 +++++++++ ansible/roles/watcher/tasks/config.yml | 12 +++++++++ ansible/roles/zun/tasks/config.yml | 12 +++++++++ doc/source/admin/advanced-configuration.rst | 26 +++++++++++++++++++ etc/kolla/globals.yml | 1 + ...rity-into-containers-860cbda3384dd731.yaml | 21 +++++++++++++++ 53 files changed, 633 insertions(+), 1 deletion(-) create mode 100644 releasenotes/notes/copy-certificate-authority-into-containers-860cbda3384dd731.yaml diff --git a/ansible/group_vars/all.yml b/ansible/group_vars/all.yml index 4e53d496a6..5ad1be8706 100644 --- a/ansible/group_vars/all.yml +++ b/ansible/group_vars/all.yml 
@@ -759,7 +759,7 @@ kolla_external_fqdn_cert: "{{ node_config }}/certificates/haproxy.pem" kolla_internal_fqdn_cert: "{{ node_config }}/certificates/haproxy-internal.pem" kolla_external_fqdn_cacert: "{{ node_config }}/certificates/haproxy-ca.crt" kolla_internal_fqdn_cacert: "{{ node_config }}/certificates/haproxy-ca-internal.crt" - +kolla_copy_ca_into_containers: "no" #################### # Kibana options diff --git a/ansible/roles/aodh/tasks/config.yml b/ansible/roles/aodh/tasks/config.yml index dbcdace495..9fe60c3b72 100644 --- a/ansible/roles/aodh/tasks/config.yml +++ b/ansible/roles/aodh/tasks/config.yml @@ -45,6 +45,18 @@ notify: - "Restart {{ item.key }} container" +- name: Copying over extra CA certificates + become: true + copy: + src: "{{ node_config }}/certificates/ca/" + dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates" + mode: "0644" + when: + - item.value.enabled | bool + - inventory_hostname in groups[item.value.group] + - kolla_copy_ca_into_containers | bool + with_dict: "{{ aodh_services }}" + - name: Copying over config.json files for services template: src: "{{ item.key }}.json.j2" diff --git a/ansible/roles/barbican/tasks/config.yml b/ansible/roles/barbican/tasks/config.yml index 7ea8170976..d28f667378 100644 --- a/ansible/roles/barbican/tasks/config.yml +++ b/ansible/roles/barbican/tasks/config.yml @@ -47,6 +47,18 @@ when: - barbican_policy.results +- name: Copying over extra CA certificates + become: true + copy: + src: "{{ node_config }}/certificates/ca/" + dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates" + mode: "0644" + when: + - inventory_hostname in groups[item.value.group] + - item.value.enabled | bool + - kolla_copy_ca_into_containers | bool + with_dict: "{{ barbican_services }}" + - name: Copying over config.json files for services template: src: "{{ item.key }}.json.j2" diff --git a/ansible/roles/blazar/tasks/config.yml b/ansible/roles/blazar/tasks/config.yml index 7ac5462a73..e96a51d069 100644 
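Review bot: The new default `kolla_copy_ca_into_containers: "no"` is added on the line that used to be the blank separator before the `#################### # Kibana options` header, so the TLS block now runs straight into the next section. Keep the blank line and give the option a short comment in the style of the surrounding group_vars, e.g. `# Copy the CAs from {{ node_config }}/certificates/ca into service containers` above it, so operators reading all.yml can find what the flag does without opening the docs. The `"no"` string is fine here since every consumer pipes it through `| bool`.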
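Review bot: The new "Copying over extra CA certificates" task has no `notify`, while the neighbouring config tasks in this hunk end with `notify:` / `- "Restart {{ item.key }} container"`; a CA added or rotated in `{{ node_config }}/certificates/ca/` after the initial deploy will therefore be staged on disk but the running container keeps its old trust store until something else restarts it. Adding the same `notify: - "Restart {{ item.key }} container"` to the new task fixes that, and the same omission is present in every other role hunk of this patch (barbican through zun, including nova-hyperv, which would notify `Restart FreeRDP-WebConnect`). Nothing in this change shows the config.json templates consuming the staged `ca-certificates` directory, so presumably the in-container installation is the follow-up implied by "Partially-Implements"; worth stating that in the commit message.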
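Review bot: The order of the `when` conditions differs from the aodh hunk: here `inventory_hostname in groups[item.value.group]` is listed before `item.value.enabled | bool`, whereas aodh and most other roles check `item.value.enabled` first. Behaviour is the same, but since the block is otherwise copied verbatim across roles, keeping one ordering (`- item.value.enabled | bool`, `- inventory_hostname in groups[item.value.group]`, `- kolla_copy_ca_into_containers | bool`) makes future grep-and-edit changes less error-prone. The same reordering appears in the blazar, ceilometer, cinder and heat hunks.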
--- a/ansible/roles/blazar/tasks/config.yml +++ b/ansible/roles/blazar/tasks/config.yml @@ -31,6 +31,18 @@ when: - blazar_policy.results +- name: Copying over extra CA certificates + become: true + copy: + src: "{{ node_config }}/certificates/ca/" + dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates" + mode: "0644" + when: + - inventory_hostname in groups[item.value.group] + - item.value.enabled | bool + - kolla_copy_ca_into_containers | bool + with_dict: "{{ blazar_services }}" + - name: Copying over config.json files for services template: src: "{{ item.key }}.json.j2" diff --git a/ansible/roles/ceilometer/tasks/config.yml b/ansible/roles/ceilometer/tasks/config.yml index 1e3ba49a86..b726d0c81a 100644 --- a/ansible/roles/ceilometer/tasks/config.yml +++ b/ansible/roles/ceilometer/tasks/config.yml @@ -136,6 +136,18 @@ when: - ceilometer_policy.results +- name: Copying over extra CA certificates + become: true + copy: + src: "{{ node_config }}/certificates/ca/" + dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates" + mode: "0644" + when: + - inventory_hostname in groups[item.value.group] + - item.value.enabled | bool + - kolla_copy_ca_into_containers | bool + with_dict: "{{ ceilometer_services }}" + - name: Copying over config.json files for services template: src: "{{ item.key }}.json.j2" diff --git a/ansible/roles/cinder/tasks/config.yml b/ansible/roles/cinder/tasks/config.yml index ec052f5152..9e9db41fd3 100644 --- a/ansible/roles/cinder/tasks/config.yml +++ b/ansible/roles/cinder/tasks/config.yml 
@@ -46,6 +46,18 @@ when: - cinder_policy.results +- name: Copying over extra CA certificates + become: true + copy: + src: "{{ node_config }}/certificates/ca/" + dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates" + mode: "0644" + when: + - inventory_hostname in groups[item.value.group] + - item.value.enabled | bool + - kolla_copy_ca_into_containers | bool + with_dict: "{{ cinder_services }}" + - name: Copying over config.json files for services template: src: "{{ item.key }}.json.j2" diff --git a/ansible/roles/cloudkitty/tasks/config.yml b/ansible/roles/cloudkitty/tasks/config.yml index 700803ccd3..f810d5a674 100644 --- a/ansible/roles/cloudkitty/tasks/config.yml +++ b/ansible/roles/cloudkitty/tasks/config.yml @@ -55,6 +55,18 @@ set_fact: cloudkitty_custom_metrics_used: "{{ cloudkitty_custom_metrics_file.stat.exists }}" +- name: Copying over extra CA certificates + become: true + copy: + src: "{{ node_config }}/certificates/ca/" + dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates" + mode: "0644" + when: + - item.value.enabled | bool + - inventory_hostname in groups[item.value.group] + - kolla_copy_ca_into_containers | bool + with_dict: "{{ cloudkitty_services }}" + - name: Copying over config.json files for services template: src: "{{ item.key }}.json.j2" diff --git a/ansible/roles/common/tasks/config.yml b/ansible/roles/common/tasks/config.yml index 83f1b3cc73..5734bd9864 100644 --- a/ansible/roles/common/tasks/config.yml +++ b/ansible/roles/common/tasks/config.yml 
@@ -52,6 +52,17 @@ fluentd_binary: "{{ fluentd_labels.images.0.ContainerConfig.Labels.fluentd_binary }}" when: enable_fluentd | bool +- name: Copying over extra CA certificates + become: true + copy: + src: "{{ node_config }}/certificates/ca/" + dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates" + mode: "0644" + when: + - item.value.enabled | bool + - kolla_copy_ca_into_containers | bool + with_dict: "{{ common_services }}" + - name: Copying over config.json files for services template: src: "{{ item.key }}.json.j2" diff --git a/ansible/roles/congress/tasks/config.yml b/ansible/roles/congress/tasks/config.yml index 9f066c4edd..e4b1896761 100644 --- a/ansible/roles/congress/tasks/config.yml +++ b/ansible/roles/congress/tasks/config.yml @@ -31,6 +31,18 @@ when: - congress_policy.results +- name: Copying over extra CA certificates + become: true + copy: + src: "{{ node_config }}/certificates/ca/" + dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates" + mode: "0644" + when: + - item.value.enabled | bool + - inventory_hostname in groups[item.value.group] + - kolla_copy_ca_into_containers | bool + with_dict: "{{ congress_services }}" + - name: Copying over config.json files for services template: src: "{{ item.key }}.json.j2" diff --git a/ansible/roles/cyborg/tasks/config.yml b/ansible/roles/cyborg/tasks/config.yml index b6adeab877..d1492244b9 100644 --- a/ansible/roles/cyborg/tasks/config.yml +++ b/ansible/roles/cyborg/tasks/config.yml 
@@ -45,6 +45,18 @@ notify: - Restart {{ item.key }} container +- name: Copying over extra CA certificates + become: true + copy: + src: "{{ node_config }}/certificates/ca/" + dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates" + mode: "0644" + when: + - item.value.enabled | bool + - inventory_hostname in groups[item.value.group] + - kolla_copy_ca_into_containers | bool + with_dict: "{{ cyborg_services }}" + - name: Copying over config.json files for services template: src: "{{ item.key }}.json.j2" diff --git a/ansible/roles/designate/tasks/config.yml b/ansible/roles/designate/tasks/config.yml index bf8f8d441b..07f73bb7b1 100644 --- a/ansible/roles/designate/tasks/config.yml +++ b/ansible/roles/designate/tasks/config.yml @@ -31,6 +31,18 @@ when: - designate_policy.results +- name: Copying over extra CA certificates + become: true + copy: + src: "{{ node_config }}/certificates/ca/" + dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates" + mode: "0644" + when: + - item.value.enabled | bool + - inventory_hostname in groups[item.value.group] + - kolla_copy_ca_into_containers | bool + with_dict: "{{ designate_services }}" + - name: Copying over config.json files for services template: src: "{{ item.key }}.json.j2" diff --git a/ansible/roles/elasticsearch/tasks/config.yml b/ansible/roles/elasticsearch/tasks/config.yml index c8fbc75eeb..c9660e113b 100644 --- a/ansible/roles/elasticsearch/tasks/config.yml +++ b/ansible/roles/elasticsearch/tasks/config.yml @@ -21,6 +21,17 @@ - item.value.enabled | bool with_dict: "{{ elasticsearch_services }}" +- name: Copying over extra CA certificates + become: true + copy: + src: "{{ node_config }}/certificates/ca/" + dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates" + mode: "0644" + when: + - item.value.enabled | bool + - kolla_copy_ca_into_containers | bool + with_dict: "{{ elasticsearch_services }}" + - name: Copying over config.json files for services template: src: "{{ item.key }}.json.j2" 
diff --git a/ansible/roles/freezer/tasks/config.yml b/ansible/roles/freezer/tasks/config.yml index 648882e934..df24c8cdf8 100644 --- a/ansible/roles/freezer/tasks/config.yml +++ b/ansible/roles/freezer/tasks/config.yml @@ -31,6 +31,18 @@ when: - freezer_policy.results +- name: Copying over extra CA certificates + become: true + copy: + src: "{{ node_config }}/certificates/ca/" + dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates" + mode: "0644" + when: + - item.value.enabled | bool + - inventory_hostname in groups[item.value.group] + - kolla_copy_ca_into_containers | bool + with_dict: "{{ freezer_services }}" + - name: Copying over config.json files for services template: src: "{{ item.key }}.json.j2" diff --git a/ansible/roles/glance/tasks/config.yml b/ansible/roles/glance/tasks/config.yml index 8fe21562b8..cdd589b520 100644 --- a/ansible/roles/glance/tasks/config.yml +++ b/ansible/roles/glance/tasks/config.yml @@ -41,6 +41,18 @@ when: - glance_policy.results +- name: Copying over extra CA certificates + become: true + copy: + src: "{{ node_config }}/certificates/ca/" + dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates" + mode: "0644" + when: + - item.value.enabled | bool + - inventory_hostname in groups[item.value.group] + - kolla_copy_ca_into_containers | bool + with_dict: "{{ glance_services }}" + - name: Copying over config.json files for services template: src: "{{ item.key }}.json.j2" diff --git a/ansible/roles/gnocchi/tasks/config.yml b/ansible/roles/gnocchi/tasks/config.yml index 85a9847fb8..aa4612028b 100644 --- a/ansible/roles/gnocchi/tasks/config.yml +++ b/ansible/roles/gnocchi/tasks/config.yml 
@@ -41,6 +41,18 @@ when: - gnocchi_policy.results +- name: Copying over extra CA certificates + become: true + copy: + src: "{{ node_config }}/certificates/ca/" + dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates" + mode: "0644" + when: + - item.value.enabled | bool + - inventory_hostname in groups[item.value.group] + - kolla_copy_ca_into_containers | bool + with_dict: "{{ gnocchi_services }}" + - name: Copying over config.json files for services template: src: "{{ item.key }}.json.j2" diff --git a/ansible/roles/grafana/tasks/config.yml b/ansible/roles/grafana/tasks/config.yml index 174f011f01..01d0f6dd92 100644 --- a/ansible/roles/grafana/tasks/config.yml +++ b/ansible/roles/grafana/tasks/config.yml @@ -20,6 +20,17 @@ run_once: True register: check_extra_conf_grafana +- name: Copying over extra CA certificates + become: true + copy: + src: "{{ node_config }}/certificates/ca/" + dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates" + mode: "0644" + when: + - item.value.enabled | bool + - kolla_copy_ca_into_containers | bool + with_dict: "{{ grafana_services }}" + - name: Copying over config.json files template: src: "{{ item.key }}.json.j2" diff --git a/ansible/roles/heat/tasks/config.yml b/ansible/roles/heat/tasks/config.yml index 1cb4638397..e51a78cb50 100644 --- a/ansible/roles/heat/tasks/config.yml +++ b/ansible/roles/heat/tasks/config.yml @@ -31,6 +31,18 @@ when: - heat_policy.results +- name: Copying over extra CA certificates + become: true + copy: + src: "{{ node_config }}/certificates/ca/" + dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates" + mode: "0644" + when: + - inventory_hostname in groups[item.value.group] + - item.value.enabled | bool + - kolla_copy_ca_into_containers | bool + with_dict: "{{ heat_services }}" + - name: Copying over config.json files for services become: true template: 
diff --git a/ansible/roles/ironic/tasks/config.yml b/ansible/roles/ironic/tasks/config.yml index eea6b194c8..c337f924ca 100644 --- a/ansible/roles/ironic/tasks/config.yml +++ b/ansible/roles/ironic/tasks/config.yml @@ -38,6 +38,18 @@ when: - ironic_policy.results +- name: Copying over extra CA certificates + become: true + copy: + src: "{{ node_config }}/certificates/ca/" + dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates" + mode: "0644" + when: + - item.value.enabled | bool + - inventory_hostname in groups[item.value.group] + - kolla_copy_ca_into_containers | bool + with_dict: "{{ ironic_services }}" + - name: Copying over config.json files for services template: src: "{{ item.key }}.json.j2" diff --git a/ansible/roles/karbor/tasks/config.yml b/ansible/roles/karbor/tasks/config.yml index 1337c1013d..18a535e2f4 100644 --- a/ansible/roles/karbor/tasks/config.yml +++ b/ansible/roles/karbor/tasks/config.yml @@ -12,6 +12,18 @@ - item.value.enabled | bool with_dict: "{{ karbor_services }}" +- name: Copying over extra CA certificates + become: true + copy: + src: "{{ node_config }}/certificates/ca/" + dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates" + mode: "0644" + when: + - item.value.enabled | bool + - inventory_hostname in groups[item.value.group] + - kolla_copy_ca_into_containers | bool + with_dict: "{{ karbor_services }}" + - name: Copying over config.json files for services template: src: "{{ item.key }}.json.j2" diff --git a/ansible/roles/keystone/tasks/config.yml b/ansible/roles/keystone/tasks/config.yml index 1b4c2cf6bf..bc56b44cbb 100644 --- a/ansible/roles/keystone/tasks/config.yml +++ b/ansible/roles/keystone/tasks/config.yml 
@@ -38,6 +38,18 @@ run_once: True register: keystone_domain_directory +- name: Copying over extra CA certificates + become: true + copy: + src: "{{ node_config }}/certificates/ca/" + dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates" + mode: "0644" + when: + - item.value.enabled | bool + - inventory_hostname in groups[item.value.group] + - kolla_copy_ca_into_containers | bool + with_dict: "{{ keystone_services }}" + - name: Copying over config.json files for services template: src: "{{ item.key }}.json.j2" diff --git a/ansible/roles/kibana/tasks/config.yml b/ansible/roles/kibana/tasks/config.yml index 023dbdddcf..a32c8d7576 100644 --- a/ansible/roles/kibana/tasks/config.yml +++ b/ansible/roles/kibana/tasks/config.yml @@ -12,6 +12,18 @@ - item.value.enabled | bool with_dict: "{{ kibana_services }}" +- name: Copying over extra CA certificates + become: true + copy: + src: "{{ node_config }}/certificates/ca/" + dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates" + mode: "0644" + when: + - item.value.enabled | bool + - inventory_hostname in groups[item.value.group] + - kolla_copy_ca_into_containers | bool + with_dict: "{{ kibana_services }}" + - name: Copying over config.json files for services template: src: "{{ item.key }}.json.j2" diff --git a/ansible/roles/kuryr/tasks/config.yml b/ansible/roles/kuryr/tasks/config.yml index 7ca0160d06..6f6077110e 100644 --- a/ansible/roles/kuryr/tasks/config.yml +++ b/ansible/roles/kuryr/tasks/config.yml @@ -31,6 +31,18 @@ when: - kuryr_policy.results +- name: Copying over extra CA certificates + become: true + copy: + src: "{{ node_config }}/certificates/ca/" + dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates" + mode: "0644" + when: + - item.value.enabled | bool + - inventory_hostname in groups[item.value.group] + - kolla_copy_ca_into_containers | bool + with_dict: "{{ kuryr_services }}" + - name: Copying over config.json files for services template: src: "{{ item.key }}.json.j2" 
diff --git a/ansible/roles/magnum/tasks/config.yml b/ansible/roles/magnum/tasks/config.yml index 5d4dea08d4..a3ecf85e25 100644 --- a/ansible/roles/magnum/tasks/config.yml +++ b/ansible/roles/magnum/tasks/config.yml @@ -31,6 +31,18 @@ when: - magnum_policy.results +- name: Copying over extra CA certificates + become: true + copy: + src: "{{ node_config }}/certificates/ca/" + dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates" + mode: "0644" + when: + - item.value.enabled | bool + - inventory_hostname in groups[item.value.group] + - kolla_copy_ca_into_containers | bool + with_dict: "{{ magnum_services }}" + - name: Copying over config.json files for services template: src: "{{ item.key }}.json.j2" diff --git a/ansible/roles/manila/tasks/config.yml b/ansible/roles/manila/tasks/config.yml index 0137548507..78eff7c59a 100644 --- a/ansible/roles/manila/tasks/config.yml +++ b/ansible/roles/manila/tasks/config.yml @@ -45,6 +45,18 @@ when: - manila_policy.results +- name: Copying over extra CA certificates + become: true + copy: + src: "{{ node_config }}/certificates/ca/" + dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates" + mode: "0644" + when: + - item.value.enabled | bool + - inventory_hostname in groups[item.value.group] + - kolla_copy_ca_into_containers | bool + with_dict: "{{ manila_services }}" + - name: Copying over config.json files for services template: src: "{{ item.key }}.json.j2" diff --git a/ansible/roles/mistral/tasks/config.yml b/ansible/roles/mistral/tasks/config.yml index 47e337954f..00e2096e9c 100644 --- a/ansible/roles/mistral/tasks/config.yml +++ b/ansible/roles/mistral/tasks/config.yml 
@@ -31,6 +31,18 @@ when: - mistral_policy.results +- name: Copying over extra CA certificates + become: true + copy: + src: "{{ node_config }}/certificates/ca/" + dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates" + mode: "0644" + when: + - item.value.enabled | bool + - inventory_hostname in groups[item.value.group] + - kolla_copy_ca_into_containers | bool + with_dict: "{{ mistral_services }}" + - name: Copying over config.json files for services template: src: "{{ item.key }}.json.j2" diff --git a/ansible/roles/monasca/tasks/config.yml b/ansible/roles/monasca/tasks/config.yml index 9b8b56ae53..d29aaf6d69 100644 --- a/ansible/roles/monasca/tasks/config.yml +++ b/ansible/roles/monasca/tasks/config.yml @@ -12,6 +12,18 @@ - item.value.enabled | bool with_dict: "{{ monasca_services }}" +- name: Copying over extra CA certificates + become: true + copy: + src: "{{ node_config }}/certificates/ca/" + dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates" + mode: "0644" + when: + - item.value.enabled | bool + - inventory_hostname in groups[item.value.group] + - kolla_copy_ca_into_containers | bool + with_dict: "{{ monasca_services }}" + - name: Copying over config.json files for services template: src: "{{ item.key }}/{{ item.key }}.json.j2" diff --git a/ansible/roles/murano/tasks/config.yml b/ansible/roles/murano/tasks/config.yml index e6be02ca71..879b34c139 100644 --- a/ansible/roles/murano/tasks/config.yml +++ b/ansible/roles/murano/tasks/config.yml 
@@ -31,6 +31,18 @@ when: - murano_policy.results +- name: Copying over extra CA certificates + become: true + copy: + src: "{{ node_config }}/certificates/ca/" + dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates" + mode: "0644" + when: + - item.value.enabled | bool + - inventory_hostname in groups[item.value.group] + - kolla_copy_ca_into_containers | bool + with_dict: "{{ murano_services }}" + - name: Copying over config.json files for services template: src: "{{ item.key }}.json.j2" diff --git a/ansible/roles/neutron/tasks/config.yml b/ansible/roles/neutron/tasks/config.yml index 0207f938a0..c28ef33a7f 100644 --- a/ansible/roles/neutron/tasks/config.yml +++ b/ansible/roles/neutron/tasks/config.yml @@ -47,6 +47,18 @@ changed_when: False register: check_extra_ml2_plugins +- name: Copying over extra CA certificates + become: true + copy: + src: "{{ node_config }}/certificates/ca/" + dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates" + mode: "0644" + when: + - item.value.enabled | bool + - item.value.host_in_groups | bool + - kolla_copy_ca_into_containers | bool + with_dict: "{{ neutron_services }}" + - name: Copying over config.json files for services become: true template: diff --git a/ansible/roles/nova-cell/tasks/config.yml b/ansible/roles/nova-cell/tasks/config.yml index b2cf9b9b4a..be5ef3c919 100644 --- a/ansible/roles/nova-cell/tasks/config.yml +++ b/ansible/roles/nova-cell/tasks/config.yml @@ -24,6 +24,18 @@ - item.value.enabled | bool with_dict: "{{ nova_cell_services }}" +- name: Copying over extra CA certificates + become: true + copy: + src: "{{ node_config }}/certificates/ca/" + dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates" + mode: "0644" + when: + - item.value.enabled | bool + - inventory_hostname in groups[item.value.group] + - kolla_copy_ca_into_containers | bool + with_dict: "{{ nova_cell_services }}" + - include_tasks: ceph.yml when: - enable_ceph | bool and nova_backend == "rbd" 
diff --git a/ansible/roles/nova-hyperv/tasks/config.yml b/ansible/roles/nova-hyperv/tasks/config.yml index 0893e6f50a..f50cb9a3d8 100644 --- a/ansible/roles/nova-hyperv/tasks/config.yml +++ b/ansible/roles/nova-hyperv/tasks/config.yml @@ -33,3 +33,14 @@ - "{{ node_custom_config }}/nova-hyperv/wsgate.ini" - "wsgate.ini.j2" notify: Restart FreeRDP-WebConnect + +- name: Copying over extra CA certificates + become: true + copy: + src: "{{ node_config }}/certificates/ca/" + dest: "{{ node_custom_config }}/nova-hyperv/ca-certificates" + mode: "0644" + when: + - item.value.enabled | bool + - inventory_hostname in groups[item.value.group] + - kolla_copy_ca_into_containers | bool diff --git a/ansible/roles/nova/tasks/config.yml b/ansible/roles/nova/tasks/config.yml index cd910ed473..b9fc628dc7 100644 --- a/ansible/roles/nova/tasks/config.yml +++ b/ansible/roles/nova/tasks/config.yml @@ -31,6 +31,18 @@ when: - nova_policy.results +- name: Copying over extra CA certificates + become: true + copy: + src: "{{ node_config }}/certificates/ca/" + dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates" + mode: "0644" + when: + - item.value.enabled | bool + - inventory_hostname in groups[item.value.group] + - kolla_copy_ca_into_containers | bool + with_dict: "{{ nova_services }}" + - name: Copying over config.json files for services become: true template: diff --git a/ansible/roles/octavia/tasks/config.yml b/ansible/roles/octavia/tasks/config.yml index c2dbbeedd1..21a2599160 100644 --- a/ansible/roles/octavia/tasks/config.yml +++ b/ansible/roles/octavia/tasks/config.yml 
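Review bot: `item` is never defined in the nova-hyperv task — unlike the other roles it has no `with_dict`, so `item.value.enabled | bool` raises an undefined-variable error as soon as the conditional is evaluated, which breaks the nova-hyperv config run even when `kolla_copy_ca_into_containers` is left at "no". Either loop over the role's services dict like the other roles or reduce the conditions to the single line `- kolla_copy_ca_into_containers | bool`. The `dest` of `{{ node_custom_config }}/nova-hyperv/ca-certificates` also looks suspect: the context lines use `{{ node_custom_config }}/nova-hyperv/wsgate.ini` as a lookup source for operator-supplied config, while every other hunk writes into `{{ node_config_directory }}/<service>/ca-certificates`; presumably `{{ node_config_directory }}/nova-hyperv/ca-certificates` was intended — confirm.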
@@ -45,6 +45,18 @@ notify: - "Restart {{ item.key }} container" +- name: Copying over extra CA certificates + become: true + copy: + src: "{{ node_config }}/certificates/ca/" + dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates" + mode: "0644" + when: + - item.value.enabled | bool + - inventory_hostname in groups[item.value.group] + - kolla_copy_ca_into_containers | bool + with_dict: "{{ octavia_services }}" + - name: Copying over config.json files for services template: src: "{{ item.key }}.json.j2" diff --git a/ansible/roles/panko/tasks/config.yml b/ansible/roles/panko/tasks/config.yml index 11b6e603e2..a71532e09f 100644 --- a/ansible/roles/panko/tasks/config.yml +++ b/ansible/roles/panko/tasks/config.yml @@ -31,6 +31,18 @@ when: - panko_policy.results +- name: Copying over extra CA certificates + become: true + copy: + src: "{{ node_config }}/certificates/ca/" + dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates" + mode: "0644" + when: + - item.value.enabled | bool + - inventory_hostname in groups[item.value.group] + - kolla_copy_ca_into_containers | bool + with_dict: "{{ panko_services }}" + - name: Copying over config.json files for services template: src: "{{ item.key }}.json.j2" diff --git a/ansible/roles/placement/tasks/config.yml b/ansible/roles/placement/tasks/config.yml index 221c8ae53b..cf8e156ce9 100644 --- a/ansible/roles/placement/tasks/config.yml +++ b/ansible/roles/placement/tasks/config.yml @@ -31,6 +31,18 @@ when: - placement_policy.results +- name: Copying over extra CA certificates + become: true + copy: + src: "{{ node_config }}/certificates/ca/" + dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates" + mode: "0644" + when: + - item.value.enabled | bool + - inventory_hostname in groups[item.value.group] + - kolla_copy_ca_into_containers | bool + with_dict: "{{ placement_services }}" + - name: Copying over config.json files for services become: true template: 
diff --git a/ansible/roles/prometheus/tasks/config.yml b/ansible/roles/prometheus/tasks/config.yml index e8a0d921e2..31876f9c28 100644 --- a/ansible/roles/prometheus/tasks/config.yml +++ b/ansible/roles/prometheus/tasks/config.yml @@ -12,6 +12,18 @@ - item.value.enabled | bool with_dict: "{{ prometheus_services }}" +- name: Copying over extra CA certificates + become: true + copy: + src: "{{ node_config }}/certificates/ca/" + dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates" + mode: "0644" + when: + - item.value.enabled | bool + - inventory_hostname in groups[item.value.group] + - kolla_copy_ca_into_containers | bool + with_dict: "{{ prometheus_services }}" + - name: Copying over config.json files become: true template: diff --git a/ansible/roles/qinling/tasks/config.yml b/ansible/roles/qinling/tasks/config.yml index 1d5dd75376..5b807b80b5 100644 --- a/ansible/roles/qinling/tasks/config.yml +++ b/ansible/roles/qinling/tasks/config.yml @@ -36,6 +36,18 @@ when: - qinling_policy.results +- name: Copying over extra CA certificates + become: true + copy: + src: "{{ node_config }}/certificates/ca/" + dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates" + mode: "0644" + when: + - item.value.enabled | bool + - inventory_hostname in groups[item.value.group] + - kolla_copy_ca_into_containers | bool + with_dict: "{{ qinling_services }}" + - name: Copying over config.json files for services template: src: "{{ item.key }}.json.j2" diff --git a/ansible/roles/rally/tasks/config.yml b/ansible/roles/rally/tasks/config.yml index baa8f4064f..04535d13a2 100644 --- a/ansible/roles/rally/tasks/config.yml +++ b/ansible/roles/rally/tasks/config.yml 
@@ -31,6 +31,18 @@ when: - rally_policy.results +- name: Copying over extra CA certificates + become: true + copy: + src: "{{ node_config }}/certificates/ca/" + dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates" + mode: "0644" + when: + - item.value.enabled | bool + - inventory_hostname in groups[item.value.group] + - kolla_copy_ca_into_containers | bool + with_dict: "{{ rally_services }}" + - name: Copying over config.json files for services template: src: "{{ item.key }}.json.j2" diff --git a/ansible/roles/sahara/tasks/config.yml b/ansible/roles/sahara/tasks/config.yml index d3455b888b..fb2fe4e168 100644 --- a/ansible/roles/sahara/tasks/config.yml +++ b/ansible/roles/sahara/tasks/config.yml @@ -31,6 +31,18 @@ when: - sahara_policy.results +- name: Copying over extra CA certificates + become: true + copy: + src: "{{ node_config }}/certificates/ca/" + dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates" + mode: "0644" + when: + - item.value.enabled | bool + - inventory_hostname in groups[item.value.group] + - kolla_copy_ca_into_containers | bool + with_dict: "{{ sahara_services }}" + - name: Copying over config.json files for services template: src: "{{ item.key }}.json.j2" diff --git a/ansible/roles/searchlight/tasks/config.yml b/ansible/roles/searchlight/tasks/config.yml index a660cfb50a..d37f53e533 100644 --- a/ansible/roles/searchlight/tasks/config.yml +++ b/ansible/roles/searchlight/tasks/config.yml @@ -31,6 +31,18 @@ when: - searchlight_policy.results +- name: Copying over extra CA certificates + become: true + copy: + src: "{{ node_config }}/certificates/ca/" + dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates" + mode: "0644" + when: + - item.value.enabled | bool + - inventory_hostname in groups[item.value.group] + - kolla_copy_ca_into_containers | bool + with_dict: "{{ searchlight_config_jsons }}" + - name: Copying over config.json files for services template: src: "{{ item.key }}.json.j2" 
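Review bot: The searchlight task loops over `with_dict: "{{ searchlight_config_jsons }}"` while every other hunk in this patch loops over the role's `<role>_services` dict, and the `when` list still dereferences `item.value.enabled` and `item.value.group`. If `searchlight_config_jsons` does not carry those keys (its name suggests a list of config.json names rather than the services dict), the conditional will fail with an undefined attribute, or the CA directory will be written under the wrong subdirectory names. Presumably `with_dict: "{{ searchlight_services }}"` was intended — confirm against the role's defaults.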
diff --git a/ansible/roles/senlin/tasks/config.yml b/ansible/roles/senlin/tasks/config.yml index e1220b31f9..62f69f2206 100644 --- a/ansible/roles/senlin/tasks/config.yml +++ b/ansible/roles/senlin/tasks/config.yml @@ -31,6 +31,18 @@ when: - senlin_policy.results +- name: Copying over extra CA certificates + become: true + copy: + src: "{{ node_config }}/certificates/ca/" + dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates" + mode: "0644" + when: + - item.value.enabled | bool + - inventory_hostname in groups[item.value.group] + - kolla_copy_ca_into_containers | bool + with_dict: "{{ senlin_services }}" + - name: Copying over config.json files for services template: src: "{{ item.key }}.json.j2" diff --git a/ansible/roles/skydive/tasks/config.yml b/ansible/roles/skydive/tasks/config.yml index 4069586016..9670eedc01 100644 --- a/ansible/roles/skydive/tasks/config.yml +++ b/ansible/roles/skydive/tasks/config.yml @@ -12,6 +12,18 @@ - item.value.enabled | bool with_dict: "{{ skydive_services }}" +- name: Copying over extra CA certificates + become: true + copy: + src: "{{ node_config }}/certificates/ca/" + dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates" + mode: "0644" + when: + - item.value.enabled | bool + - inventory_hostname in groups[item.value.group] + - kolla_copy_ca_into_containers | bool + with_dict: "{{ skydive_services }}" + - name: Copying over default config.json files template: src: "{{ item.key }}.json.j2" diff --git a/ansible/roles/solum/tasks/config.yml b/ansible/roles/solum/tasks/config.yml index 6e6c8c56ae..4b3b842922 100644 --- a/ansible/roles/solum/tasks/config.yml +++ b/ansible/roles/solum/tasks/config.yml 
@@ -12,6 +12,18 @@
 - item.value.enabled | bool
 with_dict: "{{ solum_services }}"
+- name: Copying over extra CA certificates
+ become: true
+ copy:
+ src: "{{ node_config }}/certificates/ca/"
+ dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates"
+ mode: "0644"
+ when:
+ - item.value.enabled | bool
+ - inventory_hostname in groups[item.value.group]
+ - kolla_copy_ca_into_containers | bool
+ with_dict: "{{ solum_services }}"
+
 - name: Copying over config.json files for services
 template:
 src: "{{ item.key }}.json.j2"
diff --git a/ansible/roles/swift/tasks/config.yml b/ansible/roles/swift/tasks/config.yml
index 8a70049192..7613ef6bc9 100644
--- a/ansible/roles/swift/tasks/config.yml
+++ b/ansible/roles/swift/tasks/config.yml
@@ -28,6 +28,18 @@
 - "swift-proxy-server"
 - "swift-rsyncd"
+- name: Copying over extra CA certificates
+ become: true
+ copy:
+ src: "{{ node_config }}/certificates/ca/"
+ dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates"
+ mode: "0644"
+ when:
+ - item.value.enabled | bool
+ - inventory_hostname in groups[item.value.group]
+ - kolla_copy_ca_into_containers | bool
+ with_dict: "{{ swift_services }}"
+
 - name: Copying over config.json files for services
 template:
 src: "{{ item }}.json.j2"
diff --git a/ansible/roles/tacker/tasks/config.yml b/ansible/roles/tacker/tasks/config.yml
index 6995500fa4..0363db4432 100644
--- a/ansible/roles/tacker/tasks/config.yml
+++ b/ansible/roles/tacker/tasks/config.yml
@@ -31,6 +31,18 @@
 when:
 - tacker_policy.results
+- name: Copying over extra CA certificates
+ become: true
+ copy:
+ src: "{{ node_config }}/certificates/ca/"
+ dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates"
+ mode: "0644"
+ when:
+ - item.value.enabled | bool
+ - inventory_hostname in groups[item.value.group]
+ - kolla_copy_ca_into_containers | bool
+ with_dict: "{{ tacker_services }}"
+
 - name: Copying over config.json files for services
 template:
 src: "{{ item.key }}.json.j2"
diff --git a/ansible/roles/telegraf/tasks/config.yml b/ansible/roles/telegraf/tasks/config.yml
index 9a80744580..95963a4dc7 100644
--- a/ansible/roles/telegraf/tasks/config.yml
+++ b/ansible/roles/telegraf/tasks/config.yml
@@ -12,6 +12,18 @@
 - item.value.enabled | bool
 with_dict: "{{ telegraf_services }}"
+- name: Copying over extra CA certificates
+ become: true
+ copy:
+ src: "{{ node_config }}/certificates/ca/"
+ dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates"
+ mode: "0644"
+ when:
+ - item.value.enabled | bool
+ - inventory_hostname in groups[item.value.group]
+ - kolla_copy_ca_into_containers | bool
+ with_dict: "{{ telegraf_services }}"
+
 - name: Copying over default config.json files
 template:
 src: "telegraf.json.j2"
diff --git a/ansible/roles/tempest/tasks/config.yml b/ansible/roles/tempest/tasks/config.yml
index 6ffb5956cf..899e541fbb 100644
--- a/ansible/roles/tempest/tasks/config.yml
+++ b/ansible/roles/tempest/tasks/config.yml
@@ -12,6 +12,18 @@
 - item.value.enabled | bool
 with_dict: "{{ tempest_services }}"
+- name: Copying over extra CA certificates
+ become: true
+ copy:
+ src: "{{ node_config }}/certificates/ca/"
+ dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates"
+ mode: "0644"
+ when:
+ - item.value.enabled | bool
+ - inventory_hostname in groups[item.value.group]
+ - kolla_copy_ca_into_containers | bool
+ with_dict: "{{ tempest_services }}"
+
 - name: Copying over config.json files for services
 template:
 src: "{{ item.key }}.json.j2"
diff --git a/ansible/roles/trove/tasks/config.yml b/ansible/roles/trove/tasks/config.yml
index 7e38e5e462..28d744442e 100644
--- a/ansible/roles/trove/tasks/config.yml
+++ b/ansible/roles/trove/tasks/config.yml
@@ -31,6 +31,18 @@
 when:
 - trove_policy.results
+- name: Copying over extra CA certificates
+ become: true
+ copy:
+ src: "{{ node_config }}/certificates/ca/"
+ dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates"
+ mode: "0644"
+ when:
+ - item.value.enabled | bool
+ - inventory_hostname in groups[item.value.group]
+ - kolla_copy_ca_into_containers | bool
+ with_dict: "{{ trove_services }}"
+
 - name: Copying over config.json files for services
 template:
 src: "{{ item.key }}.json.j2"
diff --git a/ansible/roles/vitrage/tasks/config.yml b/ansible/roles/vitrage/tasks/config.yml
index 8c8259401a..017d11ca8e 100644
--- a/ansible/roles/vitrage/tasks/config.yml
+++ b/ansible/roles/vitrage/tasks/config.yml
@@ -31,6 +31,18 @@
 when:
 - vitrage_policy.results
+- name: Copying over extra CA certificates
+ become: true
+ copy:
+ src: "{{ node_config }}/certificates/ca/"
+ dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates"
+ mode: "0644"
+ when:
+ - item.value.enabled | bool
+ - inventory_hostname in groups[item.value.group]
+ - kolla_copy_ca_into_containers | bool
+ with_dict: "{{ vitrage_services }}"
+
 - name: Copying over config.json files for services
 template:
 src: "{{ item.key }}.json.j2"
diff --git a/ansible/roles/watcher/tasks/config.yml b/ansible/roles/watcher/tasks/config.yml
index 26aef59ab8..986338976e 100644
--- a/ansible/roles/watcher/tasks/config.yml
+++ b/ansible/roles/watcher/tasks/config.yml
@@ -31,6 +31,18 @@
 when:
 - watcher_policy.results
+- name: Copying over extra CA certificates
+ become: true
+ copy:
+ src: "{{ node_config }}/certificates/ca/"
+ dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates"
+ mode: "0644"
+ when:
+ - item.value.enabled | bool
+ - inventory_hostname in groups[item.value.group]
+ - kolla_copy_ca_into_containers | bool
+ with_dict: "{{ watcher_services }}"
+
 - name: Copying over config.json files for services
 template:
 src: "{{ item.key }}.json.j2"
diff --git a/ansible/roles/zun/tasks/config.yml b/ansible/roles/zun/tasks/config.yml
index 1016b6c9fb..d5f841fab3 100644
--- a/ansible/roles/zun/tasks/config.yml
+++ b/ansible/roles/zun/tasks/config.yml
@@ -31,6 +31,18 @@
 when:
 - zun_policy.results
+- name: Copying over extra CA certificates
+ become: true
+ copy:
+ src: "{{ node_config }}/certificates/ca/"
+ dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates"
+ mode: "0644"
+ when:
+ - item.value.enabled | bool
+ - inventory_hostname in groups[item.value.group]
+ - kolla_copy_ca_into_containers | bool
+ with_dict: "{{ zun_services }}"
+
 - name: Copying over config.json files for services
 template:
 src: "{{ item.key }}.json.j2"
diff --git a/doc/source/admin/advanced-configuration.rst b/doc/source/admin/advanced-configuration.rst
index ecc2337b0f..9d5b52ed20 100644
--- a/doc/source/admin/advanced-configuration.rst
+++ b/doc/source/admin/advanced-configuration.rst
@@ -165,6 +165,32 @@ configuration file:
 The files haproxy.pem and haproxy-ca.pem will be generated and stored in the ``/etc/kolla/certificates/`` directory.
+Adding CA Certificates to the Service Containers
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+To copy CA certificate files to the service containers
+
+.. code-block:: yaml
+
+ kolla_copy_ca_into_containers: "yes"
+
+When ``kolla_copy_ca_into_containers`` is configured to "yes", the
+CA certificate files in /etc/kolla/certificates/ca will be copied into
+service containers to enable trust for those CA certificates. This is required
+for any certificates that are either self-signed or signed by a private CA,
+and are not already present in the service image trust store.
+
+All certificate file names will have the "kolla-customca-" prefix appended to
+it when it is copied into the containers. For example, if a certificate file is
+named "internal.crt", it will be named "kolla-customca-internal.crt" in the
+containers.
+
+For Debian and Ubuntu containers, the certificate files will be copied to
+the ``/usr/local/share/ca-certificates/`` directory.
+
+For Centos and Red Hat Linux containers, the certificate files will be copied
+to the ``/etc/pki/ca-trust/source/anchors/`` directory.
+
 .. _service-config:
 OpenStack Service Configuration in Kolla
diff --git a/etc/kolla/globals.yml b/etc/kolla/globals.yml
index 9dc85f3f46..e661910b19 100644
--- a/etc/kolla/globals.yml
+++ b/etc/kolla/globals.yml
@@ -186,6 +186,7 @@
 #kolla_internal_fqdn_cert: "{{ node_config }}/certificates/haproxy-internal.pem"
 #kolla_external_fqdn_cacert: "{{ node_config }}/certificates/haproxy-ca.crt"
 #kolla_internal_fqdn_cacert: "{{ node_config }}/certificates/haproxy-ca-internal.crt"
+#kolla_copy_ca_into_containers: "no"
 ################
 # Region options
diff --git a/releasenotes/notes/copy-certificate-authority-into-containers-860cbda3384dd731.yaml b/releasenotes/notes/copy-certificate-authority-into-containers-860cbda3384dd731.yaml
new file mode 100644
index 0000000000..78c7e11db8
--- /dev/null
+++ b/releasenotes/notes/copy-certificate-authority-into-containers-860cbda3384dd731.yaml
@@ -0,0 +1,21 @@
+---
+features:
+ - |
+ When 'kolla_copy_ca_into_containers' is configured to 'yes', the
+ certificate authority files in /etc/kolla/certificates/ca will be copied
+ into service containers to enable trust for those CA certificates. This
+ is required for any certificates that are either self-signed or signed by
+ a private CA, and are not already present in the service image trust store.
+ Otherwise, either CA validation will need to be explicitly disabled or the
+ path to the CA certificate must be configured in the service using
+ the ``openstack_cacert`` parameter.
+
+issues:
+ - |
+ Python <= 2.7.9 will not trust self-signed or privately signed CAs even
+ if they are added into the OS trusted CA folder and update-ca-trust is
+ executed. This is also true for the Python Requests library, regardless of
+ Python version. For services that run Python <= 2.7.9 or rely on the
+ Python Requests library, either CA verification must be explicitly disabled
+ in the service or the path to the CA certificate must be configured using
+ the ``openstack_cacert`` parameter.