Merge "Copy CA into containers."

ansible/group_vars/all.yml

@@ -759,7 +759,7 @@ kolla_external_fqdn_cert: "{{ node_config }}/certificates/haproxy.pem"
 kolla_internal_fqdn_cert: "{{ node_config }}/certificates/haproxy-internal.pem"
 kolla_external_fqdn_cacert: "{{ node_config }}/certificates/haproxy-ca.crt"
 kolla_internal_fqdn_cacert: "{{ node_config }}/certificates/haproxy-ca-internal.crt"
-
+kolla_copy_ca_into_containers: "no"
 
 ####################
 # Kibana options

ansible/roles/aodh/tasks/config.yml

@@ -45,6 +45,18 @@
   notify:
     - "Restart {{ item.key }} container"
 
+- name: Copying over extra CA certificates
+  become: true
+  copy:
+    src: "{{ node_config }}/certificates/ca/"
+    dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates"
+    mode: "0644"
+  when:
+    - item.value.enabled | bool
+    - inventory_hostname in groups[item.value.group]
+    - kolla_copy_ca_into_containers | bool
+  with_dict: "{{ aodh_services }}"
+
 - name: Copying over config.json files for services
   template:
     src: "{{ item.key }}.json.j2"

ansible/roles/barbican/tasks/config.yml

@@ -47,6 +47,18 @@
   when:
     - barbican_policy.results
 
+- name: Copying over extra CA certificates
+  become: true
+  copy:
+    src: "{{ node_config }}/certificates/ca/"
+    dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates"
+    mode: "0644"
+  when:
+    - inventory_hostname in groups[item.value.group]
+    - item.value.enabled | bool
+    - kolla_copy_ca_into_containers | bool
+  with_dict: "{{ barbican_services }}"
+
 - name: Copying over config.json files for services
   template:
     src: "{{ item.key }}.json.j2"

ansible/roles/blazar/tasks/config.yml

@@ -31,6 +31,18 @@
   when:
     - blazar_policy.results
 
+- name: Copying over extra CA certificates
+  become: true
+  copy:
+    src: "{{ node_config }}/certificates/ca/"
+    dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates"
+    mode: "0644"
+  when:
+    - inventory_hostname in groups[item.value.group]
+    - item.value.enabled | bool
+    - kolla_copy_ca_into_containers | bool
+  with_dict: "{{ blazar_services }}"
+
 - name: Copying over config.json files for services
   template:
     src: "{{ item.key }}.json.j2"

ansible/roles/ceilometer/tasks/config.yml

@@ -136,6 +136,18 @@
   when:
     - ceilometer_policy.results
 
+- name: Copying over extra CA certificates
+  become: true
+  copy:
+    src: "{{ node_config }}/certificates/ca/"
+    dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates"
+    mode: "0644"
+  when:
+    - inventory_hostname in groups[item.value.group]
+    - item.value.enabled | bool
+    - kolla_copy_ca_into_containers | bool
+  with_dict: "{{ ceilometer_services }}"
+
 - name: Copying over config.json files for services
   template:
     src: "{{ item.key }}.json.j2"

ansible/roles/cinder/tasks/config.yml

@@ -46,6 +46,18 @@
   when:
     - cinder_policy.results
 
+- name: Copying over extra CA certificates
+  become: true
+  copy:
+    src: "{{ node_config }}/certificates/ca/"
+    dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates"
+    mode: "0644"
+  when:
+    - inventory_hostname in groups[item.value.group]
+    - item.value.enabled | bool
+    - kolla_copy_ca_into_containers | bool
+  with_dict: "{{ cinder_services }}"
+
 - name: Copying over config.json files for services
   template:
     src: "{{ item.key }}.json.j2"

ansible/roles/cloudkitty/tasks/config.yml

@@ -55,6 +55,18 @@
   set_fact:
     cloudkitty_custom_metrics_used: "{{ cloudkitty_custom_metrics_file.stat.exists }}"
 
+- name: Copying over extra CA certificates
+  become: true
+  copy:
+    src: "{{ node_config }}/certificates/ca/"
+    dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates"
+    mode: "0644"
+  when:
+    - item.value.enabled | bool
+    - inventory_hostname in groups[item.value.group]
+    - kolla_copy_ca_into_containers | bool
+  with_dict: "{{ cloudkitty_services }}"
+
 - name: Copying over config.json files for services
   template:
     src: "{{ item.key }}.json.j2"

ansible/roles/common/tasks/config.yml

@@ -52,6 +52,17 @@
     fluentd_binary: "{{ fluentd_labels.images.0.ContainerConfig.Labels.fluentd_binary }}"
   when: enable_fluentd | bool
 
+- name: Copying over extra CA certificates
+  become: true
+  copy:
+    src: "{{ node_config }}/certificates/ca/"
+    dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates"
+    mode: "0644"
+  when:
+    - item.value.enabled | bool
+    - kolla_copy_ca_into_containers | bool
+  with_dict: "{{ common_services }}"
+
 - name: Copying over config.json files for services
   template:
     src: "{{ item.key }}.json.j2"

ansible/roles/congress/tasks/config.yml

@@ -31,6 +31,18 @@
   when:
     - congress_policy.results
 
+- name: Copying over extra CA certificates
+  become: true
+  copy:
+    src: "{{ node_config }}/certificates/ca/"
+    dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates"
+    mode: "0644"
+  when:
+    - item.value.enabled | bool
+    - inventory_hostname in groups[item.value.group]
+    - kolla_copy_ca_into_containers | bool
+  with_dict: "{{ congress_services }}"
+
 - name: Copying over config.json files for services
   template:
     src: "{{ item.key }}.json.j2"

ansible/roles/cyborg/tasks/config.yml

@@ -45,6 +45,18 @@
   notify:
     - Restart {{ item.key }} container
 
+- name: Copying over extra CA certificates
+  become: true
+  copy:
+    src: "{{ node_config }}/certificates/ca/"
+    dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates"
+    mode: "0644"
+  when:
+    - item.value.enabled | bool
+    - inventory_hostname in groups[item.value.group]
+    - kolla_copy_ca_into_containers | bool
+  with_dict: "{{ cyborg_services }}"
+
 - name: Copying over config.json files for services
   template:
     src: "{{ item.key }}.json.j2"

ansible/roles/designate/tasks/config.yml

@@ -31,6 +31,18 @@
   when:
     - designate_policy.results
 
+- name: Copying over extra CA certificates
+  become: true
+  copy:
+    src: "{{ node_config }}/certificates/ca/"
+    dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates"
+    mode: "0644"
+  when:
+    - item.value.enabled | bool
+    - inventory_hostname in groups[item.value.group]
+    - kolla_copy_ca_into_containers | bool
+  with_dict: "{{ designate_services }}"
+
 - name: Copying over config.json files for services
   template:
     src: "{{ item.key }}.json.j2"

ansible/roles/elasticsearch/tasks/config.yml

@@ -21,6 +21,17 @@
     - item.value.enabled | bool
   with_dict: "{{ elasticsearch_services }}"
 
+- name: Copying over extra CA certificates
+  become: true
+  copy:
+    src: "{{ node_config }}/certificates/ca/"
+    dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates"
+    mode: "0644"
+  when:
+    - item.value.enabled | bool
+    - kolla_copy_ca_into_containers | bool
+  with_dict: "{{ elasticsearch_services }}"
+
 - name: Copying over config.json files for services
   template:
     src: "{{ item.key }}.json.j2"

ansible/roles/freezer/tasks/config.yml

@@ -31,6 +31,18 @@
   when:
     - freezer_policy.results
 
+- name: Copying over extra CA certificates
+  become: true
+  copy:
+    src: "{{ node_config }}/certificates/ca/"
+    dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates"
+    mode: "0644"
+  when:
+    - item.value.enabled | bool
+    - inventory_hostname in groups[item.value.group]
+    - kolla_copy_ca_into_containers | bool
+  with_dict: "{{ freezer_services }}"
+
 - name: Copying over config.json files for services
   template:
     src: "{{ item.key }}.json.j2"

ansible/roles/glance/tasks/config.yml

@@ -41,6 +41,18 @@
   when:
     - glance_policy.results
 
+- name: Copying over extra CA certificates
+  become: true
+  copy:
+    src: "{{ node_config }}/certificates/ca/"
+    dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates"
+    mode: "0644"
+  when:
+    - item.value.enabled | bool
+    - inventory_hostname in groups[item.value.group]
+    - kolla_copy_ca_into_containers | bool
+  with_dict: "{{ glance_services }}"
+
 - name: Copying over config.json files for services
   template:
     src: "{{ item.key }}.json.j2"

ansible/roles/gnocchi/tasks/config.yml

@@ -41,6 +41,18 @@
   when:
     - gnocchi_policy.results
 
+- name: Copying over extra CA certificates
+  become: true
+  copy:
+    src: "{{ node_config }}/certificates/ca/"
+    dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates"
+    mode: "0644"
+  when:
+    - item.value.enabled | bool
+    - inventory_hostname in groups[item.value.group]
+    - kolla_copy_ca_into_containers | bool
+  with_dict: "{{ gnocchi_services }}"
+
 - name: Copying over config.json files for services
   template:
     src: "{{ item.key }}.json.j2"

ansible/roles/grafana/tasks/config.yml

@@ -20,6 +20,17 @@
   run_once: True
   register: check_extra_conf_grafana
 
+- name: Copying over extra CA certificates
+  become: true
+  copy:
+    src: "{{ node_config }}/certificates/ca/"
+    dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates"
+    mode: "0644"
+  when:
+    - item.value.enabled | bool
+    - kolla_copy_ca_into_containers | bool
+  with_dict: "{{ grafana_services }}"
+
 - name: Copying over config.json files
   template:
     src: "{{ item.key }}.json.j2"

ansible/roles/heat/tasks/config.yml

@@ -31,6 +31,18 @@
   when:
     - heat_policy.results
 
+- name: Copying over extra CA certificates
+  become: true
+  copy:
+    src: "{{ node_config }}/certificates/ca/"
+    dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates"
+    mode: "0644"
+  when:
+    - inventory_hostname in groups[item.value.group]
+    - item.value.enabled | bool
+    - kolla_copy_ca_into_containers | bool
+  with_dict: "{{ heat_services }}"
+
 - name: Copying over config.json files for services
   become: true
   template:

ansible/roles/ironic/tasks/config.yml

@@ -38,6 +38,18 @@
   when:
     - ironic_policy.results
 
+- name: Copying over extra CA certificates
+  become: true
+  copy:
+    src: "{{ node_config }}/certificates/ca/"
+    dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates"
+    mode: "0644"
+  when:
+    - item.value.enabled | bool
+    - inventory_hostname in groups[item.value.group]
+    - kolla_copy_ca_into_containers | bool
+  with_dict: "{{ ironic_services }}"
+
 - name: Copying over config.json files for services
   template:
     src: "{{ item.key }}.json.j2"

ansible/roles/karbor/tasks/config.yml

@@ -12,6 +12,18 @@
     - item.value.enabled | bool
   with_dict: "{{ karbor_services }}"
 
+- name: Copying over extra CA certificates
+  become: true
+  copy:
+    src: "{{ node_config }}/certificates/ca/"
+    dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates"
+    mode: "0644"
+  when:
+    - item.value.enabled | bool
+    - inventory_hostname in groups[item.value.group]
+    - kolla_copy_ca_into_containers | bool
+  with_dict: "{{ karbor_services }}"
+
 - name: Copying over config.json files for services
   template:
     src: "{{ item.key }}.json.j2"

ansible/roles/keystone/tasks/config.yml

@@ -38,6 +38,18 @@
   run_once: True
   register: keystone_domain_directory
 
+- name: Copying over extra CA certificates
+  become: true
+  copy:
+    src: "{{ node_config }}/certificates/ca/"
+    dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates"
+    mode: "0644"
+  when:
+    - item.value.enabled | bool
+    - inventory_hostname in groups[item.value.group]
+    - kolla_copy_ca_into_containers | bool
+  with_dict: "{{ keystone_services }}"
+
 - name: Copying over config.json files for services
   template:
     src: "{{ item.key }}.json.j2"

ansible/roles/kibana/tasks/config.yml

@@ -12,6 +12,18 @@
     - item.value.enabled | bool
   with_dict: "{{ kibana_services }}"
 
+- name: Copying over extra CA certificates
+  become: true
+  copy:
+    src: "{{ node_config }}/certificates/ca/"
+    dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates"
+    mode: "0644"
+  when:
+    - item.value.enabled | bool
+    - inventory_hostname in groups[item.value.group]
+    - kolla_copy_ca_into_containers | bool
+  with_dict: "{{ kibana_services }}"
+
 - name: Copying over config.json files for services
   template:
     src: "{{ item.key }}.json.j2"

ansible/roles/kuryr/tasks/config.yml

@@ -31,6 +31,18 @@
   when:
     - kuryr_policy.results
 
+- name: Copying over extra CA certificates
+  become: true
+  copy:
+    src: "{{ node_config }}/certificates/ca/"
+    dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates"
+    mode: "0644"
+  when:
+    - item.value.enabled | bool
+    - inventory_hostname in groups[item.value.group]
+    - kolla_copy_ca_into_containers | bool
+  with_dict: "{{ kuryr_services }}"
+
 - name: Copying over config.json files for services
   template:
     src: "{{ item.key }}.json.j2"

ansible/roles/magnum/tasks/config.yml

@@ -31,6 +31,18 @@
   when:
     - magnum_policy.results
 
+- name: Copying over extra CA certificates
+  become: true
+  copy:
+    src: "{{ node_config }}/certificates/ca/"
+    dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates"
+    mode: "0644"
+  when:
+    - item.value.enabled | bool
+    - inventory_hostname in groups[item.value.group]
+    - kolla_copy_ca_into_containers | bool
+  with_dict: "{{ magnum_services }}"
+
 - name: Copying over config.json files for services
   template:
     src: "{{ item.key }}.json.j2"

ansible/roles/manila/tasks/config.yml

@@ -45,6 +45,18 @@
   when:
     - manila_policy.results
 
+- name: Copying over extra CA certificates
+  become: true
+  copy:
+    src: "{{ node_config }}/certificates/ca/"
+    dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates"
+    mode: "0644"
+  when:
+    - item.value.enabled | bool
+    - inventory_hostname in groups[item.value.group]
+    - kolla_copy_ca_into_containers | bool
+  with_dict: "{{ manila_services }}"
+
 - name: Copying over config.json files for services
   template:
     src: "{{ item.key }}.json.j2"

ansible/roles/mistral/tasks/config.yml

@@ -31,6 +31,18 @@
   when:
     - mistral_policy.results
 
+- name: Copying over extra CA certificates
+  become: true
+  copy:
+    src: "{{ node_config }}/certificates/ca/"
+    dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates"
+    mode: "0644"
+  when:
+    - item.value.enabled | bool
+    - inventory_hostname in groups[item.value.group]
+    - kolla_copy_ca_into_containers | bool
+  with_dict: "{{ mistral_services }}"
+
 - name: Copying over config.json files for services
   template:
     src: "{{ item.key }}.json.j2"

ansible/roles/monasca/tasks/config.yml

@@ -12,6 +12,18 @@
     - item.value.enabled | bool
   with_dict: "{{ monasca_services }}"
 
+- name: Copying over extra CA certificates
+  become: true
+  copy:
+    src: "{{ node_config }}/certificates/ca/"
+    dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates"
+    mode: "0644"
+  when:
+    - item.value.enabled | bool
+    - inventory_hostname in groups[item.value.group]
+    - kolla_copy_ca_into_containers | bool
+  with_dict: "{{ monasca_services }}"
+
 - name: Copying over config.json files for services
   template:
     src: "{{ item.key }}/{{ item.key }}.json.j2"

ansible/roles/murano/tasks/config.yml

@@ -31,6 +31,18 @@
   when:
     - murano_policy.results
 
+- name: Copying over extra CA certificates
+  become: true
+  copy:
+    src: "{{ node_config }}/certificates/ca/"
+    dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates"
+    mode: "0644"
+  when:
+    - item.value.enabled | bool
+    - inventory_hostname in groups[item.value.group]
+    - kolla_copy_ca_into_containers | bool
+  with_dict: "{{ murano_services }}"
+
 - name: Copying over config.json files for services
   template:
     src: "{{ item.key }}.json.j2"

ansible/roles/neutron/tasks/config.yml

@@ -47,6 +47,18 @@
   changed_when: False
   register: check_extra_ml2_plugins
 
+- name: Copying over extra CA certificates
+  become: true
+  copy:
+    src: "{{ node_config }}/certificates/ca/"
+    dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates"
+    mode: "0644"
+  when:
+    - item.value.enabled | bool
+    - item.value.host_in_groups | bool
+    - kolla_copy_ca_into_containers | bool
+  with_dict: "{{ neutron_services }}"
+
 - name: Copying over config.json files for services
   become: true
   template:

ansible/roles/nova-cell/tasks/config.yml

@@ -24,6 +24,18 @@
     - item.value.enabled | bool
   with_dict: "{{ nova_cell_services }}"
 
+- name: Copying over extra CA certificates
+  become: true
+  copy:
+    src: "{{ node_config }}/certificates/ca/"
+    dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates"
+    mode: "0644"
+  when:
+    - item.value.enabled | bool
+    - inventory_hostname in groups[item.value.group]
+    - kolla_copy_ca_into_containers | bool
+  with_dict: "{{ nova_cell_services }}"
+
 - include_tasks: ceph.yml
   when:
     - enable_ceph | bool and nova_backend == "rbd"

ansible/roles/nova-hyperv/tasks/config.yml

@@ -33,3 +33,14 @@
     - "{{ node_custom_config  }}/nova-hyperv/wsgate.ini"
     - "wsgate.ini.j2"
   notify: Restart FreeRDP-WebConnect
+
+- name: Copying over extra CA certificates
+  become: true
+  copy:
+    src: "{{ node_config }}/certificates/ca/"
+    dest: "{{ node_custom_config  }}/nova-hyperv/ca-certificates"
+    mode: "0644"
+  when:
+    - item.value.enabled | bool
+    - inventory_hostname in groups[item.value.group]
+    - kolla_copy_ca_into_containers | bool

ansible/roles/nova/tasks/config.yml

@@ -31,6 +31,18 @@
   when:
     - nova_policy.results
 
+- name: Copying over extra CA certificates
+  become: true
+  copy:
+    src: "{{ node_config }}/certificates/ca/"
+    dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates"
+    mode: "0644"
+  when:
+    - item.value.enabled | bool
+    - inventory_hostname in groups[item.value.group]
+    - kolla_copy_ca_into_containers | bool
+  with_dict: "{{ nova_services }}"
+
 - name: Copying over config.json files for services
   become: true
   template:

ansible/roles/octavia/tasks/config.yml

@@ -45,6 +45,18 @@
   notify:
     - "Restart {{ item.key }} container"
 
+- name: Copying over extra CA certificates
+  become: true
+  copy:
+    src: "{{ node_config }}/certificates/ca/"
+    dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates"
+    mode: "0644"
+  when:
+    - item.value.enabled | bool
+    - inventory_hostname in groups[item.value.group]
+    - kolla_copy_ca_into_containers | bool
+  with_dict: "{{ octavia_services }}"
+
 - name: Copying over config.json files for services
   template:
     src: "{{ item.key }}.json.j2"

ansible/roles/panko/tasks/config.yml

@@ -31,6 +31,18 @@
   when:
     - panko_policy.results
 
+- name: Copying over extra CA certificates
+  become: true
+  copy:
+    src: "{{ node_config }}/certificates/ca/"
+    dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates"
+    mode: "0644"
+  when:
+    - item.value.enabled | bool
+    - inventory_hostname in groups[item.value.group]
+    - kolla_copy_ca_into_containers | bool
+  with_dict: "{{ panko_services }}"
+
 - name: Copying over config.json files for services
   template:
     src: "{{ item.key }}.json.j2"

ansible/roles/placement/tasks/config.yml

@@ -31,6 +31,18 @@
   when:
     - placement_policy.results
 
+- name: Copying over extra CA certificates
+  become: true
+  copy:
+    src: "{{ node_config }}/certificates/ca/"
+    dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates"
+    mode: "0644"
+  when:
+    - item.value.enabled | bool
+    - inventory_hostname in groups[item.value.group]
+    - kolla_copy_ca_into_containers | bool
+  with_dict: "{{ placement_services }}"
+
 - name: Copying over config.json files for services
   become: true
   template:

ansible/roles/prometheus/tasks/config.yml

@@ -12,6 +12,18 @@
     - item.value.enabled | bool
   with_dict: "{{ prometheus_services }}"
 
+- name: Copying over extra CA certificates
+  become: true
+  copy:
+    src: "{{ node_config }}/certificates/ca/"
+    dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates"
+    mode: "0644"
+  when:
+    - item.value.enabled | bool
+    - inventory_hostname in groups[item.value.group]
+    - kolla_copy_ca_into_containers | bool
+  with_dict: "{{ prometheus_services }}"
+
 - name: Copying over config.json files
   become: true
   template:

ansible/roles/qinling/tasks/config.yml

@@ -36,6 +36,18 @@
   when:
     - qinling_policy.results
 
+- name: Copying over extra CA certificates
+  become: true
+  copy:
+    src: "{{ node_config }}/certificates/ca/"
+    dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates"
+    mode: "0644"
+  when:
+    - item.value.enabled | bool
+    - inventory_hostname in groups[item.value.group]
+    - kolla_copy_ca_into_containers | bool
+  with_dict: "{{ qinling_services }}"
+
 - name: Copying over config.json files for services
   template:
     src: "{{ item.key }}.json.j2"

ansible/roles/rally/tasks/config.yml

@@ -31,6 +31,18 @@
   when:
     - rally_policy.results
 
+- name: Copying over extra CA certificates
+  become: true
+  copy:
+    src: "{{ node_config }}/certificates/ca/"
+    dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates"
+    mode: "0644"
+  when:
+    - item.value.enabled | bool
+    - inventory_hostname in groups[item.value.group]
+    - kolla_copy_ca_into_containers | bool
+  with_dict: "{{ rally_services }}"
+
 - name: Copying over config.json files for services
   template:
     src: "{{ item.key }}.json.j2"

ansible/roles/sahara/tasks/config.yml

@@ -31,6 +31,18 @@
   when:
     - sahara_policy.results
 
+- name: Copying over extra CA certificates
+  become: true
+  copy:
+    src: "{{ node_config }}/certificates/ca/"
+    dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates"
+    mode: "0644"
+  when:
+    - item.value.enabled | bool
+    - inventory_hostname in groups[item.value.group]
+    - kolla_copy_ca_into_containers | bool
+  with_dict: "{{ sahara_services }}"
+
 - name: Copying over config.json files for services
   template:
     src: "{{ item.key }}.json.j2"

ansible/roles/searchlight/tasks/config.yml

@@ -31,6 +31,18 @@
   when:
     - searchlight_policy.results
 
+- name: Copying over extra CA certificates
+  become: true
+  copy:
+    src: "{{ node_config }}/certificates/ca/"
+    dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates"
+    mode: "0644"
+  when:
+    - item.value.enabled | bool
+    - inventory_hostname in groups[item.value.group]
+    - kolla_copy_ca_into_containers | bool
+  with_dict: "{{ searchlight_config_jsons }}"
+
 - name: Copying over config.json files for services
   template:
     src: "{{ item.key }}.json.j2"

ansible/roles/senlin/tasks/config.yml

@@ -31,6 +31,18 @@
   when:
     - senlin_policy.results
 
+- name: Copying over extra CA certificates
+  become: true
+  copy:
+    src: "{{ node_config }}/certificates/ca/"
+    dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates"
+    mode: "0644"
+  when:
+    - item.value.enabled | bool
+    - inventory_hostname in groups[item.value.group]
+    - kolla_copy_ca_into_containers | bool
+  with_dict: "{{ senlin_services }}"
+
 - name: Copying over config.json files for services
   template:
     src: "{{ item.key }}.json.j2"

ansible/roles/skydive/tasks/config.yml

@@ -12,6 +12,18 @@
     - item.value.enabled | bool
   with_dict: "{{ skydive_services }}"
 
+- name: Copying over extra CA certificates
+  become: true
+  copy:
+    src: "{{ node_config }}/certificates/ca/"
+    dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates"
+    mode: "0644"
+  when:
+    - item.value.enabled | bool
+    - inventory_hostname in groups[item.value.group]
+    - kolla_copy_ca_into_containers | bool
+  with_dict: "{{ skydive_services }}"
+
 - name: Copying over default config.json files
   template:
     src: "{{ item.key }}.json.j2"

ansible/roles/solum/tasks/config.yml

@@ -12,6 +12,18 @@
     - item.value.enabled | bool
   with_dict: "{{ solum_services }}"
 
+- name: Copying over extra CA certificates
+  become: true
+  copy:
+    src: "{{ node_config }}/certificates/ca/"
+    dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates"
+    mode: "0644"
+  when:
+    - item.value.enabled | bool
+    - inventory_hostname in groups[item.value.group]
+    - kolla_copy_ca_into_containers | bool
+  with_dict: "{{ solum_services }}"
+
 - name: Copying over config.json files for services
   template:
     src: "{{ item.key }}.json.j2"

ansible/roles/swift/tasks/config.yml

@@ -28,6 +28,18 @@
     - "swift-proxy-server"
     - "swift-rsyncd"
 
+- name: Copying over extra CA certificates
+  become: true
+  copy:
+    src: "{{ node_config }}/certificates/ca/"
+    dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates"
+    mode: "0644"
+  when:
+    - item.value.enabled | bool
+    - inventory_hostname in groups[item.value.group]
+    - kolla_copy_ca_into_containers | bool
+  with_dict: "{{ swift_services }}"
+
 - name: Copying over config.json files for services
   template:
     src: "{{ item }}.json.j2"

ansible/roles/tacker/tasks/config.yml

@@ -31,6 +31,18 @@
   when:
     - tacker_policy.results
 
+- name: Copying over extra CA certificates
+  become: true
+  copy:
+    src: "{{ node_config }}/certificates/ca/"
+    dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates"
+    mode: "0644"
+  when:
+    - item.value.enabled | bool
+    - inventory_hostname in groups[item.value.group]
+    - kolla_copy_ca_into_containers | bool
+  with_dict: "{{ tacker_services }}"
+
 - name: Copying over config.json files for services
   template:
     src: "{{ item.key }}.json.j2"

ansible/roles/telegraf/tasks/config.yml

@@ -12,6 +12,18 @@
     - item.value.enabled | bool
   with_dict: "{{ telegraf_services }}"
 
+- name: Copying over extra CA certificates
+  become: true
+  copy:
+    src: "{{ node_config }}/certificates/ca/"
+    dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates"
+    mode: "0644"
+  when:
+    - item.value.enabled | bool
+    - inventory_hostname in groups[item.value.group]
+    - kolla_copy_ca_into_containers | bool
+  with_dict: "{{ telegraf_services }}"
+
 - name: Copying over default config.json files
   template:
     src: "telegraf.json.j2"

ansible/roles/tempest/tasks/config.yml

@@ -12,6 +12,18 @@
     - item.value.enabled | bool
   with_dict: "{{ tempest_services }}"
 
+- name: Copying over extra CA certificates
+  become: true
+  copy:
+    src: "{{ node_config }}/certificates/ca/"
+    dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates"
+    mode: "0644"
+  when:
+    - item.value.enabled | bool
+    - inventory_hostname in groups[item.value.group]
+    - kolla_copy_ca_into_containers | bool
+  with_dict: "{{ tempest_services }}"
+
 - name: Copying over config.json files for services
   template:
     src: "{{ item.key }}.json.j2"

ansible/roles/trove/tasks/config.yml

@@ -31,6 +31,18 @@
   when:
     - trove_policy.results
 
+- name: Copying over extra CA certificates
+  become: true
+  copy:
+    src: "{{ node_config }}/certificates/ca/"
+    dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates"
+    mode: "0644"
+  when:
+    - item.value.enabled | bool
+    - inventory_hostname in groups[item.value.group]
+    - kolla_copy_ca_into_containers | bool
+  with_dict: "{{ trove_services }}"
+
 - name: Copying over config.json files for services
   template:
     src: "{{ item.key }}.json.j2"

ansible/roles/vitrage/tasks/config.yml

@@ -31,6 +31,18 @@
   when:
     - vitrage_policy.results
 
+- name: Copying over extra CA certificates
+  become: true
+  copy:
+    src: "{{ node_config }}/certificates/ca/"
+    dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates"
+    mode: "0644"
+  when:
+    - item.value.enabled | bool
+    - inventory_hostname in groups[item.value.group]
+    - kolla_copy_ca_into_containers | bool
+  with_dict: "{{ vitrage_services }}"
+
 - name: Copying over config.json files for services
   template:
     src: "{{ item.key }}.json.j2"

ansible/roles/watcher/tasks/config.yml

@@ -31,6 +31,18 @@
   when:
     - watcher_policy.results
 
+- name: Copying over extra CA certificates
+  become: true
+  copy:
+    src: "{{ node_config }}/certificates/ca/"
+    dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates"
+    mode: "0644"
+  when:
+    - item.value.enabled | bool
+    - inventory_hostname in groups[item.value.group]
+    - kolla_copy_ca_into_containers | bool
+  with_dict: "{{ watcher_services }}"
+
 - name: Copying over config.json files for services
   template:
     src: "{{ item.key }}.json.j2"

ansible/roles/zun/tasks/config.yml

@@ -31,6 +31,18 @@
   when:
     - zun_policy.results
 
+- name: Copying over extra CA certificates
+  become: true
+  copy:
+    src: "{{ node_config }}/certificates/ca/"
+    dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates"
+    mode: "0644"
+  when:
+    - item.value.enabled | bool
+    - inventory_hostname in groups[item.value.group]
+    - kolla_copy_ca_into_containers | bool
+  with_dict: "{{ zun_services }}"
+
 - name: Copying over config.json files for services
   template:
     src: "{{ item.key }}.json.j2"

doc/source/admin/advanced-configuration.rst

@@ -165,6 +165,32 @@ configuration file:
 The files haproxy.pem and haproxy-ca.pem will be generated and stored
 in the ``/etc/kolla/certificates/`` directory.
 
+Adding CA Certificates to the Service Containers
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+To copy CA certificate files to the service containers
+
+.. code-block:: yaml
+
+   kolla_copy_ca_into_containers: "yes"
+
+When ``kolla_copy_ca_into_containers`` is configured to "yes", the
+CA certificate files in /etc/kolla/certificates/ca will be copied into
+service containers to enable trust for those CA certificates. This is required
+for any certificates that are either self-signed or signed by a private CA,
+and are not already present in the service image trust store.
+
+All certificate file names will have the "kolla-customca-" prefix appended to
+it when it is copied into the containers. For example, if a certificate file is
+named "internal.crt", it will be named "kolla-customca-internal.crt" in the
+containers.
+
+For Debian and Ubuntu containers, the certificate files will be copied to
+the ``/usr/local/share/ca-certificates/`` directory.
+
+For Centos and Red Hat Linux containers, the certificate files will be copied
+to the ``/etc/pki/ca-trust/source/anchors/`` directory.
+
 .. _service-config:
 
 OpenStack Service Configuration in Kolla

etc/kolla/globals.yml

@@ -186,6 +186,7 @@
 #kolla_internal_fqdn_cert: "{{ node_config }}/certificates/haproxy-internal.pem"
 #kolla_external_fqdn_cacert: "{{ node_config }}/certificates/haproxy-ca.crt"
 #kolla_internal_fqdn_cacert: "{{ node_config }}/certificates/haproxy-ca-internal.crt"
+#kolla_copy_ca_into_containers: "no"
 
 ################
 # Region options

releasenotes/notes/copy-certificate-authority-into-containers-860cbda3384dd731.yaml

@@ -0,0 +1,21 @@
+---
+features:
+  - |
+    When 'kolla_copy_ca_into_containers' is configured to 'yes', the
+    certificate authority files in /etc/kolla/certificates/ca will be copied
+    into service containers to enable trust for those CA certificates. This
+    is required for any certificates that are either self-signed or signed by
+    a private CA, and are not already present in the service image trust store.
+    Otherwise, either CA validation will need to be explicitly disabled or the
+    path to the CA certificate must be configured in the service using
+    the ``openstack_cacert`` parameter.
+
+issues:
+  - |
+    Python <= 2.7.9 will not trust self-signed or privately signed CAs even
+    if they are added into the OS trusted CA folder and update-ca-trust is
+    executed. This is also true for the Python Requests library, regardless of
+    Python version. For services that run Python <= 2.7.9 or rely on the
+    Python Requests library, either CA verification must be explicitly disabled
+    in the service or the path to the CA certificate must be configured using
+    the ``openstack_cacert`` parameter.