From 9156fa0e2d53f0b20fb2656a9653456a2600df7b Mon Sep 17 00:00:00 2001
From: Pierre Riteau
Date: Mon, 28 Jan 2019 18:45:53 +0000
Subject: [PATCH] Allow Kayobe to set kolla_external_fqdn_cacert
This variable can be used to customize the CA certificate file used as the OS_CACERT environment variable in openrc files when TLS is enabled.
Change-Id: Ia157e91dfab176b84a53354065172cac2d60fb78
Story: 2004876
Task: 29150
---
 ansible/group_vars/all/kolla | 4 ++++
 ansible/roles/kolla-ansible/defaults/main.yml | 1 +
 ansible/roles/kolla-ansible/templates/globals.yml.j2 | 1 +
 etc/kayobe/kolla.yml | 4 ++++
 .../notes/kolla-external-fqdn-cacert-048aa1299050cfd7.yaml | 6 ++++++
 5 files changed, 16 insertions(+)
 create mode 100644 releasenotes/notes/kolla-external-fqdn-cacert-048aa1299050cfd7.yaml
diff --git a/ansible/group_vars/all/kolla b/ansible/group_vars/all/kolla
index ae336a80f..b50df3ecc 100644
--- a/ansible/group_vars/all/kolla
+++ b/ansible/group_vars/all/kolla
@@ -402,3 +402,7 @@ kolla_ansible_custom_passwords: "{{ kolla_ansible_default_custom_passwords }}"
 #
 # Note that this should be formatted as a literal style block scalar.
 kolla_tls_cert:
+
+# Path to a CA certificate file to use for the OS_CACERT environment variable in
+# openrc files when TLS is enabled, instead of Kolla-Ansible's default.
+kolla_external_fqdn_cacert:
diff --git a/ansible/roles/kolla-ansible/defaults/main.yml b/ansible/roles/kolla-ansible/defaults/main.yml
index d3e8b8bd4..1c9f33dfb 100644
--- a/ansible/roles/kolla-ansible/defaults/main.yml
+++ b/ansible/roles/kolla-ansible/defaults/main.yml
@@ -197,6 +197,7 @@ kolla_neutron_ml2_tenant_network_types: []
 # allow clients to perform authentication.
 kolla_enable_tls_external:
 kolla_external_fqdn_cert:
+kolla_external_fqdn_cacert:
 #############################
 # Ironic options
diff --git a/ansible/roles/kolla-ansible/templates/globals.yml.j2 b/ansible/roles/kolla-ansible/templates/globals.yml.j2
index 1f722e5c7..03933b8a0 100644
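Review bot: The comment added above `kolla_external_fqdn_cacert` in ansible/group_vars/all/kolla says "Path to a CA certificate file" but does not say on which host that path is resolved. OS_CACERT is read by the OpenStack client in whatever shell sources the openrc file, so the path has to exist and be trustworthy there, and nothing visible in this patch copies the file anywhere. I would add a line such as `# The path must be valid on the host where the openrc file is sourced.` and, if the role tasks confirm it, note that Kayobe does not distribute the file. The identical comment added to etc/kayobe/kolla.yml would need the same sentence.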
--- a/ansible/roles/kolla-ansible/templates/globals.yml.j2
+++ b/ansible/roles/kolla-ansible/templates/globals.yml.j2
@@ -128,6 +128,7 @@ neutron_tenant_network_types: {{ kolla_neutron_ml2_tenant_network_types | join('
 # allow clients to perform authentication.
 kolla_enable_tls_external: {{ kolla_enable_tls_external | bool }}
 kolla_external_fqdn_cert: "{{ kolla_external_fqdn_cert }}"
+kolla_external_fqdn_cacert: "{{ kolla_external_fqdn_cacert }}"
 ##############
diff --git a/etc/kayobe/kolla.yml b/etc/kayobe/kolla.yml
index 1a3e29e74..ad35f10cc 100644
--- a/etc/kayobe/kolla.yml
+++ b/etc/kayobe/kolla.yml
@@ -260,6 +260,10 @@
 # Note that this should be formatted as a literal style block scalar.
 #kolla_tls_cert:
+# Path to a CA certificate file to use for the OS_CACERT environment variable in
+# openrc files when TLS is enabled, instead of Kolla-Ansible's default.
+#kolla_external_fqdn_cacert:
+
 ###############################################################################
 # Dummy variable to allow Ansible to accept this file.
 workaround_ansible_issue_8743: yes
diff --git a/releasenotes/notes/kolla-external-fqdn-cacert-048aa1299050cfd7.yaml b/releasenotes/notes/kolla-external-fqdn-cacert-048aa1299050cfd7.yaml
new file mode 100644
index 000000000..433246728
--- /dev/null
+++ b/releasenotes/notes/kolla-external-fqdn-cacert-048aa1299050cfd7.yaml
@@ -0,0 +1,6 @@
+---
+features:
+ - |
+ Adds support for setting the `kolla_external_fqdn_cacert` variable which
+ allows customizing the CA certificate file to be used as the OS_CACERT
+ environment variable in openrc files when TLS is enabled.
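Review bot: The added `kolla_external_fqdn_cacert: "{{ kolla_external_fqdn_cacert }}"` line in globals.yml.j2 is rendered unconditionally, while both defaults introduced by this patch leave the variable empty. When the operator sets nothing, globals.yml presumably carries an empty value that overrides Kolla-Ansible's own default rather than falling back to it, which contradicts the "instead of Kolla-Ansible's default" wording in the variable's comment and could leave OS_CACERT empty in openrc with TLS enabled. Emitting the line only when a value is set avoids that: `{% if kolla_external_fqdn_cacert %}`, then the existing line, then `{% endif %}`. The neighbouring `kolla_external_fqdn_cert` context line follows the same unconditional pattern, so confirm whether that convention is deliberate before changing only one of them.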