From 95729405a38e6292a828c26347406e70132136b2 Mon Sep 17 00:00:00 2001 From: Mark Goddard Date: Tue, 20 Dec 2022 10:54:49 +0000 Subject: [PATCH] Fix setting kolla_admin_openrc_cacert Kolla Ansible renamed kolla_internal_fqdn_cacert to kolla_admin_openrc_cacert in Victoria, after which we no longer set the variable correctly in globals.yml. This would lead to a missing OS_CACERT in admin-openrc.sh and public-openrc.sh. This change fixes the issue by renaming the relevant Kayobe variables to match and passing through the correct variable. Backwards compatibility is provided until the end of the deprecation period. kolla_public_openrc_cacert -> kolla_external_fqdn_cacert kolla_admin_openrc_cacert -> kolla_internal_fqdn_cacert Story: 2010486 Task: 47054 Change-Id: I9e1cc20579cf80525d6ef732a1aac99a65bc171b Co-Authored-By: Maksim Malchuk --- ansible/inventory/group_vars/all/kolla | 4 ++-- ansible/roles/kolla-ansible/defaults/main.yml | 4 ++-- .../kolla-ansible/templates/kolla/globals.yml | 3 +-- .../roles/kolla-ansible/tests/test-extras.yml | 2 ++ .../templates/public-openrc.sh.j2 | 4 ++-- .../configuration/reference/kolla-ansible.rst | 22 +++++++++++-------- etc/kayobe/kolla.yml | 4 ++-- ...eprecate-fqdn-cacert-301d5a26ed7107ab.yaml | 13 +++++++++++ 8 files changed, 37 insertions(+), 19 deletions(-) create mode 100644 releasenotes/notes/deprecate-fqdn-cacert-301d5a26ed7107ab.yaml diff --git a/ansible/inventory/group_vars/all/kolla b/ansible/inventory/group_vars/all/kolla index daf4fa799..c13afeb9d 100644 --- a/ansible/inventory/group_vars/all/kolla +++ b/ansible/inventory/group_vars/all/kolla @@ -628,7 +628,7 @@ kolla_external_tls_cert: # Path to a CA certificate file to use for the OS_CACERT environment variable # in public-openrc.sh file when TLS is enabled, instead of Kolla-Ansible's # default. -kolla_external_fqdn_cacert: +kolla_public_openrc_cacert: "{{ kolla_external_fqdn_cacert | default }}" # Internal API certificate bundle. # 
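Review bot: The new default `kolla_public_openrc_cacert: "{{ kolla_external_fqdn_cacert | default }}"` evaluates to an empty string rather than null when the deprecated variable is unset, because `default` with no argument substitutes `''`. The guard in public-openrc.sh.j2 further down this patch only tests `kolla_public_openrc_cacert is not none`, so with nothing configured it would presumably still match and write `export OS_CACERT=` with an empty value instead of passing through the line taken from admin-openrc.sh, which tends to surface as certificate verification failures for users of public-openrc.sh. The same applies to `kolla_admin_openrc_cacert` in the next hunk of this file. Either keep the template guard in step with the default, e.g. `... in line and kolla_public_openrc_cacert is not none and kolla_public_openrc_cacert | length > 0 %}`, or confirm that an empty value is handled wherever these variables are consumed.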
@@ -641,7 +641,7 @@ kolla_internal_tls_cert: # Path to a CA certificate file to use for the OS_CACERT environment variable # in admin-openrc.sh file when TLS is enabled, instead of Kolla-Ansible's # default. -kolla_internal_fqdn_cacert: +kolla_admin_openrc_cacert: "{{ kolla_internal_fqdn_cacert | default }}" ############################################################################### # Proxy configuration diff --git a/ansible/roles/kolla-ansible/defaults/main.yml b/ansible/roles/kolla-ansible/defaults/main.yml index 3cee9c96c..9fa81e456 100644 --- a/ansible/roles/kolla-ansible/defaults/main.yml +++ b/ansible/roles/kolla-ansible/defaults/main.yml @@ -165,8 +165,8 @@ kolla_enable_tls_external: kolla_enable_tls_internal: kolla_external_fqdn_cert: kolla_internal_fqdn_cert: -kolla_external_fqdn_cacert: -kolla_internal_fqdn_cacert: +kolla_public_openrc_cacert: +kolla_admin_openrc_cacert: ############################# # Ironic options diff --git a/ansible/roles/kolla-ansible/templates/kolla/globals.yml b/ansible/roles/kolla-ansible/templates/kolla/globals.yml index f7c370236..8b0a704d0 100644 --- a/ansible/roles/kolla-ansible/templates/kolla/globals.yml +++ b/ansible/roles/kolla-ansible/templates/kolla/globals.yml @@ -206,8 +206,7 @@ kolla_external_fqdn_cert: "{{ kolla_external_fqdn_cert }}" {% if kolla_internal_tls_cert is not none and kolla_internal_tls_cert | length > 0 %} kolla_internal_fqdn_cert: "{{ kolla_internal_fqdn_cert }}" {% endif %} -kolla_external_fqdn_cacert: "{{ kolla_external_fqdn_cacert }}" -kolla_internal_fqdn_cacert: "{{ kolla_internal_fqdn_cacert }}" +kolla_admin_openrc_cacert: "{{ kolla_admin_openrc_cacert }}" ################ # Region options diff --git a/ansible/roles/kolla-ansible/tests/test-extras.yml b/ansible/roles/kolla-ansible/tests/test-extras.yml index e3d1d6a96..44502c8a2 100644 --- a/ansible/roles/kolla-ansible/tests/test-extras.yml +++ b/ansible/roles/kolla-ansible/tests/test-extras.yml 
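Review bot: In the globals.yml template hunk, `kolla_admin_openrc_cacert` is written unconditionally, while the `kolla_internal_fqdn_cert` line just above it is wrapped in an `{% if ... is not none and ... | length > 0 %}` guard. The role default for the variable is empty, so when no CA path is configured the rendered globals.yml will likely carry an empty `kolla_admin_openrc_cacert`, which takes precedence over whatever default Kolla Ansible would otherwise apply. Consider guarding it the same way, with `{% if kolla_admin_openrc_cacert is not none and kolla_admin_openrc_cacert | length > 0 %}` before the line and `{% endif %}` after it. The expected output in the role's tests would need to cover both the set and the unset case.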
@@ -121,6 +121,7 @@ kolla_internal_fqdn_cert: "{{ temp_path }}/etc/kolla/certificates/internal.pem" kolla_internal_tls_cert: | bogus internal certificate + kolla_admin_openrc_cacert: "{{ temp_path }}/etc/kolla/certificates/ca/foo.crt" kolla_openstack_logging_debug: True grafana_local_admin_user_name: "grafana-admin" kolla_inspector_dhcp_pool_start: "1.2.3.4" @@ -240,6 +241,7 @@ kolla_external_fqdn_cert: "{{ temp_path }}/etc/kolla/certificates/external.pem" kolla_enable_tls_internal: True kolla_internal_fqdn_cert: "{{ temp_path }}/etc/kolla/certificates/internal.pem" + kolla_admin_openrc_cacert: "{{ temp_path }}/etc/kolla/certificates/ca/foo.crt" openstack_logging_debug: True grafana_admin_username: "grafana-admin" ironic_dnsmasq_dhcp_ranges: diff --git a/ansible/roles/public-openrc/templates/public-openrc.sh.j2 b/ansible/roles/public-openrc/templates/public-openrc.sh.j2 index d0356e800..1c2dd179c 100644 --- a/ansible/roles/public-openrc/templates/public-openrc.sh.j2 +++ b/ansible/roles/public-openrc/templates/public-openrc.sh.j2 @@ -11,8 +11,8 @@ export OS_ENDPOINT_TYPE=publicURL export OS_MANILA_ENDPOINT_TYPE=publicURL {% elif "export OS_MISTRAL_ENDPOINT_TYPE" in line %} export OS_MISTRAL_ENDPOINT_TYPE=publicURL -{% elif "export OS_CACERT" in line and kolla_external_fqdn_cacert is not none %} -export OS_CACERT={{ kolla_external_fqdn_cacert }} +{% elif "export OS_CACERT" in line and kolla_public_openrc_cacert is not none %} +export OS_CACERT={{ kolla_public_openrc_cacert }} {% else %} {{ line }} {% endif %} diff --git a/doc/source/configuration/reference/kolla-ansible.rst b/doc/source/configuration/reference/kolla-ansible.rst index 078660018..458f8afb9 100644 --- a/doc/source/configuration/reference/kolla-ansible.rst +++ b/doc/source/configuration/reference/kolla-ansible.rst 
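Review bot: The rendered line `export OS_CACERT={{ kolla_public_openrc_cacert }}` in public-openrc.sh.j2 places the configured path into a shell file unquoted, so a path containing spaces or shell metacharacters would be split or interpreted when the file is sourced. Passing the value through Ansible's `quote` filter keeps it a single literal word: `export OS_CACERT={{ kolla_public_openrc_cacert | quote }}`. The value is operator-supplied configuration, so this is hardening rather than a fix for a known failure. The `{% if %}` chain this `elif` belongs to starts outside the hunk.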
@@ -268,10 +268,6 @@ The following variables affect TLS encryption of the public API. A TLS certificate bundle to use for the public API endpoints, if ``kolla_enable_tls_external`` is ``true``. Note that this should be formatted as a literal style block scalar. -``kolla_external_fqdn_cacert`` - Path to a CA certificate file to use for the ``OS_CACERT`` environment - variable in openrc files when TLS is enabled, instead of Kolla Ansible's - default. The following variables affect TLS encryption of the internal API. Currently this requires all Kolla images to be built with the API's root CA trusted. @@ -282,10 +278,18 @@ this requires all Kolla images to be built with the API's root CA trusted. A TLS certificate bundle to use for the internal API endpoints, if ``kolla_enable_tls_internal`` is ``true``. Note that this should be formatted as a literal style block scalar. -``kolla_internal_fqdn_cacert`` + +The following variables affect the generated ``admin-openrc.sh`` and +``public-openrc.sh`` environment files. + +``kolla_public_openrc_cacert`` Path to a CA certificate file to use for the ``OS_CACERT`` environment - variable in openrc files when TLS is enabled, instead of Kolla Ansible's - default. + variable in the ``public-openrc.sh`` file when TLS is enabled, instead of + ``kolla_admin_openrc_cacert``. +``kolla_admin_openrc_cacert`` + Path to a CA certificate file to use for the ``OS_CACERT`` environment + variable in the ``admin-openrc.sh`` and ``public-openrc.sh`` files when TLS + is enabled, instead of Kolla Ansible's default. Example: enabling TLS for the public API ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ @@ -302,7 +306,7 @@ Here is an example: -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE----- - kolla_external_fqdn_cacert: /path/to/ca/certificate/bundle + kolla_admin_openrc_cacert: /path/to/ca/certificate/bundle Example: enabling TLS for the internal API ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ 
@@ -319,7 +323,7 @@ Here is an example: -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE----- - kolla_internal_fqdn_cacert: /path/to/ca/certificate/bundle + kolla_admin_openrc_cacert: /path/to/ca/certificate/bundle Other certificates ------------------ diff --git a/etc/kayobe/kolla.yml b/etc/kayobe/kolla.yml index 2d975b260..d5acd863c 100644 --- a/etc/kayobe/kolla.yml +++ b/etc/kayobe/kolla.yml @@ -479,7 +479,7 @@ # Path to a CA certificate file to use for the OS_CACERT environment variable # in public-openrc.sh file when TLS is enabled, instead of Kolla-Ansible's # default. -#kolla_external_fqdn_cacert: +#kolla_public_openrc_cacert: # Internal API certificate bundle. # @@ -492,7 +492,7 @@ # Path to a CA certificate file to use for the OS_CACERT environment variable # in admin-openrc.sh file when TLS is enabled, instead of Kolla-Ansible's # default. -#kolla_internal_fqdn_cacert: +#kolla_admin_openrc_cacert: ############################################################################### # Proxy configuration diff --git a/releasenotes/notes/deprecate-fqdn-cacert-301d5a26ed7107ab.yaml b/releasenotes/notes/deprecate-fqdn-cacert-301d5a26ed7107ab.yaml new file mode 100644 index 000000000..d892cac43 --- /dev/null +++ b/releasenotes/notes/deprecate-fqdn-cacert-301d5a26ed7107ab.yaml @@ -0,0 +1,13 @@ +--- +deprecates: + - | + Renames ``kolla_external_fqdn_cacert`` to ``kolla_public_openrc_cacert`` + and ``kolla_internal_fqdn_cacert`` to ``kolla_admin_openrc_cacert``. This + matches the Kolla Ansible variable name and better reflects their purpose. + The old variable names are still supported until the end of the deprecation + period (2024.2 "D" series release or later). +fixes: + - | + Fixes an issue where the Kolla Ansible variable + ``kolla_admin_openrc_cacert`` was not set to the value of + ``kolla_internal_fqdn_cacert``.