Merge "Replace internal and external VIP CA with root CA"

ansible/group_vars/all.yml

@@ -763,8 +763,7 @@ kolla_enable_tls_external: "{{ kolla_enable_tls_internal if kolla_same_external_
 kolla_certificates_dir: "{{ node_config }}/certificates"
 kolla_external_fqdn_cert: "{{ kolla_certificates_dir }}/haproxy.pem"
 kolla_internal_fqdn_cert: "{{ kolla_certificates_dir }}/haproxy-internal.pem"
-kolla_external_fqdn_cacert: "{{ kolla_certificates_dir }}/ca/haproxy.crt"
+kolla_admin_openrc_cacert: ""
-kolla_internal_fqdn_cacert: "{{ kolla_certificates_dir }}/ca/haproxy-internal.crt"
 kolla_copy_ca_into_containers: "no"
 kolla_verify_tls_backend: "yes"
 haproxy_backend_cacert: "{{ 'ca-certificates.crt' if kolla_base_distro in ['debian', 'ubuntu'] else 'ca-bundle.trust.crt' }}"

ansible/roles/certificates/tasks/generate.yml

@@ -64,12 +64,6 @@
         src: "{{ external_dir }}"
         dest: "{{ kolla_external_fqdn_cert }}"
         mode: "0660"
-
-    - name: Creating external CA Certificate File
-      copy:
-        src: "{{ root_dir }}/root.crt"
-        dest: "{{ kolla_external_fqdn_cacert }}"
-        mode: "0660"
   when:
     - kolla_enable_tls_external | bool
 
@@ -80,13 +74,6 @@
         dest: "{{ kolla_internal_fqdn_cert }}"
         remote_src: yes
         mode: "0660"
-
-    - name: Copy the external CA Certificate file to be the internal when internal + external are same network
-      copy:
-        src: "{{ kolla_external_fqdn_cacert }}"
-        dest: "{{ kolla_internal_fqdn_cacert }}"
-        remote_src: yes
-        mode: "0660"
   when:
     - kolla_enable_tls_external | bool
     - kolla_enable_tls_internal | bool
@@ -139,12 +126,6 @@
         mode: "0660"
         state: file
 
-    - name: Creating internal CA Certificate File
-      copy:
-        src: "{{ root_dir }}/root.crt"
-        dest: "{{ kolla_internal_fqdn_cacert }}"
-        mode: "0660"
-
     - name: Creating internal Server PEM File
       assemble:
         regexp: '.*[crt|key]'

ansible/roles/common/templates/admin-openrc.sh.j2

@@ -18,8 +18,6 @@ export OS_MISTRAL_ENDPOINT_TYPE=internalURL
 export OS_IDENTITY_API_VERSION=3
 export OS_REGION_NAME={{ openstack_region_name }}
 export OS_AUTH_PLUGIN=password
-{% if kolla_enable_tls_internal | bool and kolla_internal_fqdn_cacert %}
+{% if kolla_admin_openrc_cacert is not none and kolla_admin_openrc_cacert | length > 0 %}
-export OS_CACERT={{ kolla_internal_fqdn_cacert }}
+export OS_CACERT={{ kolla_admin_openrc_cacert }}
-{% elif  kolla_enable_tls_external | bool and kolla_external_fqdn_cacert %}
-export OS_CACERT={{ kolla_external_fqdn_cacert }}
 {% endif %}

etc/kolla/globals.yml

@@ -189,8 +189,7 @@
 #kolla_certificates_dir: "{{ node_config }}/certificates"
 #kolla_external_fqdn_cert: "{{ kolla_certificates_dir }}/haproxy.pem"
 #kolla_internal_fqdn_cert: "{{ kolla_certificates_dir }}/haproxy-internal.pem"
-#kolla_external_fqdn_cacert: "{{ kolla_certificates_dir }}/ca/haproxy.crt"
+#kolla_admin_openrc_cacert: ""
-#kolla_internal_fqdn_cacert: "{{ kolla_certificates_dir }}/ca/haproxy-internal.crt"
 #kolla_copy_ca_into_containers: "no"
 #kolla_verify_tls_backend: "yes"
 #haproxy_backend_cacert: "{{ 'ca-certificates.crt' if kolla_base_distro in ['debian', 'ubuntu'] else 'ca-bundle.trust.crt' }}"

releasenotes/notes/generate-self-signed-root-ca-bc523acab7290cfe.yaml

@@ -9,3 +9,9 @@ features:
     certificates and signs them using the root CA. If backend TLS is enabled,
     the command will generate the backend certificate and sign it with the
     root CA.
+upgrade:
+  - |
+    Replaced ``kolla_external_fqdn_cacert`` and ``kolla_internal_fqdn_cacert``
+    with ``kolla_admin_openrc_cacert``, which by default is not set.
+    ``OS_CACERT`` is now set to the value of ``kolla_admin_openrc_cacert`` in
+    the generated ``admin-openrc.sh`` file.

tests/templates/globals-default.j2

@@ -127,6 +127,7 @@ openstack_cacert: "/etc/ssl/certs/ca-certificates.crt"
 {% if base_distro == "centos" %}
 openstack_cacert: "/etc/pki/tls/certs/ca-bundle.crt"
 {% endif %}
+kolla_admin_openrc_cacert: "{% raw %}{{ kolla_certificates_dir }}{% endraw %}/ca/root.crt"
 {% endif %}
 
 {% if scenario == 'linuxbridge' %}