openstack/kolla-ansible
Code Issues Proposed changes

magnum: Add CA certificate configuration for internal TLS

Browse Source 
Magnum has various sections in its configuration file for OpenStack
clients. When internal TLS is enabled, these may need a CA certificate
to be specified.

This change adds a CA certificate configuration, based on
openstack_cacert, for all clients using internal endpoints.

Note: we are explicitly not adding the configuration for the
[magnum_client] ca_file and [drivers] openstack_ca_file options, since
these use the public endpoint by default. These options may be
provided via custom configuration if necessary.

Change-Id: Ie59b3777c0a2c142b580addd67e279bc4b2f2c90
Co-Authored-By: Kyle Dean
Closes-Bug: #1919389
This commit is contained in:
Mark Goddard 2021-03-17 09:32:33 +00:00
parent 46e4f5a33a
commit 48f0957a1c
2 changed files with 13 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
ansible/roles/magnum/templates/magnum.conf.j2
View File

@ -32,30 +32,37 @@ endpoint_type = publicURL
[heat_client] [heat_client]
region_name = {{ openstack_region_name }} region_name = {{ openstack_region_name }}
endpoint_type = internalURL endpoint_type = internalURL
ca_file = {{ openstack_cacert }}
[octavia_client] [octavia_client]
region_name = {{ openstack_region_name }} region_name = {{ openstack_region_name }}
endpoint_type = internalURL endpoint_type = internalURL
ca_file = {{ openstack_cacert }}
[cinder_client] [cinder_client]
region_name = {{ openstack_region_name }} region_name = {{ openstack_region_name }}
endpoint_type = internalURL endpoint_type = internalURL
ca_file = {{ openstack_cacert }}
[barbican_client] [barbican_client]
region_name = {{ openstack_region_name }} region_name = {{ openstack_region_name }}
endpoint_type = internalURL endpoint_type = internalURL
ca_file = {{ openstack_cacert }}
[glance_client] [glance_client]
region_name = {{ openstack_region_name }} region_name = {{ openstack_region_name }}
endpoint_type = internalURL endpoint_type = internalURL
ca_file = {{ openstack_cacert }}
[neutron_client] [neutron_client]
region_name = {{ openstack_region_name }} region_name = {{ openstack_region_name }}
endpoint_type = internalURL endpoint_type = internalURL
ca_file = {{ openstack_cacert }}
[nova_client] [nova_client]
region_name = {{ openstack_region_name }} region_name = {{ openstack_region_name }}
endpoint_type = internalURL endpoint_type = internalURL
ca_file = {{ openstack_cacert }}
[keystone_auth] [keystone_auth]
auth_url = {{ keystone_internal_url }}/v3 auth_url = {{ keystone_internal_url }}/v3
@ -78,6 +85,7 @@ user_domain_name = {{ default_user_domain_name }}
project_name = service project_name = service
username = {{ magnum_keystone_user }} username = {{ magnum_keystone_user }}
password = {{ magnum_keystone_password }} password = {{ magnum_keystone_password }}
cafile = {{ openstack_cacert }}
region_name = {{ openstack_region_name }} region_name = {{ openstack_region_name }}
memcache_security_strategy = ENCRYPT memcache_security_strategy = ENCRYPT

5
releasenotes/notes/fix-magnum-tls-cacert-dd5ab5729391beb2.yaml Normal file
View File

@ -0,0 +1,5 @@
---
fixes:
- |
Fixes an issue with Magnum when TLS is enabled. `LP#781062
<https://review.opendev.org/c/openstack/kolla-ansible/+/781062>`__