From 9223deeecd5a6c6efa238463962ea8604d4ce103 Mon Sep 17 00:00:00 2001
From: caoyuan <cao.yuan@99cloud.net>
Date: Tue, 20 Mar 2018 20:31:24 +0800
Subject: [PATCH] Use correct variable for default certificate paths

The variable {{ node_config_directory }} is used for the configuration
directory on the remote hosts, and should not be used for paths on the
deploy host (localhost).

This changes the default values of the TLS certificate and CA file paths
to reference {{ CONFIG_DIR }}, in line with the directory used for
admin-openrc.sh (as of I0709482ead4b7a67e82796e17f85bde151e71bc0).

This change also introduces a variable, {{ node_config }}, that
references {{ CONFIG_DIR | default('/etc/kolla') }}, to remove
duplication.

Change-Id: Ibd82ac78630ebfff5824c329d7399e1e900c0ee0
Closes-Bug: #1804025
---
 ansible/group_vars/all.yml                    |  7 ++++--
 ansible/post-deploy.yml                       |  2 +-
 ansible/roles/certificates/defaults/main.yml  |  3 +++
 ansible/roles/certificates/tasks/generate.yml | 24 +++++++++----------
 ansible/roles/keystone/tasks/precheck.yml     |  2 +-
 .../roles/prechecks/tasks/service_checks.yml  |  2 +-
 doc/source/admin/advanced-configuration.rst   |  2 +-
 etc/kolla/globals.yml                         |  2 +-
 .../notes/cert-path-65943386e62f1a8c.yaml     |  9 +++++++
 9 files changed, 33 insertions(+), 20 deletions(-)
 create mode 100644 ansible/roles/certificates/defaults/main.yml
 create mode 100644 releasenotes/notes/cert-path-65943386e62f1a8c.yaml

diff --git a/ansible/group_vars/all.yml b/ansible/group_vars/all.yml
index c6c94284b5..f6dd7c3628 100644
--- a/ansible/group_vars/all.yml
+++ b/ansible/group_vars/all.yml
@@ -6,6 +6,9 @@
 # again. Persistent files allow for idempotency
 container_config_directory: "/var/lib/kolla/config_files"
 
+# The directory on the deploy host containing globals.yml.
+node_config: "{{ CONFIG_DIR | default('/etc/kolla') }}"
+
 # The directory to merge custom config files the kolla's config files
 node_custom_config: "/etc/kolla/config"
 
@@ -621,8 +624,8 @@ qdrouterd_user: "openstack"
 haproxy_user: "openstack"
 haproxy_enable_external_vip: "{{ 'no' if kolla_external_vip_address == kolla_internal_vip_address else 'yes' }}"
 kolla_enable_tls_external: "no"
-kolla_external_fqdn_cert: "{{ node_config_directory }}/certificates/haproxy.pem"
-kolla_external_fqdn_cacert: "{{ node_config_directory }}/certificates/haproxy-ca.crt"
+kolla_external_fqdn_cert: "{{ node_config }}/certificates/haproxy.pem"
+kolla_external_fqdn_cacert: "{{ node_config }}/certificates/haproxy-ca.crt"
 
 
 ####################
diff --git a/ansible/post-deploy.yml b/ansible/post-deploy.yml
index 2e1f9ef97d..ae95aabcb6 100644
--- a/ansible/post-deploy.yml
+++ b/ansible/post-deploy.yml
@@ -5,5 +5,5 @@
   tasks:
     - template:
         src: "roles/common/templates/admin-openrc.sh.j2"
-        dest: "{{ CONFIG_DIR | default('/etc/kolla') }}/admin-openrc.sh"
+        dest: "{{ node_config }}/admin-openrc.sh"
       run_once: True
diff --git a/ansible/roles/certificates/defaults/main.yml b/ansible/roles/certificates/defaults/main.yml
new file mode 100644
index 0000000000..a741e6a32a
--- /dev/null
+++ b/ansible/roles/certificates/defaults/main.yml
@@ -0,0 +1,3 @@
+---
+# Directory on deploy node (localhost) in which certificates are generated.
+certificates_dir: "{{ node_config }}/certificates"
diff --git a/ansible/roles/certificates/tasks/generate.yml b/ansible/roles/certificates/tasks/generate.yml
index 3ca4809d3f..0e7db0c5a9 100644
--- a/ansible/roles/certificates/tasks/generate.yml
+++ b/ansible/roles/certificates/tasks/generate.yml
@@ -2,17 +2,15 @@
 - name: Ensuring config directories exist
   become: true
   file:
-    path: "{{ node_config_directory }}/{{ item }}"
+    path: "{{ certificates_dir }}/private"
     state: "directory"
     recurse: yes
-  with_items:
-    - "certificates/private"
 
 - name: Creating SSL configuration file
   become: true
   template:
     src: "{{ item }}.j2"
-    dest: "{{ node_config_directory }}/certificates/{{ item }}"
+    dest: "{{ certificates_dir }}/{{ item }}"
   with_items:
     - "openssl-kolla.cnf"
 
@@ -20,12 +18,12 @@
   become: true
   command: creates="{{ item }}" openssl genrsa -out {{ item }}
   with_items:
-    - "{{ node_config_directory }}/certificates/private/haproxy.key"
+    - "{{ certificates_dir }}/private/haproxy.key"
 
 - name: Setting permissions on key
   become: true
   file:
-    path: "{{ node_config_directory }}/certificates/private/haproxy.key"
+    path: "{{ certificates_dir }}/certificates/private/haproxy.key"
     mode: 0600
     state: file
 
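Review bot: The key-permissions task targets the wrong path: `path: "{{ certificates_dir }}/certificates/private/haproxy.key"` expands to `.../certificates/certificates/private/haproxy.key`, while the genrsa task just above writes the key to `{{ certificates_dir }}/private/haproxy.key`. Because the task uses `state: file`, the file module fails on a non-existent path, so the play stops here and the private key is never narrowed to mode 0600 from whatever mode genrsa created it with. The line should read `path: "{{ certificates_dir }}/private/haproxy.key"`, matching every other replacement in this file. The genrsa task's `- name:` line lies outside the hunk.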
@@ -33,23 +31,23 @@
   become: true
   command: creates="{{ item }}" openssl req -new -nodes -sha256 -x509 \
     -subj "/C=US/ST=NC/L=RTP/O=kolla/CN={{ kolla_external_fqdn }}" \
-    -config {{ node_config_directory }}/certificates/openssl-kolla.cnf \
+    -config {{ certificates_dir }}/openssl-kolla.cnf \
     -days 3650 \
     -extensions v3_req \
-    -key {{ node_config_directory }}/certificates/private/haproxy.key \
+    -key {{ certificates_dir }}/private/haproxy.key \
     -out {{ item }}
   with_items:
-    - "{{ node_config_directory }}/certificates/private/haproxy.crt"
+    - "{{ certificates_dir }}/private/haproxy.crt"
 
 - name: Creating CA Certificate File
   become: true
   copy:
-    src: "{{ node_config_directory }}/certificates/private/haproxy.crt"
-    dest: "{{ node_config_directory }}/certificates/haproxy-ca.crt"
+    src: "{{ certificates_dir }}/private/haproxy.crt"
+    dest: "{{ kolla_external_fqdn_cacert }}"
 
 - name: Creating Server PEM File
   become: true
   assemble:
-    src: "{{ node_config_directory }}/certificates/private"
-    dest: "{{ node_config_directory }}/certificates/haproxy.pem"
+    src: "{{ certificates_dir }}/private"
+    dest: "{{ kolla_external_fqdn_cert }}"
     mode: 0600
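Review bot: The copy and assemble tasks now write the generated self-signed CA and PEM straight to `{{ kolla_external_fqdn_cacert }}` and `{{ kolla_external_fqdn_cert }}`, so if an operator has pointed those variables at a certificate of their own (the `mycert.pem` example in advanced-configuration.rst) a later `kolla-ansible certificates` run overwrites it; the removed lines show the generated files previously always landed on fixed names under the certificates directory. Unless clobbering the configured path is intended, keep fixed destinations that coincide with the new defaults, `dest: "{{ certificates_dir }}/haproxy-ca.crt"` and `dest: "{{ certificates_dir }}/haproxy.pem"`, and let the variables merely point at them. The CA copy also sets no `mode` while the assembled PEM, which contains the private key, is 0600; that asymmetry is reasonable for a public certificate but deserves a one-line comment saying so. The `- name:` line of the openssl req task at the top of this hunk lies outside it.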
diff --git a/ansible/roles/keystone/tasks/precheck.yml b/ansible/roles/keystone/tasks/precheck.yml
index 3df21a2d4e..53c268c793 100644
--- a/ansible/roles/keystone/tasks/precheck.yml
+++ b/ansible/roles/keystone/tasks/precheck.yml
@@ -44,7 +44,7 @@
 
 - name: Checking fernet_token_expiry in globals.yml. Update fernet_token_expiry to allowed value if this task fails
   run_once: true
-  local_action: command awk '/^fernet_token_expiry/ { print $2 }' "{{ CONFIG_DIR | default('/etc/kolla') }}/globals.yml"
+  local_action: command awk '/^fernet_token_expiry/ { print $2 }' "{{ node_config }}/globals.yml"
   register: result
   changed_when: false
   failed_when: result.stdout | regex_replace('(60|120|180|240|300|360|600|720|900|1200|1800|3600|7200|10800|14400|21600|28800|43200|86400|604800)', '') | search(".+")
diff --git a/ansible/roles/prechecks/tasks/service_checks.yml b/ansible/roles/prechecks/tasks/service_checks.yml
index d40d13b8da..e671ea4e2c 100644
--- a/ansible/roles/prechecks/tasks/service_checks.yml
+++ b/ansible/roles/prechecks/tasks/service_checks.yml
@@ -11,7 +11,7 @@
 # will pass, but only because nothing in the vault file has the format of a
 # YAML dict item.
 - name: Checking empty passwords in passwords.yml. Run kolla-genpwd if this task fails
-  local_action: command grep '^[^#].*:\s*$' "{{ CONFIG_DIR | default('/etc/kolla') }}/passwords.yml"
+  local_action: command grep '^[^#].*:\s*$' "{{ node_config }}/passwords.yml"
   run_once: True
   register: result
   changed_when: false
diff --git a/doc/source/admin/advanced-configuration.rst b/doc/source/admin/advanced-configuration.rst
index 501b2d8605..13d327fc99 100644
--- a/doc/source/admin/advanced-configuration.rst
+++ b/doc/source/admin/advanced-configuration.rst
@@ -92,7 +92,7 @@ The default for TLS is disabled, to enable TLS networking:
 .. code-block:: yaml
 
    kolla_enable_tls_external: "yes"
-   kolla_external_fqdn_cert: "{{ node_config_directory }}/certificates/mycert.pem"
+   kolla_external_fqdn_cert: "{{ node_config }}/certificates/mycert.pem"
 
 .. note::
 
diff --git a/etc/kolla/globals.yml b/etc/kolla/globals.yml
index 8244143758..16e4ee7cc2 100644
--- a/etc/kolla/globals.yml
+++ b/etc/kolla/globals.yml
@@ -151,7 +151,7 @@ kolla_internal_vip_address: "10.10.10.254"
 # TLS can be enabled.  When TLS is enabled, certificates must be provided to
 # allow clients to perform authentication.
 #kolla_enable_tls_external: "no"
-#kolla_external_fqdn_cert: "{{ node_config_directory }}/certificates/haproxy.pem"
+#kolla_external_fqdn_cert: "{{ node_config }}/certificates/haproxy.pem"
 
 
 ##############
diff --git a/releasenotes/notes/cert-path-65943386e62f1a8c.yaml b/releasenotes/notes/cert-path-65943386e62f1a8c.yaml
new file mode 100644
index 0000000000..033e74c46a
--- /dev/null
+++ b/releasenotes/notes/cert-path-65943386e62f1a8c.yaml
@@ -0,0 +1,9 @@
+---
+upgrade:
+  - |
+    Changes the default path for certificates generated via ``kolla-ansible
+    certificates`` from ``{[ node_config_directory }}/certificates`` to
+    ``{{ node_config }}``.  ``{{ node_config }}`` is the directory containing
+    ``globals.yml``, which by default is ``/etc/kolla/``. This makes
+    certificates consistent with other locally generated files, such as
+    ``admin-openrc.sh``.