From 31f3f848597b7d26b67881ff1ff3794f334aa24a Mon Sep 17 00:00:00 2001
From: Mark Goddard <mark@stackhpc.com>
Date: Fri, 19 Jun 2020 12:49:07 +0000
Subject: [PATCH] Support CA certificate for fluentd & Elasticsearch

Currently there is no way to configure a CA certificate bundle file for
fluentd to Elasticsearch communication. This change adds a new variable,
'fluentd_elasticsearch_cacert' with a default value set to the value of
'openstack_cacert'.

Closes-Bug: #1885109

Change-Id: I5bbf55a4dd4ccce9fa2635cee720139c088268e3
---
 ansible/roles/common/defaults/main.yml                    | 1 +
 .../roles/common/templates/conf/output/00-local.conf.j2   | 6 ++++++
 ansible/roles/common/templates/conf/output/01-es.conf.j2  | 3 +++
 .../fluentd-elasticsearch-cacert-0e8824dd57052913.yaml    | 8 ++++++++
 4 files changed, 18 insertions(+)
 create mode 100644 releasenotes/notes/fluentd-elasticsearch-cacert-0e8824dd57052913.yaml

diff --git a/ansible/roles/common/defaults/main.yml b/ansible/roles/common/defaults/main.yml
index 9da9cc5b49..f50c325ec3 100644
--- a/ansible/roles/common/defaults/main.yml
+++ b/ansible/roles/common/defaults/main.yml
@@ -47,6 +47,7 @@ fluentd_elasticsearch_user: ""
 fluentd_elasticsearch_password: ""
 fluentd_elasticsearch_ssl_version: "TLSv1_2"
 fluentd_elasticsearch_ssl_verify: "true"
+fluentd_elasticsearch_cacert: "{{ openstack_cacert }}"
 
 ####################
 # Docker
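Review bot: The new `fluentd_elasticsearch_cacert` default carries no comment, so a reader of this file cannot tell whether the path is meant to be resolved on the host or inside the fluentd container, nor that an empty value simply omits the directive. Suggest an inline comment above the line: `# Path to the CA bundle fluentd uses to verify the Elasticsearch server certificate (rendered as ca_file; empty omits it). Inherits the deployment-wide openstack_cacert.` It is presumably only meaningful when `fluentd_elasticsearch_scheme` is https and `fluentd_elasticsearch_ssl_verify` is "true", which is worth stating alongside those two variables.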
diff --git a/ansible/roles/common/templates/conf/output/00-local.conf.j2 b/ansible/roles/common/templates/conf/output/00-local.conf.j2
index 2a826bc648..6d053513ee 100644
--- a/ansible/roles/common/templates/conf/output/00-local.conf.j2
+++ b/ansible/roles/common/templates/conf/output/00-local.conf.j2
@@ -21,6 +21,9 @@
 {% if fluentd_elasticsearch_scheme == 'https' %}
        ssl_version {{ fluentd_elasticsearch_ssl_version }}
        ssl_verify {{ fluentd_elasticsearch_ssl_verify }}
+{% if fluentd_elasticsearch_cacert | length > 0 %}
+       ca_file {{ fluentd_elasticsearch_cacert }}
+{% endif %}
 {% endif %}
 {% if fluentd_elasticsearch_user != '' and fluentd_elasticsearch_password != ''%}
        user {{ fluentd_elasticsearch_user }}
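Review bot: `ca_file` is rendered with the raw value of `fluentd_elasticsearch_cacert`, but nothing in this commit shows the bundle being bind-mounted or copied to that path inside the fluentd container; if `openstack_cacert` is a host-side path, fluentd would likely be unable to open the file and Elasticsearch output would fail verification. Please confirm the value is the in-container path (or that the role already makes the bundle available there) and record that contract in a template comment, e.g. `{# ca_file must be a path visible inside the fluentd container #}`. The identical block is added in this file's second hunk (`@@ -78,6 +81,9 @@`) and in 01-es.conf.j2; this note covers all three. The enclosing output `<match>`/`<store>` block starts and ends outside the hunk.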
@@ -78,6 +81,9 @@
 {% if fluentd_elasticsearch_scheme == 'https' %}
        ssl_version {{ fluentd_elasticsearch_ssl_version }}
        ssl_verify {{ fluentd_elasticsearch_ssl_verify }}
+{% if fluentd_elasticsearch_cacert | length > 0 %}
+       ca_file {{ fluentd_elasticsearch_cacert }}
+{% endif %}
 {% endif %}
 {% if fluentd_elasticsearch_user != '' and fluentd_elasticsearch_password != ''%}
        user {{ fluentd_elasticsearch_user }}
diff --git a/ansible/roles/common/templates/conf/output/01-es.conf.j2 b/ansible/roles/common/templates/conf/output/01-es.conf.j2
index 38500e8e94..c586938668 100644
--- a/ansible/roles/common/templates/conf/output/01-es.conf.j2
+++ b/ansible/roles/common/templates/conf/output/01-es.conf.j2
@@ -11,6 +11,9 @@
 {% if fluentd_elasticsearch_scheme == 'https' %}
        ssl_version {{ fluentd_elasticsearch_ssl_version }}
        ssl_verify {{ fluentd_elasticsearch_ssl_verify }}
+{% if fluentd_elasticsearch_cacert | length > 0 %}
+       ca_file {{ fluentd_elasticsearch_cacert }}
+{% endif %}
 {% endif %}
 {% if fluentd_elasticsearch_user != '' and fluentd_elasticsearch_password != ''%}
        user {{ fluentd_elasticsearch_user }}
diff --git a/releasenotes/notes/fluentd-elasticsearch-cacert-0e8824dd57052913.yaml b/releasenotes/notes/fluentd-elasticsearch-cacert-0e8824dd57052913.yaml
new file mode 100644
index 0000000000..61e014daf5
--- /dev/null
+++ b/releasenotes/notes/fluentd-elasticsearch-cacert-0e8824dd57052913.yaml
@@ -0,0 +1,8 @@
+---
+fixes:
+  - |
+    Adds a new variable ``fluentd_elasticsearch_cacert``, which defaults to the
+    value of ``openstack_cacert``. If set, this will be used to set the path of
+    the CA certificate bundle used by Fluentd when communicating with
+    Elasticsearch. `LP#1885109
+    <https://bugs.launchpad.net/kolla-ansible/+bug/1885109>`__