From 48f0957a1c9c3ef0cac77642f058fa9cb47fbbc8 Mon Sep 17 00:00:00 2001
From: Mark Goddard <mark@stackhpc.com>
Date: Wed, 17 Mar 2021 09:32:33 +0000
Subject: [PATCH] magnum: Add CA certificate configuration for internal TLS

Magnum has various sections in its configuration file for OpenStack
clients. When internal TLS is enabled, these may need a CA certificate
to be specified.

This change adds a CA certificate configuration, based on
openstack_cacert, for all clients using internal endpoints.

Note: we are explicitly not adding the configuration for the
[magnum_client] ca_file and [drivers] openstack_ca_file options, since
these use the public endpoint by default. These options may be
provided via custom configuration if necessary.

Change-Id: Ie59b3777c0a2c142b580addd67e279bc4b2f2c90
Co-Authored-By: Kyle Dean
Closes-Bug: #1919389
---
 ansible/roles/magnum/templates/magnum.conf.j2             | 8 ++++++++
 .../notes/fix-magnum-tls-cacert-dd5ab5729391beb2.yaml     | 5 +++++
 2 files changed, 13 insertions(+)
 create mode 100644 releasenotes/notes/fix-magnum-tls-cacert-dd5ab5729391beb2.yaml

diff --git a/ansible/roles/magnum/templates/magnum.conf.j2 b/ansible/roles/magnum/templates/magnum.conf.j2
index 06f08c2980..862c2e6842 100644
--- a/ansible/roles/magnum/templates/magnum.conf.j2
+++ b/ansible/roles/magnum/templates/magnum.conf.j2
@@ -32,30 +32,37 @@ endpoint_type = publicURL
 [heat_client]
 region_name = {{ openstack_region_name }}
 endpoint_type = internalURL
+ca_file = {{ openstack_cacert }}
 
 [octavia_client]
 region_name = {{ openstack_region_name }}
 endpoint_type = internalURL
+ca_file = {{ openstack_cacert }}
 
 [cinder_client]
 region_name = {{ openstack_region_name }}
 endpoint_type = internalURL
+ca_file = {{ openstack_cacert }}
 
 [barbican_client]
 region_name = {{ openstack_region_name }}
 endpoint_type = internalURL
+ca_file = {{ openstack_cacert }}
 
 [glance_client]
 region_name = {{ openstack_region_name }}
 endpoint_type = internalURL
+ca_file = {{ openstack_cacert }}
 
 [neutron_client]
 region_name = {{ openstack_region_name }}
 endpoint_type = internalURL
+ca_file = {{ openstack_cacert }}
 
 [nova_client]
 region_name = {{ openstack_region_name }}
 endpoint_type = internalURL
+ca_file = {{ openstack_cacert }}
 
 [keystone_auth]
 auth_url = {{ keystone_internal_url }}/v3
@@ -78,6 +85,7 @@ user_domain_name = {{ default_user_domain_name }}
 project_name = service
 username = {{ magnum_keystone_user }}
 password = {{ magnum_keystone_password }}
+cafile = {{ openstack_cacert }}
 region_name = {{ openstack_region_name }}
 
 memcache_security_strategy = ENCRYPT
diff --git a/releasenotes/notes/fix-magnum-tls-cacert-dd5ab5729391beb2.yaml b/releasenotes/notes/fix-magnum-tls-cacert-dd5ab5729391beb2.yaml
new file mode 100644
index 0000000000..a4e5cf2aa4
--- /dev/null
+++ b/releasenotes/notes/fix-magnum-tls-cacert-dd5ab5729391beb2.yaml
@@ -0,0 +1,5 @@
+---
+fixes:
+  - |
+    Fixes an issue with Magnum when TLS is enabled. `LP#781062
+    <https://review.opendev.org/c/openstack/kolla-ansible/+/781062>`__