Fix setting kolla_admin_openrc_cacert

Kolla Ansible renamed kolla_internal_fqdn_cacert to
kolla_admin_openrc_cacert in Victoria, after which we no longer set the
variable correctly in globals.yml. This would lead to a missing
OS_CACERT in admin-openrc.sh and public-openrc.sh.

This change fixes the issue by renaming the relevant Kayobe variables to
match and passing through the correct variable. Backwards compatibility
is provided until the end of the deprecation period.

kolla_public_openrc_cacert -> kolla_external_fqdn_cacert
kolla_admin_openrc_cacert -> kolla_internal_fqdn_cacert

Story: 2010486
Task: 47054

Change-Id: I9e1cc20579cf80525d6ef732a1aac99a65bc171b
Co-Authored-By: Maksim Malchuk <maksim.malchuk@gmail.com>

ansible/inventory/group_vars/all/kolla

@@ -628,7 +628,7 @@ kolla_external_tls_cert:
 # Path to a CA certificate file to use for the OS_CACERT environment variable
 # in public-openrc.sh file when TLS is enabled, instead of Kolla-Ansible's
 # default.
-kolla_external_fqdn_cacert:
+kolla_public_openrc_cacert: "{{ kolla_external_fqdn_cacert | default }}"
 
 # Internal API certificate bundle.
 #
@@ -641,7 +641,7 @@ kolla_internal_tls_cert:
 # Path to a CA certificate file to use for the OS_CACERT environment variable
 # in admin-openrc.sh file when TLS is enabled, instead of Kolla-Ansible's
 # default.
-kolla_internal_fqdn_cacert:
+kolla_admin_openrc_cacert: "{{ kolla_internal_fqdn_cacert | default }}"
 
 ###############################################################################
 # Proxy configuration

ansible/roles/kolla-ansible/defaults/main.yml

@@ -165,8 +165,8 @@ kolla_enable_tls_external:
 kolla_enable_tls_internal:
 kolla_external_fqdn_cert:
 kolla_internal_fqdn_cert:
-kolla_external_fqdn_cacert:
-kolla_internal_fqdn_cacert:
+kolla_public_openrc_cacert:
+kolla_admin_openrc_cacert:
 
 #############################
 # Ironic options

ansible/roles/kolla-ansible/templates/kolla/globals.yml

@@ -206,8 +206,7 @@ kolla_external_fqdn_cert: "{{ kolla_external_fqdn_cert }}"
 {% if kolla_internal_tls_cert is not none and kolla_internal_tls_cert | length > 0 %}
 kolla_internal_fqdn_cert: "{{ kolla_internal_fqdn_cert }}"
 {% endif %}
-kolla_external_fqdn_cacert: "{{ kolla_external_fqdn_cacert }}"
-kolla_internal_fqdn_cacert: "{{ kolla_internal_fqdn_cacert }}"
+kolla_admin_openrc_cacert: "{{ kolla_admin_openrc_cacert }}"
 
 ################
 # Region options

ansible/roles/kolla-ansible/tests/test-extras.yml

@@ -121,6 +121,7 @@
             kolla_internal_fqdn_cert: "{{ temp_path }}/etc/kolla/certificates/internal.pem"
             kolla_internal_tls_cert: |
               bogus internal certificate
+            kolla_admin_openrc_cacert: "{{ temp_path }}/etc/kolla/certificates/ca/foo.crt"
             kolla_openstack_logging_debug: True
             grafana_local_admin_user_name: "grafana-admin"
             kolla_inspector_dhcp_pool_start: "1.2.3.4"
@@ -240,6 +241,7 @@
               kolla_external_fqdn_cert: "{{ temp_path }}/etc/kolla/certificates/external.pem"
               kolla_enable_tls_internal: True
               kolla_internal_fqdn_cert: "{{ temp_path }}/etc/kolla/certificates/internal.pem"
+              kolla_admin_openrc_cacert: "{{ temp_path }}/etc/kolla/certificates/ca/foo.crt"
               openstack_logging_debug: True
               grafana_admin_username: "grafana-admin"
               ironic_dnsmasq_dhcp_ranges:

ansible/roles/public-openrc/templates/public-openrc.sh.j2

@@ -11,8 +11,8 @@ export OS_ENDPOINT_TYPE=publicURL
 export OS_MANILA_ENDPOINT_TYPE=publicURL
 {% elif "export OS_MISTRAL_ENDPOINT_TYPE" in line %}
 export OS_MISTRAL_ENDPOINT_TYPE=publicURL
-{% elif "export OS_CACERT" in line and kolla_external_fqdn_cacert is not none %}
-export OS_CACERT={{ kolla_external_fqdn_cacert }}
+{% elif "export OS_CACERT" in line and kolla_public_openrc_cacert is not none %}
+export OS_CACERT={{ kolla_public_openrc_cacert }}
 {% else %}
 {{ line }}
 {% endif %}

doc/source/configuration/reference/kolla-ansible.rst

@@ -268,10 +268,6 @@ The following variables affect TLS encryption of the public API.
     A TLS certificate bundle to use for the public API endpoints, if
     ``kolla_enable_tls_external`` is ``true``.  Note that this should be
     formatted as a literal style block scalar.
-``kolla_external_fqdn_cacert``
-    Path to a CA certificate file to use for the ``OS_CACERT`` environment
-    variable in openrc files when TLS is enabled, instead of Kolla Ansible's
-    default.
 
 The following variables affect TLS encryption of the internal API. Currently
 this requires all Kolla images to be built with the API's root CA trusted.
@@ -282,10 +278,18 @@ this requires all Kolla images to be built with the API's root CA trusted.
     A TLS certificate bundle to use for the internal API endpoints, if
     ``kolla_enable_tls_internal`` is ``true``.  Note that this should be
     formatted as a literal style block scalar.
-``kolla_internal_fqdn_cacert``
+
+The following variables affect the generated ``admin-openrc.sh`` and
+``public-openrc.sh`` environment files.
+
+``kolla_public_openrc_cacert``
     Path to a CA certificate file to use for the ``OS_CACERT`` environment
-    variable in openrc files when TLS is enabled, instead of Kolla Ansible's
-    default.
+    variable in the ``public-openrc.sh`` file when TLS is enabled, instead of
+    ``kolla_admin_openrc_cacert``.
+``kolla_admin_openrc_cacert``
+    Path to a CA certificate file to use for the ``OS_CACERT`` environment
+    variable in the ``admin-openrc.sh`` and ``public-openrc.sh`` files when TLS
+    is enabled, instead of Kolla Ansible's default.
 
 Example: enabling TLS for the public API
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
@@ -302,7 +306,7 @@ Here is an example:
      -----BEGIN CERTIFICATE-----
      ...
      -----END CERTIFICATE-----
-   kolla_external_fqdn_cacert: /path/to/ca/certificate/bundle
+   kolla_admin_openrc_cacert: /path/to/ca/certificate/bundle
 
 Example: enabling TLS for the internal API
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
@@ -319,7 +323,7 @@ Here is an example:
      -----BEGIN CERTIFICATE-----
      ...
      -----END CERTIFICATE-----
-   kolla_internal_fqdn_cacert: /path/to/ca/certificate/bundle
+   kolla_admin_openrc_cacert: /path/to/ca/certificate/bundle
 
 Other certificates
 ------------------

etc/kayobe/kolla.yml

@@ -479,7 +479,7 @@
 # Path to a CA certificate file to use for the OS_CACERT environment variable
 # in public-openrc.sh file when TLS is enabled, instead of Kolla-Ansible's
 # default.
-#kolla_external_fqdn_cacert:
+#kolla_public_openrc_cacert:
 
 # Internal API certificate bundle.
 #
@@ -492,7 +492,7 @@
 # Path to a CA certificate file to use for the OS_CACERT environment variable
 # in admin-openrc.sh file when TLS is enabled, instead of Kolla-Ansible's
 # default.
-#kolla_internal_fqdn_cacert:
+#kolla_admin_openrc_cacert:
 
 ###############################################################################
 # Proxy configuration

releasenotes/notes/deprecate-fqdn-cacert-301d5a26ed7107ab.yaml

@@ -0,0 +1,13 @@
+---
+deprecates:
+  - |
+    Renames ``kolla_external_fqdn_cacert`` to ``kolla_public_openrc_cacert``
+    and ``kolla_internal_fqdn_cacert`` to ``kolla_admin_openrc_cacert``. This
+    matches the Kolla Ansible variable name and better reflects their purpose.
+    The old variable names are still supported until the end of the deprecation
+    period (2024.2 "D" series release or later).
+fixes:
+  - |
+    Fixes an issue where the Kolla Ansible variable
+    ``kolla_admin_openrc_cacert`` was not set to the value of
+    ``kolla_internal_fqdn_cacert``.