Fix setting kolla_admin_openrc_cacert

Kolla Ansible renamed kolla_internal_fqdn_cacert to
kolla_admin_openrc_cacert in Victoria, after which we no longer set the
variable correctly in globals.yml. This would lead to a missing
OS_CACERT in admin-openrc.sh and public-openrc.sh.

This change fixes the issue by renaming the relevant Kayobe variables to
match and passing through the correct variable. Backwards compatibility
is provided until the end of the deprecation period.

kolla_public_openrc_cacert -> kolla_external_fqdn_cacert
kolla_admin_openrc_cacert -> kolla_internal_fqdn_cacert

Story: 2010486
Task: 47054

Change-Id: I9e1cc20579cf80525d6ef732a1aac99a65bc171b
Co-Authored-By: Maksim Malchuk <maksim.malchuk@gmail.com>
Mark Goddard 2022-12-20 10:54:49 +00:00
parent fbf0006895
commit 95729405a3
8 changed files with 37 additions and 19 deletions

@ -628,7 +628,7 @@ kolla_external_tls_cert:
# Path to a CA certificate file to use for the OS_CACERT environment variable
# in public-openrc.sh file when TLS is enabled, instead of Kolla-Ansible's
# default.
kolla_external_fqdn_cacert:
kolla_public_openrc_cacert: "{{ kolla_external_fqdn_cacert | default }}"
# Internal API certificate bundle.
#
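
Review bot: the new `kolla_public_openrc_cacert` line falls back to `kolla_external_fqdn_cacert`, but nothing in this file says that the old name is a deprecated alias now that it has no entry of its own. A one-line comment next to the `| default` fallback, naming the old variable and the release in which the fallback is removed, would keep the compatibility shim from being mistaken for a typo later.
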
@ -641,7 +641,7 @@ kolla_internal_tls_cert:
# Path to a CA certificate file to use for the OS_CACERT environment variable
# in admin-openrc.sh file when TLS is enabled, instead of Kolla-Ansible's
# default.
kolla_internal_fqdn_cacert:
kolla_admin_openrc_cacert: "{{ kolla_internal_fqdn_cacert | default }}"
###############################################################################
# Proxy configuration
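
Review bot: the comment kept above `kolla_admin_openrc_cacert` still says the path is used "in admin-openrc.sh file", while the documentation updated in this same change describes the variable as applying to both ``admin-openrc.sh`` and ``public-openrc.sh``. Suggest updating the comment so that both places describe the same scope.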

@ -165,8 +165,8 @@ kolla_enable_tls_external:
kolla_enable_tls_internal:
kolla_external_fqdn_cert:
kolla_internal_fqdn_cert:
kolla_external_fqdn_cacert:
kolla_internal_fqdn_cacert:
kolla_public_openrc_cacert:
kolla_admin_openrc_cacert:
#############################
# Ironic options

@ -206,8 +206,7 @@ kolla_external_fqdn_cert: "{{ kolla_external_fqdn_cert }}"
{% if kolla_internal_tls_cert is not none and kolla_internal_tls_cert | length > 0 %}
kolla_internal_fqdn_cert: "{{ kolla_internal_fqdn_cert }}"
{% endif %}
kolla_external_fqdn_cacert: "{{ kolla_external_fqdn_cacert }}"
kolla_internal_fqdn_cacert: "{{ kolla_internal_fqdn_cacert }}"
kolla_admin_openrc_cacert: "{{ kolla_admin_openrc_cacert }}"
################
# Region options

@ -121,6 +121,7 @@
kolla_internal_fqdn_cert: "{{ temp_path }}/etc/kolla/certificates/internal.pem"
kolla_internal_tls_cert: |
bogus internal certificate
kolla_admin_openrc_cacert: "{{ temp_path }}/etc/kolla/certificates/ca/foo.crt"
kolla_openstack_logging_debug: True
grafana_local_admin_user_name: "grafana-admin"
kolla_inspector_dhcp_pool_start: "1.2.3.4"
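
Review bot: the added input `kolla_admin_openrc_cacert: "{{ temp_path }}/etc/kolla/certificates/ca/foo.crt"` covers only the case where the new name is set explicitly. Nothing visible in the test changes exercises the deprecated `kolla_internal_fqdn_cacert` fallback or `kolla_public_openrc_cacert`; a case for each would guard the backwards-compatibility path that the commit message promises.
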
@ -240,6 +241,7 @@
kolla_external_fqdn_cert: "{{ temp_path }}/etc/kolla/certificates/external.pem"
kolla_enable_tls_internal: True
kolla_internal_fqdn_cert: "{{ temp_path }}/etc/kolla/certificates/internal.pem"
kolla_admin_openrc_cacert: "{{ temp_path }}/etc/kolla/certificates/ca/foo.crt"
openstack_logging_debug: True
grafana_admin_username: "grafana-admin"
ironic_dnsmasq_dhcp_ranges:

@ -11,8 +11,8 @@ export OS_ENDPOINT_TYPE=publicURL
export OS_MANILA_ENDPOINT_TYPE=publicURL
{% elif "export OS_MISTRAL_ENDPOINT_TYPE" in line %}
export OS_MISTRAL_ENDPOINT_TYPE=publicURL
{% elif "export OS_CACERT" in line and kolla_external_fqdn_cacert is not none %}
export OS_CACERT={{ kolla_external_fqdn_cacert }}
{% elif "export OS_CACERT" in line and kolla_public_openrc_cacert is not none %}
export OS_CACERT={{ kolla_public_openrc_cacert }}
{% else %}
{{ line }}
{% endif %}
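
Review bot: the `kolla_public_openrc_cacert is not none` test in the `OS_CACERT` branch also passes for an empty string, which is what `"{{ kolla_external_fqdn_cacert | default }}"` in the defaults produces when the old name is unset, so the template can emit `export OS_CACERT=` with no path instead of keeping the original line. Suggest `is not none and kolla_public_openrc_cacert | length > 0`, matching the guard style used for the certificate variables in the globals template.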

@ -268,10 +268,6 @@ The following variables affect TLS encryption of the public API.
A TLS certificate bundle to use for the public API endpoints, if
``kolla_enable_tls_external`` is ``true``. Note that this should be
formatted as a literal style block scalar.
``kolla_external_fqdn_cacert``
Path to a CA certificate file to use for the ``OS_CACERT`` environment
variable in openrc files when TLS is enabled, instead of Kolla Ansible's
default.
The following variables affect TLS encryption of the internal API. Currently
this requires all Kolla images to be built with the API's root CA trusted.
@ -282,10 +278,18 @@ this requires all Kolla images to be built with the API's root CA trusted.
A TLS certificate bundle to use for the internal API endpoints, if
``kolla_enable_tls_internal`` is ``true``. Note that this should be
formatted as a literal style block scalar.
``kolla_internal_fqdn_cacert``
The following variables affect the generated ``admin-openrc.sh`` and
``public-openrc.sh`` environment files.
``kolla_public_openrc_cacert``
Path to a CA certificate file to use for the ``OS_CACERT`` environment
variable in openrc files when TLS is enabled, instead of Kolla Ansible's
default.
variable in the ``public-openrc.sh`` file when TLS is enabled, instead of
``kolla_admin_openrc_cacert``.
``kolla_admin_openrc_cacert``
Path to a CA certificate file to use for the ``OS_CACERT`` environment
variable in the ``admin-openrc.sh`` and ``public-openrc.sh`` files when TLS
is enabled, instead of Kolla Ansible's default.
Example: enabling TLS for the public API
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
@ -302,7 +306,7 @@ Here is an example:
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
kolla_external_fqdn_cacert: /path/to/ca/certificate/bundle
kolla_admin_openrc_cacert: /path/to/ca/certificate/bundle
Example: enabling TLS for the internal API
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
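
Review bot: in the public API example, `kolla_external_fqdn_cacert` is replaced by `kolla_admin_openrc_cacert`, although the rename documented in this change maps the external variable to `kolla_public_openrc_cacert`. Either use `kolla_public_openrc_cacert` in this example or add a sentence explaining why the admin variable is the one to set for the public API.
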
@ -319,7 +323,7 @@ Here is an example:
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
kolla_internal_fqdn_cacert: /path/to/ca/certificate/bundle
kolla_admin_openrc_cacert: /path/to/ca/certificate/bundle
Other certificates
------------------

@ -479,7 +479,7 @@
# Path to a CA certificate file to use for the OS_CACERT environment variable
# in public-openrc.sh file when TLS is enabled, instead of Kolla-Ansible's
# default.
#kolla_external_fqdn_cacert:
#kolla_public_openrc_cacert:
# Internal API certificate bundle.
#
@ -492,7 +492,7 @@
# Path to a CA certificate file to use for the OS_CACERT environment variable
# in admin-openrc.sh file when TLS is enabled, instead of Kolla-Ansible's
# default.
#kolla_internal_fqdn_cacert:
#kolla_admin_openrc_cacert:
###############################################################################
# Proxy configuration

@ -0,0 +1,13 @@
---
deprecates:
- |
Renames ``kolla_external_fqdn_cacert`` to ``kolla_public_openrc_cacert``
and ``kolla_internal_fqdn_cacert`` to ``kolla_admin_openrc_cacert``. This
matches the Kolla Ansible variable name and better reflects their purpose.
The old variable names are still supported until the end of the deprecation
period (2024.2 "D" series release or later).
fixes:
- |
Fixes an issue where the Kolla Ansible variable
``kolla_admin_openrc_cacert`` was not set to the value of
``kolla_internal_fqdn_cacert``.