Fix setting kolla_admin_openrc_cacert
Kolla Ansible renamed kolla_internal_fqdn_cacert to kolla_admin_openrc_cacert in Victoria, after which we no longer set the variable correctly in globals.yml. This would lead to a missing OS_CACERT in admin-openrc.sh and public-openrc.sh. This change fixes the issue by renaming the relevant Kayobe variables to match and passing through the correct variable. Backwards compatibility is provided until the end of the deprecation period. kolla_public_openrc_cacert -> kolla_external_fqdn_cacert kolla_admin_openrc_cacert -> kolla_internal_fqdn_cacert Story: 2010486 Task: 47054 Change-Id: I9e1cc20579cf80525d6ef732a1aac99a65bc171b Co-Authored-By: Maksim Malchuk <maksim.malchuk@gmail.com>
This commit is contained in:
parent
fbf0006895
commit
95729405a3
@ -628,7 +628,7 @@ kolla_external_tls_cert:
|
|||||||
# Path to a CA certificate file to use for the OS_CACERT environment variable
|
# Path to a CA certificate file to use for the OS_CACERT environment variable
|
||||||
# in public-openrc.sh file when TLS is enabled, instead of Kolla-Ansible's
|
# in public-openrc.sh file when TLS is enabled, instead of Kolla-Ansible's
|
||||||
# default.
|
# default.
|
||||||
kolla_external_fqdn_cacert:
|
kolla_public_openrc_cacert: "{{ kolla_external_fqdn_cacert | default }}"
|
||||||
|
|
||||||
# Internal API certificate bundle.
|
# Internal API certificate bundle.
|
||||||
#
|
#
|
||||||
@ -641,7 +641,7 @@ kolla_internal_tls_cert:
|
|||||||
# Path to a CA certificate file to use for the OS_CACERT environment variable
|
# Path to a CA certificate file to use for the OS_CACERT environment variable
|
||||||
# in admin-openrc.sh file when TLS is enabled, instead of Kolla-Ansible's
|
# in admin-openrc.sh file when TLS is enabled, instead of Kolla-Ansible's
|
||||||
# default.
|
# default.
|
||||||
kolla_internal_fqdn_cacert:
|
kolla_admin_openrc_cacert: "{{ kolla_internal_fqdn_cacert | default }}"
|
||||||
|
|
||||||
###############################################################################
|
###############################################################################
|
||||||
# Proxy configuration
|
# Proxy configuration
|
||||||
|
@ -165,8 +165,8 @@ kolla_enable_tls_external:
|
|||||||
kolla_enable_tls_internal:
|
kolla_enable_tls_internal:
|
||||||
kolla_external_fqdn_cert:
|
kolla_external_fqdn_cert:
|
||||||
kolla_internal_fqdn_cert:
|
kolla_internal_fqdn_cert:
|
||||||
kolla_external_fqdn_cacert:
|
kolla_public_openrc_cacert:
|
||||||
kolla_internal_fqdn_cacert:
|
kolla_admin_openrc_cacert:
|
||||||
|
|
||||||
#############################
|
#############################
|
||||||
# Ironic options
|
# Ironic options
|
||||||
|
@ -206,8 +206,7 @@ kolla_external_fqdn_cert: "{{ kolla_external_fqdn_cert }}"
|
|||||||
{% if kolla_internal_tls_cert is not none and kolla_internal_tls_cert | length > 0 %}
|
{% if kolla_internal_tls_cert is not none and kolla_internal_tls_cert | length > 0 %}
|
||||||
kolla_internal_fqdn_cert: "{{ kolla_internal_fqdn_cert }}"
|
kolla_internal_fqdn_cert: "{{ kolla_internal_fqdn_cert }}"
|
||||||
{% endif %}
|
{% endif %}
|
||||||
kolla_external_fqdn_cacert: "{{ kolla_external_fqdn_cacert }}"
|
kolla_admin_openrc_cacert: "{{ kolla_admin_openrc_cacert }}"
|
||||||
kolla_internal_fqdn_cacert: "{{ kolla_internal_fqdn_cacert }}"
|
|
||||||
|
|
||||||
################
|
################
|
||||||
# Region options
|
# Region options
|
||||||
|
@ -121,6 +121,7 @@
|
|||||||
kolla_internal_fqdn_cert: "{{ temp_path }}/etc/kolla/certificates/internal.pem"
|
kolla_internal_fqdn_cert: "{{ temp_path }}/etc/kolla/certificates/internal.pem"
|
||||||
kolla_internal_tls_cert: |
|
kolla_internal_tls_cert: |
|
||||||
bogus internal certificate
|
bogus internal certificate
|
||||||
|
kolla_admin_openrc_cacert: "{{ temp_path }}/etc/kolla/certificates/ca/foo.crt"
|
||||||
kolla_openstack_logging_debug: True
|
kolla_openstack_logging_debug: True
|
||||||
grafana_local_admin_user_name: "grafana-admin"
|
grafana_local_admin_user_name: "grafana-admin"
|
||||||
kolla_inspector_dhcp_pool_start: "1.2.3.4"
|
kolla_inspector_dhcp_pool_start: "1.2.3.4"
|
||||||
@ -240,6 +241,7 @@
|
|||||||
kolla_external_fqdn_cert: "{{ temp_path }}/etc/kolla/certificates/external.pem"
|
kolla_external_fqdn_cert: "{{ temp_path }}/etc/kolla/certificates/external.pem"
|
||||||
kolla_enable_tls_internal: True
|
kolla_enable_tls_internal: True
|
||||||
kolla_internal_fqdn_cert: "{{ temp_path }}/etc/kolla/certificates/internal.pem"
|
kolla_internal_fqdn_cert: "{{ temp_path }}/etc/kolla/certificates/internal.pem"
|
||||||
|
kolla_admin_openrc_cacert: "{{ temp_path }}/etc/kolla/certificates/ca/foo.crt"
|
||||||
openstack_logging_debug: True
|
openstack_logging_debug: True
|
||||||
grafana_admin_username: "grafana-admin"
|
grafana_admin_username: "grafana-admin"
|
||||||
ironic_dnsmasq_dhcp_ranges:
|
ironic_dnsmasq_dhcp_ranges:
|
||||||
|
@ -11,8 +11,8 @@ export OS_ENDPOINT_TYPE=publicURL
|
|||||||
export OS_MANILA_ENDPOINT_TYPE=publicURL
|
export OS_MANILA_ENDPOINT_TYPE=publicURL
|
||||||
{% elif "export OS_MISTRAL_ENDPOINT_TYPE" in line %}
|
{% elif "export OS_MISTRAL_ENDPOINT_TYPE" in line %}
|
||||||
export OS_MISTRAL_ENDPOINT_TYPE=publicURL
|
export OS_MISTRAL_ENDPOINT_TYPE=publicURL
|
||||||
{% elif "export OS_CACERT" in line and kolla_external_fqdn_cacert is not none %}
|
{% elif "export OS_CACERT" in line and kolla_public_openrc_cacert is not none %}
|
||||||
export OS_CACERT={{ kolla_external_fqdn_cacert }}
|
export OS_CACERT={{ kolla_public_openrc_cacert }}
|
||||||
{% else %}
|
{% else %}
|
||||||
{{ line }}
|
{{ line }}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
@ -268,10 +268,6 @@ The following variables affect TLS encryption of the public API.
|
|||||||
A TLS certificate bundle to use for the public API endpoints, if
|
A TLS certificate bundle to use for the public API endpoints, if
|
||||||
``kolla_enable_tls_external`` is ``true``. Note that this should be
|
``kolla_enable_tls_external`` is ``true``. Note that this should be
|
||||||
formatted as a literal style block scalar.
|
formatted as a literal style block scalar.
|
||||||
``kolla_external_fqdn_cacert``
|
|
||||||
Path to a CA certificate file to use for the ``OS_CACERT`` environment
|
|
||||||
variable in openrc files when TLS is enabled, instead of Kolla Ansible's
|
|
||||||
default.
|
|
||||||
|
|
||||||
The following variables affect TLS encryption of the internal API. Currently
|
The following variables affect TLS encryption of the internal API. Currently
|
||||||
this requires all Kolla images to be built with the API's root CA trusted.
|
this requires all Kolla images to be built with the API's root CA trusted.
|
||||||
@ -282,10 +278,18 @@ this requires all Kolla images to be built with the API's root CA trusted.
|
|||||||
A TLS certificate bundle to use for the internal API endpoints, if
|
A TLS certificate bundle to use for the internal API endpoints, if
|
||||||
``kolla_enable_tls_internal`` is ``true``. Note that this should be
|
``kolla_enable_tls_internal`` is ``true``. Note that this should be
|
||||||
formatted as a literal style block scalar.
|
formatted as a literal style block scalar.
|
||||||
``kolla_internal_fqdn_cacert``
|
|
||||||
|
The following variables affect the generated ``admin-openrc.sh`` and
|
||||||
|
``public-openrc.sh`` environment files.
|
||||||
|
|
||||||
|
``kolla_public_openrc_cacert``
|
||||||
Path to a CA certificate file to use for the ``OS_CACERT`` environment
|
Path to a CA certificate file to use for the ``OS_CACERT`` environment
|
||||||
variable in openrc files when TLS is enabled, instead of Kolla Ansible's
|
variable in the ``public-openrc.sh`` file when TLS is enabled, instead of
|
||||||
default.
|
``kolla_admin_openrc_cacert``.
|
||||||
|
``kolla_admin_openrc_cacert``
|
||||||
|
Path to a CA certificate file to use for the ``OS_CACERT`` environment
|
||||||
|
variable in the ``admin-openrc.sh`` and ``public-openrc.sh`` files when TLS
|
||||||
|
is enabled, instead of Kolla Ansible's default.
|
||||||
|
|
||||||
Example: enabling TLS for the public API
|
Example: enabling TLS for the public API
|
||||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||||
@ -302,7 +306,7 @@ Here is an example:
|
|||||||
-----BEGIN CERTIFICATE-----
|
-----BEGIN CERTIFICATE-----
|
||||||
...
|
...
|
||||||
-----END CERTIFICATE-----
|
-----END CERTIFICATE-----
|
||||||
kolla_external_fqdn_cacert: /path/to/ca/certificate/bundle
|
kolla_admin_openrc_cacert: /path/to/ca/certificate/bundle
|
||||||
|
|
||||||
Example: enabling TLS for the internal API
|
Example: enabling TLS for the internal API
|
||||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||||
@ -319,7 +323,7 @@ Here is an example:
|
|||||||
-----BEGIN CERTIFICATE-----
|
-----BEGIN CERTIFICATE-----
|
||||||
...
|
...
|
||||||
-----END CERTIFICATE-----
|
-----END CERTIFICATE-----
|
||||||
kolla_internal_fqdn_cacert: /path/to/ca/certificate/bundle
|
kolla_admin_openrc_cacert: /path/to/ca/certificate/bundle
|
||||||
|
|
||||||
Other certificates
|
Other certificates
|
||||||
------------------
|
------------------
|
||||||
|
@ -479,7 +479,7 @@
|
|||||||
# Path to a CA certificate file to use for the OS_CACERT environment variable
|
# Path to a CA certificate file to use for the OS_CACERT environment variable
|
||||||
# in public-openrc.sh file when TLS is enabled, instead of Kolla-Ansible's
|
# in public-openrc.sh file when TLS is enabled, instead of Kolla-Ansible's
|
||||||
# default.
|
# default.
|
||||||
#kolla_external_fqdn_cacert:
|
#kolla_public_openrc_cacert:
|
||||||
|
|
||||||
# Internal API certificate bundle.
|
# Internal API certificate bundle.
|
||||||
#
|
#
|
||||||
@ -492,7 +492,7 @@
|
|||||||
# Path to a CA certificate file to use for the OS_CACERT environment variable
|
# Path to a CA certificate file to use for the OS_CACERT environment variable
|
||||||
# in admin-openrc.sh file when TLS is enabled, instead of Kolla-Ansible's
|
# in admin-openrc.sh file when TLS is enabled, instead of Kolla-Ansible's
|
||||||
# default.
|
# default.
|
||||||
#kolla_internal_fqdn_cacert:
|
#kolla_admin_openrc_cacert:
|
||||||
|
|
||||||
###############################################################################
|
###############################################################################
|
||||||
# Proxy configuration
|
# Proxy configuration
|
||||||
|
@ -0,0 +1,13 @@
|
|||||||
|
---
|
||||||
|
deprecates:
|
||||||
|
- |
|
||||||
|
Renames ``kolla_external_fqdn_cacert`` to ``kolla_public_openrc_cacert``
|
||||||
|
and ``kolla_internal_fqdn_cacert`` to ``kolla_admin_openrc_cacert``. This
|
||||||
|
matches the Kolla Ansible variable name and better reflects their purpose.
|
||||||
|
The old variable names are still supported until the end of the deprecation
|
||||||
|
period (2024.2 "D" series release or later).
|
||||||
|
fixes:
|
||||||
|
- |
|
||||||
|
Fixes an issue where the Kolla Ansible variable
|
||||||
|
``kolla_admin_openrc_cacert`` was not set to the value of
|
||||||
|
``kolla_internal_fqdn_cacert``.
|
Loading…
Reference in New Issue
Block a user