From ce212cc23c19906571af25e54ae2379d08c0c72b Mon Sep 17 00:00:00 2001
From: Pierre Riteau
Date: Fri, 3 Apr 2020 17:17:24 +0200
Subject: [PATCH] Prevent openrc files from using wrong OS_CACERT value
Kolla Ansible sets kolla_{external,internal}_fqdn_cacert variables with default values compatible with the use of `kolla-ansible certificates`. However, when these variables are left unset in Kayobe, which is generally the case when using trusted certificates, we end up with openrc files setting OS_CACERT to a file that does not exist: ${KOLLA_CONFIG_PATH}/certificates/haproxy-ca.crt Instead we allow null cacert variables to be passed to kolla-ansible, which results in openrc files without the bogus OS_CACERT entry.
Change-Id: Ifa615888b6d8d54c9e6314fd90f3fc4872fc6e5a
Story: 2007516
Task: 39299
---
 ansible/roles/kolla-ansible/templates/globals.yml.j2 | 4 ----
 .../prevent-wrong-oscacert-variable-9ede7f60c1562a77.yaml | 8 ++++++++
 2 files changed, 8 insertions(+), 4 deletions(-)
 create mode 100644 releasenotes/notes/prevent-wrong-oscacert-variable-9ede7f60c1562a77.yaml
diff --git a/ansible/roles/kolla-ansible/templates/globals.yml.j2 b/ansible/roles/kolla-ansible/templates/globals.yml.j2
index 6bc96d479..b7a90ec51 100644
--- a/ansible/roles/kolla-ansible/templates/globals.yml.j2
+++ b/ansible/roles/kolla-ansible/templates/globals.yml.j2
@@ -184,12 +184,8 @@ kolla_enable_tls_internal: {{ kolla_enable_tls_internal | bool }}
 kolla_enable_tls_external: {{ kolla_enable_tls_external | bool }}
 kolla_external_fqdn_cert: "{{ kolla_external_fqdn_cert }}"
 kolla_internal_fqdn_cert: "{{ kolla_internal_fqdn_cert }}"
-{% if kolla_external_fqdn_cacert %}
 kolla_external_fqdn_cacert: "{{ kolla_external_fqdn_cacert }}"
-{% endif %}
-{% if kolla_internal_fqdn_cacert %}
 kolla_internal_fqdn_cacert: "{{ kolla_internal_fqdn_cacert }}"
-{% endif %}
 
 ################
 # Region options
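Review bot: The two now-unconditional lines `kolla_external_fqdn_cacert: "{{ kolla_external_fqdn_cacert }}"` and `kolla_internal_fqdn_cacert: "{{ kolla_internal_fqdn_cacert }}"` depend on how a null value happens to render inside the quotes; under the deployment's templating that is presumably an empty string, but a plain Jinja render would produce the literal text `None`, which would put a bogus path back into OS_CACERT. Making the intent explicit removes that dependency, e.g. `kolla_external_fqdn_cacert: "{{ kolla_external_fqdn_cacert | default('', true) }}"` (and the same for the internal variable), with a comment such as `# Always emitted so an unset value overrides kolla-ansible's haproxy-ca.crt default`. Because the override is now always written, deployments whose endpoints are signed by a private CA (for example one produced by `kolla-ansible certificates`) no longer inherit kolla-ansible's default CA path and must set these variables themselves, otherwise clients sourcing the openrc file will fail certificate verification; that upgrade impact is worth stating beside these lines and in the release note. The hunk shows only part of the TLS options block, so where the Kayobe defaults for these variables are defined is not visible here.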
diff --git a/releasenotes/notes/prevent-wrong-oscacert-variable-9ede7f60c1562a77.yaml b/releasenotes/notes/prevent-wrong-oscacert-variable-9ede7f60c1562a77.yaml
new file mode 100644
index 000000000..436d950f4
--- /dev/null
+++ b/releasenotes/notes/prevent-wrong-oscacert-variable-9ede7f60c1562a77.yaml
@@ -0,0 +1,8 @@
+---
+fixes:
+ - |
+ Fixes an issue where ``OS_CACERT`` variable in ``openrc`` files would be
+ set to the path of a non-existent file. New ``openrc`` files can be
+ generated with the ``kayobe control host bootstrap`` command. `See story
+ 2007516 `_ for more
+ details.