Add support for CA certificate parameter
When using Ansible OpenStack modules, if OS_CACERT is defined, then this will be passed as the cacert module argument. This ensures that non-standard CA certificate paths can be used. Change-Id: I2a2575b1fb0f149cc13c44526fc0167e68e07aab Story: 2004911 Task: 29261
parent
9156fa0e2d
commit
e83c57f233
@ -34,6 +34,7 @@
|
||||
os_ironic_inspect:
|
||||
auth_type: "{{ openstack_auth_type }}"
|
||||
auth: "{{ openstack_auth }}"
|
||||
cacert: "{{ openstack_cacert | default(omit, true) }}"
|
||||
name: "{{ inventory_hostname }}"
|
||||
timeout: "{{ baremetal_compute_timeout }}"
|
||||
wait: "{{ baremetal_compute_wait }}"
|
||||
|
@ -32,6 +32,7 @@
|
||||
- role: stackhpc.os-ironic-state
|
||||
os_ironic_state_auth_type: "{{ openstack_auth_type }}"
|
||||
os_ironic_state_auth: "{{ openstack_auth }}"
|
||||
os_ironic_state_cacert: "{{ openstack_cacert }}"
|
||||
os_ironic_state_name: "{{ inventory_hostname }}"
|
||||
os_ironic_state_provision_state: "manage"
|
||||
os_ironic_state_wait: "{{ baremetal_compute_wait }}"
|
||||
|
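Review bot: `os_ironic_state_cacert` is handed to the external role `stackhpc.os-ironic-state`, and nothing on this page shows that the role version in use reads that variable. Ansible ignores unknown role variables silently, so with an older role the CA path would be dropped without any error and the API connection would be verified against the default bundle only. Confirm the pinned role version supports the variable, or bump the requirement in the same change; the same applies to the identical line in the next hunk (provision state `provide`).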
@ -32,6 +32,7 @@
|
||||
- role: stackhpc.os-ironic-state
|
||||
os_ironic_state_auth_type: "{{ openstack_auth_type }}"
|
||||
os_ironic_state_auth: "{{ openstack_auth }}"
|
||||
os_ironic_state_cacert: "{{ openstack_cacert }}"
|
||||
os_ironic_state_name: "{{ inventory_hostname }}"
|
||||
os_ironic_state_provision_state: "provide"
|
||||
os_ironic_state_wait: "{{ baremetal_compute_wait }}"
|
||||
|
@ -17,6 +17,9 @@ openstack_auth:
|
||||
password: "{{ lookup('env', 'OS_PASSWORD') }}"
|
||||
auth_url: "{{ lookup('env', 'OS_AUTH_URL') }}"
|
||||
|
||||
# Overcloud CA certificate path.
|
||||
openstack_cacert: "{{ lookup('env', 'OS_CACERT') }}"
|
||||
|
||||
# Overcloud authentication environment variables. These should be compatible
|
||||
# with the openstack client.
|
||||
# By default we pull these from the environment of the shell executing Ansible.
|
||||
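Review bot: The comment `# Overcloud CA certificate path.` does not say on which host the path is resolved or what an unset `OS_CACERT` means. `lookup('env', 'OS_CACERT')` is evaluated on the Ansible control host and yields an empty string when the variable is absent, while the `os_*` modules presumably open the file on whichever host executes the task, so the two can differ. I would extend the comment to say that the value is read from `OS_CACERT` on the control host, that the file must exist at that path on the host running the `os_*` modules, and that an empty value leaves the module's default verification settings in place. That way a missing file is diagnosed as a path problem rather than worked around by turning verification off.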
@ -29,6 +32,7 @@ openstack_auth_env:
|
||||
OS_AUTH_URL: "{{ lookup('env', 'OS_AUTH_URL') }}"
|
||||
OS_INTERFACE: "{{ lookup('env', 'OS_INTERFACE') }}"
|
||||
OS_IDENTITY_API_VERSION: "{{ lookup('env', 'OS_IDENTITY_API_VERSION') }}"
|
||||
OS_CACERT: "{{ lookup('env', 'OS_CACERT') }}"
|
||||
|
||||
# List of parameters required in openstack_auth when openstack_auth_type is
|
||||
# password.
|
||||
|
@ -127,3 +127,4 @@
|
||||
ironic_inspector_venv: "{{ virtualenv_path }}/shade"
|
||||
ironic_inspector_auth_type: "{{ openstack_auth_type }}"
|
||||
ironic_inspector_auth: "{{ openstack_auth }}"
|
||||
ironic_inspector_cacert: "{{ openstack_cacert }}"
|
||||
|
@ -59,6 +59,7 @@
|
||||
ironic_inspector_venv: "{{ venv }}"
|
||||
ironic_inspector_auth_type: "{{ openstack_auth_type }}"
|
||||
ironic_inspector_auth: "{{ openstack_auth }}"
|
||||
ironic_inspector_cacert: "{{ openstack_cacert }}"
|
||||
ironic_inspector_rules: "{{ inspector_rules }}"
|
||||
# These variables may be referenced in the introspection rules.
|
||||
inspector_rule_var_ipmi_username: "{{ inspector_ipmi_username }}"
|
||||
|
@ -104,4 +104,5 @@
|
||||
ipa_images_openstack_auth_type: "{{ openstack_auth_type }}"
|
||||
ipa_images_openstack_auth: "{{ openstack_auth }}"
|
||||
ipa_images_openstack_auth_env: "{{ openstack_auth_env }}"
|
||||
ipa_images_openstack_cacert: "{{ openstack_cacert }}"
|
||||
ipa_images_cache_path: "{{ image_cache_path }}/{{ ipa_image_name }}"
|
||||
|
@ -62,5 +62,6 @@
|
||||
os_networks_venv: "{{ virtualenv_path }}/shade"
|
||||
os_networks_auth_type: "{{ openstack_auth_type }}"
|
||||
os_networks_auth: "{{ openstack_auth }}"
|
||||
os_networks_cacert: "{{ openstack_cacert | default(omit, true) }}"
|
||||
# Network configuration.
|
||||
os_networks: "{{ network_registrations + ([] if cleaning_net_name == provision_wl_net_name else [cleaning_net]) }}"
|
||||
|
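Review bot: `os_networks_cacert` applies `default(omit, true)` at the call site, while the other role variables added in this commit (`os_ironic_state_cacert`, `ironic_inspector_cacert`, `ipa_images_openstack_cacert`) pass `"{{ openstack_cacert }}"` unchanged and leave the omit to the role's own task. Passing the omit placeholder through a role variable only works if the role forwards it straight into a module argument, which is not visible here. For consistency I would write `os_networks_cacert: "{{ openstack_cacert }}"`, or keep the filter and add a comment explaining why this role needs it.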
@ -14,6 +14,9 @@ ipa_images_openstack_auth: {}
|
||||
# openstack client.
|
||||
ipa_images_openstack_auth_env: {}
|
||||
|
||||
# CA certificate path.
|
||||
ipa_images_openstack_caert:
|
||||
|
||||
# Path to directory in which to store downloaded images.
|
||||
ipa_images_cache_path:
|
||||
|
||||
|
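Review bot: The new role default is spelled `ipa_images_openstack_caert:`, but every task hunk on this page reads `ipa_images_openstack_cacert`, so the defaults file never defines the variable the tasks use. The tasks still run because `default(omit, true)` tolerates an undefined name, which hides the typo. Anyone who overrides the misspelled name taken from this defaults file gets no CA bundle applied, and verification silently falls back to the module's default. Rename the key to `ipa_images_openstack_cacert:` so the documented default and its consumers agree.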
@ -68,6 +68,7 @@
|
||||
os_image_facts:
|
||||
auth_type: "{{ ipa_images_openstack_auth_type }}"
|
||||
auth: "{{ ipa_images_openstack_auth }}"
|
||||
cacert: "{{ ipa_images_openstack_cacert | default(omit, true) }}"
|
||||
image: "{{ ipa_images_kernel_name }}"
|
||||
|
||||
- name: Set a fact containing the Ironic Python Agent (IPA) kernel image
|
||||
@ -78,6 +79,7 @@
|
||||
os_image_facts:
|
||||
auth_type: "{{ ipa_images_openstack_auth_type }}"
|
||||
auth: "{{ ipa_images_openstack_auth }}"
|
||||
cacert: "{{ ipa_images_openstack_cacert | default(omit, true) }}"
|
||||
image: "{{ ipa_images_ramdisk_name }}"
|
||||
|
||||
- name: Set a fact containing the Ironic Python Agent (IPA) ramdisk image
|
||||
@ -109,6 +111,7 @@
|
||||
os_image:
|
||||
auth_type: "{{ ipa_images_openstack_auth_type }}"
|
||||
auth: "{{ ipa_images_openstack_auth }}"
|
||||
cacert: "{{ ipa_images_openstack_cacert | default(omit, true) }}"
|
||||
name: "{{ item.name }}"
|
||||
container_format: "{{ item.format }}"
|
||||
disk_format: "{{ item.format }}"
|
||||
|
@ -4,6 +4,7 @@
|
||||
os_image_facts:
|
||||
auth_type: "{{ ipa_images_openstack_auth_type }}"
|
||||
auth: "{{ ipa_images_openstack_auth }}"
|
||||
cacert: "{{ ipa_images_openstack_cacert | default(omit, true) }}"
|
||||
image: "{{ item.name }}"
|
||||
with_items:
|
||||
- name: "{{ ipa_images_kernel_name }}"
|
||||
|
@ -24,6 +24,8 @@ the `auth_type` argument of `os_*` Ansible modules.
|
||||
`ironic_inspector_auth` is a dict containing authentication information
|
||||
compatible with the `auth` argument of `os_*` Ansible modules.
|
||||
|
||||
`ironic_inspector_cacert` is an optional path to a CA certificate.
|
||||
|
||||
`ironic_inspector_url` is the URL of Ironic Inspector API endpoint,
|
||||
required if no authentication is used.
|
||||
|
||||
|
@ -8,6 +8,9 @@ ironic_inspector_auth_type:
|
||||
# Authentication information.
|
||||
ironic_inspector_auth: {}
|
||||
|
||||
# CA certificate path.
|
||||
ironic_inspector_cacert:
|
||||
|
||||
# URL of Ironic Inspector API endpoint.
|
||||
ironic_inspector_url:
|
||||
|
||||
|
@ -18,6 +18,7 @@
|
||||
os_ironic_inspector_rule:
|
||||
auth_type: "{{ ironic_inspector_auth_type }}"
|
||||
auth: "{{ ironic_inspector_auth }}"
|
||||
cacert: "{{ ironic_inspector_cacert | default(omit, true) }}"
|
||||
conditions: "{{ item.conditions }}"
|
||||
actions: "{{ item.actions }}"
|
||||
description: "{{ item.description | default(omit) }}"
|
||||
|
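--- a/releasenotes/notes/cacert-514b8645d6912bf9.yaml
+++ b/releasenotes/notes/cacert-514b8645d6912bf9.yaml
@@ -0,0 +1,8 @@
+---
+features:
+- |
+Adds support for specifying a CA certificate when accessing APIs. The path
+to the CA certificate may be specified via ``openstack_cacert`` , which
+takes its default value from the ``OS_CACERT`` environment variable. See
+`story 2004911 <https://storyboard.openstack.org/#!/story/2004911>`__ for
+details.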