Add support for CA certificate parameter

When using Ansible OpenStack modules, if OS_CACERT is defined, then this will be passed as the cacert module argument. This ensures that non-standard CA certificate paths can be used. Change-Id: I2a2575b1fb0f149cc13c44526fc0167e68e07aab Story: 2004911 Task: 29261
2019-01-22 16:59:24 +00:00 · 2019-01-22 16:59:24 +00:00 · e83c57f233
commit e83c57f233
parent 9156fa0e2d
15 changed files with 32 additions and 0 deletions
--- a/ansible/baremetal-compute-inspect.yml
+++ b/ansible/baremetal-compute-inspect.yml
@ -34,6 +34,7 @@
      os_ironic_inspect:
        auth_type: "{{ openstack_auth_type }}"
        auth: "{{ openstack_auth }}"
        cacert: "{{ openstack_cacert | default(omit, true) }}"
        name: "{{ inventory_hostname }}"
        timeout: "{{ baremetal_compute_timeout }}"
        wait: "{{ baremetal_compute_wait }}"
--- a/ansible/baremetal-compute-manage.yml
+++ b/ansible/baremetal-compute-manage.yml
@ -32,6 +32,7 @@
    - role: stackhpc.os-ironic-state
      os_ironic_state_auth_type: "{{ openstack_auth_type }}"
      os_ironic_state_auth: "{{ openstack_auth }}"
      os_ironic_state_cacert: "{{ openstack_cacert }}"
      os_ironic_state_name: "{{ inventory_hostname }}"
      os_ironic_state_provision_state: "manage"
      os_ironic_state_wait: "{{ baremetal_compute_wait }}"
--- a/ansible/baremetal-compute-provide.yml
+++ b/ansible/baremetal-compute-provide.yml
@ -32,6 +32,7 @@
    - role: stackhpc.os-ironic-state
      os_ironic_state_auth_type: "{{ openstack_auth_type }}"
      os_ironic_state_auth: "{{ openstack_auth }}"
      os_ironic_state_cacert: "{{ openstack_cacert }}"
      os_ironic_state_name: "{{ inventory_hostname }}"
      os_ironic_state_provision_state: "provide"
      os_ironic_state_wait: "{{ baremetal_compute_wait }}"
--- a/ansible/group_vars/all/openstack
+++ b/ansible/group_vars/all/openstack
@ -17,6 +17,9 @@ openstack_auth:
  password: "{{ lookup('env', 'OS_PASSWORD') }}"
  auth_url: "{{ lookup('env', 'OS_AUTH_URL') }}"
 # Overcloud CA certificate path.
 openstack_cacert: "{{ lookup('env', 'OS_CACERT') }}"
 # Overcloud authentication environment variables. These should be compatible
 # with the openstack client.
 # By default we pull these from the environment of the shell executing Ansible.
@ -29,6 +32,7 @@ openstack_auth_env:
  OS_AUTH_URL: "{{ lookup('env', 'OS_AUTH_URL') }}"
  OS_INTERFACE: "{{ lookup('env', 'OS_INTERFACE') }}"
  OS_IDENTITY_API_VERSION: "{{ lookup('env', 'OS_IDENTITY_API_VERSION') }}"
  OS_CACERT: "{{ lookup('env', 'OS_CACERT') }}"
 # List of parameters required in openstack_auth when openstack_auth_type is
 # password.
--- a/ansible/overcloud-introspection-rules-dell-lldp-workaround.yml
+++ b/ansible/overcloud-introspection-rules-dell-lldp-workaround.yml
@ -127,3 +127,4 @@
      ironic_inspector_venv: "{{ virtualenv_path }}/shade"
      ironic_inspector_auth_type: "{{ openstack_auth_type }}"
      ironic_inspector_auth: "{{ openstack_auth }}"
      ironic_inspector_cacert: "{{ openstack_cacert }}"
--- a/ansible/overcloud-introspection-rules.yml
+++ b/ansible/overcloud-introspection-rules.yml
@ -59,6 +59,7 @@
      ironic_inspector_venv: "{{ venv }}"
      ironic_inspector_auth_type: "{{ openstack_auth_type }}"
      ironic_inspector_auth: "{{ openstack_auth }}"
      ironic_inspector_cacert: "{{ openstack_cacert }}"
      ironic_inspector_rules: "{{ inspector_rules }}"
      # These variables may be referenced in the introspection rules.
      inspector_rule_var_ipmi_username: "{{ inspector_ipmi_username }}"
--- a/ansible/overcloud-ipa-images.yml
+++ b/ansible/overcloud-ipa-images.yml
@ -104,4 +104,5 @@
      ipa_images_openstack_auth_type: "{{ openstack_auth_type }}"
      ipa_images_openstack_auth: "{{ openstack_auth }}"
      ipa_images_openstack_auth_env: "{{ openstack_auth_env }}"
      ipa_images_openstack_cacert: "{{ openstack_cacert }}"
      ipa_images_cache_path: "{{ image_cache_path }}/{{ ipa_image_name }}"
--- a/ansible/provision-net.yml
+++ b/ansible/provision-net.yml
@ -62,5 +62,6 @@
      os_networks_venv: "{{ virtualenv_path }}/shade"
      os_networks_auth_type: "{{ openstack_auth_type }}"
      os_networks_auth: "{{ openstack_auth }}"
      os_networks_cacert: "{{ openstack_cacert | default(omit, true) }}"
      # Network configuration.
      os_networks: "{{ network_registrations + ([] if cleaning_net_name == provision_wl_net_name else [cleaning_net]) }}"
--- a/ansible/roles/ipa-images/defaults/main.yml
+++ b/ansible/roles/ipa-images/defaults/main.yml
@ -14,6 +14,9 @@ ipa_images_openstack_auth: {}
 # openstack client.
 ipa_images_openstack_auth_env: {}
 # CA certificate path.
 ipa_images_openstack_caert:
 # Path to directory in which to store downloaded images.
 ipa_images_cache_path:
--- a/ansible/roles/ipa-images/tasks/main.yml
+++ b/ansible/roles/ipa-images/tasks/main.yml
@ -68,6 +68,7 @@
  os_image_facts:
    auth_type: "{{ ipa_images_openstack_auth_type }}"
    auth: "{{ ipa_images_openstack_auth }}"
    cacert: "{{ ipa_images_openstack_cacert | default(omit, true) }}"
    image: "{{ ipa_images_kernel_name }}"
 - name: Set a fact containing the Ironic Python Agent (IPA) kernel image
@ -78,6 +79,7 @@
  os_image_facts:
    auth_type: "{{ ipa_images_openstack_auth_type }}"
    auth: "{{ ipa_images_openstack_auth }}"
    cacert: "{{ ipa_images_openstack_cacert | default(omit, true) }}"
    image: "{{ ipa_images_ramdisk_name }}"
 - name: Set a fact containing the Ironic Python Agent (IPA) ramdisk image
@ -109,6 +111,7 @@
  os_image:
    auth_type: "{{ ipa_images_openstack_auth_type }}"
    auth: "{{ ipa_images_openstack_auth }}"
    cacert: "{{ ipa_images_openstack_cacert | default(omit, true) }}"
    name: "{{ item.name }}"
    container_format: "{{ item.format }}"
    disk_format: "{{ item.format }}"
--- a/ansible/roles/ipa-images/tasks/set-driver-info.yml
+++ b/ansible/roles/ipa-images/tasks/set-driver-info.yml
@ -4,6 +4,7 @@
  os_image_facts:
    auth_type: "{{ ipa_images_openstack_auth_type }}"
    auth: "{{ ipa_images_openstack_auth }}"
    cacert: "{{ ipa_images_openstack_cacert | default(omit, true) }}"
    image: "{{ item.name }}"
  with_items:
    - name: "{{ ipa_images_kernel_name }}"
--- a/ansible/roles/ironic-inspector-rules/README.md
+++ b/ansible/roles/ironic-inspector-rules/README.md
@ -24,6 +24,8 @@ the `auth_type` argument of `os_*` Ansible modules.
 `ironic_inspector_auth` is a dict containing authentication information
 compatible with the `auth` argument of `os_*` Ansible modules.
 `ironic_inspector_cacert` is an optional path to a CA certificate.
 `ironic_inspector_url` is the URL of Ironic Inspector API endpoint,
 required if no authentication is used.
--- a/ansible/roles/ironic-inspector-rules/defaults/main.yml
+++ b/ansible/roles/ironic-inspector-rules/defaults/main.yml
@ -8,6 +8,9 @@ ironic_inspector_auth_type:
 # Authentication information.
 ironic_inspector_auth: {}
 # CA certificate path.
 ironic_inspector_cacert:
 # URL of Ironic Inspector API endpoint.
 ironic_inspector_url:
--- a/ansible/roles/ironic-inspector-rules/tasks/main.yml
+++ b/ansible/roles/ironic-inspector-rules/tasks/main.yml
@ -18,6 +18,7 @@
  os_ironic_inspector_rule:
    auth_type: "{{ ironic_inspector_auth_type }}"
    auth: "{{ ironic_inspector_auth }}"
    cacert: "{{ ironic_inspector_cacert | default(omit, true) }}"
    conditions: "{{ item.conditions }}"
    actions: "{{ item.actions }}"
    description: "{{ item.description | default(omit) }}"
--- a/releasenotes/notes/cacert-514b8645d6912bf9.yaml
+++ b/releasenotes/notes/cacert-514b8645d6912bf9.yaml
@ -0,0 +1,8 @@
 ---
 features:
  - |
    Adds support for specifying a CA certificate when accessing APIs.  The path
    to the CA certificate may be specified via ``openstack_cacert`` , which
    takes its default value from the ``OS_CACERT`` environment variable.  See
    `story 2004911 <https://storyboard.openstack.org/#!/story/2004911>`__ for
    details.