
Merge "Use correct variable for default certificate paths"

tags/8.0.0.0rc1
Zuul 5 months ago
parent
commit
568fd4dcfd

+ 5
- 2
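--- a/ansible/group_vars/all.yml
+++ b/ansible/group_vars/all.yml
@@ -6,6 +6,9 @@
 # again. Persistent files allow for idempotency
 container_config_directory: "/var/lib/kolla/config_files"
 
+# The directory on the deploy host containing globals.yml.
+node_config: "{{ CONFIG_DIR | default('/etc/kolla') }}"
+
 # The directory to merge custom config files the kolla's config files
 node_custom_config: "/etc/kolla/config"
 
@@ -631,8 +634,8 @@ qdrouterd_user: "openstack"
 haproxy_user: "openstack"
 haproxy_enable_external_vip: "{{ 'no' if kolla_external_vip_address == kolla_internal_vip_address else 'yes' }}"
 kolla_enable_tls_external: "no"
-kolla_external_fqdn_cert: "{{ node_config_directory }}/certificates/haproxy.pem"
-kolla_external_fqdn_cacert: "{{ node_config_directory }}/certificates/haproxy-ca.crt"
+kolla_external_fqdn_cert: "{{ node_config }}/certificates/haproxy.pem"
+kolla_external_fqdn_cacert: "{{ node_config }}/certificates/haproxy-ca.crt"
 
 
 ####################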
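Review bot: The two certificate defaults in the second hunk carry no comment saying which host their paths refer to, and `node_config` is easy to confuse with `node_config_directory`, which is the mix-up this commit corrects. I would add above them `# Paths on the deploy host; haproxy.pem is assembled from certificates/private and contains the private key.` The certificates role in this same commit uses both variables as `dest`, so overriding them also moves where generated key material is written.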

+ 1
- 1
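--- a/ansible/post-deploy.yml
+++ b/ansible/post-deploy.yml
@@ -5,5 +5,5 @@
   tasks:
     - template:
         src: "roles/common/templates/admin-openrc.sh.j2"
-        dest: "{{ CONFIG_DIR | default('/etc/kolla') }}/admin-openrc.sh"
+        dest: "{{ node_config }}/admin-openrc.sh"
       run_once: True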
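Review bot: The template task that writes `admin-openrc.sh` sets no `mode`, so the rendered file gets whatever the umask on the deploy host allows. The file name suggests it carries the admin credentials (the template itself is not shown here), and it lands in the same `{{ node_config }}` directory that the prechecks read `passwords.yml` from. Adding `mode: "0600"` under `dest:` would pin it to owner-only. The play header sits above this hunk, so a setting made there cannot be ruled out.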

+ 3
- 0
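--- a/ansible/roles/certificates/defaults/main.yml
+++ b/ansible/roles/certificates/defaults/main.yml
@@ -0,0 +1,3 @@
+---
+# Directory on deploy node (localhost) in which certificates are generated.
+certificates_dir: "{{ node_config }}/certificates"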

+ 11
- 13
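--- a/ansible/roles/certificates/tasks/generate.yml
+++ b/ansible/roles/certificates/tasks/generate.yml
@@ -2,17 +2,15 @@
 - name: Ensuring config directories exist
   become: true
   file:
-    path: "{{ node_config_directory }}/{{ item }}"
+    path: "{{ certificates_dir }}/private"
     state: "directory"
     recurse: yes
-  with_items:
-    - "certificates/private"
 
 - name: Creating SSL configuration file
   become: true
   template:
     src: "{{ item }}.j2"
-    dest: "{{ node_config_directory }}/certificates/{{ item }}"
+    dest: "{{ certificates_dir }}/{{ item }}"
   with_items:
     - "openssl-kolla.cnf"
 
@@ -20,12 +18,12 @@
   become: true
   command: creates="{{ item }}" openssl genrsa -out {{ item }}
   with_items:
-    - "{{ node_config_directory }}/certificates/private/haproxy.key"
+    - "{{ certificates_dir }}/private/haproxy.key"
 
 - name: Setting permissions on key
   become: true
   file:
-    path: "{{ node_config_directory }}/certificates/private/haproxy.key"
+    path: "{{ certificates_dir }}/certificates/private/haproxy.key"
     mode: 0600
     state: file
 
@@ -33,23 +31,23 @@
   become: true
   command: creates="{{ item }}" openssl req -new -nodes -sha256 -x509 \
     -subj "/C=US/ST=NC/L=RTP/O=kolla/CN={{ kolla_external_fqdn }}" \
-    -config {{ node_config_directory }}/certificates/openssl-kolla.cnf \
+    -config {{ certificates_dir }}/openssl-kolla.cnf \
     -days 3650 \
     -extensions v3_req \
-    -key {{ node_config_directory }}/certificates/private/haproxy.key \
+    -key {{ certificates_dir }}/private/haproxy.key \
     -out {{ item }}
   with_items:
-    - "{{ node_config_directory }}/certificates/private/haproxy.crt"
+    - "{{ certificates_dir }}/private/haproxy.crt"
 
 - name: Creating CA Certificate File
   become: true
   copy:
-    src: "{{ node_config_directory }}/certificates/private/haproxy.crt"
-    dest: "{{ node_config_directory }}/certificates/haproxy-ca.crt"
+    src: "{{ certificates_dir }}/private/haproxy.crt"
+    dest: "{{ kolla_external_fqdn_cacert }}"
 
 - name: Creating Server PEM File
   become: true
   assemble:
-    src: "{{ node_config_directory }}/certificates/private"
-    dest: "{{ node_config_directory }}/certificates/haproxy.pem"
+    src: "{{ certificates_dir }}/private"
+    dest: "{{ kolla_external_fqdn_cert }}"
     mode: 0600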
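Review bot: The new `path` in the "Setting permissions on key" task repeats the `certificates` segment: `certificates_dir` already ends in `/certificates`, so `{{ certificates_dir }}/certificates/private/haproxy.key` is not the file the genrsa task writes to `{{ certificates_dir }}/private/haproxy.key`. The 0600 mode is therefore never applied to the generated private key, and with `state: file` the task will most likely fail on the missing path. The line should read `path: "{{ certificates_dir }}/private/haproxy.key"`. Separately, the CA and PEM tasks now write to `kolla_external_fqdn_cacert` and `kolla_external_fqdn_cert`, so an operator who has pointed those variables at their own certificate would have it overwritten by this role; a comment in the role defaults saying so would help.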

+ 1
- 1
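--- a/ansible/roles/keystone/tasks/precheck.yml
+++ b/ansible/roles/keystone/tasks/precheck.yml
@@ -44,7 +44,7 @@
 
 - name: Checking fernet_token_expiry in globals.yml. Update fernet_token_expiry to allowed value if this task fails
   run_once: true
-  local_action: command awk '/^fernet_token_expiry/ { print $2 }' "{{ CONFIG_DIR | default('/etc/kolla') }}/globals.yml"
+  local_action: command awk '/^fernet_token_expiry/ { print $2 }' "{{ node_config }}/globals.yml"
   register: result
   changed_when: false
   failed_when: result.stdout | regex_replace('(60|120|180|240|300|360|600|720|900|1200|1800|3600|7200|10800|14400|21600|28800|43200|86400|604800)', '') | search(".+")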
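Review bot: The `failed_when` expression below the changed `local_action` line uses an unanchored alternation, so the first alternative that matches a prefix wins: for `3600` the regex removes `360` and leaves `0`, and for `600` it removes `60` and leaves `0`. That makes `search(".+")` true and fails the check on values the list is meant to allow. Anchoring the pattern, `regex_replace('^(60|120|…|604800)$', '')` with the same list, would accept exactly the listed values. The awk call also prints the second field verbatim, so a quoted value in globals.yml would presumably be rejected as well; worth confirming. The task may continue below the hunk.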

+ 1
- 1
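--- a/ansible/roles/prechecks/tasks/service_checks.yml
+++ b/ansible/roles/prechecks/tasks/service_checks.yml
@@ -11,7 +11,7 @@
 # will pass, but only because nothing in the vault file has the format of a
 # YAML dict item.
 - name: Checking empty passwords in passwords.yml. Run kolla-genpwd if this task fails
-  local_action: command grep '^[^#].*:\s*$' "{{ CONFIG_DIR | default('/etc/kolla') }}/passwords.yml"
+  local_action: command grep '^[^#].*:\s*$' "{{ node_config }}/passwords.yml"
   run_once: True
   register: result
   changed_when: false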

+ 1
- 1
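--- a/doc/source/admin/advanced-configuration.rst
+++ b/doc/source/admin/advanced-configuration.rst
@@ -92,7 +92,7 @@ The default for TLS is disabled, to enable TLS networking:
 .. code-block:: yaml
 
    kolla_enable_tls_external: "yes"
-   kolla_external_fqdn_cert: "{{ node_config_directory }}/certificates/mycert.pem"
+   kolla_external_fqdn_cert: "{{ node_config }}/certificates/mycert.pem"
 
 .. note::
 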

+ 1
- 1
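--- a/etc/kolla/globals.yml
+++ b/etc/kolla/globals.yml
@@ -151,7 +151,7 @@ kolla_internal_vip_address: "10.10.10.254"
 # TLS can be enabled.  When TLS is enabled, certificates must be provided to
 # allow clients to perform authentication.
 #kolla_enable_tls_external: "no"
-#kolla_external_fqdn_cert: "{{ node_config_directory }}/certificates/haproxy.pem"
+#kolla_external_fqdn_cert: "{{ node_config }}/certificates/haproxy.pem"
 
 
 ##############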

+ 9
- 0
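--- a/releasenotes/notes/cert-path-65943386e62f1a8c.yaml
+++ b/releasenotes/notes/cert-path-65943386e62f1a8c.yaml
@@ -0,0 +1,9 @@
+---
+upgrade:
+  - |
+    Changes the default path for certificates generated via ``kolla-ansible
+    certificates`` from ``{[ node_config_directory }}/certificates`` to
+    ``{{ node_config }}``.  ``{{ node_config }}`` is the directory containing
+    ``globals.yml``, which by default is ``/etc/kolla/``. This makes
+    certificates consistent with other locally generated files, such as
+    ``admin-openrc.sh``.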
