diff --git a/ansible/roles/cloudkitty/defaults/main.yml b/ansible/roles/cloudkitty/defaults/main.yml
index f7b87daac4..0735b4a67e 100644
--- a/ansible/roles/cloudkitty/defaults/main.yml
+++ b/ansible/roles/cloudkitty/defaults/main.yml
@@ -154,10 +154,10 @@ cloudkitty_custom_metrics_yaml_file: "metrics.yml"
 # cloudkitty_influxdb_retention_policy: "autogen"

 # Set to true to use SSL for InfluxDB connections.
-cloudkitty_influxdb_use_ssl: false
+cloudkitty_influxdb_use_ssl: "{{ kolla_enable_tls_internal }}"

 # Path of the CA certificate to trust for HTTPS connections.
-# cloudkitty_influxdb_cafile: "{{ openstack_cacert }}"
+cloudkitty_influxdb_cafile: "{{ openstack_cacert }}"

 # Set to true to authorize insecure HTTPS connections to InfluxDB.
 # This means, HTTPS connections without validating the certificate used by InfluxDB
@@ -172,7 +172,7 @@ cloudkitty_elasticsearch_index_name: "cloudkitty"
 cloudkitty_elasticsearch_url: "{{ internal_protocol }}://{{ opensearch_address }}:{{ opensearch_port }}"

 # Path of the CA certificate to trust for HTTPS connections.
-# cloudkitty_elasticsearch_cafile: "{{ openstack_cacert }}"
+cloudkitty_elasticsearch_cafile: "{{ openstack_cacert }}"

 # Set to true to authorize insecure HTTPS connections to Elasticsearch.
 # This means, HTTPS connections without validating the certificate used by elasticsearch
@@ -189,7 +189,7 @@ cloudkitty_collector_backend: "gnocchi"
 cloudkitty_prometheus_url: "{{ internal_protocol }}://{{ kolla_internal_fqdn | put_address_in_context('url') }}:{{ prometheus_port }}/api/v1"

 # Path of the CA certificate to trust for HTTPS connections.
-# cloudkitty_prometheus_cafile: "{{ openstack_cacert }}"
+cloudkitty_prometheus_cafile: "{{ openstack_cacert }}"

 # Set to true to authorize insecure HTTPS connections to Prometheus.
 # This means, HTTPS connections without validating the certificate used by prometheus.
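Review bot: `cloudkitty_influxdb_cafile` is now always defined, as are `cloudkitty_elasticsearch_cafile` and `cloudkitty_prometheus_cafile` in the two later hunks of this file, so any template or task that gated on `is defined` will now emit a CA path on every deployment. The consumers are not part of this diff, so it is worth confirming they test the value rather than definedness, for example `{% if cloudkitty_influxdb_cafile %}`, in case `openstack_cacert` can be empty when internal TLS is off. The comment above `cloudkitty_influxdb_use_ssl` still reads as if the default were a fixed boolean; I would change it to `# Use SSL for InfluxDB connections. Defaults to the value of kolla_enable_tls_internal.` Because the default is now a templated string, every consumer needs `| bool`, as the bootstrap task in this commit already does.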
diff --git a/ansible/roles/cloudkitty/tasks/bootstrap.yml b/ansible/roles/cloudkitty/tasks/bootstrap.yml
index 679c33ae95..8c432f3ffc 100644
--- a/ansible/roles/cloudkitty/tasks/bootstrap.yml
+++ b/ansible/roles/cloudkitty/tasks/bootstrap.yml
@@ -45,6 +45,9 @@
 port: "{{ influxdb_http_port }}"
 ssl: "{{ cloudkitty_influxdb_use_ssl | bool }}"
 database_name: "{{ cloudkitty_influxdb_name }}"
+ # The influxdb_database module and the InfluxDB 1.x Python client don't
+ # support specifying a CA certificate file.
+ validate_certs: False
 run_once: True
 delegate_to: "{{ groups['cloudkitty-api'][0] }}"
 when: cloudkitty_storage_backend == 'influxdb'
diff --git a/releasenotes/notes/cloudkitty-internal-tls-c3e18be2a9f95c5d.yaml b/releasenotes/notes/cloudkitty-internal-tls-c3e18be2a9f95c5d.yaml
new file mode 100644
index 0000000000..8cd08af65c
--- /dev/null
+++ b/releasenotes/notes/cloudkitty-internal-tls-c3e18be2a9f95c5d.yaml
@@ -0,0 +1,5 @@
+---
+fixes:
+ - |
+ Fixes configuration of CloudKitty when internal TLS is enabled.
+ `LP#1998831 `__
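Review bot: `validate_certs: False` in the tasks/bootstrap.yml hunk is unconditional, so whenever `ssl` is true the bootstrap connection to InfluxDB is encrypted but the server certificate is never checked. Whatever the module sends is then exposed to a host impersonating InfluxDB on the internal network; the task's login parameters sit above the hunk, so whether credentials are among that data is inferred rather than visible here. The added comment gives the reason but not the consequence; I would extend it with `# Certificate verification is therefore disabled for this task only; the InfluxDB endpoint is not authenticated.` and state the same limitation in the release note. Consider driving the value from an operator-settable variable instead of a literal, so deployments whose InfluxDB certificate chains to a CA the module already trusts can keep verification on.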