Support CloudKitty deployment with internal TLS

Configure cloudkitty_influxdb_use_ssl automatically based on the value of kolla_enable_tls_internal. Set cloudkitty_elasticsearch_cafile, cloudkitty_influxdb_cafile and cloudkitty_prometheus_cafile to openstack_cacert. Disable certificate validation when bootstrapping the InfluxDB database: the influxdb_database module and the InfluxDB 1.x Python client don't support specifying a CA certificate file. This fixes bootstrap and execution of CloudKitty with internal TLS. Closes-Bug: #1998831 Change-Id: I5524169b9567819d379726099bf70c692c85acc1
2024-05-14 09:35:51 +02:00 · 2024-05-14 09:35:51 +02:00 · 78e7f133f0
commit 78e7f133f0
parent cff75f6eac
3 changed files with 12 additions and 4 deletions
--- a/ansible/roles/cloudkitty/defaults/main.yml
+++ b/ansible/roles/cloudkitty/defaults/main.yml
@ -154,10 +154,10 @@ cloudkitty_custom_metrics_yaml_file: "metrics.yml"
 # cloudkitty_influxdb_retention_policy: "autogen"

 # Set to true to use SSL for InfluxDB connections.
-cloudkitty_influxdb_use_ssl: false
+cloudkitty_influxdb_use_ssl: "{{ kolla_enable_tls_internal }}"

 # Path of the CA certificate to trust for HTTPS connections.
-# cloudkitty_influxdb_cafile: "{{ openstack_cacert }}"
+cloudkitty_influxdb_cafile: "{{ openstack_cacert }}"

 # Set to true to authorize insecure HTTPS connections to InfluxDB.
 # This means, HTTPS connections without validating the certificate used by InfluxDB
@ -172,7 +172,7 @@ cloudkitty_elasticsearch_index_name: "cloudkitty"
 cloudkitty_elasticsearch_url: "{{ internal_protocol }}://{{ opensearch_address }}:{{ opensearch_port }}"

 # Path of the CA certificate to trust for HTTPS connections.
-# cloudkitty_elasticsearch_cafile: "{{ openstack_cacert }}"
+cloudkitty_elasticsearch_cafile: "{{ openstack_cacert }}"

 # Set to true to authorize insecure HTTPS connections to Elasticsearch.
 # This means, HTTPS connections without validating the certificate used by elasticsearch
@ -189,7 +189,7 @@ cloudkitty_collector_backend: "gnocchi"
 cloudkitty_prometheus_url: "{{ internal_protocol }}://{{ kolla_internal_fqdn | put_address_in_context('url') }}:{{ prometheus_port }}/api/v1"

 # Path of the CA certificate to trust for HTTPS connections.
-# cloudkitty_prometheus_cafile: "{{ openstack_cacert }}"
+cloudkitty_prometheus_cafile: "{{ openstack_cacert }}"

 # Set to true to authorize insecure HTTPS connections to Prometheus.
 # This means, HTTPS connections without validating the certificate used by prometheus.
--- a/ansible/roles/cloudkitty/tasks/bootstrap.yml
+++ b/ansible/roles/cloudkitty/tasks/bootstrap.yml
@ -45,6 +45,9 @@
      port: "{{ influxdb_http_port }}"
      ssl: "{{ cloudkitty_influxdb_use_ssl | bool }}"
      database_name: "{{ cloudkitty_influxdb_name }}"
+      # The influxdb_database module and the InfluxDB 1.x Python client don't
+      # support specifying a CA certificate file.
+      validate_certs: False
  run_once: True
  delegate_to: "{{ groups['cloudkitty-api'][0] }}"
  when: cloudkitty_storage_backend == 'influxdb'
--- a/releasenotes/notes/cloudkitty-internal-tls-c3e18be2a9f95c5d.yaml
+++ b/releasenotes/notes/cloudkitty-internal-tls-c3e18be2a9f95c5d.yaml
@ -0,0 +1,5 @@
+---
+fixes:
+  - |
+    Fixes configuration of CloudKitty when internal TLS is enabled.
+    `LP#1998831 <https://bugs.launchpad.net/kolla-ansible/+bug/1998831>`__