Merge "Copy CA into containers."

This commit is contained in:
Zuul 2020-02-07 17:25:00 +00:00 committed by Gerrit Code Review
commit b3c8ff59f1
53 changed files with 633 additions and 1 deletions

View File

@ -759,7 +759,7 @@ kolla_external_fqdn_cert: "{{ node_config }}/certificates/haproxy.pem"
kolla_internal_fqdn_cert: "{{ node_config }}/certificates/haproxy-internal.pem" kolla_internal_fqdn_cert: "{{ node_config }}/certificates/haproxy-internal.pem"
kolla_external_fqdn_cacert: "{{ node_config }}/certificates/haproxy-ca.crt" kolla_external_fqdn_cacert: "{{ node_config }}/certificates/haproxy-ca.crt"
kolla_internal_fqdn_cacert: "{{ node_config }}/certificates/haproxy-ca-internal.crt" kolla_internal_fqdn_cacert: "{{ node_config }}/certificates/haproxy-ca-internal.crt"
kolla_copy_ca_into_containers: "no"
#################### ####################
# Kibana options # Kibana options

View File

@ -45,6 +45,18 @@
notify: notify:
- "Restart {{ item.key }} container" - "Restart {{ item.key }} container"
- name: Copying over extra CA certificates
become: true
copy:
src: "{{ node_config }}/certificates/ca/"
dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates"
mode: "0644"
when:
- item.value.enabled | bool
- inventory_hostname in groups[item.value.group]
- kolla_copy_ca_into_containers | bool
with_dict: "{{ aodh_services }}"
- name: Copying over config.json files for services - name: Copying over config.json files for services
template: template:
src: "{{ item.key }}.json.j2" src: "{{ item.key }}.json.j2"

View File

@ -47,6 +47,18 @@
when: when:
- barbican_policy.results - barbican_policy.results
- name: Copying over extra CA certificates
become: true
copy:
src: "{{ node_config }}/certificates/ca/"
dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates"
mode: "0644"
when:
- inventory_hostname in groups[item.value.group]
- item.value.enabled | bool
- kolla_copy_ca_into_containers | bool
with_dict: "{{ barbican_services }}"
- name: Copying over config.json files for services - name: Copying over config.json files for services
template: template:
src: "{{ item.key }}.json.j2" src: "{{ item.key }}.json.j2"

View File

@ -31,6 +31,18 @@
when: when:
- blazar_policy.results - blazar_policy.results
- name: Copying over extra CA certificates
become: true
copy:
src: "{{ node_config }}/certificates/ca/"
dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates"
mode: "0644"
when:
- inventory_hostname in groups[item.value.group]
- item.value.enabled | bool
- kolla_copy_ca_into_containers | bool
with_dict: "{{ blazar_services }}"
- name: Copying over config.json files for services - name: Copying over config.json files for services
template: template:
src: "{{ item.key }}.json.j2" src: "{{ item.key }}.json.j2"

View File

@ -136,6 +136,18 @@
when: when:
- ceilometer_policy.results - ceilometer_policy.results
- name: Copying over extra CA certificates
become: true
copy:
src: "{{ node_config }}/certificates/ca/"
dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates"
mode: "0644"
when:
- inventory_hostname in groups[item.value.group]
- item.value.enabled | bool
- kolla_copy_ca_into_containers | bool
with_dict: "{{ ceilometer_services }}"
- name: Copying over config.json files for services - name: Copying over config.json files for services
template: template:
src: "{{ item.key }}.json.j2" src: "{{ item.key }}.json.j2"

View File

@ -46,6 +46,18 @@
when: when:
- cinder_policy.results - cinder_policy.results
- name: Copying over extra CA certificates
become: true
copy:
src: "{{ node_config }}/certificates/ca/"
dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates"
mode: "0644"
when:
- inventory_hostname in groups[item.value.group]
- item.value.enabled | bool
- kolla_copy_ca_into_containers | bool
with_dict: "{{ cinder_services }}"
- name: Copying over config.json files for services - name: Copying over config.json files for services
template: template:
src: "{{ item.key }}.json.j2" src: "{{ item.key }}.json.j2"

View File

@ -55,6 +55,18 @@
set_fact: set_fact:
cloudkitty_custom_metrics_used: "{{ cloudkitty_custom_metrics_file.stat.exists }}" cloudkitty_custom_metrics_used: "{{ cloudkitty_custom_metrics_file.stat.exists }}"
- name: Copying over extra CA certificates
become: true
copy:
src: "{{ node_config }}/certificates/ca/"
dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates"
mode: "0644"
when:
- item.value.enabled | bool
- inventory_hostname in groups[item.value.group]
- kolla_copy_ca_into_containers | bool
with_dict: "{{ cloudkitty_services }}"
- name: Copying over config.json files for services - name: Copying over config.json files for services
template: template:
src: "{{ item.key }}.json.j2" src: "{{ item.key }}.json.j2"

View File

@ -52,6 +52,17 @@
fluentd_binary: "{{ fluentd_labels.images.0.ContainerConfig.Labels.fluentd_binary }}" fluentd_binary: "{{ fluentd_labels.images.0.ContainerConfig.Labels.fluentd_binary }}"
when: enable_fluentd | bool when: enable_fluentd | bool
- name: Copying over extra CA certificates
become: true
copy:
src: "{{ node_config }}/certificates/ca/"
dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates"
mode: "0644"
when:
- item.value.enabled | bool
- kolla_copy_ca_into_containers | bool
with_dict: "{{ common_services }}"
- name: Copying over config.json files for services - name: Copying over config.json files for services
template: template:
src: "{{ item.key }}.json.j2" src: "{{ item.key }}.json.j2"

View File

@ -31,6 +31,18 @@
when: when:
- congress_policy.results - congress_policy.results
- name: Copying over extra CA certificates
become: true
copy:
src: "{{ node_config }}/certificates/ca/"
dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates"
mode: "0644"
when:
- item.value.enabled | bool
- inventory_hostname in groups[item.value.group]
- kolla_copy_ca_into_containers | bool
with_dict: "{{ congress_services }}"
- name: Copying over config.json files for services - name: Copying over config.json files for services
template: template:
src: "{{ item.key }}.json.j2" src: "{{ item.key }}.json.j2"

View File

@ -45,6 +45,18 @@
notify: notify:
- Restart {{ item.key }} container - Restart {{ item.key }} container
- name: Copying over extra CA certificates
become: true
copy:
src: "{{ node_config }}/certificates/ca/"
dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates"
mode: "0644"
when:
- item.value.enabled | bool
- inventory_hostname in groups[item.value.group]
- kolla_copy_ca_into_containers | bool
with_dict: "{{ cyborg_services }}"
- name: Copying over config.json files for services - name: Copying over config.json files for services
template: template:
src: "{{ item.key }}.json.j2" src: "{{ item.key }}.json.j2"

View File

@ -31,6 +31,18 @@
when: when:
- designate_policy.results - designate_policy.results
- name: Copying over extra CA certificates
become: true
copy:
src: "{{ node_config }}/certificates/ca/"
dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates"
mode: "0644"
when:
- item.value.enabled | bool
- inventory_hostname in groups[item.value.group]
- kolla_copy_ca_into_containers | bool
with_dict: "{{ designate_services }}"
- name: Copying over config.json files for services - name: Copying over config.json files for services
template: template:
src: "{{ item.key }}.json.j2" src: "{{ item.key }}.json.j2"

View File

@ -21,6 +21,17 @@
- item.value.enabled | bool - item.value.enabled | bool
with_dict: "{{ elasticsearch_services }}" with_dict: "{{ elasticsearch_services }}"
- name: Copying over extra CA certificates
become: true
copy:
src: "{{ node_config }}/certificates/ca/"
dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates"
mode: "0644"
when:
- item.value.enabled | bool
- kolla_copy_ca_into_containers | bool
with_dict: "{{ elasticsearch_services }}"
- name: Copying over config.json files for services - name: Copying over config.json files for services
template: template:
src: "{{ item.key }}.json.j2" src: "{{ item.key }}.json.j2"

View File

@ -31,6 +31,18 @@
when: when:
- freezer_policy.results - freezer_policy.results
- name: Copying over extra CA certificates
become: true
copy:
src: "{{ node_config }}/certificates/ca/"
dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates"
mode: "0644"
when:
- item.value.enabled | bool
- inventory_hostname in groups[item.value.group]
- kolla_copy_ca_into_containers | bool
with_dict: "{{ freezer_services }}"
- name: Copying over config.json files for services - name: Copying over config.json files for services
template: template:
src: "{{ item.key }}.json.j2" src: "{{ item.key }}.json.j2"

View File

@ -41,6 +41,18 @@
when: when:
- glance_policy.results - glance_policy.results
- name: Copying over extra CA certificates
become: true
copy:
src: "{{ node_config }}/certificates/ca/"
dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates"
mode: "0644"
when:
- item.value.enabled | bool
- inventory_hostname in groups[item.value.group]
- kolla_copy_ca_into_containers | bool
with_dict: "{{ glance_services }}"
- name: Copying over config.json files for services - name: Copying over config.json files for services
template: template:
src: "{{ item.key }}.json.j2" src: "{{ item.key }}.json.j2"

View File

@ -41,6 +41,18 @@
when: when:
- gnocchi_policy.results - gnocchi_policy.results
- name: Copying over extra CA certificates
become: true
copy:
src: "{{ node_config }}/certificates/ca/"
dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates"
mode: "0644"
when:
- item.value.enabled | bool
- inventory_hostname in groups[item.value.group]
- kolla_copy_ca_into_containers | bool
with_dict: "{{ gnocchi_services }}"
- name: Copying over config.json files for services - name: Copying over config.json files for services
template: template:
src: "{{ item.key }}.json.j2" src: "{{ item.key }}.json.j2"

View File

@ -20,6 +20,17 @@
run_once: True run_once: True
register: check_extra_conf_grafana register: check_extra_conf_grafana
- name: Copying over extra CA certificates
become: true
copy:
src: "{{ node_config }}/certificates/ca/"
dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates"
mode: "0644"
when:
- item.value.enabled | bool
- kolla_copy_ca_into_containers | bool
with_dict: "{{ grafana_services }}"
- name: Copying over config.json files - name: Copying over config.json files
template: template:
src: "{{ item.key }}.json.j2" src: "{{ item.key }}.json.j2"

View File

@ -31,6 +31,18 @@
when: when:
- heat_policy.results - heat_policy.results
- name: Copying over extra CA certificates
become: true
copy:
src: "{{ node_config }}/certificates/ca/"
dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates"
mode: "0644"
when:
- inventory_hostname in groups[item.value.group]
- item.value.enabled | bool
- kolla_copy_ca_into_containers | bool
with_dict: "{{ heat_services }}"
- name: Copying over config.json files for services - name: Copying over config.json files for services
become: true become: true
template: template:

View File

@ -38,6 +38,18 @@
when: when:
- ironic_policy.results - ironic_policy.results
- name: Copying over extra CA certificates
become: true
copy:
src: "{{ node_config }}/certificates/ca/"
dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates"
mode: "0644"
when:
- item.value.enabled | bool
- inventory_hostname in groups[item.value.group]
- kolla_copy_ca_into_containers | bool
with_dict: "{{ ironic_services }}"
- name: Copying over config.json files for services - name: Copying over config.json files for services
template: template:
src: "{{ item.key }}.json.j2" src: "{{ item.key }}.json.j2"

View File

@ -12,6 +12,18 @@
- item.value.enabled | bool - item.value.enabled | bool
with_dict: "{{ karbor_services }}" with_dict: "{{ karbor_services }}"
- name: Copying over extra CA certificates
become: true
copy:
src: "{{ node_config }}/certificates/ca/"
dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates"
mode: "0644"
when:
- item.value.enabled | bool
- inventory_hostname in groups[item.value.group]
- kolla_copy_ca_into_containers | bool
with_dict: "{{ karbor_services }}"
- name: Copying over config.json files for services - name: Copying over config.json files for services
template: template:
src: "{{ item.key }}.json.j2" src: "{{ item.key }}.json.j2"

View File

@ -38,6 +38,18 @@
run_once: True run_once: True
register: keystone_domain_directory register: keystone_domain_directory
- name: Copying over extra CA certificates
become: true
copy:
src: "{{ node_config }}/certificates/ca/"
dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates"
mode: "0644"
when:
- item.value.enabled | bool
- inventory_hostname in groups[item.value.group]
- kolla_copy_ca_into_containers | bool
with_dict: "{{ keystone_services }}"
- name: Copying over config.json files for services - name: Copying over config.json files for services
template: template:
src: "{{ item.key }}.json.j2" src: "{{ item.key }}.json.j2"

View File

@ -12,6 +12,18 @@
- item.value.enabled | bool - item.value.enabled | bool
with_dict: "{{ kibana_services }}" with_dict: "{{ kibana_services }}"
- name: Copying over extra CA certificates
become: true
copy:
src: "{{ node_config }}/certificates/ca/"
dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates"
mode: "0644"
when:
- item.value.enabled | bool
- inventory_hostname in groups[item.value.group]
- kolla_copy_ca_into_containers | bool
with_dict: "{{ kibana_services }}"
- name: Copying over config.json files for services - name: Copying over config.json files for services
template: template:
src: "{{ item.key }}.json.j2" src: "{{ item.key }}.json.j2"

View File

@ -31,6 +31,18 @@
when: when:
- kuryr_policy.results - kuryr_policy.results
- name: Copying over extra CA certificates
become: true
copy:
src: "{{ node_config }}/certificates/ca/"
dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates"
mode: "0644"
when:
- item.value.enabled | bool
- inventory_hostname in groups[item.value.group]
- kolla_copy_ca_into_containers | bool
with_dict: "{{ kuryr_services }}"
- name: Copying over config.json files for services - name: Copying over config.json files for services
template: template:
src: "{{ item.key }}.json.j2" src: "{{ item.key }}.json.j2"

View File

@ -31,6 +31,18 @@
when: when:
- magnum_policy.results - magnum_policy.results
- name: Copying over extra CA certificates
become: true
copy:
src: "{{ node_config }}/certificates/ca/"
dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates"
mode: "0644"
when:
- item.value.enabled | bool
- inventory_hostname in groups[item.value.group]
- kolla_copy_ca_into_containers | bool
with_dict: "{{ magnum_services }}"
- name: Copying over config.json files for services - name: Copying over config.json files for services
template: template:
src: "{{ item.key }}.json.j2" src: "{{ item.key }}.json.j2"

View File

@ -45,6 +45,18 @@
when: when:
- manila_policy.results - manila_policy.results
- name: Copying over extra CA certificates
become: true
copy:
src: "{{ node_config }}/certificates/ca/"
dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates"
mode: "0644"
when:
- item.value.enabled | bool
- inventory_hostname in groups[item.value.group]
- kolla_copy_ca_into_containers | bool
with_dict: "{{ manila_services }}"
- name: Copying over config.json files for services - name: Copying over config.json files for services
template: template:
src: "{{ item.key }}.json.j2" src: "{{ item.key }}.json.j2"

View File

@ -31,6 +31,18 @@
when: when:
- mistral_policy.results - mistral_policy.results
- name: Copying over extra CA certificates
become: true
copy:
src: "{{ node_config }}/certificates/ca/"
dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates"
mode: "0644"
when:
- item.value.enabled | bool
- inventory_hostname in groups[item.value.group]
- kolla_copy_ca_into_containers | bool
with_dict: "{{ mistral_services }}"
- name: Copying over config.json files for services - name: Copying over config.json files for services
template: template:
src: "{{ item.key }}.json.j2" src: "{{ item.key }}.json.j2"

View File

@ -12,6 +12,18 @@
- item.value.enabled | bool - item.value.enabled | bool
with_dict: "{{ monasca_services }}" with_dict: "{{ monasca_services }}"
- name: Copying over extra CA certificates
become: true
copy:
src: "{{ node_config }}/certificates/ca/"
dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates"
mode: "0644"
when:
- item.value.enabled | bool
- inventory_hostname in groups[item.value.group]
- kolla_copy_ca_into_containers | bool
with_dict: "{{ monasca_services }}"
- name: Copying over config.json files for services - name: Copying over config.json files for services
template: template:
src: "{{ item.key }}/{{ item.key }}.json.j2" src: "{{ item.key }}/{{ item.key }}.json.j2"

View File

@ -31,6 +31,18 @@
when: when:
- murano_policy.results - murano_policy.results
- name: Copying over extra CA certificates
become: true
copy:
src: "{{ node_config }}/certificates/ca/"
dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates"
mode: "0644"
when:
- item.value.enabled | bool
- inventory_hostname in groups[item.value.group]
- kolla_copy_ca_into_containers | bool
with_dict: "{{ murano_services }}"
- name: Copying over config.json files for services - name: Copying over config.json files for services
template: template:
src: "{{ item.key }}.json.j2" src: "{{ item.key }}.json.j2"

View File

@ -47,6 +47,18 @@
changed_when: False changed_when: False
register: check_extra_ml2_plugins register: check_extra_ml2_plugins
- name: Copying over extra CA certificates
become: true
copy:
src: "{{ node_config }}/certificates/ca/"
dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates"
mode: "0644"
when:
- item.value.enabled | bool
- item.value.host_in_groups | bool
- kolla_copy_ca_into_containers | bool
with_dict: "{{ neutron_services }}"
- name: Copying over config.json files for services - name: Copying over config.json files for services
become: true become: true
template: template:

View File

@ -24,6 +24,18 @@
- item.value.enabled | bool - item.value.enabled | bool
with_dict: "{{ nova_cell_services }}" with_dict: "{{ nova_cell_services }}"
- name: Copying over extra CA certificates
become: true
copy:
src: "{{ node_config }}/certificates/ca/"
dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates"
mode: "0644"
when:
- item.value.enabled | bool
- inventory_hostname in groups[item.value.group]
- kolla_copy_ca_into_containers | bool
with_dict: "{{ nova_cell_services }}"
- include_tasks: ceph.yml - include_tasks: ceph.yml
when: when:
- enable_ceph | bool and nova_backend == "rbd" - enable_ceph | bool and nova_backend == "rbd"

View File

@ -33,3 +33,14 @@
- "{{ node_custom_config }}/nova-hyperv/wsgate.ini" - "{{ node_custom_config }}/nova-hyperv/wsgate.ini"
- "wsgate.ini.j2" - "wsgate.ini.j2"
notify: Restart FreeRDP-WebConnect notify: Restart FreeRDP-WebConnect
- name: Copying over extra CA certificates
become: true
copy:
src: "{{ node_config }}/certificates/ca/"
dest: "{{ node_custom_config }}/nova-hyperv/ca-certificates"
mode: "0644"
when:
- item.value.enabled | bool
- inventory_hostname in groups[item.value.group]
- kolla_copy_ca_into_containers | bool

View File

@ -31,6 +31,18 @@
when: when:
- nova_policy.results - nova_policy.results
- name: Copying over extra CA certificates
become: true
copy:
src: "{{ node_config }}/certificates/ca/"
dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates"
mode: "0644"
when:
- item.value.enabled | bool
- inventory_hostname in groups[item.value.group]
- kolla_copy_ca_into_containers | bool
with_dict: "{{ nova_services }}"
- name: Copying over config.json files for services - name: Copying over config.json files for services
become: true become: true
template: template:

View File

@ -45,6 +45,18 @@
notify: notify:
- "Restart {{ item.key }} container" - "Restart {{ item.key }} container"
- name: Copying over extra CA certificates
become: true
copy:
src: "{{ node_config }}/certificates/ca/"
dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates"
mode: "0644"
when:
- item.value.enabled | bool
- inventory_hostname in groups[item.value.group]
- kolla_copy_ca_into_containers | bool
with_dict: "{{ octavia_services }}"
- name: Copying over config.json files for services - name: Copying over config.json files for services
template: template:
src: "{{ item.key }}.json.j2" src: "{{ item.key }}.json.j2"

View File

@ -31,6 +31,18 @@
when: when:
- panko_policy.results - panko_policy.results
- name: Copying over extra CA certificates
become: true
copy:
src: "{{ node_config }}/certificates/ca/"
dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates"
mode: "0644"
when:
- item.value.enabled | bool
- inventory_hostname in groups[item.value.group]
- kolla_copy_ca_into_containers | bool
with_dict: "{{ panko_services }}"
- name: Copying over config.json files for services - name: Copying over config.json files for services
template: template:
src: "{{ item.key }}.json.j2" src: "{{ item.key }}.json.j2"

View File

@ -31,6 +31,18 @@
when: when:
- placement_policy.results - placement_policy.results
- name: Copying over extra CA certificates
become: true
copy:
src: "{{ node_config }}/certificates/ca/"
dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates"
mode: "0644"
when:
- item.value.enabled | bool
- inventory_hostname in groups[item.value.group]
- kolla_copy_ca_into_containers | bool
with_dict: "{{ placement_services }}"
- name: Copying over config.json files for services - name: Copying over config.json files for services
become: true become: true
template: template:

View File

@ -12,6 +12,18 @@
- item.value.enabled | bool - item.value.enabled | bool
with_dict: "{{ prometheus_services }}" with_dict: "{{ prometheus_services }}"
- name: Copying over extra CA certificates
become: true
copy:
src: "{{ node_config }}/certificates/ca/"
dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates"
mode: "0644"
when:
- item.value.enabled | bool
- inventory_hostname in groups[item.value.group]
- kolla_copy_ca_into_containers | bool
with_dict: "{{ prometheus_services }}"
- name: Copying over config.json files - name: Copying over config.json files
become: true become: true
template: template:

View File

@ -36,6 +36,18 @@
when: when:
- qinling_policy.results - qinling_policy.results
- name: Copying over extra CA certificates
become: true
copy:
src: "{{ node_config }}/certificates/ca/"
dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates"
mode: "0644"
when:
- item.value.enabled | bool
- inventory_hostname in groups[item.value.group]
- kolla_copy_ca_into_containers | bool
with_dict: "{{ qinling_services }}"
- name: Copying over config.json files for services - name: Copying over config.json files for services
template: template:
src: "{{ item.key }}.json.j2" src: "{{ item.key }}.json.j2"

View File

@ -31,6 +31,18 @@
when: when:
- rally_policy.results - rally_policy.results
- name: Copying over extra CA certificates
become: true
copy:
src: "{{ node_config }}/certificates/ca/"
dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates"
mode: "0644"
when:
- item.value.enabled | bool
- inventory_hostname in groups[item.value.group]
- kolla_copy_ca_into_containers | bool
with_dict: "{{ rally_services }}"
- name: Copying over config.json files for services - name: Copying over config.json files for services
template: template:
src: "{{ item.key }}.json.j2" src: "{{ item.key }}.json.j2"

View File

@ -31,6 +31,18 @@
when: when:
- sahara_policy.results - sahara_policy.results
- name: Copying over extra CA certificates
become: true
copy:
src: "{{ node_config }}/certificates/ca/"
dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates"
mode: "0644"
when:
- item.value.enabled | bool
- inventory_hostname in groups[item.value.group]
- kolla_copy_ca_into_containers | bool
with_dict: "{{ sahara_services }}"
- name: Copying over config.json files for services - name: Copying over config.json files for services
template: template:
src: "{{ item.key }}.json.j2" src: "{{ item.key }}.json.j2"

View File

@ -31,6 +31,18 @@
when: when:
- searchlight_policy.results - searchlight_policy.results
- name: Copying over extra CA certificates
become: true
copy:
src: "{{ node_config }}/certificates/ca/"
dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates"
mode: "0644"
when:
- item.value.enabled | bool
- inventory_hostname in groups[item.value.group]
- kolla_copy_ca_into_containers | bool
with_dict: "{{ searchlight_config_jsons }}"
- name: Copying over config.json files for services - name: Copying over config.json files for services
template: template:
src: "{{ item.key }}.json.j2" src: "{{ item.key }}.json.j2"

View File

@ -31,6 +31,18 @@
when: when:
- senlin_policy.results - senlin_policy.results
- name: Copying over extra CA certificates
become: true
copy:
src: "{{ node_config }}/certificates/ca/"
dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates"
mode: "0644"
when:
- item.value.enabled | bool
- inventory_hostname in groups[item.value.group]
- kolla_copy_ca_into_containers | bool
with_dict: "{{ senlin_services }}"
- name: Copying over config.json files for services - name: Copying over config.json files for services
template: template:
src: "{{ item.key }}.json.j2" src: "{{ item.key }}.json.j2"

View File

@ -12,6 +12,18 @@
- item.value.enabled | bool - item.value.enabled | bool
with_dict: "{{ skydive_services }}" with_dict: "{{ skydive_services }}"
- name: Copying over extra CA certificates
become: true
copy:
src: "{{ node_config }}/certificates/ca/"
dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates"
mode: "0644"
when:
- item.value.enabled | bool
- inventory_hostname in groups[item.value.group]
- kolla_copy_ca_into_containers | bool
with_dict: "{{ skydive_services }}"
- name: Copying over default config.json files - name: Copying over default config.json files
template: template:
src: "{{ item.key }}.json.j2" src: "{{ item.key }}.json.j2"

View File

@ -12,6 +12,18 @@
- item.value.enabled | bool - item.value.enabled | bool
with_dict: "{{ solum_services }}" with_dict: "{{ solum_services }}"
- name: Copying over extra CA certificates
become: true
copy:
src: "{{ node_config }}/certificates/ca/"
dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates"
mode: "0644"
when:
- item.value.enabled | bool
- inventory_hostname in groups[item.value.group]
- kolla_copy_ca_into_containers | bool
with_dict: "{{ solum_services }}"
- name: Copying over config.json files for services - name: Copying over config.json files for services
template: template:
src: "{{ item.key }}.json.j2" src: "{{ item.key }}.json.j2"

View File

@ -28,6 +28,18 @@
- "swift-proxy-server" - "swift-proxy-server"
- "swift-rsyncd" - "swift-rsyncd"
- name: Copying over extra CA certificates
become: true
copy:
src: "{{ node_config }}/certificates/ca/"
dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates"
mode: "0644"
when:
- item.value.enabled | bool
- inventory_hostname in groups[item.value.group]
- kolla_copy_ca_into_containers | bool
with_dict: "{{ swift_services }}"
- name: Copying over config.json files for services - name: Copying over config.json files for services
template: template:
src: "{{ item }}.json.j2" src: "{{ item }}.json.j2"

View File

@ -31,6 +31,18 @@
when: when:
- tacker_policy.results - tacker_policy.results
- name: Copying over extra CA certificates
become: true
copy:
src: "{{ node_config }}/certificates/ca/"
dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates"
mode: "0644"
when:
- item.value.enabled | bool
- inventory_hostname in groups[item.value.group]
- kolla_copy_ca_into_containers | bool
with_dict: "{{ tacker_services }}"
- name: Copying over config.json files for services - name: Copying over config.json files for services
template: template:
src: "{{ item.key }}.json.j2" src: "{{ item.key }}.json.j2"

View File

@ -12,6 +12,18 @@
- item.value.enabled | bool - item.value.enabled | bool
with_dict: "{{ telegraf_services }}" with_dict: "{{ telegraf_services }}"
- name: Copying over extra CA certificates
become: true
copy:
src: "{{ node_config }}/certificates/ca/"
dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates"
mode: "0644"
when:
- item.value.enabled | bool
- inventory_hostname in groups[item.value.group]
- kolla_copy_ca_into_containers | bool
with_dict: "{{ telegraf_services }}"
- name: Copying over default config.json files - name: Copying over default config.json files
template: template:
src: "telegraf.json.j2" src: "telegraf.json.j2"

View File

@ -12,6 +12,18 @@
- item.value.enabled | bool - item.value.enabled | bool
with_dict: "{{ tempest_services }}" with_dict: "{{ tempest_services }}"
- name: Copying over extra CA certificates
become: true
copy:
src: "{{ node_config }}/certificates/ca/"
dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates"
mode: "0644"
when:
- item.value.enabled | bool
- inventory_hostname in groups[item.value.group]
- kolla_copy_ca_into_containers | bool
with_dict: "{{ tempest_services }}"
- name: Copying over config.json files for services - name: Copying over config.json files for services
template: template:
src: "{{ item.key }}.json.j2" src: "{{ item.key }}.json.j2"

View File

@ -31,6 +31,18 @@
when: when:
- trove_policy.results - trove_policy.results
- name: Copying over extra CA certificates
become: true
copy:
src: "{{ node_config }}/certificates/ca/"
dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates"
mode: "0644"
when:
- item.value.enabled | bool
- inventory_hostname in groups[item.value.group]
- kolla_copy_ca_into_containers | bool
with_dict: "{{ trove_services }}"
- name: Copying over config.json files for services - name: Copying over config.json files for services
template: template:
src: "{{ item.key }}.json.j2" src: "{{ item.key }}.json.j2"

View File

@ -31,6 +31,18 @@
when: when:
- vitrage_policy.results - vitrage_policy.results
- name: Copying over extra CA certificates
become: true
copy:
src: "{{ node_config }}/certificates/ca/"
dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates"
mode: "0644"
when:
- item.value.enabled | bool
- inventory_hostname in groups[item.value.group]
- kolla_copy_ca_into_containers | bool
with_dict: "{{ vitrage_services }}"
- name: Copying over config.json files for services - name: Copying over config.json files for services
template: template:
src: "{{ item.key }}.json.j2" src: "{{ item.key }}.json.j2"

View File

@ -31,6 +31,18 @@
when: when:
- watcher_policy.results - watcher_policy.results
- name: Copying over extra CA certificates
become: true
copy:
src: "{{ node_config }}/certificates/ca/"
dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates"
mode: "0644"
when:
- item.value.enabled | bool
- inventory_hostname in groups[item.value.group]
- kolla_copy_ca_into_containers | bool
with_dict: "{{ watcher_services }}"
- name: Copying over config.json files for services - name: Copying over config.json files for services
template: template:
src: "{{ item.key }}.json.j2" src: "{{ item.key }}.json.j2"

View File

@ -31,6 +31,18 @@
when: when:
- zun_policy.results - zun_policy.results
- name: Copying over extra CA certificates
become: true
copy:
src: "{{ node_config }}/certificates/ca/"
dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates"
mode: "0644"
when:
- item.value.enabled | bool
- inventory_hostname in groups[item.value.group]
- kolla_copy_ca_into_containers | bool
with_dict: "{{ zun_services }}"
- name: Copying over config.json files for services - name: Copying over config.json files for services
template: template:
src: "{{ item.key }}.json.j2" src: "{{ item.key }}.json.j2"

View File

@ -165,6 +165,32 @@ configuration file:
The files haproxy.pem and haproxy-ca.pem will be generated and stored The files haproxy.pem and haproxy-ca.pem will be generated and stored
in the ``/etc/kolla/certificates/`` directory. in the ``/etc/kolla/certificates/`` directory.
Adding CA Certificates to the Service Containers
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
To copy CA certificate files to the service containers
.. code-block:: yaml
kolla_copy_ca_into_containers: "yes"
When ``kolla_copy_ca_into_containers`` is configured to "yes", the
CA certificate files in /etc/kolla/certificates/ca will be copied into
service containers to enable trust for those CA certificates. This is required
for any certificates that are either self-signed or signed by a private CA,
and are not already present in the service image trust store.
All certificate file names will have the "kolla-customca-" prefix appended to
it when it is copied into the containers. For example, if a certificate file is
named "internal.crt", it will be named "kolla-customca-internal.crt" in the
containers.
For Debian and Ubuntu containers, the certificate files will be copied to
the ``/usr/local/share/ca-certificates/`` directory.
For Centos and Red Hat Linux containers, the certificate files will be copied
to the ``/etc/pki/ca-trust/source/anchors/`` directory.
.. _service-config: .. _service-config:
OpenStack Service Configuration in Kolla OpenStack Service Configuration in Kolla

View File

@ -186,6 +186,7 @@
#kolla_internal_fqdn_cert: "{{ node_config }}/certificates/haproxy-internal.pem" #kolla_internal_fqdn_cert: "{{ node_config }}/certificates/haproxy-internal.pem"
#kolla_external_fqdn_cacert: "{{ node_config }}/certificates/haproxy-ca.crt" #kolla_external_fqdn_cacert: "{{ node_config }}/certificates/haproxy-ca.crt"
#kolla_internal_fqdn_cacert: "{{ node_config }}/certificates/haproxy-ca-internal.crt" #kolla_internal_fqdn_cacert: "{{ node_config }}/certificates/haproxy-ca-internal.crt"
#kolla_copy_ca_into_containers: "no"
################ ################
# Region options # Region options

View File

@ -0,0 +1,21 @@
---
features:
- |
When 'kolla_copy_ca_into_containers' is configured to 'yes', the
certificate authority files in /etc/kolla/certificates/ca will be copied
into service containers to enable trust for those CA certificates. This
is required for any certificates that are either self-signed or signed by
a private CA, and are not already present in the service image trust store.
Otherwise, either CA validation will need to be explicitly disabled or the
path to the CA certificate must be configured in the service using
the ``openstack_cacert`` parameter.
issues:
- |
Python <= 2.7.9 will not trust self-signed or privately signed CAs even
if they are added into the OS trusted CA folder and update-ca-trust is
executed. This is also true for the Python Requests library, regardless of
Python version. For services that run Python <= 2.7.9 or rely on the
Python Requests library, either CA verification must be explicitly disabled
in the service or the path to the CA certificate must be configured using
the ``openstack_cacert`` parameter.