Set REQUESTS_CA_BUNDLE env var
In order to force the requests module inside venvs to trust system-trusted certificate authorities, we need to define an environment variable that provides the full path to the CA file. Otherwise the certifi-provided file will be used, which can't be updated with new CAs once they're added to the system trust store. Change-Id: I79446813602ae094bb788d3c29654fb814ec19a8
This commit is contained in:
parent
77ff7c7f26
commit
92b1d408b8
@ -88,6 +88,10 @@ openstack_host_environment_path:
|
||||
- /usr/games
|
||||
- /usr/local/games
|
||||
|
||||
# Allows the ability to override or add extra parameters to the systemd global config
|
||||
# that will be applied by default to all units
|
||||
openstack_systemd_global_overrides: {}
|
||||
|
||||
# Set the level of reverse path filtering to use
|
||||
openstack_host_rp_filter_all: 0
|
||||
openstack_host_rp_filter_default: 0
|
||||
@ -170,8 +174,8 @@ openstack_hosts_enable_yum_fastestmirror: yes
|
||||
# src: /etc/ssl/certs/snake-oil-cert-latest.pem #the source file on the deploy host
|
||||
openstack_host_ca_certificates: []
|
||||
|
||||
# target directory for user supplied CA certificates
|
||||
openstack_host_ca_location: "{{ _openstack_host_ca_location }}"
|
||||
# Path to the file with trusted CA that will be used by python requests module
|
||||
openstack_ca_bundle_path: "{{ _openstack_ca_bundle_path }}"
|
||||
|
||||
# extra configuration for OS package manager
|
||||
openstack_hosts_package_manager_extra_conf: ''
|
||||
|
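Review bot: The comment on `openstack_ca_bundle_path` understates its blast radius: the value is exported as REQUESTS_CA_BUNDLE through the systemd DefaultEnvironment drop-in and the environment template added in this commit, so it reaches every process on the host, not only the requests module inside venvs, and requests raises an error rather than falling back to certifi when the file is missing. Suggest `# System CA bundle exported as REQUESTS_CA_BUNDLE to all systemd units and login sessions; must exist on the host and be maintained by the distro's update-ca-* tooling`. The name also drops the `openstack_host_` prefix the surrounding variables use; `openstack_host_ca_bundle_path` would be consistent with `openstack_host_ca_location` and `openstack_host_ca_certificates`. Presumably `openstack_host_ca_location` on the preceding lines is the removed side per the release note; if so, `openstack_host_ca_certificates` and its "source file on the deploy host" comment appear to be left without a target directory and are worth re-checking.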
@ -28,3 +28,7 @@
|
||||
until: _restart is success
|
||||
retries: 5
|
||||
delay: 2
|
||||
|
||||
- name: Systemd daemon reload
|
||||
systemd:
|
||||
daemon_reload: yes
|
||||
|
15
releasenotes/notes/requests_ca_bundle-1a678a22b3375976.yaml
Normal file
15
releasenotes/notes/requests_ca_bundle-1a678a22b3375976.yaml
Normal file
@ -0,0 +1,15 @@
|
||||
---
|
||||
features:
|
||||
- |
|
||||
New variable ``openstack_ca_bundle_path`` has been added which defines
|
||||
the path to the ca-bundle certificate which contains all system-trusted CA
|
||||
and will be used by the Python Requests module.
|
||||
- |
|
||||
Added variable ``openstack_systemd_global_overrides`` that defines
|
||||
some defaults for all systemd services. It will be deployed to all hosts
|
||||
and containers, but can be controlled with group_vars or host_vars as well
|
||||
if needed.
|
||||
deprecations:
|
||||
- |
|
||||
Since certificates and CA distribution are now handled with PKI role,
|
||||
variable ``openstack_host_ca_location`` has been deprecated and removed.
|
@ -47,6 +47,33 @@
|
||||
tags:
|
||||
- openstack_hosts-config
|
||||
|
||||
- name: Ensure environement is applied during sudo
|
||||
lineinfile:
|
||||
path: /etc/pam.d/sudo
|
||||
line: "session required pam_env.so readenv=1 user_readenv=0"
|
||||
regexp: 'session\s+required\s+pam_env\.so'
|
||||
insertbefore: '^@include'
|
||||
when: ansible_facts['distribution'] | lower == 'debian'
|
||||
|
||||
- name: Create systemd global directory
|
||||
file:
|
||||
path: /etc/systemd/system.conf.d/
|
||||
state: directory
|
||||
owner: "root"
|
||||
group: "root"
|
||||
mode: "0644"
|
||||
|
||||
- name: Add DefaultEnvironment to systemd
|
||||
config_template:
|
||||
src: systemd-environment.j2
|
||||
dest: /etc/systemd/system.conf.d/osa-default-environment.conf
|
||||
owner: "root"
|
||||
group: "root"
|
||||
mode: "0644"
|
||||
config_overrides: "{{ openstack_systemd_global_overrides }}"
|
||||
config_type: ini
|
||||
notify: Systemd daemon reload
|
||||
|
||||
# Configure host files should apply to all nodes
|
||||
- name: Configure etc hosts files
|
||||
include_tasks: openstack_update_hosts_file.yml
|
||||
|
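Review bot: `mode: "0644"` on the `Create systemd global directory` task is a file mode applied to a directory; without the execute bit the directory is not traversable by non-root users, and the conventional value for `/etc/systemd/system.conf.d/` is `mode: "0755"`. Nothing checks that `openstack_ca_bundle_path` exists before `Add DefaultEnvironment to systemd` pushes it into every unit's environment, and requests fails with "Could not find a suitable TLS CA certificate bundle" instead of falling back to certifi when the path is wrong, so a `stat` plus `assert` in front of that task would turn a silent host-wide breakage into a clear playbook failure (sketch below). The task name `Ensure environement is applied during sudo` has a typo (`environment`). A daemon reload does not change the environment of already-running services; they only see REQUESTS_CA_BUNDLE after a restart, which is worth stating in a comment on the `notify` line.
```yaml
- name: Check that the CA bundle exists before exporting it
  stat:
    path: "{{ openstack_ca_bundle_path }}"
  register: _ca_bundle_stat

- name: Fail when REQUESTS_CA_BUNDLE would point at a missing file
  assert:
    that:
      - _ca_bundle_stat.stat.exists
    fail_msg: "{{ openstack_ca_bundle_path }} does not exist; install ca-certificates or override openstack_ca_bundle_path"

- name: Create systemd global directory
  file:
    path: /etc/systemd/system.conf.d/
    state: directory
    owner: "root"
    group: "root"
    mode: "0755"

# … unchanged: Add DefaultEnvironment to systemd …
```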
@ -1,8 +1,7 @@
|
||||
PATH="{{ openstack_host_environment_path | join(':') }}"
|
||||
{% if global_environment_variables is defined %}
|
||||
REQUESTS_CA_BUNDLE="{{ openstack_ca_bundle_path }}"
|
||||
{% for key, value in global_environment_variables.items() %}
|
||||
{% if value %}
|
||||
{{ key }}={{ value }}
|
||||
{% endif %}
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
|
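Review bot: `REQUESTS_CA_BUNDLE="{{ openstack_ca_bundle_path }}"` is printed after the `{% if global_environment_variables is defined %}` line; if that is its position on the new side (the rendered diff has lost the +/- markers), the variable is only written when `global_environment_variables` is defined, which is not what the commit message intends. Moving the line up to sit directly after the `PATH=...` line, outside the guard, makes the export unconditional. If a deployer also sets REQUESTS_CA_BUNDLE through `global_environment_variables`, the loop emits the key a second time, so a comment above the export, `{# REQUESTS_CA_BUNDLE is always exported; do not repeat it in global_environment_variables #}`, would document the intended precedence.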
4
templates/systemd-environment.j2
Normal file
4
templates/systemd-environment.j2
Normal file
@ -0,0 +1,4 @@
|
||||
# {{ ansible_managed }}
|
||||
|
||||
[Manager]
|
||||
DefaultEnvironment=REQUESTS_CA_BUNDLE={{ openstack_ca_bundle_path }}
|
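Review bot: `DefaultEnvironment=REQUESTS_CA_BUNDLE={{ openstack_ca_bundle_path }}` takes a space-separated list of assignments, so a path containing a space would be split into two entries; quoting the assignment, `DefaultEnvironment="REQUESTS_CA_BUNDLE={{ openstack_ca_bundle_path }}"`, is the form systemd-system.conf(5) documents for values with spaces. A drop-in in `system.conf.d` applies to every unit on the host, including services unrelated to OpenStack, and since `config_overrides` can inject further `[Manager]` settings, a header comment naming the scope would help: `# Manager-wide defaults: REQUESTS_CA_BUNDLE is inherited by every systemd unit on this host; already-running processes keep their old environment until restarted`.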
@ -94,4 +94,4 @@ _package_repos:
|
||||
state: present
|
||||
filename: "osbpo"
|
||||
|
||||
_openstack_host_ca_location: /usr/local/share/ca-certificates/
|
||||
_openstack_ca_bundle_path: /etc/ssl/certs/ca-certificates.crt
|
||||
|
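Review bot: `_openstack_ca_bundle_path: /etc/ssl/certs/ca-certificates.crt` carries no comment on which tool owns the file, which is the premise of the change: that bundle is regenerated by `update-ca-certificates` from `/usr/local/share/ca-certificates/` (the directory the presumably removed `_openstack_host_ca_location` pointed at), and `/etc/pki/tls/certs/ca-bundle.crt` in the RedHat hunk is regenerated by `update-ca-trust` from the anchors directory. Suggest `# Distro-maintained bundle; add CAs via update-ca-certificates, never by editing this file` here and the `update-ca-trust` equivalent in the `@ -104,4 +104,4` hunk. Both files exist only when the `ca-certificates` package is installed, which nothing in this change asserts. The same applies to the remaining vars hunks (`@ -96,4 +96,4` and `@ -97,4 +97,4`).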
@ -104,4 +104,4 @@ _package_repos:
|
||||
gpgcheck: no
|
||||
module_hotfixes: yes
|
||||
|
||||
_openstack_host_ca_location: /etc/pki/ca-trust/source/anchors/
|
||||
_openstack_ca_bundle_path: /etc/pki/tls/certs/ca-bundle.crt
|
||||
|
@ -96,4 +96,4 @@ _package_repos:
|
||||
state: present
|
||||
filename: "uca"
|
||||
|
||||
_openstack_host_ca_location: /usr/local/share/ca-certificates/
|
||||
_openstack_ca_bundle_path: /etc/ssl/certs/ca-certificates.crt
|
||||
|
@ -97,4 +97,4 @@ _package_repos: []
|
||||
|
||||
_uca_repo: "deb {{ apt_repo_url | default('http://ubuntu-cloud.archive.canonical.com/ubuntu') }} {{ ansible_facts['lsb']['codename'] }}-updates/{{ openstack_distrib_code_name | lower }} main"
|
||||
|
||||
_openstack_host_ca_location: /usr/local/share/ca-certificates/
|
||||
_openstack_ca_bundle_path: /etc/ssl/certs/ca-certificates.crt
|
||||
|