Manage CA certificates using ansible

This change introduces a new implementation to manage CA certificate files by ansible, which replaces the existing one by puppet. Depends-on: https://review.opendev.org/743620 Change-Id: I241f3d635e36a1497a1146fdd4c1db7dfde28dc8
2022-04-26 14:15:25 +09:00 · 2022-04-26 14:15:25 +09:00 · f3ac1f9762
commit f3ac1f9762
parent f4d1d830a7
4 changed files with 14 additions and 7 deletions
--- a/deployment/certs/ca-certs-baremetal-ansible.yaml
+++ b/deployment/certs/ca-certs-baremetal-ansible.yaml
@ -1,7 +1,7 @@
 heat_template_version: wallaby

 description: >
-  CA certs injection with Puppet
+  CA certs injection with Ansible

 parameters:
  ServiceData:
@ -38,7 +38,9 @@ outputs:
    description: Role data for injecting CA certificates.
    value:
      service_name: ca_certs
-      config_settings:
-        tripleo::trusted_cas::ca_map: {get_param: CAMap}
-      step_config: |
-        include tripleo::trusted_cas
+      config_settings: {}
+      ansible_group_vars:
+        tripleo_update_trusted_cas_ca_map: {get_param: CAMap}
+      host_prep_tasks:
+        - include_role:
+            name: tripleo_update_trusted_cas
--- a/overcloud-resource-registry-puppet.j2.yaml
+++ b/overcloud-resource-registry-puppet.j2.yaml
@ -94,7 +94,7 @@ resource_registry:
 {%- endfor %}
  OS::TripleO::Services::Aide: OS::Heat::None
  OS::TripleO::Services::Apache: deployment/apache/apache-baremetal-puppet.yaml
-  OS::TripleO::Services::CACerts: deployment/certs/ca-certs-baremetal-puppet.yaml
+  OS::TripleO::Services::CACerts: deployment/certs/ca-certs-baremetal-ansible.yaml
  OS::TripleO::Services::CephMds: OS::Heat::None
  OS::TripleO::Services::CephMgr: OS::Heat::None
  OS::TripleO::Services::CephMon: OS::Heat::None
--- a/releasenotes/notes/ca-certs-ansible-7a06114f0571d7f3.yaml
+++ b/releasenotes/notes/ca-certs-ansible-7a06114f0571d7f3.yaml
@ -0,0 +1,5 @@
+upgrade:
+  - |
+    Puppet implementation to manage CA certificates has been replaced by
+    Ansible implementation. Deployment templates should be updated to use
+    the new template file (-baremetal-ansible.yaml) during update.
--- a/sample-env-generator/ssl.yaml
+++ b/sample-env-generator/ssl.yaml
@ -91,7 +91,7 @@ environments:
    children:
      - name: ssl/inject-trust-anchor-hiera
        files:
-          deployment/certs/ca-certs-baremetal-puppet.yaml:
+          deployment/certs/ca-certs-baremetal-ansible.yaml:
            parameters:
              - CAMap
        # Need to clear this so we don't inherit the parent registry