From 95729405a38e6292a828c26347406e70132136b2 Mon Sep 17 00:00:00 2001
From: Mark Goddard <mark@stackhpc.com>
Date: Tue, 20 Dec 2022 10:54:49 +0000
Subject: [PATCH] Fix setting kolla_admin_openrc_cacert

Kolla Ansible renamed kolla_internal_fqdn_cacert to
kolla_admin_openrc_cacert in Victoria, after which we no longer set the
variable correctly in globals.yml. This would lead to a missing
OS_CACERT in admin-openrc.sh and public-openrc.sh.

This change fixes the issue by renaming the relevant Kayobe variables to
match and passing through the correct variable. Backwards compatibility
is provided until the end of the deprecation period.

kolla_public_openrc_cacert -> kolla_external_fqdn_cacert
kolla_admin_openrc_cacert -> kolla_internal_fqdn_cacert

Story: 2010486
Task: 47054

Change-Id: I9e1cc20579cf80525d6ef732a1aac99a65bc171b
Co-Authored-By: Maksim Malchuk <maksim.malchuk@gmail.com>
---
 ansible/inventory/group_vars/all/kolla        |  4 ++--
 ansible/roles/kolla-ansible/defaults/main.yml |  4 ++--
 .../kolla-ansible/templates/kolla/globals.yml |  3 +--
 .../roles/kolla-ansible/tests/test-extras.yml |  2 ++
 .../templates/public-openrc.sh.j2             |  4 ++--
 .../configuration/reference/kolla-ansible.rst | 22 +++++++++++--------
 etc/kayobe/kolla.yml                          |  4 ++--
 ...eprecate-fqdn-cacert-301d5a26ed7107ab.yaml | 13 +++++++++++
 8 files changed, 37 insertions(+), 19 deletions(-)
 create mode 100644 releasenotes/notes/deprecate-fqdn-cacert-301d5a26ed7107ab.yaml

diff --git a/ansible/inventory/group_vars/all/kolla b/ansible/inventory/group_vars/all/kolla
index daf4fa79..c13afeb9 100644
--- a/ansible/inventory/group_vars/all/kolla
+++ b/ansible/inventory/group_vars/all/kolla
@@ -628,7 +628,7 @@ kolla_external_tls_cert:
 # Path to a CA certificate file to use for the OS_CACERT environment variable
 # in public-openrc.sh file when TLS is enabled, instead of Kolla-Ansible's
 # default.
-kolla_external_fqdn_cacert:
+kolla_public_openrc_cacert: "{{ kolla_external_fqdn_cacert | default }}"
 
 # Internal API certificate bundle.
 #
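Review bot: The bare `| default` on the new `kolla_public_openrc_cacert` line falls back to an empty string rather than to null, so when neither the old nor the new variable is set the value becomes `""` instead of the `None` that the previous bare `kolla_external_fqdn_cacert:` produced; the same applies to `kolla_admin_openrc_cacert` in the next hunk. As a result the `is not none` test added in the public-openrc.sh.j2 hunk passes in the default configuration and the template emits `export OS_CACERT=` with an empty value in place of the line Kolla Ansible generated, while the globals.yml hunk now passes `kolla_admin_openrc_cacert: ""` through unconditionally, with an effect that depends on how Kolla Ansible tests that variable. `default(none)` might restore the old semantics but relies on how Ansible renders a template that resolves to None, so the more robust fix is to make both consumers tolerate the empty string the way globals.yml already does for `kolla_internal_tls_cert`: `{% elif "export OS_CACERT" in line and kolla_public_openrc_cacert is not none and kolla_public_openrc_cacert | length > 0 %}` in public-openrc.sh.j2, and wrapping the `kolla_admin_openrc_cacert` line in globals.yml in a matching `{% if kolla_admin_openrc_cacert is not none and kolla_admin_openrc_cacert | length > 0 %}` block. The test-extras.yml hunk only covers the case where the variable is set, so the unset path would also deserve a case.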
@@ -641,7 +641,7 @@ kolla_internal_tls_cert:
 # Path to a CA certificate file to use for the OS_CACERT environment variable
 # in admin-openrc.sh file when TLS is enabled, instead of Kolla-Ansible's
 # default.
-kolla_internal_fqdn_cacert:
+kolla_admin_openrc_cacert: "{{ kolla_internal_fqdn_cacert | default }}"
 
 ###############################################################################
 # Proxy configuration
diff --git a/ansible/roles/kolla-ansible/defaults/main.yml b/ansible/roles/kolla-ansible/defaults/main.yml
index 3cee9c96..9fa81e45 100644
--- a/ansible/roles/kolla-ansible/defaults/main.yml
+++ b/ansible/roles/kolla-ansible/defaults/main.yml
@@ -165,8 +165,8 @@ kolla_enable_tls_external:
 kolla_enable_tls_internal:
 kolla_external_fqdn_cert:
 kolla_internal_fqdn_cert:
-kolla_external_fqdn_cacert:
-kolla_internal_fqdn_cacert:
+kolla_public_openrc_cacert:
+kolla_admin_openrc_cacert:
 
 #############################
 # Ironic options
diff --git a/ansible/roles/kolla-ansible/templates/kolla/globals.yml b/ansible/roles/kolla-ansible/templates/kolla/globals.yml
index f7c37023..8b0a704d 100644
--- a/ansible/roles/kolla-ansible/templates/kolla/globals.yml
+++ b/ansible/roles/kolla-ansible/templates/kolla/globals.yml
@@ -206,8 +206,7 @@ kolla_external_fqdn_cert: "{{ kolla_external_fqdn_cert }}"
 {% if kolla_internal_tls_cert is not none and kolla_internal_tls_cert | length > 0 %}
 kolla_internal_fqdn_cert: "{{ kolla_internal_fqdn_cert }}"
 {% endif %}
-kolla_external_fqdn_cacert: "{{ kolla_external_fqdn_cacert }}"
-kolla_internal_fqdn_cacert: "{{ kolla_internal_fqdn_cacert }}"
+kolla_admin_openrc_cacert: "{{ kolla_admin_openrc_cacert }}"
 
 ################
 # Region options
diff --git a/ansible/roles/kolla-ansible/tests/test-extras.yml b/ansible/roles/kolla-ansible/tests/test-extras.yml
index e3d1d6a9..44502c8a 100644
--- a/ansible/roles/kolla-ansible/tests/test-extras.yml
+++ b/ansible/roles/kolla-ansible/tests/test-extras.yml
@@ -121,6 +121,7 @@
             kolla_internal_fqdn_cert: "{{ temp_path }}/etc/kolla/certificates/internal.pem"
             kolla_internal_tls_cert: |
               bogus internal certificate
+            kolla_admin_openrc_cacert: "{{ temp_path }}/etc/kolla/certificates/ca/foo.crt"
             kolla_openstack_logging_debug: True
             grafana_local_admin_user_name: "grafana-admin"
             kolla_inspector_dhcp_pool_start: "1.2.3.4"
@@ -240,6 +241,7 @@
               kolla_external_fqdn_cert: "{{ temp_path }}/etc/kolla/certificates/external.pem"
               kolla_enable_tls_internal: True
               kolla_internal_fqdn_cert: "{{ temp_path }}/etc/kolla/certificates/internal.pem"
+              kolla_admin_openrc_cacert: "{{ temp_path }}/etc/kolla/certificates/ca/foo.crt"
               openstack_logging_debug: True
               grafana_admin_username: "grafana-admin"
               ironic_dnsmasq_dhcp_ranges:
diff --git a/ansible/roles/public-openrc/templates/public-openrc.sh.j2 b/ansible/roles/public-openrc/templates/public-openrc.sh.j2
index d0356e80..1c2dd179 100644
--- a/ansible/roles/public-openrc/templates/public-openrc.sh.j2
+++ b/ansible/roles/public-openrc/templates/public-openrc.sh.j2
@@ -11,8 +11,8 @@ export OS_ENDPOINT_TYPE=publicURL
 export OS_MANILA_ENDPOINT_TYPE=publicURL
 {% elif "export OS_MISTRAL_ENDPOINT_TYPE" in line %}
 export OS_MISTRAL_ENDPOINT_TYPE=publicURL
-{% elif "export OS_CACERT" in line and kolla_external_fqdn_cacert is not none %}
-export OS_CACERT={{ kolla_external_fqdn_cacert }}
+{% elif "export OS_CACERT" in line and kolla_public_openrc_cacert is not none %}
+export OS_CACERT={{ kolla_public_openrc_cacert }}
 {% else %}
 {{ line }}
 {% endif %}
diff --git a/doc/source/configuration/reference/kolla-ansible.rst b/doc/source/configuration/reference/kolla-ansible.rst
index 07866001..458f8afb 100644
--- a/doc/source/configuration/reference/kolla-ansible.rst
+++ b/doc/source/configuration/reference/kolla-ansible.rst
@@ -268,10 +268,6 @@ The following variables affect TLS encryption of the public API.
     A TLS certificate bundle to use for the public API endpoints, if
     ``kolla_enable_tls_external`` is ``true``.  Note that this should be
     formatted as a literal style block scalar.
-``kolla_external_fqdn_cacert``
-    Path to a CA certificate file to use for the ``OS_CACERT`` environment
-    variable in openrc files when TLS is enabled, instead of Kolla Ansible's
-    default.
 
 The following variables affect TLS encryption of the internal API. Currently
 this requires all Kolla images to be built with the API's root CA trusted.
@@ -282,10 +278,18 @@ this requires all Kolla images to be built with the API's root CA trusted.
     A TLS certificate bundle to use for the internal API endpoints, if
     ``kolla_enable_tls_internal`` is ``true``.  Note that this should be
     formatted as a literal style block scalar.
-``kolla_internal_fqdn_cacert``
+
+The following variables affect the generated ``admin-openrc.sh`` and
+``public-openrc.sh`` environment files.
+
+``kolla_public_openrc_cacert``
+    Path to a CA certificate file to use for the ``OS_CACERT`` environment
+    variable in the ``public-openrc.sh`` file when TLS is enabled, instead of
+    ``kolla_admin_openrc_cacert``.
+``kolla_admin_openrc_cacert``
     Path to a CA certificate file to use for the ``OS_CACERT`` environment
-    variable in openrc files when TLS is enabled, instead of Kolla Ansible's
-    default.
+    variable in the ``admin-openrc.sh`` and ``public-openrc.sh`` files when TLS
+    is enabled, instead of Kolla Ansible's default.
 
 Example: enabling TLS for the public API
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
@@ -302,7 +306,7 @@ Here is an example:
      -----BEGIN CERTIFICATE-----
      ...
      -----END CERTIFICATE-----
-   kolla_external_fqdn_cacert: /path/to/ca/certificate/bundle
+   kolla_admin_openrc_cacert: /path/to/ca/certificate/bundle
 
 Example: enabling TLS for the internal API
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
@@ -319,7 +323,7 @@ Here is an example:
      -----BEGIN CERTIFICATE-----
      ...
      -----END CERTIFICATE-----
-   kolla_internal_fqdn_cacert: /path/to/ca/certificate/bundle
+   kolla_admin_openrc_cacert: /path/to/ca/certificate/bundle
 
 Other certificates
 ------------------
diff --git a/etc/kayobe/kolla.yml b/etc/kayobe/kolla.yml
index 2d975b26..d5acd863 100644
--- a/etc/kayobe/kolla.yml
+++ b/etc/kayobe/kolla.yml
@@ -479,7 +479,7 @@
 # Path to a CA certificate file to use for the OS_CACERT environment variable
 # in public-openrc.sh file when TLS is enabled, instead of Kolla-Ansible's
 # default.
-#kolla_external_fqdn_cacert:
+#kolla_public_openrc_cacert:
 
 # Internal API certificate bundle.
 #
@@ -492,7 +492,7 @@
 # Path to a CA certificate file to use for the OS_CACERT environment variable
 # in admin-openrc.sh file when TLS is enabled, instead of Kolla-Ansible's
 # default.
-#kolla_internal_fqdn_cacert:
+#kolla_admin_openrc_cacert:
 
 ###############################################################################
 # Proxy configuration
diff --git a/releasenotes/notes/deprecate-fqdn-cacert-301d5a26ed7107ab.yaml b/releasenotes/notes/deprecate-fqdn-cacert-301d5a26ed7107ab.yaml
new file mode 100644
index 00000000..d892cac4
--- /dev/null
+++ b/releasenotes/notes/deprecate-fqdn-cacert-301d5a26ed7107ab.yaml
@@ -0,0 +1,13 @@
+---
+deprecates:
+  - |
+    Renames ``kolla_external_fqdn_cacert`` to ``kolla_public_openrc_cacert``
+    and ``kolla_internal_fqdn_cacert`` to ``kolla_admin_openrc_cacert``. This
+    matches the Kolla Ansible variable name and better reflects their purpose.
+    The old variable names are still supported until the end of the deprecation
+    period (2024.2 "D" series release or later).
+fixes:
+  - |
+    Fixes an issue where the Kolla Ansible variable
+    ``kolla_admin_openrc_cacert`` was not set to the value of
+    ``kolla_internal_fqdn_cacert``.
-- 
GitLab