From ce212cc23c19906571af25e54ae2379d08c0c72b Mon Sep 17 00:00:00 2001
From: Pierre Riteau <pierre@stackhpc.com>
Date: Fri, 3 Apr 2020 17:17:24 +0200
Subject: [PATCH] Prevent openrc files from using wrong OS_CACERT value

Kolla Ansible sets kolla_{external,internal}_fqdn_cacert variables with
default values compatible with the use of `kolla-ansible certificates`.

However, when these variables are left unset in Kayobe, which is
generally the case when using trusted certificates, we end up with
openrc files setting OS_CACERT to a file that does not exist:

    ${KOLLA_CONFIG_PATH}/certificates/haproxy-ca.crt

Instead we allow null cacert variables to be passed to kolla-ansible,
which results in openrc files without the bogus OS_CACERT entry.

Change-Id: Ifa615888b6d8d54c9e6314fd90f3fc4872fc6e5a
Story: 2007516
Task: 39299
---
 ansible/roles/kolla-ansible/templates/globals.yml.j2      | 4 ----
 .../prevent-wrong-oscacert-variable-9ede7f60c1562a77.yaml | 8 ++++++++
 2 files changed, 8 insertions(+), 4 deletions(-)
 create mode 100644 releasenotes/notes/prevent-wrong-oscacert-variable-9ede7f60c1562a77.yaml

diff --git a/ansible/roles/kolla-ansible/templates/globals.yml.j2 b/ansible/roles/kolla-ansible/templates/globals.yml.j2
index 6bc96d47..b7a90ec5 100644
--- a/ansible/roles/kolla-ansible/templates/globals.yml.j2
+++ b/ansible/roles/kolla-ansible/templates/globals.yml.j2
@@ -184,12 +184,8 @@ kolla_enable_tls_internal: {{ kolla_enable_tls_internal | bool }}
 kolla_enable_tls_external: {{ kolla_enable_tls_external | bool }}
 kolla_external_fqdn_cert: "{{ kolla_external_fqdn_cert }}"
 kolla_internal_fqdn_cert: "{{ kolla_internal_fqdn_cert }}"
-{% if kolla_external_fqdn_cacert %}
 kolla_external_fqdn_cacert: "{{ kolla_external_fqdn_cacert }}"
-{% endif %}
-{% if kolla_internal_fqdn_cacert %}
 kolla_internal_fqdn_cacert: "{{ kolla_internal_fqdn_cacert }}"
-{% endif %}
 
 ################
 # Region options
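Review bot: With the `{% if %}` guards removed, the two `*_fqdn_cacert` lines are always emitted, so the fix now depends on a null Kayobe value rendering as an empty string inside the quotes. That rendering is not visible in this hunk. If it ever came out as the literal text `None`, kolla-ansible would receive a non-empty path and `OS_CACERT` would again point at a missing file. Making the fallback explicit would remove the dependency, e.g. `kolla_external_fqdn_cacert: "{{ kolla_external_fqdn_cacert | default('', true) }}"`, and the same for the internal variable. A comment above the pair would also help: `# Empty is intentional: overrides the Kolla Ansible default CA path so openrc omits OS_CACERT.` It should add that deployments using a private CA must still set these variables, because without `OS_CACERT` clients presumably fall back to the system trust store.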
diff --git a/releasenotes/notes/prevent-wrong-oscacert-variable-9ede7f60c1562a77.yaml b/releasenotes/notes/prevent-wrong-oscacert-variable-9ede7f60c1562a77.yaml
new file mode 100644
index 00000000..436d950f
--- /dev/null
+++ b/releasenotes/notes/prevent-wrong-oscacert-variable-9ede7f60c1562a77.yaml
@@ -0,0 +1,8 @@
+---
+fixes:
+  - |
+     Fixes an issue where ``OS_CACERT`` variable in ``openrc`` files would be
+     set to the path of a non-existent file. New ``openrc`` files can be
+     generated with the ``kayobe control host bootstrap`` command. `See story
+     2007516 <https://storyboard.openstack.org/#!/story/2007516>`_ for more
+     details.
-- 
GitLab