From 0b4c8a3c3d73f5eade2b61730e74e672573ee13b Mon Sep 17 00:00:00 2001
From: Mark Goddard <mark@stackhpc.com>
Date: Fri, 17 Jul 2020 14:20:22 +0000
Subject: [PATCH] Masakari: copy TLS certificates into containers

From Ussuri, if CA certificates are copied into
/etc/kolla/certificates/ca/, these should be copied into all containers.
This is not being done for masakari currently.

Additionally, we are not setting the [DEFAULT] nova_ca_certificates_file
option in masakari.conf, so the privileged nova client has no CA file to
verify the nova endpoint against. Setting the option only takes effect once
masakari bug 1873736 is fixed.

This change fixes these issues.

Change-Id: I9a3633f58e5eb734fa32edc03a3022a500761bbb
Closes-Bug: #1888655
---
 ansible/roles/masakari/tasks/config.yml                   | 4 ++++
 ansible/roles/masakari/tasks/copy-certs.yml               | 6 ++++++
 ansible/roles/masakari/templates/masakari.conf.j2         | 1 +
 releasenotes/notes/fix-masakari-tls-64f010c037e95bea.yaml | 8 ++++++++
 4 files changed, 19 insertions(+)
 create mode 100644 ansible/roles/masakari/tasks/copy-certs.yml
 create mode 100644 releasenotes/notes/fix-masakari-tls-64f010c037e95bea.yaml

diff --git a/ansible/roles/masakari/tasks/config.yml b/ansible/roles/masakari/tasks/config.yml
index f81109d346..047814dcb1 100644
--- a/ansible/roles/masakari/tasks/config.yml
+++ b/ansible/roles/masakari/tasks/config.yml
@@ -58,6 +58,10 @@
   notify:
     - Restart {{ item.key }} container
 
+- include_tasks: copy-certs.yml
+  when:
+    - kolla_copy_ca_into_containers | bool
+
 - name: Copying over masakari.conf
   vars:
     service: "{{ item.key }}"
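Review bot: The new `include_tasks: copy-certs.yml` task has no `name`, so the play output gives no indication that CA material is being copied into the masakari containers, unlike the surrounding named tasks; add `- name: Copying CA certificates into masakari containers` above the `include_tasks` line. Placing the include before the masakari.conf rendering looks right, since the rendered config (later in this patch) references the CA path that this step puts in place. Whether the imported service-cert-copy role notifies a container restart on its own is not visible here and is worth confirming, otherwise a rotated CA would not be picked up until the next restart. The "Copying over masakari.conf" task that follows continues outside the hunk.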
diff --git a/ansible/roles/masakari/tasks/copy-certs.yml b/ansible/roles/masakari/tasks/copy-certs.yml
new file mode 100644
index 0000000000..84e7656a56
--- /dev/null
+++ b/ansible/roles/masakari/tasks/copy-certs.yml
@@ -0,0 +1,6 @@
+---
+- name: "Copy certificates and keys for {{ project_name }}"
+  import_role:
+    role: service-cert-copy
+  vars:
+    project_services: "{{ masakari_services }}"
diff --git a/ansible/roles/masakari/templates/masakari.conf.j2 b/ansible/roles/masakari/templates/masakari.conf.j2
index bba3704b3a..92dc06b1ed 100644
--- a/ansible/roles/masakari/templates/masakari.conf.j2
+++ b/ansible/roles/masakari/templates/masakari.conf.j2
@@ -12,6 +12,7 @@ os_privileged_user_tenant = service
 os_privileged_user_auth_url = {{ keystone_internal_url }}/v3
 os_privileged_user_name = {{ nova_keystone_user }}
 os_privileged_user_password = {{ nova_keystone_password }}
+nova_ca_certificates_file = {{ openstack_cacert }}
 
 [database]
 connection = mysql+pymysql://{{ masakari_database_user }}:{{ masakari_database_password }}@{{ masakari_database_address }}/{{ masakari_database_name }}
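Review bot: `nova_ca_certificates_file = {{ openstack_cacert }}` is rendered unconditionally, so in a deployment where `openstack_cacert` is empty or unset the key is written with an empty value; whether masakari treats `''` as "no CA file" or hands it to the nova client as a literal verify path is not visible here, and a wrong guess either breaks the privileged-user client configured in the lines above or changes how its TLS verification behaves. Unless the project convention is to always render `{{ openstack_cacert }}` and an empty value is known to be accepted, guard it: `{% if openstack_cacert %}` / `nova_ca_certificates_file = {{ openstack_cacert }}` / `{% endif %}`. The commit message says the option is only honoured once masakari bug 1873736 is fixed; a Jinja comment above the line such as `{# Requires the masakari fix for LP#1873736; older releases ignore this option. #}` would save the next maintainer from debugging a silently ignored setting.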
diff --git a/releasenotes/notes/fix-masakari-tls-64f010c037e95bea.yaml b/releasenotes/notes/fix-masakari-tls-64f010c037e95bea.yaml
new file mode 100644
index 0000000000..9a82cb4fac
--- /dev/null
+++ b/releasenotes/notes/fix-masakari-tls-64f010c037e95bea.yaml
@@ -0,0 +1,8 @@
+---
+fixes:
+  - |
+    Fixes an issue with Masakari and internal TLS where CA certificates were
+    not copied into containers, and the path to the CA file was not configured.
+    Depends on `masakari bug 1873736
+    <https://bugs.launchpad.net/masakari/+bug/1873736>`__ being fixed.
+    `LP#1888655 <https://bugs.launchpad.net/kolla-ansible/+bug/1888655>`__
-- 
GitLab