Merge "Configure services to use Certificate Authority"

2c2eeb81 · Zuul · Gerrit Code Review · 76713849 · c15dc203 · 2c2eeb81
Commit 2c2eeb81 authored 5 years ago by Zuul Committed by Gerrit Code Review 5 years ago
--- a/ansible/roles/aodh/templates/aodh.conf.j2
+++ b/ansible/roles/aodh/templates/aodh.conf.j2
@@ -25,6 +25,7 @@ username = {{ aodh_keystone_user }}
 password = {{ aodh_keystone_password }}
 auth_url = {{ keystone_admin_url }}
 auth_type = password
+cafile = {{ openstack_cacert | default(omit) }}
 [oslo_middleware]
 enable_proxy_headers_parsing = True
@@ -44,6 +45,7 @@ project_domain_id = {{ default_project_domain_id }}
 user_domain_id = {{ default_user_domain_id }}
 auth_type = password
 interface = internal
+cafile = {{ openstack_cacert | default(omit) }}
 [oslo_messaging_notifications]
 transport_url = {{ notify_transport_url }}

--- a/ansible/roles/barbican/templates/barbican.conf.j2
+++ b/ansible/roles/barbican/templates/barbican.conf.j2
@@ -59,6 +59,7 @@ username = {{ barbican_keystone_user }}
 password = {{ barbican_keystone_password }}
 auth_url = {{ keystone_admin_url }}
 auth_type = password
+cafile = {{ openstack_cacert | default(omit) }}
 memcache_security_strategy = ENCRYPT
 memcache_secret_key = {{ memcache_secret_key }}

--- a/ansible/roles/blazar/templates/blazar.conf.j2
+++ b/ansible/roles/blazar/templates/blazar.conf.j2
@@ -32,6 +32,7 @@ project_name = service
 username = {{ blazar_keystone_user }}
 password = {{ blazar_keystone_password }}
 service_token_roles_required = True
+cafile = {{ openstack_cacert | default(omit) }}
 memcache_security_strategy = ENCRYPT
 memcache_secret_key = {{ memcache_secret_key }}

--- a/ansible/roles/ceilometer/templates/ceilometer.conf.j2
+++ b/ansible/roles/ceilometer/templates/ceilometer.conf.j2
@@ -21,6 +21,7 @@ project_domain_id = {{ default_project_domain_id }}
 user_domain_id = {{ default_user_domain_id }}
 auth_type = password
 interface = internal
+cafile = {{ openstack_cacert | default(omit) }}
 {% if nova_compute_virt_type == 'vmware' %}
 [vmware]

--- a/ansible/roles/cinder/templates/cinder.conf.j2
+++ b/ansible/roles/cinder/templates/cinder.conf.j2
@@ -86,6 +86,7 @@ region_name = {{ openstack_region_name }}
 project_name = service
 username = {{ nova_keystone_user }}
 password = {{ nova_keystone_password }}
+cafile = {{ openstack_cacert | default(omit) }}
 [database]
 connection = mysql+pymysql://{{ cinder_database_user }}:{{ cinder_database_password }}@{{ cinder_database_address }}/{{ cinder_database_name }}
@@ -100,6 +101,7 @@ user_domain_id = {{ default_user_domain_id }}
 project_name = service
 username = {{ cinder_keystone_user }}
 password = {{ cinder_keystone_password }}
+cafile = {{ openstack_cacert | default(omit) }}
 memcache_security_strategy = ENCRYPT
 memcache_secret_key = {{ memcache_secret_key }}

--- a/ansible/roles/cloudkitty/templates/cloudkitty.conf.j2
+++ b/ansible/roles/cloudkitty/templates/cloudkitty.conf.j2
@@ -24,6 +24,7 @@ project_name = service
 username = {{ cloudkitty_keystone_user }}
 password = {{ cloudkitty_keystone_password }}
 region_name = {{ openstack_region_name }}
+cafile = {{ openstack_cacert | default(omit) }}
 memcache_security_strategy = ENCRYPT
 memcache_secret_key = {{ memcache_secret_key }}

--- a/ansible/roles/congress/templates/congress.conf.j2
+++ b/ansible/roles/congress/templates/congress.conf.j2
@@ -37,6 +37,7 @@ user_domain_id = {{ default_user_domain_id }}
 project_name = service
 username = {{ congress_keystone_user }}
 password = {{ congress_keystone_password }}
+cafile = {{ openstack_cacert | default(omit) }}
 memcache_security_strategy = ENCRYPT
 memcache_secret_key = {{ memcache_secret_key }}

--- a/ansible/roles/cyborg/templates/cyborg.conf.j2
+++ b/ansible/roles/cyborg/templates/cyborg.conf.j2
@@ -25,6 +25,7 @@ username = {{ cyborg_keystone_user }}
 password = {{ cyborg_keystone_password }}
 auth_url = {{ admin_protocol }}://{{ kolla_internal_fqdn | put_address_in_context('url') }}:{{ keystone_admin_port }}
 auth_type = password
+cafile = {{ openstack_cacert | default(omit) }}
 {% if cyborg_policy_file is defined %}
 [oslo_policy]

--- a/ansible/roles/designate/templates/designate.conf.j2
+++ b/ansible/roles/designate/templates/designate.conf.j2
@@ -29,6 +29,7 @@ username = {{ designate_keystone_user }}
 password = {{ designate_keystone_password }}
 http_connect_timeout = 60
 service_token_roles_required = True
+cafile = {{ openstack_cacert | default(omit) }}
 memcache_security_strategy = ENCRYPT
 memcache_secret_key = {{ memcache_secret_key }}

--- a/ansible/roles/freezer/templates/freezer.conf.j2
+++ b/ansible/roles/freezer/templates/freezer.conf.j2
@@ -30,6 +30,7 @@ user_domain_id = {{ default_user_domain_id }}
 project_name = service
 username = {{ freezer_keystone_user }}
 password = {{ freezer_keystone_password }}
+cafile = {{ openstack_cacert | default(omit) }}
 memcache_security_strategy = ENCRYPT
 memcache_secret_key = {{ memcache_secret_key }}

--- a/ansible/roles/glance/templates/glance-api.conf.j2
+++ b/ansible/roles/glance/templates/glance-api.conf.j2
@@ -35,6 +35,7 @@ user_domain_id = {{ default_user_domain_id }}
 project_name = service
 username = {{ glance_keystone_user }}
 password = {{ glance_keystone_password }}
+cafile = {{ openstack_cacert | default(omit) }}
 memcache_security_strategy = ENCRYPT
 memcache_secret_key = {{ memcache_secret_key }}

--- a/ansible/roles/glance/templates/glance-swift.conf.j2
+++ b/ansible/roles/glance/templates/glance-swift.conf.j2
@@ -5,3 +5,4 @@ user = service:{{ glance_keystone_user }}
 key = {{ glance_keystone_password }}
 project_domain_id = default
 user_domain_id = default
+cafile = {{ openstack_cacert | default(omit) }}
--- a/ansible/roles/gnocchi/templates/gnocchi.conf.j2
+++ b/ansible/roles/gnocchi/templates/gnocchi.conf.j2
@@ -50,6 +50,7 @@ username = {{ gnocchi_keystone_user }}
 password = {{ gnocchi_keystone_password }}
 auth_url = {{ keystone_admin_url }}
 auth_type = password
+cafile = {{ openstack_cacert | default(omit) }}
 memcache_security_strategy = ENCRYPT
 memcache_secret_key = {{ memcache_secret_key }}

--- a/ansible/roles/heat/tasks/bootstrap_service.yml
+++ b/ansible/roles/heat/tasks/bootstrap_service.yml
@@ -17,6 +17,7 @@
      OS_PASSWORD: "{{ openstack_auth.password }}"
      OS_PROJECT_NAME: "{{ openstack_auth.project_name }}"
      OS_REGION_NAME: "{{ openstack_region_name }}"
+      OS_CACERT: "{{ openstack_cacert | default(omit) }}"
      HEAT_DOMAIN_ADMIN_PASSWORD: "{{ heat_domain_admin_password }}"
    image: "{{ heat_api.image }}"
    labels:

--- a/ansible/roles/heat/templates/heat.conf.j2
+++ b/ansible/roles/heat/templates/heat.conf.j2
@@ -49,6 +49,7 @@ user_domain_id = {{ default_user_domain_id }}
 project_name = service
 username = {{ heat_keystone_user }}
 password = {{ heat_keystone_password }}
+cafile = {{ openstack_cacert | default(omit) }}
 memcache_security_strategy = ENCRYPT
 memcache_secret_key = {{ memcache_secret_key }}

--- a/ansible/roles/ironic/templates/ironic-inspector.conf.j2
+++ b/ansible/roles/ironic/templates/ironic-inspector.conf.j2
@@ -22,6 +22,7 @@ project_name = service
 username = {{ ironic_inspector_keystone_user }}
 password = {{ ironic_inspector_keystone_password }}
 os_endpoint_type = internalURL
+cafile = {{ openstack_cacert | default(omit) }}
 {% else %}
 auth_type = none
 endpoint_override = {{ ironic_internal_endpoint }}
@@ -37,6 +38,7 @@ user_domain_id = {{ default_user_domain_id }}
 project_name = service
 username = {{ ironic_inspector_keystone_user }}
 password = {{ ironic_inspector_keystone_password }}
+cafile = {{ openstack_cacert | default(omit) }}
 memcache_security_strategy = ENCRYPT
 memcache_secret_key = {{ memcache_secret_key }}

--- a/ansible/roles/ironic/templates/ironic.conf.j2
+++ b/ansible/roles/ironic/templates/ironic.conf.j2
@@ -63,6 +63,7 @@ username = {{ ironic_keystone_user }}
 password = {{ ironic_keystone_password }}
 region_name = {{ openstack_region_name }}
 valid_interfaces = internal
+cafile = {{ openstack_cacert | default(omit) }}
 memcache_security_strategy = ENCRYPT
 memcache_secret_key = {{ memcache_secret_key }}
@@ -80,6 +81,7 @@ username = {{ ironic_keystone_user }}
 password = {{ ironic_keystone_password }}
 region_name = {{ openstack_region_name }}
 valid_interfaces = internal
+cafile = {{ openstack_cacert | default(omit) }}
 {% endif %}
 {% if enable_glance | bool %}
@@ -93,6 +95,7 @@ username = {{ ironic_keystone_user }}
 password = {{ ironic_keystone_password }}
 region_name = {{ openstack_region_name }}
 valid_interfaces = internal
+cafile = {{ openstack_cacert | default(omit) }}
 {% endif %}
 {% if enable_neutron | bool %}
@@ -107,6 +110,7 @@ password = {{ ironic_keystone_password }}
 region_name = {{ openstack_region_name }}
 valid_interfaces = internal
 cleaning_network = {{ ironic_cleaning_network }}
+cafile = {{ openstack_cacert | default(omit) }}
 {% endif %}
 {% if enable_nova | bool %}
@@ -120,6 +124,7 @@ username = {{ ironic_keystone_user }}
 password = {{ ironic_keystone_password }}
 region_name = {{ openstack_region_name }}
 valid_interfaces = internal
+cafile = {{ openstack_cacert | default(omit) }}
 {% endif %}
 [inspector]
@@ -133,6 +138,7 @@ username = {{ ironic_keystone_user }}
 password = {{ ironic_keystone_password }}
 region_name = {{ openstack_region_name }}
 valid_interfaces = internal
+cafile = {{ openstack_cacert | default(omit) }}
 {% else %}
 auth_type = none
 endpoint_override = {{ ironic_inspector_internal_endpoint }}
@@ -149,6 +155,7 @@ username = {{ ironic_keystone_user }}
 password = {{ ironic_keystone_password }}
 region_name = {{ openstack_region_name }}
 valid_interfaces = internal
+cafile = {{ openstack_cacert | default(omit) }}
 {% else %}
 auth_type = none
 endpoint_override = {{ internal_protocol }}://{{ ironic_internal_fqdn | put_address_in_context('url') }}:{{ ironic_api_port }}

--- a/ansible/roles/karbor/templates/karbor.conf.j2
+++ b/ansible/roles/karbor/templates/karbor.conf.j2
@@ -19,6 +19,7 @@ username = {{ karbor_keystone_user }}
 password = {{ karbor_keystone_password }}
 auth_url = {{ keystone_admin_url }}
 auth_type = password
+cafile = {{ openstack_cacert | default(omit) }}
 [clients_keystone]
 auth_uri = {{ keystone_internal_url }}
@@ -39,6 +40,7 @@ user_domain_id = {{ default_user_domain_id }}
 project_name = service
 username = {{ karbor_keystone_user }}
 password = {{ karbor_keystone_password }}
+cafile = {{ openstack_cacert | default(omit) }}
 memcache_security_strategy = ENCRYPT
 memcache_secret_key = {{ memcache_secret_key }}

--- a/ansible/roles/kibana/templates/kibana.yml.j2
+++ b/ansible/roles/kibana/templates/kibana.yml.j2
@@ -6,3 +6,4 @@ elasticsearch.url: "{{ internal_protocol }}://{{ kolla_internal_vip_address | pu
 elasticsearch.requestTimeout: {{ kibana_elasticsearch_request_timeout }}
 elasticsearch.shardTimeout: {{ kibana_elasticsearch_shard_timeout }}
 elasticsearch.ssl.verificationMode: "{{ 'full' if kibana_elasticsearch_ssl_verify | bool else 'none' }}"
+elasticsearch.ssl.certificateAuthorities: {{ openstack_cacert | default(omit) }}
--- a/ansible/roles/kuryr/templates/kuryr.conf.j2
+++ b/ansible/roles/kuryr/templates/kuryr.conf.j2
@@ -21,6 +21,7 @@ project_domain_id = {{ default_project_domain_id }}
 user_domain_id = {{ default_user_domain_id }}
 password = {{ kuryr_keystone_password }}
 username = {{ kuryr_keystone_user }}
+cafile = {{ openstack_cacert | default(omit) }}
 {% if kuryr_policy_file is defined %}
 [oslo_policy]