Support CA certificate for fluentd & Elasticsearch

Currently there is no way to configure a CA certificate bundle file for fluentd to Elasticsearch communication. This change adds a new variable, 'fluentd_elasticsearch_cacert' with a default value set to the value of 'openstack_cacert. Closes-Bug: #1885109 Change-Id: I5bbf55a4dd4ccce9fa2635cee720139c088268e3

Support CA certificate for fluentd & Elasticsearch
31f3f848 · Mark Goddard · f13847a5 · 31f3f848 · 31f3f848 · 31f3f848
Commit 31f3f848 authored 4 years ago by Mark Goddard
--- a/ansible/roles/common/defaults/main.yml
+++ b/ansible/roles/common/defaults/main.yml
@@ -47,6 +47,7 @@ fluentd_elasticsearch_user: ""
 fluentd_elasticsearch_password: ""
 fluentd_elasticsearch_ssl_version: "TLSv1_2"
 fluentd_elasticsearch_ssl_verify: "true"
+fluentd_elasticsearch_cacert: "{{ openstack_cacert }}"

 ####################
 # Docker

--- a/ansible/roles/common/templates/conf/output/00-local.conf.j2
+++ b/ansible/roles/common/templates/conf/output/00-local.conf.j2
@@ -21,6 +21,9 @@
 {% if fluentd_elasticsearch_scheme == 'https' %}
       ssl_version {{ fluentd_elasticsearch_ssl_version }}
       ssl_verify {{ fluentd_elasticsearch_ssl_verify }}
+{% if fluentd_elasticsearch_cacert | length > 0 %}
+       ca_file {{ fluentd_elasticsearch_cacert }}
+{% endif %}
 {% endif %}
 {% if fluentd_elasticsearch_user != '' and fluentd_elasticsearch_password != ''%}
       user {{ fluentd_elasticsearch_user }}
@@ -78,6 +81,9 @@
 {% if fluentd_elasticsearch_scheme == 'https' %}
       ssl_version {{ fluentd_elasticsearch_ssl_version }}
       ssl_verify {{ fluentd_elasticsearch_ssl_verify }}
+{% if fluentd_elasticsearch_cacert | length > 0 %}
+       ca_file {{ fluentd_elasticsearch_cacert }}
+{% endif %}
 {% endif %}
 {% if fluentd_elasticsearch_user != '' and fluentd_elasticsearch_password != ''%}
       user {{ fluentd_elasticsearch_user }}

--- a/ansible/roles/common/templates/conf/output/01-es.conf.j2
+++ b/ansible/roles/common/templates/conf/output/01-es.conf.j2
@@ -11,6 +11,9 @@
 {% if fluentd_elasticsearch_scheme == 'https' %}
       ssl_version {{ fluentd_elasticsearch_ssl_version }}
       ssl_verify {{ fluentd_elasticsearch_ssl_verify }}
+{% if fluentd_elasticsearch_cacert | length > 0 %}
+       ca_file {{ fluentd_elasticsearch_cacert }}
+{% endif %}
 {% endif %}
 {% if fluentd_elasticsearch_user != '' and fluentd_elasticsearch_password != ''%}
       user {{ fluentd_elasticsearch_user }}

--- a/releasenotes/notes/fluentd-elasticsearch-cacert-0e8824dd57052913.yaml
+++ b/releasenotes/notes/fluentd-elasticsearch-cacert-0e8824dd57052913.yaml
+---
+fixes:
+  - |
+    Adds a new variable ``fluentd_elasticsearch_cacert``, which defaults to the
+    value of ``openstack_cacert``. If set, this will be used to set the path of
+    the CA certificate bundle used by Fluentd when communicating with
+    Elasticsearch. `LP#1885109
+    <https://bugs.launchpad.net/kolla-ansible/+bug/1885109>`__