From 78e7f133f0b5462ca5449b34c9aed7745c14600b Mon Sep 17 00:00:00 2001
From: Pierre Riteau <pierre@stackhpc.com>
Date: Tue, 14 May 2024 09:35:51 +0200
Subject: [PATCH] Support CloudKitty deployment with internal TLS

Configure cloudkitty_influxdb_use_ssl automatically based on the value
of kolla_enable_tls_internal. Set cloudkitty_elasticsearch_cafile,
cloudkitty_influxdb_cafile and cloudkitty_prometheus_cafile to
openstack_cacert.

Disable certificate validation when bootstrapping the InfluxDB database:
the influxdb_database module and the InfluxDB 1.x Python client don't
support specifying a CA certificate file.

This fixes bootstrap and execution of CloudKitty with internal TLS.

Closes-Bug: #1998831
Change-Id: I5524169b9567819d379726099bf70c692c85acc1
---
 ansible/roles/cloudkitty/defaults/main.yml                | 8 ++++----
 ansible/roles/cloudkitty/tasks/bootstrap.yml              | 3 +++
 .../notes/cloudkitty-internal-tls-c3e18be2a9f95c5d.yaml   | 5 +++++
 3 files changed, 12 insertions(+), 4 deletions(-)
 create mode 100644 releasenotes/notes/cloudkitty-internal-tls-c3e18be2a9f95c5d.yaml

diff --git a/ansible/roles/cloudkitty/defaults/main.yml b/ansible/roles/cloudkitty/defaults/main.yml
index f7b87daac4..0735b4a67e 100644
--- a/ansible/roles/cloudkitty/defaults/main.yml
+++ b/ansible/roles/cloudkitty/defaults/main.yml
@@ -154,10 +154,10 @@ cloudkitty_custom_metrics_yaml_file: "metrics.yml"
 # cloudkitty_influxdb_retention_policy: "autogen"
 
 # Set to true to use SSL for InfluxDB connections.
-cloudkitty_influxdb_use_ssl: false
+cloudkitty_influxdb_use_ssl: "{{ kolla_enable_tls_internal }}"
 
 # Path of the CA certificate to trust for HTTPS connections.
-# cloudkitty_influxdb_cafile: "{{ openstack_cacert }}"
+cloudkitty_influxdb_cafile: "{{ openstack_cacert }}"
 
 # Set to true to authorize insecure HTTPS connections to InfluxDB.
 # This means, HTTPS connections without validating the certificate used by InfluxDB
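Review bot: The comment above `cloudkitty_influxdb_use_ssl` is now stale: it still says "Set to true to use SSL for InfluxDB connections" while the new default follows `kolla_enable_tls_internal`, so an operator reading the file cannot tell that SSL is switched on automatically with internal TLS. Suggest `# Set to true to use SSL for InfluxDB connections. Defaults to the value of kolla_enable_tls_internal.`. The value also changes from a YAML boolean to a templated string; bootstrap.yml already applies `| bool` to it, but wherever it is rendered into the CloudKitty configuration (outside this patch) the same filter is presumably needed — worth confirming. The three `*_cafile` defaults uncommented in this and the following two hunks are consistent with each other and need no further change.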
@@ -172,7 +172,7 @@ cloudkitty_elasticsearch_index_name: "cloudkitty"
 cloudkitty_elasticsearch_url: "{{ internal_protocol }}://{{ opensearch_address }}:{{ opensearch_port }}"
 
 # Path of the CA certificate to trust for HTTPS connections.
-# cloudkitty_elasticsearch_cafile: "{{ openstack_cacert }}"
+cloudkitty_elasticsearch_cafile: "{{ openstack_cacert }}"
 
 # Set to true to authorize insecure HTTPS connections to Elasticsearch.
 # This means, HTTPS connections without validating the certificate used by elasticsearch
@@ -189,7 +189,7 @@ cloudkitty_collector_backend: "gnocchi"
 cloudkitty_prometheus_url: "{{ internal_protocol }}://{{ kolla_internal_fqdn | put_address_in_context('url') }}:{{ prometheus_port }}/api/v1"
 
 # Path of the CA certificate to trust for HTTPS connections.
-# cloudkitty_prometheus_cafile: "{{ openstack_cacert }}"
+cloudkitty_prometheus_cafile: "{{ openstack_cacert }}"
 
 # Set to true to authorize insecure HTTPS connections to Prometheus.
 # This means, HTTPS connections without validating the certificate used by prometheus.
diff --git a/ansible/roles/cloudkitty/tasks/bootstrap.yml b/ansible/roles/cloudkitty/tasks/bootstrap.yml
index 679c33ae95..8c432f3ffc 100644
--- a/ansible/roles/cloudkitty/tasks/bootstrap.yml
+++ b/ansible/roles/cloudkitty/tasks/bootstrap.yml
@@ -45,6 +45,9 @@
       port: "{{ influxdb_http_port }}"
       ssl: "{{ cloudkitty_influxdb_use_ssl | bool }}"
       database_name: "{{ cloudkitty_influxdb_name }}"
+      # The influxdb_database module and the InfluxDB 1.x Python client don't
+      # support specifying a CA certificate file.
+      validate_certs: False
   run_once: True
   delegate_to: "{{ groups['cloudkitty-api'][0] }}"
   when: cloudkitty_storage_backend == 'influxdb'
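Review bot: `validate_certs: False` disables server certificate verification for this connection unconditionally, and the comment only explains why the CA file cannot be passed, not what the residual exposure is: when `cloudkitty_influxdb_use_ssl` is true, the database-creation call is made over TLS without authenticating the InfluxDB endpoint. Suggest extending the comment so the trade-off is explicit and an operator does not copy the setting elsewhere, e.g. `# Certificate verification is disabled for this one-off bootstrap connection only; the running CloudKitty service still validates InfluxDB via cloudkitty_influxdb_cafile.` The `influxdb_database` task itself begins above this hunk, so the `hostname`/`username` arguments are not visible here.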
diff --git a/releasenotes/notes/cloudkitty-internal-tls-c3e18be2a9f95c5d.yaml b/releasenotes/notes/cloudkitty-internal-tls-c3e18be2a9f95c5d.yaml
new file mode 100644
index 0000000000..8cd08af65c
--- /dev/null
+++ b/releasenotes/notes/cloudkitty-internal-tls-c3e18be2a9f95c5d.yaml
@@ -0,0 +1,5 @@
+---
+fixes:
+  - |
+    Fixes configuration of CloudKitty when internal TLS is enabled.
+    `LP#1998831 <https://bugs.launchpad.net/kolla-ansible/+bug/1998831>`__
-- 
GitLab