From 97e26b49cdb7962a1dc6f1a236a0c565ccba0d77 Mon Sep 17 00:00:00 2001
From: Mark Goddard <mark@stackhpc.com>
Date: Fri, 7 Aug 2020 14:16:03 +0100
Subject: [PATCH] Fix Barbican client (Castellan) with TLS (part 2)

This patch is a continuation of
I6a174468bd91d214c08477b93c88032a45c137be for the nova-cell role, which
was missed.

Castellan (the Barbican client) uses different parameters to select
the CA file.
This patch uses them.
Moreover, this aligns Barbican with other services by defaulting
its client config to the internal endpoint.

See also [1].

[1] https://bugs.launchpad.net/castellan/+bug/1876102

Closes-Bug: #1886615

Change-Id: I056f3eebcf87bcbaaf89fdd0dc1f46d143db7785
---
 ansible/roles/nova-cell/templates/nova.conf.j2 | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/ansible/roles/nova-cell/templates/nova.conf.j2 b/ansible/roles/nova-cell/templates/nova.conf.j2
index b9ae2fac86..5bbd4f1629 100644
--- a/ansible/roles/nova-cell/templates/nova.conf.j2
+++ b/ansible/roles/nova-cell/templates/nova.conf.j2
@@ -222,7 +222,8 @@ connection_string = {{ osprofiler_backend_connection_string }}
 {% if enable_barbican | bool %}
 [barbican]
 auth_endpoint = {{ keystone_internal_url }}
-cafile = {{ openstack_cacert }}
+barbican_endpoint_type = internal
+verify_ssl_path = {{ openstack_cacert }}
 {% endif %}
 
 # Cell specific settings from DevStack:
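Review bot: The new `verify_ssl_path = {{ openstack_cacert }}` line in the `[barbican]` section is rendered unconditionally, so an empty `openstack_cacert` would produce a bare `verify_ssl_path =`. The variable's default is not visible in this hunk, so it is worth confirming that Castellan then falls back to the system trust store with verification still on. If that cannot be guaranteed, wrap the line in `{% if openstack_cacert %}` … `{% endif %}`. The section also leans on Castellan's default for `verify_ssl`, and nothing in the template says why this section differs from the `cafile` option named on the removed line. A rendered comment above the option would guard against a well-meant revert, for example `# Castellan ignores cafile; the CA bundle is set via verify_ssl_path`. The rest of nova.conf.j2 is outside this hunk, so whether other sections need the same treatment cannot be judged here.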
-- 
GitLab