Replace internal and external VIP CA with root CA

Replaced "kolla_external_fqdn_cacert" and "kolla_internal_fqdn_cacert" with "kolla_admin_openrc_cacert". OS_CACERT is now set to the value of "kolla_admin_openrc_cacert" in the generated admin-openrc.sh file. Change-Id: If195d5402579cee9a14b91f63f5fde84eb84cccf Partially-Implements: blueprint add-ssl-internal-network Depends-On: https://review.opendev.org/#/c/731344/

Replace internal and external VIP CA with root CA
e3cd02ed · James Kirsch · Mark Goddard · a982d3ac · e3cd02ed · e3cd02ed
Commit e3cd02ed authored 4 years ago by James Kirsch Committed by Mark Goddard 4 years ago
--- a/ansible/group_vars/all.yml
+++ b/ansible/group_vars/all.yml
@@ -763,8 +763,7 @@ kolla_enable_tls_external: "{{ kolla_enable_tls_internal if kolla_same_external_
 kolla_certificates_dir: "{{ node_config }}/certificates"
 kolla_external_fqdn_cert: "{{ kolla_certificates_dir }}/haproxy.pem"
 kolla_internal_fqdn_cert: "{{ kolla_certificates_dir }}/haproxy-internal.pem"
-kolla_external_fqdn_cacert: "{{ kolla_certificates_dir }}/ca/haproxy.crt"
-kolla_internal_fqdn_cacert: "{{ kolla_certificates_dir }}/ca/haproxy-internal.crt"
+kolla_admin_openrc_cacert: ""
 kolla_copy_ca_into_containers: "no"
 kolla_verify_tls_backend: "yes"
 haproxy_backend_cacert: "{{ 'ca-certificates.crt' if kolla_base_distro in ['debian', 'ubuntu'] else 'ca-bundle.trust.crt' }}"

--- a/ansible/roles/certificates/tasks/generate.yml
+++ b/ansible/roles/certificates/tasks/generate.yml
@@ -64,12 +64,6 @@
        src: "{{ external_dir }}"
        dest: "{{ kolla_external_fqdn_cert }}"
        mode: "0660"
-
-    - name: Creating external CA Certificate File
-      copy:
-        src: "{{ root_dir }}/root.crt"
-        dest: "{{ kolla_external_fqdn_cacert }}"
-        mode: "0660"
  when:
    - kolla_enable_tls_external | bool

@@ -80,13 +74,6 @@
        dest: "{{ kolla_internal_fqdn_cert }}"
        remote_src: yes
        mode: "0660"
-
-    - name: Copy the external CA Certificate file to be the internal when internal + external are same network
-      copy:
-        src: "{{ kolla_external_fqdn_cacert }}"
-        dest: "{{ kolla_internal_fqdn_cacert }}"
-        remote_src: yes
-        mode: "0660"
  when:
    - kolla_enable_tls_external | bool
    - kolla_enable_tls_internal | bool
@@ -139,12 +126,6 @@
        mode: "0660"
        state: file

-    - name: Creating internal CA Certificate File
-      copy:
-        src: "{{ root_dir }}/root.crt"
-        dest: "{{ kolla_internal_fqdn_cacert }}"
-        mode: "0660"
-
    - name: Creating internal Server PEM File
      assemble:
        regexp: '.*[crt|key]'

--- a/ansible/roles/common/templates/admin-openrc.sh.j2
+++ b/ansible/roles/common/templates/admin-openrc.sh.j2
@@ -18,8 +18,6 @@ export OS_MISTRAL_ENDPOINT_TYPE=internalURL
 export OS_IDENTITY_API_VERSION=3
 export OS_REGION_NAME={{ openstack_region_name }}
 export OS_AUTH_PLUGIN=password
-{% if kolla_enable_tls_internal | bool and kolla_internal_fqdn_cacert %}
-export OS_CACERT={{ kolla_internal_fqdn_cacert }}
-{% elif  kolla_enable_tls_external | bool and kolla_external_fqdn_cacert %}
-export OS_CACERT={{ kolla_external_fqdn_cacert }}
+{% if kolla_admin_openrc_cacert is not none and kolla_admin_openrc_cacert | length > 0 %}
+export OS_CACERT={{ kolla_admin_openrc_cacert }}
 {% endif %}
--- a/etc/kolla/globals.yml
+++ b/etc/kolla/globals.yml
@@ -189,8 +189,7 @@
 #kolla_certificates_dir: "{{ node_config }}/certificates"
 #kolla_external_fqdn_cert: "{{ kolla_certificates_dir }}/haproxy.pem"
 #kolla_internal_fqdn_cert: "{{ kolla_certificates_dir }}/haproxy-internal.pem"
-#kolla_external_fqdn_cacert: "{{ kolla_certificates_dir }}/ca/haproxy.crt"
-#kolla_internal_fqdn_cacert: "{{ kolla_certificates_dir }}/ca/haproxy-internal.crt"
+#kolla_admin_openrc_cacert: ""
 #kolla_copy_ca_into_containers: "no"
 #kolla_verify_tls_backend: "yes"
 #haproxy_backend_cacert: "{{ 'ca-certificates.crt' if kolla_base_distro in ['debian', 'ubuntu'] else 'ca-bundle.trust.crt' }}"

--- a/releasenotes/notes/generate-self-signed-root-ca-bc523acab7290cfe.yaml
+++ b/releasenotes/notes/generate-self-signed-root-ca-bc523acab7290cfe.yaml
@@ -9,3 +9,9 @@ features:
    certificates and signs them using the root CA. If backend TLS is enabled,
    the command will generate the backend certificate and sign it with the
    root CA.
+upgrade:
+  - |
+    Replaced ``kolla_external_fqdn_cacert`` and ``kolla_internal_fqdn_cacert``
+    with ``kolla_admin_openrc_cacert``, which by default is not set.
+    ``OS_CACERT`` is now set to the value of ``kolla_admin_openrc_cacert`` in
+    the generated ``admin-openrc.sh`` file.
--- a/tests/templates/globals-default.j2
+++ b/tests/templates/globals-default.j2
@@ -127,6 +127,7 @@ openstack_cacert: "/etc/ssl/certs/ca-certificates.crt"
 {% if base_distro == "centos" %}
 openstack_cacert: "/etc/pki/tls/certs/ca-bundle.crt"
 {% endif %}
+kolla_admin_openrc_cacert: "{% raw %}{{ kolla_certificates_dir }}{% endraw %}/ca/root.crt"
 {% endif %}

 {% if scenario == 'linuxbridge' %}