diff --git a/ansible/inventory/group_vars/all/kolla b/ansible/inventory/group_vars/all/kolla
index 50fdb7f8a..9efe74e47 100644
--- a/ansible/inventory/group_vars/all/kolla
+++ b/ansible/inventory/group_vars/all/kolla
@@ -652,7 +652,7 @@ kolla_external_tls_cert:
 # Path to a CA certificate file to use for the OS_CACERT environment variable
 # in public-openrc.sh file when TLS is enabled, instead of Kolla-Ansible's
 # default.
-kolla_external_fqdn_cacert:
+kolla_public_openrc_cacert: "{{ kolla_external_fqdn_cacert | default }}"
 
 # Internal API certificate bundle.
 #
@@ -665,7 +665,7 @@ kolla_internal_tls_cert:
 # Path to a CA certificate file to use for the OS_CACERT environment variable
 # in admin-openrc.sh file when TLS is enabled, instead of Kolla-Ansible's
 # default.
-kolla_internal_fqdn_cacert:
+kolla_admin_openrc_cacert: "{{ kolla_internal_fqdn_cacert | default }}"
 
 ###############################################################################
 # Proxy configuration
diff --git a/ansible/roles/kolla-ansible/defaults/main.yml b/ansible/roles/kolla-ansible/defaults/main.yml
index d83d98aa8..e5ce22ff9 100644
--- a/ansible/roles/kolla-ansible/defaults/main.yml
+++ b/ansible/roles/kolla-ansible/defaults/main.yml
@@ -175,8 +175,8 @@ kolla_enable_tls_external:
 kolla_enable_tls_internal:
 kolla_external_fqdn_cert:
 kolla_internal_fqdn_cert:
-kolla_external_fqdn_cacert:
-kolla_internal_fqdn_cacert:
+kolla_public_openrc_cacert:
+kolla_admin_openrc_cacert:
 
 #############################
 # Ironic options
diff --git a/ansible/roles/kolla-ansible/templates/kolla/globals.yml b/ansible/roles/kolla-ansible/templates/kolla/globals.yml
index 65743036e..1d833b938 100644
--- a/ansible/roles/kolla-ansible/templates/kolla/globals.yml
+++ b/ansible/roles/kolla-ansible/templates/kolla/globals.yml
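Review bot: The compatibility default `"{{ kolla_external_fqdn_cacert | default }}"` changes the unset value of this variable from null to an empty string, because Jinja2's `default` with no argument substitutes `''` and the old name is no longer defined anywhere by default (this commit also drops it from the role defaults). Consumers that test `is not none` to detect "unset" will therefore see the variable as set; the public-openrc template touched by this change does exactly that. `| default(none)` would express the intent better, but depending on the ansible-core templating mode a templated null may still arrive as `''`, so any consumer should additionally check `| length > 0`. The same applies to the `kolla_admin_openrc_cacert` shim in the second hunk.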
@@ -191,8 +191,7 @@ kolla_external_fqdn_cert: "{{ kolla_external_fqdn_cert }}"
 {% if kolla_internal_tls_cert is not none and kolla_internal_tls_cert | length > 0 %}
 kolla_internal_fqdn_cert: "{{ kolla_internal_fqdn_cert }}"
 {% endif %}
-kolla_external_fqdn_cacert: "{{ kolla_external_fqdn_cacert }}"
-kolla_internal_fqdn_cacert: "{{ kolla_internal_fqdn_cacert }}"
+kolla_admin_openrc_cacert: "{{ kolla_admin_openrc_cacert }}"
 
 ################
 # Region options
diff --git a/ansible/roles/kolla-ansible/tests/test-extras.yml b/ansible/roles/kolla-ansible/tests/test-extras.yml
index a737e6244..8f8576a62 100644
--- a/ansible/roles/kolla-ansible/tests/test-extras.yml
+++ b/ansible/roles/kolla-ansible/tests/test-extras.yml
@@ -136,6 +136,7 @@
 kolla_internal_fqdn_cert: "{{ temp_path }}/etc/kolla/certificates/internal.pem"
 kolla_internal_tls_cert: |
 bogus internal certificate
+ kolla_admin_openrc_cacert: "{{ temp_path }}/etc/kolla/certificates/ca/foo.crt"
 kolla_openstack_logging_debug: True
 grafana_local_admin_user_name: "grafana-admin"
 kolla_inspector_dhcp_pool_start: "1.2.3.4"
@@ -255,6 +256,7 @@
 kolla_external_fqdn_cert: "{{ temp_path }}/etc/kolla/certificates/external.pem"
 kolla_enable_tls_internal: True
 kolla_internal_fqdn_cert: "{{ temp_path }}/etc/kolla/certificates/internal.pem"
+ kolla_admin_openrc_cacert: "{{ temp_path }}/etc/kolla/certificates/ca/foo.crt"
 openstack_logging_debug: True
 grafana_admin_username: "grafana-admin"
 ironic_dnsmasq_dhcp_ranges:
diff --git a/ansible/roles/public-openrc/templates/public-openrc.sh.j2 b/ansible/roles/public-openrc/templates/public-openrc.sh.j2
index d0356e800..1c2dd179c 100644
--- a/ansible/roles/public-openrc/templates/public-openrc.sh.j2
+++ b/ansible/roles/public-openrc/templates/public-openrc.sh.j2
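Review bot: `kolla_admin_openrc_cacert: "{{ kolla_admin_openrc_cacert }}"` is written to globals.yml unconditionally, whereas the neighbouring `kolla_internal_fqdn_cert` entry is wrapped in an `is not none and | length > 0` guard. With the group_vars default `"{{ kolla_internal_fqdn_cacert | default }}"` this renders as `kolla_admin_openrc_cacert: ""` when nothing is configured, and because the key now matches Kolla Ansible's own variable it may override whatever default Kolla Ansible ships (the kolla.yml comments say there is one), leaving admin-openrc.sh without a usable OS_CACERT; the removed lines had no such effect because Kolla Ansible ignored the old names. Guard it like its neighbours: `{% if kolla_admin_openrc_cacert is not none and kolla_admin_openrc_cacert | length > 0 %}` / `kolla_admin_openrc_cacert: "{{ kolla_admin_openrc_cacert }}"` / `{% endif %}`. Also note that `kolla_public_openrc_cacert` is declared in the role defaults but not passed through here; if that is deliberate because Kayobe renders public-openrc.sh itself, a short comment saying so would help.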
@@ -11,8 +11,8 @@ export OS_ENDPOINT_TYPE=publicURL export OS_MANILA_ENDPOINT_TYPE=publicURL {% elif "export OS_MISTRAL_ENDPOINT_TYPE" in line %} export OS_MISTRAL_ENDPOINT_TYPE=publicURL -{% elif "export OS_CACERT" in line and kolla_external_fqdn_cacert is not none %} -export OS_CACERT={{ kolla_external_fqdn_cacert }} +{% elif "export OS_CACERT" in line and kolla_public_openrc_cacert is not none %} +export OS_CACERT={{ kolla_public_openrc_cacert }} {% else %} {{ line }} {% endif %} diff --git a/doc/source/configuration/reference/kolla-ansible.rst b/doc/source/configuration/reference/kolla-ansible.rst index 559ccfc21..97bf88df5 100644 --- a/doc/source/configuration/reference/kolla-ansible.rst +++ b/doc/source/configuration/reference/kolla-ansible.rst @@ -264,10 +264,6 @@ The following variables affect TLS encryption of the public API. A TLS certificate bundle to use for the public API endpoints, if ``kolla_enable_tls_external`` is ``true``. Note that this should be formatted as a literal style block scalar. -``kolla_external_fqdn_cacert`` - Path to a CA certificate file to use for the ``OS_CACERT`` environment - variable in openrc files when TLS is enabled, instead of Kolla Ansible's - default. The following variables affect TLS encryption of the internal API. Currently this requires all Kolla images to be built with the API's root CA trusted. 
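Review bot: The guard `kolla_public_openrc_cacert is not none` no longer distinguishes an unset CA path from a set one, because the new group_vars default `"{{ kolla_external_fqdn_cacert | default }}"` evaluates to an empty string when the old variable is unset, whereas the previous default was null. With default settings this branch is therefore taken and renders `export OS_CACERT=` with no value, replacing the line the `{{ line }}` fallback used to pass through (presumably the OS_CACERT export from admin-openrc.sh), so clients of the public endpoint lose their CA bundle and fail TLS verification, or get worked around with `--insecure`. Mirror the guards already used in the globals.yml template: `{% elif "export OS_CACERT" in line and kolla_public_openrc_cacert is not none and kolla_public_openrc_cacert | length > 0 %}`. The length check also covers ansible-core versions that render a templated null as `''`. The `{% if %}` chain this `elif` belongs to opens before the hunk.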
@@ -278,10 +274,18 @@ this requires all Kolla images to be built with the API's root CA trusted. A TLS certificate bundle to use for the internal API endpoints, if ``kolla_enable_tls_internal`` is ``true``. Note that this should be formatted as a literal style block scalar. -``kolla_internal_fqdn_cacert`` + +The following variables affect the generated ``admin-openrc.sh`` and +``public-openrc.sh`` environment files. + +``kolla_public_openrc_cacert`` Path to a CA certificate file to use for the ``OS_CACERT`` environment - variable in openrc files when TLS is enabled, instead of Kolla Ansible's - default. + variable in the ``public-openrc.sh`` file when TLS is enabled, instead of + ``kolla_admin_openrc_cacert``. +``kolla_admin_openrc_cacert`` + Path to a CA certificate file to use for the ``OS_CACERT`` environment + variable in the ``admin-openrc.sh`` and ``public-openrc.sh`` files when TLS + is enabled, instead of Kolla Ansible's default. Example: enabling TLS for the public API ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ @@ -298,7 +302,7 @@ Here is an example: -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE----- - kolla_external_fqdn_cacert: /path/to/ca/certificate/bundle + kolla_admin_openrc_cacert: /path/to/ca/certificate/bundle Example: enabling TLS for the internal API ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ @@ -315,7 +319,7 @@ Here is an example: -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE----- - kolla_internal_fqdn_cacert: /path/to/ca/certificate/bundle + kolla_admin_openrc_cacert: /path/to/ca/certificate/bundle Other certificates ------------------ diff --git a/etc/kayobe/kolla.yml b/etc/kayobe/kolla.yml index f879fb6cb..86661d72a 100644 --- a/etc/kayobe/kolla.yml +++ b/etc/kayobe/kolla.yml 
@@ -565,7 +565,7 @@
 # Path to a CA certificate file to use for the OS_CACERT environment variable
 # in public-openrc.sh file when TLS is enabled, instead of Kolla-Ansible's
 # default.
-#kolla_external_fqdn_cacert:
+#kolla_public_openrc_cacert:
 
 # Internal API certificate bundle.
 #
@@ -578,7 +578,7 @@
 # Path to a CA certificate file to use for the OS_CACERT environment variable
 # in admin-openrc.sh file when TLS is enabled, instead of Kolla-Ansible's
 # default.
-#kolla_internal_fqdn_cacert:
+#kolla_admin_openrc_cacert:
 
 ###############################################################################
 # Proxy configuration
diff --git a/releasenotes/notes/deprecate-fqdn-cacert-301d5a26ed7107ab.yaml b/releasenotes/notes/deprecate-fqdn-cacert-301d5a26ed7107ab.yaml
new file mode 100644
index 000000000..d892cac43
--- /dev/null
+++ b/releasenotes/notes/deprecate-fqdn-cacert-301d5a26ed7107ab.yaml
@@ -0,0 +1,13 @@
+---
+deprecates:
+ - |
+ Renames ``kolla_external_fqdn_cacert`` to ``kolla_public_openrc_cacert``
+ and ``kolla_internal_fqdn_cacert`` to ``kolla_admin_openrc_cacert``. This
+ matches the Kolla Ansible variable name and better reflects their purpose.
+ The old variable names are still supported until the end of the deprecation
+ period (2024.2 "D" series release or later).
+fixes:
+ - |
+ Fixes an issue where the Kolla Ansible variable
+ ``kolla_admin_openrc_cacert`` was not set to the value of
+ ``kolla_internal_fqdn_cacert``.