From e83c57f233de4c3e625d148922a7d31aff999c7e Mon Sep 17 00:00:00 2001
From: Mark Goddard <mark@stackhpc.com>
Date: Tue, 22 Jan 2019 16:59:24 +0000
Subject: [PATCH] Add support for CA certificate parameter

When using Ansible OpenStack modules, if OS_CACERT is defined, then this
will be passed as the cacert module argument.

This allows a CA certificate bundle at a non-standard path to be used when verifying TLS connections to the overcloud API endpoints.

Change-Id: I2a2575b1fb0f149cc13c44526fc0167e68e07aab
Story: 2004911
Task: 29261
---
 ansible/baremetal-compute-inspect.yml                     | 1 +
 ansible/baremetal-compute-manage.yml                      | 1 +
 ansible/baremetal-compute-provide.yml                     | 1 +
 ansible/group_vars/all/openstack                          | 4 ++++
 ...overcloud-introspection-rules-dell-lldp-workaround.yml | 1 +
 ansible/overcloud-introspection-rules.yml                 | 1 +
 ansible/overcloud-ipa-images.yml                          | 1 +
 ansible/provision-net.yml                                 | 1 +
 ansible/roles/ipa-images/defaults/main.yml                | 3 +++
 ansible/roles/ipa-images/tasks/main.yml                   | 3 +++
 ansible/roles/ipa-images/tasks/set-driver-info.yml        | 1 +
 ansible/roles/ironic-inspector-rules/README.md            | 2 ++
 ansible/roles/ironic-inspector-rules/defaults/main.yml    | 3 +++
 ansible/roles/ironic-inspector-rules/tasks/main.yml       | 1 +
 releasenotes/notes/cacert-514b8645d6912bf9.yaml           | 8 ++++++++
 15 files changed, 32 insertions(+)
 create mode 100644 releasenotes/notes/cacert-514b8645d6912bf9.yaml

diff --git a/ansible/baremetal-compute-inspect.yml b/ansible/baremetal-compute-inspect.yml
index 9474d2b54..aa029662a 100644
--- a/ansible/baremetal-compute-inspect.yml
+++ b/ansible/baremetal-compute-inspect.yml
@@ -34,6 +34,7 @@
       os_ironic_inspect:
         auth_type: "{{ openstack_auth_type }}"
         auth: "{{ openstack_auth }}"
+        cacert: "{{ openstack_cacert | default(omit, true) }}"
         name: "{{ inventory_hostname }}"
         timeout: "{{ baremetal_compute_timeout }}"
         wait: "{{ baremetal_compute_wait }}"
diff --git a/ansible/baremetal-compute-manage.yml b/ansible/baremetal-compute-manage.yml
index 7f9d1f7ef..279079381 100644
--- a/ansible/baremetal-compute-manage.yml
+++ b/ansible/baremetal-compute-manage.yml
@@ -32,6 +32,7 @@
     - role: stackhpc.os-ironic-state
       os_ironic_state_auth_type: "{{ openstack_auth_type }}"
       os_ironic_state_auth: "{{ openstack_auth }}"
+      os_ironic_state_cacert: "{{ openstack_cacert }}"
       os_ironic_state_name: "{{ inventory_hostname }}"
       os_ironic_state_provision_state: "manage"
       os_ironic_state_wait: "{{ baremetal_compute_wait }}"
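Review bot: `os_ironic_state_cacert: "{{ openstack_cacert }}"` passes the raw value, whereas baremetal-compute-inspect.yml and provision-net.yml guard it with `default(omit, true)`; since `openstack_cacert` is defined from `lookup('env', 'OS_CACERT')`, it is an empty string rather than undefined when OS_CACERT is unset. Unless the stackhpc.os-ironic-state role (not visible here) applies the same guard, that empty string may reach the module's cacert argument and fail to open as a path. Suggest `os_ironic_state_cacert: "{{ openstack_cacert | default(omit, true) }}"` here, and the identical line in baremetal-compute-provide.yml.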
diff --git a/ansible/baremetal-compute-provide.yml b/ansible/baremetal-compute-provide.yml
index b51a37c5b..bd5330944 100644
--- a/ansible/baremetal-compute-provide.yml
+++ b/ansible/baremetal-compute-provide.yml
@@ -32,6 +32,7 @@
     - role: stackhpc.os-ironic-state
       os_ironic_state_auth_type: "{{ openstack_auth_type }}"
       os_ironic_state_auth: "{{ openstack_auth }}"
+      os_ironic_state_cacert: "{{ openstack_cacert }}"
       os_ironic_state_name: "{{ inventory_hostname }}"
       os_ironic_state_provision_state: "provide"
       os_ironic_state_wait: "{{ baremetal_compute_wait }}"
diff --git a/ansible/group_vars/all/openstack b/ansible/group_vars/all/openstack
index 85c69aae5..ac0d4870a 100644
--- a/ansible/group_vars/all/openstack
+++ b/ansible/group_vars/all/openstack
@@ -17,6 +17,9 @@ openstack_auth:
   password: "{{ lookup('env', 'OS_PASSWORD') }}"
   auth_url: "{{ lookup('env', 'OS_AUTH_URL') }}"
 
+# Overcloud CA certificate path.
+openstack_cacert: "{{ lookup('env', 'OS_CACERT') }}"
+
 # Overcloud authentication environment variables. These should be compatible
 # with the openstack client.
 # By default we pull these from the environment of the shell executing Ansible.
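Review bot: The comment on `openstack_cacert` should say what the value is for and what it holds when OS_CACERT is unset: the lookup yields an empty string, not an undefined variable, so consumers must filter it with `default(omit, true)` rather than `default(omit)` to avoid passing an empty path as a CA file. Suggested comment: `# Path to the CA certificate bundle used to verify TLS connections to the overcloud APIs.` followed by `# Empty (not undefined) when OS_CACERT is unset; consumers should apply default(omit, true).`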
@@ -29,6 +32,7 @@ openstack_auth_env:
   OS_AUTH_URL: "{{ lookup('env', 'OS_AUTH_URL') }}"
   OS_INTERFACE: "{{ lookup('env', 'OS_INTERFACE') }}"
   OS_IDENTITY_API_VERSION: "{{ lookup('env', 'OS_IDENTITY_API_VERSION') }}"
+  OS_CACERT: "{{ lookup('env', 'OS_CACERT') }}"
 
 # List of parameters required in openstack_auth when openstack_auth_type is
 # password.
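Review bot: `OS_CACERT: "{{ lookup('env', 'OS_CACERT') }}"` puts OS_CACERT into the client environment as an empty string whenever it is unset in the caller's shell. This mirrors the neighbouring entries such as OS_INTERFACE, but whether the openstack client treats an empty OS_CACERT as "use the default trust store" rather than as an empty certificate path is not established by this change; it is worth confirming, and recording the outcome in the comment above `openstack_auth_env`.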
diff --git a/ansible/overcloud-introspection-rules-dell-lldp-workaround.yml b/ansible/overcloud-introspection-rules-dell-lldp-workaround.yml
index 7257a3f18..0cd0ca9ea 100644
--- a/ansible/overcloud-introspection-rules-dell-lldp-workaround.yml
+++ b/ansible/overcloud-introspection-rules-dell-lldp-workaround.yml
@@ -127,3 +127,4 @@
       ironic_inspector_venv: "{{ virtualenv_path }}/shade"
       ironic_inspector_auth_type: "{{ openstack_auth_type }}"
       ironic_inspector_auth: "{{ openstack_auth }}"
+      ironic_inspector_cacert: "{{ openstack_cacert }}"
diff --git a/ansible/overcloud-introspection-rules.yml b/ansible/overcloud-introspection-rules.yml
index 4b9626194..2fcf4d59a 100644
--- a/ansible/overcloud-introspection-rules.yml
+++ b/ansible/overcloud-introspection-rules.yml
@@ -59,6 +59,7 @@
       ironic_inspector_venv: "{{ venv }}"
       ironic_inspector_auth_type: "{{ openstack_auth_type }}"
       ironic_inspector_auth: "{{ openstack_auth }}"
+      ironic_inspector_cacert: "{{ openstack_cacert }}"
       ironic_inspector_rules: "{{ inspector_rules }}"
       # These variables may be referenced in the introspection rules.
       inspector_rule_var_ipmi_username: "{{ inspector_ipmi_username }}"
diff --git a/ansible/overcloud-ipa-images.yml b/ansible/overcloud-ipa-images.yml
index 35c64835e..2ff8d20fe 100644
--- a/ansible/overcloud-ipa-images.yml
+++ b/ansible/overcloud-ipa-images.yml
@@ -104,4 +104,5 @@
       ipa_images_openstack_auth_type: "{{ openstack_auth_type }}"
       ipa_images_openstack_auth: "{{ openstack_auth }}"
       ipa_images_openstack_auth_env: "{{ openstack_auth_env }}"
+      ipa_images_openstack_cacert: "{{ openstack_cacert }}"
       ipa_images_cache_path: "{{ image_cache_path }}/{{ ipa_image_name }}"
diff --git a/ansible/provision-net.yml b/ansible/provision-net.yml
index 13a26c694..2294676e0 100644
--- a/ansible/provision-net.yml
+++ b/ansible/provision-net.yml
@@ -62,5 +62,6 @@
       os_networks_venv: "{{ virtualenv_path }}/shade"
       os_networks_auth_type: "{{ openstack_auth_type }}"
       os_networks_auth: "{{ openstack_auth }}"
+      os_networks_cacert: "{{ openstack_cacert | default(omit, true) }}"
       # Network configuration.
       os_networks: "{{ network_registrations + ([] if cleaning_net_name == provision_wl_net_name else [cleaning_net]) }}"
diff --git a/ansible/roles/ipa-images/defaults/main.yml b/ansible/roles/ipa-images/defaults/main.yml
index 72a9d8991..cd5c6dbe9 100644
--- a/ansible/roles/ipa-images/defaults/main.yml
+++ b/ansible/roles/ipa-images/defaults/main.yml
@@ -14,6 +14,9 @@ ipa_images_openstack_auth: {}
 # openstack client.
 ipa_images_openstack_auth_env: {}
 
+# CA certificate path.
+ipa_images_openstack_caert:
+
 # Path to directory in which to store downloaded images.
 ipa_images_cache_path:
 
diff --git a/ansible/roles/ipa-images/tasks/main.yml b/ansible/roles/ipa-images/tasks/main.yml
index fe2e9f8a9..a6cbe7f8a 100644
--- a/ansible/roles/ipa-images/tasks/main.yml
+++ b/ansible/roles/ipa-images/tasks/main.yml
@@ -68,6 +68,7 @@
   os_image_facts:
     auth_type: "{{ ipa_images_openstack_auth_type }}"
     auth: "{{ ipa_images_openstack_auth }}"
+    cacert: "{{ ipa_images_openstack_cacert | default(omit, true) }}"
     image: "{{ ipa_images_kernel_name }}"
 
 - name: Set a fact containing the Ironic Python Agent (IPA) kernel image
@@ -78,6 +79,7 @@
   os_image_facts:
     auth_type: "{{ ipa_images_openstack_auth_type }}"
     auth: "{{ ipa_images_openstack_auth }}"
+    cacert: "{{ ipa_images_openstack_cacert | default(omit, true) }}"
     image: "{{ ipa_images_ramdisk_name }}"
 
 - name: Set a fact containing the Ironic Python Agent (IPA) ramdisk image
@@ -109,6 +111,7 @@
   os_image:
     auth_type: "{{ ipa_images_openstack_auth_type }}"
     auth: "{{ ipa_images_openstack_auth }}"
+    cacert: "{{ ipa_images_openstack_cacert | default(omit, true) }}"
     name: "{{ item.name }}"
     container_format: "{{ item.format }}"
     disk_format: "{{ item.format }}"
diff --git a/ansible/roles/ipa-images/tasks/set-driver-info.yml b/ansible/roles/ipa-images/tasks/set-driver-info.yml
index c47a61283..c4f4dbd52 100644
--- a/ansible/roles/ipa-images/tasks/set-driver-info.yml
+++ b/ansible/roles/ipa-images/tasks/set-driver-info.yml
@@ -4,6 +4,7 @@
   os_image_facts:
     auth_type: "{{ ipa_images_openstack_auth_type }}"
     auth: "{{ ipa_images_openstack_auth }}"
+    cacert: "{{ ipa_images_openstack_cacert | default(omit, true) }}"
     image: "{{ item.name }}"
   with_items:
     - name: "{{ ipa_images_kernel_name }}"
diff --git a/ansible/roles/ironic-inspector-rules/README.md b/ansible/roles/ironic-inspector-rules/README.md
index fd9bbefe8..eeaee662b 100644
--- a/ansible/roles/ironic-inspector-rules/README.md
+++ b/ansible/roles/ironic-inspector-rules/README.md
@@ -24,6 +24,8 @@ the `auth_type` argument of `os_*` Ansible modules.
 `ironic_inspector_auth` is a dict containing authentication information
 compatible with the `auth` argument of `os_*` Ansible modules.
 
+`ironic_inspector_cacert` is an optional path to a CA certificate.
+
 `ironic_inspector_url` is the URL of Ironic Inspector API endpoint,
 required if no authentication is used.
 
diff --git a/ansible/roles/ironic-inspector-rules/defaults/main.yml b/ansible/roles/ironic-inspector-rules/defaults/main.yml
index a23418082..2944208a7 100644
--- a/ansible/roles/ironic-inspector-rules/defaults/main.yml
+++ b/ansible/roles/ironic-inspector-rules/defaults/main.yml
@@ -8,6 +8,9 @@ ironic_inspector_auth_type:
 # Authentication information.
 ironic_inspector_auth: {}
 
+# CA certificate path.
+ironic_inspector_cacert:
+
 # URL of Ironic Inspector API endpoint.
 ironic_inspector_url:
 
diff --git a/ansible/roles/ironic-inspector-rules/tasks/main.yml b/ansible/roles/ironic-inspector-rules/tasks/main.yml
index 2ede1e114..1f6e405ef 100644
--- a/ansible/roles/ironic-inspector-rules/tasks/main.yml
+++ b/ansible/roles/ironic-inspector-rules/tasks/main.yml
@@ -18,6 +18,7 @@
   os_ironic_inspector_rule:
     auth_type: "{{ ironic_inspector_auth_type }}"
     auth: "{{ ironic_inspector_auth }}"
+    cacert: "{{ ironic_inspector_cacert | default(omit, true) }}"
     conditions: "{{ item.conditions }}"
     actions: "{{ item.actions }}"
     description: "{{ item.description | default(omit) }}"
diff --git a/releasenotes/notes/cacert-514b8645d6912bf9.yaml b/releasenotes/notes/cacert-514b8645d6912bf9.yaml
new file mode 100644
index 000000000..b3bad2bdd
--- /dev/null
+++ b/releasenotes/notes/cacert-514b8645d6912bf9.yaml
@@ -0,0 +1,8 @@
+---
+features:
+  - |
+    Adds support for specifying a CA certificate when accessing APIs.  The path
+    to the CA certificate may be specified via ``openstack_cacert`` , which
+    takes its default value from the ``OS_CACERT`` environment variable.  See
+    `story 2004911 <https://storyboard.openstack.org/#!/story/2004911>`__ for
+    details.