diff --git a/ansible/roles/aodh/templates/aodh-api.json.j2 b/ansible/roles/aodh/templates/aodh-api.json.j2
index f9aa6cdfb0..b7d4feff77 100644
--- a/ansible/roles/aodh/templates/aodh-api.json.j2
+++ b/ansible/roles/aodh/templates/aodh-api.json.j2
@@ -20,6 +20,12 @@
 "dest": "/etc/aodh/{{ aodh_policy_file }}",
 "owner": "aodh",
 "perm": "0600"
+ }{% endif %}{% if kolla_copy_ca_into_containers | bool %},
+ {
+ "source": "{{ container_config_directory }}/ca-certificates",
+ "dest": "/var/lib/kolla/share/ca-certificates",
+ "owner": "root",
+ "perm": "0600"
 }{% endif %}
 ],
 "permissions": [
diff --git a/ansible/roles/aodh/templates/aodh-evaluator.json.j2 b/ansible/roles/aodh/templates/aodh-evaluator.json.j2
index 995802a8b4..24dda5250b 100644
--- a/ansible/roles/aodh/templates/aodh-evaluator.json.j2
+++ b/ansible/roles/aodh/templates/aodh-evaluator.json.j2
@@ -12,6 +12,12 @@
 "dest": "/etc/aodh/{{ aodh_policy_file }}",
 "owner": "aodh",
 "perm": "0600"
+ }{% endif %}{% if kolla_copy_ca_into_containers | bool %},
+ {
+ "source": "{{ container_config_directory }}/ca-certificates",
+ "dest": "/var/lib/kolla/share/ca-certificates",
+ "owner": "root",
+ "perm": "0600"
 }{% endif %}
 ],
 "permissions": [
diff --git a/ansible/roles/aodh/templates/aodh-listener.json.j2 b/ansible/roles/aodh/templates/aodh-listener.json.j2
index 31d1af6c92..44f74cea97 100644
--- a/ansible/roles/aodh/templates/aodh-listener.json.j2
+++ b/ansible/roles/aodh/templates/aodh-listener.json.j2
@@ -12,6 +12,12 @@
 "dest": "/etc/aodh/{{ aodh_policy_file }}",
 "owner": "aodh",
 "perm": "0600"
+ }{% endif %}{% if kolla_copy_ca_into_containers | bool %},
+ {
+ "source": "{{ container_config_directory }}/ca-certificates",
+ "dest": "/var/lib/kolla/share/ca-certificates",
+ "owner": "root",
+ "perm": "0600"
 }{% endif %}
 ],
 "permissions": [
diff --git a/ansible/roles/aodh/templates/aodh-notifier.json.j2 b/ansible/roles/aodh/templates/aodh-notifier.json.j2
index 49339eaa36..dcf23d1eb3 100644
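Review bot: The new `ca-certificates` entry in aodh-api.json.j2 is installed as `root` with `"perm": "0600"`, so only root can read it; if the service process (running as `aodh` here) were expected to read `/var/lib/kolla/share/ca-certificates` directly, that mode would block it, which suggests the template relies on a root-run start step importing the directory into the container trust store before privileges are dropped. That dependency is not visible in the diff and the same six lines are repeated in every template of this series, so it deserves one line of documentation rather than being implied, e.g. a Jinja comment above the block: `{# CA bundle is imported into the system trust store by the root-run start script; 0600/root is intentional #}`. The conditional closed by the `{% endif %}` on the first added line starts outside the hunk, so the exact guard it pairs with cannot be checked here.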
--- a/ansible/roles/aodh/templates/aodh-notifier.json.j2
+++ b/ansible/roles/aodh/templates/aodh-notifier.json.j2
@@ -12,6 +12,12 @@
 "dest": "/etc/aodh/{{ aodh_policy_file }}",
 "owner": "aodh",
 "perm": "0600"
+ }{% endif %}{% if kolla_copy_ca_into_containers | bool %},
+ {
+ "source": "{{ container_config_directory }}/ca-certificates",
+ "dest": "/var/lib/kolla/share/ca-certificates",
+ "owner": "root",
+ "perm": "0600"
 }{% endif %}
 ],
 "permissions": [
diff --git a/ansible/roles/barbican/defaults/main.yml b/ansible/roles/barbican/defaults/main.yml
index 6dcfcbc0b8..07e79ece6d 100644
--- a/ansible/roles/barbican/defaults/main.yml
+++ b/ansible/roles/barbican/defaults/main.yml
@@ -213,3 +213,5 @@ barbican_enabled_notification_topics: "{{ barbican_notification_topics | selecta
 # TLS
 ####################
 barbican_enable_tls_backend: "{{ kolla_enable_tls_backend }}"
+
+barbican_copy_certs: "{{ kolla_copy_ca_into_containers | bool or barbican_enable_tls_backend | bool }}"
diff --git a/ansible/roles/barbican/tasks/config.yml b/ansible/roles/barbican/tasks/config.yml
index cec2d566c1..58832dce56 100644
--- a/ansible/roles/barbican/tasks/config.yml
+++ b/ansible/roles/barbican/tasks/config.yml
@@ -44,7 +44,7 @@

 - include_tasks: copy-certs.yml
 when:
- - kolla_copy_ca_into_containers | bool or barbican_enable_tls_backend | bool
+ - barbican_copy_certs

 - name: Copying over config.json files for services
 template:
diff --git a/ansible/roles/barbican/templates/barbican-api.json.j2 b/ansible/roles/barbican/templates/barbican-api.json.j2
index a807c17ea4..b8c305ca07 100644
--- a/ansible/roles/barbican/templates/barbican-api.json.j2
+++ b/ansible/roles/barbican/templates/barbican-api.json.j2
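Review bot: The new `- barbican_copy_certs` in the `when:` of barbican/tasks/config.yml drops the `| bool` filter that every template guard in this series applies to the same variable (`{% if barbican_copy_certs | bool %}`). The default is a templated string, so the conditional depends on Ansible re-evaluating the bare variable name; writing `- barbican_copy_certs | bool` keeps the task condition explicit and consistent with the templates, and is what the removed line did for both operands. The same point applies to the cinder, etcd, glance, heat, horizon and ironic config.yml hunks later in the diff.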
@@ -37,6 +37,12 @@
 "dest": "/etc/barbican/{{ barbican_policy_file }}",
 "owner": "barbican",
 "perm": "0600"
+ }{% endif %}{% if barbican_copy_certs | bool %},
+ {
+ "source": "{{ container_config_directory }}/ca-certificates",
+ "dest": "/var/lib/kolla/share/ca-certificates",
+ "owner": "root",
+ "perm": "0600"
 }{% endif %}
 ],
 "permissions": [
diff --git a/ansible/roles/barbican/templates/barbican-keystone-listener.json.j2 b/ansible/roles/barbican/templates/barbican-keystone-listener.json.j2
index e0f1f15618..40d896cf72 100644
--- a/ansible/roles/barbican/templates/barbican-keystone-listener.json.j2
+++ b/ansible/roles/barbican/templates/barbican-keystone-listener.json.j2
@@ -12,6 +12,12 @@
 "dest": "/etc/barbican/{{ barbican_policy_file }}",
 "owner": "barbican",
 "perm": "0600"
+ }{% endif %}{% if barbican_copy_certs | bool %},
+ {
+ "source": "{{ container_config_directory }}/ca-certificates",
+ "dest": "/var/lib/kolla/share/ca-certificates",
+ "owner": "root",
+ "perm": "0600"
 }{% endif %}
 ],
 "permissions": [
diff --git a/ansible/roles/barbican/templates/barbican-worker.json.j2 b/ansible/roles/barbican/templates/barbican-worker.json.j2
index 81a0ca7b17..1e26e0cb41 100644
--- a/ansible/roles/barbican/templates/barbican-worker.json.j2
+++ b/ansible/roles/barbican/templates/barbican-worker.json.j2
@@ -13,6 +13,13 @@
 "owner": "barbican",
 "perm": "0600"
 }{% endif %}
+ {% if barbican_copy_certs | bool %},
+ {
+ "source": "{{ container_config_directory }}/ca-certificates",
+ "dest": "/var/lib/kolla/share/ca-certificates",
+ "owner": "root",
+ "perm": "0600"
+ }{% endif %}
 ],
 "permissions": [
 {
diff --git a/ansible/roles/blazar/templates/blazar-api.json.j2 b/ansible/roles/blazar/templates/blazar-api.json.j2
index 02a8e07591..50fb62b38b 100644
--- a/ansible/roles/blazar/templates/blazar-api.json.j2
+++ b/ansible/roles/blazar/templates/blazar-api.json.j2
@@ -12,6 +12,12 @@
 "dest": "/etc/blazar/{{ blazar_policy_file }}",
 "owner": "blazar",
 "perm": "0600"
+ }{% endif %}{% if kolla_copy_ca_into_containers | bool %},
+ {
+ "source": "{{ container_config_directory }}/ca-certificates",
+ "dest": "/var/lib/kolla/share/ca-certificates",
+ "owner": "root",
+ "perm": "0600"
 }{% endif %}
 ],
 "permissions": [
diff --git a/ansible/roles/blazar/templates/blazar-manager.json.j2 b/ansible/roles/blazar/templates/blazar-manager.json.j2
index 8dda3afbd4..de550dc52f 100644
--- a/ansible/roles/blazar/templates/blazar-manager.json.j2
+++ b/ansible/roles/blazar/templates/blazar-manager.json.j2
@@ -12,6 +12,12 @@
 "dest": "/etc/blazar/{{ blazar_policy_file }}",
 "owner": "blazar",
 "perm": "0600"
+ }{% endif %}{% if kolla_copy_ca_into_containers | bool %},
+ {
+ "source": "{{ container_config_directory }}/ca-certificates",
+ "dest": "/var/lib/kolla/share/ca-certificates",
+ "owner": "root",
+ "perm": "0600"
 }{% endif %}
 ],
 "permissions": [
diff --git a/ansible/roles/ceilometer/templates/ceilometer-central.json.j2 b/ansible/roles/ceilometer/templates/ceilometer-central.json.j2
index 5912248190..dbb2e2dc08 100644
--- a/ansible/roles/ceilometer/templates/ceilometer-central.json.j2
+++ b/ansible/roles/ceilometer/templates/ceilometer-central.json.j2
@@ -42,7 +42,13 @@
 "dest": "/etc/ceilometer/pipeline.yaml",
 "owner": "ceilometer",
 "perm": "0600"
- }
+ }{% if kolla_copy_ca_into_containers | bool %},
+ {
+ "source": "{{ container_config_directory }}/ca-certificates",
+ "dest": "/var/lib/kolla/share/ca-certificates",
+ "owner": "root",
+ "perm": "0600"
+ }{% endif %}
 ],
 "permissions": [
 {
diff --git a/ansible/roles/ceilometer/templates/ceilometer-compute.json.j2 b/ansible/roles/ceilometer/templates/ceilometer-compute.json.j2
index 4cd4f45c01..8b00500eed 100644
--- a/ansible/roles/ceilometer/templates/ceilometer-compute.json.j2
+++ b/ansible/roles/ceilometer/templates/ceilometer-compute.json.j2
@@ -42,6 +42,12 @@
 "dest": "/etc/ceilometer/vmware_ca",
 "owner": "ceilometer",
 "perm": "0600"
+ }{% endif %}{% if kolla_copy_ca_into_containers | bool %},
+ {
+ "source": "{{ container_config_directory }}/ca-certificates",
+ "dest": "/var/lib/kolla/share/ca-certificates",
+ "owner": "root",
+ "perm": "0600"
 }{% endif %}
 ],
 "permissions": [
diff --git a/ansible/roles/ceilometer/templates/ceilometer-ipmi.json.j2 b/ansible/roles/ceilometer/templates/ceilometer-ipmi.json.j2
index 5c44f8c79e..fca9dbc481 100644
--- a/ansible/roles/ceilometer/templates/ceilometer-ipmi.json.j2
+++ b/ansible/roles/ceilometer/templates/ceilometer-ipmi.json.j2
@@ -30,6 +30,12 @@
 "dest": "/etc/ceilometer/meters.d",
 "owner": "ceilometer",
 "perm": "0700"
+ }{% endif %}{% if kolla_copy_ca_into_containers | bool %},
+ {
+ "source": "{{ container_config_directory }}/ca-certificates",
+ "dest": "/var/lib/kolla/share/ca-certificates",
+ "owner": "root",
+ "perm": "0600"
 }{% endif %}
 ],
 "permissions": [
diff --git a/ansible/roles/ceilometer/templates/ceilometer-notification.json.j2 b/ansible/roles/ceilometer/templates/ceilometer-notification.json.j2
index a7b2492a55..828fcfbe6a 100644
--- a/ansible/roles/ceilometer/templates/ceilometer-notification.json.j2
+++ b/ansible/roles/ceilometer/templates/ceilometer-notification.json.j2
@@ -42,6 +42,12 @@
 "dest": "/etc/ceilometer/{{ ceilometer_policy_file }}",
 "owner": "ceilometer",
 "perm": "0600"
+ }{% endif %}{% if kolla_copy_ca_into_containers | bool %},
+ {
+ "source": "{{ container_config_directory }}/ca-certificates",
+ "dest": "/var/lib/kolla/share/ca-certificates",
+ "owner": "root",
+ "perm": "0600"
 }{% endif %}
 ],
 "permissions": [
diff --git a/ansible/roles/cinder/defaults/main.yml b/ansible/roles/cinder/defaults/main.yml
index 797dd7d66a..6e5d30dad0 100644
--- a/ansible/roles/cinder/defaults/main.yml
+++ b/ansible/roles/cinder/defaults/main.yml
@@ -342,6 +342,7 @@ cinder_ks_user_roles:
 # TLS
 ####################
 cinder_enable_tls_backend: "{{ kolla_enable_tls_backend }}"
+cinder_copy_certs: "{{ kolla_copy_ca_into_containers | bool or cinder_enable_tls_backend | bool }}"

 ############
 # Clustering
diff --git a/ansible/roles/cinder/tasks/config.yml b/ansible/roles/cinder/tasks/config.yml
index 47adebb544..5802c9f414 100644
--- a/ansible/roles/cinder/tasks/config.yml
+++ b/ansible/roles/cinder/tasks/config.yml
@@ -42,7 +42,7 @@

 - include_tasks: copy-certs.yml
 when:
- - kolla_copy_ca_into_containers | bool or cinder_enable_tls_backend | bool
+ - cinder_copy_certs

 - name: Copying over config.json files for services
 template:
diff --git a/ansible/roles/cinder/templates/cinder-api.json.j2 b/ansible/roles/cinder/templates/cinder-api.json.j2
index bd00a9a3e3..a5ae5a3e9e 100644
--- a/ansible/roles/cinder/templates/cinder-api.json.j2
+++ b/ansible/roles/cinder/templates/cinder-api.json.j2
@@ -32,7 +32,13 @@
 "dest": "/etc/cinder/certs/cinder-key.pem",
 "owner": "cinder",
 "perm": "0600"
- }
+ }{% if cinder_copy_certs | bool %},
+ {
+ "source": "{{ container_config_directory }}/ca-certificates",
+ "dest": "/var/lib/kolla/share/ca-certificates",
+ "owner": "root",
+ "perm": "0600"
+ }{% endif %}
 {% endif %}],
 "permissions": [
 {
diff --git a/ansible/roles/cinder/templates/cinder-backup.json.j2 b/ansible/roles/cinder/templates/cinder-backup.json.j2
index 18268e9830..d921a04142 100644
--- a/ansible/roles/cinder/templates/cinder-backup.json.j2
+++ b/ansible/roles/cinder/templates/cinder-backup.json.j2
@@ -18,6 +18,12 @@
 "dest": "/etc/ceph",
 "owner": "cinder",
 "perm": "0600"
+ }{% endif %}{% if cinder_copy_certs | bool %},
+ {
+ "source": "{{ container_config_directory }}/ca-certificates",
+ "dest": "/var/lib/kolla/share/ca-certificates",
+ "owner": "root",
+ "perm": "0600"
 }{% endif %}
 ],
 "permissions": [
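Review bot: In cinder-api.json.j2 the new CA block is emitted before the context line ` {% endif %}],`, i.e. inside the enclosing `{% if %}` (opened outside the hunk) that wraps the `cinder-key.pem` entry; if that guard is the TLS-backend switch, a deployment with `kolla_copy_ca_into_containers` true but `cinder_enable_tls_backend` false has the bundle staged by copy-certs.yml (gated on `cinder_copy_certs`) yet never listed in config.json, so cinder_api does not receive it. heat-api.json.j2 in this same series places its block after the `{% endif %}`, and cinder-api should match: change the first added line to `}{% endif %}{% if cinder_copy_certs | bool %},` and the context line ` {% endif %}],` to ` ],`, leaving the rest of the block as is. The opening `{% if %}` is not in the hunk, so the exact condition should be confirmed in the file.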
diff --git a/ansible/roles/cinder/templates/cinder-scheduler.json.j2 b/ansible/roles/cinder/templates/cinder-scheduler.json.j2
index cd4a5124a6..e99b9080fa 100644
--- a/ansible/roles/cinder/templates/cinder-scheduler.json.j2
+++ b/ansible/roles/cinder/templates/cinder-scheduler.json.j2
@@ -12,6 +12,12 @@
 "dest": "/etc/cinder/{{ cinder_policy_file }}",
 "owner": "cinder",
 "perm": "0600"
+ }{% endif %}{% if cinder_copy_certs | bool %},
+ {
+ "source": "{{ container_config_directory }}/ca-certificates",
+ "dest": "/var/lib/kolla/share/ca-certificates",
+ "owner": "root",
+ "perm": "0600"
 }{% endif %}
 ],
 "permissions": [
diff --git a/ansible/roles/cinder/templates/cinder-volume.json.j2 b/ansible/roles/cinder/templates/cinder-volume.json.j2
index 93e9ee64d8..3de38cddb6 100644
--- a/ansible/roles/cinder/templates/cinder-volume.json.j2
+++ b/ansible/roles/cinder/templates/cinder-volume.json.j2
@@ -38,6 +38,12 @@
 "dest": "/etc/cinder/{{ cinder_policy_file }}",
 "owner": "cinder",
 "perm": "0600"
+ }{% endif %}{% if cinder_copy_certs | bool %},
+ {
+ "source": "{{ container_config_directory }}/ca-certificates",
+ "dest": "/var/lib/kolla/share/ca-certificates",
+ "owner": "root",
+ "perm": "0600"
 }{% endif %}
 ],
 "permissions": [
diff --git a/ansible/roles/cloudkitty/templates/cloudkitty-api.json.j2 b/ansible/roles/cloudkitty/templates/cloudkitty-api.json.j2
index 29b67738c0..3ba9b72212 100644
--- a/ansible/roles/cloudkitty/templates/cloudkitty-api.json.j2
+++ b/ansible/roles/cloudkitty/templates/cloudkitty-api.json.j2
@@ -26,6 +26,12 @@
 "dest": "/etc/cloudkitty/{{ cloudkitty_custom_metrics_yaml_file }}",
 "owner": "cloudkitty",
 "perm": "0600"
+ }{% endif %}{% if kolla_copy_ca_into_containers | bool %},
+ {
+ "source": "{{ container_config_directory }}/ca-certificates",
+ "dest": "/var/lib/kolla/share/ca-certificates",
+ "owner": "root",
+ "perm": "0600"
 }{% endif %}
 ],
 "permissions": [
diff --git a/ansible/roles/cloudkitty/templates/cloudkitty-processor.json.j2 b/ansible/roles/cloudkitty/templates/cloudkitty-processor.json.j2
index 4cd1041e08..5366b917bc 100644
--- a/ansible/roles/cloudkitty/templates/cloudkitty-processor.json.j2
+++ b/ansible/roles/cloudkitty/templates/cloudkitty-processor.json.j2
@@ -18,6 +18,12 @@
 "dest": "/etc/cloudkitty/{{ cloudkitty_custom_metrics_yaml_file }}",
 "owner": "cloudkitty",
 "perm": "0600"
+ }{% endif %}{% if kolla_copy_ca_into_containers | bool %},
+ {
+ "source": "{{ container_config_directory }}/ca-certificates",
+ "dest": "/var/lib/kolla/share/ca-certificates",
+ "owner": "root",
+ "perm": "0600"
 }{% endif %}
 ],
 "permissions": [
diff --git a/ansible/roles/common/templates/cron.json.j2 b/ansible/roles/common/templates/cron.json.j2
index 14b0153670..3c712e8d44 100644
--- a/ansible/roles/common/templates/cron.json.j2
+++ b/ansible/roles/common/templates/cron.json.j2
@@ -7,6 +7,12 @@
 "dest": "/etc/logrotate.conf",
 "owner": "root",
 "perm": "0600"
- }
+ }{% if kolla_copy_ca_into_containers | bool %},
+ {
+ "source": "{{ container_config_directory }}/ca-certificates",
+ "dest": "/var/lib/kolla/share/ca-certificates",
+ "owner": "root",
+ "perm": "0600"
+ }{% endif %}
 ]
 }
diff --git a/ansible/roles/common/templates/fluentd.json.j2 b/ansible/roles/common/templates/fluentd.json.j2
index f379fac105..906978f43d 100644
--- a/ansible/roles/common/templates/fluentd.json.j2
+++ b/ansible/roles/common/templates/fluentd.json.j2
@@ -6,7 +6,13 @@
 "dest": "/etc/fluentd/fluentd.conf",
 "owner": "fluentd",
 "perm": "0600"
- }
+ }{% if kolla_copy_ca_into_containers | bool %},
+ {
+ "source": "{{ container_config_directory }}/ca-certificates",
+ "dest": "/var/lib/kolla/share/ca-certificates",
+ "owner": "root",
+ "perm": "0600"
+ }{% endif %}
 ],
 "permissions": [
 {
diff --git a/ansible/roles/common/templates/kolla-toolbox.json.j2 b/ansible/roles/common/templates/kolla-toolbox.json.j2
index edf965fe1c..fbfaad6411 100644
--- a/ansible/roles/common/templates/kolla-toolbox.json.j2
+++ b/ansible/roles/common/templates/kolla-toolbox.json.j2
@@ -18,6 +18,12 @@
 "dest": "/etc/rabbitmq/erl_inetrc",
 "owner": "rabbitmq",
 "perm": "0600"
+ }{% endif %}{% if kolla_copy_ca_into_containers | bool %},
+ {
+ "source": "{{ container_config_directory }}/ca-certificates",
+ "dest": "/var/lib/kolla/share/ca-certificates",
+ "owner": "root",
+ "perm": "0600"
 }{% endif %}
 ],
 "permissions": [
diff --git a/ansible/roles/cyborg/templates/cyborg-agent.json.j2 b/ansible/roles/cyborg/templates/cyborg-agent.json.j2
index f72fe7379a..285c61b41f 100644
--- a/ansible/roles/cyborg/templates/cyborg-agent.json.j2
+++ b/ansible/roles/cyborg/templates/cyborg-agent.json.j2
@@ -12,6 +12,12 @@
 "dest": "/etc/cyborg/{{ cyborg_policy_file }}",
 "owner": "cyborg",
 "perm": "0600"
+ }{% endif %}{% if kolla_copy_ca_into_containers | bool %},
+ {
+ "source": "{{ container_config_directory }}/ca-certificates",
+ "dest": "/var/lib/kolla/share/ca-certificates",
+ "owner": "root",
+ "perm": "0600"
 }{% endif %}
 ],
 "permissions": [
diff --git a/ansible/roles/cyborg/templates/cyborg-api.json.j2 b/ansible/roles/cyborg/templates/cyborg-api.json.j2
index 922906e458..29a3f1d148 100644
--- a/ansible/roles/cyborg/templates/cyborg-api.json.j2
+++ b/ansible/roles/cyborg/templates/cyborg-api.json.j2
@@ -18,6 +18,12 @@
 "dest": "/etc/cyborg/{{ cyborg_policy_file }}",
 "owner": "cyborg",
 "perm": "0600"
+ }{% endif %}{% if kolla_copy_ca_into_containers | bool %},
+ {
+ "source": "{{ container_config_directory }}/ca-certificates",
+ "dest": "/var/lib/kolla/share/ca-certificates",
+ "owner": "root",
+ "perm": "0600"
 }{% endif %}
 ],
 "permissions": [
diff --git a/ansible/roles/cyborg/templates/cyborg-conductor.json.j2 b/ansible/roles/cyborg/templates/cyborg-conductor.json.j2
index d4b673b81c..a50a4e6995 100644
--- a/ansible/roles/cyborg/templates/cyborg-conductor.json.j2
+++ b/ansible/roles/cyborg/templates/cyborg-conductor.json.j2
@@ -12,6 +12,12 @@
 "dest": "/etc/cyborg/{{ cyborg_policy_file }}",
 "owner": "cyborg",
 "perm": "0600"
+ }{% endif %}{% if kolla_copy_ca_into_containers | bool %},
+ {
+ "source": "{{ container_config_directory }}/ca-certificates",
+ "dest": "/var/lib/kolla/share/ca-certificates",
+ "owner": "root",
+ "perm": "0600"
 }{% endif %}
 ],
 "permissions": [
diff --git a/ansible/roles/designate/templates/designate-api.json.j2 b/ansible/roles/designate/templates/designate-api.json.j2
index 73c1011096..b07b41daed 100644
--- a/ansible/roles/designate/templates/designate-api.json.j2
+++ b/ansible/roles/designate/templates/designate-api.json.j2
@@ -12,6 +12,12 @@
 "dest": "/etc/designate/{{ designate_policy_file }}",
 "owner": "designate",
 "perm": "0600"
+ }{% endif %}{% if kolla_copy_ca_into_containers | bool %},
+ {
+ "source": "{{ container_config_directory }}/ca-certificates",
+ "dest": "/var/lib/kolla/share/ca-certificates",
+ "owner": "root",
+ "perm": "0600"
 }{% endif %}
 ],
 "permissions": [
diff --git a/ansible/roles/designate/templates/designate-backend-bind9.json.j2 b/ansible/roles/designate/templates/designate-backend-bind9.json.j2
index 36766addf5..bbfad04ae7 100644
--- a/ansible/roles/designate/templates/designate-backend-bind9.json.j2
+++ b/ansible/roles/designate/templates/designate-backend-bind9.json.j2
@@ -23,7 +23,13 @@
 "owner": "root",
 "perm": "0600",
 "optional": true
- }
+ }{% if kolla_copy_ca_into_containers | bool %},
+ {
+ "source": "{{ container_config_directory }}/ca-certificates",
+ "dest": "/var/lib/kolla/share/ca-certificates",
+ "owner": "root",
+ "perm": "0600"
+ }{% endif %}
 ],
 "permissions": [
 {
diff --git a/ansible/roles/designate/templates/designate-central.json.j2 b/ansible/roles/designate/templates/designate-central.json.j2
index 3605761b4d..3f4f8bd038 100644
--- a/ansible/roles/designate/templates/designate-central.json.j2
+++ b/ansible/roles/designate/templates/designate-central.json.j2
@@ -12,6 +12,12 @@
 "dest": "/etc/designate/{{ designate_policy_file }}",
 "owner": "designate",
 "perm": "0600"
+ }{% endif %}{% if kolla_copy_ca_into_containers | bool %},
+ {
+ "source": "{{ container_config_directory }}/ca-certificates",
+ "dest": "/var/lib/kolla/share/ca-certificates",
+ "owner": "root",
+ "perm": "0600"
 }{% endif %}
 ],
 "permissions": [
diff --git a/ansible/roles/designate/templates/designate-mdns.json.j2 b/ansible/roles/designate/templates/designate-mdns.json.j2
index 6e83d5e611..28907c9a0c 100644
--- a/ansible/roles/designate/templates/designate-mdns.json.j2
+++ b/ansible/roles/designate/templates/designate-mdns.json.j2
@@ -12,6 +12,12 @@
 "dest": "/etc/designate/{{ designate_policy_file }}",
 "owner": "designate",
 "perm": "0600"
+ }{% endif %}{% if kolla_copy_ca_into_containers | bool %},
+ {
+ "source": "{{ container_config_directory }}/ca-certificates",
+ "dest": "/var/lib/kolla/share/ca-certificates",
+ "owner": "root",
+ "perm": "0600"
 }{% endif %}
 ],
 "permissions": [
diff --git a/ansible/roles/designate/templates/designate-producer.json.j2 b/ansible/roles/designate/templates/designate-producer.json.j2
index 7e3c257031..e496a9d651 100644
--- a/ansible/roles/designate/templates/designate-producer.json.j2
+++ b/ansible/roles/designate/templates/designate-producer.json.j2
@@ -12,6 +12,12 @@
 "dest": "/etc/designate/{{ designate_policy_file }}",
 "owner": "designate",
 "perm": "0600"
+ }{% endif %}{% if kolla_copy_ca_into_containers | bool %},
+ {
+ "source": "{{ container_config_directory }}/ca-certificates",
+ "dest": "/var/lib/kolla/share/ca-certificates",
+ "owner": "root",
+ "perm": "0600"
 }{% endif %}
 ],
 "permissions": [
diff --git a/ansible/roles/designate/templates/designate-sink.json.j2 b/ansible/roles/designate/templates/designate-sink.json.j2
index c8d0768c70..39273e00a9 100644
--- a/ansible/roles/designate/templates/designate-sink.json.j2
+++ b/ansible/roles/designate/templates/designate-sink.json.j2
@@ -12,6 +12,12 @@
 "dest": "/etc/designate/{{ designate_policy_file }}",
 "owner": "designate",
 "perm": "0600"
+ }{% endif %}{% if kolla_copy_ca_into_containers | bool %},
+ {
+ "source": "{{ container_config_directory }}/ca-certificates",
+ "dest": "/var/lib/kolla/share/ca-certificates",
+ "owner": "root",
+ "perm": "0600"
 }{% endif %}
 ],
 "permissions": [
diff --git a/ansible/roles/designate/templates/designate-worker.json.j2 b/ansible/roles/designate/templates/designate-worker.json.j2
index c1d8f765d0..4b4ee2dcbf 100644
--- a/ansible/roles/designate/templates/designate-worker.json.j2
+++ b/ansible/roles/designate/templates/designate-worker.json.j2
@@ -33,7 +33,13 @@
 "owner": "designate",
 "perm": "0600",
 "optional": true
- }
+ }{% if kolla_copy_ca_into_containers | bool %},
+ {
+ "source": "{{ container_config_directory }}/ca-certificates",
+ "dest": "/var/lib/kolla/share/ca-certificates",
+ "owner": "root",
+ "perm": "0600"
+ }{% endif %}
 ],
 "permissions": [
 {
diff --git a/ansible/roles/etcd/defaults/main.yml b/ansible/roles/etcd/defaults/main.yml
index 94a699f0e4..4cd94c4a3e 100644
--- a/ansible/roles/etcd/defaults/main.yml
+++ b/ansible/roles/etcd/defaults/main.yml
@@ -80,3 +80,8 @@ etcd_peer_internal_endpoint: "{{ etcd_protocol }}://{{ api_interface_address | p
 # Managing members
 ###################
 etcd_remove_deleted_members: "no"
+
+###################
+# Copy certificates
+###################
+etcd_copy_certs: "{{ kolla_copy_ca_into_containers | bool or etcd_enable_tls | bool }}"
diff --git a/ansible/roles/etcd/tasks/config.yml b/ansible/roles/etcd/tasks/config.yml
index cd780bad76..da36ad3c23 100644
--- a/ansible/roles/etcd/tasks/config.yml
+++ b/ansible/roles/etcd/tasks/config.yml
@@ -21,4 +21,4 @@

 - include_tasks: copy-certs.yml
 when:
- - etcd_enable_tls | bool
+ - etcd_copy_certs
diff --git a/ansible/roles/etcd/tasks/copy-certs.yml b/ansible/roles/etcd/tasks/copy-certs.yml
index 7601236f55..5530b6a8ee 100644
--- a/ansible/roles/etcd/tasks/copy-certs.yml
+++ b/ansible/roles/etcd/tasks/copy-certs.yml 
@@ -1,50 +1,6 @@
 ---
-- name: "{{ project_name }} | Copying over extra CA certificates"
- become: true
- copy:
- src: "{{ kolla_certificates_dir }}/ca/"
- dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates"
- mode: "0644"
- when:
- - kolla_copy_ca_into_containers | bool
- with_dict: "{{ etcd_services | select_services_enabled_and_mapped_to_host }}"
- notify:
- - "Restart {{ item.key }} container"
-
-- name: "{{ project_name }} | Copying over etcd TLS certificate"
+- name: "Copy certificates and keys for {{ project_name }}"
+ import_role:
+ role: service-cert-copy
 vars:
- certs:
- - "{{ kolla_certificates_dir }}/{{ inventory_hostname }}/{{ project_name }}-cert.pem"
- - "{{ kolla_certificates_dir }}/{{ inventory_hostname }}-cert.pem"
- - "{{ kolla_certificates_dir }}/{{ project_name }}-cert.pem"
- - "{{ kolla_tls_backend_cert }}"
- backend_tls_cert: "{{ lookup('first_found', certs) }}"
- copy:
- src: "{{ backend_tls_cert }}"
- dest: "{{ node_config_directory }}/{{ item.key }}/{{ project_name }}-cert.pem"
- mode: "0644"
- become: true
- with_dict: "{{ etcd_services | select_services_enabled_and_mapped_to_host }}"
- notify:
- - "Restart {{ item.key }} container"
- when:
- - etcd_enable_tls | bool
-
-- name: "{{ project_name }} | Copying over etcd TLS key"
- vars:
- keys:
- - "{{ kolla_certificates_dir }}/{{ inventory_hostname }}/{{ project_name }}-key.pem"
- - "{{ kolla_certificates_dir }}/{{ inventory_hostname }}-key.pem"
- - "{{ kolla_certificates_dir }}/{{ project_name }}-key.pem"
- - "{{ kolla_tls_backend_key }}"
- backend_tls_key: "{{ lookup('first_found', keys) }}"
- copy:
- src: "{{ backend_tls_key }}"
- dest: "{{ node_config_directory }}/{{ item.key }}/{{ project_name }}-key.pem"
- mode: "0600"
- become: true
- with_dict: "{{ etcd_services | select_services_enabled_and_mapped_to_host }}"
- notify:
- - "Restart {{ item.key }} container"
- when:
- - etcd_enable_tls | bool
+ project_services: "{{ etcd_services }}"
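Review bot: The replacement in etcd/tasks/copy-certs.yml delegates everything to the `service-cert-copy` role, which is not part of this diff, so the per-file guards the removed tasks carried are no longer visible here: the CA copy was gated on `kolla_copy_ca_into_containers`, the cert and key copies on `etcd_enable_tls`, the key was written with `mode: "0600"` while the cert and CA used `0644`, and each task notified `Restart {{ item.key }} container`. Because config.yml now includes this file when either flag is set (`etcd_copy_certs`), the role has to re-apply those conditions itself; if it does not, a CA-only deployment with `etcd_enable_tls` false would run the `first_found` lookup against cert files that do not exist. It is also worth confirming that the role's lookup order covers the etcd-specific `{{ project_name }}-cert.pem` / `-key.pem` names under `{{ kolla_certificates_dir }}/{{ inventory_hostname }}/` that the removed lists searched first. A one-line comment above `import_role`, such as `# service-cert-copy stages the CA bundle (0644), backend cert (0644) and key (0600) and notifies the container restart`, would record that contract next to the call once it has been verified.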
diff --git a/ansible/roles/etcd/templates/etcd.json.j2 b/ansible/roles/etcd/templates/etcd.json.j2
index dfd66d2e19..81324af915 100644
--- a/ansible/roles/etcd/templates/etcd.json.j2
+++ b/ansible/roles/etcd/templates/etcd.json.j2
@@ -13,6 +13,12 @@
 "dest": "/etc/etcd/certs/etcd-key.pem",
 "owner": "etcd",
 "perm": "0600"
+ }{% endif %}{% if etcd_copy_certs | bool %},
+ {
+ "source": "{{ container_config_directory }}/ca-certificates",
+ "dest": "/var/lib/kolla/share/ca-certificates",
+ "owner": "root",
+ "perm": "0600"
 }{% endif %}
 ]
 }
diff --git a/ansible/roles/glance/defaults/main.yml b/ansible/roles/glance/defaults/main.yml
index 21289fee7b..c791b58cf4 100644
--- a/ansible/roles/glance/defaults/main.yml
+++ b/ansible/roles/glance/defaults/main.yml
@@ -298,3 +298,8 @@ glance_tls_proxy_check_timeout: "10s"

 # Check http://www.haproxy.org/download/1.5/doc/configuration.txt for available options
 glance_tls_proxy_defaults_balance: "roundrobin"
+
+###################
+# Copy certificates
+###################
+glance_copy_certs: "{{ kolla_copy_ca_into_containers | bool or glance_enable_tls_backend | bool }}"
diff --git a/ansible/roles/glance/tasks/config.yml b/ansible/roles/glance/tasks/config.yml
index f98aefc29e..b81483dbe3 100644
--- a/ansible/roles/glance/tasks/config.yml
+++ b/ansible/roles/glance/tasks/config.yml
@@ -34,7 +34,7 @@

 - include_tasks: copy-certs.yml
 when:
- - kolla_copy_ca_into_containers | bool or glance_enable_tls_backend | bool
+ - glance_copy_certs

 - name: Creating TLS backend PEM File
 vars:
diff --git a/ansible/roles/glance/templates/glance-api.json.j2 b/ansible/roles/glance/templates/glance-api.json.j2
index 69ed722479..486d4d6686 100644
--- a/ansible/roles/glance/templates/glance-api.json.j2
+++ b/ansible/roles/glance/templates/glance-api.json.j2
@@ -42,6 +42,12 @@
 "dest": "/etc/glance/property-protections-rules.conf",
 "owner": "glance",
 "perm": "0600"
+ }{% endif %}{% if glance_copy_certs | bool %},
+ {
+ "source": "{{ container_config_directory }}/ca-certificates",
+ "dest": "/var/lib/kolla/share/ca-certificates",
+ "owner": "root",
+ "perm": "0600"
 }{% endif %}
 ],
 "permissions": [
diff --git a/ansible/roles/glance/templates/glance-tls-proxy.json.j2 b/ansible/roles/glance/templates/glance-tls-proxy.json.j2
index 27546f2d17..711f054f38 100644
--- a/ansible/roles/glance/templates/glance-tls-proxy.json.j2
+++ b/ansible/roles/glance/templates/glance-tls-proxy.json.j2
@@ -12,6 +12,12 @@
 "dest": "/etc/glance/certs/glance-cert-and-key.pem",
 "owner": "glance",
 "perm": "0600"
- }
+ }{% if glance_copy_certs | bool %},
+ {
+ "source": "{{ container_config_directory }}/ca-certificates",
+ "dest": "/var/lib/kolla/share/ca-certificates",
+ "owner": "root",
+ "perm": "0600"
+ }{% endif %}
 ]
 }
diff --git a/ansible/roles/gnocchi/templates/gnocchi-api.json.j2 b/ansible/roles/gnocchi/templates/gnocchi-api.json.j2
index 2dc59c1202..de8ed12900 100644
--- a/ansible/roles/gnocchi/templates/gnocchi-api.json.j2
+++ b/ansible/roles/gnocchi/templates/gnocchi-api.json.j2
@@ -26,8 +26,13 @@
 "dest": "/etc/ceph",
 "owner": "gnocchi",
 "perm": "0600"
+ }{% endif %}{% if kolla_copy_ca_into_containers | bool %},
+ {
+ "source": "{{ container_config_directory }}/ca-certificates",
+ "dest": "/var/lib/kolla/share/ca-certificates",
+ "owner": "root",
+ "perm": "0600"
 }{% endif %}
-
 ],
 "permissions": [
 {
diff --git a/ansible/roles/gnocchi/templates/gnocchi-metricd.json.j2 b/ansible/roles/gnocchi/templates/gnocchi-metricd.json.j2
index 9eb29ae51e..f9b4c6a53f 100644
--- a/ansible/roles/gnocchi/templates/gnocchi-metricd.json.j2
+++ b/ansible/roles/gnocchi/templates/gnocchi-metricd.json.j2
@@ -18,6 +18,12 @@
 "dest": "/etc/ceph",
 "owner": "gnocchi",
 "perm": "0600"
+ }{% endif %}{% if kolla_copy_ca_into_containers | bool %},
+ {
+ "source": "{{ container_config_directory }}/ca-certificates",
+ "dest": "/var/lib/kolla/share/ca-certificates",
+ "owner": "root",
+ "perm": "0600"
 }{% endif %}
 ],
 "permissions": [
diff --git a/ansible/roles/gnocchi/templates/gnocchi-statsd.json.j2 b/ansible/roles/gnocchi/templates/gnocchi-statsd.json.j2
index 7c439d74de..0024b5405d 100644
--- a/ansible/roles/gnocchi/templates/gnocchi-statsd.json.j2
+++ b/ansible/roles/gnocchi/templates/gnocchi-statsd.json.j2
@@ -18,6 +18,12 @@
 "dest": "/etc/ceph",
 "owner": "gnocchi",
 "perm": "0600"
+ }{% endif %}{% if kolla_copy_ca_into_containers | bool %},
+ {
+ "source": "{{ container_config_directory }}/ca-certificates",
+ "dest": "/var/lib/kolla/share/ca-certificates",
+ "owner": "root",
+ "perm": "0600"
 }{% endif %}
 ],
 "permissions": [
diff --git a/ansible/roles/grafana/templates/grafana.json.j2 b/ansible/roles/grafana/templates/grafana.json.j2
index e685eacd56..8b47e25e7c 100644
--- a/ansible/roles/grafana/templates/grafana.json.j2
+++ b/ansible/roles/grafana/templates/grafana.json.j2
@@ -42,7 +42,13 @@
 "owner": "grafana",
 "perm": "0755",
 "optional": true
- }
+ }{% if kolla_copy_ca_into_containers | bool %},
+ {
+ "source": "{{ container_config_directory }}/ca-certificates",
+ "dest": "/var/lib/kolla/share/ca-certificates",
+ "owner": "root",
+ "perm": "0600"
+ }{% endif %}
 ],
 "permissions": [
 {
diff --git a/ansible/roles/heat/defaults/main.yml b/ansible/roles/heat/defaults/main.yml
index e12df96f3a..5775b223ec 100644
--- a/ansible/roles/heat/defaults/main.yml
+++ b/ansible/roles/heat/defaults/main.yml
@@ -243,3 +243,5 @@ heat_ks_user_roles:
 # TLS
 ####################
 heat_enable_tls_backend: "{{ kolla_enable_tls_backend }}"
+
+heat_copy_certs: "{{ kolla_copy_ca_into_containers | bool or heat_enable_tls_backend | bool }}"
diff --git a/ansible/roles/heat/tasks/config.yml b/ansible/roles/heat/tasks/config.yml
index ec7226a7d5..71a242c604 100644
--- a/ansible/roles/heat/tasks/config.yml
+++ b/ansible/roles/heat/tasks/config.yml
@@ -30,7 +30,7 @@

 - include_tasks: copy-certs.yml
 when:
- - kolla_copy_ca_into_containers | bool or heat_enable_tls_backend | bool
+ - heat_copy_certs

 - name: Copying over config.json files for services
 become: true
diff --git a/ansible/roles/heat/templates/heat-api-cfn.json.j2 b/ansible/roles/heat/templates/heat-api-cfn.json.j2
index 3d7e483f52..dc75a092af 100644
--- a/ansible/roles/heat/templates/heat-api-cfn.json.j2
+++ b/ansible/roles/heat/templates/heat-api-cfn.json.j2
@@ -32,7 +32,13 @@
 "owner": "heat",
 "perm": "0600"
 }
- {% endif %}
+ {% endif %}{% if heat_copy_certs | bool %},
+ {
+ "source": "{{ container_config_directory }}/ca-certificates",
+ "dest": "/var/lib/kolla/share/ca-certificates",
+ "owner": "root",
+ "perm": "0600"
+ }{% endif %}
 ],
 "permissions": [
 {
diff --git a/ansible/roles/heat/templates/heat-api.json.j2 b/ansible/roles/heat/templates/heat-api.json.j2
index f339f3383b..08f7bd8a97 100644
--- a/ansible/roles/heat/templates/heat-api.json.j2
+++ b/ansible/roles/heat/templates/heat-api.json.j2
@@ -32,7 +32,13 @@
 "owner": "heat",
 "perm": "0600"
 }
- {% endif %}
+ {% endif %}{% if heat_copy_certs | bool %},
+ {
+ "source": "{{ container_config_directory }}/ca-certificates",
+ "dest": "/var/lib/kolla/share/ca-certificates",
+ "owner": "root",
+ "perm": "0600"
+ }{% endif %}
 ],
 "permissions": [
 {
diff --git a/ansible/roles/heat/templates/heat-engine.json.j2 b/ansible/roles/heat/templates/heat-engine.json.j2
index abad7cb725..afab1fc656 100644
--- a/ansible/roles/heat/templates/heat-engine.json.j2
+++ b/ansible/roles/heat/templates/heat-engine.json.j2
@@ -12,6 +12,12 @@ "dest": "/etc/heat/{{ heat_policy_file }}", "owner": "heat", "perm": "0600" + }{% endif %}{% if heat_copy_certs | bool %}, + { + "source": "{{ container_config_directory }}/ca-certificates", + "dest": "/var/lib/kolla/share/ca-certificates", + "owner": "root", + "perm": "0600" }{% endif %} ], "permissions": [ diff --git a/ansible/roles/horizon/defaults/main.yml b/ansible/roles/horizon/defaults/main.yml index 9365bcfb35..0caf95ef5c 100644 --- a/ansible/roles/horizon/defaults/main.yml +++ b/ansible/roles/horizon/defaults/main.yml @@ -157,3 +157,8 @@ horizon_source_version: "{{ kolla_source_version }}" # Therefore, instead of overriding the whole "horizon_keystone_url", this change allows an easier integration because # the Keystone public URL is already defined with variable "keystone_public_url". horizon_use_keystone_public_url: False + +################### +# Copy certificates +################### +horizon_copy_certs: "{{ kolla_copy_ca_into_containers | bool or horizon_enable_tls_backend | bool }}" diff --git a/ansible/roles/horizon/tasks/config.yml b/ansible/roles/horizon/tasks/config.yml index 836b1aabb9..5b136e8598 100644 --- a/ansible/roles/horizon/tasks/config.yml +++ b/ansible/roles/horizon/tasks/config.yml @@ -127,4 +127,4 @@ - include_tasks: copy-certs.yml when: - - kolla_copy_ca_into_containers | bool or horizon_enable_tls_backend | bool + - horizon_copy_certs diff --git a/ansible/roles/horizon/templates/horizon.json.j2 b/ansible/roles/horizon/templates/horizon.json.j2 index 69e9632863..1a0786196b 100644 --- a/ansible/roles/horizon/templates/horizon.json.j2 +++ b/ansible/roles/horizon/templates/horizon.json.j2 @@ -48,5 +48,12 @@ "owner": "horizon", "perm": "0600" }{% endif %} + {% if horizon_copy_certs | bool %}, + { + "source": "{{ container_config_directory }}/ca-certificates", + "dest": "/var/lib/kolla/share/ca-certificates", + "owner": "root", + "perm": "0600" + }{% endif %} ] } 
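Review bot: In horizon.json.j2 the new `{% if horizon_copy_certs | bool %},` is placed on its own line after `}{% endif %}`, so the rendered JSON ends up with the separating comma alone on a line (`}` / `,` / `{`); that is valid JSON, but every other template in this change attaches the tag directly, as in `}{% endif %}{% if horizon_copy_certs | bool %},`, and the bare comma reads like a stray to anyone scanning the rendered file. Suggest joining the two onto one line as the others do. Separately, `horizon_copy_certs` is introduced under a new `Copy certificates` heading in defaults while heat, ironic and barbican append theirs under the existing TLS heading; either layout works, but the roles should agree.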
diff --git a/ansible/roles/ironic/defaults/main.yml b/ansible/roles/ironic/defaults/main.yml index db86c0cf39..40b98bb1ee 100644 --- a/ansible/roles/ironic/defaults/main.yml +++ b/ansible/roles/ironic/defaults/main.yml @@ -378,3 +378,5 @@ ironic_ks_user_roles: # TLS #################### ironic_enable_tls_backend: "{{ kolla_enable_tls_backend }}" + +ironic_copy_certs: "{{ kolla_copy_ca_into_containers | bool or ironic_enable_tls_backend | bool }}" diff --git a/ansible/roles/ironic/tasks/config.yml b/ansible/roles/ironic/tasks/config.yml index 00f4eab21e..53c8369287 100644 --- a/ansible/roles/ironic/tasks/config.yml +++ b/ansible/roles/ironic/tasks/config.yml @@ -75,7 +75,7 @@ - include_tasks: copy-certs.yml when: - - kolla_copy_ca_into_containers | bool or ironic_enable_tls_backend | bool + - ironic_copy_certs - name: Copying over config.json files for services template: diff --git a/ansible/roles/ironic/templates/ironic-conductor.json.j2 b/ansible/roles/ironic/templates/ironic-conductor.json.j2 index 1cbc8eed5b..06ff789dff 100644 --- a/ansible/roles/ironic/templates/ironic-conductor.json.j2 +++ b/ansible/roles/ironic/templates/ironic-conductor.json.j2 @@ -12,6 +12,12 @@ "dest": "/etc/ironic/{{ ironic_policy_file }}", "owner": "ironic", "perm": "0600" + }{% endif %}{% if ironic_copy_certs | bool %}, + { + "source": "{{ container_config_directory }}/ca-certificates", + "dest": "/var/lib/kolla/share/ca-certificates", + "owner": "root", + "perm": "0600" }{% endif %} ], "permissions": [ diff --git a/ansible/roles/ironic/templates/ironic-dnsmasq.json.j2 b/ansible/roles/ironic/templates/ironic-dnsmasq.json.j2 index baab505285..dcca1843d3 100644 --- a/ansible/roles/ironic/templates/ironic-dnsmasq.json.j2 +++ b/ansible/roles/ironic/templates/ironic-dnsmasq.json.j2 
@@ -6,6 +6,12 @@ "dest": "/etc/dnsmasq.conf", "owner": "root", "perm": "0600" - } + }{% if ironic_copy_certs | bool %}, + { + "source": "{{ container_config_directory }}/ca-certificates", + "dest": "/var/lib/kolla/share/ca-certificates", + "owner": "root", + "perm": "0600" + }{% endif %} ] } diff --git a/ansible/roles/ironic/templates/ironic-http.json.j2 b/ansible/roles/ironic/templates/ironic-http.json.j2 index 8f1b7d08d5..670d45f1d3 100644 --- a/ansible/roles/ironic/templates/ironic-http.json.j2 +++ b/ansible/roles/ironic/templates/ironic-http.json.j2 @@ -28,6 +28,12 @@ "dest": "/etc/{{ apache_conf_dir }}/httpboot.conf", "owner": "root", "perm": "0644" - } + }{% if ironic_copy_certs | bool %}, + { + "source": "{{ container_config_directory }}/ca-certificates", + "dest": "/var/lib/kolla/share/ca-certificates", + "owner": "root", + "perm": "0600" + }{% endif %} ] } diff --git a/ansible/roles/ironic/templates/ironic-inspector.json.j2 b/ansible/roles/ironic/templates/ironic-inspector.json.j2 index e204176846..3282698f42 100644 --- a/ansible/roles/ironic/templates/ironic-inspector.json.j2 +++ b/ansible/roles/ironic/templates/ironic-inspector.json.j2 @@ -17,6 +17,11 @@ "source": "{{ container_config_directory }}/known_devices.yaml", "dest": "/etc/ironic-inspector/known_devices.yaml", "owner": "ironic-inspector", + }{% endif %}{% if ironic_copy_certs | bool %}, + { + "source": "{{ container_config_directory }}/ca-certificates", + "dest": "/var/lib/kolla/share/ca-certificates", + "owner": "root", "perm": "0600" }{% endif %} ] diff --git a/ansible/roles/ironic/templates/ironic-prometheus-exporter.json.j2 b/ansible/roles/ironic/templates/ironic-prometheus-exporter.json.j2 index c3b4bf2ee5..5099c23240 100644 --- a/ansible/roles/ironic/templates/ironic-prometheus-exporter.json.j2 +++ b/ansible/roles/ironic/templates/ironic-prometheus-exporter.json.j2 
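Review bot: In the ironic-inspector.json.j2 hunk the new block is spliced into the middle of the known_devices.yaml entry: the added `}{% endif %}{% if ironic_copy_certs | bool %},` directly follows the context line `"owner": "ironic-inspector",`, so whenever that optional entry is rendered it now closes with a trailing comma (rejected by a strict JSON parser, which is what kolla's config loader is presumably using) and loses its `"perm": "0600"`, while the remaining context `"perm": "0600"` is claimed by the ca-certificates block. Move the five added lines below the existing `"perm": "0600"` line so the junction reads `"perm": "0600"` / `}{% endif %}{% if ironic_copy_certs | bool %},` / `{`, and give the new block its own `"perm": "0600"` as the other templates in this change do. The known_devices entry is guarded by an `{% if %}` that opens above this hunk, so the breakage only shows up when that variable is set, which is probably why it rendered fine in a default deployment.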
@@ -14,7 +14,13 @@ "dest": "/etc/ironic/ironic.conf", "owner": "ironic", "perm": "0600" - } + }{% if ironic_copy_certs | bool %}, + { + "source": "{{ container_config_directory }}/ca-certificates", + "dest": "/var/lib/kolla/share/ca-certificates", + "owner": "root", + "perm": "0600" + }{% endif %} ], "permissions": [ { diff --git a/ansible/roles/keystone/defaults/main.yml b/ansible/roles/keystone/defaults/main.yml index 2ac66c6d9a..b518fb751b 100644 --- a/ansible/roles/keystone/defaults/main.yml +++ b/ansible/roles/keystone/defaults/main.yml @@ -246,3 +246,8 @@ keystone_oidc_enable_memcached: "{{ enable_memcached }}" # Database keystone_database_enable_tls_internal: "{{ database_enable_tls_internal | bool }}" + +################### +# Copy certificates +################### +keystone_copy_certs: "{{ kolla_copy_ca_into_containers | bool or keystone_enable_tls_backend | bool }}" diff --git a/ansible/roles/keystone/tasks/config.yml b/ansible/roles/keystone/tasks/config.yml index 04325d5735..3b3e2282b2 100644 --- a/ansible/roles/keystone/tasks/config.yml +++ b/ansible/roles/keystone/tasks/config.yml @@ -37,7 +37,7 @@ - include_tasks: copy-certs.yml when: - - kolla_copy_ca_into_containers | bool or keystone_enable_tls_backend | bool + - keystone_copy_certs - name: Copying over config.json files for services template: diff --git a/ansible/roles/keystone/templates/keystone-fernet.json.j2 b/ansible/roles/keystone/templates/keystone-fernet.json.j2 index 208e0dd922..695cad20a7 100644 --- a/ansible/roles/keystone/templates/keystone-fernet.json.j2 +++ b/ansible/roles/keystone/templates/keystone-fernet.json.j2 @@ -55,6 +55,12 @@ "dest": "/usr/bin/fernet-healthcheck.sh", "owner": "root", "perm": "0755" + }{% endif %}{% if keystone_copy_certs | bool %}, + { + "source": "{{ container_config_directory }}/ca-certificates", + "dest": "/var/lib/kolla/share/ca-certificates", + "owner": "root", + "perm": "0600" }{% endif %} ], "permissions": [ 
diff --git a/ansible/roles/keystone/templates/keystone-ssh.json.j2 b/ansible/roles/keystone/templates/keystone-ssh.json.j2 index d2b5edb415..96870348d4 100644 --- a/ansible/roles/keystone/templates/keystone-ssh.json.j2 +++ b/ansible/roles/keystone/templates/keystone-ssh.json.j2 @@ -12,7 +12,13 @@ "dest": "/var/lib/keystone/.ssh/authorized_keys", "owner": "keystone", "perm": "0600" - } + }{% if keystone_copy_certs | bool %}, + { + "source": "{{ container_config_directory }}/ca-certificates", + "dest": "/var/lib/kolla/share/ca-certificates", + "owner": "root", + "perm": "0600" + }{% endif %} ], "permissions": [ { diff --git a/ansible/roles/keystone/templates/keystone.json.j2 b/ansible/roles/keystone/templates/keystone.json.j2 index 705c338655..05c435773d 100644 --- a/ansible/roles/keystone/templates/keystone.json.j2 +++ b/ansible/roles/keystone/templates/keystone.json.j2 @@ -67,8 +67,13 @@ "owner": "{{ apache_user }}:{{ apache_user }}", "perm": "0600", "merge": true - } - {% endif %} + }{% endif %}{% if keystone_copy_certs | bool %}, + { + "source": "{{ container_config_directory }}/ca-certificates", + "dest": "/var/lib/kolla/share/ca-certificates", + "owner": "root", + "perm": "0600" + }{% endif %} ], "permissions": [ { diff --git a/ansible/roles/kuryr/templates/kuryr.json.j2 b/ansible/roles/kuryr/templates/kuryr.json.j2 index bff4724a64..4ba23100ff 100644 --- a/ansible/roles/kuryr/templates/kuryr.json.j2 +++ b/ansible/roles/kuryr/templates/kuryr.json.j2 @@ -18,6 +18,12 @@ "dest": "/etc/kuryr/{{ kuryr_policy_file }}", "owner": "kuryr", "perm": "0600" + }{% endif %}{% if kolla_copy_ca_into_containers | bool %}, + { + "source": "{{ container_config_directory }}/ca-certificates", + "dest": "/var/lib/kolla/share/ca-certificates", + "owner": "root", + "perm": "0600" }{% endif %} ], "permissions": [ diff --git a/ansible/roles/letsencrypt/templates/letsencrypt-lego.json.j2 b/ansible/roles/letsencrypt/templates/letsencrypt-lego.json.j2 index 174f20bdad..0791f49c98 100644 
--- a/ansible/roles/letsencrypt/templates/letsencrypt-lego.json.j2 +++ b/ansible/roles/letsencrypt/templates/letsencrypt-lego.json.j2 @@ -20,7 +20,13 @@ "dest": "/var/lib/letsencrypt/.ssh/id_rsa", "owner": "letsencrypt", "perm": "0600" - } + }{% if kolla_copy_ca_into_containers | bool %}, + { + "source": "{{ container_config_directory }}/ca-certificates", + "dest": "/var/lib/kolla/share/ca-certificates", + "owner": "root", + "perm": "0600" + }{% endif %} ] } diff --git a/ansible/roles/letsencrypt/templates/letsencrypt-webserver.json.j2 b/ansible/roles/letsencrypt/templates/letsencrypt-webserver.json.j2 index 5284241643..195c374425 100644 --- a/ansible/roles/letsencrypt/templates/letsencrypt-webserver.json.j2 +++ b/ansible/roles/letsencrypt/templates/letsencrypt-webserver.json.j2 @@ -9,6 +9,12 @@ "dest": "/etc/{{ letsencrypt_apache_dir }}/letsencrypt-webserver.conf", "owner": "letsencrypt", "perm": "0600" - } + }{% if kolla_copy_ca_into_containers | bool %}, + { + "source": "{{ container_config_directory }}/ca-certificates", + "dest": "/var/lib/kolla/share/ca-certificates", + "owner": "root", + "perm": "0600" + }{% endif %} ] } diff --git a/ansible/roles/loadbalancer/templates/haproxy-ssh/haproxy-ssh.json.j2 b/ansible/roles/loadbalancer/templates/haproxy-ssh/haproxy-ssh.json.j2 index 418be139d7..bf5f18de0c 100644 --- a/ansible/roles/loadbalancer/templates/haproxy-ssh/haproxy-ssh.json.j2 +++ b/ansible/roles/loadbalancer/templates/haproxy-ssh/haproxy-ssh.json.j2 @@ -12,6 +12,12 @@ "dest": "/var/lib/haproxy/.ssh/authorized_keys", "owner": "haproxy", "perm": "0600" - } + }{% if kolla_copy_ca_into_containers | bool %}, + { + "source": "{{ container_config_directory }}/ca-certificates", + "dest": "/var/lib/kolla/share/ca-certificates", + "owner": "root", + "perm": "0600" + }{% endif %} ] } diff --git a/ansible/roles/loadbalancer/templates/haproxy/haproxy.json.j2 b/ansible/roles/loadbalancer/templates/haproxy/haproxy.json.j2 index 5cc97e6637..c6a3bd5037 100644 
--- a/ansible/roles/loadbalancer/templates/haproxy/haproxy.json.j2 +++ b/ansible/roles/loadbalancer/templates/haproxy/haproxy.json.j2 @@ -40,6 +40,12 @@ "perm": "0600", "optional": {{ (not kolla_enable_tls_internal | bool) | string | lower }} } - {% endif %} + {% endif %}{% if kolla_copy_ca_into_containers | bool %}, + { + "source": "{{ container_config_directory }}/ca-certificates", + "dest": "/var/lib/kolla/share/ca-certificates", + "owner": "root", + "perm": "0600" + }{% endif %} ] } diff --git a/ansible/roles/loadbalancer/templates/keepalived/keepalived.json.j2 b/ansible/roles/loadbalancer/templates/keepalived/keepalived.json.j2 index eaadb5e175..e2c7c89da0 100644 --- a/ansible/roles/loadbalancer/templates/keepalived/keepalived.json.j2 +++ b/ansible/roles/loadbalancer/templates/keepalived/keepalived.json.j2 @@ -12,6 +12,12 @@ "dest": "/checks", "owner": "root", "perm": "0770" - } + }{% if kolla_copy_ca_into_containers | bool %}, + { + "source": "{{ container_config_directory }}/ca-certificates", + "dest": "/var/lib/kolla/share/ca-certificates", + "owner": "root", + "perm": "0600" + }{% endif %} ] } diff --git a/ansible/roles/loadbalancer/templates/proxysql/proxysql.json.j2 b/ansible/roles/loadbalancer/templates/proxysql/proxysql.json.j2 index 4f4e52fc07..ae1e90856a 100644 --- a/ansible/roles/loadbalancer/templates/proxysql/proxysql.json.j2 +++ b/ansible/roles/loadbalancer/templates/proxysql/proxysql.json.j2 @@ -24,7 +24,13 @@ "dest": "/etc/proxysql/rules", "owner": "proxysql", "perm": "0700" - } + }{% if kolla_copy_ca_into_containers | bool %}, + { + "source": "{{ container_config_directory }}/ca-certificates", + "dest": "/var/lib/kolla/share/ca-certificates", + "owner": "root", + "perm": "0600" + }{% endif %} {% if database_enable_tls_backend | bool %}, { "source": "{{ container_config_directory }}/ca-certificates/root.crt", 
diff --git a/ansible/roles/magnum/templates/magnum-api.json.j2 b/ansible/roles/magnum/templates/magnum-api.json.j2 index f3b172b812..671c122051 100644 --- a/ansible/roles/magnum/templates/magnum-api.json.j2 +++ b/ansible/roles/magnum/templates/magnum-api.json.j2 @@ -19,6 +19,12 @@ "dest": "/etc/magnum/{{ magnum_policy_file }}", "owner": "magnum", "perm": "0600" + }{% endif %}{% if kolla_copy_ca_into_containers | bool %}, + { + "source": "{{ container_config_directory }}/ca-certificates", + "dest": "/var/lib/kolla/share/ca-certificates", + "owner": "root", + "perm": "0600" }{% endif %} ], "permissions": [ diff --git a/ansible/roles/magnum/templates/magnum-conductor.json.j2 b/ansible/roles/magnum/templates/magnum-conductor.json.j2 index 13a3f2062f..8d077396eb 100644 --- a/ansible/roles/magnum/templates/magnum-conductor.json.j2 +++ b/ansible/roles/magnum/templates/magnum-conductor.json.j2 @@ -19,6 +19,12 @@ "dest": "/etc/magnum/{{ magnum_policy_file }}", "owner": "magnum", "perm": "0600" + }{% endif %}{% if kolla_copy_ca_into_containers | bool %}, + { + "source": "{{ container_config_directory }}/ca-certificates", + "dest": "/var/lib/kolla/share/ca-certificates", + "owner": "root", + "perm": "0600" }{% endif %} ], "permissions": [ diff --git a/ansible/roles/manila/templates/manila-api.json.j2 b/ansible/roles/manila/templates/manila-api.json.j2 index e1d6c8af8b..cd189484c8 100644 --- a/ansible/roles/manila/templates/manila-api.json.j2 +++ b/ansible/roles/manila/templates/manila-api.json.j2 @@ -12,6 +12,12 @@ "dest": "/etc/manila/{{ manila_policy_file }}", "owner": "manila", "perm": "0600" + }{% endif %}{% if kolla_copy_ca_into_containers | bool %}, + { + "source": "{{ container_config_directory }}/ca-certificates", + "dest": "/var/lib/kolla/share/ca-certificates", + "owner": "root", + "perm": "0600" }{% endif %} ], "permissions": [ 
diff --git a/ansible/roles/manila/templates/manila-data.json.j2 b/ansible/roles/manila/templates/manila-data.json.j2 index 7c1f82316c..6dbd175ef1 100644 --- a/ansible/roles/manila/templates/manila-data.json.j2 +++ b/ansible/roles/manila/templates/manila-data.json.j2 @@ -12,6 +12,12 @@ "dest": "/etc/manila/{{ manila_policy_file }}", "owner": "manila", "perm": "0600" + }{% endif %}{% if kolla_copy_ca_into_containers | bool %}, + { + "source": "{{ container_config_directory }}/ca-certificates", + "dest": "/var/lib/kolla/share/ca-certificates", + "owner": "root", + "perm": "0600" }{% endif %} ], "permissions": [ diff --git a/ansible/roles/manila/templates/manila-scheduler.json.j2 b/ansible/roles/manila/templates/manila-scheduler.json.j2 index 2d6987af64..4f7c7b5af8 100644 --- a/ansible/roles/manila/templates/manila-scheduler.json.j2 +++ b/ansible/roles/manila/templates/manila-scheduler.json.j2 @@ -12,6 +12,12 @@ "dest": "/etc/manila/{{ manila_policy_file }}", "owner": "manila", "perm": "0600" + }{% endif %}{% if kolla_copy_ca_into_containers | bool %}, + { + "source": "{{ container_config_directory }}/ca-certificates", + "dest": "/var/lib/kolla/share/ca-certificates", + "owner": "root", + "perm": "0600" }{% endif %} ], "permissions": [ diff --git a/ansible/roles/manila/templates/manila-share.json.j2 b/ansible/roles/manila/templates/manila-share.json.j2 index b25f9c020b..b304665fd5 100644 --- a/ansible/roles/manila/templates/manila-share.json.j2 +++ b/ansible/roles/manila/templates/manila-share.json.j2 @@ -18,6 +18,12 @@ "dest": "/etc/manila/{{ manila_policy_file }}", "owner": "manila", "perm": "0600" + }{% endif %}{% if kolla_copy_ca_into_containers | bool %}, + { + "source": "{{ container_config_directory }}/ca-certificates", + "dest": "/var/lib/kolla/share/ca-certificates", + "owner": "root", + "perm": "0600" }{% endif %} ], "permissions": [ 
diff --git a/ansible/roles/masakari/templates/masakari-api.json.j2 b/ansible/roles/masakari/templates/masakari-api.json.j2 index 51805120f0..f911d38cba 100644 --- a/ansible/roles/masakari/templates/masakari-api.json.j2 +++ b/ansible/roles/masakari/templates/masakari-api.json.j2 @@ -26,6 +26,12 @@ "dest": "/etc/masakari/{{ masakari_policy_file }}", "owner": "masakari", "perm": "0600" + }{% endif %}{% if kolla_copy_ca_into_containers | bool %}, + { + "source": "{{ container_config_directory }}/ca-certificates", + "dest": "/var/lib/kolla/share/ca-certificates", + "owner": "root", + "perm": "0600" }{% endif %} ], "permissions": [ diff --git a/ansible/roles/masakari/templates/masakari-engine.json.j2 b/ansible/roles/masakari/templates/masakari-engine.json.j2 index acee59ab57..681b3bf9a7 100644 --- a/ansible/roles/masakari/templates/masakari-engine.json.j2 +++ b/ansible/roles/masakari/templates/masakari-engine.json.j2 @@ -12,6 +12,12 @@ "dest": "/etc/masakari/{{ masakari_policy_file }}", "owner": "masakari", "perm": "0600" + }{% endif %}{% if kolla_copy_ca_into_containers | bool %}, + { + "source": "{{ container_config_directory }}/ca-certificates", + "dest": "/var/lib/kolla/share/ca-certificates", + "owner": "root", + "perm": "0600" }{% endif %} ], "permissions": [ diff --git a/ansible/roles/masakari/templates/masakari-hostmonitor.json.j2 b/ansible/roles/masakari/templates/masakari-hostmonitor.json.j2 index 15dff56a4a..f2c6015b47 100644 --- a/ansible/roles/masakari/templates/masakari-hostmonitor.json.j2 +++ b/ansible/roles/masakari/templates/masakari-hostmonitor.json.j2 @@ -6,7 +6,13 @@ "dest": "/etc/masakari-monitors/masakari-monitors.conf", "owner": "masakari", "perm": "0600" - } + }{% if kolla_copy_ca_into_containers | bool %}, + { + "source": "{{ container_config_directory }}/ca-certificates", + "dest": "/var/lib/kolla/share/ca-certificates", + "owner": "root", + "perm": "0600" + }{% endif %} ], "permissions": [ { 
diff --git a/ansible/roles/masakari/templates/masakari-instancemonitor.json.j2 b/ansible/roles/masakari/templates/masakari-instancemonitor.json.j2 index 2197bc0a0e..d4be66f59d 100644 --- a/ansible/roles/masakari/templates/masakari-instancemonitor.json.j2 +++ b/ansible/roles/masakari/templates/masakari-instancemonitor.json.j2 @@ -12,6 +12,12 @@ "dest": "/var/lib/masakari/.config/libvirt/auth.conf", "owner": "masakari", "perm": "0600" + }{% endif %}{% if kolla_copy_ca_into_containers | bool %}, + { + "source": "{{ container_config_directory }}/ca-certificates", + "dest": "/var/lib/kolla/share/ca-certificates", + "owner": "root", + "perm": "0600" }{% endif %} ], "permissions": [ diff --git a/ansible/roles/mistral/templates/mistral-api.json.j2 b/ansible/roles/mistral/templates/mistral-api.json.j2 index 34f2406d5d..c92e8c47cb 100644 --- a/ansible/roles/mistral/templates/mistral-api.json.j2 +++ b/ansible/roles/mistral/templates/mistral-api.json.j2 @@ -12,6 +12,12 @@ "dest": "/etc/mistral/{{ mistral_policy_file }}", "owner": "mistral", "perm": "0600" + }{% endif %}{% if kolla_copy_ca_into_containers | bool %}, + { + "source": "{{ container_config_directory }}/ca-certificates", + "dest": "/var/lib/kolla/share/ca-certificates", + "owner": "root", + "perm": "0600" }{% endif %} ], "permissions": [ diff --git a/ansible/roles/mistral/templates/mistral-engine.json.j2 b/ansible/roles/mistral/templates/mistral-engine.json.j2 index 358b8e15e0..bab45348fc 100644 --- a/ansible/roles/mistral/templates/mistral-engine.json.j2 +++ b/ansible/roles/mistral/templates/mistral-engine.json.j2 @@ -12,6 +12,12 @@ "dest": "/etc/mistral/{{ mistral_policy_file }}", "owner": "mistral", "perm": "0600" + }{% endif %}{% if kolla_copy_ca_into_containers | bool %}, + { + "source": "{{ container_config_directory }}/ca-certificates", + "dest": "/var/lib/kolla/share/ca-certificates", + "owner": "root", + "perm": "0600" }{% endif %} ], "permissions": [ 
diff --git a/ansible/roles/mistral/templates/mistral-event-engine.json.j2 b/ansible/roles/mistral/templates/mistral-event-engine.json.j2 index 6d45c2966f..67e8dc516c 100644 --- a/ansible/roles/mistral/templates/mistral-event-engine.json.j2 +++ b/ansible/roles/mistral/templates/mistral-event-engine.json.j2 @@ -18,6 +18,12 @@ "dest": "/etc/mistral/{{ mistral_policy_file }}", "owner": "mistral", "perm": "0600" + }{% endif %}{% if kolla_copy_ca_into_containers | bool %}, + { + "source": "{{ container_config_directory }}/ca-certificates", + "dest": "/var/lib/kolla/share/ca-certificates", + "owner": "root", + "perm": "0600" }{% endif %} ], "permissions": [ diff --git a/ansible/roles/mistral/templates/mistral-executor.json.j2 b/ansible/roles/mistral/templates/mistral-executor.json.j2 index 53c792ed32..e409bdab6d 100644 --- a/ansible/roles/mistral/templates/mistral-executor.json.j2 +++ b/ansible/roles/mistral/templates/mistral-executor.json.j2 @@ -12,6 +12,12 @@ "dest": "/etc/mistral/{{ mistral_policy_file }}", "owner": "mistral", "perm": "0600" + }{% endif %}{% if kolla_copy_ca_into_containers | bool %}, + { + "source": "{{ container_config_directory }}/ca-certificates", + "dest": "/var/lib/kolla/share/ca-certificates", + "owner": "root", + "perm": "0600" }{% endif %} ], "permissions": [ diff --git a/ansible/roles/neutron/defaults/main.yml b/ansible/roles/neutron/defaults/main.yml index 000f89adb5..2501ce3a42 100644 --- a/ansible/roles/neutron/defaults/main.yml +++ b/ansible/roles/neutron/defaults/main.yml @@ -940,3 +940,8 @@ neutron_tls_proxy_defaults_balance: "roundrobin" neutron_dns_integration: "{{ enable_designate | bool }}" # When overridden by the user, this value must end with a dot. neutron_dns_domain: "openstacklocal" + +################### +# Copy certificates +################### +neutron_copy_certs: "{{ kolla_copy_ca_into_containers | bool or neutron_enable_tls_backend | bool }}" 
diff --git a/ansible/roles/neutron/tasks/config.yml b/ansible/roles/neutron/tasks/config.yml index 8ba4e88a74..c71954fccd 100644 --- a/ansible/roles/neutron/tasks/config.yml +++ b/ansible/roles/neutron/tasks/config.yml @@ -19,7 +19,7 @@ - include_tasks: copy-certs.yml when: - - kolla_copy_ca_into_containers | bool or neutron_enable_tls_backend | bool + - neutron_copy_certs - name: Creating TLS backend PEM File vars: diff --git a/ansible/roles/neutron/templates/ironic-neutron-agent.json.j2 b/ansible/roles/neutron/templates/ironic-neutron-agent.json.j2 index 33eca34527..f60136490c 100644 --- a/ansible/roles/neutron/templates/ironic-neutron-agent.json.j2 +++ b/ansible/roles/neutron/templates/ironic-neutron-agent.json.j2 @@ -12,7 +12,13 @@ "dest": "/etc/neutron/plugins/ml2/ironic_neutron_agent.ini", "owner": "neutron", "perm": "0600" - } + }{% if neutron_copy_certs | bool %}, + { + "source": "{{ container_config_directory }}/ca-certificates", + "dest": "/var/lib/kolla/share/ca-certificates", + "owner": "root", + "perm": "0600" + }{% endif %} ], "permissions": [ { diff --git a/ansible/roles/neutron/templates/neutron-bgp-dragent.json.j2 b/ansible/roles/neutron/templates/neutron-bgp-dragent.json.j2 index cfce2042d2..1bae040c70 100644 --- a/ansible/roles/neutron/templates/neutron-bgp-dragent.json.j2 +++ b/ansible/roles/neutron/templates/neutron-bgp-dragent.json.j2 @@ -18,6 +18,12 @@ "dest": "/etc/neutron/{{ neutron_policy_file }}", "owner": "neutron", "perm": "0600" + }{% endif %}{% if neutron_copy_certs | bool %}, + { + "source": "{{ container_config_directory }}/ca-certificates", + "dest": "/var/lib/kolla/share/ca-certificates", + "owner": "root", + "perm": "0600" }{% endif %} ], "permissions": [ diff --git a/ansible/roles/neutron/templates/neutron-dhcp-agent.json.j2 b/ansible/roles/neutron/templates/neutron-dhcp-agent.json.j2 index f913957a10..bcf8ecd456 100644 --- a/ansible/roles/neutron/templates/neutron-dhcp-agent.json.j2 
+++ b/ansible/roles/neutron/templates/neutron-dhcp-agent.json.j2 @@ -24,6 +24,12 @@ "dest": "/etc/neutron/{{ neutron_policy_file }}", "owner": "neutron", "perm": "0600" + }{% endif %}{% if neutron_copy_certs | bool %}, + { + "source": "{{ container_config_directory }}/ca-certificates", + "dest": "/var/lib/kolla/share/ca-certificates", + "owner": "root", + "perm": "0600" }{% endif %} ], "permissions": [ diff --git a/ansible/roles/neutron/templates/neutron-eswitchd.json.j2 b/ansible/roles/neutron/templates/neutron-eswitchd.json.j2 index 721f4d7660..bb911e05b1 100644 --- a/ansible/roles/neutron/templates/neutron-eswitchd.json.j2 +++ b/ansible/roles/neutron/templates/neutron-eswitchd.json.j2 @@ -12,7 +12,13 @@ "dest": "/etc/neutron/plugins/ml2/eswitchd.conf", "owner": "neutron", "perm": "0600" - } + }{% if neutron_copy_certs | bool %}, + { + "source": "{{ container_config_directory }}/ca-certificates", + "dest": "/var/lib/kolla/share/ca-certificates", + "owner": "root", + "perm": "0600" + }{% endif %} ], "permissions": [ { diff --git a/ansible/roles/neutron/templates/neutron-infoblox-ipam-agent.json.j2 b/ansible/roles/neutron/templates/neutron-infoblox-ipam-agent.json.j2 index 24ef182f8c..d91d1b21c2 100644 --- a/ansible/roles/neutron/templates/neutron-infoblox-ipam-agent.json.j2 +++ b/ansible/roles/neutron/templates/neutron-infoblox-ipam-agent.json.j2 @@ -12,7 +12,13 @@ "dest": "/etc/neutron/plugins/ml2/ml2_conf.ini", "owner": "neutron", "perm": "0600" - } + }{% if neutron_copy_certs | bool %}, + { + "source": "{{ container_config_directory }}/ca-certificates", + "dest": "/var/lib/kolla/share/ca-certificates", + "owner": "root", + "perm": "0600" + }{% endif %} ], "permissions": [ { diff --git a/ansible/roles/neutron/templates/neutron-l3-agent.json.j2 b/ansible/roles/neutron/templates/neutron-l3-agent.json.j2 index cd36548419..8e8d77da5d 100644 --- a/ansible/roles/neutron/templates/neutron-l3-agent.json.j2 +++ b/ansible/roles/neutron/templates/neutron-l3-agent.json.j2 
@@ -36,6 +36,12 @@ "dest": "/etc/neutron/{{ neutron_policy_file }}", "owner": "neutron", "perm": "0600" + }{% endif %}{% if neutron_copy_certs | bool %}, + { + "source": "{{ container_config_directory }}/ca-certificates", + "dest": "/var/lib/kolla/share/ca-certificates", + "owner": "root", + "perm": "0600" }{% endif %} ], "permissions": [ diff --git a/ansible/roles/neutron/templates/neutron-linuxbridge-agent.json.j2 b/ansible/roles/neutron/templates/neutron-linuxbridge-agent.json.j2 index 2ea1dff2a5..e89ee94512 100644 --- a/ansible/roles/neutron/templates/neutron-linuxbridge-agent.json.j2 +++ b/ansible/roles/neutron/templates/neutron-linuxbridge-agent.json.j2 @@ -26,7 +26,13 @@ "dest": "/etc/neutron/plugins/ml2/linuxbridge_agent.ini", "owner": "neutron", "perm": "0600" - } + }{% if neutron_copy_certs | bool %}, + { + "source": "{{ container_config_directory }}/ca-certificates", + "dest": "/var/lib/kolla/share/ca-certificates", + "owner": "root", + "perm": "0600" + }{% endif %} ], "permissions": [ { diff --git a/ansible/roles/neutron/templates/neutron-metadata-agent.json.j2 b/ansible/roles/neutron/templates/neutron-metadata-agent.json.j2 index 8d96067228..29d781f732 100644 --- a/ansible/roles/neutron/templates/neutron-metadata-agent.json.j2 +++ b/ansible/roles/neutron/templates/neutron-metadata-agent.json.j2 @@ -18,6 +18,12 @@ "dest": "/etc/neutron/{{ neutron_policy_file }}", "owner": "neutron", "perm": "0600" + }{% endif %}{% if neutron_copy_certs | bool %}, + { + "source": "{{ container_config_directory }}/ca-certificates", + "dest": "/var/lib/kolla/share/ca-certificates", + "owner": "root", + "perm": "0600" }{% endif %} ], "permissions": [ diff --git a/ansible/roles/neutron/templates/neutron-metering-agent.json.j2 b/ansible/roles/neutron/templates/neutron-metering-agent.json.j2 index 6a1d6cef81..1929bbc5d3 100644 --- a/ansible/roles/neutron/templates/neutron-metering-agent.json.j2 +++ b/ansible/roles/neutron/templates/neutron-metering-agent.json.j2 
@@ -18,6 +18,12 @@ "dest": "/etc/neutron/{{ neutron_policy_file }}", "owner": "neutron", "perm": "0600" + }{% endif %}{% if neutron_copy_certs | bool %}, + { + "source": "{{ container_config_directory }}/ca-certificates", + "dest": "/var/lib/kolla/share/ca-certificates", + "owner": "root", + "perm": "0600" }{% endif %} ], "permissions": [ diff --git a/ansible/roles/neutron/templates/neutron-mlnx-agent.json.j2 b/ansible/roles/neutron/templates/neutron-mlnx-agent.json.j2 index 812bbd0192..98a99c9f21 100644 --- a/ansible/roles/neutron/templates/neutron-mlnx-agent.json.j2 +++ b/ansible/roles/neutron/templates/neutron-mlnx-agent.json.j2 @@ -12,7 +12,13 @@ "dest": "/etc/neutron/plugins/mlnx/mlnx_agent.ini", "owner": "neutron", "perm": "0600" - } + }{% if neutron_copy_certs | bool %}, + { + "source": "{{ container_config_directory }}/ca-certificates", + "dest": "/var/lib/kolla/share/ca-certificates", + "owner": "root", + "perm": "0600" + }{% endif %} ], "permissions": [ { diff --git a/ansible/roles/neutron/templates/neutron-openvswitch-agent-xenapi.json.j2 b/ansible/roles/neutron/templates/neutron-openvswitch-agent-xenapi.json.j2 index 66e969c8ae..06044c858a 100644 --- a/ansible/roles/neutron/templates/neutron-openvswitch-agent-xenapi.json.j2 +++ b/ansible/roles/neutron/templates/neutron-openvswitch-agent-xenapi.json.j2 @@ -18,6 +18,12 @@ "dest": "/etc/neutron/{{ neutron_policy_file }}", "owner": "neutron", "perm": "0600" + }{% endif %}{% if neutron_copy_certs | bool %}, + { + "source": "{{ container_config_directory }}/ca-certificates", + "dest": "/var/lib/kolla/share/ca-certificates", + "owner": "root", + "perm": "0600" }{% endif %} ], "permissions": [ diff --git a/ansible/roles/neutron/templates/neutron-openvswitch-agent.json.j2 b/ansible/roles/neutron/templates/neutron-openvswitch-agent.json.j2 index 99f9064ef6..aa18920601 100644 --- a/ansible/roles/neutron/templates/neutron-openvswitch-agent.json.j2 
+++ b/ansible/roles/neutron/templates/neutron-openvswitch-agent.json.j2 @@ -34,7 +34,13 @@ "dest": "/etc/neutron/plugins/ml2/openvswitch_agent.ini", "owner": "neutron", "perm": "0600" - } + }{% if neutron_copy_certs | bool %}, + { + "source": "{{ container_config_directory }}/ca-certificates", + "dest": "/var/lib/kolla/share/ca-certificates", + "owner": "root", + "perm": "0600" + }{% endif %} ], "permissions": [ { diff --git a/ansible/roles/neutron/templates/neutron-ovn-agent.json.j2 b/ansible/roles/neutron/templates/neutron-ovn-agent.json.j2 index 4c10604fb1..9f49f86dd1 100644 --- a/ansible/roles/neutron/templates/neutron-ovn-agent.json.j2 +++ b/ansible/roles/neutron/templates/neutron-ovn-agent.json.j2 @@ -18,6 +18,12 @@ "dest": "/etc/neutron/{{ neutron_policy_file }}", "owner": "neutron", "perm": "0600" + }{% endif %}{% if neutron_copy_certs | bool %}, + { + "source": "{{ container_config_directory }}/ca-certificates", + "dest": "/var/lib/kolla/share/ca-certificates", + "owner": "root", + "perm": "0600" }{% endif %} ], "permissions": [ diff --git a/ansible/roles/neutron/templates/neutron-ovn-metadata-agent.json.j2 b/ansible/roles/neutron/templates/neutron-ovn-metadata-agent.json.j2 index 6c3850b5c5..7116dc185c 100644 --- a/ansible/roles/neutron/templates/neutron-ovn-metadata-agent.json.j2 +++ b/ansible/roles/neutron/templates/neutron-ovn-metadata-agent.json.j2 @@ -18,6 +18,12 @@ "dest": "/etc/neutron/{{ neutron_policy_file }}", "owner": "neutron", "perm": "0600" + }{% endif %}{% if neutron_copy_certs | bool %}, + { + "source": "{{ container_config_directory }}/ca-certificates", + "dest": "/var/lib/kolla/share/ca-certificates", + "owner": "root", + "perm": "0600" }{% endif %} ], "permissions": [ diff --git a/ansible/roles/neutron/templates/neutron-server.json.j2 b/ansible/roles/neutron/templates/neutron-server.json.j2 index 1fe3b349f5..f6af1ebbbd 100644 --- a/ansible/roles/neutron/templates/neutron-server.json.j2 
+++ b/ansible/roles/neutron/templates/neutron-server.json.j2 @@ -60,7 +60,13 @@ "dest": "/var/lib/neutron/.ssh/id_rsa", "owner": "neutron", "perm": "0600" - } + }{% if neutron_copy_certs | bool %}, + { + "source": "{{ container_config_directory }}/ca-certificates", + "dest": "/var/lib/kolla/share/ca-certificates", + "owner": "root", + "perm": "0600" + }{% endif %} ], "permissions": [ { diff --git a/ansible/roles/neutron/templates/neutron-sriov-agent.json.j2 b/ansible/roles/neutron/templates/neutron-sriov-agent.json.j2 index 83abe58df3..3baf244f19 100644 --- a/ansible/roles/neutron/templates/neutron-sriov-agent.json.j2 +++ b/ansible/roles/neutron/templates/neutron-sriov-agent.json.j2 @@ -18,6 +18,12 @@ "dest": "/etc/neutron/{{ neutron_policy_file }}", "owner": "neutron", "perm": "0600" + }{% endif %}{% if neutron_copy_certs | bool %}, + { + "source": "{{ container_config_directory }}/ca-certificates", + "dest": "/var/lib/kolla/share/ca-certificates", + "owner": "root", + "perm": "0600" }{% endif %} ], "permissions": [ diff --git a/ansible/roles/neutron/templates/neutron-tls-proxy.json.j2 b/ansible/roles/neutron/templates/neutron-tls-proxy.json.j2 index 0a45cc2f8f..fe66141266 100644 --- a/ansible/roles/neutron/templates/neutron-tls-proxy.json.j2 +++ b/ansible/roles/neutron/templates/neutron-tls-proxy.json.j2 @@ -12,6 +12,12 @@ "dest": "/etc/neutron/certs/neutron-cert-and-key.pem", "owner": "neutron", "perm": "0600" - } + }{% if neutron_copy_certs | bool %}, + { + "source": "{{ container_config_directory }}/ca-certificates", + "dest": "/var/lib/kolla/share/ca-certificates", + "owner": "root", + "perm": "0600" + }{% endif %} ] } diff --git a/ansible/roles/nova-cell/templates/nova-compute-ironic.json.j2 b/ansible/roles/nova-cell/templates/nova-compute-ironic.json.j2 index 1c2fb31d98..2385e402de 100644 --- a/ansible/roles/nova-cell/templates/nova-compute-ironic.json.j2 +++ b/ansible/roles/nova-cell/templates/nova-compute-ironic.json.j2 
@@ -18,6 +18,12 @@
 "dest": "/etc/nova/vendordata.json",
 "owner": "nova",
 "perm": "0600"
+ }{% endif %}{% if kolla_copy_ca_into_containers | bool %},
+ {
+ "source": "{{ container_config_directory }}/ca-certificates",
+ "dest": "/var/lib/kolla/share/ca-certificates",
+ "owner": "root",
+ "perm": "0600"
 }{% endif %}
 ],
 "permissions": [
diff --git a/ansible/roles/nova-cell/templates/nova-compute.json.j2 b/ansible/roles/nova-cell/templates/nova-compute.json.j2
index cf437bf7aa..dc33c3b81d 100644
--- a/ansible/roles/nova-cell/templates/nova-compute.json.j2
+++ b/ansible/roles/nova-cell/templates/nova-compute.json.j2
@@ -79,6 +79,12 @@
 "dest": "/etc/nova/vendordata.json",
 "owner": "nova",
 "perm": "0600"
+ }{% endif %}{% if kolla_copy_ca_into_containers | bool %},
+ {
+ "source": "{{ container_config_directory }}/ca-certificates",
+ "dest": "/var/lib/kolla/share/ca-certificates",
+ "owner": "root",
+ "perm": "0600"
 }{% endif %}
 ],
 "permissions": [
diff --git a/ansible/roles/nova-cell/templates/nova-conductor.json.j2 b/ansible/roles/nova-cell/templates/nova-conductor.json.j2
index 6a7328713d..92925888f5 100644
--- a/ansible/roles/nova-cell/templates/nova-conductor.json.j2
+++ b/ansible/roles/nova-cell/templates/nova-conductor.json.j2
@@ -6,7 +6,13 @@
 "dest": "/etc/nova/nova.conf",
 "owner": "nova",
 "perm": "0600"
- }
+ }{% if kolla_copy_ca_into_containers | bool %},
+ {
+ "source": "{{ container_config_directory }}/ca-certificates",
+ "dest": "/var/lib/kolla/share/ca-certificates",
+ "owner": "root",
+ "perm": "0600"
+ }{% endif %}
 ],
 "permissions": [
 {
diff --git a/ansible/roles/nova-cell/templates/nova-libvirt.json.j2 b/ansible/roles/nova-cell/templates/nova-libvirt.json.j2
index a7df6a275d..e81413b358 100644
--- a/ansible/roles/nova-cell/templates/nova-libvirt.json.j2
+++ b/ansible/roles/nova-cell/templates/nova-libvirt.json.j2
@@ -67,6 +67,12 @@
 "dest": "/root/.config/libvirt/auth.conf",
 "owner": "root",
 "perm": "0600"
+ }{% endif %}{% if kolla_copy_ca_into_containers | bool %},
+ {
+ "source": "{{ container_config_directory }}/ca-certificates",
+ "dest": "/var/lib/kolla/share/ca-certificates",
+ "owner": "root",
+ "perm": "0600"
 }{% endif %}
 ]
 }
diff --git a/ansible/roles/nova-cell/templates/nova-novncproxy.json.j2 b/ansible/roles/nova-cell/templates/nova-novncproxy.json.j2
index d34efb3d69..8ff5b39e64 100644
--- a/ansible/roles/nova-cell/templates/nova-novncproxy.json.j2
+++ b/ansible/roles/nova-cell/templates/nova-novncproxy.json.j2
@@ -6,7 +6,13 @@
 "dest": "/etc/nova/nova.conf",
 "owner": "nova",
 "perm": "0600"
- }
+ }{% if kolla_copy_ca_into_containers | bool %},
+ {
+ "source": "{{ container_config_directory }}/ca-certificates",
+ "dest": "/var/lib/kolla/share/ca-certificates",
+ "owner": "root",
+ "perm": "0600"
+ }{% endif %}
 ],
 "permissions": [
 {
diff --git a/ansible/roles/nova-cell/templates/nova-serialproxy.json.j2 b/ansible/roles/nova-cell/templates/nova-serialproxy.json.j2
index 3aac725913..867f9615fb 100644
--- a/ansible/roles/nova-cell/templates/nova-serialproxy.json.j2
+++ b/ansible/roles/nova-cell/templates/nova-serialproxy.json.j2
@@ -6,7 +6,13 @@
 "dest": "/etc/nova/nova.conf",
 "owner": "nova",
 "perm": "0600"
- }
+ }{% if kolla_copy_ca_into_containers | bool %},
+ {
+ "source": "{{ container_config_directory }}/ca-certificates",
+ "dest": "/var/lib/kolla/share/ca-certificates",
+ "owner": "root",
+ "perm": "0600"
+ }{% endif %}
 ],
 "permissions": [
 {
diff --git a/ansible/roles/nova-cell/templates/nova-spicehtml5proxy.json.j2 b/ansible/roles/nova-cell/templates/nova-spicehtml5proxy.json.j2
index e12354bf43..5585803fea 100644
--- a/ansible/roles/nova-cell/templates/nova-spicehtml5proxy.json.j2
+++ b/ansible/roles/nova-cell/templates/nova-spicehtml5proxy.json.j2
@@ -6,7 +6,13 @@ "dest": "/etc/nova/nova.conf", "owner": "nova", "perm": "0600" - } + }{% if kolla_copy_ca_into_containers | bool %}, + { + "source": "{{ container_config_directory }}/ca-certificates", + "dest": "/var/lib/kolla/share/ca-certificates", + "owner": "root", + "perm": "0600" + }{% endif %} ], "permissions": [ { diff --git a/ansible/roles/nova-cell/templates/nova-ssh.json.j2 b/ansible/roles/nova-cell/templates/nova-ssh.json.j2 index f31f6d95e0..be378238c9 100644 --- a/ansible/roles/nova-cell/templates/nova-ssh.json.j2 +++ b/ansible/roles/nova-cell/templates/nova-ssh.json.j2 @@ -24,6 +24,12 @@ "dest": "/var/lib/nova/.ssh/authorized_keys", "owner": "nova", "perm": "0600" - } + }{% if kolla_copy_ca_into_containers | bool %}, + { + "source": "{{ container_config_directory }}/ca-certificates", + "dest": "/var/lib/kolla/share/ca-certificates", + "owner": "root", + "perm": "0600" + }{% endif %} ] } diff --git a/ansible/roles/nova/defaults/main.yml b/ansible/roles/nova/defaults/main.yml index 12ec10a133..038257b48e 100644 --- a/ansible/roles/nova/defaults/main.yml +++ b/ansible/roles/nova/defaults/main.yml @@ -272,3 +272,5 @@ nova_source_version: "{{ kolla_source_version }}" # TLS #################### nova_enable_tls_backend: "{{ kolla_enable_tls_backend }}" + +nova_copy_certs: "{{ kolla_copy_ca_into_containers | bool or nova_enable_tls_backend | bool }}" diff --git a/ansible/roles/nova/tasks/config.yml b/ansible/roles/nova/tasks/config.yml index 8e53d79f71..c59281c238 100644 --- a/ansible/roles/nova/tasks/config.yml +++ b/ansible/roles/nova/tasks/config.yml @@ -43,7 +43,7 @@ - include_tasks: copy-certs.yml when: - - kolla_copy_ca_into_containers | bool or nova_enable_tls_backend | bool + - nova_copy_certs - name: Copying over config.json files for services become: true diff --git a/ansible/roles/nova/templates/nova-api.json.j2 b/ansible/roles/nova/templates/nova-api.json.j2 index 8a3bffa801..444e44ec66 100644 --- a/ansible/roles/nova/templates/nova-api.json.j2 
+++ b/ansible/roles/nova/templates/nova-api.json.j2
@@ -38,6 +38,12 @@
 "dest": "/etc/nova/vendordata.json",
 "owner": "nova",
 "perm": "0600"
+ }{% endif %}{% if nova_copy_certs | bool %},
+ {
+ "source": "{{ container_config_directory }}/ca-certificates",
+ "dest": "/var/lib/kolla/share/ca-certificates",
+ "owner": "root",
+ "perm": "0600"
 }{% endif %}
 ],
 "permissions": [
diff --git a/ansible/roles/nova/templates/nova-scheduler.json.j2 b/ansible/roles/nova/templates/nova-scheduler.json.j2
index 36638987a0..9159bec31f 100644
--- a/ansible/roles/nova/templates/nova-scheduler.json.j2
+++ b/ansible/roles/nova/templates/nova-scheduler.json.j2
@@ -6,7 +6,13 @@
 "dest": "/etc/nova/nova.conf",
 "owner": "nova",
 "perm": "0600"
- }
+ }{% if nova_copy_certs | bool %},
+ {
+ "source": "{{ container_config_directory }}/ca-certificates",
+ "dest": "/var/lib/kolla/share/ca-certificates",
+ "owner": "root",
+ "perm": "0600"
+ }{% endif %}
 ],
 "permissions": [
 {
diff --git a/ansible/roles/nova/templates/nova-super-conductor.json.j2 b/ansible/roles/nova/templates/nova-super-conductor.json.j2
index 6a7328713d..1f633f7599 100644
--- a/ansible/roles/nova/templates/nova-super-conductor.json.j2
+++ b/ansible/roles/nova/templates/nova-super-conductor.json.j2
@@ -6,7 +6,13 @@
 "dest": "/etc/nova/nova.conf",
 "owner": "nova",
 "perm": "0600"
- }
+ }{% if nova_copy_certs | bool %},
+ {
+ "source": "{{ container_config_directory }}/ca-certificates",
+ "dest": "/var/lib/kolla/share/ca-certificates",
+ "owner": "root",
+ "perm": "0600"
+ }{% endif %}
 ],
 "permissions": [
 {
diff --git a/ansible/roles/octavia/defaults/main.yml b/ansible/roles/octavia/defaults/main.yml
index 130530b79e..38f0e1c3e5 100644
--- a/ansible/roles/octavia/defaults/main.yml
+++ b/ansible/roles/octavia/defaults/main.yml
@@ -376,3 +376,5 @@ octavia_provider_agents: "amphora_agent{% if neutron_plugin_agent == 'ovn' %}, o # TLS #################### octavia_enable_tls_backend: "{{ kolla_enable_tls_backend }}" + +octavia_copy_certs: "{{ kolla_copy_ca_into_containers | bool or octavia_enable_tls_backend | bool }}" diff --git a/ansible/roles/octavia/tasks/config.yml b/ansible/roles/octavia/tasks/config.yml index 48044bc58d..3c9417c313 100644 --- a/ansible/roles/octavia/tasks/config.yml +++ b/ansible/roles/octavia/tasks/config.yml @@ -45,7 +45,7 @@ - include_tasks: copy-certs.yml when: - - kolla_copy_ca_into_containers | bool or octavia_enable_tls_backend | bool + - octavia_copy_certs - name: Copying over config.json files for services template: diff --git a/ansible/roles/octavia/templates/octavia-api.json.j2 b/ansible/roles/octavia/templates/octavia-api.json.j2 index cb470987e9..92fd67b227 100644 --- a/ansible/roles/octavia/templates/octavia-api.json.j2 +++ b/ansible/roles/octavia/templates/octavia-api.json.j2 @@ -32,8 +32,14 @@ "dest": "/etc/octavia/certs/octavia-key.pem", "owner": "octavia", "perm": "0600" - } - {% endif %}], + }{% endif %}{% if octavia_copy_certs | bool %}, + { + "source": "{{ container_config_directory }}/ca-certificates", + "dest": "/var/lib/kolla/share/ca-certificates", + "owner": "root", + "perm": "0600" + }{% endif %} + ], "permissions": [ { "path": "/var/log/kolla/octavia", diff --git a/ansible/roles/octavia/templates/octavia-driver-agent.json.j2 b/ansible/roles/octavia/templates/octavia-driver-agent.json.j2 index cde7b33607..7f024d9f65 100644 --- a/ansible/roles/octavia/templates/octavia-driver-agent.json.j2 +++ b/ansible/roles/octavia/templates/octavia-driver-agent.json.j2 
@@ -12,6 +12,12 @@
 "dest": "/etc/octavia/{{ octavia_policy_file }}",
 "owner": "octavia",
 "perm": "0600"
+ }{% endif %}{% if octavia_copy_certs | bool %},
+ {
+ "source": "{{ container_config_directory }}/ca-certificates",
+ "dest": "/var/lib/kolla/share/ca-certificates",
+ "owner": "root",
+ "perm": "0600"
 }{% endif %}
 ],
 "permissions": [
diff --git a/ansible/roles/octavia/templates/octavia-health-manager.json.j2 b/ansible/roles/octavia/templates/octavia-health-manager.json.j2
index 9c4696e7d0..59d4c3784b 100644
--- a/ansible/roles/octavia/templates/octavia-health-manager.json.j2
+++ b/ansible/roles/octavia/templates/octavia-health-manager.json.j2
@@ -30,6 +30,12 @@
 "dest": "/etc/octavia/certs/server_ca.key.pem",
 "owner": "octavia",
 "perm": "0600"
+ }{% endif %}{% if octavia_copy_certs | bool %},
+ {
+ "source": "{{ container_config_directory }}/ca-certificates",
+ "dest": "/var/lib/kolla/share/ca-certificates",
+ "owner": "root",
+ "perm": "0600"
 }{% endif %}
 ]
 }
diff --git a/ansible/roles/octavia/templates/octavia-housekeeping.json.j2 b/ansible/roles/octavia/templates/octavia-housekeeping.json.j2
index 6631bf8466..290d128bfc 100644
--- a/ansible/roles/octavia/templates/octavia-housekeeping.json.j2
+++ b/ansible/roles/octavia/templates/octavia-housekeeping.json.j2
@@ -30,6 +30,12 @@
 "dest": "/etc/octavia/certs/server_ca.key.pem",
 "owner": "octavia",
 "perm": "0600"
+ }{% endif %}{% if octavia_copy_certs | bool %},
+ {
+ "source": "{{ container_config_directory }}/ca-certificates",
+ "dest": "/var/lib/kolla/share/ca-certificates",
+ "owner": "root",
+ "perm": "0600"
 }{% endif %}
 ]
 }
diff --git a/ansible/roles/octavia/templates/octavia-worker.json.j2 b/ansible/roles/octavia/templates/octavia-worker.json.j2
index 9aa32872d5..7b1df642fe 100644
--- a/ansible/roles/octavia/templates/octavia-worker.json.j2
+++ b/ansible/roles/octavia/templates/octavia-worker.json.j2
@@ -30,6 +30,12 @@
 "dest": "/etc/octavia/certs/server_ca.key.pem",
 "owner": "octavia",
 "perm": "0600"
+ }{% endif %}{% if octavia_copy_certs | bool %},
+ {
+ "source": "{{ container_config_directory }}/ca-certificates",
+ "dest": "/var/lib/kolla/share/ca-certificates",
+ "owner": "root",
+ "perm": "0600"
 }{% endif %}
 ]
 }
diff --git a/ansible/roles/opensearch/templates/opensearch-dashboards.json.j2 b/ansible/roles/opensearch/templates/opensearch-dashboards.json.j2
index ff37ec42b9..6cb96cb4a1 100644
--- a/ansible/roles/opensearch/templates/opensearch-dashboards.json.j2
+++ b/ansible/roles/opensearch/templates/opensearch-dashboards.json.j2
@@ -6,7 +6,13 @@
 "dest": "/etc/opensearch-dashboards/opensearch_dashboards.yml",
 "owner": "opensearch-dashboards",
 "perm": "0640"
- }
+ }{% if kolla_copy_ca_into_containers | bool %},
+ {
+ "source": "{{ container_config_directory }}/ca-certificates",
+ "dest": "/var/lib/kolla/share/ca-certificates",
+ "owner": "root",
+ "perm": "0600"
+ }{% endif %}
 ],
 "permissions": [
 {
diff --git a/ansible/roles/opensearch/templates/opensearch.json.j2 b/ansible/roles/opensearch/templates/opensearch.json.j2
index 71fa6581e9..25bb7b7703 100644
--- a/ansible/roles/opensearch/templates/opensearch.json.j2
+++ b/ansible/roles/opensearch/templates/opensearch.json.j2
@@ -6,7 +6,13 @@
 "dest": "/etc/opensearch/opensearch.yml",
 "owner": "opensearch",
 "perm": "0600"
- }
+ }{% if kolla_copy_ca_into_containers | bool %},
+ {
+ "source": "{{ container_config_directory }}/ca-certificates",
+ "dest": "/var/lib/kolla/share/ca-certificates",
+ "owner": "root",
+ "perm": "0600"
+ }{% endif %}
 ],
 "permissions": [
 {
diff --git a/ansible/roles/placement/defaults/main.yml b/ansible/roles/placement/defaults/main.yml
index 0a6749829c..d189408e88 100644
--- a/ansible/roles/placement/defaults/main.yml
+++ b/ansible/roles/placement/defaults/main.yml
@@ -142,3 +142,5 @@ placement_ks_users: # TLS #################### placement_enable_tls_backend: "{{ kolla_enable_tls_backend }}" + +placement_copy_certs: "{{ kolla_copy_ca_into_containers | bool or placement_enable_tls_backend | bool }}" diff --git a/ansible/roles/placement/tasks/config.yml b/ansible/roles/placement/tasks/config.yml index 1cd6353b05..414c4324e1 100644 --- a/ansible/roles/placement/tasks/config.yml +++ b/ansible/roles/placement/tasks/config.yml @@ -30,7 +30,7 @@ - include_tasks: copy-certs.yml when: - - kolla_copy_ca_into_containers | bool or placement_enable_tls_backend | bool + - placement_copy_certs - name: Copying over config.json files for services become: true diff --git a/ansible/roles/placement/templates/placement-api.json.j2 b/ansible/roles/placement/templates/placement-api.json.j2 index e489cec5af..d2f91f731a 100644 --- a/ansible/roles/placement/templates/placement-api.json.j2 +++ b/ansible/roles/placement/templates/placement-api.json.j2 @@ -38,6 +38,12 @@ "dest": "/etc/placement/certs/placement-key.pem", "owner": "placement", "perm": "0600" + }{% endif %}{% if placement_copy_certs | bool %}, + { + "source": "{{ container_config_directory }}/ca-certificates", + "dest": "/var/lib/kolla/share/ca-certificates", + "owner": "root", + "perm": "0600" }{% endif %} ], "permissions": [ diff --git a/ansible/roles/prometheus/templates/prometheus-alertmanager.json.j2 b/ansible/roles/prometheus/templates/prometheus-alertmanager.json.j2 index 06ab4132d0..93c2767dbc 100644 --- a/ansible/roles/prometheus/templates/prometheus-alertmanager.json.j2 +++ b/ansible/roles/prometheus/templates/prometheus-alertmanager.json.j2 @@ -13,7 +13,13 @@ "optional": true, "owner": "prometheus", "perm": "0600" - } + }{% if kolla_copy_ca_into_containers | bool %}, + { + "source": "{{ container_config_directory }}/ca-certificates", + "dest": "/var/lib/kolla/share/ca-certificates", + "owner": "root", + "perm": "0600" + }{% endif %} ], "permissions": [ { 
diff --git a/ansible/roles/prometheus/templates/prometheus-blackbox-exporter.json.j2 b/ansible/roles/prometheus/templates/prometheus-blackbox-exporter.json.j2
index 68c30fb0d5..924b49550c 100644
--- a/ansible/roles/prometheus/templates/prometheus-blackbox-exporter.json.j2
+++ b/ansible/roles/prometheus/templates/prometheus-blackbox-exporter.json.j2
@@ -6,7 +6,13 @@
 "dest": "/etc/prometheus/blackbox.yml",
 "owner": "prometheus",
 "perm": "0600"
- }
+ }{% if kolla_copy_ca_into_containers | bool %},
+ {
+ "source": "{{ container_config_directory }}/ca-certificates",
+ "dest": "/var/lib/kolla/share/ca-certificates",
+ "owner": "root",
+ "perm": "0600"
+ }{% endif %}
 ],
 "permissions": [
 {
diff --git a/ansible/roles/prometheus/templates/prometheus-cadvisor.json.j2 b/ansible/roles/prometheus/templates/prometheus-cadvisor.json.j2
index b517b1b1d7..27160a8155 100644
--- a/ansible/roles/prometheus/templates/prometheus-cadvisor.json.j2
+++ b/ansible/roles/prometheus/templates/prometheus-cadvisor.json.j2
@@ -6,6 +6,12 @@
 "path": "/var/log/kolla/prometheus",
 "owner": "prometheus:prometheus",
 "recurse": true
- }
+ }{% if kolla_copy_ca_into_containers | bool %},
+ {
+ "source": "{{ container_config_directory }}/ca-certificates",
+ "dest": "/var/lib/kolla/share/ca-certificates",
+ "owner": "root",
+ "perm": "0600"
+ }{% endif %}
 ]
 }
diff --git a/ansible/roles/prometheus/templates/prometheus-elasticsearch-exporter.json.j2 b/ansible/roles/prometheus/templates/prometheus-elasticsearch-exporter.json.j2
index 9b29d92b33..46c25c1267 100644
--- a/ansible/roles/prometheus/templates/prometheus-elasticsearch-exporter.json.j2
+++ b/ansible/roles/prometheus/templates/prometheus-elasticsearch-exporter.json.j2
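Review bot: In prometheus-cadvisor.json.j2 the new object is appended after an entry whose keys are `path`, `owner` and `recurse`, i.e. it lands in what looks like the `permissions` array rather than `config_files` (the array's opening bracket is outside the hunk, so this is inferred from the surrounding keys). A `source`/`dest` object inside `permissions` is not a file copy, so the CA bundle would silently never be installed for this exporter; prometheus-elasticsearch-exporter, prometheus-memcached-exporter and prometheus-node-exporter in the following hunks have the identical problem. The entry belongs in a `config_files` array added the way prometheus-libvirt-exporter.json.j2 does it in this same diff, leaving the `permissions` entry as it was.
```json
"config_files": [
{% if kolla_copy_ca_into_containers | bool %}
    {
        "source": "{{ container_config_directory }}/ca-certificates",
        "dest": "/var/lib/kolla/share/ca-certificates",
        "owner": "root",
        "perm": "0600"
    }{% endif %}
],
"permissions": [
    {# … unchanged: existing /var/log/kolla/prometheus permissions entry … #}
]
```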
@@ -6,6 +6,12 @@
 "path": "/var/log/kolla/prometheus",
 "owner": "prometheus:kolla",
 "recurse": true
- }
+ }{% if kolla_copy_ca_into_containers | bool %},
+ {
+ "source": "{{ container_config_directory }}/ca-certificates",
+ "dest": "/var/lib/kolla/share/ca-certificates",
+ "owner": "root",
+ "perm": "0600"
+ }{% endif %}
 ]
 }
diff --git a/ansible/roles/prometheus/templates/prometheus-libvirt-exporter.json.j2 b/ansible/roles/prometheus/templates/prometheus-libvirt-exporter.json.j2
index 518358d8b1..ca67b6a422 100644
--- a/ansible/roles/prometheus/templates/prometheus-libvirt-exporter.json.j2
+++ b/ansible/roles/prometheus/templates/prometheus-libvirt-exporter.json.j2
@@ -1,4 +1,12 @@
 {
 "command": "/opt/libvirt-exporter --web.listen-address={{ api_interface_address }}:{{ prometheus_libvirt_exporter_port }}",
- "config_files": []
+ "config_files": [
+ {% if kolla_copy_ca_into_containers | bool %}
+ {
+ "source": "{{ container_config_directory }}/ca-certificates",
+ "dest": "/var/lib/kolla/share/ca-certificates",
+ "owner": "root",
+ "perm": "0600"
+ }{% endif %}
+ ]
 }
diff --git a/ansible/roles/prometheus/templates/prometheus-memcached-exporter.json.j2 b/ansible/roles/prometheus/templates/prometheus-memcached-exporter.json.j2
index 0974a629f8..1a02e3fb12 100644
--- a/ansible/roles/prometheus/templates/prometheus-memcached-exporter.json.j2
+++ b/ansible/roles/prometheus/templates/prometheus-memcached-exporter.json.j2
@@ -6,6 +6,12 @@
 "path": "/var/log/kolla/prometheus",
 "owner": "prometheus:kolla",
 "recurse": true
- }
+ }{% if kolla_copy_ca_into_containers | bool %},
+ {
+ "source": "{{ container_config_directory }}/ca-certificates",
+ "dest": "/var/lib/kolla/share/ca-certificates",
+ "owner": "root",
+ "perm": "0600"
+ }{% endif %}
 ]
 }
diff --git a/ansible/roles/prometheus/templates/prometheus-mysqld-exporter.json.j2 b/ansible/roles/prometheus/templates/prometheus-mysqld-exporter.json.j2
index 7d9ada68b9..0ab96dd6af 100644
--- a/ansible/roles/prometheus/templates/prometheus-mysqld-exporter.json.j2
+++ b/ansible/roles/prometheus/templates/prometheus-mysqld-exporter.json.j2
@@ -6,7 +6,13 @@
 "dest": "/etc/prometheus/my.cnf",
 "owner": "prometheus",
 "perm": "0600"
- }
+ }{% if kolla_copy_ca_into_containers | bool %},
+ {
+ "source": "{{ container_config_directory }}/ca-certificates",
+ "dest": "/var/lib/kolla/share/ca-certificates",
+ "owner": "root",
+ "perm": "0600"
+ }{% endif %}
 ],
 "permissions": [
 {
diff --git a/ansible/roles/prometheus/templates/prometheus-node-exporter.json.j2 b/ansible/roles/prometheus/templates/prometheus-node-exporter.json.j2
index b874469556..3835c93ab4 100644
--- a/ansible/roles/prometheus/templates/prometheus-node-exporter.json.j2
+++ b/ansible/roles/prometheus/templates/prometheus-node-exporter.json.j2
@@ -6,6 +6,12 @@
 "path": "/var/log/kolla/prometheus",
 "owner": "prometheus:kolla",
 "recurse": true
- }
+ }{% if kolla_copy_ca_into_containers | bool %},
+ {
+ "source": "{{ container_config_directory }}/ca-certificates",
+ "dest": "/var/lib/kolla/share/ca-certificates",
+ "owner": "root",
+ "perm": "0600"
+ }{% endif %}
 ]
 }
diff --git a/ansible/roles/prometheus/templates/prometheus-openstack-exporter.json.j2 b/ansible/roles/prometheus/templates/prometheus-openstack-exporter.json.j2
index a405934e4e..48bec881d1 100644
--- a/ansible/roles/prometheus/templates/prometheus-openstack-exporter.json.j2
+++ b/ansible/roles/prometheus/templates/prometheus-openstack-exporter.json.j2
@@ -6,7 +6,13 @@
 "dest": "/etc/openstack/clouds.yml",
 "owner": "prometheus",
 "perm": "0600"
- }
+ }{% if kolla_copy_ca_into_containers | bool %},
+ {
+ "source": "{{ container_config_directory }}/ca-certificates",
+ "dest": "/var/lib/kolla/share/ca-certificates",
+ "owner": "root",
+ "perm": "0600"
+ }{% endif %}
 ],
 "permissions": [
 {
diff --git a/ansible/roles/prometheus/templates/prometheus-server.json.j2 b/ansible/roles/prometheus/templates/prometheus-server.json.j2 index 99ee0c7865..4f875bf3bb 100644 --- a/ansible/roles/prometheus/templates/prometheus-server.json.j2 +++ b/ansible/roles/prometheus/templates/prometheus-server.json.j2 @@ -19,15 +19,20 @@ "preserve_properties": true, "optional": true } -{% if enable_prometheus_alertmanager | bool %} - ,{ + {% if enable_prometheus_alertmanager | bool %}, + { "source": "{{ container_config_directory }}/*.rules", "dest": "/etc/prometheus/", "optional": true, "owner": "prometheus", "perm": "0600" - } -{% endif %} + }{% endif %}{% if kolla_copy_ca_into_containers | bool %}, + { + "source": "{{ container_config_directory }}/ca-certificates", + "dest": "/var/lib/kolla/share/ca-certificates", + "owner": "root", + "perm": "0600" + }{% endif %} ], "permissions": [ { diff --git a/ansible/roles/rabbitmq/defaults/main.yml b/ansible/roles/rabbitmq/defaults/main.yml index 71d92d7424..17f25a62eb 100644 --- a/ansible/roles/rabbitmq/defaults/main.yml +++ b/ansible/roles/rabbitmq/defaults/main.yml @@ -105,3 +105,4 @@ rabbitmq_version_suffix: "" # TLS #################### rabbitmq_enable_tls_backend: "{{ rabbitmq_enable_tls }}" +rabbitmq_copy_certs: "{{ kolla_copy_ca_into_containers | bool or rabbitmq_enable_tls | bool }}" diff --git a/ansible/roles/rabbitmq/tasks/config.yml b/ansible/roles/rabbitmq/tasks/config.yml index 4f0f0ccf31..a0f8d40747 100644 --- a/ansible/roles/rabbitmq/tasks/config.yml +++ b/ansible/roles/rabbitmq/tasks/config.yml @@ -116,4 +116,5 @@ - Restart rabbitmq container - include_tasks: copy-certs.yml - when: rabbitmq_enable_tls | bool + when: + - rabbitmq_copy_certs diff --git a/ansible/roles/rabbitmq/tasks/copy-certs.yml b/ansible/roles/rabbitmq/tasks/copy-certs.yml index f3c84a49ab..09b8dfbfe6 100644 --- a/ansible/roles/rabbitmq/tasks/copy-certs.yml +++ b/ansible/roles/rabbitmq/tasks/copy-certs.yml 
@@ -1,52 +1,6 @@ --- -- name: Copying over extra CA certificates - become: true +- name: "Copy certificates and keys for {{ project_name }}" + import_role: + role: service-cert-copy vars: - service: "{{ rabbitmq_services['rabbitmq'] }}" - copy: - src: "{{ kolla_certificates_dir }}/ca/" - dest: "{{ node_config_directory }}/{{ project_name }}/ca-certificates" - mode: "0644" - when: - - kolla_copy_ca_into_containers | bool - - service | service_enabled_and_mapped_to_host - notify: - - Restart rabbitmq container - -- name: Copying over TLS certificate - become: true - vars: - service: "{{ rabbitmq_services['rabbitmq'] }}" - copy: - src: "{{ item }}" - dest: "{{ node_config_directory }}/{{ project_name }}/{{ project_name }}-cert.pem" - mode: "0644" - with_first_found: - - files: - - "{{ kolla_certificates_dir }}/{{ inventory_hostname }}/{{ project_name }}-cert.pem" - - "{{ kolla_certificates_dir }}/{{ inventory_hostname }}-cert.pem" - - "{{ kolla_certificates_dir }}/{{ project_name }}-cert.pem" - skip: true - when: - - service | service_enabled_and_mapped_to_host - notify: - - Restart rabbitmq container - -- name: Copying over TLS key - become: true - vars: - service: "{{ rabbitmq_services['rabbitmq'] }}" - copy: - src: "{{ item }}" - dest: "{{ node_config_directory }}/{{ project_name }}/{{ project_name }}-key.pem" - mode: "0600" - with_first_found: - - files: - - "{{ kolla_certificates_dir }}/{{ inventory_hostname }}/{{ project_name }}-key.pem" - - "{{ kolla_certificates_dir }}/{{ inventory_hostname }}-key.pem" - - "{{ kolla_certificates_dir }}/{{ project_name }}-key.pem" - skip: true - when: - - service | service_enabled_and_mapped_to_host - notify: - - Restart rabbitmq container + project_services: "{{ rabbitmq_services }}" diff --git a/ansible/roles/rabbitmq/templates/rabbitmq.json.j2 b/ansible/roles/rabbitmq/templates/rabbitmq.json.j2 index 150b1355d1..b06526eee4 100644 --- a/ansible/roles/rabbitmq/templates/rabbitmq.json.j2 
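Review bot: The replaced tasks copied the RabbitMQ certificate and key whenever `rabbitmq_enable_tls` was set, using a per-host lookup order (`{{ kolla_certificates_dir }}/{{ inventory_hostname }}/{{ project_name }}-cert.pem`, then `{{ inventory_hostname }}-cert.pem`, then `{{ project_name }}-cert.pem`) and mode `0600` for the key, whereas the shared service-cert-copy role's cert and key tasks, as far as this diff shows, are gated on `kolla_copy_backend_tls_files | bool` instead. If that flag is not implied by `rabbitmq_enable_tls`, an operator who enables RabbitMQ TLS without backend TLS loses the cert/key copy and the broker comes up without its certificate. The shared role's lookup paths and key mode are outside this chunk; please confirm it keeps the per-host lookup order and the `0600` key mode, since a looser mode would leave the broker's private key readable to other users of the host config tree.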
+++ b/ansible/roles/rabbitmq/templates/rabbitmq.json.j2 @@ -48,6 +48,12 @@ "dest": "/etc/rabbitmq/certs/{{ project_name }}-key.pem", "owner": "rabbitmq", "perm": "0600" + }{% endif %}{% if rabbitmq_copy_certs | bool %}, + { + "source": "{{ container_config_directory }}/ca-certificates", + "dest": "/var/lib/kolla/share/ca-certificates", + "owner": "root", + "perm": "0600" }{% endif %} ], "permissions": [ diff --git a/ansible/roles/service-cert-copy/tasks/main.yml b/ansible/roles/service-cert-copy/tasks/main.yml index 9ae11a22d3..4b540302bd 100644 --- a/ansible/roles/service-cert-copy/tasks/main.yml +++ b/ansible/roles/service-cert-copy/tasks/main.yml @@ -8,8 +8,6 @@ when: - kolla_copy_ca_into_containers | bool with_dict: "{{ project_services | select_services_enabled_and_mapped_to_host }}" - notify: - - "Restart {{ item.key }} container" - name: "{{ project_name }} | Copying over backend internal TLS certificate" vars: @@ -27,8 +25,6 @@ when: - kolla_copy_backend_tls_files | bool with_dict: "{{ project_services | select_services_enabled_and_mapped_to_host }}" - notify: - - "Restart {{ item.key }} container" - name: "{{ project_name }} | Copying over backend internal TLS key" vars: @@ -46,5 +42,3 @@ when: - kolla_copy_backend_tls_files | bool with_dict: "{{ project_services | select_services_enabled_and_mapped_to_host }}" - notify: - - "Restart {{ item.key }} container" diff --git a/ansible/roles/skyline/defaults/main.yml b/ansible/roles/skyline/defaults/main.yml index eb64fb37df..9cd77327cb 100644 --- a/ansible/roles/skyline/defaults/main.yml +++ b/ansible/roles/skyline/defaults/main.yml @@ -192,6 +192,8 @@ skyline_enable_sso: "no" #################### skyline_enable_tls_backend: "{{ kolla_enable_tls_backend }}" +skyline_copy_certs: "{{ kolla_copy_ca_into_containers | bool or skyline_enable_tls_backend | bool }}" + #################### # Custom logos: files and folders will be copied to static folder #################### 
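Review bot: Dropping `notify: - "Restart {{ item.key }} container"` from the CA-bundle copy task means a rotated bundle is written to the node config directory without any handler restarting the container, and the other two hunks of this file do the same for the backend certificate and key. Presumably the intent is that these files are now listed in each service's config.json so the existing config-check/restart path detects the change; if that path only compares the rendered config.json rather than the copied files, a certificate renewal stays unapplied until the next unrelated restart, which matters for expiring certificates. Worth verifying with a certificate rotation on a deployed service before relying on it, and a one-line comment above the task stating which mechanism now triggers the restart would save the next reader the same question.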
diff --git a/ansible/roles/skyline/tasks/config.yml b/ansible/roles/skyline/tasks/config.yml index 75d2b94248..0c50a7b680 100644 --- a/ansible/roles/skyline/tasks/config.yml +++ b/ansible/roles/skyline/tasks/config.yml @@ -11,7 +11,7 @@ - include_tasks: copy-certs.yml when: - - kolla_copy_ca_into_containers | bool or skyline_enable_tls_backend | bool + - skyline_copy_certs - name: Copying over skyline.yaml files for services merge_yaml: diff --git a/ansible/roles/skyline/templates/skyline-apiserver.json.j2 b/ansible/roles/skyline/templates/skyline-apiserver.json.j2 index ee4559d4f8..95bdc61df8 100644 --- a/ansible/roles/skyline/templates/skyline-apiserver.json.j2 +++ b/ansible/roles/skyline/templates/skyline-apiserver.json.j2 @@ -24,6 +24,12 @@ "dest": "/etc/skyline/certs/skyline-key.pem", "owner": "skyline", "perm": "0600" + }{% endif %}{% if skyline_copy_certs | bool %}, + { + "source": "{{ container_config_directory }}/ca-certificates", + "dest": "/var/lib/kolla/share/ca-certificates", + "owner": "root", + "perm": "0600" }{% endif %} ], "permissions": [ diff --git a/ansible/roles/skyline/templates/skyline-console.json.j2 b/ansible/roles/skyline/templates/skyline-console.json.j2 index 30a0750f63..44955558c8 100644 --- a/ansible/roles/skyline/templates/skyline-console.json.j2 +++ b/ansible/roles/skyline/templates/skyline-console.json.j2 @@ -31,6 +31,12 @@ "dest": "/etc/skyline/certs/skyline-key.pem", "owner": "skyline", "perm": "0600" + }{% endif %}{% if skyline_copy_certs | bool %}, + { + "source": "{{ container_config_directory }}/ca-certificates", + "dest": "/var/lib/kolla/share/ca-certificates", + "owner": "root", + "perm": "0600" }{% endif %} ], "permissions": [ diff --git a/ansible/roles/swift/templates/swift-account-auditor.json.j2 b/ansible/roles/swift/templates/swift-account-auditor.json.j2 index 38e65d81aa..4599a6be41 100644 --- a/ansible/roles/swift/templates/swift-account-auditor.json.j2 +++ b/ansible/roles/swift/templates/swift-account-auditor.json.j2 
@@ -25,6 +25,12 @@
 "owner": "swift",
 "perm": "0600",
 "optional": true
- }
+ }{% if kolla_copy_ca_into_containers | bool %},
+ {
+ "source": "{{ container_config_directory }}/ca-certificates",
+ "dest": "/var/lib/kolla/share/ca-certificates",
+ "owner": "root",
+ "perm": "0600"
+ }{% endif %}
 ]
 }
diff --git a/ansible/roles/swift/templates/swift-account-reaper.json.j2 b/ansible/roles/swift/templates/swift-account-reaper.json.j2
index b93ccf36cf..ec45a6f6bf 100644
--- a/ansible/roles/swift/templates/swift-account-reaper.json.j2
+++ b/ansible/roles/swift/templates/swift-account-reaper.json.j2
@@ -25,6 +25,12 @@
 "owner": "swift",
 "perm": "0600",
 "optional": true
- }
+ }{% if kolla_copy_ca_into_containers | bool %},
+ {
+ "source": "{{ container_config_directory }}/ca-certificates",
+ "dest": "/var/lib/kolla/share/ca-certificates",
+ "owner": "root",
+ "perm": "0600"
+ }{% endif %}
 ]
 }
diff --git a/ansible/roles/swift/templates/swift-account-replication-server.json.j2 b/ansible/roles/swift/templates/swift-account-replication-server.json.j2
index 1c9c50b44a..296244493e 100644
--- a/ansible/roles/swift/templates/swift-account-replication-server.json.j2
+++ b/ansible/roles/swift/templates/swift-account-replication-server.json.j2
@@ -25,6 +25,12 @@
 "owner": "swift",
 "perm": "0600",
 "optional": true
- }
+ }{% if kolla_copy_ca_into_containers | bool %},
+ {
+ "source": "{{ container_config_directory }}/ca-certificates",
+ "dest": "/var/lib/kolla/share/ca-certificates",
+ "owner": "root",
+ "perm": "0600"
+ }{% endif %}
 ]
 }
diff --git a/ansible/roles/swift/templates/swift-account-replicator.json.j2 b/ansible/roles/swift/templates/swift-account-replicator.json.j2
index a49731935b..ec57074a66 100644
--- a/ansible/roles/swift/templates/swift-account-replicator.json.j2
+++ b/ansible/roles/swift/templates/swift-account-replicator.json.j2
@@ -25,6 +25,12 @@
 "owner": "swift",
 "perm": "0600",
 "optional": true
- }
+ }{% if kolla_copy_ca_into_containers | bool %},
+ {
+ "source": "{{ container_config_directory }}/ca-certificates",
+ "dest": "/var/lib/kolla/share/ca-certificates",
+ "owner": "root",
+ "perm": "0600"
+ }{% endif %}
 ]
 }
diff --git a/ansible/roles/swift/templates/swift-account-server.json.j2 b/ansible/roles/swift/templates/swift-account-server.json.j2
index 998e06b138..ee66f112e6 100644
--- a/ansible/roles/swift/templates/swift-account-server.json.j2
+++ b/ansible/roles/swift/templates/swift-account-server.json.j2
@@ -25,6 +25,12 @@
 "owner": "swift",
 "perm": "0600",
 "optional": true
- }
+ }{% if kolla_copy_ca_into_containers | bool %},
+ {
+ "source": "{{ container_config_directory }}/ca-certificates",
+ "dest": "/var/lib/kolla/share/ca-certificates",
+ "owner": "root",
+ "perm": "0600"
+ }{% endif %}
 ]
 }
diff --git a/ansible/roles/swift/templates/swift-container-auditor.json.j2 b/ansible/roles/swift/templates/swift-container-auditor.json.j2
index 7044109718..0ce8103ad6 100644
--- a/ansible/roles/swift/templates/swift-container-auditor.json.j2
+++ b/ansible/roles/swift/templates/swift-container-auditor.json.j2
@@ -25,6 +25,12 @@
 "owner": "swift",
 "perm": "0600",
 "optional": true
- }
+ }{% if kolla_copy_ca_into_containers | bool %},
+ {
+ "source": "{{ container_config_directory }}/ca-certificates",
+ "dest": "/var/lib/kolla/share/ca-certificates",
+ "owner": "root",
+ "perm": "0600"
+ }{% endif %}
 ]
 }
diff --git a/ansible/roles/swift/templates/swift-container-replication-server.json.j2 b/ansible/roles/swift/templates/swift-container-replication-server.json.j2
index 02c202cab5..4a3415bd07 100644
--- a/ansible/roles/swift/templates/swift-container-replication-server.json.j2
+++ b/ansible/roles/swift/templates/swift-container-replication-server.json.j2
@@ -25,6 +25,12 @@
 "owner": "swift",
 "perm": "0600",
 "optional": true
- }
+ }{% if kolla_copy_ca_into_containers | bool %},
+ {
+ "source": "{{ container_config_directory }}/ca-certificates",
+ "dest": "/var/lib/kolla/share/ca-certificates",
+ "owner": "root",
+ "perm": "0600"
+ }{% endif %}
 ]
 }
diff --git a/ansible/roles/swift/templates/swift-container-replicator.json.j2 b/ansible/roles/swift/templates/swift-container-replicator.json.j2
index 76d0a190df..ac9d7b8822 100644
--- a/ansible/roles/swift/templates/swift-container-replicator.json.j2
+++ b/ansible/roles/swift/templates/swift-container-replicator.json.j2
@@ -25,6 +25,12 @@
 "owner": "swift",
 "perm": "0600",
 "optional": true
- }
+ }{% if kolla_copy_ca_into_containers | bool %},
+ {
+ "source": "{{ container_config_directory }}/ca-certificates",
+ "dest": "/var/lib/kolla/share/ca-certificates",
+ "owner": "root",
+ "perm": "0600"
+ }{% endif %}
 ]
 }
diff --git a/ansible/roles/swift/templates/swift-container-server.json.j2 b/ansible/roles/swift/templates/swift-container-server.json.j2
index a9870e5bd2..ff52bd0922 100644
--- a/ansible/roles/swift/templates/swift-container-server.json.j2
+++ b/ansible/roles/swift/templates/swift-container-server.json.j2
@@ -25,6 +25,12 @@
 "owner": "swift",
 "perm": "0600",
 "optional": true
- }
+ }{% if kolla_copy_ca_into_containers | bool %},
+ {
+ "source": "{{ container_config_directory }}/ca-certificates",
+ "dest": "/var/lib/kolla/share/ca-certificates",
+ "owner": "root",
+ "perm": "0600"
+ }{% endif %}
 ]
 }
diff --git a/ansible/roles/swift/templates/swift-container-updater.json.j2 b/ansible/roles/swift/templates/swift-container-updater.json.j2
index 0f59961b6f..42f070e074 100644
--- a/ansible/roles/swift/templates/swift-container-updater.json.j2
+++ b/ansible/roles/swift/templates/swift-container-updater.json.j2
@@ -31,6 +31,12 @@
 "owner": "swift",
 "perm": "0600",
 "optional": true
- }
+ }{% if kolla_copy_ca_into_containers | bool %},
+ {
+ "source": "{{ container_config_directory }}/ca-certificates",
+ "dest": "/var/lib/kolla/share/ca-certificates",
+ "owner": "root",
+ "perm": "0600"
+ }{% endif %}
 ]
 }
diff --git a/ansible/roles/swift/templates/swift-object-auditor.json.j2 b/ansible/roles/swift/templates/swift-object-auditor.json.j2
index 51df1a2eee..c25aadb854 100644
--- a/ansible/roles/swift/templates/swift-object-auditor.json.j2
+++ b/ansible/roles/swift/templates/swift-object-auditor.json.j2
@@ -39,6 +39,12 @@
 "owner": "swift",
 "perm": "0600",
 "optional": true
- }
+ }{% if kolla_copy_ca_into_containers | bool %},
+ {
+ "source": "{{ container_config_directory }}/ca-certificates",
+ "dest": "/var/lib/kolla/share/ca-certificates",
+ "owner": "root",
+ "perm": "0600"
+ }{% endif %}
 ]
 }
diff --git a/ansible/roles/swift/templates/swift-object-expirer.json.j2 b/ansible/roles/swift/templates/swift-object-expirer.json.j2
index 639f41e812..f000f7ad64 100644
--- a/ansible/roles/swift/templates/swift-object-expirer.json.j2
+++ b/ansible/roles/swift/templates/swift-object-expirer.json.j2
@@ -45,6 +45,12 @@
 "owner": "swift",
 "perm": "0600",
 "optional": true
- }
+ }{% if kolla_copy_ca_into_containers | bool %},
+ {
+ "source": "{{ container_config_directory }}/ca-certificates",
+ "dest": "/var/lib/kolla/share/ca-certificates",
+ "owner": "root",
+ "perm": "0600"
+ }{% endif %}
 ]
 }
diff --git a/ansible/roles/swift/templates/swift-object-replication-server.json.j2 b/ansible/roles/swift/templates/swift-object-replication-server.json.j2
index c5ddf90d31..f9697a1fee 100644
--- a/ansible/roles/swift/templates/swift-object-replication-server.json.j2
+++ b/ansible/roles/swift/templates/swift-object-replication-server.json.j2
@@ -39,6 +39,12 @@
 "owner": "swift",
 "perm": "0600",
 "optional": true
- }
+ }{% if kolla_copy_ca_into_containers | bool %},
+ {
+ "source": "{{ container_config_directory }}/ca-certificates",
+ "dest": "/var/lib/kolla/share/ca-certificates",
+ "owner": "root",
+ "perm": "0600"
+ }{% endif %}
 ]
 }
diff --git a/ansible/roles/swift/templates/swift-object-replicator.json.j2 b/ansible/roles/swift/templates/swift-object-replicator.json.j2
index 88c46cd342..a66f7c19b6 100644
--- a/ansible/roles/swift/templates/swift-object-replicator.json.j2
+++ b/ansible/roles/swift/templates/swift-object-replicator.json.j2
@@ -39,6 +39,12 @@
 "owner": "swift",
 "perm": "0600",
 "optional": true
- }
+ }{% if kolla_copy_ca_into_containers | bool %},
+ {
+ "source": "{{ container_config_directory }}/ca-certificates",
+ "dest": "/var/lib/kolla/share/ca-certificates",
+ "owner": "root",
+ "perm": "0600"
+ }{% endif %}
 ]
 }
diff --git a/ansible/roles/swift/templates/swift-object-server.json.j2 b/ansible/roles/swift/templates/swift-object-server.json.j2
index 2b0687c154..d9344cffe2 100644
--- a/ansible/roles/swift/templates/swift-object-server.json.j2
+++ b/ansible/roles/swift/templates/swift-object-server.json.j2
@@ -39,6 +39,12 @@
 "owner": "swift",
 "perm": "0600",
 "optional": true
- }
+ }{% if kolla_copy_ca_into_containers | bool %},
+ {
+ "source": "{{ container_config_directory }}/ca-certificates",
+ "dest": "/var/lib/kolla/share/ca-certificates",
+ "owner": "root",
+ "perm": "0600"
+ }{% endif %}
 ]
 }
diff --git a/ansible/roles/swift/templates/swift-object-updater.json.j2 b/ansible/roles/swift/templates/swift-object-updater.json.j2
index 1b6469c36b..2c665e5b98 100644
--- a/ansible/roles/swift/templates/swift-object-updater.json.j2
+++ b/ansible/roles/swift/templates/swift-object-updater.json.j2
@@ -39,6 +39,12 @@
 "owner": "swift",
 "perm": "0600",
 "optional": true
- }
+ }{% if kolla_copy_ca_into_containers | bool %},
+ {
+ "source": "{{ container_config_directory }}/ca-certificates",
+ "dest": "/var/lib/kolla/share/ca-certificates",
+ "owner": "root",
+ "perm": "0600"
+ }{% endif %}
 ]
 }
diff --git a/ansible/roles/swift/templates/swift-proxy-server.json.j2 b/ansible/roles/swift/templates/swift-proxy-server.json.j2
index a1f4daea59..d0fa0b6f39 100644
--- a/ansible/roles/swift/templates/swift-proxy-server.json.j2
+++ b/ansible/roles/swift/templates/swift-proxy-server.json.j2
@@ -45,6 +45,12 @@
 "owner": "swift",
 "perm": "0600",
 "optional": true
- }
+ }{% if kolla_copy_ca_into_containers | bool %},
+ {
+ "source": "{{ container_config_directory }}/ca-certificates",
+ "dest": "/var/lib/kolla/share/ca-certificates",
+ "owner": "root",
+ "perm": "0600"
+ }{% endif %}
 ]
 }
diff --git a/ansible/roles/swift/templates/swift-rsyncd.json.j2 b/ansible/roles/swift/templates/swift-rsyncd.json.j2
index d3580cc77a..29045d9875 100644
--- a/ansible/roles/swift/templates/swift-rsyncd.json.j2
+++ b/ansible/roles/swift/templates/swift-rsyncd.json.j2
@@ -6,6 +6,12 @@
 "dest": "/etc/rsyncd.conf",
 "owner": "swift",
 "perm": "0640"
- }
+ }{% if kolla_copy_ca_into_containers | bool %},
+ {
+ "source": "{{ container_config_directory }}/ca-certificates",
+ "dest": "/var/lib/kolla/share/ca-certificates",
+ "owner": "root",
+ "perm": "0600"
+ }{% endif %}
 ]
 }
diff --git a/ansible/roles/tacker/templates/tacker-conductor.json.j2 b/ansible/roles/tacker/templates/tacker-conductor.json.j2
index 009e64acac..02cc0ef094 100644
--- a/ansible/roles/tacker/templates/tacker-conductor.json.j2
+++ b/ansible/roles/tacker/templates/tacker-conductor.json.j2
@@ -12,6 +12,12 @@
 "dest": "/etc/tacker/{{ tacker_policy_file }}",
 "owner": "tacker",
 "perm": "0600"
+ }{% endif %}{% if kolla_copy_ca_into_containers | bool %},
+ {
+ "source": "{{ container_config_directory }}/ca-certificates",
+ "dest": "/var/lib/kolla/share/ca-certificates",
+ "owner": "root",
+ "perm": "0600"
 }{% endif %}
 ],
 "permissions": [
diff --git a/ansible/roles/tacker/templates/tacker-server.json.j2 b/ansible/roles/tacker/templates/tacker-server.json.j2
index b2b17f90f2..950d63dc2f 100644
--- a/ansible/roles/tacker/templates/tacker-server.json.j2
+++ b/ansible/roles/tacker/templates/tacker-server.json.j2
@@ -12,6 +12,12 @@
 "dest": "/etc/tacker/{{ tacker_policy_file }}",
 "owner": "tacker",
 "perm": "0600"
+ }{% endif %}{% if kolla_copy_ca_into_containers | bool %},
+ {
+ "source": "{{ container_config_directory }}/ca-certificates",
+ "dest": "/var/lib/kolla/share/ca-certificates",
+ "owner": "root",
+ "perm": "0600"
 }{% endif %}
 ],
 "permissions": [
diff --git a/ansible/roles/telegraf/templates/telegraf.json.j2 b/ansible/roles/telegraf/templates/telegraf.json.j2
index 5bb8d40b76..8e5bd71a43 100644
--- a/ansible/roles/telegraf/templates/telegraf.json.j2
+++ b/ansible/roles/telegraf/templates/telegraf.json.j2
@@ -13,7 +13,13 @@
 "owner": "telegraf",
 "perm": "0600",
 "optional": true
- }
+ }{% if kolla_copy_ca_into_containers | bool %},
+ {
+ "source": "{{ container_config_directory }}/ca-certificates",
+ "dest": "/var/lib/kolla/share/ca-certificates",
+ "owner": "root",
+ "perm": "0600"
+ }{% endif %}
 ],
 "permissions": [
 {
diff --git a/ansible/roles/trove/defaults/main.yml b/ansible/roles/trove/defaults/main.yml
index c4a33a92da..1977860bd9 100644
--- a/ansible/roles/trove/defaults/main.yml
+++ b/ansible/roles/trove/defaults/main.yml
@@ -208,3 +208,5 @@ trove_ks_users:
 # TLS
 ####################
 trove_enable_tls_backend: "{{ kolla_enable_tls_backend }}"
+
+trove_copy_certs: "{{ kolla_copy_ca_into_containers | bool or trove_enable_tls_backend | bool }}"
diff --git a/ansible/roles/trove/tasks/config.yml b/ansible/roles/trove/tasks/config.yml
index 9c3d9d5f3f..8450e0f097 100644
--- a/ansible/roles/trove/tasks/config.yml
+++ b/ansible/roles/trove/tasks/config.yml
@@ -30,7 +30,7 @@
 
 - include_tasks: copy-certs.yml
 when:
- - kolla_copy_ca_into_containers | bool or trove_enable_tls_backend | bool
+ - trove_copy_certs
 
 - name: Copying over config.json files for services
 template:
diff --git a/ansible/roles/trove/templates/trove-api.json.j2 b/ansible/roles/trove/templates/trove-api.json.j2
index c2e4744efa..606c7de8c1 100644
--- a/ansible/roles/trove/templates/trove-api.json.j2
+++ b/ansible/roles/trove/templates/trove-api.json.j2
@@ -32,7 +32,13 @@
 "dest": "/etc/trove/certs/trove-key.pem",
 "owner": "trove",
 "perm": "0600"
- }
+ }{% if trove_copy_certs | bool %},
+ {
+ "source": "{{ container_config_directory }}/ca-certificates",
+ "dest": "/var/lib/kolla/share/ca-certificates",
+ "owner": "root",
+ "perm": "0600"
+ }{% endif %}
 {% endif %}],
 "permissions": [
 {
diff --git a/ansible/roles/trove/templates/trove-conductor.json.j2 b/ansible/roles/trove/templates/trove-conductor.json.j2
index 12d884a5d0..d2c763d836 100644
--- a/ansible/roles/trove/templates/trove-conductor.json.j2
+++ b/ansible/roles/trove/templates/trove-conductor.json.j2
@@ -6,12 +6,18 @@
 "dest": "/etc/trove/trove.conf",
 "owner": "trove",
 "perm": "0600"
- }{% if trove_policy_file is defined %},
+ }{% if trove_policy_file is defined %},
 {
 "source": "{{ container_config_directory }}/{{ trove_policy_file }}",
 "dest": "/etc/trove/{{ trove_policy_file }}",
 "owner": "trove",
 "perm": "0600"
+ }{% endif %}{% if trove_copy_certs | bool %},
+ {
+ "source": "{{ container_config_directory }}/ca-certificates",
+ "dest": "/var/lib/kolla/share/ca-certificates",
+ "owner": "root",
+ "perm": "0600"
 }{% endif %}
 ],
 "permissions": [
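Review bot: The trove templates guard the ca-certificates entry with `trove_copy_certs | bool`, whereas every other role on this page uses `kolla_copy_ca_into_containers | bool`; `trove_copy_certs` (defined in the trove defaults hunk just above) is also true when only `trove_enable_tls_backend` is set, and in that configuration the `{{ container_config_directory }}/ca-certificates` source is presumably not populated, so the rendered config.json would name a directory that does not exist and, with no `"optional": true` on the entry, would likely fail config injection at container start. Either use the same guard as the other roles, `}{% if kolla_copy_ca_into_containers | bool %},`, in trove-api and trove-conductor here and in trove-taskmanager in the next hunk, or add `"optional": true` to the entry. In trove-api the new stanza also sits inside an enclosing `{% if %}` that starts outside the hunk and, judging by the `trove-key.pem` entry before it, appears to be the backend-TLS block; if so, the CA entry is rendered only when backend TLS is enabled, which differs from trove-conductor, trove-taskmanager and the other roles.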
diff --git a/ansible/roles/trove/templates/trove-taskmanager.json.j2 b/ansible/roles/trove/templates/trove-taskmanager.json.j2
index 7298de345f..47dc30d51c 100644
--- a/ansible/roles/trove/templates/trove-taskmanager.json.j2
+++ b/ansible/roles/trove/templates/trove-taskmanager.json.j2
@@ -18,6 +18,12 @@
 "dest": "/etc/trove/{{ trove_policy_file }}",
 "owner": "trove",
 "perm": "0600"
+ }{% endif %}{% if trove_copy_certs | bool %},
+ {
+ "source": "{{ container_config_directory }}/ca-certificates",
+ "dest": "/var/lib/kolla/share/ca-certificates",
+ "owner": "root",
+ "perm": "0600"
 }{% endif %}
 ],
 "permissions": [
diff --git a/ansible/roles/venus/templates/venus-api.json.j2 b/ansible/roles/venus/templates/venus-api.json.j2
index 086b6dfd14..0a825529d8 100644
--- a/ansible/roles/venus/templates/venus-api.json.j2
+++ b/ansible/roles/venus/templates/venus-api.json.j2
@@ -6,7 +6,13 @@
 "dest": "/etc/venus/venus.conf",
 "owner": "venus",
 "perm": "0644"
- }
+ }{% if kolla_copy_ca_into_containers | bool %},
+ {
+ "source": "{{ container_config_directory }}/ca-certificates",
+ "dest": "/var/lib/kolla/share/ca-certificates",
+ "owner": "root",
+ "perm": "0600"
+ }{% endif %}
 ],
 "permissions": [
 {
diff --git a/ansible/roles/venus/templates/venus-manager.json.j2 b/ansible/roles/venus/templates/venus-manager.json.j2
index 3a0ff07ea9..02f7503cb3 100644
--- a/ansible/roles/venus/templates/venus-manager.json.j2
+++ b/ansible/roles/venus/templates/venus-manager.json.j2
@@ -6,7 +6,13 @@
 "dest": "/etc/venus/venus.conf",
 "owner": "venus",
 "perm": "0644"
- }
+ }{% if kolla_copy_ca_into_containers | bool %},
+ {
+ "source": "{{ container_config_directory }}/ca-certificates",
+ "dest": "/var/lib/kolla/share/ca-certificates",
+ "owner": "root",
+ "perm": "0600"
+ }{% endif %}
 ],
 "permissions": [
 {
diff --git a/ansible/roles/watcher/templates/watcher-api.json.j2 b/ansible/roles/watcher/templates/watcher-api.json.j2
index 2ff6ac1427..c80bb842e9 100644
--- a/ansible/roles/watcher/templates/watcher-api.json.j2
+++ b/ansible/roles/watcher/templates/watcher-api.json.j2
@@ -12,6 +12,12 @@
 "dest": "/etc/watcher/{{ watcher_policy_file }}",
 "owner": "watcher",
 "perm": "0600"
+ }{% endif %}{% if kolla_copy_ca_into_containers | bool %},
+ {
+ "source": "{{ container_config_directory }}/ca-certificates",
+ "dest": "/var/lib/kolla/share/ca-certificates",
+ "owner": "root",
+ "perm": "0600"
 }{% endif %}
 ],
 "permissions": [
diff --git a/ansible/roles/watcher/templates/watcher-applier.json.j2 b/ansible/roles/watcher/templates/watcher-applier.json.j2
index e8d6ac38a0..2c5fc72686 100644
--- a/ansible/roles/watcher/templates/watcher-applier.json.j2
+++ b/ansible/roles/watcher/templates/watcher-applier.json.j2
@@ -12,6 +12,12 @@
 "dest": "/etc/watcher/{{ watcher_policy_file }}",
 "owner": "watcher",
 "perm": "0600"
+ }{% endif %}{% if kolla_copy_ca_into_containers | bool %},
+ {
+ "source": "{{ container_config_directory }}/ca-certificates",
+ "dest": "/var/lib/kolla/share/ca-certificates",
+ "owner": "root",
+ "perm": "0600"
 }{% endif %}
 ],
 "permissions": [
diff --git a/ansible/roles/watcher/templates/watcher-engine.json.j2 b/ansible/roles/watcher/templates/watcher-engine.json.j2
index 080e88f08a..ee8e20e008 100644
--- a/ansible/roles/watcher/templates/watcher-engine.json.j2
+++ b/ansible/roles/watcher/templates/watcher-engine.json.j2
@@ -12,6 +12,12 @@
 "dest": "/etc/watcher/{{ watcher_policy_file }}",
 "owner": "watcher",
 "perm": "0600"
+ }{% endif %}{% if kolla_copy_ca_into_containers | bool %},
+ {
+ "source": "{{ container_config_directory }}/ca-certificates",
+ "dest": "/var/lib/kolla/share/ca-certificates",
+ "owner": "root",
+ "perm": "0600"
 }{% endif %}
 ],
 "permissions": [
diff --git a/ansible/roles/zun/templates/zun-api.json.j2 b/ansible/roles/zun/templates/zun-api.json.j2
index 8b161c2565..18ed961724 100644
--- a/ansible/roles/zun/templates/zun-api.json.j2
+++ b/ansible/roles/zun/templates/zun-api.json.j2
@@ -20,6 +20,12 @@
 "dest": "/etc/zun/{{ zun_policy_file }}",
 "owner": "zun",
 "perm": "0600"
+ }{% endif %}{% if kolla_copy_ca_into_containers | bool %},
+ {
+ "source": "{{ container_config_directory }}/ca-certificates",
+ "dest": "/var/lib/kolla/share/ca-certificates",
+ "owner": "root",
+ "perm": "0600"
 }{% endif %}
 ],
 "permissions": [
diff --git a/ansible/roles/zun/templates/zun-cni-daemon.json.j2 b/ansible/roles/zun/templates/zun-cni-daemon.json.j2
index 504fc48f90..3e165e06ba 100644
--- a/ansible/roles/zun/templates/zun-cni-daemon.json.j2
+++ b/ansible/roles/zun/templates/zun-cni-daemon.json.j2
@@ -6,7 +6,13 @@
 "dest": "/etc/zun/zun.conf",
 "owner": "zun",
 "perm": "0600"
- }
+ }{% if kolla_copy_ca_into_containers | bool %},
+ {
+ "source": "{{ container_config_directory }}/ca-certificates",
+ "dest": "/var/lib/kolla/share/ca-certificates",
+ "owner": "root",
+ "perm": "0600"
+ }{% endif %}
 ],
 "permissions": [
 {
diff --git a/ansible/roles/zun/templates/zun-compute.json.j2 b/ansible/roles/zun/templates/zun-compute.json.j2
index 4854a86f92..c9f9a7ccdf 100644
--- a/ansible/roles/zun/templates/zun-compute.json.j2
+++ b/ansible/roles/zun/templates/zun-compute.json.j2
@@ -26,6 +26,12 @@
 "dest": "/etc/zun/{{ zun_policy_file }}",
 "owner": "zun",
 "perm": "0600"
+ }{% endif %}{% if kolla_copy_ca_into_containers | bool %},
+ {
+ "source": "{{ container_config_directory }}/ca-certificates",
+ "dest": "/var/lib/kolla/share/ca-certificates",
+ "owner": "root",
+ "perm": "0600"
 }{% endif %}
 ],
 "permissions": [
diff --git a/ansible/roles/zun/templates/zun-wsproxy.json.j2 b/ansible/roles/zun/templates/zun-wsproxy.json.j2
index 90defc385e..89dd398b60 100644
--- a/ansible/roles/zun/templates/zun-wsproxy.json.j2
+++ b/ansible/roles/zun/templates/zun-wsproxy.json.j2
@@ -12,6 +12,12 @@
 "dest": "/etc/zun/{{ zun_policy_file }}",
 "owner": "zun",
 "perm": "0600"
+ }{% endif %}{% if kolla_copy_ca_into_containers | bool %},
+ {
+ "source": "{{ container_config_directory }}/ca-certificates",
+ "dest": "/var/lib/kolla/share/ca-certificates",
+ "owner": "root",
+ "perm": "0600"
 }{% endif %}
 ],
 "permissions": [
diff --git a/releasenotes/notes/copy-certs-02ff11e9041800eb.yaml b/releasenotes/notes/copy-certs-02ff11e9041800eb.yaml
new file mode 100644
index 0000000000..07de6dc442
--- /dev/null
+++ b/releasenotes/notes/copy-certs-02ff11e9041800eb.yaml
@@ -0,0 +1,14 @@
+---
+fixes:
+ - |
+ Fixes unwanted restarts during copying of certificates.
+ By removing conditional statements from role handlers in #745164,
+ copying certificates caused containers to restart, this is unwanted
+ during the genconfig process. However, if we would remove handler
+ notifiers from copying certificates, the container would never
+ restart, since from #745164, containers will restart only if any
+ of the files specified in config.json change.
+ So this adds certificate folder to config.json file for containers.
+ Certificates are copied to intermediary location inside of the
+ container, from which the script kolla_copy_cacerts will install them
+ in the system's trust store.