From 0e9a81fdca4e94048b731bc4c79da8b397437365 Mon Sep 17 00:00:00 2001
From: ramboman <lijie@unitedstack.com>
Date: Mon, 6 Jul 2020 16:37:52 +0800
Subject: [PATCH] Fix Barbican client (Castellan) with TLS

Castellan (the Barbican client) uses different parameters to select
the CA file.
This patch sets them.
Moreover, this aligns Barbican with other services by defaulting
its client config to the internal endpoint.

See also [1].

[1] https://bugs.launchpad.net/castellan/+bug/1876102

Closes-Bug: #1886615

Change-Id: I6a174468bd91d214c08477b93c88032a45c137be
---
 ansible/roles/cinder/templates/cinder.conf.j2        | 2 ++
 ansible/roles/glance/templates/glance-api.conf.j2    | 7 +++++++
 ansible/roles/nova/templates/nova.conf.j2            | 3 ++-
 releasenotes/notes/bug-1886615-640e817dfdb93b8a.yaml | 5 +++++
 4 files changed, 16 insertions(+), 1 deletion(-)
 create mode 100644 releasenotes/notes/bug-1886615-640e817dfdb93b8a.yaml

diff --git a/ansible/roles/cinder/templates/cinder.conf.j2 b/ansible/roles/cinder/templates/cinder.conf.j2
index 7cc75926fd..2066c4db92 100644
--- a/ansible/roles/cinder/templates/cinder.conf.j2
+++ b/ansible/roles/cinder/templates/cinder.conf.j2
@@ -206,6 +206,8 @@ connection_string = {{ osprofiler_backend_connection_string }}
 {% if enable_barbican | bool %}
 [barbican]
 auth_endpoint = {{ keystone_internal_url }}
+barbican_endpoint_type = internal
+verify_ssl_path = {{ openstack_cacert }}
 {% endif %}
 
 [coordination]
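Review bot: `verify_ssl_path = {{ openstack_cacert }}` is rendered unconditionally, so if `openstack_cacert` can be empty (its default is not visible in this patch) the key is written with a blank value; the same line is added in the glance-api.conf.j2 and nova.conf.j2 hunks. Whether Castellan treats an empty path as "use the system trust store" cannot be confirmed from here, so it would be safer to wrap the line in `{% if openstack_cacert %}` … `{% endif %}` and let the client default apply when no bundle is configured. A template comment such as `{# CA bundle only; verify_ssl is left at Castellan's default (enabled) #}` would also make clear that certificate verification itself is not being toggled.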
diff --git a/ansible/roles/glance/templates/glance-api.conf.j2 b/ansible/roles/glance/templates/glance-api.conf.j2
index 2964503029..50a47bf28c 100644
--- a/ansible/roles/glance/templates/glance-api.conf.j2
+++ b/ansible/roles/glance/templates/glance-api.conf.j2
@@ -124,3 +124,10 @@ trace_sqlalchemy = true
 hmac_keys = {{ osprofiler_secret }}
 connection_string = {{ osprofiler_backend_connection_string }}
 {% endif %}
+
+{% if enable_barbican | bool %}
+[barbican]
+auth_endpoint = {{ keystone_internal_url }}
+barbican_endpoint_type = internal
+verify_ssl_path = {{ openstack_cacert }}
+{% endif %}
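Review bot: This is a third verbatim copy of the `[barbican]` client block, and the patch itself shows how the copies drift: before it, nova.conf.j2 set `cafile` while cinder.conf.j2 had no CA option at all. Since these three lines decide which endpoint and CA bundle each service uses to reach the key manager, a cross-reference above the section would help, e.g. `{# keep in sync with [barbican] in cinder.conf.j2 and nova.conf.j2 #}`. It is also worth confirming that the file at `openstack_cacert` is present inside the glance-api container, since nothing in this hunk shows that and a missing bundle would presumably make the TLS connection to Barbican fail.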
diff --git a/ansible/roles/nova/templates/nova.conf.j2 b/ansible/roles/nova/templates/nova.conf.j2
index 447a5c0aa6..16ef6db36e 100644
--- a/ansible/roles/nova/templates/nova.conf.j2
+++ b/ansible/roles/nova/templates/nova.conf.j2
@@ -196,5 +196,6 @@ connection_string = {{ osprofiler_backend_connection_string }}
 {% if enable_barbican | bool %}
 [barbican]
 auth_endpoint = {{ keystone_internal_url }}
-cafile = {{ openstack_cacert }}
+barbican_endpoint_type = internal
+verify_ssl_path = {{ openstack_cacert }}
 {% endif %}
diff --git a/releasenotes/notes/bug-1886615-640e817dfdb93b8a.yaml b/releasenotes/notes/bug-1886615-640e817dfdb93b8a.yaml
new file mode 100644
index 0000000000..2b1436f15e
--- /dev/null
+++ b/releasenotes/notes/bug-1886615-640e817dfdb93b8a.yaml
@@ -0,0 +1,5 @@
+---
+fixes:
+  - |
+    Fix Castellan (Barbican client) when used with enabled TLS.
+    `LP#1886615 <https://bugs.launchpad.net/kolla-ansible/+bug/1886615>`__