This is a prerequisite for patchset #745164
This fixes unwanted restarts during copying of certificates.
By removing conditional statements from role handlers in #745164,
copying certificates caused containers to restart, which is unwanted
during the genconfig process. However, if we removed the handler
notifiers from copying certificates, the container would never
restart, since from #745164 containers restart only if any
of the files specified in config.json change. Certificates are now
copied to an intermediary location inside the container, from which
the script kolla_copy_cacerts installs them in the trust store.
Depends-on: https://review.opendev.org/c/openstack/kolla/+/926882
Change-Id: Ib89048c7e0f250182c4bf57d8c8a1b5478e9b4ab
Signed-off-by: Roman Krček <roman.krcek@tietoevry.com>
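The commit above describes the mechanism in prose only: certificates land in a staging directory inside the container and a script installs them into the trust store. The following shell script is an added illustration of that second step; it is not kolla-ansible's own kolla_copy_cacerts script, and the function name, directory layout, and the optional "refresh" argument are assumptions made for the example. It skips anything that is not a PEM certificate (so a private key dropped into the staging directory is never installed as a trust anchor) and calls whichever distro trust-store tool is present.

```sh
#!/bin/sh
# Added illustration (not kolla-ansible's kolla_copy_cacerts): install CA
# certificates from a staging directory inside a container into the trust
# store. Function name, directory names and the refresh flag are assumptions.
set -eu

# install_cacerts STAGING_DIR ANCHOR_DIR [refresh]
#   Copies every PEM certificate from STAGING_DIR into ANCHOR_DIR as .crt,
#   refreshes the system trust store unless the third argument is "no",
#   and prints the number of certificates installed.
install_cacerts() {
    staging="$1"
    anchors="$2"
    refresh="${3:-yes}"
    count=0
    [ -d "$staging" ] || { echo "no staging dir: $staging" >&2; return 1; }
    mkdir -p "$anchors"
    for cert in "$staging"/*.crt "$staging"/*.pem; do
        [ -f "$cert" ] || continue   # the glob matched nothing
        # Only accept PEM certificates; refuse keys and other files.
        grep -q -- '-----BEGIN CERTIFICATE-----' "$cert" || {
            echo "skipping non-certificate file: $cert" >&2
            continue
        }
        name=$(basename "$cert")
        # Debian-style anchor directories expect a .crt extension.
        dest="$anchors/${name%.*}.crt"
        cp -- "$cert" "$dest"
        chmod 0644 "$dest"
        count=$((count + 1))
    done
    if [ "$refresh" = "yes" ]; then
        # Debian/Ubuntu and RHEL-family images use different tools.
        if command -v update-ca-certificates >/dev/null 2>&1; then
            update-ca-certificates >/dev/null 2>&1 || true
        elif command -v update-ca-trust >/dev/null 2>&1; then
            update-ca-trust extract >/dev/null 2>&1 || true
        fi
    fi
    echo "$count"
}

# Usage: sh install_cacerts.sh /var/lib/kolla/ca-staging /usr/local/share/ca-certificates
if [ "$#" -ge 2 ]; then
    install_cacerts "$1" "$2"
fi
```

Because the copy into the staging directory is a plain file operation and the trust-store update happens inside the container on the next start, this keeps certificate distribution out of the handler path entirely, which is the separation the commit describes.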
- Introduced `letsencrypt_managed_certs`
variable to handle whether letsencrypt
will generate internal, external or both
certificates.
- Updated certificate generation logic to use
`letsencrypt_managed_certs` conditionally,
replacing the previous `enable_letsencrypt` boolean.
- Adjusted tasks and templates to support
internal/external certificate management based
on the new variable.
- Enhanced Let's Encrypt script (`letsencrypt-lego-run.sh.j2`)
to handle both internal and external certificates depending
on VIP configurations.
- Refined HAProxy configuration templates to correctly map
certificates based on TLS settings and new management logic.
Closes-bug: #2076331
Change-Id: Id80c7823fcc5d934b7369c7c0722cd78188e2ccf
Co-Authored-By: Michal Arbet <michal.arbet@ultimum.io>
This patch fixes an issue where backend-related
certificates are attempted to be copied when
``kolla_copy_ca_into_containers`` is enabled but
``kolla_enable_tls_backend`` is disabled.
The fix consists of these specific tasks now
being limited by the condition ``kolla_enable_tls_backend``.
Closes-Bug: #2080381
Change-Id: I7ccae4c501ce332519edef336bcceefae9f9568b
Currently, the service-cert-copy role used to copy certs and the CA
into containers has 'when' statements that check whether HAProxy is
defined and enabled for the service. However, some services like
RabbitMQ, ProxySQL or Redis don't use HAProxy.
This patch removes the when condition, as it is not necessary.
PartiallyImplements: mariadb-ssl
Change-Id: I8864e05212e0ed76ea3a0108b00ed9dd04b1a697
This option disables copy of certificates from the operator host to
kolla-ansible managed hosts.
This is especially useful if you already have some mechanisms to handle
your certificates directly on your hosts.
Co-Authored-By: Marc 'risson' Schmitt <marc.schmitt@risson.space>
Change-Id: Ie18b2464cb5a65a88c4ac191a921b8074a14f504
This patch introduces optional backend encryption for the Keystone
service. When used in conjunction with enabling TLS for service API
endpoints, network communication will be encrypted end to end, from
the client through HAProxy to the Keystone service.
Change-Id: I6351147ddaff8b2ae629179a9bc3bae2ebac9519
Partially-Implements: blueprint add-ssl-internal-network