From ea4505f17a83f517f0f6e00d6583accf23051bfe Mon Sep 17 00:00:00 2001
From: lixuehai
Date: Mon, 13 Apr 2020 14:11:29 +0800
Subject: [PATCH] Fix Octavia CA cert paths
This fixes Octavia in scenarios that require providing a
CA cert (self-signed, internally-signed).
Change-Id: I60b7ec85f4fd8bbacf5df0ab7ed9a00658c91871
Closes-Bug: #1872404
---
ansible/roles/octavia/templates/octavia.conf.j2 | 7 ++++---
releasenotes/notes/bug-1872404-dc092ab1ce84c71d.yaml | 6 ++++++
2 files changed, 10 insertions(+), 3 deletions(-)
create mode 100644 releasenotes/notes/bug-1872404-dc092ab1ce84c71d.yaml
diff --git a/ansible/roles/octavia/templates/octavia.conf.j2 b/ansible/roles/octavia/templates/octavia.conf.j2
index 90d58135c7..7f7fdabee9 100644
--- a/ansible/roles/octavia/templates/octavia.conf.j2
+++ b/ansible/roles/octavia/templates/octavia.conf.j2
@@ -30,6 +30,7 @@ password = {{ octavia_keystone_password }}
user_domain_name = {{ default_user_domain_name }}
project_name = {{ openstack_auth.project_name }}
project_domain_name = {{ default_project_domain_name }}
+cafile = {{ openstack_cacert }}
memcache_security_strategy = ENCRYPT
memcache_secret_key = {{ memcache_secret_key }}
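Review bot: The added `cafile = {{ openstack_cacert }}` is rendered unconditionally, so a deployment that leaves `openstack_cacert` empty gets a bare `cafile =` in this section. The section header is above the hunk; from the context lines it looks like the Keystone auth section. Whether the consumer treats an empty value as "use the system trust store" is not visible here and should be confirmed. If it does not, wrap the line as `{% if openstack_cacert %}` / `cafile = {{ openstack_cacert }}` / `{% endif %}`. The same question applies to the three `ca_certificates_file` lines in the next hunk.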
@@ -84,14 +85,14 @@ policy_file = {{ octavia_policy_file }}
[glance]
region_name = {{ openstack_region_name }}
endpoint_type = internal
-ca_certificates_file == {{ openstack_cacert }}
+ca_certificates_file = {{ openstack_cacert }}
[neutron]
region_name = {{ openstack_region_name }}
endpoint_type = internal
-ca_certificates_file == {{ openstack_cacert }}
+ca_certificates_file = {{ openstack_cacert }}
[nova]
region_name = {{ openstack_region_name }}
endpoint_type = internal
-ca_certificates_file == {{ openstack_cacert }}
+ca_certificates_file = {{ openstack_cacert }}
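Review bot: Only `[glance]`, `[neutron]` and `[nova]` get a corrected CA path here, and the visible hunks do not show whether every other TLS client section in this template is covered. Octavia's `[service_auth]` section builds its own Keystone session and takes `cafile`, so it should carry `cafile = {{ openstack_cacert }}` as well if it does not already. A section left without the CA bundle fails certificate verification against an internally-signed endpoint, and the common workaround is to turn verification off. It may also be worth a rendered-config check in CI, since the old `==` form presumably parsed as a value beginning with `=` and went unnoticed.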
diff --git a/releasenotes/notes/bug-1872404-dc092ab1ce84c71d.yaml b/releasenotes/notes/bug-1872404-dc092ab1ce84c71d.yaml
new file mode 100644
index 0000000000..4fecfe9ec6
--- /dev/null
+++ b/releasenotes/notes/bug-1872404-dc092ab1ce84c71d.yaml
@@ -0,0 +1,6 @@
+---
+fixes:
+ - |
+ Fixes Octavia in internally-signed (e.g. self-signed) cert TLS deployments
+ by providing path to CA cert file in proper config places.
+ `LP#1872404 `__