From c15dc20341bc7e9d26f63e677d0d45ef962301dc Mon Sep 17 00:00:00 2001 From: James Kirsch Date: Mon, 16 Dec 2019 15:50:19 -0800 Subject: [PATCH] Configure services to use Certificate Authority Include a reference to the globally configured Certificate Authority to all services. Services use the CA to verify HTTPs connections. Change-Id: I38da931cdd7ff46cce1994763b5c713652b096cc Partially-Implements: blueprint support-trusted-ca-certificate-file --- ansible/roles/aodh/templates/aodh.conf.j2 | 2 ++ ansible/roles/barbican/templates/barbican.conf.j2 | 1 + ansible/roles/blazar/templates/blazar.conf.j2 | 1 + ansible/roles/ceilometer/templates/ceilometer.conf.j2 | 1 + ansible/roles/cinder/templates/cinder.conf.j2 | 2 ++ ansible/roles/cloudkitty/templates/cloudkitty.conf.j2 | 1 + ansible/roles/congress/templates/congress.conf.j2 | 1 + ansible/roles/cyborg/templates/cyborg.conf.j2 | 1 + ansible/roles/designate/templates/designate.conf.j2 | 1 + ansible/roles/freezer/templates/freezer.conf.j2 | 1 + ansible/roles/glance/templates/glance-api.conf.j2 | 1 + ansible/roles/glance/templates/glance-swift.conf.j2 | 1 + ansible/roles/gnocchi/templates/gnocchi.conf.j2 | 1 + ansible/roles/heat/tasks/bootstrap_service.yml | 1 + ansible/roles/heat/templates/heat.conf.j2 | 1 + .../roles/ironic/templates/ironic-inspector.conf.j2 | 2 ++ ansible/roles/ironic/templates/ironic.conf.j2 | 7 +++++++ ansible/roles/karbor/templates/karbor.conf.j2 | 2 ++ ansible/roles/kibana/templates/kibana.yml.j2 | 1 + ansible/roles/kuryr/templates/kuryr.conf.j2 | 1 + ansible/roles/magnum/templates/magnum.conf.j2 | 1 + ansible/roles/manila/templates/manila-share.conf.j2 | 3 +++ ansible/roles/manila/templates/manila.conf.j2 | 1 + .../masakari/templates/masakari-monitors.conf.j2 | 1 + ansible/roles/masakari/templates/masakari.conf.j2 | 1 + ansible/roles/mistral/templates/mistral.conf.j2 | 1 + .../roles/monasca/templates/monasca-api/api.conf.j2 | 1 + .../monasca/templates/monasca-log-api/log-api.conf.j2 | 1 + ansible/roles/murano/templates/murano.conf.j2 | 7 +++++++ ansible/roles/neutron/templates/neutron.conf.j2 | 4 ++++ ansible/roles/nova-cell/templates/nova.conf.j2 | 7 +++++++ .../roles/nova-hyperv/templates/nova_hyperv.conf.j2 | 3 +++ ansible/roles/nova/templates/nova.conf.j2 | 11 +++++++---- ansible/roles/octavia/templates/octavia.conf.j2 | 4 ++++ ansible/roles/panko/templates/panko.conf.j2 | 1 + ansible/roles/placement/templates/placement.conf.j2 | 1 + ansible/roles/qinling/templates/qinling.conf.j2 | 1 + ansible/roles/sahara/templates/sahara.conf.j2 | 2 ++ .../roles/searchlight/templates/searchlight.conf.j2 | 2 ++ ansible/roles/senlin/templates/senlin.conf.j2 | 1 + ansible/roles/solum/templates/solum.conf.j2 | 1 + ansible/roles/swift/templates/proxy-server.conf.j2 | 1 + ansible/roles/tacker/templates/tacker.conf.j2 | 1 + ansible/roles/telegraf/templates/telegraf.conf.j2 | 1 + ansible/roles/tempest/templates/tempest.conf.j2 | 2 +- ansible/roles/trove/templates/trove.conf.j2 | 1 + ansible/roles/vitrage/templates/vitrage.conf.j2 | 2 ++ ansible/roles/watcher/templates/watcher.conf.j2 | 2 ++ ansible/roles/zun/templates/zun.conf.j2 | 2 ++ ...figure-certificate-authority-aa21fa88234b021e.yaml | 5 +++++ 50 files changed, 97 insertions(+), 5 deletions(-) create mode 100644 releasenotes/notes/configure-certificate-authority-aa21fa88234b021e.yaml diff --git a/ansible/roles/aodh/templates/aodh.conf.j2 b/ansible/roles/aodh/templates/aodh.conf.j2 index b424936048..d65e35d84f 100644 --- a/ansible/roles/aodh/templates/aodh.conf.j2 +++ b/ansible/roles/aodh/templates/aodh.conf.j2 @@ -25,6 +25,7 @@ username = {{ aodh_keystone_user }} password = {{ aodh_keystone_password }} auth_url = {{ keystone_admin_url }} auth_type = password +cafile = {{ openstack_cacert | default(omit) }} [oslo_middleware] enable_proxy_headers_parsing = True @@ -44,6 +45,7 @@ project_domain_id = {{ default_project_domain_id }} user_domain_id = {{ default_user_domain_id }} auth_type = password interface = internal +cafile = {{ openstack_cacert | default(omit) }} [oslo_messaging_notifications] transport_url = {{ notify_transport_url }} diff --git a/ansible/roles/barbican/templates/barbican.conf.j2 b/ansible/roles/barbican/templates/barbican.conf.j2 index c2d14a2bca..306f2eab9a 100644 --- a/ansible/roles/barbican/templates/barbican.conf.j2 +++ b/ansible/roles/barbican/templates/barbican.conf.j2 @@ -59,6 +59,7 @@ username = {{ barbican_keystone_user }} password = {{ barbican_keystone_password }} auth_url = {{ keystone_admin_url }} auth_type = password +cafile = {{ openstack_cacert | default(omit) }} memcache_security_strategy = ENCRYPT memcache_secret_key = {{ memcache_secret_key }} diff --git a/ansible/roles/blazar/templates/blazar.conf.j2 b/ansible/roles/blazar/templates/blazar.conf.j2 index 91d1e46c01..d6c6dcccd3 100644 --- a/ansible/roles/blazar/templates/blazar.conf.j2 +++ b/ansible/roles/blazar/templates/blazar.conf.j2 @@ -32,6 +32,7 @@ project_name = service username = {{ blazar_keystone_user }} password = {{ blazar_keystone_password }} service_token_roles_required = True +cafile = {{ openstack_cacert | default(omit) }} memcache_security_strategy = ENCRYPT memcache_secret_key = {{ memcache_secret_key }} diff --git a/ansible/roles/ceilometer/templates/ceilometer.conf.j2 b/ansible/roles/ceilometer/templates/ceilometer.conf.j2 index 412e01b0bf..58fd80301d 100644 --- a/ansible/roles/ceilometer/templates/ceilometer.conf.j2 +++ b/ansible/roles/ceilometer/templates/ceilometer.conf.j2 @@ -21,6 +21,7 @@ project_domain_id = {{ default_project_domain_id }} user_domain_id = {{ default_user_domain_id }} auth_type = password interface = internal +cafile = {{ openstack_cacert | default(omit) }} {% if nova_compute_virt_type == 'vmware' %} [vmware] diff --git a/ansible/roles/cinder/templates/cinder.conf.j2 b/ansible/roles/cinder/templates/cinder.conf.j2 index 410d63312b..751ec806d6 100644 --- a/ansible/roles/cinder/templates/cinder.conf.j2 +++ b/ansible/roles/cinder/templates/cinder.conf.j2 @@ -86,6 +86,7 @@ region_name = {{ openstack_region_name }} project_name = service username = {{ nova_keystone_user }} password = {{ nova_keystone_password }} +cafile = {{ openstack_cacert | default(omit) }} [database] connection = mysql+pymysql://{{ cinder_database_user }}:{{ cinder_database_password }}@{{ cinder_database_address }}/{{ cinder_database_name }} @@ -100,6 +101,7 @@ user_domain_id = {{ default_user_domain_id }} project_name = service username = {{ cinder_keystone_user }} password = {{ cinder_keystone_password }} +cafile = {{ openstack_cacert | default(omit) }} memcache_security_strategy = ENCRYPT memcache_secret_key = {{ memcache_secret_key }} diff --git a/ansible/roles/cloudkitty/templates/cloudkitty.conf.j2 b/ansible/roles/cloudkitty/templates/cloudkitty.conf.j2 index 8966606a06..1bfbde4c0c 100644 --- a/ansible/roles/cloudkitty/templates/cloudkitty.conf.j2 +++ b/ansible/roles/cloudkitty/templates/cloudkitty.conf.j2 @@ -24,6 +24,7 @@ project_name = service username = {{ cloudkitty_keystone_user }} password = {{ cloudkitty_keystone_password }} region_name = {{ openstack_region_name }} +cafile = {{ openstack_cacert | default(omit) }} memcache_security_strategy = ENCRYPT memcache_secret_key = {{ memcache_secret_key }} diff --git a/ansible/roles/congress/templates/congress.conf.j2 b/ansible/roles/congress/templates/congress.conf.j2 index 8bf690796e..4d2f027668 100644 --- a/ansible/roles/congress/templates/congress.conf.j2 +++ b/ansible/roles/congress/templates/congress.conf.j2 @@ -37,6 +37,7 @@ user_domain_id = {{ default_user_domain_id }} project_name = service username = {{ congress_keystone_user }} password = {{ congress_keystone_password }} +cafile = {{ openstack_cacert | default(omit) }} memcache_security_strategy = ENCRYPT memcache_secret_key = {{ memcache_secret_key }} diff --git a/ansible/roles/cyborg/templates/cyborg.conf.j2 b/ansible/roles/cyborg/templates/cyborg.conf.j2 index 7bf0a1b3cd..48fd9b56ae 100644 --- a/ansible/roles/cyborg/templates/cyborg.conf.j2 +++ b/ansible/roles/cyborg/templates/cyborg.conf.j2 @@ -25,6 +25,7 @@ username = {{ cyborg_keystone_user }} password = {{ cyborg_keystone_password }} auth_url = {{ admin_protocol }}://{{ kolla_internal_fqdn | put_address_in_context('url') }}:{{ keystone_admin_port }} auth_type = password +cafile = {{ openstack_cacert | default(omit) }} {% if cyborg_policy_file is defined %} [oslo_policy] diff --git a/ansible/roles/designate/templates/designate.conf.j2 b/ansible/roles/designate/templates/designate.conf.j2 index b1b67deece..617e2abd2e 100644 --- a/ansible/roles/designate/templates/designate.conf.j2 +++ b/ansible/roles/designate/templates/designate.conf.j2 @@ -29,6 +29,7 @@ username = {{ designate_keystone_user }} password = {{ designate_keystone_password }} http_connect_timeout = 60 service_token_roles_required = True +cafile = {{ openstack_cacert | default(omit) }} memcache_security_strategy = ENCRYPT memcache_secret_key = {{ memcache_secret_key }} diff --git a/ansible/roles/freezer/templates/freezer.conf.j2 b/ansible/roles/freezer/templates/freezer.conf.j2 index e31e48c737..0716d8020d 100644 --- a/ansible/roles/freezer/templates/freezer.conf.j2 +++ b/ansible/roles/freezer/templates/freezer.conf.j2 @@ -30,6 +30,7 @@ user_domain_id = {{ default_user_domain_id }} project_name = service username = {{ freezer_keystone_user }} password = {{ freezer_keystone_password }} +cafile = {{ openstack_cacert | default(omit) }} memcache_security_strategy = ENCRYPT memcache_secret_key = {{ memcache_secret_key }} diff --git a/ansible/roles/glance/templates/glance-api.conf.j2 b/ansible/roles/glance/templates/glance-api.conf.j2 index a7f68d0198..ba7ea07178 100644 --- a/ansible/roles/glance/templates/glance-api.conf.j2 +++ b/ansible/roles/glance/templates/glance-api.conf.j2 @@ -35,6 +35,7 @@ user_domain_id = {{ default_user_domain_id }} project_name = service username = {{ glance_keystone_user }} password = {{ glance_keystone_password }} +cafile = {{ openstack_cacert | default(omit) }} memcache_security_strategy = ENCRYPT memcache_secret_key = {{ memcache_secret_key }} diff --git a/ansible/roles/glance/templates/glance-swift.conf.j2 b/ansible/roles/glance/templates/glance-swift.conf.j2 index 9cec0ab69e..ee836fe00a 100644 --- a/ansible/roles/glance/templates/glance-swift.conf.j2 +++ b/ansible/roles/glance/templates/glance-swift.conf.j2 @@ -5,3 +5,4 @@ user = service:{{ glance_keystone_user }} key = {{ glance_keystone_password }} project_domain_id = default user_domain_id = default +cafile = {{ openstack_cacert | default(omit) }} diff --git a/ansible/roles/gnocchi/templates/gnocchi.conf.j2 b/ansible/roles/gnocchi/templates/gnocchi.conf.j2 index 7a952fe334..76906f8de1 100644 --- a/ansible/roles/gnocchi/templates/gnocchi.conf.j2 +++ b/ansible/roles/gnocchi/templates/gnocchi.conf.j2 @@ -50,6 +50,7 @@ username = {{ gnocchi_keystone_user }} password = {{ gnocchi_keystone_password }} auth_url = {{ keystone_admin_url }} auth_type = password +cafile = {{ openstack_cacert | default(omit) }} memcache_security_strategy = ENCRYPT memcache_secret_key = {{ memcache_secret_key }} diff --git a/ansible/roles/heat/tasks/bootstrap_service.yml b/ansible/roles/heat/tasks/bootstrap_service.yml index 8f6a757380..849d218bbb 100644 --- a/ansible/roles/heat/tasks/bootstrap_service.yml +++ b/ansible/roles/heat/tasks/bootstrap_service.yml @@ -17,6 +17,7 @@ OS_PASSWORD: "{{ openstack_auth.password }}" OS_PROJECT_NAME: "{{ openstack_auth.project_name }}" OS_REGION_NAME: "{{ openstack_region_name }}" + OS_CACERT: "{{ openstack_cacert | default(omit) }}" HEAT_DOMAIN_ADMIN_PASSWORD: "{{ heat_domain_admin_password }}" image: "{{ heat_api.image }}" labels: diff --git a/ansible/roles/heat/templates/heat.conf.j2 b/ansible/roles/heat/templates/heat.conf.j2 index 014d6529b6..5c58f0dc47 100644 --- a/ansible/roles/heat/templates/heat.conf.j2 +++ b/ansible/roles/heat/templates/heat.conf.j2 @@ -49,6 +49,7 @@ user_domain_id = {{ default_user_domain_id }} project_name = service username = {{ heat_keystone_user }} password = {{ heat_keystone_password }} +cafile = {{ openstack_cacert | default(omit) }} memcache_security_strategy = ENCRYPT memcache_secret_key = {{ memcache_secret_key }} diff --git a/ansible/roles/ironic/templates/ironic-inspector.conf.j2 b/ansible/roles/ironic/templates/ironic-inspector.conf.j2 index 54b68eab5d..fb11fab366 100644 --- a/ansible/roles/ironic/templates/ironic-inspector.conf.j2 +++ b/ansible/roles/ironic/templates/ironic-inspector.conf.j2 @@ -22,6 +22,7 @@ project_name = service username = {{ ironic_inspector_keystone_user }} password = {{ ironic_inspector_keystone_password }} os_endpoint_type = internalURL +cafile = {{ openstack_cacert | default(omit) }} {% else %} auth_type = none endpoint_override = {{ ironic_internal_endpoint }} @@ -37,6 +38,7 @@ user_domain_id = {{ default_user_domain_id }} project_name = service username = {{ ironic_inspector_keystone_user }} password = {{ ironic_inspector_keystone_password }} +cafile = {{ openstack_cacert | default(omit) }} memcache_security_strategy = ENCRYPT memcache_secret_key = {{ memcache_secret_key }} diff --git a/ansible/roles/ironic/templates/ironic.conf.j2 b/ansible/roles/ironic/templates/ironic.conf.j2 index d22e1d0f7b..9b8f563472 100644 --- a/ansible/roles/ironic/templates/ironic.conf.j2 +++ b/ansible/roles/ironic/templates/ironic.conf.j2 @@ -63,6 +63,7 @@ username = {{ ironic_keystone_user }} password = {{ ironic_keystone_password }} region_name = {{ openstack_region_name }} valid_interfaces = internal +cafile = {{ openstack_cacert | default(omit) }} memcache_security_strategy = ENCRYPT memcache_secret_key = {{ memcache_secret_key }} @@ -80,6 +81,7 @@ username = {{ ironic_keystone_user }} password = {{ ironic_keystone_password }} region_name = {{ openstack_region_name }} valid_interfaces = internal +cafile = {{ openstack_cacert | default(omit) }} {% endif %} {% if enable_glance | bool %} @@ -93,6 +95,7 @@ username = {{ ironic_keystone_user }} password = {{ ironic_keystone_password }} region_name = {{ openstack_region_name }} valid_interfaces = internal +cafile = {{ openstack_cacert | default(omit) }} {% endif %} {% if enable_neutron | bool %} @@ -107,6 +110,7 @@ password = {{ ironic_keystone_password }} region_name = {{ openstack_region_name }} valid_interfaces = internal cleaning_network = {{ ironic_cleaning_network }} +cafile = {{ openstack_cacert | default(omit) }} {% endif %} {% if enable_nova | bool %} @@ -120,6 +124,7 @@ username = {{ ironic_keystone_user }} password = {{ ironic_keystone_password }} region_name = {{ openstack_region_name }} valid_interfaces = internal +cafile = {{ openstack_cacert | default(omit) }} {% endif %} [inspector] @@ -133,6 +138,7 @@ username = {{ ironic_keystone_user }} password = {{ ironic_keystone_password }} region_name = {{ openstack_region_name }} valid_interfaces = internal +cafile = {{ openstack_cacert | default(omit) }} {% else %} auth_type = none endpoint_override = {{ ironic_inspector_internal_endpoint }} @@ -149,6 +155,7 @@ username = {{ ironic_keystone_user }} password = {{ ironic_keystone_password }} region_name = {{ openstack_region_name }} valid_interfaces = internal +cafile = {{ openstack_cacert | default(omit) }} {% else %} auth_type = none endpoint_override = {{ internal_protocol }}://{{ ironic_internal_fqdn | put_address_in_context('url') }}:{{ ironic_api_port }} diff --git a/ansible/roles/karbor/templates/karbor.conf.j2 b/ansible/roles/karbor/templates/karbor.conf.j2 index 4190e04bf8..e996f0e8b6 100644 --- a/ansible/roles/karbor/templates/karbor.conf.j2 +++ b/ansible/roles/karbor/templates/karbor.conf.j2 @@ -19,6 +19,7 @@ username = {{ karbor_keystone_user }} password = {{ karbor_keystone_password }} auth_url = {{ keystone_admin_url }} auth_type = password +cafile = {{ openstack_cacert | default(omit) }} [clients_keystone] auth_uri = {{ keystone_internal_url }} @@ -39,6 +40,7 @@ user_domain_id = {{ default_user_domain_id }} project_name = service username = {{ karbor_keystone_user }} password = {{ karbor_keystone_password }} +cafile = {{ openstack_cacert | default(omit) }} memcache_security_strategy = ENCRYPT memcache_secret_key = {{ memcache_secret_key }} diff --git a/ansible/roles/kibana/templates/kibana.yml.j2 b/ansible/roles/kibana/templates/kibana.yml.j2 index 581dcafce0..9203d2a0ae 100644 --- a/ansible/roles/kibana/templates/kibana.yml.j2 +++ b/ansible/roles/kibana/templates/kibana.yml.j2 @@ -6,3 +6,4 @@ elasticsearch.url: "{{ internal_protocol }}://{{ kolla_internal_vip_address | pu elasticsearch.requestTimeout: {{ kibana_elasticsearch_request_timeout }} elasticsearch.shardTimeout: {{ kibana_elasticsearch_shard_timeout }} elasticsearch.ssl.verificationMode: "{{ 'full' if kibana_elasticsearch_ssl_verify | bool else 'none' }}" +elasticsearch.ssl.certificateAuthorities: {{ openstack_cacert | default(omit) }} diff --git a/ansible/roles/kuryr/templates/kuryr.conf.j2 b/ansible/roles/kuryr/templates/kuryr.conf.j2 index b41e5f41e9..30027a2e63 100644 --- a/ansible/roles/kuryr/templates/kuryr.conf.j2 +++ b/ansible/roles/kuryr/templates/kuryr.conf.j2 @@ -21,6 +21,7 @@ project_domain_id = {{ default_project_domain_id }} user_domain_id = {{ default_user_domain_id }} password = {{ kuryr_keystone_password }} username = {{ kuryr_keystone_user }} +cafile = {{ openstack_cacert | default(omit) }} {% if kuryr_policy_file is defined %} [oslo_policy] diff --git a/ansible/roles/magnum/templates/magnum.conf.j2 b/ansible/roles/magnum/templates/magnum.conf.j2 index c7c5fcdad8..772421742e 100644 --- a/ansible/roles/magnum/templates/magnum.conf.j2 +++ b/ansible/roles/magnum/templates/magnum.conf.j2 @@ -65,6 +65,7 @@ user_domain_name = {{ default_user_domain_name }} project_name = service username = {{ magnum_keystone_user }} password = {{ magnum_keystone_password }} +cafile = {{ openstack_cacert | default(omit) }} memcache_security_strategy = ENCRYPT memcache_secret_key = {{ memcache_secret_key }} diff --git a/ansible/roles/manila/templates/manila-share.conf.j2 b/ansible/roles/manila/templates/manila-share.conf.j2 index db76ea42e8..9a837d5b99 100644 --- a/ansible/roles/manila/templates/manila-share.conf.j2 +++ b/ansible/roles/manila/templates/manila-share.conf.j2 @@ -16,6 +16,7 @@ endpoint_type = internalURL project_name = service username = cinder password = {{ cinder_keystone_password }} +cafile = {{ openstack_cacert | default(omit) }} memcache_security_strategy = ENCRYPT memcache_secret_key = {{ memcache_secret_key }} @@ -32,6 +33,7 @@ endpoint_type = internalURL project_name = service username = {{ nova_keystone_user }} password = {{ nova_keystone_password }} +cafile = {{ openstack_cacert | default(omit) }} memcache_security_strategy = ENCRYPT memcache_secret_key = {{ memcache_secret_key }} @@ -49,6 +51,7 @@ endpoint_type = internalURL project_name = service username = {{ neutron_keystone_user }} password = {{ neutron_keystone_password }} +cafile = {{ openstack_cacert | default(omit) }} memcache_security_strategy = ENCRYPT memcache_secret_key = {{ memcache_secret_key }} diff --git a/ansible/roles/manila/templates/manila.conf.j2 b/ansible/roles/manila/templates/manila.conf.j2 index 7ee7f9a917..9598560325 100644 --- a/ansible/roles/manila/templates/manila.conf.j2 +++ b/ansible/roles/manila/templates/manila.conf.j2 @@ -37,6 +37,7 @@ user_domain_id = {{ default_user_domain_id }} project_name = service username = {{ manila_keystone_user }} password = {{ manila_keystone_password }} +cafile = {{ openstack_cacert | default(omit) }} memcache_security_strategy = ENCRYPT memcache_secret_key = {{ memcache_secret_key }} diff --git a/ansible/roles/masakari/templates/masakari-monitors.conf.j2 b/ansible/roles/masakari/templates/masakari-monitors.conf.j2 index 142075894a..0a8a6b547e 100644 --- a/ansible/roles/masakari/templates/masakari-monitors.conf.j2 +++ b/ansible/roles/masakari/templates/masakari-monitors.conf.j2 @@ -10,6 +10,7 @@ project_name = service project_domain_id = {{ default_project_domain_id }} username = {{ masakari_keystone_user }} password = {{ masakari_keystone_password }} +cafile = {{ openstack_cacert | default(omit) }} [libvirt] connection_uri = "qemu+tcp://{{ migration_interface_address | put_address_in_context('url') }}/system" diff --git a/ansible/roles/masakari/templates/masakari.conf.j2 b/ansible/roles/masakari/templates/masakari.conf.j2 index 4111eac980..eb4c512783 100644 --- a/ansible/roles/masakari/templates/masakari.conf.j2 +++ b/ansible/roles/masakari/templates/masakari.conf.j2 @@ -28,6 +28,7 @@ username = {{ masakari_keystone_user }} password = {{ masakari_keystone_password }} service_token_roles_required = True region_name = {{ openstack_region_name }} +cafile = {{ openstack_cacert | default(omit) }} {% if enable_memcached | bool %} memcache_security_strategy = ENCRYPT diff --git a/ansible/roles/mistral/templates/mistral.conf.j2 b/ansible/roles/mistral/templates/mistral.conf.j2 index b612cc57ff..1c758543d3 100644 --- a/ansible/roles/mistral/templates/mistral.conf.j2 +++ b/ansible/roles/mistral/templates/mistral.conf.j2 @@ -45,6 +45,7 @@ user_domain_id = {{ default_user_domain_id }} project_name = service username = {{ mistral_keystone_user }} password = {{ mistral_keystone_password }} +cafile = {{ openstack_cacert | default(omit) }} memcache_security_strategy = ENCRYPT memcache_secret_key = {{ memcache_secret_key }} diff --git a/ansible/roles/monasca/templates/monasca-api/api.conf.j2 b/ansible/roles/monasca/templates/monasca-api/api.conf.j2 index dc1aa4ec71..30491645ab 100644 --- a/ansible/roles/monasca/templates/monasca-api/api.conf.j2 +++ b/ansible/roles/monasca/templates/monasca-api/api.conf.j2 @@ -36,6 +36,7 @@ project_name = service username = {{ monasca_keystone_user }} password = {{ monasca_keystone_password }} service_token_roles_required=True +cafile = {{ openstack_cacert | default(omit) }} memcache_security_strategy = ENCRYPT memcache_secret_key = {{ memcache_secret_key }} diff --git a/ansible/roles/monasca/templates/monasca-log-api/log-api.conf.j2 b/ansible/roles/monasca/templates/monasca-log-api/log-api.conf.j2 index 91e3ef6e6c..b303de5cbb 100644 --- a/ansible/roles/monasca/templates/monasca-log-api/log-api.conf.j2 +++ b/ansible/roles/monasca/templates/monasca-log-api/log-api.conf.j2 @@ -36,6 +36,7 @@ project_name = service username = {{ monasca_keystone_user }} password = {{ monasca_keystone_password }} service_token_roles_required=True +cafile = {{ openstack_cacert | default(omit) }} memcache_security_strategy = ENCRYPT memcache_secret_key = {{ memcache_secret_key }} diff --git a/ansible/roles/murano/templates/murano.conf.j2 b/ansible/roles/murano/templates/murano.conf.j2 index 5f4e3654ff..98831dc016 100644 --- a/ansible/roles/murano/templates/murano.conf.j2 +++ b/ansible/roles/murano/templates/murano.conf.j2 @@ -27,6 +27,7 @@ user_domain_id = {{ default_user_domain_id }} project_name = service username = {{ murano_keystone_user }} password = {{ murano_keystone_password }} +cafile = {{ openstack_cacert | default(omit) }} memcache_security_strategy = ENCRYPT memcache_secret_key = {{ memcache_secret_key }} @@ -41,6 +42,7 @@ user_domain_name = {{ default_user_domain_name }} project_name = service username = {{ murano_keystone_user }} password = {{ murano_keystone_password }} +cafile = {{ openstack_cacert | default(omit) }} [murano] url = {{ internal_protocol }}://{{ kolla_internal_fqdn | put_address_in_context('url') }}:{{ murano_api_port }} @@ -78,17 +80,22 @@ auth_url = {{ keystone_internal_url }}/v3 username = {{ murano_keystone_user }} password = {{ murano_keystone_password }} user_domain_name = {{ default_project_domain_name }} +cafile = {{ openstack_cacert | default(omit) }} {% endif %} {% endif %} [neutron] endpoint_type = internalURL +cafile = {{ openstack_cacert | default(omit) }} [heat] endpoint_type = internalURL +cafile = {{ openstack_cacert | default(omit) }} [glance] endpoint_type = internalURL +cafile = {{ openstack_cacert | default(omit) }} [mistral] endpoint_type = internalURL +cafile = {{ openstack_cacert | default(omit) }} diff --git a/ansible/roles/neutron/templates/neutron.conf.j2 b/ansible/roles/neutron/templates/neutron.conf.j2 index 1990e967f7..03a02132f1 100644 --- a/ansible/roles/neutron/templates/neutron.conf.j2 +++ b/ansible/roles/neutron/templates/neutron.conf.j2 @@ -84,6 +84,7 @@ project_name = service username = {{ nova_keystone_user }} password = {{ nova_keystone_password }} endpoint_type = internal +cafile = {{ openstack_cacert | default(omit) }} [oslo_middleware] enable_proxy_headers_parsing = True @@ -107,6 +108,7 @@ user_domain_id = {{ default_user_domain_id }} project_name = service username = {{ neutron_keystone_user }} password = {{ neutron_keystone_password }} +cafile = {{ openstack_cacert | default(omit) }} memcache_security_strategy = ENCRYPT memcache_secret_key = {{ memcache_secret_key }} @@ -149,6 +151,7 @@ password = {{ designate_keystone_password }} allow_reverse_dns_lookup = True ipv4_ptr_zone_prefix_size = 24 ipv6_ptr_zone_prefix_size = 116 +cafile = {{ openstack_cacert | default(omit) }} {% endif %} {% if enable_osprofiler | bool %} @@ -169,6 +172,7 @@ project_name = service project_domain_name = {{ default_project_domain_name }} os_region_name = {{ openstack_region_name }} os_interface = internal +cafile = {{ openstack_cacert | default(omit) }} [privsep] helper_command=sudo neutron-rootwrap /etc/neutron/rootwrap.conf privsep-helper diff --git a/ansible/roles/nova-cell/templates/nova.conf.j2 b/ansible/roles/nova-cell/templates/nova.conf.j2 index ea9e543204..f39c95ef61 100644 --- a/ansible/roles/nova-cell/templates/nova.conf.j2 +++ b/ansible/roles/nova-cell/templates/nova.conf.j2 @@ -90,6 +90,7 @@ proxyclient_address = {{ api_interface_address }} username = {{ ironic_keystone_user }} password = {{ ironic_keystone_password }} auth_url = {{ openstack_auth.auth_url }}/v3 +cafile = {{ openstack_cacert | default(omit) }} auth_type = password project_name = service user_domain_name = {{ default_user_domain_name }} @@ -103,12 +104,14 @@ lock_path = /var/lib/nova/tmp [glance] api_servers = {{ internal_protocol }}://{{ glance_internal_fqdn | put_address_in_context('url') }}:{{ glance_api_port }} +cafile = {{ openstack_cacert | default(omit) }} num_retries = 3 {% if enable_cinder | bool %} [cinder] catalog_info = volumev3:cinderv3:internalURL os_region_name = {{ openstack_region_name }} +cafile = {{ openstack_cacert | default(omit) }} {% endif %} [neutron] @@ -119,6 +122,7 @@ ovs_bridge = {{ ovs_bridge }} {% endif %} auth_url = {{ keystone_admin_url }} auth_type = password +cafile = {{ openstack_cacert | default(omit) }} project_domain_name = {{ default_project_domain_name }} user_domain_id = {{ default_user_domain_id }} project_name = service @@ -184,6 +188,7 @@ helper_command=sudo nova-rootwrap /etc/nova/rootwrap.conf privsep-helper --confi [glance] debug = {{ nova_logging_debug }} +cafile = {{ openstack_cacert | default(omit) }} [guestfs] debug = {{ nova_logging_debug }} @@ -197,6 +202,7 @@ user_domain_name = {{ default_user_domain_name }} project_name = service project_domain_name = {{ default_project_domain_name }} region_name = {{ openstack_region_name }} +cafile = {{ openstack_cacert | default(omit) }} valid_interfaces = internal [notifications] @@ -221,6 +227,7 @@ connection_string = {{ osprofiler_backend_connection_string }} {% if enable_barbican | bool %} [barbican] auth_endpoint = {{ keystone_internal_url }} +cafile = {{ openstack_cacert | default(omit) }} {% endif %} {% if nova_compute_virt_type == "xenapi" %} diff --git a/ansible/roles/nova-hyperv/templates/nova_hyperv.conf.j2 b/ansible/roles/nova-hyperv/templates/nova_hyperv.conf.j2 index 7ff452799e..7a2dc9f51a 100644 --- a/ansible/roles/nova-hyperv/templates/nova_hyperv.conf.j2 +++ b/ansible/roles/nova-hyperv/templates/nova_hyperv.conf.j2 @@ -29,9 +29,11 @@ password = {{ placement_keystone_password }} project_domain_name = {{ default_project_domain_name }} user_domain_name = {{ default_user_domain_name }} os_region_name = {{ openstack_region_name }} +cafile = {{ openstack_cacert | default(omit) }} [glance] api_servers = {{ internal_protocol }}://{{ glance_internal_fqdn | put_address_in_context('url') }}:{{ glance_api_port }} +cafile = {{ openstack_cacert | default(omit) }} [hyperv] @@ -57,6 +59,7 @@ username = {{ neutron_keystone_user }} password = {{ neutron_keystone_password }} auth_url = {{ keystone_admin_url }}/v3 auth_type = v3password +cafile = {{ openstack_cacert | default(omit) }} [oslo_messaging_notifications] transport_url = {{ notify_transport_url }} diff --git a/ansible/roles/nova/templates/nova.conf.j2 b/ansible/roles/nova/templates/nova.conf.j2 index e9c1b73250..d3e21781c7 100644 --- a/ansible/roles/nova/templates/nova.conf.j2 +++ b/ansible/roles/nova/templates/nova.conf.j2 @@ -59,8 +59,9 @@ lock_path = /var/lib/nova/tmp [glance] api_servers = {{ internal_protocol }}://{{ glance_internal_fqdn | put_address_in_context('url') }}:{{ glance_api_port }} - +cafile = {{ openstack_cacert | default(omit) }} num_retries = {{ groups['glance-api'] | length }} +debug = {{ nova_logging_debug }} {% if enable_cinder | bool %} [cinder] @@ -73,6 +74,7 @@ user_domain_id = {{ default_user_domain_id }} project_name = service username = {{ cinder_keystone_user }} password = {{ cinder_keystone_password }} +cafile = {{ openstack_cacert | default(omit) }} {% endif %} [neutron] @@ -90,6 +92,7 @@ username = {{ neutron_keystone_user }} password = {{ neutron_keystone_password }} region_name = {{ openstack_region_name }} valid_interfaces = internal +cafile = {{ openstack_cacert | default(omit) }} [database] connection = mysql+pymysql://{{ nova_cell0_database_user }}:{{ nova_cell0_database_password }}@{{ nova_cell0_database_address }}/{{ nova_cell0_database_name }} @@ -116,6 +119,7 @@ user_domain_id = {{ default_user_domain_id }} project_name = service username = {{ nova_keystone_user }} password = {{ nova_keystone_password }} +cafile = {{ openstack_cacert | default(omit) }} memcache_security_strategy = ENCRYPT memcache_secret_key = {{ memcache_secret_key }} @@ -141,9 +145,6 @@ policy_file = {{ nova_policy_file }} [privsep_entrypoint] helper_command=sudo nova-rootwrap /etc/nova/rootwrap.conf privsep-helper --config-file /etc/nova/nova.conf -[glance] -debug = {{ nova_logging_debug }} - [guestfs] debug = {{ nova_logging_debug }} @@ -169,6 +170,7 @@ user_domain_name = {{ default_user_domain_name }} project_name = service project_domain_name = {{ default_project_domain_name }} region_name = {{ openstack_region_name }} +cafile = {{ openstack_cacert | default(omit) }} valid_interfaces = internal [notifications] @@ -193,4 +195,5 @@ connection_string = {{ osprofiler_backend_connection_string }} {% if enable_barbican | bool %} [barbican] auth_endpoint = {{ keystone_internal_url }} +cafile = {{ openstack_cacert | default(omit) }} {% endif %} diff --git a/ansible/roles/octavia/templates/octavia.conf.j2 b/ansible/roles/octavia/templates/octavia.conf.j2 index 0072e0527a..48bb231eb9 100644 --- a/ansible/roles/octavia/templates/octavia.conf.j2 +++ b/ansible/roles/octavia/templates/octavia.conf.j2 @@ -44,6 +44,7 @@ user_domain_id = {{ default_user_domain_id }} project_name = service username = {{ octavia_keystone_user }} password = {{ octavia_keystone_password }} +cafile = {{ openstack_cacert | default(omit) }} memcache_security_strategy = ENCRYPT memcache_secret_key = {{ memcache_secret_key }} @@ -83,11 +84,14 @@ policy_file = {{ octavia_policy_file }} [glance] region_name = {{ openstack_region_name }} endpoint_type = internal +ca_certificates_file == {{ openstack_cacert | default(omit) }} [neutron] region_name = {{ openstack_region_name }} endpoint_type = internal +ca_certificates_file == {{ openstack_cacert | default(omit) }} [nova] region_name = {{ openstack_region_name }} endpoint_type = internal +ca_certificates_file == {{ openstack_cacert | default(omit) }} diff --git a/ansible/roles/panko/templates/panko.conf.j2 b/ansible/roles/panko/templates/panko.conf.j2 index eb1a83ae23..29544fba49 100644 --- a/ansible/roles/panko/templates/panko.conf.j2 +++ b/ansible/roles/panko/templates/panko.conf.j2 @@ -25,6 +25,7 @@ username = {{ panko_keystone_user }} password = {{ panko_keystone_password }} auth_url = {{ keystone_admin_url }} auth_type = password +cafile = {{ openstack_cacert | default(omit) }} memcache_security_strategy = ENCRYPT memcache_secret_key = {{ memcache_secret_key }} diff --git a/ansible/roles/placement/templates/placement.conf.j2 b/ansible/roles/placement/templates/placement.conf.j2 index a3fa5fad5f..300329c09a 100644 --- a/ansible/roles/placement/templates/placement.conf.j2 +++ b/ansible/roles/placement/templates/placement.conf.j2 @@ -42,6 +42,7 @@ user_domain_id = {{ default_user_domain_id }} project_name = service username = {{ placement_keystone_user }} password = {{ placement_keystone_password }} +cafile = {{ openstack_cacert | default(omit) }} memcache_security_strategy = ENCRYPT memcache_secret_key = {{ memcache_secret_key }} diff --git a/ansible/roles/qinling/templates/qinling.conf.j2 b/ansible/roles/qinling/templates/qinling.conf.j2 index 03a1ee5f5e..f22917bc93 100644 --- a/ansible/roles/qinling/templates/qinling.conf.j2 +++ b/ansible/roles/qinling/templates/qinling.conf.j2 @@ -28,6 +28,7 @@ project_name = service username = {{ qinling_keystone_user }} password = {{ qinling_keystone_password }} region_name = {{ openstack_region_name }} +cafile = {{ openstack_cacert | default(omit) }} memcache_security_strategy = ENCRYPT memcache_secret_key = {{ memcache_secret_key }} diff --git a/ansible/roles/sahara/templates/sahara.conf.j2 b/ansible/roles/sahara/templates/sahara.conf.j2 index c2b6036d53..5f1baa8144 100644 --- a/ansible/roles/sahara/templates/sahara.conf.j2 +++ b/ansible/roles/sahara/templates/sahara.conf.j2 @@ -21,6 +21,7 @@ project_name = service project_domain_name = {{ default_project_domain_name }} username = {{ sahara_keystone_user }} password = {{ sahara_keystone_password }} +cafile = {{ openstack_cacert | default(omit) }} memcache_security_strategy = ENCRYPT memcache_secret_key = {{ memcache_secret_key }} @@ -51,3 +52,4 @@ user_domain_name = {{ default_user_domain_name }} username = {{ sahara_keystone_user }} password = {{ sahara_keystone_password }} auth_url = {{ keystone_admin_url }}/v3 +cafile = {{ openstack_cacert | default(omit) }} diff --git a/ansible/roles/searchlight/templates/searchlight.conf.j2 b/ansible/roles/searchlight/templates/searchlight.conf.j2 index a8f11b766c..4a22f8a3e1 100644 --- a/ansible/roles/searchlight/templates/searchlight.conf.j2 +++ b/ansible/roles/searchlight/templates/searchlight.conf.j2 @@ -29,6 +29,7 @@ user_domain_name = {{ default_user_domain_name }} username = {{ searchlight_keystone_user }} password = {{ searchlight_keystone_password }} auth_type = password +cafile = {{ openstack_cacert | default(omit) }} memcache_security_strategy = ENCRYPT memcache_secret_key = {{ memcache_secret_key }} @@ -60,6 +61,7 @@ username = {{ searchlight_keystone_user }} password = {{ searchlight_keystone_password }} auth_type = password auth_plugin = password +cafile = {{ openstack_cacert | default(omit) }} memcache_security_strategy = ENCRYPT memcache_secret_key = {{ memcache_secret_key }} diff --git a/ansible/roles/senlin/templates/senlin.conf.j2 b/ansible/roles/senlin/templates/senlin.conf.j2 index fbe31a72ac..a3c689c34b 100644 --- a/ansible/roles/senlin/templates/senlin.conf.j2 +++ b/ansible/roles/senlin/templates/senlin.conf.j2 @@ -49,6 +49,7 @@ project_name = service username = {{ senlin_keystone_user }} password = {{ senlin_keystone_password }} service_token_roles_required = False +cafile = {{ openstack_cacert | default(omit) }} memcache_security_strategy = ENCRYPT memcache_secret_key = {{ memcache_secret_key }} diff --git a/ansible/roles/solum/templates/solum.conf.j2 b/ansible/roles/solum/templates/solum.conf.j2 index 12083a76a8..71f7373ad9 100644 --- a/ansible/roles/solum/templates/solum.conf.j2 +++ b/ansible/roles/solum/templates/solum.conf.j2 @@ -51,6 +51,7 @@ user_domain_id = {{ default_user_domain_id }} project_name = service username = {{ solum_keystone_user }} password = {{ solum_keystone_password }} +cafile = {{ openstack_cacert | default(omit) }} memcache_security_strategy = ENCRYPT memcache_secret_key = {{ memcache_secret_key }} diff --git a/ansible/roles/swift/templates/proxy-server.conf.j2 b/ansible/roles/swift/templates/proxy-server.conf.j2 index 958b4bf535..e7b2c42f2b 100644 --- a/ansible/roles/swift/templates/proxy-server.conf.j2 +++ b/ansible/roles/swift/templates/proxy-server.conf.j2 @@ -44,6 +44,7 @@ project_name = service username = {{ swift_keystone_user }} password = {{ swift_keystone_password }} delay_auth_decision = {{ swift_delay_auth_decision }} +cafile = {{ openstack_cacert | default(omit) }} memcache_security_strategy = ENCRYPT memcache_secret_key = {{ memcache_secret_key }} diff --git a/ansible/roles/tacker/templates/tacker.conf.j2 b/ansible/roles/tacker/templates/tacker.conf.j2 index 8e0fa2910c..4267564817 100644 --- a/ansible/roles/tacker/templates/tacker.conf.j2 +++ b/ansible/roles/tacker/templates/tacker.conf.j2 @@ -38,6 +38,7 @@ user_domain_name = {{ default_user_domain_id }} project_name = service username = {{ tacker_keystone_user }} password = {{ tacker_keystone_password }} +cafile = {{ openstack_cacert | default(omit) }} memcache_security_strategy = ENCRYPT memcache_secret_key = {{ memcache_secret_key }} diff --git a/ansible/roles/telegraf/templates/telegraf.conf.j2 b/ansible/roles/telegraf/templates/telegraf.conf.j2 index 2dceae53e7..c61b4682ea 100644 --- a/ansible/roles/telegraf/templates/telegraf.conf.j2 +++ b/ansible/roles/telegraf/templates/telegraf.conf.j2 @@ -19,6 +19,7 @@ retention_policy = "autogen" write_consistency = "any" timeout = "5s" + tls_ca = {{ openstack_cacert | default(omit) }} {% endfor %} {% endif %} [[inputs.cpu]] diff --git a/ansible/roles/tempest/templates/tempest.conf.j2 b/ansible/roles/tempest/templates/tempest.conf.j2 index ed0aa87215..90d7f691bd 100644 --- a/ansible/roles/tempest/templates/tempest.conf.j2 +++ b/ansible/roles/tempest/templates/tempest.conf.j2 @@ -10,7 +10,6 @@ admin_password = {{ keystone_admin_password }} admin_project_name = {{ openstack_auth.project_name }} admin_domain_name = {{ openstack_auth.domain_name }} - [dashboard] dashboard_url = {{ internal_protocol }}://{{ kolla_internal_fqdn }} login_url = {{ internal_protocol }}://{{ kolla_internal_fqdn }}/auth/login/ @@ -42,6 +41,7 @@ region = {{ openstack_region_name }} auth_version = v3 uri = {{ keystone_admin_url }}/v2.0 uri_v3 = {{ keystone_admin_url }}/v3 +ca_certificates_file = {{ openstack_cacert | default(omit) }} [image] region = {{ openstack_region_name }} diff --git a/ansible/roles/trove/templates/trove.conf.j2 b/ansible/roles/trove/templates/trove.conf.j2 index 0c18d5e3e5..ef2fbe60a3 100644 --- a/ansible/roles/trove/templates/trove.conf.j2 +++ b/ansible/roles/trove/templates/trove.conf.j2 @@ -39,6 +39,7 @@ username = {{ trove_keystone_user }} password = {{ trove_keystone_password }} auth_url = {{ keystone_admin_url }} auth_type = password +cafile = {{ openstack_cacert | default(omit) }} [oslo_messaging_notifications] transport_url = {{ notify_transport_url }} diff --git a/ansible/roles/vitrage/templates/vitrage.conf.j2 b/ansible/roles/vitrage/templates/vitrage.conf.j2 index 260a986c54..07c41707a6 100644 --- a/ansible/roles/vitrage/templates/vitrage.conf.j2 +++ b/ansible/roles/vitrage/templates/vitrage.conf.j2 @@ -39,6 +39,7 @@ project_name = service username = {{ vitrage_keystone_user }} password = {{ vitrage_keystone_password }} service_token_roles_required = True +cafile = {{ openstack_cacert | default(omit) }} memcache_security_strategy = ENCRYPT memcache_secret_key = {{ memcache_secret_key }} @@ -54,6 +55,7 @@ project_name = admin password = {{ vitrage_keystone_password }} username = {{ vitrage_keystone_user }} interface = internal +cafile = {{ openstack_cacert | default(omit) }} memcache_security_strategy = ENCRYPT memcache_secret_key = {{ memcache_secret_key }} diff --git a/ansible/roles/watcher/templates/watcher.conf.j2 b/ansible/roles/watcher/templates/watcher.conf.j2 index a73cae7e87..ed3ec2c68a 100644 --- a/ansible/roles/watcher/templates/watcher.conf.j2 +++ b/ansible/roles/watcher/templates/watcher.conf.j2 @@ -26,6 +26,7 @@ project_name = service username = {{ watcher_keystone_user }} password = {{ watcher_keystone_password }} service_token_roles_required = True +cafile = {{ openstack_cacert | default(omit) }} memcache_security_strategy = ENCRYPT memcache_secret_key = {{ memcache_secret_key }} @@ -40,6 +41,7 @@ user_domain_id = {{ default_user_domain_id }} project_name = service username = {{ watcher_keystone_user }} password = {{ watcher_keystone_password }} +cafile = {{ openstack_cacert | default(omit) }} [oslo_concurrency] lock_path = /var/lib/watcher/tmp diff --git a/ansible/roles/zun/templates/zun.conf.j2 b/ansible/roles/zun/templates/zun.conf.j2 index 3e41e9b717..bb8c0698b4 100644 --- a/ansible/roles/zun/templates/zun.conf.j2 +++ b/ansible/roles/zun/templates/zun.conf.j2 @@ -38,6 +38,7 @@ username = {{ zun_keystone_user }} password = {{ zun_keystone_password }} service_token_roles_required = True region_name = {{ openstack_region_name }} +cafile = {{ openstack_cacert | default(omit) }} {% if enable_memcached | bool %} memcache_security_strategy = ENCRYPT @@ -59,6 +60,7 @@ username = {{ zun_keystone_user }} password = {{ zun_keystone_password }} service_token_roles_required = True region_name = {{ openstack_region_name }} +cafile = {{ openstack_cacert | default(omit) }} {% if enable_memcached | bool %} memcache_security_strategy = ENCRYPT diff --git a/releasenotes/notes/configure-certificate-authority-aa21fa88234b021e.yaml b/releasenotes/notes/configure-certificate-authority-aa21fa88234b021e.yaml new file mode 100644 index 0000000000..583d34fbc5 --- /dev/null +++ b/releasenotes/notes/configure-certificate-authority-aa21fa88234b021e.yaml @@ -0,0 +1,5 @@ +--- +features: + - Configure all openstack services to use the globally defined Certificate + Authority to verify HTTPs connections. The global CA is configured by the + 'openstack_cacert' parameter.