magnum: Add CA certificate configuration for internal TLS

markgoddard · markgoddard · commit 338d977317e3 · 2021-07-01T11:34:50.000Z
Magnum has various sections in its configuration file for OpenStack clients. When internal TLS is enabled, these may need a CA certificate to be specified. This change adds a CA certificate configuration, based on openstack_cacert, for all clients using internal endpoints. Note: we are explicitly not adding the configuration for the [magnum_client] ca_file and [drivers] openstack_ca_file options, since these use the public endpoint by default. These options may be provided via custom configuration if necessary. Change-Id: Ie59b3777c0a2c142b580addd67e279bc4b2f2c90 Co-Authored-By: Kyle Dean Closes-Bug: #1919389 (cherry picked from commit 48f0957)
diff --git a/ansible/roles/magnum/templates/magnum.conf.j2 b/ansible/roles/magnum/templates/magnum.conf.j2
@@ -32,30 +32,37 @@ endpoint_type = publicURL
 [heat_client]
 region_name = {{ openstack_region_name }}
 endpoint_type = internalURL
+ca_file = {{ openstack_cacert }}
 
 [octavia_client]
 region_name = {{ openstack_region_name }}
 endpoint_type = internalURL
+ca_file = {{ openstack_cacert }}
 
 [cinder_client]
 region_name = {{ openstack_region_name }}
 endpoint_type = internalURL
+ca_file = {{ openstack_cacert }}
 
 [barbican_client]
 region_name = {{ openstack_region_name }}
 endpoint_type = internalURL
+ca_file = {{ openstack_cacert }}
 
 [glance_client]
 region_name = {{ openstack_region_name }}
 endpoint_type = internalURL
+ca_file = {{ openstack_cacert }}
 
 [neutron_client]
 region_name = {{ openstack_region_name }}
 endpoint_type = internalURL
+ca_file = {{ openstack_cacert }}
 
 [nova_client]
 region_name = {{ openstack_region_name }}
 endpoint_type = internalURL
+ca_file = {{ openstack_cacert }}
 
 [keystone_auth]
 auth_url = {{ keystone_internal_url }}/v3
@@ -78,6 +85,7 @@ user_domain_name = {{ default_user_domain_name }}
 project_name = service
 username = {{ magnum_keystone_user }}
 password = {{ magnum_keystone_password }}
+cafile = {{ openstack_cacert }}
 region_name = {{ openstack_region_name }}
 
 memcache_security_strategy = ENCRYPT
diff --git a/releasenotes/notes/fix-magnum-tls-cacert-dd5ab5729391beb2.yaml b/releasenotes/notes/fix-magnum-tls-cacert-dd5ab5729391beb2.yaml
@@ -0,0 +1,5 @@
+---
+fixes:
+  - |
+    Fixes an issue with Magnum when TLS is enabled. `LP#781062
+    <https://review.opendev.org/c/openstack/kolla-ansible/+/781062>`__

-Original file line number
+Diff line change
@@ @@ -0,0 +1,5 @@ @@
 +---
 +fixes:
 +  - |
 +    Fixes an issue with Magnum when TLS is enabled. `LP#781062
 +    <https://review.opendev.org/c/openstack/kolla-ansible/+/781062>`__