Add support for CA certificate parameter

When using Ansible OpenStack modules, if OS_CACERT is defined, then this
will be passed as the cacert module argument.

This ensures that non-standard CA certificate paths can be used.

Change-Id: I2a2575b1fb0f149cc13c44526fc0167e68e07aab
Story: 2004911
Task: 29261
Mark Goddard 2019-01-22 16:59:24 +00:00
parent 9156fa0e2d
commit e83c57f233
15 changed files with 32 additions and 0 deletions


@ -34,6 +34,7 @@
os_ironic_inspect:
auth_type: "{{ openstack_auth_type }}"
auth: "{{ openstack_auth }}"
cacert: "{{ openstack_cacert | default(omit, true) }}"
name: "{{ inventory_hostname }}"
timeout: "{{ baremetal_compute_timeout }}"
wait: "{{ baremetal_compute_wait }}"


@ -32,6 +32,7 @@
- role: stackhpc.os-ironic-state
os_ironic_state_auth_type: "{{ openstack_auth_type }}"
os_ironic_state_auth: "{{ openstack_auth }}"
os_ironic_state_cacert: "{{ openstack_cacert }}"
os_ironic_state_name: "{{ inventory_hostname }}"
os_ironic_state_provision_state: "manage"
os_ironic_state_wait: "{{ baremetal_compute_wait }}"
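Review bot: `os_ironic_state_cacert: "{{ openstack_cacert }}"` hands the role an empty string whenever OS_CACERT is unset, because the env lookup added in this commit has no default, whereas the direct module calls in the commit use `| default(omit, true)`. The `stackhpc.os-ironic-state` role is not shown on this page, so it cannot be confirmed here whether it omits an empty value or whether the version in use reads this variable at all. If it does not, the custom CA would be silently ignored for these calls. Please confirm the role's handling and minimum version; the same applies to the identical line in the next file section (provision state "provide"). The play continues outside the hunk.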


@ -32,6 +32,7 @@
- role: stackhpc.os-ironic-state
os_ironic_state_auth_type: "{{ openstack_auth_type }}"
os_ironic_state_auth: "{{ openstack_auth }}"
os_ironic_state_cacert: "{{ openstack_cacert }}"
os_ironic_state_name: "{{ inventory_hostname }}"
os_ironic_state_provision_state: "provide"
os_ironic_state_wait: "{{ baremetal_compute_wait }}"


@ -17,6 +17,9 @@ openstack_auth:
password: "{{ lookup('env', 'OS_PASSWORD') }}"
auth_url: "{{ lookup('env', 'OS_AUTH_URL') }}"
# Overcloud CA certificate path.
openstack_cacert: "{{ lookup('env', 'OS_CACERT') }}"
# Overcloud authentication environment variables. These should be compatible
# with the openstack client.
# By default we pull these from the environment of the shell executing Ansible.
@ -29,6 +32,7 @@ openstack_auth_env:
OS_AUTH_URL: "{{ lookup('env', 'OS_AUTH_URL') }}"
OS_INTERFACE: "{{ lookup('env', 'OS_INTERFACE') }}"
OS_IDENTITY_API_VERSION: "{{ lookup('env', 'OS_IDENTITY_API_VERSION') }}"
OS_CACERT: "{{ lookup('env', 'OS_CACERT') }}"
# List of parameters required in openstack_auth when openstack_auth_type is
# password.
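Review bot: The comment `# Overcloud CA certificate path.` above `openstack_cacert` does not say where the value comes from or what an unset OS_CACERT produces. `lookup('env', 'OS_CACERT')` is evaluated on the Ansible control host and yields an empty string when the variable is unset, while the os_* modules may run on a different host, so the path presumably has to exist there as well. I would extend the comment to something like `# Overcloud CA certificate path, taken from OS_CACERT on the Ansible control host; empty when unset.` and add a line stating that the file must be readable on the host that executes the modules. In the second hunk `OS_CACERT` is exported as an empty string when unset, which matches the existing entries but deserves the same remark.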


@ -127,3 +127,4 @@
ironic_inspector_venv: "{{ virtualenv_path }}/shade"
ironic_inspector_auth_type: "{{ openstack_auth_type }}"
ironic_inspector_auth: "{{ openstack_auth }}"
ironic_inspector_cacert: "{{ openstack_cacert }}"


@ -59,6 +59,7 @@
ironic_inspector_venv: "{{ venv }}"
ironic_inspector_auth_type: "{{ openstack_auth_type }}"
ironic_inspector_auth: "{{ openstack_auth }}"
ironic_inspector_cacert: "{{ openstack_cacert }}"
ironic_inspector_rules: "{{ inspector_rules }}"
# These variables may be referenced in the introspection rules.
inspector_rule_var_ipmi_username: "{{ inspector_ipmi_username }}"


@ -104,4 +104,5 @@
ipa_images_openstack_auth_type: "{{ openstack_auth_type }}"
ipa_images_openstack_auth: "{{ openstack_auth }}"
ipa_images_openstack_auth_env: "{{ openstack_auth_env }}"
ipa_images_openstack_cacert: "{{ openstack_cacert }}"
ipa_images_cache_path: "{{ image_cache_path }}/{{ ipa_image_name }}"


@ -62,5 +62,6 @@
os_networks_venv: "{{ virtualenv_path }}/shade"
os_networks_auth_type: "{{ openstack_auth_type }}"
os_networks_auth: "{{ openstack_auth }}"
os_networks_cacert: "{{ openstack_cacert | default(omit, true) }}"
# Network configuration.
os_networks: "{{ network_registrations + ([] if cleaning_net_name == provision_wl_net_name else [cleaning_net]) }}"
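Review bot: `os_networks_cacert` applies `| default(omit, true)` where the role variable is set, while the other role variables in this commit (`ironic_inspector_cacert`, `ipa_images_openstack_cacert`, `os_ironic_state_cacert`) are passed as plain `"{{ openstack_cacert }}"` and leave the omit to the role's own tasks. The omit placeholder only works if it reaches a module argument unchanged, and the role that consumes `os_networks_cacert` is not visible on this page, so this line relies on behaviour that cannot be checked here. I would settle on one convention across the playbooks and add a short comment such as `# Empty OS_CACERT is omitted so the module falls back to its default CA handling.` where it deviates.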


@ -14,6 +14,9 @@ ipa_images_openstack_auth: {}
# openstack client.
ipa_images_openstack_auth_env: {}
# CA certificate path.
ipa_images_openstack_caert:
# Path to directory in which to store downloaded images.
ipa_images_cache_path:
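Review bot: The new default is spelled `ipa_images_openstack_caert:`, but every task in this commit reads `ipa_images_openstack_cacert`, so the role never declares the variable it actually uses. The tasks still run because `| default(omit, true)` also covers an undefined name, which hides the typo. Anyone who copies the name from this defaults file would set a variable that no task reads, and the CA path would be dropped without an error. The line should read `ipa_images_openstack_cacert:`.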


@ -68,6 +68,7 @@
os_image_facts:
auth_type: "{{ ipa_images_openstack_auth_type }}"
auth: "{{ ipa_images_openstack_auth }}"
cacert: "{{ ipa_images_openstack_cacert | default(omit, true) }}"
image: "{{ ipa_images_kernel_name }}"
- name: Set a fact containing the Ironic Python Agent (IPA) kernel image
@ -78,6 +79,7 @@
os_image_facts:
auth_type: "{{ ipa_images_openstack_auth_type }}"
auth: "{{ ipa_images_openstack_auth }}"
cacert: "{{ ipa_images_openstack_cacert | default(omit, true) }}"
image: "{{ ipa_images_ramdisk_name }}"
- name: Set a fact containing the Ironic Python Agent (IPA) ramdisk image
@ -109,6 +111,7 @@
os_image:
auth_type: "{{ ipa_images_openstack_auth_type }}"
auth: "{{ ipa_images_openstack_auth }}"
cacert: "{{ ipa_images_openstack_cacert | default(omit, true) }}"
name: "{{ item.name }}"
container_format: "{{ item.format }}"
disk_format: "{{ item.format }}"


@ -4,6 +4,7 @@
os_image_facts:
auth_type: "{{ ipa_images_openstack_auth_type }}"
auth: "{{ ipa_images_openstack_auth }}"
cacert: "{{ ipa_images_openstack_cacert | default(omit, true) }}"
image: "{{ item.name }}"
with_items:
- name: "{{ ipa_images_kernel_name }}"


@ -24,6 +24,8 @@ the `auth_type` argument of `os_*` Ansible modules.
`ironic_inspector_auth` is a dict containing authentication information
compatible with the `auth` argument of `os_*` Ansible modules.
`ironic_inspector_cacert` is an optional path to a CA certificate.
`ironic_inspector_url` is the URL of Ironic Inspector API endpoint,
required if no authentication is used.


@ -8,6 +8,9 @@ ironic_inspector_auth_type:
# Authentication information.
ironic_inspector_auth: {}
# CA certificate path.
ironic_inspector_cacert:
# URL of Ironic Inspector API endpoint.
ironic_inspector_url:


@ -18,6 +18,7 @@
os_ironic_inspector_rule:
auth_type: "{{ ironic_inspector_auth_type }}"
auth: "{{ ironic_inspector_auth }}"
cacert: "{{ ironic_inspector_cacert | default(omit, true) }}"
conditions: "{{ item.conditions }}"
actions: "{{ item.actions }}"
description: "{{ item.description | default(omit) }}"


@ -0,0 +1,8 @@
---
features:
- |
Adds support for specifying a CA certificate when accessing APIs. The path
to the CA certificate may be specified via ``openstack_cacert`` , which
takes its default value from the ``OS_CACERT`` environment variable. See
`story 2004911 <https://storyboard.openstack.org/#!/story/2004911>`__ for
details.