openstack-ansible

openstack_host_ca_certificates in group_vars doesn't work

Bug #1993575 reported by Adrien Cunin
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
openstack-ansible
New
Undecided
Unassigned

Bug Description

We realized that defining the openstack_host_ca_certificates variable (to deploy custom CA certificates) in group_vars (instead of just user_variables.yml) does not work.

Our use case, as an example, is to deploy a custom CA certificate that is only used by our LDAP server (for secure LDAP connection) - therefore it makes sense to deploy it only into Keystone containers.

We believe we had that working in the past, and think it stopped working since Wallaby, maybe with the introduction of ansible-role-pki.

https://opendev.org/openstack/ansible-role-pki/src/branch/master/tasks/standalone/install_ca.yml#L21
The run_once there seems to explain the problem. In our case, we saw Ansible decided to run the task only on a Cinder container - because of that, our Keystone group_vars is ignored, and our custom CA certificate is not deployed anywhere.

Revision history for this message
Dmitriy Rabotyagov (noonedeadpunk) wrote :

Hey Adrien,

I believe you're right about the root cause of the issue. However, I believe we already do have a workaround in place.

All PKI role stanzas does contain `condition` field. So while you indeed need to use user_variables or group_vars/all, you still can limit deployment of CA to specific hosts, for example:

pki_install_ca_keystone_only:
  - src: /opt/my-ca/MyRoot.crt
    filename: /etc/ssl/certs/MyRoot.crt
    condition: "{{ inventory_hostname in groups['keystone_all'] }}"

Please, let us know if this solution works for you.

PS: worth to mention that you can use any name after pki_search_install_ca_pattern, which is pki_install_ca_.*. So pki_install_ca_keystone_only is real variable you can use.

Revision history for this message
Adrien Cunin (adri2000) wrote :

Hello Dmitriy,

I cannot really try on my real environment, because there we "solved" the issue by running the containers-lxc-create.yml playbook limited to Keystone containers, and that works. Our custom CA certificates are therefore correctly deployed already.

So instead I tried in a test AIO environment, first using Xena, then master. In Xena I think the variable name (pki_install_ca_) may need to be different. But no matter what, I haven't been able to make it work, either in Xena or master - tried running the certificate-*.yml playbooks as well as containers-lxc-create.yml.

What am I missing? Happy to try again if you see what I'm doing wrong.

Revision history for this message
Damian Dąbrowski (damiandabrowski) wrote :

Hey Adrien,

There are basically 2 ways of achieving your goal.

You will be able to understand them by looking here: https://opendev.org/openstack/ansible-role-pki/src/commit/9108a8953f9d216d4e65d86e794a33805d08c966/vars/main.yml#L26

1. Combination of openstack_host_ca_certificates + `condition` in user_variables.yml. Example:

openstack_host_ca_certificates:
  - src: /etc/openstack_deploy/pki/roots/custom-ca.crt
    name: custom-ca
    condition: "{{ inventory_hostname in groups['keystone_all'] }}"

2. (Available since Yoga) Using `pki_search_install_ca_pattern` to parse all ansible variables and find suitable ones. It's similar to the above method but allows you to spread CA certificate list over multiple variables. Example:

pki_install_ca_keystone:
  - src: /etc/openstack_deploy/pki/roots/custom-ca.crt
    name: custom-ca
    condition: "{{ inventory_hostname in groups['keystone_all'] }}"

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.