diff --git a/playbooks/install_os.yml b/playbooks/install_os.yml
index c03d4f7f5..47602a7a0 100644
--- a/playbooks/install_os.yml
+++ b/playbooks/install_os.yml
@@ -30,7 +30,7 @@
       delegate_to: localhost
     - name: Install and configure time service using timesync system role
       ansible.builtin.include_role:
-        name: "{{timesyncfqcn}}"
+        name: "{{ timesyncfqcn }}"
       tags:
         - dataplane_chrony
     - name: Install edpm_chrony
diff --git a/roles/edpm_nova/defaults/main.yml b/roles/edpm_nova/defaults/main.yml
index 3eaf5e2ad..4b226a379 100644
--- a/roles/edpm_nova/defaults/main.yml
+++ b/roles/edpm_nova/defaults/main.yml
@@ -28,3 +28,9 @@ edpm_nova_image_download_retries: 5
 edpm_nova_config_src: /var/lib/openstack/configs
 edpm_nova_config_dest: /var/lib/openstack/config/nova
 edpm_nova_compute_image: "quay.io/podified-antelope-centos9/openstack-nova-compute:current-podified"
+
+# certs
+edpm_nova_certs_src: /var/lib/openstack/certs
+edpm_nova_certs_dest: /var/lib/openstack/certs/nova
+edpm_nova_cacerts_src: /var/lib/openstack/cacerts
+edpm_nova_cacerts_dest: /var/lib/openstack/cacerts/nova
diff --git a/roles/edpm_nova/meta/argument_specs.yml b/roles/edpm_nova/meta/argument_specs.yml
index d038ff1c4..c69bda223 100644
--- a/roles/edpm_nova/meta/argument_specs.yml
+++ b/roles/edpm_nova/meta/argument_specs.yml
@@ -25,6 +25,32 @@ argument_specs: description: | The path to the directory where the nova config files will be rendered on the compute node. + edpm_nova_certs_src: + type: str + default: /var/lib/openstack/certs + description: | + The path to the directory containing the nova cert and key files + in the ansibleEE container. This is the directory + where all TLS certs and keys for the nova service are mounted. + edpm_nova_certs_dest: + type: str + default: /var/lib/openstack/certs/nova + description: | + The path to the directory where the nova cert and key files + will be rendered on the compute node. + edpm_nova_cacerts_src: + type: str + default: /var/lib/openstack/cacerts + description: | + The path to the directory containing the cacert files + in the ansibleEE container. This is the directory + where all cacert PEM files for the nova service are mounted. + edpm_nova_cacerts_dest: + type: str + default: /var/lib/openstack/cacerts/nova + description: | + The path to the directory where the cacert PEM files + for the nova service will be rendered on the compute node. edpm_nova_compute_image: type: str default: "quay.io/podified-antelope-centos9/openstack-nova-compute:current-podified" diff --git a/roles/edpm_nova/tasks/configure.yml b/roles/edpm_nova/tasks/configure.yml index 72e4aee4b..100f4397f 100644 --- a/roles/edpm_nova/tasks/configure.yml +++ b/roles/edpm_nova/tasks/configure.yml @@ -15,6 +15,7 @@ loop: - {"path": "{{ edpm_nova_config_dest }}", "mode": "0755"} - {"path": "/var/lib/openstack/config/containers", "mode": "0755"} + - {"path": "{{ edpm_nova_cacerts_dest }}", "mode": "0755"} - name: Create persistent directories tags: - configure 
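Review bot: The four new descriptions document the directories but not the file names the role expects inside them, which is the contract a caller actually has to satisfy: from the copy task added to tasks/configure.yml in this same change, `edpm_nova_certs_src` must contain `<inventory_hostname>-tls.crt` and `<inventory_hostname>-tls.key`, and `edpm_nova_cacerts_src` must contain `TLSCABundleFile`. Suggest adding one sentence to each `*_src` description naming those files. The `*_dest` descriptions should also say that the container template in this change mounts the host paths by their literal default values, so overriding `edpm_nova_certs_dest` or `edpm_nova_cacerts_dest` changes where the files are written but not where the container reads them.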
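Review bot: The added loop entry creates `edpm_nova_cacerts_dest` but nothing in this hunk creates `edpm_nova_certs_dest`, and the TLS copy task added later in this file writes `tls.crt` and `tls.key` into that directory; `ansible.builtin.copy` does not create missing parent directories, so unless that path is created somewhere not visible here the copy fails as soon as `tls_certs_enabled` is set. Suggest a second entry next to the new one, `- {"path": "{{ edpm_nova_certs_dest }}", "mode": "0700"}`; since that directory will hold the private key, a tighter mode than the `0755` used for the CA bundle directory is appropriate (check that the owner the enclosing task sets, if any, matches the `nova` owner the copy task applies to the files). The enclosing task starts before this hunk.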
@@ -118,3 +119,24 @@
     mode: '0600'
     owner: nova
     group: nova
+
+- name: Get fact for tls_certs_enabled
+  ansible.builtin.set_fact:
+    tls_certs_enabled: "{{ lookup('env', 'tls_certs_enabled') | default(false, true) }}"
+
+- name: Copy TLS files to the compute node
+  tags:
+    - configure
+    - nova
+  become: true
+  loop:
+    - {"src": "{{ edpm_nova_certs_src }}/{{ inventory_hostname }}-tls.crt", "dest": "{{ edpm_nova_certs_dest }}/tls.crt"}
+    - {"src": "{{ edpm_nova_certs_src }}/{{ inventory_hostname }}-tls.key", "dest": "{{ edpm_nova_certs_dest }}/tls.key"}
+    - {"src": "{{ edpm_nova_cacerts_src }}/TLSCABundleFile", "dest": "{{ edpm_nova_cacerts_dest }}/TLSCABundleFile"}
+  ansible.builtin.copy:
+    src: "{{ item.src }}"
+    dest: "{{ item.dest }}"
+    mode: '0600'
+    owner: nova
+    group: nova
+  when: tls_certs_enabled|bool
diff --git a/roles/edpm_nova/templates/nova_compute.json.j2 b/roles/edpm_nova/templates/nova_compute.json.j2
index 0287884af..0a1bb5ed0 100644
--- a/roles/edpm_nova/templates/nova_compute.json.j2
+++ b/roles/edpm_nova/templates/nova_compute.json.j2
@@ -10,6 +10,9 @@
     },
     "volumes": [
         "/var/lib/openstack/config/nova:/var/lib/kolla/config_files:ro",
+        "/var/lib/openstack/certs/nova/tls.crt:/etc/pki/nova/server-cert.pem:ro",
+        "/var/lib/openstack/certs/nova/tls.key:/etc/pki/nova/private/server-key.pem:ro",
+        "/var/lib/openstack/cacerts/nova/TLSCABundleFile:/etc/pki/CA/cacert.pem:ro",
         "/etc/localtime:/etc/localtime:ro",
         "/lib/modules:/lib/modules:ro",
         "/dev:/dev",
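Review bot: The `Get fact for tls_certs_enabled` task carries no tags while the `Copy TLS files to the compute node` task it gates is tagged `configure` and `nova`; a run limited with `--tags configure` (or `nova`) skips the set_fact, and `when: tls_certs_enabled|bool` then fails on an undefined variable. Give the set_fact task the same `tags:` list (`- configure`, `- nova`), or evaluate the lookup directly in the `when`. Worth a one-line comment above the set_fact as well: `# lookup('env') runs on the controller, so tls_certs_enabled must be exported where ansible-playbook is invoked, not on the compute node`. Since one of the copied items is the private key, consider `diff: false` on the copy task so a `--diff` run does not print key material into the log.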
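Review bot: The three new volume entries are unconditional and use literal host paths, while the copy task added in tasks/configure.yml only writes those files when `tls_certs_enabled` is true and writes them under the configurable `edpm_nova_certs_dest` and `edpm_nova_cacerts_dest`. With TLS disabled the container is started with bind-mount sources that do not exist on the host (depending on the container runtime that is a start failure or a directory silently created in place of the file), and overriding either dest variable moves the files away from the paths mounted here. Suggest templating the host side from the variables and wrapping the three entries in the same condition, assuming this template is rendered after that set_fact in the same play; the trailing commas remain valid JSON because the `/etc/localtime` entry follows.
```jinja
        "/var/lib/openstack/config/nova:/var/lib/kolla/config_files:ro",
{% if tls_certs_enabled | bool %}
        "{{ edpm_nova_certs_dest }}/tls.crt:/etc/pki/nova/server-cert.pem:ro",
        "{{ edpm_nova_certs_dest }}/tls.key:/etc/pki/nova/private/server-key.pem:ro",
        "{{ edpm_nova_cacerts_dest }}/TLSCABundleFile:/etc/pki/CA/cacert.pem:ro",
{% endif %}
        "/etc/localtime:/etc/localtime:ro",
```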