
Merge pull request #7634 from dcritch/openstack-ssl-cert

Adding support for an SSL certificate signed by the OpenStack cluster
OpenShift Merge Robot 6 years ago
parent
commit
4effbd40b2

+ 5 - 23
playbooks/openstack/configuration.md

@@ -131,34 +131,16 @@ configuration file locally and specify it in `inventory/group_vars/OSEv3.yml`:
 ## OpenStack With SSL Configuration
 
 In order to configure your OpenShift cluster to work properly with OpenStack with
-SSL-endpoints, you must do the following:
-
-### 1. Specify a custom OpenStack cloud provider configuration file
-
-Follow the instructions in [OpenStack Cloud Provider Configuration](#openstack-cloud-provider-configuration)
-and create a custom OpenStack cloud provider configuration file. In the Global
-section, add:
-
-```
-[Global]
-.
-.
-ca-file = /path/to/ca-bundle.crt
-.
-.
-```
-
-Make sure you set `openshift_cloudprovider_openstack_conf_file` in 
-`inventory/group_vars/OSEv3.yml`.
-
-### 2. Add Parameters to OSEv3.yml
-
-Add the following to `inventory/group_vars/OSEv3.yml`:
+SSL-endpoints, add the following to `inventory/group_vars/OSEv3.yml`:
 
 ```
 openshift_certificates_redeploy: true
 openshift_additional_ca: /path/to/ca.crt.pem
 kuryr_openstack_ca: /path/to/ca.crt.pem (optional)
+openshift_cloudprovider_openstack_ca_file: |
+  -----BEGIN CERTIFICATE-----
+  CONTENTS OF OPENSTACK SSL CERTIFICATE
+  -----END CERTIFICATE-----
 ```
 
 ## Stack Name Configuration

+ 1 - 0
roles/openshift_cloud_provider/defaults/main.yml

@@ -3,3 +3,4 @@ openshift_gcp_project: ''
 openshift_gcp_prefix: ''
 openshift_gcp_network_name: "{{ openshift_gcp_prefix }}network"
 openshift_gcp_multizone: False
+openshift_openstack_ca_file_path: '/etc/origin/cloudprovider/openstack.crt'
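Review bot: The new default `openshift_openstack_ca_file_path` hard-codes `/etc/origin`, while the template task in `tasks/openstack.yml` builds its destination from `{{ openshift.common.config_base }}`. If that base is ever set to something else, the certificate and the `openstack.conf` that references it would land in different trees. Deriving the default the same way, e.g. `"{{ openshift.common.config_base }}/cloudprovider/openstack.crt"`, would keep them together, assuming the fact is available wherever this default is evaluated. The name also drops the `cloudprovider` segment used by the other `openshift_cloudprovider_openstack_*` variables. A one-line comment such as `# Node path where the CA from openshift_cloudprovider_openstack_ca_file is written` would make the link between the two variables explicit.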

+ 6 - 0
roles/openshift_cloud_provider/tasks/openstack.yml

@@ -1,4 +1,10 @@
 ---
+- name: Copy cloud CA certificate
+  copy:
+    content: "{{ openshift_cloudprovider_openstack_ca_file }}"
+    dest: "{{ openshift_openstack_ca_file_path }}"
+  when: openshift_cloudprovider_openstack_ca_file is defined
+
 - name: Create cloud config from template
   template:
     dest: "{{ openshift.common.config_base }}/cloudprovider/openstack.conf"
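Review bot: The added `Copy cloud CA certificate` task writes a trust anchor without pinning ownership or permissions, so the file mode follows the remote umask. Adding `owner: root`, `group: root` and `mode: '0644'` to the `copy` makes it explicit that only root can replace the CA the cloud provider trusts. The `when:` guard tests only `is defined`, so an empty value would still write an empty file, and the matching `{% if %}` in `openstack.conf.j2` would emit a `ca-file` line pointing at it. A guard like `when: openshift_cloudprovider_openstack_ca_file | default('') | length > 0`, mirrored in the template, avoids that. The task now runs first in the file, so it presumably relies on the `cloudprovider` directory already existing; worth confirming, since the rest of the file lies outside this hunk.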

+ 4 - 1
roles/openshift_cloud_provider/templates/openstack.conf.j2

@@ -15,6 +15,9 @@ tenant-name = {{ openshift_cloudprovider_openstack_tenant_name }}
 {% if openshift_cloudprovider_openstack_region is defined %}
 region = {{ openshift_cloudprovider_openstack_region }}
 {% endif %}
+{% if openshift_cloudprovider_openstack_ca_file is defined %}
+ca-file = {{ openshift_openstack_ca_file_path }}
+{% endif %}
 {% if openshift_cloudprovider_openstack_lb_subnet_id is defined %}
 [LoadBalancer]
 subnet-id = {{ openshift_cloudprovider_openstack_lb_subnet_id }}
@@ -22,4 +25,4 @@ subnet-id = {{ openshift_cloudprovider_openstack_lb_subnet_id }}
 {% if openshift_cloudprovider_openstack_blockstorage_version is defined %}
 [BlockStorage]
 bs-version={{ openshift_cloudprovider_openstack_blockstorage_version }}
-{% endif %}
+{% endif %}