Merge pull request #750 from stackhpc/upstream/master-2025-07-17

Synchronise master with upstream

Author: bbezak

ansible/roles/aodh/defaults/main.yml

@@ -249,3 +249,11 @@ aodh_ks_users:
     user: "{{ aodh_keystone_user }}"
     password: "{{ aodh_keystone_password }}"
     role: "admin"
+
+# Database
+aodh_database_enable_tls_internal: "{{ database_enable_tls_internal | bool }}"
+
+###################
+# Copy certificates
+###################
+aodh_copy_certs: "{{ kolla_copy_ca_into_containers | bool or aodh_database_enable_tls_internal | bool }}"

ansible/roles/aodh/tasks/bootstrap.yml

@@ -5,6 +5,7 @@
     container_engine: "{{ kolla_container_engine }}"
     module_name: mysql_db
     module_args:
+      ca_cert: "{{ openstack_cacert if database_enable_tls_internal | bool else omit }}"
       login_host: "{{ database_address }}"
       login_port: "{{ database_port }}"
       login_user: "{{ aodh_database_shard_root_user }}"
@@ -21,6 +22,7 @@
     container_engine: "{{ kolla_container_engine }}"
     module_name: mysql_user
     module_args:
+      ca_cert: "{{ openstack_cacert if database_enable_tls_internal | bool else omit }}"
       login_host: "{{ database_address }}"
       login_port: "{{ database_port }}"
       login_user: "{{ aodh_database_shard_root_user }}"

ansible/roles/aodh/tasks/config.yml

@@ -40,7 +40,7 @@
 
 - include_tasks: copy-certs.yml
   when:
-    - kolla_copy_ca_into_containers | bool
+    - aodh_copy_certs | bool
 
 - name: Copying over config.json files for services
   template:

ansible/roles/aodh/templates/aodh.conf.j2

@@ -11,7 +11,7 @@ port = {{ aodh_api_listen_port }}
 host = {{ api_interface_address }}
 
 [database]
-connection = mysql+pymysql://{{ aodh_database_user }}:{{ aodh_database_password }}@{{ aodh_database_address }}/{{ aodh_database_name }}
+connection = mysql+pymysql://{{ aodh_database_user }}:{{ aodh_database_password }}@{{ aodh_database_address }}/{{ aodh_database_name }}{{ '?ssl_ca=' ~ openstack_cacert if aodh_database_enable_tls_internal | bool }}
 connection_recycle_time = {{ database_connection_recycle_time }}
 max_pool_size = {{ database_max_pool_size }}
 

ansible/roles/barbican/defaults/main.yml

@@ -224,4 +224,10 @@ barbican_enabled_notification_topics: "{{ barbican_notification_topics | selecta
 ####################
 barbican_enable_tls_backend: "{{ kolla_enable_tls_backend }}"
 
-barbican_copy_certs: "{{ kolla_copy_ca_into_containers | bool or barbican_enable_tls_backend | bool }}"
+# Database
+barbican_database_enable_tls_internal: "{{ database_enable_tls_internal | bool }}"
+
+###################
+# Copy certificates
+###################
+barbican_copy_certs: "{{ kolla_copy_ca_into_containers | bool or barbican_enable_tls_backend | bool or barbican_database_enable_tls_internal | bool }}"

ansible/roles/barbican/tasks/bootstrap.yml

@@ -5,6 +5,7 @@
     container_engine: "{{ kolla_container_engine }}"
     module_name: mysql_db
     module_args:
+      ca_cert: "{{ openstack_cacert if database_enable_tls_internal | bool else omit }}"
       login_host: "{{ database_address }}"
       login_port: "{{ database_port }}"
       login_user: "{{ barbican_database_shard_root_user }}"
@@ -21,6 +22,7 @@
     container_engine: "{{ kolla_container_engine }}"
     module_name: mysql_user
     module_args:
+      ca_cert: "{{ openstack_cacert if database_enable_tls_internal | bool else omit }}"
       login_host: "{{ database_address }}"
       login_port: "{{ database_port }}"
       login_user: "{{ barbican_database_shard_root_user }}"

ansible/roles/barbican/tasks/config.yml

@@ -44,7 +44,7 @@
 
 - include_tasks: copy-certs.yml
   when:
-    - barbican_copy_certs
+    - barbican_copy_certs | bool
 
 - name: Copying over config.json files for services
   template:

ansible/roles/barbican/templates/barbican-api.json.j2

@@ -37,7 +37,7 @@
             "dest": "/etc/barbican/{{ barbican_policy_file }}",
             "owner": "barbican",
             "perm": "0600"
-        }{% endif %}{% if barbican_copy_certs | bool %},
+        }{% endif %}{% if kolla_copy_ca_into_containers | bool %},
         {
             "source": "{{ container_config_directory }}/ca-certificates",
             "dest": "/var/lib/kolla/share/ca-certificates",

ansible/roles/barbican/templates/barbican-keystone-listener.json.j2

@@ -12,7 +12,7 @@
             "dest": "/etc/barbican/{{ barbican_policy_file }}",
             "owner": "barbican",
             "perm": "0600"
-        }{% endif %}{% if barbican_copy_certs | bool %},
+        }{% endif %}{% if kolla_copy_ca_into_containers | bool %},
         {
             "source": "{{ container_config_directory }}/ca-certificates",
             "dest": "/var/lib/kolla/share/ca-certificates",

ansible/roles/barbican/templates/barbican-worker.json.j2

@@ -13,7 +13,7 @@
             "owner": "barbican",
             "perm": "0600"
         }{% endif %}
-        {% if barbican_copy_certs | bool %},
+        {% if kolla_copy_ca_into_containers | bool %},
         {
             "source": "{{ container_config_directory }}/ca-certificates",
             "dest": "/var/lib/kolla/share/ca-certificates",