From cd9ec7be366234e422dff1813561c141398c040f Mon Sep 17 00:00:00 2001 From: Mark Goddard Date: Mon, 15 Apr 2024 16:06:15 +0100 Subject: [PATCH] Update .automation submodule for Tempest CA cert support --- .automation | 2 +- doc/source/configuration/vault.rst | 2 ++ doc/source/operations/tempest.rst | 19 +++++++++++++++++++ .../tempest-cacert-33e2ae1cf0ba88cf.yaml | 4 ++++ 4 files changed, 26 insertions(+), 1 deletion(-) create mode 100644 releasenotes/notes/tempest-cacert-33e2ae1cf0ba88cf.yaml diff --git a/.automation b/.automation index b00f285be..98e92aae8 160000 --- a/.automation +++ b/.automation @@ -1 +1 @@ -Subproject commit b00f285be240e34c643c4bd93a877e56587f71fa +Subproject commit 98e92aae8460db84cd4bf9813e4ef1ba02c5e034 diff --git a/doc/source/configuration/vault.rst b/doc/source/configuration/vault.rst index 87bdf8151..8c177570a 100644 --- a/doc/source/configuration/vault.rst +++ b/doc/source/configuration/vault.rst @@ -220,6 +220,8 @@ Enable the required TLS variables in kayobe and kolla # Whether TLS is enabled for the external API endpoints. Default is 'no'. kolla_enable_tls_external: yes + See :ref:`tempest-cacert` for information on adding CA certificates to the trust store when running Tempest. + 2. Set the following in kayobe-config/etc/kayobe/kolla.yml or if environments are being used etc/kayobe/environments/$KAYOBE_ENVIRONMENT/kolla.yml .. code-block:: diff --git a/doc/source/operations/tempest.rst b/doc/source/operations/tempest.rst index c747b5377..e110e208f 100644 --- a/doc/source/operations/tempest.rst +++ b/doc/source/operations/tempest.rst 
@@ -251,6 +251,25 @@ ever contain one host. The seed is usually used as the tempest runner however it is also common to use the Ansible control host or an infrastructure VM. The main requirement of the host is that it can reach the OpenStack API. +.. _tempest-cacert: + +Tempest CA certificate +---------------------- + +If your public OpenStack API uses TLS with a Certificate Authority (CA) that is +not trusted by the Python CA trust store, it may be necessary to add a CA +certificate to the trust store in the container that runs Tempest. This can be +done by defining a ``tempest_cacert`` Ansible variable to a path containing the +CA certificate. You may wish to use ``kayobe_config_path`` or +``kayobe_env_config_path`` to be agnostic to the path where kayobe-config is +mounted within the container. For example: + +.. code-block:: yaml + :caption: ``etc/kayobe/tempest.yml`` + + # Add the Vault CA certificate to the rally container when running tempest. + tempest_cacert: "{{ kayobe_env_config_path }}/kolla/certificates/ca/vault.crt" + Running Tempest =============== diff --git a/releasenotes/notes/tempest-cacert-33e2ae1cf0ba88cf.yaml b/releasenotes/notes/tempest-cacert-33e2ae1cf0ba88cf.yaml new file mode 100644 index 000000000..83ddb8102 --- /dev/null +++ b/releasenotes/notes/tempest-cacert-33e2ae1cf0ba88cf.yaml @@ -0,0 +1,4 @@ +--- +features: + - | + Supports adding CA certificates to the Tempest container trust store.
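Review bot: The `.automation` submodule bump from b00f285be to 98e92aae8 carries the whole functional change, but neither the commit message nor the diff says which upstream commits fall in that range. Please reference the upstream change (commit or pull request) that adds the Tempest CA cert support in the commit message, so a reviewer can confirm the new pointer brings in only what the subject line describes.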
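Review bot: In doc/source/configuration/vault.rst, the added "See :ref:`tempest-cacert` ..." sentence comes straight after the `kolla_enable_tls_external: yes` line of the code block in step 1. Please check it is indented at the list-item level, not the code-block level. If it sits at the code-block level it will render as part of the literal block and the cross-reference will not resolve.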
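Review bot: In the new "Tempest CA certificate" section of doc/source/operations/tempest.rst, the prose says "the container that runs Tempest" while the example comment says "the rally container". Use one term, or state once that Tempest runs inside the rally container. "Defining a ``tempest_cacert`` Ansible variable to a path containing the CA certificate" reads as if a directory were expected; suggest "setting ``tempest_cacert`` to the path of the CA certificate file". The text offers both ``kayobe_config_path`` and ``kayobe_env_config_path`` without saying when each applies, and the example shows only the latter, so a sentence covering deployments that do not use environments would help.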
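Review bot: The release note in releasenotes/notes/tempest-cacert-33e2ae1cf0ba88cf.yaml does not name the setting an operator has to use. Suggest mentioning the ``tempest_cacert`` variable and pointing to the Tempest documentation section. The note also says "CA certificates" (plural) while the documented variable takes a single path, so it is worth making the wording match what is supported.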