From 081222753cdda21a811fc7f6bea336d99eb13dc9 Mon Sep 17 00:00:00 2001
From: Mark Goddard <mark@stackhpc.com>
Date: Thu, 18 Jun 2020 09:10:07 +0100
Subject: [PATCH] CI: Add a CentOS 8 overcloud job with TLS enabled

Change-Id: I5fc49fb734d0fe94f5f75c66eb4c1a935774ef30
---
 dev/functions                                   |  9 +++++++++
 playbooks/kayobe-overcloud-base/globals.yml.j2  | 17 +++++++++++++++++
 .../kayobe-overcloud-base/overrides.yml.j2      | 11 +++++++++++
 playbooks/kayobe-overcloud-base/pre.yml         |  6 ++++++
 playbooks/kayobe-overcloud-base/run.yml         |  1 +
 zuul.d/jobs.yaml                                | 12 ++++++++++++
 zuul.d/project.yaml                             |  2 ++
 7 files changed, 58 insertions(+)
 create mode 100644 playbooks/kayobe-overcloud-base/globals.yml.j2

diff --git a/dev/functions b/dev/functions
index c8165901..bc23a902 100644
--- a/dev/functions
+++ b/dev/functions
@@ -40,6 +40,10 @@ function config_defaults {
     # Whether to deploy seed services.
     export KAYOBE_SEED_SERVICE_DEPLOY=${KAYOBE_SEED_SERVICE_DEPLOY:-1}
 
+    # Whether to use the 'kolla-ansible certificates' command to generate X.509
+    # certificates.
+    export KAYOBE_OVERCLOUD_GENERATE_CERTIFICATES=${KAYOBE_OVERCLOUD_GENERATE_CERTIFICATES:-0}
+
     # Whether to build container images for the overcloud services. If 0, they
     # will be pulled if $KAYOBE_OVERCLOUD_CONTAINER_IMAGE_PULL is 1.
     export KAYOBE_OVERCLOUD_CONTAINER_IMAGE_BUILD=${KAYOBE_OVERCLOUD_CONTAINER_IMAGE_BUILD:-0}
@@ -346,6 +350,11 @@ function overcloud_deploy {
     echo "Workaround: upgrading the controller host"
     run_kayobe overcloud host upgrade
 
+    if [[ ${KAYOBE_OVERCLOUD_GENERATE_CERTIFICATES} = 1 ]]; then
+        echo "Generate TLS certificates"
+        run_kayobe kolla ansible run certificates --kolla-extra kolla_certificates_dir=${KAYOBE_CONFIG_PATH}/kolla/certificates
+    fi
+
     # Note: This must currently be before host configure, because host
     # configure runs kolla-ansible.yml, which validates the presence of the
     # built deploy images.
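Review bot: The `--kolla-extra` value on the new run_kayobe line is unquoted, so a KAYOBE_CONFIG_PATH containing whitespace would be word-split before kolla-ansible sees it; `run_kayobe kolla ansible run certificates --kolla-extra "kolla_certificates_dir=${KAYOBE_CONFIG_PATH}/kolla/certificates"`. The comment added in the first hunk of dev/functions says only that the command generates X.509 certificates; a second line noting that these are development-only certificates from a locally generated CA (which is what this command is presumably used for here) would tell a reader of dev/functions not to reuse the switch outside a test environment, e.g. `# Intended for development/CI only: the resulting certificates are not issued by a trusted CA.` The body of overcloud_deploy starts before and continues after this hunk.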
diff --git a/playbooks/kayobe-overcloud-base/globals.yml.j2 b/playbooks/kayobe-overcloud-base/globals.yml.j2
new file mode 100644
index 00000000..e0903653
--- /dev/null
+++ b/playbooks/kayobe-overcloud-base/globals.yml.j2
@@ -0,0 +1,17 @@
+---
+# Most development environments will use nested virtualisation, and we can't
+# guarantee that nested KVM support is available. Use QEMU as a lowest common
+# denominator.
+nova_compute_virt_type: qemu
+
+# Reduce the control plane's memory footprint by limiting the number of worker
+# processes to one per-service.
+openstack_service_workers: "1"
+
+{% if tls_enabled %}
+# TLS
+kolla_copy_ca_into_containers: "yes"
+kolla_enable_tls_backend: "yes"
+openstack_cacert: "/etc/pki/tls/certs/ca-bundle.crt"
+kolla_admin_openrc_cacert: "{% raw %}{{ '{{' }} kolla_certificates_dir }}{% endraw %}/ca/root.crt"
+{% endif %}
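Review bot: The `kolla_admin_openrc_cacert` line goes through three template passes and nothing in the file says so: Zuul's template module leaves the `{% raw %}` body untouched, the `{{ '{{' }}` is then (presumably) collapsed to `{{` when kayobe renders its kolla globals.yml, and `kolla_certificates_dir` is finally resolved by kolla-ansible. A comment above it, such as `# Rendered by Zuul, then kayobe, then kolla-ansible; the raw/quote dance keeps the kolla_certificates_dir reference intact until the last pass.`, would stop the next maintainer from "simplifying" it. Separately, `openstack_cacert: "/etc/pki/tls/certs/ca-bundle.crt"` is the CentOS/RHEL system trust bundle path while the template lives under the distro-neutral kayobe-overcloud-base playbook; a one-line note such as `# CentOS/RHEL system CA bundle path; revisit if this job gains other nodesets.` records the assumption.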
diff --git a/playbooks/kayobe-overcloud-base/overrides.yml.j2 b/playbooks/kayobe-overcloud-base/overrides.yml.j2
index c6d9ca05..bea6e2e9 100644
--- a/playbooks/kayobe-overcloud-base/overrides.yml.j2
+++ b/playbooks/kayobe-overcloud-base/overrides.yml.j2
@@ -24,3 +24,14 @@ pip_index_url: "http://{{ zuul_site_mirror_fqdn }}/pypi/simple"
 # are using for SSH to be removed. Use a dummy interface.
 aio_bridge_ports:
   - dummy1
+
+{% if tls_enabled %}
+kolla_enable_tls_external: "yes"
+kolla_enable_tls_internal: "yes"
+
+# FIXME: ipa-images fails to access OS_CACERT from /home/zuul.
+kayobe_ansible_user: zuul
+
+kolla_ironic_pxe_append_params_extra:
+  - ipa-insecure=1
+{% endif %}
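Review bot: `ipa-insecure=1` in kolla_ironic_pxe_append_params_extra is not covered by the FIXME above it, which explains only the kayobe_ansible_user change; that kernel parameter makes the ironic-python-agent ramdisk skip certificate verification when it talks back to the ironic API, so that leg of the deployment is not actually exercised with TLS even in the TLS job. A reader of this overrides file cannot tell whether the setting is deliberate or leftover, so tie it to the workaround and mark it for removal, e.g. `# FIXME: the IPA ramdisk does not trust the generated CA, so certificate verification for its connection to ironic is disabled. Remove once the CA can be supplied to the ramdisk.`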
diff --git a/playbooks/kayobe-overcloud-base/pre.yml b/playbooks/kayobe-overcloud-base/pre.yml
index 99e3d5f2..38ca53d2 100644
--- a/playbooks/kayobe-overcloud-base/pre.yml
+++ b/playbooks/kayobe-overcloud-base/pre.yml
@@ -10,6 +10,12 @@
         src: overrides.yml.j2
         dest: "{{ kayobe_config_src_dir }}/etc/kayobe/zz-overrides.yml"
 
+    - name: Ensure kolla-ansible globals.yml override config file exists
+      template:
+        src: globals.yml.j2
+        dest: "{{ kayobe_config_src_dir }}/etc/kayobe/kolla/globals.yml"
+      when: tls_enabled
+
     # NOTE(mgoddard): The kayobe dev config by default expects a bridge -
     # breth1 - to exist with an IP address of 192.168.33.3.
     - name: Ensure all-in-one network bridge interface exists
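Review bot: The new task is gated with `when: tls_enabled`, yet globals.yml.j2 already wraps its TLS settings in `{% if tls_enabled %}`; one guard is enough, and keeping both hides which one is load-bearing. As written the file is rendered only in the TLS job and replaces whatever already exists at `etc/kayobe/kolla/globals.yml` under kayobe_config_src_dir, so the non-TLS values at the top of the template (virt type, worker count) presumably replicate that file's current contents and will drift from it silently. Either drop the `when:` so every job writes the same override file, or document the coupling on the task: `# NOTE: replaces the kolla globals.yml shipped in the config repo; keep the non-TLS values in globals.yml.j2 in sync with it.`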
diff --git a/playbooks/kayobe-overcloud-base/run.yml b/playbooks/kayobe-overcloud-base/run.yml
index 8e3e18db..8c60006d 100644
--- a/playbooks/kayobe-overcloud-base/run.yml
+++ b/playbooks/kayobe-overcloud-base/run.yml
@@ -2,6 +2,7 @@
 - hosts: primary
   environment:
     KAYOBE_CONFIG_SOURCE_PATH: "{{ kayobe_config_src_dir }}"
+    KAYOBE_OVERCLOUD_GENERATE_CERTIFICATES: "{{ tls_enabled | ternary(1, 0) }}"
   tasks:
     - name: Ensure overcloud is deployed
       shell:
diff --git a/zuul.d/jobs.yaml b/zuul.d/jobs.yaml
index cc290377..194ec9d3 100644
--- a/zuul.d/jobs.yaml
+++ b/zuul.d/jobs.yaml
@@ -77,6 +77,7 @@
       requirements_src_dir: "{{ ansible_env.PWD ~ '/' ~ zuul.projects['opendev.org/openstack/requirements'].src_dir }}"
       tenks_src_dir: "{{ ansible_env.PWD ~ '/' ~ zuul.projects['opendev.org/openstack/tenks'].src_dir }}"
       is_upgrade: "{{ 'upgrade' in zuul.job }}"
+      tls_enabled: false
 
 - job:
     name: kayobe-overcloud-base
@@ -94,6 +95,17 @@
     parent: kayobe-overcloud-base
     nodeset: kayobe-centos8
 
+- job:
+    name: kayobe-overcloud-tls-base
+    parent: kayobe-overcloud-base
+    vars:
+      tls_enabled: true
+
+- job:
+    name: kayobe-overcloud-tls-centos8
+    parent: kayobe-overcloud-tls-base
+    nodeset: kayobe-centos8
+
 - job:
     name: kayobe-overcloud-upgrade-base
     parent: kayobe-base
diff --git a/zuul.d/project.yaml b/zuul.d/project.yaml
index 80375c81..d15df072 100644
--- a/zuul.d/project.yaml
+++ b/zuul.d/project.yaml
@@ -11,6 +11,7 @@
         - kayobe-tox-ansible
         - kayobe-tox-molecule
         - kayobe-overcloud-centos8
+        - kayobe-overcloud-tls-centos8
         - kayobe-overcloud-host-configure-centos8
         - kayobe-overcloud-upgrade-centos8
         - kayobe-seed-centos8
@@ -24,6 +25,7 @@
         - kayobe-tox-ansible
         - kayobe-tox-molecule
         - kayobe-overcloud-centos8
+        - kayobe-overcloud-tls-centos8
         - kayobe-overcloud-host-configure-centos8
         - kayobe-overcloud-upgrade-centos8
         - kayobe-seed-centos8
-- 
GitLab