CI: stop using zuul as kayobe_ansible_user in TLS jobs

Previously we were using the zuul user in the TLS jobs. This was due to a permissions issue when accessing the CA certificate in kayobe-config in the zuul user's home directory. This change reverts to the default of using the stack user for the TLS jobs. In order to make this work, the generated CA cert chain is added to the trust store. Change-Id: I875f8976df75dee68ba00842fe624c29cc1b123c

CI: stop using zuul as kayobe_ansible_user in TLS jobs
a0665cd9 · Mark Goddard · 082f9c54 · a0665cd9 · a0665cd9 · a0665cd9
Commit a0665cd9 authored 3 years ago by Mark Goddard
--- a/dev/functions
+++ b/dev/functions
@@ -404,6 +404,17 @@ function overcloud_deploy {
    if [[ ${KAYOBE_OVERCLOUD_GENERATE_CERTIFICATES} = 1 ]]; then
        echo "Generate TLS certificates"
        run_kayobe kolla ansible run certificates --kolla-extra kolla_certificates_dir=${KAYOBE_CONFIG_PATH}/kolla/certificates
+        # Add CA cert to trust store.
+        ca_cert=${KAYOBE_CONFIG_PATH}/kolla/certificates/ca/root.crt
+        if [[ -e /etc/debian_version ]]; then
+            # Ubuntu
+            sudo cp $ca_cert "/usr/local/share/ca-certificates/kayobe-customca.crt"
+            sudo update-ca-certificates
+        elif [[ -e /etc/redhat-release ]]; then
+            # CentOS
+            sudo cp $ca_cert "/etc/pki/ca-trust/source/anchors/kayobe-customca.crt"
+            sudo update-ca-trust
+        fi
    fi

    # Note: This must currently be before host configure, because host

--- a/playbooks/kayobe-overcloud-base/globals.yml.j2
+++ b/playbooks/kayobe-overcloud-base/globals.yml.j2
@@ -20,6 +20,6 @@ nova_libvirt_logging_debug: False
 kolla_copy_ca_into_containers: "yes"
 kolla_enable_tls_backend: "yes"
 openstack_cacert: "/etc/pki/tls/certs/ca-bundle.crt"
-kolla_admin_openrc_cacert: "{% raw %}{{ '{{' }} kolla_certificates_dir }}{% endraw %}/ca/root.crt"
+kolla_admin_openrc_cacert: "/etc/pki/tls/certs/ca-bundle.crt"
 libvirt_tls: "yes"
 {% endif %}
--- a/playbooks/kayobe-overcloud-base/overrides.yml.j2
+++ b/playbooks/kayobe-overcloud-base/overrides.yml.j2
@@ -45,9 +45,6 @@ kolla_ironic_default_boot_interface: ipxe
 kolla_enable_tls_external: "yes"
 kolla_enable_tls_internal: "yes"

-# FIXME: ipa-images fails to access OS_CACERT from /home/zuul.
-kayobe_ansible_user: zuul
-
 kolla_ironic_pxe_append_params_extra:
  - ipa-insecure=1
 {% endif %}