From a0665cd9c63735b794f200514d90ff1b9e6dd239 Mon Sep 17 00:00:00 2001
From: Mark Goddard <mark@stackhpc.com>
Date: Wed, 2 Mar 2022 13:25:21 +0000
Subject: [PATCH] CI: stop using zuul as kayobe_ansible_user in TLS jobs

Previously we were using the zuul user in the TLS jobs. This was due to
a permissions issue when accessing the CA certificate in kayobe-config
in the zuul user's home directory.

This change reverts to the default of using the stack user for the TLS
jobs. In order to make this work, the generated root CA certificate is
added to the host's system trust store, so the admin openrc can point
OS_CACERT at the system CA bundle instead of a file under kayobe-config.

Change-Id: I875f8976df75dee68ba00842fe624c29cc1b123c
---
 dev/functions                                    | 11 +++++++++++
 playbooks/kayobe-overcloud-base/globals.yml.j2   |  2 +-
 playbooks/kayobe-overcloud-base/overrides.yml.j2 |  3 ---
 3 files changed, 12 insertions(+), 4 deletions(-)

diff --git a/dev/functions b/dev/functions
index 0e994023..bd319be8 100644
--- a/dev/functions
+++ b/dev/functions
@@ -404,6 +404,17 @@ function overcloud_deploy {
     if [[ ${KAYOBE_OVERCLOUD_GENERATE_CERTIFICATES} = 1 ]]; then
         echo "Generate TLS certificates"
         run_kayobe kolla ansible run certificates --kolla-extra kolla_certificates_dir=${KAYOBE_CONFIG_PATH}/kolla/certificates
+        # Add CA cert to trust store.
+        ca_cert=${KAYOBE_CONFIG_PATH}/kolla/certificates/ca/root.crt
+        if [[ -e /etc/debian_version ]]; then
+            # Ubuntu
+            sudo cp $ca_cert "/usr/local/share/ca-certificates/kayobe-customca.crt"
+            sudo update-ca-certificates
+        elif [[ -e /etc/redhat-release ]]; then
+            # CentOS
+            sudo cp $ca_cert "/etc/pki/ca-trust/source/anchors/kayobe-customca.crt"
+            sudo update-ca-trust
+        fi
     fi
 
     # Note: This must currently be before host configure, because host
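Review bot: The new copy makes the freshly generated root.crt a trust anchor for the whole host running `overcloud_deploy`, and nothing in the code scopes that to the CI case the commit message describes; if dev/functions is also used on developer machines (it reads like a shared dev helper), the reader should be warned that the host will thereafter trust anything signed by that CA. I would add above the copy: `# NOTE: installs the generated CA as a system-wide trust anchor (not only for kayobe); intended for throwaway CI/dev hosts.`. The copy also passes `$ca_cert` unquoted and does not check that the certificates run actually produced the file, so a missing cert only surfaces later inside update-ca-certificates / update-ca-trust with a less useful message; `[[ -e "$ca_cert" ]] || { echo "CA cert not found: $ca_cert"; return 1; }` before `sudo cp "$ca_cert" ...` would fail at the right place. overcloud_deploy starts before and continues after this hunk.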
diff --git a/playbooks/kayobe-overcloud-base/globals.yml.j2 b/playbooks/kayobe-overcloud-base/globals.yml.j2
index 6ebb2af2..7de112f6 100644
--- a/playbooks/kayobe-overcloud-base/globals.yml.j2
+++ b/playbooks/kayobe-overcloud-base/globals.yml.j2
@@ -20,6 +20,6 @@ nova_libvirt_logging_debug: False
 kolla_copy_ca_into_containers: "yes"
 kolla_enable_tls_backend: "yes"
 openstack_cacert: "/etc/pki/tls/certs/ca-bundle.crt"
-kolla_admin_openrc_cacert: "{% raw %}{{ '{{' }} kolla_certificates_dir }}{% endraw %}/ca/root.crt"
+kolla_admin_openrc_cacert: "/etc/pki/tls/certs/ca-bundle.crt"
 libvirt_tls: "yes"
 {% endif %}
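Review bot: The new `kolla_admin_openrc_cacert` value is the RHEL/CentOS bundle path, while the dev/functions change in this same commit installs the CA on Ubuntu hosts as well, where the system bundle is normally `/etc/ssl/certs/ca-certificates.crt` and `/etc/pki/tls/certs/ca-bundle.crt` does not usually exist; on an Ubuntu host the generated admin-openrc would then point OS_CACERT at a missing file. The `openstack_cacert` line above uses the same path, but that one appears to be consumed inside the containers, whereas the openrc value is read on the host, so the two are not interchangeable. Note also that the old value pinned OS_CACERT to the single generated root.crt, and the new one accepts anything in the host's trust store, which is a wider trust set than before. If the job knows the host distro, the path should be selected per OS family; otherwise at least record the assumption with `# Host system CA bundle (CentOS/RHEL path); Ubuntu hosts use /etc/ssl/certs/ca-certificates.crt.`. The enclosing `{% if %}` block starts outside this hunk.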
diff --git a/playbooks/kayobe-overcloud-base/overrides.yml.j2 b/playbooks/kayobe-overcloud-base/overrides.yml.j2
index ab14f994..58ce039a 100644
--- a/playbooks/kayobe-overcloud-base/overrides.yml.j2
+++ b/playbooks/kayobe-overcloud-base/overrides.yml.j2
@@ -45,9 +45,6 @@ kolla_ironic_default_boot_interface: ipxe
 kolla_enable_tls_external: "yes"
 kolla_enable_tls_internal: "yes"
 
-# FIXME: ipa-images fails to access OS_CACERT from /home/zuul.
-kayobe_ansible_user: zuul
-
 kolla_ironic_pxe_append_params_extra:
   - ipa-insecure=1
 {% endif %}
-- 
GitLab