CI: Add a CentOS 8 overcloud job with TLS enabled

Change-Id: I5fc49fb734d0fe94f5f75c66eb4c1a935774ef30

dev/functions

@@ -40,6 +40,10 @@ function config_defaults {
     # Whether to deploy seed services.
     export KAYOBE_SEED_SERVICE_DEPLOY=${KAYOBE_SEED_SERVICE_DEPLOY:-1}
 
+    # Whether to use the 'kolla-ansible certificates' command to generate X.509
+    # certificates.
+    export KAYOBE_OVERCLOUD_GENERATE_CERTIFICATES=${KAYOBE_OVERCLOUD_GENERATE_CERTIFICATES:-0}
+
     # Whether to build container images for the overcloud services. If 0, they
     # will be pulled if $KAYOBE_OVERCLOUD_CONTAINER_IMAGE_PULL is 1.
     export KAYOBE_OVERCLOUD_CONTAINER_IMAGE_BUILD=${KAYOBE_OVERCLOUD_CONTAINER_IMAGE_BUILD:-0}
@@ -346,6 +350,11 @@ function overcloud_deploy {
     echo "Workaround: upgrading the controller host"
     run_kayobe overcloud host upgrade
 
+    if [[ ${KAYOBE_OVERCLOUD_GENERATE_CERTIFICATES} = 1 ]]; then
+        echo "Generate TLS certificates"
+        run_kayobe kolla ansible run certificates --kolla-extra kolla_certificates_dir=${KAYOBE_CONFIG_PATH}/kolla/certificates
+    fi
+
     # Note: This must currently be before host configure, because host
     # configure runs kolla-ansible.yml, which validates the presence of the
     # built deploy images.

playbooks/kayobe-overcloud-base/globals.yml.j2

@@ -0,0 +1,17 @@
+---
+# Most development environments will use nested virtualisation, and we can't
+# guarantee that nested KVM support is available. Use QEMU as a lowest common
+# denominator.
+nova_compute_virt_type: qemu
+
+# Reduce the control plane's memory footprint by limiting the number of worker
+# processes to one per-service.
+openstack_service_workers: "1"
+
+{% if tls_enabled %}
+# TLS
+kolla_copy_ca_into_containers: "yes"
+kolla_enable_tls_backend: "yes"
+openstack_cacert: "/etc/pki/tls/certs/ca-bundle.crt"
+kolla_admin_openrc_cacert: "{% raw %}{{ '{{' }} kolla_certificates_dir }}{% endraw %}/ca/root.crt"
+{% endif %}

playbooks/kayobe-overcloud-base/overrides.yml.j2

@@ -24,3 +24,14 @@ pip_index_url: "http://{{ zuul_site_mirror_fqdn }}/pypi/simple"
 # are using for SSH to be removed. Use a dummy interface.
 aio_bridge_ports:
   - dummy1
+
+{% if tls_enabled %}
+kolla_enable_tls_external: "yes"
+kolla_enable_tls_internal: "yes"
+
+# FIXME: ipa-images fails to access OS_CACERT from /home/zuul.
+kayobe_ansible_user: zuul
+
+kolla_ironic_pxe_append_params_extra:
+  - ipa-insecure=1
+{% endif %}

playbooks/kayobe-overcloud-base/pre.yml

@@ -10,6 +10,12 @@
         src: overrides.yml.j2
         dest: "{{ kayobe_config_src_dir }}/etc/kayobe/zz-overrides.yml"
 
+    - name: Ensure kolla-ansible globals.yml override config file exists
+      template:
+        src: globals.yml.j2
+        dest: "{{ kayobe_config_src_dir }}/etc/kayobe/kolla/globals.yml"
+      when: tls_enabled
+
     # NOTE(mgoddard): The kayobe dev config by default expects a bridge -
     # breth1 - to exist with an IP address of 192.168.33.3.
     - name: Ensure all-in-one network bridge interface exists

playbooks/kayobe-overcloud-base/run.yml

@@ -2,6 +2,7 @@
 - hosts: primary
   environment:
     KAYOBE_CONFIG_SOURCE_PATH: "{{ kayobe_config_src_dir }}"
+    KAYOBE_OVERCLOUD_GENERATE_CERTIFICATES: "{{ tls_enabled | ternary(1, 0) }}"
   tasks:
     - name: Ensure overcloud is deployed
       shell:

zuul.d/jobs.yaml

@@ -77,6 +77,7 @@
       requirements_src_dir: "{{ ansible_env.PWD ~ '/' ~ zuul.projects['opendev.org/openstack/requirements'].src_dir }}"
       tenks_src_dir: "{{ ansible_env.PWD ~ '/' ~ zuul.projects['opendev.org/openstack/tenks'].src_dir }}"
       is_upgrade: "{{ 'upgrade' in zuul.job }}"
+      tls_enabled: false
 
 - job:
     name: kayobe-overcloud-base
@@ -94,6 +95,17 @@
     parent: kayobe-overcloud-base
     nodeset: kayobe-centos8
 
+- job:
+    name: kayobe-overcloud-tls-base
+    parent: kayobe-overcloud-base
+    vars:
+      tls_enabled: true
+
+- job:
+    name: kayobe-overcloud-tls-centos8
+    parent: kayobe-overcloud-tls-base
+    nodeset: kayobe-centos8
+
 - job:
     name: kayobe-overcloud-upgrade-base
     parent: kayobe-base

zuul.d/project.yaml

@@ -11,6 +11,7 @@
         - kayobe-tox-ansible
         - kayobe-tox-molecule
         - kayobe-overcloud-centos8
+        - kayobe-overcloud-tls-centos8
         - kayobe-overcloud-host-configure-centos8
         - kayobe-overcloud-upgrade-centos8
         - kayobe-seed-centos8
@@ -24,6 +25,7 @@
         - kayobe-tox-ansible
         - kayobe-tox-molecule
         - kayobe-overcloud-centos8
+        - kayobe-overcloud-tls-centos8
         - kayobe-overcloud-host-configure-centos8
         - kayobe-overcloud-upgrade-centos8
         - kayobe-seed-centos8