openstack/kolla-ansible
Code Issues Proposed changes

CI: Add TLS tests

Browse Source 
Add a TLS scenario in zuul to generate self signed certificates and
to configure TLS to be enabled in the open stack deployment.

Change-Id: If10a23dfa67212e843ef26486c9523074cc920e7
Partially-Implements: blueprint custom-cacerts
This commit is contained in:
generalfuzz 2020-01-07 09:51:10 -08:00 committed by James Kirsch
parent d100904f2c
commit 6404d0e031
8 changed files with 39 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
tests/check-config.sh
View File

@ -15,6 +15,8 @@ function check_config {
# Ignore files generated by Zuul. # Ignore files generated by Zuul.
for f in $(sudo find /etc/kolla \ for f in $(sudo find /etc/kolla \
-not -regex /etc/kolla/config.* \ -not -regex /etc/kolla/config.* \
-not -regex /etc/kolla/certificates.* \
-not -regex ".*ca-certificates.*" \
-not -path /etc/kolla \ -not -path /etc/kolla \
-not -name admin-openrc.sh \ -not -name admin-openrc.sh \
-not -name globals.yml \ -not -name globals.yml \

4
tests/deploy.sh
View File

@ -15,6 +15,10 @@ function deploy {
#TODO(inc0): Post-deploy complains that /etc/kolla is not writable. Probably we need to include become there #TODO(inc0): Post-deploy complains that /etc/kolla is not writable. Probably we need to include become there
sudo chmod -R 777 /etc/kolla sudo chmod -R 777 /etc/kolla
# generate self-signed certificates for the optional internal TLS tests
if [[ "$TLS_ENABLED" = "True" ]]; then
tools/kolla-ansible -i ${RAW_INVENTORY} -vvv certificates > /tmp/logs/ansible/certificates
fi
# Actually do the deployment # Actually do the deployment
tools/kolla-ansible -i ${RAW_INVENTORY} -vvv prechecks &> /tmp/logs/ansible/deploy-prechecks tools/kolla-ansible -i ${RAW_INVENTORY} -vvv prechecks &> /tmp/logs/ansible/deploy-prechecks
# TODO(jeffrey4l): add pull action when we have a local registry # TODO(jeffrey4l): add pull action when we have a local registry

5
tests/run.yml
View File

@ -314,7 +314,8 @@
cmd: deploy.sh cmd: deploy.sh
executable: /bin/bash executable: /bin/bash
chdir: "{{ kolla_ansible_src_dir }}" chdir: "{{ kolla_ansible_src_dir }}"
environment:
TLS_ENABLED: "{{ tls_enabled }}"
# NOTE(yoctozepto): this is nice as the first step after the deployment # NOTE(yoctozepto): this is nice as the first step after the deployment
# because it waits for the services to stabilize well enough so that # because it waits for the services to stabilize well enough so that
# the dashboard is able to show the login prompt # the dashboard is able to show the login prompt
@ -323,6 +324,8 @@
cmd: test-dashboard.sh cmd: test-dashboard.sh
executable: /bin/bash executable: /bin/bash
chdir: "{{ kolla_ansible_src_dir }}" chdir: "{{ kolla_ansible_src_dir }}"
environment:
TLS_ENABLED: "{{ tls_enabled }}"
when: dashboard_enabled when: dashboard_enabled
- name: Run init-core-openstack.sh script - name: Run init-core-openstack.sh script

13
tests/templates/globals-default.j2
View File

@ -134,3 +134,16 @@ glance_backend_ceph: "yes"
cinder_backend_ceph: "yes" cinder_backend_ceph: "yes"
nova_backend_ceph: "yes" nova_backend_ceph: "yes"
{% endif %} {% endif %}
{% if tls_enabled %}
kolla_enable_tls_external: "yes"
kolla_enable_tls_internal: "yes"
kolla_verify_internal_ca_certs: "no"
kolla_copy_ca_into_containers: "yes"
{% if base_distro == "ubuntu" or base_distro == "debian" %}
openstack_cacert: "/usr/local/share/ca-certificates/kolla-customca-haproxy-internal.crt"
{% endif %}
{% if base_distro == "centos" %}
openstack_cacert: "/etc/pki/ca-trust/source/anchors/kolla-customca-haproxy-internal.crt"
{% endif %}
{% endif %}

10
tests/test-dashboard.sh
View File

@ -11,7 +11,15 @@ function check_dashboard {
# page. # page.
DASHBOARD_URL=${OS_AUTH_URL%:*} DASHBOARD_URL=${OS_AUTH_URL%:*}
output_path=$1 output_path=$1
if ! curl --include --location --fail $DASHBOARD_URL > $output_path; then args=(
--include
--location
--fail
)
if [[ "$TLS_ENABLED" = "True" ]]; then
args+=(--cacert $OS_CACERT)
fi
if ! curl "${args[@]}" $DASHBOARD_URL > $output_path; then
return 1 return 1
fi fi
if ! grep Login $output_path >/dev/null; then if ! grep Login $output_path >/dev/null; then

5
tests/upgrade.sh
View File

@ -9,7 +9,10 @@ export PYTHONUNBUFFERED=1
function upgrade { function upgrade {
RAW_INVENTORY=/etc/kolla/inventory RAW_INVENTORY=/etc/kolla/inventory
# generate self-signed certificates for the optional internal TLS tests
if [[ $SCENARIO == "tls" ]]; then
tools/kolla-ansible -i ${RAW_INVENTORY} -vvv certificates > /tmp/logs/ansible/certificates
fi
tools/kolla-ansible -i ${RAW_INVENTORY} -vvv prechecks &> /tmp/logs/ansible/upgrade-prechecks tools/kolla-ansible -i ${RAW_INVENTORY} -vvv prechecks &> /tmp/logs/ansible/upgrade-prechecks
tools/kolla-ansible -i ${RAW_INVENTORY} -vvv pull &> /tmp/logs/ansible/pull-upgrade tools/kolla-ansible -i ${RAW_INVENTORY} -vvv pull &> /tmp/logs/ansible/pull-upgrade
tools/kolla-ansible -i ${RAW_INVENTORY} -vvv upgrade &> /tmp/logs/ansible/upgrade tools/kolla-ansible -i ${RAW_INVENTORY} -vvv upgrade &> /tmp/logs/ansible/upgrade

1
zuul.d/base.yaml
View File

@ -31,6 +31,7 @@
api_interface_name: vxlan0 api_interface_name: vxlan0
kolla_internal_vip_address: "192.0.2.10" kolla_internal_vip_address: "192.0.2.10"
address_family: 'ipv4' address_family: 'ipv4'
tls_enabled: false
roles: roles:
- zuul: zuul/zuul-jobs - zuul: zuul/zuul-jobs

2
zuul.d/jobs.yaml
View File

@ -24,6 +24,7 @@
vars: vars:
base_distro: debian base_distro: debian
install_type: source install_type: source
tls_enabled: true
- job: - job:
name: kolla-ansible-ubuntu-source name: kolla-ansible-ubuntu-source
@ -32,6 +33,7 @@
vars: vars:
base_distro: ubuntu base_distro: ubuntu
install_type: source install_type: source
tls_enabled: true
- job: - job:
name: kolla-ansible-ubuntu-source-multinode-ipv6 name: kolla-ansible-ubuntu-source-multinode-ipv6