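---
# CI playbook for the kolla-ansible Hashicorp Vault password test.
#
# Play 1 publishes shared paths as facts on every host.
# Play 2 (primary only) installs kolla-ansible from source, generates
# /etc/kolla/passwords.yml, runs test-hashicorp-vault-passwords.sh, and then
# checks that the file read back at /tmp/passwords-hashicorp-vault.yml has
# exactly the same set of keys as the generated input.
- hosts: all
  any_errors_fatal: true
  tasks:
    # NOTE(yoctozepto): setting vars as facts for all to have them around in all the plays
    - name: Set facts for commonly used variables
      set_fact:
        kolla_ansible_src_dir: "{{ ansible_env.PWD }}/src/{{ zuul.project.canonical_hostname }}/openstack/kolla-ansible"
        upper_constraints_file: "{{ ansible_env.HOME }}/src/opendev.org/openstack/requirements/upper-constraints.txt"
        pip_user_path_env:
          PATH: "{{ ansible_env.HOME + '/.local/bin:' + ansible_env.PATH }}"

- hosts: primary
  any_errors_fatal: true
  # Puts ~/.local/bin first on PATH so the `pip --user` installs below
  # (pip itself, kolla-genpwd) are the ones that get executed.
  environment: "{{ pip_user_path_env }}"
  tasks:
    # The mode is quoted so it reaches the file module as the octal string
    # "0777" no matter how the YAML loader types a bare 0777.
    # NOTE(review): the directory is world-writable and later holds
    # passwords.yml. That is tolerable only on a single-use CI node; on a
    # shared host, prefer giving ownership to the unprivileged user that runs
    # the following tasks and using a restrictive mode.
    - name: Ensure /etc/kolla exists
      file:
        path: "/etc/kolla"
        state: "directory"
        mode: "0777"
      become: true

    - name: Ensure python3-pip exists
      package:
        name: python3-pip
      become: true

    # NOTE(mgoddard): We need a recent pip to install the latest cryptography
    # library. See https://github.com/pyca/cryptography/issues/5753
    - name: Install pip 19.1.1+
      pip:
        name: "pip>=19.1.1"
        executable: "pip3"
        extra_args: "--user"

    # `-c` pins every dependency to the versions in upper-constraints.txt.
    - name: Install kolla-ansible and dependencies
      pip:
        executable: "pip3"
        extra_args: "-c {{ upper_constraints_file }} --user"
        name:
          - "{{ kolla_ansible_src_dir }}"
          - "ansible-core{{ ansible_core_version_constraint }}"
          - "ansible{{ ansible_version_constraint }}"

    # remote_src: the template is copied from the checkout already present on
    # the target. 0640 keeps the file unreadable to "other" even though the
    # parent directory is open.
    - name: Copy passwords.yml file
      copy:
        src: "{{ kolla_ansible_src_dir }}/etc/kolla/passwords.yml"
        dest: /etc/kolla/passwords.yml
        mode: "0640"
        remote_src: true

    - name: Generate passwords
      command: kolla-genpwd

    # At this point we have generated all necessary configuration, and are
    # ready to test Hashicorp Vault.
    - name: Run test-hashicorp-vault-passwords.sh script
      script:
        cmd: test-hashicorp-vault-passwords.sh
        executable: /bin/bash
        chdir: "{{ kolla_ansible_src_dir }}"
      environment:
        BASE_DISTRO: "{{ base_distro }}"

    # slurp returns the whole file base64-encoded in the task result. no_log
    # keeps the secret values out of console output and out of any callback
    # that records task results; the registered variable is unaffected.
    - name: Read template file
      slurp:
        src: "/etc/kolla/passwords.yml"
      register: template_file
      no_log: true

    # NOTE(review): this file is presumably written by the test script above;
    # confirm there. A fixed name under /tmp is predictable to other local
    # users, so on anything but a single-tenant CI node the script should
    # write to a private directory instead.
    - name: Read generated file
      slurp:
        src: "/tmp/passwords-hashicorp-vault.yml"
      register: generated_file
      no_log: true

    # This test will load in the original input file and the one that was
    # generated by Vault and ensure that the keys are the same in both files.
    # This ensures that we are not missing any passwords.
    # `sort` applied to the parsed mapping yields its keys only, so the
    # comparison, and any failure output, involves key names and never the
    # password values.
    - name: Check passwords that were written to Vault are as expected
      vars:
        input_passwords: "{{ template_file['content'] | b64decode | from_yaml | sort }}"
        output_passwords: "{{ generated_file['content'] | b64decode | from_yaml | sort }}"
      assert:
        that:
          - "input_passwords == output_passwords"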