Add tls upgrade jobs

This patch adds new jobs to test upgrade scenario where TLS is fully disabled on SOURCE_SERIES but enabled on TARGET_SERIES. Keystone proto is set to 'http' to ensure that `openstack_service_accept_both_protocols` works as expected. Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/885190 Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-os_nova/+/885337 Change-Id: I6d967f444b2de67fc394cf8c52f4e236418b5f98
2023-06-04 17:37:15 +02:00 · 2023-06-04 17:37:15 +02:00 · 46ffb2702b
commit 46ffb2702b
parent 42b7c85528
3 changed files with 40 additions and 1 deletions
--- a/tests/roles/bootstrap-host/templates/user_variables_tls.yml.j2
+++ b/tests/roles/bootstrap-host/templates/user_variables_tls.yml.j2
@ -10,7 +10,31 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.

+# UPGRADE_TARGET_BRANCH variable is defined only during upgrade scenario
+# when source version is being deployed.
+{% if lookup('env', 'UPGRADE_TARGET_BRANCH') == '' %}
+# Make sure that TLS is fully enabled on target release.
+openstack_service_publicuri_proto: https
 openstack_service_adminuri_proto: https
 openstack_service_internaluri_proto: https
-haproxy_ssl_all_vips: true
+haproxy_ssl: True
+haproxy_ssl_all_vips: True
+rabbitmq_management_ssl: True
 openstack_service_backend_ssl: True
+openstack_service_accept_both_protocols: True
+# Keep keystone proto set to 'http'. This way we can ensure that
+# `openstack_service_accept_both_protocols` works as expected.
+keystone_service_publicuri_proto: http
+keystone_service_adminuri_proto: http
+keystone_service_internaluri_proto: http
+{% else %}
+# Make sure that source release has TLS fully disabled.
+openstack_service_publicuri_proto: http
+openstack_service_adminuri_proto: http
+openstack_service_internaluri_proto: http
+haproxy_ssl: False
+haproxy_ssl_all_vips: False
+rabbitmq_management_ssl: False
+openstack_service_backend_ssl: False
+openstack_service_accept_both_protocols: False
+{% endif %}
--- a/zuul.d/jobs.yaml
+++ b/zuul.d/jobs.yaml
@ -431,6 +431,12 @@
    parent: openstack-ansible-deploy-aio
    nodeset: ubuntu-jammy

+- job:
+    name: openstack-ansible-upgrade-aio_metal_tls-ubuntu-jammy
+    parent: openstack-ansible-deploy-aio
+    nodeset: ubuntu-jammy
+    timeout: 10800
+
 - job:
    name: openstack-ansible-upgrade-aio_lxc-ubuntu-jammy
    parent: openstack-ansible-deploy-aio
@ -796,6 +802,12 @@
    parent: openstack-ansible-deploy-aio
    nodeset: rockylinux-9

+- job:
+    name: openstack-ansible-upgrade-aio_metal_tls-rockylinux-9
+    parent: openstack-ansible-deploy-aio
+    nodeset: rockylinux-9
+    timeout: 10800
+
 - job:
    name: openstack-ansible-deploy-aio_telemetry_metal-rockylinux-9
    parent: openstack-ansible-deploy-aio
--- a/zuul.d/project-templates.yaml
+++ b/zuul.d/project-templates.yaml
@ -172,6 +172,9 @@
        - openstack-ansible-deploy-aio_metal_tls-ubuntu-jammy
        - openstack-ansible-upgrade-aio_metal-rockylinux-9
        - openstack-ansible-upgrade-aio_metal-ubuntu-jammy
+        - openstack-ansible-upgrade-aio_metal_tls-rockylinux-9
+        - openstack-ansible-upgrade-aio_metal_tls-ubuntu-jammy
+
    gate:
      jobs:
        - openstack-ansible-deploy-aio_metal-debian-bullseye