From b029cfd8806216304267c51cef18b8bc66320c0a Mon Sep 17 00:00:00 2001 From: Damian Dabrowski Date: Tue, 2 May 2023 15:34:57 +0200 Subject: [PATCH] Add 'tls' scenario This patch adds new 'tls' scenario along with its jobs. TLS scenario changes two things in default deployment: - TLS is enabled on all openstack endpoints(by default only public endpoint is available over https). - TLS backend is enabled for all services(traffic between haproxy and service backends is encrypted) Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-repo_server/+/876429 Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-os_nova/+/874810 Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-os_placement/+/879380 Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-os_cinder/+/874966 Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-os_neutron/+/873654 Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-os_glance/+/821011 Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-os_keystone/+/879379 Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-os_horizon/+/879517 Change-Id: If4cc13e3d0907e36de6d932936cac81f02b4dc2c --- .../tasks/prepare_aio_config.yml | 3 +++ .../templates/user_variables_tls.yml.j2 | 16 +++++++++++++++ zuul.d/jobs.yaml | 20 +++++++++++++++++++ zuul.d/project-templates.yaml | 8 ++++++++ 4 files changed, 47 insertions(+) create mode 100644 tests/roles/bootstrap-host/templates/user_variables_tls.yml.j2 diff --git a/tests/roles/bootstrap-host/tasks/prepare_aio_config.yml b/tests/roles/bootstrap-host/tasks/prepare_aio_config.yml index 3322613d8b..e6db77e75b 100644 --- a/tests/roles/bootstrap-host/tasks/prepare_aio_config.yml +++ b/tests/roles/bootstrap-host/tasks/prepare_aio_config.yml 
@@ -180,6 +180,9 @@ - src: user_variables_stepca.yml.j2 dest: user_variables_stepca.yml condition: "{{ 'stepca' in bootstrap_host_scenarios_expanded }}" + - src: user_variables_tls.yml.j2 + dest: user_variables_tls.yml + condition: "{{ 'tls' in bootstrap_host_scenarios_expanded }}" - name: Copy modified cinder-volume env.d file for ceph scenario copy: diff --git a/tests/roles/bootstrap-host/templates/user_variables_tls.yml.j2 b/tests/roles/bootstrap-host/templates/user_variables_tls.yml.j2 new file mode 100644 index 0000000000..50f65f0021 --- /dev/null +++ b/tests/roles/bootstrap-host/templates/user_variables_tls.yml.j2 @@ -0,0 +1,16 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +openstack_service_adminuri_proto: https +openstack_service_internaluri_proto: https +haproxy_ssl_all_vips: true +openstack_service_backend_ssl: True diff --git a/zuul.d/jobs.yaml b/zuul.d/jobs.yaml index aca2aa716f..f44da57b07 100644 --- a/zuul.d/jobs.yaml +++ b/zuul.d/jobs.yaml @@ -426,6 +426,11 @@ parent: openstack-ansible-deploy-aio nodeset: ubuntu-jammy +- job: + name: openstack-ansible-deploy-aio_metal_tls-ubuntu-jammy + parent: openstack-ansible-deploy-aio + nodeset: ubuntu-jammy + - job: name: openstack-ansible-upgrade-aio_lxc-ubuntu-jammy parent: openstack-ansible-deploy-aio 
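Review bot: In the new `tests/roles/bootstrap-host/templates/user_variables_tls.yml.j2`, the two booleans are spelled differently (`haproxy_ssl_all_vips: true` but `openstack_service_backend_ssl: True`), and none of the four overrides has a comment saying what it turns on. Use lowercase for both (`openstack_service_backend_ssl: true`) and add a one-line comment above each pair, for example `# Serve the admin and internal endpoints over https, not only the public one` and `# Encrypt traffic between haproxy and the service backends`. Nothing in this file shows whether haproxy also verifies the backend certificates. That presumably comes from role defaults outside this patch and is worth confirming, because an encrypted but unverified backend leg does not authenticate the backend.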
@@ -448,6 +453,11 @@ parent: openstack-ansible-deploy-aio-infra nodeset: ubuntu-jammy +- job: + name: openstack-ansible-deploy-infra_lxc_tls-ubuntu-jammy + parent: openstack-ansible-deploy-aio-infra + nodeset: ubuntu-jammy + - job: name: openstack-ansible-deploy-hosts_lxc-ubuntu-jammy parent: openstack-ansible-deploy-aio-hosts @@ -760,6 +770,11 @@ parent: openstack-ansible-deploy-aio nodeset: rockylinux-9 +- job: + name: openstack-ansible-deploy-infra_lxc_tls-rockylinux-9 + parent: openstack-ansible-deploy-aio + nodeset: rockylinux-9 + - job: name: openstack-ansible-deploy-hosts_distro_lxc-rockylinux-9 parent: openstack-ansible-deploy-aio @@ -812,6 +827,11 @@ parent: openstack-ansible-deploy-aio nodeset: rockylinux-9 +- job: + name: openstack-ansible-deploy-aio_metal_tls-rockylinux-9 + parent: openstack-ansible-deploy-aio + nodeset: rockylinux-9 + - job: name: openstack-ansible-deploy-aio_telemetry_metal-rockylinux-9 parent: openstack-ansible-deploy-aio diff --git a/zuul.d/project-templates.yaml b/zuul.d/project-templates.yaml index d251968557..c3c1453953 100644 --- a/zuul.d/project-templates.yaml +++ b/zuul.d/project-templates.yaml 
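Review bot: In the `@@ -760` hunk of `zuul.d/jobs.yaml`, `openstack-ansible-deploy-infra_lxc_tls-rockylinux-9` is declared with `parent: openstack-ansible-deploy-aio`, while the ubuntu-jammy job for the same scenario in the `@@ -448` hunk uses `parent: openstack-ansible-deploy-aio-infra`. The neighbouring rockylinux-9 context lines also use `openstack-ansible-deploy-aio`, so this may simply follow the file's existing pattern. If the parent decides which playbooks or file matchers apply, though, the two TLS infra jobs would not exercise the same thing. If they are meant to match, change the line to `parent: openstack-ansible-deploy-aio-infra`; otherwise add a short comment above the job explaining why the parent differs.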
@@ -90,16 +90,20 @@ - openstack-ansible-deploy-infra_lxc-centos-9-stream: voting: false - openstack-ansible-deploy-infra_lxc-rockylinux-9 + - openstack-ansible-deploy-infra_lxc_tls-rockylinux-9 - openstack-ansible-deploy-infra_lxc-debian-bullseye - openstack-ansible-deploy-infra_lxc-ubuntu-focal - openstack-ansible-deploy-infra_lxc-ubuntu-jammy - openstack-ansible-deploy-infra_lxc_stepca-ubuntu-jammy + - openstack-ansible-deploy-infra_lxc_tls-ubuntu-jammy gate: jobs: - openstack-ansible-deploy-infra_lxc-rockylinux-9 + - openstack-ansible-deploy-infra_lxc_tls-rockylinux-9 - openstack-ansible-deploy-infra_lxc-debian-bullseye - openstack-ansible-deploy-infra_lxc-ubuntu-jammy - openstack-ansible-deploy-infra_lxc_stepca-ubuntu-jammy + - openstack-ansible-deploy-infra_lxc_tls-ubuntu-jammy periodic: jobs: - openstack-ansible-deploy-infra_lxc-ubuntu-jammy @@ -166,6 +170,8 @@ - openstack-ansible-deploy-aio_metal-rockylinux-9 - openstack-ansible-deploy-aio_metal-ubuntu-focal - openstack-ansible-deploy-aio_metal-ubuntu-jammy + - openstack-ansible-deploy-aio_metal_tls-rockylinux-9 + - openstack-ansible-deploy-aio_metal_tls-ubuntu-jammy - openstack-ansible-upgrade-aio_metal-rockylinux-9 - openstack-ansible-upgrade-aio_metal-ubuntu-focal - openstack-ansible-upgrade_yoga-aio_metal-ubuntu-focal @@ -174,6 +180,8 @@ - openstack-ansible-deploy-aio_metal-debian-bullseye - openstack-ansible-deploy-aio_metal-rockylinux-9 - openstack-ansible-deploy-aio_metal-ubuntu-jammy + - openstack-ansible-deploy-aio_metal_tls-rockylinux-9 + - openstack-ansible-deploy-aio_metal_tls-ubuntu-jammy - project-template: name: openstack-ansible-deploy-aio_telemetry_metal-jobs