From b59b392813c060139860afb74682ce664d895562 Mon Sep 17 00:00:00 2001 From: Jonathan Rosser Date: Wed, 8 Mar 2023 08:39:26 +0000 Subject: [PATCH] Use certbot to generate SSL cert for the external VIP in 'stepca' scenario This patch uses the certbot functionality to issue a certificate from a locally installed ACME server on the AIO node, when the string 'stepca' appears in the scenario. This allows testing of the certbot code in the haproxy role and the wider integration with Openstack-Ansible to be tested in CI jobs. Change-Id: Ide769f54505898630aae67e25b238624ba4f4fdb --- .../openstack_user_config.yml.aio.j2 | 2 +- .../bootstrap-host/tasks/prepare_aio_config.yml | 3 +++ .../templates/user_variables_stepca.yml.j2 | 13 +++++++++++++ zuul.d/jobs.yaml | 15 +++++++++++++++ zuul.d/project-templates.yaml | 13 +++++++++++++ zuul.d/project.yaml | 1 + 6 files changed, 46 insertions(+), 1 deletion(-) create mode 100644 tests/roles/bootstrap-host/templates/user_variables_stepca.yml.j2 diff --git a/etc/openstack_deploy/openstack_user_config.yml.aio.j2 b/etc/openstack_deploy/openstack_user_config.yml.aio.j2 index a4e02ed2f4..030b32983c 100644 --- a/etc/openstack_deploy/openstack_user_config.yml.aio.j2 +++ b/etc/openstack_deploy/openstack_user_config.yml.aio.j2 @@ -41,7 +41,7 @@ global_overrides: internal_lb_vip_address: 172.29.236.101 # The external IP is quoted simply to ensure that the .aio file can be used as input # dynamic inventory testing. - external_lb_vip_address: "{{ bootstrap_host_public_address | default(ansible_facts['default_ipv4']['address']) }}" + external_lb_vip_address: "{{ ('stepca' in bootstrap_host_scenarios) | ternary('external.openstack.local', bootstrap_host_public_address | default(ansible_facts['default_ipv4']['address'])) }}" management_bridge: "br-mgmt" no_containers: {{ true if 'metal' in bootstrap_host_scenarios else false }} provider_networks: 
diff --git a/tests/roles/bootstrap-host/tasks/prepare_aio_config.yml b/tests/roles/bootstrap-host/tasks/prepare_aio_config.yml
index 698f0eec43..3322613d8b 100644
--- a/tests/roles/bootstrap-host/tasks/prepare_aio_config.yml
+++ b/tests/roles/bootstrap-host/tasks/prepare_aio_config.yml
@@ -177,6 +177,9 @@
 - src: user_variables_sahara.yml.j2
 dest: user_variables_sahara.yml
 condition: "{{ 'sahara' in bootstrap_host_scenarios_expanded }}"
+ - src: user_variables_stepca.yml.j2
+ dest: user_variables_stepca.yml
+ condition: "{{ 'stepca' in bootstrap_host_scenarios_expanded }}"

 - name: Copy modified cinder-volume env.d file for ceph scenario
 copy:
diff --git a/tests/roles/bootstrap-host/templates/user_variables_stepca.yml.j2 b/tests/roles/bootstrap-host/templates/user_variables_stepca.yml.j2
new file mode 100644
index 0000000000..2a8faa38ef
--- /dev/null
+++ b/tests/roles/bootstrap-host/templates/user_variables_stepca.yml.j2
@@ -0,0 +1,13 @@
+# Use the locally deployed Step-CA ACME server to configure the
+# certificate for the haproxy external VIP
+
+# SSL setup
+haproxy_ssl: true
+haproxy_ssl_letsencrypt_enable: True
+haproxy_ssl_letsencrypt_install_method: "distro"
+haproxy_ssl_letsencrypt_certbot_server: "https://127.0.0.1:8889/acme/acme-osa/directory"
+
+# openstack_hosts role should ensure that everthing trusts the Step-CA roots
+openstack_host_ca_certificates:
+ - name: StepCARoot.crt
+ src: /opt/step_ca_roots.pem
diff --git a/zuul.d/jobs.yaml b/zuul.d/jobs.yaml
index b3f43d8054..e7736ed2f1 100644
--- a/zuul.d/jobs.yaml
+++ b/zuul.d/jobs.yaml
@@ -405,6 +405,11 @@
 parent: openstack-ansible-deploy-aio
 nodeset: ubuntu-jammy

+- job:
+ name: openstack-ansible-deploy-aio_stepca-ubuntu-jammy
+ parent: openstack-ansible-deploy-aio
+ nodeset: ubuntu-jammy
+
 - job:
 name: openstack-ansible-deploy-aio_metal-ubuntu-jammy
 parent: openstack-ansible-deploy-aio
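Review bot: `haproxy_ssl_letsencrypt_enable: True` in the new user_variables_stepca.yml.j2 uses the capitalised boolean while `haproxy_ssl: true` two lines earlier uses the lowercase form; both load as booleans but yamllint's truthy rule flags the former, so `haproxy_ssl_letsencrypt_enable: true` keeps the file consistent. The comment above openstack_host_ca_certificates has a typo: `everthing` should read `everything`. Because haproxy_ssl_letsencrypt_certbot_server is an https URL to the local Step-CA, certbot will verify that endpoint's certificate against the system trust store, so the root installed via openstack_host_ca_certificates presumably has to be in place before the haproxy role runs — worth stating in the header comment, e.g. `# openstack_hosts must run before haproxy so certbot trusts the ACME endpoint`. The file carries a .j2 extension without any Jinja in it, which is fine if it matches the other user_variables templates listed in prepare_aio_config.yml.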
@@ -416,6 +421,11 @@
 nodeset: ubuntu-jammy
 timeout: 10800

+- job:
+ name: openstack-ansible-deploy-aio_metal_stepca-ubuntu-jammy
+ parent: openstack-ansible-deploy-aio
+ nodeset: ubuntu-jammy
+
 - job:
 name: openstack-ansible-upgrade-aio_lxc-ubuntu-jammy
 parent: openstack-ansible-deploy-aio
@@ -433,6 +443,11 @@
 parent: openstack-ansible-deploy-aio-infra
 nodeset: ubuntu-jammy

+- job:
+ name: openstack-ansible-deploy-infra_lxc_stepca-ubuntu-jammy
+ parent: openstack-ansible-deploy-aio-infra
+ nodeset: ubuntu-jammy
+
 - job:
 name: openstack-ansible-deploy-hosts_lxc-ubuntu-jammy
 parent: openstack-ansible-deploy-aio-hosts
diff --git a/zuul.d/project-templates.yaml b/zuul.d/project-templates.yaml
index fca8f05f59..8ef5128fff 100644
--- a/zuul.d/project-templates.yaml
+++ b/zuul.d/project-templates.yaml
@@ -90,12 +90,14 @@
 - openstack-ansible-deploy-infra_lxc-debian-bullseye
 - openstack-ansible-deploy-infra_lxc-ubuntu-focal
 - openstack-ansible-deploy-infra_lxc-ubuntu-jammy
+ - openstack-ansible-deploy-infra_lxc_stepca-ubuntu-jammy
 gate:
 jobs:
 - openstack-ansible-deploy-infra_lxc-centos-9-stream
 - openstack-ansible-deploy-infra_lxc-rockylinux-9
 - openstack-ansible-deploy-infra_lxc-debian-bullseye
 - openstack-ansible-deploy-infra_lxc-ubuntu-jammy
+ - openstack-ansible-deploy-infra_lxc_stepca-ubuntu-jammy
 periodic:
 jobs:
 - openstack-ansible-deploy-infra_lxc-ubuntu-jammy
@@ -225,6 +227,17 @@
 jobs:
 - openstack-ansible-deploy-aio_ceph-ubuntu-focal

+- project-template:
+ name: openstack-ansible-deploy-stepca-jobs
+ check:
+ jobs:
+ - openstack-ansible-deploy-aio_stepca-ubuntu-jammy
+ - openstack-ansible-deploy-aio_metal_stepca-ubuntu-jammy
+ gate:
+ jobs:
+ - openstack-ansible-deploy-aio_stepca-ubuntu-jammy
+ - openstack-ansible-deploy-aio_metal_stepca-ubuntu-jammy
+
 - project-template:
 name: openstack-ansible-deploy-proxy-jobs
 check:
diff --git a/zuul.d/project.yaml b/zuul.d/project.yaml
index af88f49bdf..aaa052ff74 100644
--- a/zuul.d/project.yaml
+++ b/zuul.d/project.yaml
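Review bot: The new openstack-ansible-deploy-aio_metal_stepca-ubuntu-jammy job omits `timeout: 10800`, which the job whose tail forms the context at the top of this hunk sets; if that extended timeout exists because metal deploys run long, the stepca variant presumably needs it too since it performs the same deploy plus certificate issuance, so consider adding `timeout: 10800` after its nodeset line. Which job owns that timeout cannot be confirmed from the hunk alone, as its definition starts before line 416. The aio_stepca and infra_lxc_stepca jobs in the neighbouring hunks mirror their non-stepca siblings, so no change is suggested there.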
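Review bot: Both stepca jobs in the new openstack-ansible-deploy-stepca-jobs template go into gate as well as check from the first revision, and the infra_lxc_stepca job in the earlier hunk of this file does the same, so any instability in the new certbot/Step-CA path blocks merges for the whole project immediately. The usual approach is to land new jobs with `voting: false` on the job definition in zuul.d/jobs.yaml, or check-only in the template, and promote them once they have a record of passing. If the jobs have already been exercised on this change and pass reliably, this is only a judgment call.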
@@ -23,6 +23,7 @@
 - openstack-ansible-deploy-aio_distro_metal-jobs
 - openstack-ansible-deploy-ceph-jobs
 - openstack-ansible-deploy-proxy-jobs
+ - openstack-ansible-deploy-stepca-jobs
 - openstack-ansible-deploy-distro_ceph-jobs
 - check-requirements
 - publish-openstack-docs-pti