Use certbot to generate SSL cert for the external VIP in 'stepca' scenario

This patch uses the certbot functionality to issue a certificate from a locally installed ACME server on the AIO node, when the string 'stepca' appears in the scenario. This allows testing of the certbot code in the haproxy role and the wider integration with Openstack-Ansible to be tested in CI jobs. Change-Id: Ide769f54505898630aae67e25b238624ba4f4fdb
2023-03-08 08:39:26 +00:00 · 2023-03-08 08:39:26 +00:00 · b59b392813
commit b59b392813
parent 24c834ad06
6 changed files with 46 additions and 1 deletions
--- a/etc/openstack_deploy/openstack_user_config.yml.aio.j2
+++ b/etc/openstack_deploy/openstack_user_config.yml.aio.j2
@ -41,7 +41,7 @@ global_overrides:
  internal_lb_vip_address: 172.29.236.101
  # The external IP is quoted simply to ensure that the .aio file can be used as input
  # dynamic inventory testing.
-  external_lb_vip_address: "{{ bootstrap_host_public_address | default(ansible_facts['default_ipv4']['address']) }}"
+  external_lb_vip_address: "{{ ('stepca' in bootstrap_host_scenarios) | ternary('external.openstack.local', bootstrap_host_public_address | default(ansible_facts['default_ipv4']['address'])) }}"
  management_bridge: "br-mgmt"
  no_containers: {{ true if 'metal' in bootstrap_host_scenarios else false }}
  provider_networks:
--- a/tests/roles/bootstrap-host/tasks/prepare_aio_config.yml
+++ b/tests/roles/bootstrap-host/tasks/prepare_aio_config.yml
@ -177,6 +177,9 @@
    - src: user_variables_sahara.yml.j2
      dest: user_variables_sahara.yml
      condition: "{{ 'sahara' in bootstrap_host_scenarios_expanded }}"
+    - src: user_variables_stepca.yml.j2
+      dest: user_variables_stepca.yml
+      condition: "{{ 'stepca' in bootstrap_host_scenarios_expanded }}"

 - name: Copy modified cinder-volume env.d file for ceph scenario
  copy:
--- a/tests/roles/bootstrap-host/templates/user_variables_stepca.yml.j2
+++ b/tests/roles/bootstrap-host/templates/user_variables_stepca.yml.j2
@ -0,0 +1,13 @@
+# Use the locally deployed Step-CA ACME server to configure the
+# certificate for the haproxy external VIP
+
+# SSL setup
+haproxy_ssl: true
+haproxy_ssl_letsencrypt_enable: True
+haproxy_ssl_letsencrypt_install_method: "distro"
+haproxy_ssl_letsencrypt_certbot_server: "https://127.0.0.1:8889/acme/acme-osa/directory"
+
+# openstack_hosts role should ensure that everthing trusts the Step-CA roots
+openstack_host_ca_certificates:
+  - name: StepCARoot.crt
+    src: /opt/step_ca_roots.pem
--- a/zuul.d/jobs.yaml
+++ b/zuul.d/jobs.yaml
@ -405,6 +405,11 @@
    parent: openstack-ansible-deploy-aio
    nodeset: ubuntu-jammy

+- job:
+    name: openstack-ansible-deploy-aio_stepca-ubuntu-jammy
+    parent: openstack-ansible-deploy-aio
+    nodeset: ubuntu-jammy
+
 - job:
    name: openstack-ansible-deploy-aio_metal-ubuntu-jammy
    parent: openstack-ansible-deploy-aio
@ -416,6 +421,11 @@
    nodeset: ubuntu-jammy
    timeout: 10800

+- job:
+    name: openstack-ansible-deploy-aio_metal_stepca-ubuntu-jammy
+    parent: openstack-ansible-deploy-aio
+    nodeset: ubuntu-jammy
+
 - job:
    name: openstack-ansible-upgrade-aio_lxc-ubuntu-jammy
    parent: openstack-ansible-deploy-aio
@ -433,6 +443,11 @@
    parent: openstack-ansible-deploy-aio-infra
    nodeset: ubuntu-jammy

+- job:
+    name: openstack-ansible-deploy-infra_lxc_stepca-ubuntu-jammy
+    parent: openstack-ansible-deploy-aio-infra
+    nodeset: ubuntu-jammy
+
 - job:
    name: openstack-ansible-deploy-hosts_lxc-ubuntu-jammy
    parent: openstack-ansible-deploy-aio-hosts
--- a/zuul.d/project-templates.yaml
+++ b/zuul.d/project-templates.yaml
@ -90,12 +90,14 @@
        - openstack-ansible-deploy-infra_lxc-debian-bullseye
        - openstack-ansible-deploy-infra_lxc-ubuntu-focal
        - openstack-ansible-deploy-infra_lxc-ubuntu-jammy
+        - openstack-ansible-deploy-infra_lxc_stepca-ubuntu-jammy
    gate:
      jobs:
        - openstack-ansible-deploy-infra_lxc-centos-9-stream
        - openstack-ansible-deploy-infra_lxc-rockylinux-9
        - openstack-ansible-deploy-infra_lxc-debian-bullseye
        - openstack-ansible-deploy-infra_lxc-ubuntu-jammy
+        - openstack-ansible-deploy-infra_lxc_stepca-ubuntu-jammy
    periodic:
      jobs:
        - openstack-ansible-deploy-infra_lxc-ubuntu-jammy
@ -225,6 +227,17 @@
      jobs:
        - openstack-ansible-deploy-aio_ceph-ubuntu-focal

+- project-template:
+    name: openstack-ansible-deploy-stepca-jobs
+    check:
+      jobs:
+        - openstack-ansible-deploy-aio_stepca-ubuntu-jammy
+        - openstack-ansible-deploy-aio_metal_stepca-ubuntu-jammy
+    gate:
+      jobs:
+        - openstack-ansible-deploy-aio_stepca-ubuntu-jammy
+        - openstack-ansible-deploy-aio_metal_stepca-ubuntu-jammy
+
 - project-template:
    name: openstack-ansible-deploy-proxy-jobs
    check:
--- a/zuul.d/project.yaml
+++ b/zuul.d/project.yaml
@ -23,6 +23,7 @@
      - openstack-ansible-deploy-aio_distro_metal-jobs
      - openstack-ansible-deploy-ceph-jobs
      - openstack-ansible-deploy-proxy-jobs
+      - openstack-ansible-deploy-stepca-jobs
      - openstack-ansible-deploy-distro_ceph-jobs
      - check-requirements
      - publish-openstack-docs-pti