Adds bits to set domain and enable tlse for adoption multinode ci jobs

As part of [1] this aims to enable tls for the adoption multinode ci.

[1] https://issues.redhat.com/browse/OSPRH-8973

devsetup/scripts/tripleo.sh

@@ -35,6 +35,7 @@ TRIPLEO_NETWORKING=${TRIPLEO_NETWORKING:-true}
 MANILA_ENABLED=${MANILA_ENABLED:-true}
 OCTAVIA_ENABLED=${OCTAVIA_ENABLED:-false}
 TELEMETRY_ENABLED=${TELEMETRY_ENABLED:-true}
+TLSE_ENABLED=${TLSE_ENABLED:-false}
 
 if [[ ! -f $SSH_KEY_FILE ]]; then
     echo "$SSH_KEY_FILE is missing"
@@ -78,8 +79,8 @@ cat <<EOF > $CMDS_FILE
 set -ex
 sudo dnf install -y podman python3-tripleoclient util-linux lvm2
 
-sudo hostnamectl set-hostname undercloud.localdomain
-sudo hostnamectl set-hostname undercloud.localdomain --transient
+sudo hostnamectl set-hostname undercloud.${CLOUD_DOMAIN}
+sudo hostnamectl set-hostname undercloud.${CLOUD_DOMAIN} --transient
 
 cat >\$HOME/nova_noceph.yaml <<__EOF__
 parameter_defaults:
@@ -99,6 +100,8 @@ export EDPM_COMPUTE_CELLS=${COMPUTE_CELLS:-1}
 export MANILA_ENABLED=${MANILA_ENABLED:-true}
 export OCTAVIA_ENABLED=${OCTAVIA_ENABLED}
 export TELEMETRY_ENABLED=${TELEMETRY_ENABLED:-true}
+export TLSE_ENABLED=${TLSE_ENABLED:-false}
+export CLOUD_DOMAIN=${CLOUD_DOMAIN:-localdomain}
 
 set +x
 if [[ -f \$HOME/containers-prepare-parameters.yaml ]]; then
@@ -169,10 +172,15 @@ gateway_ip: ${GATEWAY}
 manage_default_route: ${TRIPLEO_NETWORKING}
 dns_server: ${PRIMARY_RESOLV_CONF_ENTRY}
 user_home: /home/zuul
+cloud_domain: ${CLOUD_DOMAIN}
 EOF
 
-jinja2_render ${SCRIPTPATH}/../tripleo/undercloud.conf.j2 "${J2_VARS_FILE}" > ${MY_TMP_DIR}/undercloud.conf
-jinja2_render ${SCRIPTPATH}/../tripleo/net_config.j2 "${J2_VARS_FILE}" > ${MY_TMP_DIR}/net_config.yaml
+jinja2_render tripleo/net_config.j2 "${J2_VARS_FILE}" > ${MY_TMP_DIR}/net_config.yaml
+jinja2_render tripleo/undercloud.conf.j2 "${J2_VARS_FILE}" > ${MY_TMP_DIR}/undercloud.conf
+jinja2_render tripleo/overcloud_services.yaml.j2 "${J2_VARS_FILE}" > ${MY_TMP_DIR}/overcloud_services.yaml
+jinja2_render tripleo/config-download.yaml.j2 "${J2_VARS_FILE}" > ${MY_TMP_DIR}/config-download.yaml
+jinja2_render tripleo/config-download-networker.yaml.j2 "${J2_VARS_FILE}" > ${MY_TMP_DIR}/config-download-networker.yaml
+
 # NOTE(bogdando): no computes supported in the cetnral overcloud stack in OSP.
 # Reduced footprint for adoption dev envs: no HA controllers, an all-in-one host in the cell 2
 ind=0
@@ -221,10 +229,10 @@ fi
 scp $SSH_OPT $MY_TMP_DIR/.standalone_env_file zuul@$IP:.standalone_env_file
 scp $SSH_OPT $CMDS_FILE zuul@$IP:/tmp/undercloud-deploy-cmds.sh
 scp $SSH_OPT ${MY_TMP_DIR}/net_config.yaml root@$IP:/tmp/net_config.yaml
-scp $SSH_OPT ${SCRIPTPATH}/../tripleo/tripleo_install.sh zuul@$IP:tripleo_install.sh
-scp $SSH_OPT ${SCRIPTPATH}/../tripleo/hieradata_overrides_undercloud.yaml zuul@$IP:hieradata_overrides_undercloud.yaml
-scp $SSH_OPT ${SCRIPTPATH}/../tripleo/undercloud-parameter-defaults.yaml zuul@$IP:undercloud-parameter-defaults.yaml
-scp $SSH_OPT ${MY_TMP_DIR}/undercloud.conf zuul@$IP:undercloud.conf
+scp $SSH_OPT tripleo/tripleo_install.sh zuul@$IP:$HOME/tripleo_install.sh
+scp $SSH_OPT tripleo/hieradata_overrides_undercloud.yaml zuul@$IP:$HOME/hieradata_overrides_undercloud.yaml
+scp $SSH_OPT tripleo/undercloud-parameter-defaults.yaml zuul@$IP:$HOME/undercloud-parameter-defaults.yaml
+scp $SSH_OPT ${MY_TMP_DIR}/undercloud.conf zuul@$IP:$HOME/undercloud.conf
 scp $SSH_OPT ${SCRIPTPATH}/../tripleo/config-download-networker.yaml zuul@$IP:config-download-networker.yaml
 if [ $EDPM_COMPUTE_CELLS -gt 1 ]; then
     for cell in $(seq 0 $(( EDPM_COMPUTE_CELLS - 1))); do
@@ -234,21 +242,21 @@ if [ $EDPM_COMPUTE_CELLS -gt 1 ]; then
         scp $SSH_OPT ${MY_TMP_DIR}/config-download-cell${cell}.yaml zuul@$IP:config-download-cell${cell}.yaml
     done
 else
-    scp $SSH_OPT ${SCRIPTPATH}/../tripleo/vips_data.yaml zuul@$IP:vips_data.yaml
-    scp $SSH_OPT ${SCRIPTPATH}/../tripleo/network_data.yaml zuul@$IP:network_data.yaml
-    scp $SSH_OPT ${SCRIPTPATH}/../tripleo/overcloud_services.yaml zuul@$IP:overcloud_services.yaml
-    scp $SSH_OPT ${SCRIPTPATH}/../tripleo/config-download.yaml zuul@$IP:config-download.yaml
+	scp $SSH_OPT tripleo/vips_data.yaml zuul@$IP:$HOME/vips_data.yaml
+	scp $SSH_OPT tripleo/network_data.yaml zuul@$IP:$HOME/network_data.yaml
+	scp $SSH_OPT ${MY_TMP_DIR}/overcloud_services.yaml zuul@$IP:$HOME/overcloud_services.yaml
+	scp $SSH_OPT  ${MY_TMP_DIR}/config-download.yaml zuul@$IP:$HOME/config-download.yaml
+	scp $SSH_OPT  ${MY_TMP_DIR}/config-download-networker.yaml zuul@$IP:$HOME/config-download-networker.yaml
 fi
-scp $SSH_OPT ${SCRIPTPATH}/../tripleo/overcloud_roles.yaml zuul@$IP:overcloud_roles.yaml
-scp $SSH_OPT ${SCRIPTPATH}/../tripleo/overcloud_services.yaml zuul@$IP:overcloud_services.yaml
-scp $SSH_OPT ${SCRIPTPATH}/../tripleo/ansible_config.cfg zuul@$IP:ansible_config.cfg
+scp $SSH_OPT tripleo/overcloud_roles.yaml zuul@$IP:$HOME/overcloud_roles.yaml
+scp $SSH_OPT tripleo/ansible_config.cfg zuul@$IP:$HOME/ansible_config.cfg
 if [[ "$EDPM_COMPUTE_CEPH_ENABLED" == "true" ]]; then
-    scp $SSH_OPT ${SCRIPTPATH}/../tripleo/ceph.sh root@$IP:/tmp/ceph.sh
-    scp $SSH_OPT ${SCRIPTPATH}/../tripleo/generate_ceph_inventory.py root@$IP:/tmp/generate_ceph_inventory.py
+    scp $SSH_OPT tripleo/ceph.sh root@$IP:/tmp/ceph.sh
+    scp $SSH_OPT tripleo/generate_ceph_inventory.py root@$IP:/tmp/generate_ceph_inventory.py
 fi
 
 if [[ -f $HOME/containers-prepare-parameters.yaml ]]; then
-    scp $SSH_OPT $HOME/containers-prepare-parameters.yaml zuul@$IP:containers-prepare-parameters.yaml
+    scp $SSH_OPT $HOME/containers-prepare-parameters.yaml zuul@$IP:$HOME/containers-prepare-parameters.yaml
 fi
 
 # Running

devsetup/tripleo/config-download-networker.yaml → devsetup/tripleo/config-download-networker.yaml.j2

@@ -73,7 +73,6 @@ parameter_defaults:
         tags:
           - 192.168.122.0/24
 
-
   NodePortMap:
     controller-0:
       ctlplane:
@@ -225,7 +224,7 @@ parameter_defaults:
 
   CtlplaneNetworkAttributes:
     network:
-      dns_domain: localdomain
+      dns_domain: {{ cloud_domain }}
       mtu: 1500
       name: ctlplane
       tags:

devsetup/tripleo/config-download.yaml → devsetup/tripleo/config-download.yaml.j2

@@ -191,7 +191,7 @@ parameter_defaults:
         ip_subnet: 172.19.0.0/24
   CtlplaneNetworkAttributes:
     network:
-      dns_domain: localdomain
+      dns_domain: {{ cloud_domain }}
       mtu: 1500
       name: ctlplane
       tags:

devsetup/tripleo/overcloud_services.yaml → devsetup/tripleo/overcloud_services.yaml.j2

@@ -45,12 +45,12 @@ parameter_defaults:
   ComputeCount: 3
   NeutronGlobalPhysnetMtu: 1350
   CinderLVMLoopDeviceSize: 20480
-  CloudName: overcloud.localdomain
-  CloudNameInternal: overcloud.internalapi.localdomain
-  CloudNameStorage: overcloud.storage.localdomain
-  CloudNameStorageManagement: overcloud.storagemgmt.localdomain
-  CloudNameCtlplane: overcloud.ctlplane.localdomain
-  CloudDomain: localdomain
+  CloudName: overcloud.{{ cloud_domain }}
+  CloudNameInternal: overcloud.internalapi.{{ cloud_domain }}
+  CloudNameStorage: overcloud.storage.{{ cloud_domain }}
+  CloudNameStorageManagement: overcloud.storagemgmt.{{ cloud_domain }}
+  CloudNameCtlplane: overcloud.ctlplane.{{ cloud_domain }}
+  CloudDomain: {{ cloud_domain }}
   NetworkConfigWithAnsible: false
   ControllerNetworkConfigUpdate: false
   ComputeNetworkConfigUpdate: false

devsetup/tripleo/tripleo_install.sh

@@ -174,6 +174,44 @@ if [ "$EDPM_COMPUTE_CEPH_ENABLED" = "true" ] ; then
     /tmp/ceph.sh
 fi
 
+if [ "$TLSE_ENABLED" = "true" ]; then
+    ENV_ARGS+=" -e /usr/share/openstack-tripleo-heat-templates/environments/ssl/tls-everywhere-endpoints-dns.yaml"
+    ENV_ARGS+=" -e /usr/share/openstack-tripleo-heat-templates/environments/services/haproxy-public-tls-certmonger.yaml"
+    ENV_ARGS+=" -e /usr/share/openstack-tripleo-heat-templates/environments/ssl/enable-internal-tls.yaml"
+    ENV_ARGS+=" -e /usr/share/openstack-tripleo-heat-templates/environments/ssl/enable-memcached-tls.yaml"
+    ENV_ARGS+=" -e /usr/share/openstack-tripleo-heat-templates/ci/environments/standalone-ipa.yaml"
+    export IPA_ADMIN_USER=admin
+    export IPA_PRINCIPAL=$IPA_ADMIN_USER
+    export IPA_ADMIN_PASSWORD=fce95318204114530f31f885c9df588f
+    export IPA_PASSWORD=$IPA_ADMIN_PASSWORD
+    #export CLOUD_DOMAIN=$CLOUD_DOMAIN
+    export UNDERCLOUD_FQDN=undercloud.$CLOUD_DOMAIN
+    export IPA_DOMAIN=$CLOUD_DOMAIN
+    export IPA_REALM=$(echo $IPA_DOMAIN | awk '{print toupper($0)}')
+    export IPA_HOST=ipa.$IPA_DOMAIN
+    export IPA_SERVER_HOSTNAME=$IPA_HOST
+    mkdir /tmp/ipa-data
+    podman run -d --name freeipa-server-container \
+        --sysctl net.ipv6.conf.lo.disable_ipv6=0 \
+        --security-opt seccomp=unconfined \
+        --ip 10.88.0.2 \
+        -e IPA_SERVER_IP=10.88.0.2 \
+        -e PASSWORD=$IPA_ADMIN_PASSWORD \
+        -h $IPA_SERVER_HOSTNAME \
+        --read-only --tmpfs /run --tmpfs /tmp \
+        -v /sys/fs/cgroup:/sys/fs/cgroup:ro \
+        -v /tmp/ipa-data:/data:Z quay.io/freeipa/freeipa-server:fedora-39 no-exit \
+        -U -r $IPA_REALM --setup-dns --no-reverse --no-ntp \
+        --no-dnssec-validation --auto-forwarders
+    timeout 900s grep -qEi '(INFO The ipa-server-install command was successful|ERROR The ipa-server-install command failed)' <(tail -F /tmp/ipa-data/var/log/ipaserver-install.log)
+    cat  <<EOF > /etc/resolv.conf
+search ${CLOUD_DOMAIN}
+nameserver 10.88.0.2
+EOF
+    cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys
+    ansible-playbook /usr/share/ansible/tripleo-playbooks/undercloud-ipa-install.yaml
+fi
+
 openstack overcloud deploy --stack overcloud \
     --override-ansible-cfg /home/zuul/ansible_config.cfg --templates /usr/share/openstack-tripleo-heat-templates \
     --roles-file ${ROLES_FILE} -n /home/zuul/network_data.yaml --libvirt-type qemu \

devsetup/tripleo/undercloud.conf.j2

@@ -13,7 +13,7 @@
 # the user is responsible for configuring all system hostname settings
 # appropriately.  If set, the undercloud install will configure all
 # system hostname settings. (string value)
-undercloud_hostname = undercloud.localdomain
+undercloud_hostname = undercloud.{{ cloud_domain }}
 
 # IP information for the interface on the Undercloud that will be
 # handling the PXE boots and DHCP for Overcloud instances.  The IP
@@ -30,13 +30,13 @@ local_mtu = {{ interface_mtu }}
 # Undercloud services. Only used with SSL. (string value)
 # Deprecated group/name - [DEFAULT]/undercloud_public_vip
 #undercloud_public_host = 192.168.24.2
-undercloud_public_host = 192.168.122.122
+undercloud_public_host = 192.168.122.99
 
 # Virtual IP or DNS address to use for the admin endpoints of
 # Undercloud services. Only used with SSL. (string value)
 # Deprecated group/name - [DEFAULT]/undercloud_admin_vip
 #undercloud_admin_host = 192.168.24.3
-undercloud_admin_host = 192.168.122.123
+undercloud_admin_host = 192.168.122.99
 
 # Nameserver for the Undercloud node.
 # (string value)
@@ -51,7 +51,10 @@ undercloud_timezone = UTC
 # DNS domain name to use when deploying the overcloud. The overcloud
 # parameter "CloudDomain" must be set to a matching value. (string
 # value)
-#overcloud_domain_name = localdomain
+{% if cloud_domain != 'localdomain' %}
+overcloud_domain_name = {{ cloud_domain }}
+{% endif %}
+
 
 # Certificate file to use for OpenStack service SSL connections.
 # Setting this enables SSL for the OpenStack API endpoints, leaving it
@@ -65,8 +68,11 @@ undercloud_timezone = UTC
 # /etc/pki/tls/certs/undercloud-[undercloud_public_vip].pem.  This
 # certificate is signed by CA selected by the
 # "certificate_generation_ca" option. (boolean value)
-#generate_service_certificate = true
+{% if cloud_domain == 'localdomain' %}
 generate_service_certificate = False
+{% else %}
+generate_service_certificate = True
+{% endif %}
 
 # The certmonger nickname of the CA from which the certificate will be
 # requested. This is used only if the generate_service_certificate