From 9fbd7ca9e7fa34e2baf4248990e7f52cad06dc9b Mon Sep 17 00:00:00 2001
From: m
Date: Fri, 16 Aug 2024 17:24:39 +0300
Subject: [PATCH] Adds bits to set domain and enable tlse for adoption multinode ci jobs
As part of [1] this aims to enable tls for the adoption multinode ci.
[1] https://issues.redhat.com/browse/OSPRH-8973
---
 devsetup/Makefile | 1 +
 devsetup/scripts/tripleo.sh | 46 +++++++++++--------
 ...yaml => config-download-networker.yaml.j2} | 3 +-
 ...-download.yaml => config-download.yaml.j2} | 2 +-
 ...network_data.yaml => network_data.yaml.j2} | 10 ++--
 ...rvices.yaml => overcloud_services.yaml.j2} | 12 ++---
 devsetup/tripleo/tripleo_install.sh | 40 ++++++++++++++++
 devsetup/tripleo/undercloud.conf.j2 | 16 +++++--
 8 files changed, 92 insertions(+), 38 deletions(-)
 rename devsetup/tripleo/{config-download-networker.yaml => config-download-networker.yaml.j2} (99%)
 rename devsetup/tripleo/{config-download.yaml => config-download.yaml.j2} (99%)
 rename devsetup/tripleo/{network_data.yaml => network_data.yaml.j2} (86%)
 rename devsetup/tripleo/{overcloud_services.yaml => overcloud_services.yaml.j2} (93%)
diff --git a/devsetup/Makefile b/devsetup/Makefile
index 06160e5ce..0a784c3e3 100644
--- a/devsetup/Makefile
+++ b/devsetup/Makefile
@@ -455,6 +455,7 @@ edpm_deploy_instance: ## Spin a instance on edpm node
 .PHONY: tripleo_deploy
 tripleo_deploy: export CLOUD_DOMAIN=${DNS_DOMAIN}
+tripleo_deploy: export TLSE_ENABLED=${TLS_ENABLED}
 tripleo_deploy: export INTERFACE_MTU=${NETWORK_MTU}
 tripleo_deploy: export COMPUTE_CELLS=${EDPM_COMPUTE_CELLS}
 tripleo_deploy: export REGISTRY_USER ?= ${RH_REGISTRY_USER}
diff --git a/devsetup/scripts/tripleo.sh b/devsetup/scripts/tripleo.sh
index d3121e6f3..792c797bb 100755
--- a/devsetup/scripts/tripleo.sh
+++ b/devsetup/scripts/tripleo.sh
@@ -35,6 +35,7 @@ TRIPLEO_NETWORKING=${TRIPLEO_NETWORKING:-true}
 MANILA_ENABLED=${MANILA_ENABLED:-true}
 OCTAVIA_ENABLED=${OCTAVIA_ENABLED:-false}
 TELEMETRY_ENABLED=${TELEMETRY_ENABLED:-true}
+TLSE_ENABLED=${TLSE_ENABLED:-false}
 if [[ ! -f $SSH_KEY_FILE ]]; then
 echo "$SSH_KEY_FILE is missing"
@@ -78,8 +79,8 @@ cat < $CMDS_FILE
 set -ex
 sudo dnf install -y podman python3-tripleoclient util-linux lvm2
-sudo hostnamectl set-hostname undercloud.localdomain
-sudo hostnamectl set-hostname undercloud.localdomain --transient
+sudo hostnamectl set-hostname undercloud.${CLOUD_DOMAIN}
+sudo hostnamectl set-hostname undercloud.${CLOUD_DOMAIN} --transient
 cat >\$HOME/nova_noceph.yaml <<__EOF__
 parameter_defaults:
@@ -99,6 +100,8 @@ export EDPM_COMPUTE_CELLS=${COMPUTE_CELLS:-1}
 export MANILA_ENABLED=${MANILA_ENABLED:-true}
 export OCTAVIA_ENABLED=${OCTAVIA_ENABLED}
 export TELEMETRY_ENABLED=${TELEMETRY_ENABLED:-true}
+export TLSE_ENABLED=${TLSE_ENABLED:-false}
+export CLOUD_DOMAIN=${CLOUD_DOMAIN:-localdomain}
 set +x
 if [[ -f \$HOME/containers-prepare-parameters.yaml ]]; then
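Review bot: The new `sudo hostnamectl set-hostname undercloud.${CLOUD_DOMAIN}` lines in the `@@ -78` hunk sit inside what appears to be an unquoted heredoc (`\$HOME` is escaped on the neighbouring line, `${COMPUTE_CELLS:-1}` is not), so `CLOUD_DOMAIN` is expanded by tripleo.sh itself, yet the `@@ -35` hunk only defaults `TLSE_ENABLED`; unless `CLOUD_DOMAIN` is defaulted above line 35, a direct run of the script without the Makefile export sets the undercloud hostname to `undercloud.` with an empty domain. The `export CLOUD_DOMAIN=${CLOUD_DOMAIN:-localdomain}` added in the `@@ -99` hunk is expanded on the same local side and only supplies the default to the remote commands file, not to those hostname lines. Defaulting it next to the other knobs, `CLOUD_DOMAIN=${CLOUD_DOMAIN:-localdomain}` right after the new `TLSE_ENABLED` line, keeps the three hunks consistent.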
@@ -169,10 +172,16 @@ gateway_ip: ${GATEWAY}
 manage_default_route: ${TRIPLEO_NETWORKING}
 dns_server: ${PRIMARY_RESOLV_CONF_ENTRY}
 user_home: /home/zuul
+cloud_domain: ${CLOUD_DOMAIN}
 EOF
-jinja2_render ${SCRIPTPATH}/../tripleo/undercloud.conf.j2 "${J2_VARS_FILE}" > ${MY_TMP_DIR}/undercloud.conf
-jinja2_render ${SCRIPTPATH}/../tripleo/net_config.j2 "${J2_VARS_FILE}" > ${MY_TMP_DIR}/net_config.yaml
+jinja2_render tripleo/net_config.j2 "${J2_VARS_FILE}" > ${MY_TMP_DIR}/net_config.yaml
+jinja2_render tripleo/undercloud.conf.j2 "${J2_VARS_FILE}" > ${MY_TMP_DIR}/undercloud.conf
+jinja2_render tripleo/overcloud_services.yaml.j2 "${J2_VARS_FILE}" > ${MY_TMP_DIR}/overcloud_services.yaml
+jinja2_render tripleo/config-download.yaml.j2 "${J2_VARS_FILE}" > ${MY_TMP_DIR}/config-download.yaml
+jinja2_render tripleo/config-download-networker.yaml.j2 "${J2_VARS_FILE}" > ${MY_TMP_DIR}/config-download-networker.yaml
+jinja2_render tripleo/network_data.yaml.j2 "${J2_VARS_FILE}" > ${MY_TMP_DIR}/network_data.yaml
+
 # NOTE(bogdando): no computes supported in the cetnral overcloud stack in OSP.
 # Reduced footprint for adoption dev envs: no HA controllers, an all-in-one host in the cell 2
 ind=0
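Review bot: The `jinja2_render` calls switch from `${SCRIPTPATH}/../tripleo/...` to the bare relative `tripleo/...`, which only resolves when the working directory is `devsetup`; the `scp` sources in the `@@ -221` and `@@ -234` hunks make the same switch. If the Makefile target is the only supported entry point this is harmless, but a direct invocation from any other directory now renders from missing template files, and whether `set -e` is active at this point in tripleo.sh is outside the hunk. Either keep `${SCRIPTPATH}/../tripleo/` or add a single `cd "${SCRIPTPATH}/.."` near the top of the script, and quote `"${MY_TMP_DIR}"` on the redirect targets while these lines are being touched.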
@@ -221,11 +230,10 @@ fi
 scp $SSH_OPT $MY_TMP_DIR/.standalone_env_file zuul@$IP:.standalone_env_file
 scp $SSH_OPT $CMDS_FILE zuul@$IP:/tmp/undercloud-deploy-cmds.sh
 scp $SSH_OPT ${MY_TMP_DIR}/net_config.yaml root@$IP:/tmp/net_config.yaml
-scp $SSH_OPT ${SCRIPTPATH}/../tripleo/tripleo_install.sh zuul@$IP:tripleo_install.sh
-scp $SSH_OPT ${SCRIPTPATH}/../tripleo/hieradata_overrides_undercloud.yaml zuul@$IP:hieradata_overrides_undercloud.yaml
-scp $SSH_OPT ${SCRIPTPATH}/../tripleo/undercloud-parameter-defaults.yaml zuul@$IP:undercloud-parameter-defaults.yaml
-scp $SSH_OPT ${MY_TMP_DIR}/undercloud.conf zuul@$IP:undercloud.conf
-scp $SSH_OPT ${SCRIPTPATH}/../tripleo/config-download-networker.yaml zuul@$IP:config-download-networker.yaml
+scp $SSH_OPT tripleo/tripleo_install.sh zuul@$IP:$HOME/tripleo_install.sh
+scp $SSH_OPT tripleo/hieradata_overrides_undercloud.yaml zuul@$IP:$HOME/hieradata_overrides_undercloud.yaml
+scp $SSH_OPT tripleo/undercloud-parameter-defaults.yaml zuul@$IP:$HOME/undercloud-parameter-defaults.yaml
+scp $SSH_OPT ${MY_TMP_DIR}/undercloud.conf zuul@$IP:$HOME/undercloud.conf
 if [ $EDPM_COMPUTE_CELLS -gt 1 ]; then
 for cell in $(seq 0 $(( EDPM_COMPUTE_CELLS - 1))); do
 scp $SSH_OPT ${MY_TMP_DIR}/vips_data${cell}.yaml zuul@$IP:vips_data${cell}.yaml
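Review bot: `zuul@$IP:$HOME/tripleo_install.sh` and the other new `scp` destinations in this hunk expand `$HOME` on the machine running tripleo.sh, not on the undercloud, because the `$` is unescaped outside any heredoc (the `if [[ -f $HOME/containers-prepare-parameters.yaml ]]` test in the `@@ -234` hunk uses `$HOME` for a local file in the same way); the files only land in `/home/zuul/...` when the local user's home happens to be that path. The previous form `zuul@$IP:tripleo_install.sh` already resolved relative to zuul's remote home, and the `openstack overcloud deploy` lines in tripleo_install.sh hard-code `/home/zuul/...`, so either drop the `$HOME/` prefix again or write the literal remote path. The same applies to every `$HOME/` destination in the `@@ -234` hunk.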
@@ -234,21 +242,21 @@ if [ $EDPM_COMPUTE_CELLS -gt 1 ]; then
 scp $SSH_OPT ${MY_TMP_DIR}/config-download-cell${cell}.yaml zuul@$IP:config-download-cell${cell}.yaml
 done
 else
- scp $SSH_OPT ${SCRIPTPATH}/../tripleo/vips_data.yaml zuul@$IP:vips_data.yaml
- scp $SSH_OPT ${SCRIPTPATH}/../tripleo/network_data.yaml zuul@$IP:network_data.yaml
- scp $SSH_OPT ${SCRIPTPATH}/../tripleo/overcloud_services.yaml zuul@$IP:overcloud_services.yaml
- scp $SSH_OPT ${SCRIPTPATH}/../tripleo/config-download.yaml zuul@$IP:config-download.yaml
+ scp $SSH_OPT tripleo/vips_data.yaml zuul@$IP:$HOME/vips_data.yaml
+ scp $SSH_OPT ${MY_TMP_DIR}/network_data.yaml zuul@$IP:$HOME/network_data.yaml
+ scp $SSH_OPT ${MY_TMP_DIR}/overcloud_services.yaml zuul@$IP:$HOME/overcloud_services.yaml
+ scp $SSH_OPT ${MY_TMP_DIR}/config-download.yaml zuul@$IP:$HOME/config-download.yaml
+ scp $SSH_OPT ${MY_TMP_DIR}/config-download-networker.yaml zuul@$IP:$HOME/config-download-networker.yaml
 fi
-scp $SSH_OPT ${SCRIPTPATH}/../tripleo/overcloud_roles.yaml zuul@$IP:overcloud_roles.yaml
-scp $SSH_OPT ${SCRIPTPATH}/../tripleo/overcloud_services.yaml zuul@$IP:overcloud_services.yaml
-scp $SSH_OPT ${SCRIPTPATH}/../tripleo/ansible_config.cfg zuul@$IP:ansible_config.cfg
+scp $SSH_OPT tripleo/overcloud_roles.yaml zuul@$IP:$HOME/overcloud_roles.yaml
+scp $SSH_OPT tripleo/ansible_config.cfg zuul@$IP:$HOME/ansible_config.cfg
 if [[ "$EDPM_COMPUTE_CEPH_ENABLED" == "true" ]]; then
- scp $SSH_OPT ${SCRIPTPATH}/../tripleo/ceph.sh root@$IP:/tmp/ceph.sh
- scp $SSH_OPT ${SCRIPTPATH}/../tripleo/generate_ceph_inventory.py root@$IP:/tmp/generate_ceph_inventory.py
+ scp $SSH_OPT tripleo/ceph.sh root@$IP:/tmp/ceph.sh
+ scp $SSH_OPT tripleo/generate_ceph_inventory.py root@$IP:/tmp/generate_ceph_inventory.py
 fi
 if [[ -f $HOME/containers-prepare-parameters.yaml ]]; then
- scp $SSH_OPT $HOME/containers-prepare-parameters.yaml zuul@$IP:containers-prepare-parameters.yaml
+ scp $SSH_OPT $HOME/containers-prepare-parameters.yaml zuul@$IP:$HOME/containers-prepare-parameters.yaml
 fi
 # Running
diff --git a/devsetup/tripleo/config-download-networker.yaml b/devsetup/tripleo/config-download-networker.yaml.j2
similarity index 99%
rename from devsetup/tripleo/config-download-networker.yaml
rename to devsetup/tripleo/config-download-networker.yaml.j2
index f46390346..55350aaaf 100644
--- a/devsetup/tripleo/config-download-networker.yaml
+++ b/devsetup/tripleo/config-download-networker.yaml.j2
@@ -73,7 +73,6 @@ parameter_defaults:
 tags:
 - 192.168.122.0/24
-
 NodePortMap:
 controller-0:
 ctlplane:
@@ -225,7 +224,7 @@ parameter_defaults:
 CtlplaneNetworkAttributes:
 network:
- dns_domain: localdomain
+ dns_domain: {{ cloud_domain }}
 mtu: 1500
 name: ctlplane
 tags:
diff --git a/devsetup/tripleo/config-download.yaml b/devsetup/tripleo/config-download.yaml.j2
similarity index 99%
rename from devsetup/tripleo/config-download.yaml
rename to devsetup/tripleo/config-download.yaml.j2
index e4c0eeb1a..7b6279028 100644
--- a/devsetup/tripleo/config-download.yaml
+++ b/devsetup/tripleo/config-download.yaml.j2
@@ -191,7 +191,7 @@ parameter_defaults:
 ip_subnet: 172.19.0.0/24
 CtlplaneNetworkAttributes:
 network:
- dns_domain: localdomain
+ dns_domain: {{ cloud_domain }}
 mtu: 1500
 name: ctlplane
 tags:
diff --git a/devsetup/tripleo/network_data.yaml b/devsetup/tripleo/network_data.yaml.j2
similarity index 86%
rename from devsetup/tripleo/network_data.yaml
rename to devsetup/tripleo/network_data.yaml.j2
index d6affbae0..4a54b3589 100644
--- a/devsetup/tripleo/network_data.yaml
+++ b/devsetup/tripleo/network_data.yaml.j2
@@ -3,7 +3,7 @@
 mtu: 1500
 vip: true
 name_lower: storage
- dns_domain: storage.mydomain.tld.
+ dns_domain: storage.{{ cloud_domain }}.
 service_net_map_replace: storage
 subnets:
 storage_subnet:
@@ -15,7 +15,7 @@
 mtu: 1500
 vip: true
 name_lower: storage_mgmt
- dns_domain: storagemgmt.mydomain.tld.
+ dns_domain: storagemgmt.{{ cloud_domain }}.
 service_net_map_replace: storage_mgmt
 subnets:
 storage_mgmt_subnet:
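Review bot: `config-download-networker.yaml` was copied unconditionally before this change (the removed line in the `@@ -221` hunk) and is now copied only in the `else` branch, i.e. when `EDPM_COMPUTE_CELLS` is 1, and `overcloud_services.yaml` likewise loses its unconditional copy after `fi` in this hunk. If the multi-cell path still consumes either file on the undercloud it will now be missing; if it does not, a one-line comment above `else`, such as `# rendered single-cell templates; the cell loop above ships its own per-cell files`, would stop the next reader from re-adding them. Whether the cell loop covers both files cannot be confirmed from this hunk, so please verify against the loop body.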
@@ -27,7 +27,7 @@
 mtu: 1500
 vip: true
 name_lower: internal_api
- dns_domain: internal-api.mydomain.tld.
+ dns_domain: internal-api.{{ cloud_domain }}.
 service_net_map_replace: internal_api
 subnets:
 internal_api_subnet:
@@ -39,7 +39,7 @@
 mtu: 1500
 vip: false # Tenant network does not use VIPs
 name_lower: tenant
- dns_domain: tenant.mydomain.tld.
+ dns_domain: tenant.{{ cloud_domain }}.
 service_net_map_replace: tenant
 subnets:
 tenant_subnet:
@@ -51,7 +51,7 @@
 mtu: 1500
 vip: true
 name_lower: external
- dns_domain: external.mydomain.tld.
+ dns_domain: external.{{ cloud_domain }}.
 service_net_map_replace: external
 subnets:
 external_subnet:
diff --git a/devsetup/tripleo/overcloud_services.yaml b/devsetup/tripleo/overcloud_services.yaml.j2
similarity index 93%
rename from devsetup/tripleo/overcloud_services.yaml
rename to devsetup/tripleo/overcloud_services.yaml.j2
index be675d979..7ffd2f3a6 100644
--- a/devsetup/tripleo/overcloud_services.yaml
+++ b/devsetup/tripleo/overcloud_services.yaml.j2
@@ -45,12 +45,12 @@ parameter_defaults:
 ComputeCount: 3
 NeutronGlobalPhysnetMtu: 1350
 CinderLVMLoopDeviceSize: 20480
- CloudName: overcloud.localdomain
- CloudNameInternal: overcloud.internalapi.localdomain
- CloudNameStorage: overcloud.storage.localdomain
- CloudNameStorageManagement: overcloud.storagemgmt.localdomain
- CloudNameCtlplane: overcloud.ctlplane.localdomain
- CloudDomain: localdomain
+ CloudName: overcloud.{{ cloud_domain }}
+ CloudNameInternal: overcloud.internalapi.{{ cloud_domain }}
+ CloudNameStorage: overcloud.storage.{{ cloud_domain }}
+ CloudNameStorageManagement: overcloud.storagemgmt.{{ cloud_domain }}
+ CloudNameCtlplane: overcloud.ctlplane.{{ cloud_domain }}
+ CloudDomain: {{ cloud_domain }}
 NetworkConfigWithAnsible: false
 ControllerNetworkConfigUpdate: false
 ComputeNetworkConfigUpdate: false
diff --git a/devsetup/tripleo/tripleo_install.sh b/devsetup/tripleo/tripleo_install.sh
index d72e7d6bf..98d39d3bf 100755
--- a/devsetup/tripleo/tripleo_install.sh
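Review bot: `CloudNameInternal: overcloud.internalapi.{{ cloud_domain }}` keeps the `internalapi` label while `network_data.yaml.j2` in this same commit names that zone `internal-api.{{ cloud_domain }}.`; the spelling difference is pre-existing, but with the TLS-everywhere environments that tripleo_install.sh now adds, service certificates are typically requested for exactly these CloudName values, so a name that the IPA-managed zones do not serve would surface as a certificate or resolution failure rather than a cosmetic mismatch. Please confirm which spelling the deployment expects and align the two templates, or add a short comment next to `CloudNameInternal` explaining why the labels differ.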
+++ b/devsetup/tripleo/tripleo_install.sh 
@@ -169,6 +169,46 @@ if [ "$EDPM_COMPUTE_CEPH_ENABLED" = "true" ] ; then
 /tmp/ceph.sh
 fi
+if [ "$TLSE_ENABLED" = "true" ]; then
+ ENV_ARGS+=" -e /usr/share/openstack-tripleo-heat-templates/environments/ssl/tls-everywhere-endpoints-dns.yaml"
+ ENV_ARGS+=" -e /usr/share/openstack-tripleo-heat-templates/environments/services/haproxy-public-tls-certmonger.yaml"
+ ENV_ARGS+=" -e /usr/share/openstack-tripleo-heat-templates/environments/ssl/enable-internal-tls.yaml"
+ ENV_ARGS+=" -e /usr/share/openstack-tripleo-heat-templates/environments/ssl/enable-memcached-tls.yaml"
+ ENV_ARGS+=" -e /usr/share/openstack-tripleo-heat-templates/ci/environments/standalone-ipa.yaml"
+ export IPA_ADMIN_USER=admin
+ export IPA_PRINCIPAL=$IPA_ADMIN_USER
+ export IPA_ADMIN_PASSWORD=fce95318204114530f31f885c9df588f
+ export IPA_PASSWORD=$IPA_ADMIN_PASSWORD
+ export UNDERCLOUD_FQDN=undercloud.$CLOUD_DOMAIN
+ export IPA_DOMAIN=$CLOUD_DOMAIN
+ export IPA_REALM=$(echo $IPA_DOMAIN | awk '{print toupper($0)}')
+ export IPA_HOST=ipa.$IPA_DOMAIN
+ export IPA_SERVER_HOSTNAME=$IPA_HOST
+ sudo mkdir /tmp/ipa-data
+ sudo podman run -d --name freeipa-server-container \
+ --sysctl net.ipv6.conf.lo.disable_ipv6=0 \
+ --security-opt seccomp=unconfined \
+ --ip 10.255.255.25 \
+ -e IPA_SERVER_IP=10.255.255.25 \
+ -e PASSWORD=$IPA_ADMIN_PASSWORD \
+ -h $IPA_SERVER_HOSTNAME \
+ -p 53:53/udp -p 53:53 -p 80:80 -p 443:443 \
+ -p 389:389 -p 636:636 -p 88:88 -p 464:464 \
+ -p 88:88/udp -p 464:464/udp \
+ --read-only --tmpfs /run --tmpfs /tmp \
+ -v /sys/fs/cgroup:/sys/fs/cgroup:ro \
+ -v /tmp/ipa-data:/data:Z quay.io/freeipa/freeipa-server:fedora-39 no-exit \
+ -U -r $IPA_REALM --setup-dns --no-reverse --no-ntp \
+ --no-dnssec-validation --auto-forwarders
+ timeout 900s grep -qEi '(INFO The ipa-server-install command was successful|ERROR The ipa-server-install command failed)' <(sudo tail -F /tmp/ipa-data/var/log/ipaserver-install.log)
+ cat < ipa_resolv.conf
+search ${CLOUD_DOMAIN}
+nameserver 10.255.255.25
+EOF
+ sudo mv ipa_resolv.conf /etc/resolv.conf
+ ansible-playbook /usr/share/ansible/tripleo-playbooks/undercloud-ipa-install.yaml
+fi
+
 openstack overcloud deploy --stack overcloud \
 --override-ansible-cfg /home/zuul/ansible_config.cfg --templates /usr/share/openstack-tripleo-heat-templates \
 --roles-file ${ROLES_FILE} -n /home/zuul/network_data.yaml --libvirt-type qemu \
diff --git a/devsetup/tripleo/undercloud.conf.j2 b/devsetup/tripleo/undercloud.conf.j2
index ffe949a27..726068ba0 100644
--- a/devsetup/tripleo/undercloud.conf.j2
+++ b/devsetup/tripleo/undercloud.conf.j2
@@ -13,7 +13,7 @@
 # the user is responsible for configuring all system hostname settings
 # appropriately. If set, the undercloud install will configure all
 # system hostname settings. (string value)
-undercloud_hostname = undercloud.localdomain
+undercloud_hostname = undercloud.{{ cloud_domain }}
 # IP information for the interface on the Undercloud that will be
 # handling the PXE boots and DHCP for Overcloud instances. The IP
@@ -30,13 +30,13 @@ local_mtu = {{ interface_mtu }}
 # Undercloud services. Only used with SSL. (string value)
 # Deprecated group/name - [DEFAULT]/undercloud_public_vip
 #undercloud_public_host = 192.168.24.2
-undercloud_public_host = 192.168.122.122
+undercloud_public_host = 192.168.122.99
 # Virtual IP or DNS address to use for the admin endpoints of
 # Undercloud services. Only used with SSL. (string value)
 # Deprecated group/name - [DEFAULT]/undercloud_admin_vip
 #undercloud_admin_host = 192.168.24.3
-undercloud_admin_host = 192.168.122.123
+undercloud_admin_host = 192.168.122.99
 # Nameserver for the Undercloud node.
 # (string value)
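Review bot: The wait on `ipaserver-install.log` never fails the script, because the `grep -qEi` pattern matches both the success line and the failure line and exits 0 for either, and a `timeout` expiry (exit 124) is not handled, so a broken FreeIPA install falls straight through to `sudo mv ipa_resolv.conf /etc/resolv.conf` and `openstack overcloud deploy` with the TLS-everywhere environments; the rewritten wait below checks for the ERROR line afterwards and stops on timeout. `export IPA_ADMIN_PASSWORD=fce95318204114530f31f885c9df588f` commits a fixed admin credential to the repository and then hands it to the container as `-e PASSWORD=$IPA_ADMIN_PASSWORD` on the podman command line, where it is visible in `ps` and in any `set -x` trace; even for a CI-only environment it should come from the environment or be generated per run, as in the first lines below. `sudo mkdir /tmp/ipa-data` uses a predictable path under a world-writable directory and fails on a second run (no `-p`), and the `-p 53:53 … -p 636:636` options publish DNS, LDAP and Kerberos on every host interface, so consider a dedicated directory and an address prefix on `-p` if the undercloud has an externally reachable interface. `cat < ipa_resolv.conf` reads as a mangled `cat <<EOF > ipa_resolv.conf` heredoc in this rendering; if it is literal in the file, the resolv.conf step writes nothing.
```shell
if [ "$TLSE_ENABLED" = "true" ]; then
    # … unchanged: ENV_ARGS additions …
    export IPA_ADMIN_USER=admin
    export IPA_PRINCIPAL=$IPA_ADMIN_USER
    # Never a fixed value in git: take it from the environment or generate one for this run.
    IPA_ADMIN_PASSWORD=${IPA_ADMIN_PASSWORD:-$(openssl rand -hex 16)}
    export IPA_ADMIN_PASSWORD
    export IPA_PASSWORD=$IPA_ADMIN_PASSWORD
    # … unchanged: remaining IPA_* exports, mkdir, podman run …
    # grep exits 0 for the success and the failure line alike, so the outcome is checked
    # separately below; a timeout (exit 124) must also stop the deploy instead of falling through.
    if ! timeout 900s grep -qEi '(INFO The ipa-server-install command was successful|ERROR The ipa-server-install command failed)' \
            <(sudo tail -F /tmp/ipa-data/var/log/ipaserver-install.log); then
        echo "timed out waiting for ipa-server-install" >&2
        exit 1
    fi
    if sudo grep -q 'ERROR The ipa-server-install command failed' /tmp/ipa-data/var/log/ipaserver-install.log; then
        echo "ipa-server-install failed, see /tmp/ipa-data/var/log/ipaserver-install.log" >&2
        exit 1
    fi
    # … unchanged: resolv.conf setup and undercloud-ipa-install playbook …
fi
```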
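Review bot: `undercloud_public_host` and `undercloud_admin_host` now share `192.168.122.99` in the `@@ -30` hunk, where they were two distinct addresses before, and the commit message does not mention the change; the file's own comments say both are only used with SSL, which this commit turns on for non-`localdomain` deployments, so the choice is now load-bearing. A short comment above the two settings stating why one address serves both VIPs and where `192.168.122.99` comes from would make the intent reviewable; if they were meant to stay distinct, this looks like an unintended edit.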
@@ -51,7 +51,10 @@ undercloud_timezone = UTC
 # DNS domain name to use when deploying the overcloud. The overcloud
 # parameter "CloudDomain" must be set to a matching value. (string
 # value)
-#overcloud_domain_name = localdomain
+{% if cloud_domain != 'localdomain' %}
+overcloud_domain_name = {{ cloud_domain }}
+{% endif %}
+
 # Certificate file to use for OpenStack service SSL connections.
 # Setting this enables SSL for the OpenStack API endpoints, leaving it
@@ -65,8 +68,11 @@ undercloud_timezone = UTC
 # /etc/pki/tls/certs/undercloud-[undercloud_public_vip].pem. This
 # certificate is signed by CA selected by the
 # "certificate_generation_ca" option. (boolean value)
-#generate_service_certificate = true
+{% if cloud_domain == 'localdomain' %}
 generate_service_certificate = False
+{% else %}
+generate_service_certificate = True
+{% endif %}
 # The certmonger nickname of the CA from which the certificate will be
 # requested. This is used only if the generate_service_certificate
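Review bot: `generate_service_certificate` in the `@@ -65` hunk is switched on by `cloud_domain == 'localdomain'` rather than by the `TLSE_ENABLED` flag this commit introduces, so any non-default `DNS_DOMAIN` enables undercloud service certificates even with `TLS_ENABLED` unset, and `TLSE_ENABLED=true` with the default domain does not. Passing the flag through the vars file (`tlse_enabled: ${TLSE_ENABLED}` next to `cloud_domain:` in tripleo.sh) and keying this block on `{% if tlse_enabled | string | lower == 'true' %}` ties the template to the same switch that tripleo_install.sh uses. The `{% if cloud_domain != 'localdomain' %}` guard around `overcloud_domain_name` in the `@@ -51` hunk is also unnecessary, since the commented default is `localdomain` anyway; rendering `overcloud_domain_name = {{ cloud_domain }}` unconditionally is simpler and keeps the value explicit in the generated file.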