Enable TLS everywhere for data plane adoption no-ceph standalone job

This doesn't enable TLS everywhere testing for the Ceph job, since we don't need to test with Ceph. We also still want to test the case without TLS. Depends-On: openstack-k8s-operators/install_yamls#756 Depends-On: openstack-k8s-operators/data-plane-adoption#331 Change-Id: Id40199097d46ba19b12b79577ace599c97674441
rdo-infra · May 15, 2024 · 25a1015 · 25a1015
1 parent 0035f1b
commit 25a1015
Show file tree

Hide file tree

Showing 6 changed files with 49 additions and 4 deletions.
diff --git a/playbooks/data_plane_adoption/ci_framework_deploy_standalone_vm.yaml b/playbooks/data_plane_adoption/ci_framework_deploy_standalone_vm.yaml
@@ -21,3 +21,5 @@
           HOST_PRIMARY_RESOLV_CONF_ENTRY: "{{ standalone_gateway }}"
           EDPM_COMPUTE_CEPH_ENABLED: "{{ use_ceph | default('true') }}"
           EDPM_COMPUTE_CEPH_NOVA: "{{ use_ceph | default('true') }}"
+          DNS_DOMAIN: "{{ cloud_domain | default('localdomain') }}"
+          TLS_ENABLED: "{{ enable_tls | default('false') }}"
diff --git a/playbooks/data_plane_adoption/deploy_standalone_run_repo_tests.yaml b/playbooks/data_plane_adoption/deploy_standalone_run_repo_tests.yaml
@@ -34,6 +34,8 @@
             -e "standalone_ip={{ standalone_ip }}" -e "standalone_gateway={{ standalone_gateway }}"
             -e "standalone_dns={{ standalone_dns | default(standalone_gateway) }}"
             -e "use_ceph={{ use_ceph | default('true') }}"
+            -e "cloud_domain={{ cloud_domain | default('localdomain') }}"
+            -e "enable_tls={{ enable_tls | default('false') }}"
           args:
             chdir: "{{ framework_dir }}"
 
@@ -69,6 +71,18 @@
         - "source_mariadb_ip"
         - "source_ovndb_ip"
 
+    - name: Set EDPM node hostname in vars.yaml
+      ansible.builtin.lineinfile:
+        path: "{{ rdo_dir }}/vars.yaml"
+        regexp: "'^edpm_node_hostname:'"
+        value: "edpm_node_hostname: standalone.{{ cloud_domain | default('localdomain') }}"
+
+    - name: Set TLS Everywhere in vars.yaml
+      ansible.builtin.lineinfile:
+        path: "{{ rdo_dir }}/vars.yaml"
+        regexp: "'^enable_tlse:'"
+        value: "enable_tlse: {{ enable_tls | default('false') }}"
+
     - name: Insert vars for data plane operator and os-net-config with zuul native standalone node
       ansible.builtin.blockinfile:
         marker_begin: "BEGIN os-net-config vars"
@@ -134,6 +148,12 @@
         regexp: 'controller1_ssh:'
         value: "controller1_ssh: ssh -i {{ standalone_private_key | default('/home/zuul/src/github.com/openstack-k8s-operators/install_yamls/out/edpm/ansibleee-ssh-key-id_rsa') }} root@{{ standalone_ip }}"
 
+    - name: Set ipa_ssh var in secrets.yaml
+      ansible.builtin.lineinfile:
+        path: "{{ rdo_dir }}/secrets.yaml"
+        regexp: 'ipa_ssh:'
+        value: "ipa_ssh: ssh -i {{ standalone_private_key | default('/home/zuul/src/github.com/openstack-k8s-operators/install_yamls/out/edpm/ansibleee-ssh-key-id_rsa') }} root@{{ standalone_ip }} podman exec -ti freeipa-server-container"
+
     - name: Install required packages
       become: true
       ansible.builtin.package:

diff --git a/playbooks/data_plane_adoption/deploy_tripleo_run_repo_tests.yaml b/playbooks/data_plane_adoption/deploy_tripleo_run_repo_tests.yaml
@@ -130,6 +130,18 @@
         path: /home/zuul/ansible_hostname
       register: compute_hostname
 
+    - name: Set EDPM node hostname in vars.yaml
+      ansible.builtin.lineinfile:
+        path: "{{ rdo_dir }}/vars.yaml"
+        regexp: "'^edpm_node_hostname:'"
+        value: "edpm_node_hostname: {{ compute_hostname['content'] | b64decode | trim }}.{{ cloud_domain | default('localdomain') }}"
+
+    - name: Set TLS Everywhere in vars.yaml
+      ansible.builtin.lineinfile:
+        path: "{{ rdo_dir }}/vars.yaml"
+        regexp: "'^enable_tlse:'"
+        value: "enable_tlse: {{ enable_tls | default('false') }}"
+
     - name: Insert vars for data plane operator and os-net-config with zuul native undercloud node
       ansible.builtin.blockinfile:
         marker_begin: "BEGIN os-net-config vars"
@@ -140,13 +152,12 @@
           dataplane_public_iface: eth1
           dataplane_os_net_config_set_route: false
           os_cloud_name: overcloud
-          edpm_node_hostname: "{{ compute_hostname['content'] | b64decode | trim }}.localdomain"
           edpm_user: zuul
           standalone_ip: "{{ standalone_ip | default('192.168.122.100') }}"
           neutron_physical_bridge_name: br-ex
           edpm_nodes:
             {{ compute_hostname['content'] | b64decode | trim }}:
-              hostName: "{{ compute_hostname['content'] | b64decode | trim }}.localdomain"
+              hostName: "{{ compute_hostname['content'] | b64decode | trim }}.{{ cloud_domain | default('localdomain') }}"
               ansible:
                 ansibleHost: {{ edpm_node_ip }}
               networks:

diff --git a/playbooks/data_plane_adoption/secrets.yaml b/playbooks/data_plane_adoption/secrets.yaml
@@ -25,9 +25,12 @@ heat_auth_encryption_key: CUSTOMIZE_THIS
 manila_password: CUSTOMIZE_THIS
 swift_password: CUSTOMIZE_THIS
 
+# FreeIPA SSH connection strings for importing the CA certificate and key
+ipa_ssh: "ssh -F ~/director_standalone/vagrant_ssh_config vagrant@standalone podman exec -ti freeipa-server-container"  # CUSTOMIZE THIS
+
 # Controller SSH connection strings for the MariaDB copy procedure.
 # Use ":" for controler 2 and 3 if you are testing with a single controller.
-controller1_ssh: "ssh -F ~/director_stanalone/vagrant_ssh_config vagrant@standalone"  # CUSTOMIZE THIS
+controller1_ssh: "ssh -F ~/director_standalone/vagrant_ssh_config vagrant@standalone"  # CUSTOMIZE THIS
 controller2_ssh: ":"
 controller3_ssh: ":"
 

diff --git a/playbooks/data_plane_adoption/vars.yaml b/playbooks/data_plane_adoption/vars.yaml
@@ -1,5 +1,12 @@
 # Path to install_yamls repo
 install_yamls_path: /home/zuul/src/github.com/openstack-k8s-operators/install_yamls/
+
+# This flag signifies if TLS Everywhere is enabled on the source cloud
+enable_tlse: CUSTOMIZE_THIS
+
+# To enable TLS-E, the standalone hostname must be set to standalone.ooo.test
+edpm_node_hostname: CUSTOMIZE_THIS
+
 # Whether to remove all the persistent data (databases, dumbs, ansible logs)
 # before the test
 reset_crc_storage: true

diff --git a/zuul.d/_data_plane_adoption.yaml b/zuul.d/_data_plane_adoption.yaml
@@ -46,6 +46,8 @@
     name: data-plane-adoption-osp-17-to-extracted-crc-minimal-no-ceph
     parent: data-plane-adoption-osp-17-to-extracted-crc
     vars:
+      enable_tls: "true"
+      cloud_domain: "ooo.test"
       use_ceph: "false"
       dpa_test_suite: "test-minimal"
 
@@ -91,4 +93,4 @@
     name: data-plane-adoption-osp17-multinode-to-extracted-crc-with-ceph
     parent: data-plane-adoption-osp17-multinode-to-extracted-crc-no-ceph
     vars:
-      use_ceph: 'true'
+      use_ceph: "true"