From 86ad3d7b508108385fddac797b126b0e2ac5ee2c Mon Sep 17 00:00:00 2001 From: Grzegorz Grasza Date: Wed, 3 Apr 2024 17:30:21 +0200 Subject: [PATCH] Enable TLS Everywhere testing Depends-On: https://github.com/openstack-k8s-operators/install_yamls/pull/756 Depends-On: https://github.com/openstack-k8s-operators/data-plane-adoption/pull/331 Change-Id: Id40199097d46ba19b12b79577ace599c97674441 --- .../ci_framework_deploy_standalone_vm.yaml | 2 ++ .../deploy_standalone_run_repo_tests.yaml | 20 +++++++++++++++++++ .../deploy_tripleo_run_repo_tests.yaml | 15 ++++++++++++-- playbooks/data_plane_adoption/secrets.yaml | 3 +++ playbooks/data_plane_adoption/vars.yaml | 7 +++++++ zuul.d/_data_plane_adoption.yaml | 4 +++- 6 files changed, 48 insertions(+), 3 deletions(-) diff --git a/playbooks/data_plane_adoption/ci_framework_deploy_standalone_vm.yaml b/playbooks/data_plane_adoption/ci_framework_deploy_standalone_vm.yaml index 0e4001a19..b6016e6df 100644 --- a/playbooks/data_plane_adoption/ci_framework_deploy_standalone_vm.yaml +++ b/playbooks/data_plane_adoption/ci_framework_deploy_standalone_vm.yaml @@ -21,3 +21,5 @@ HOST_PRIMARY_RESOLV_CONF_ENTRY: "{{ standalone_gateway }}" EDPM_COMPUTE_CEPH_ENABLED: "{{ use_ceph | default('true') }}" EDPM_COMPUTE_CEPH_NOVA: "{{ use_ceph | default('true') }}" + DNS_DOMAIN: "{{ cloud_domain | default('localdomain') }}" + TLS_ENABLED: "{{ enable_tls | default('false') }}" diff --git a/playbooks/data_plane_adoption/deploy_standalone_run_repo_tests.yaml b/playbooks/data_plane_adoption/deploy_standalone_run_repo_tests.yaml index 10e3019db..5b16c5274 100644 --- a/playbooks/data_plane_adoption/deploy_standalone_run_repo_tests.yaml +++ b/playbooks/data_plane_adoption/deploy_standalone_run_repo_tests.yaml 
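Review bot: `TLS_ENABLED` and `DNS_DOMAIN` fall back independently here, so a job that sets only `enable_tls: "true"` would deploy with TLS on and the domain `localdomain`, while the comment this patch adds to vars.yaml says TLS-E needs the hostname `standalone.ooo.test`. A comment above the two added lines would make the dependency explicit, for example `# enable_tls=true also requires cloud_domain (ooo.test in CI)`; an `ansible.builtin.assert` ahead of this task would enforce it. The same pair of `default('localdomain')` / `default('false')` fallbacks is repeated in the `-e` arguments and the lineinfile tasks of deploy_standalone_run_repo_tests.yaml and in deploy_tripleo_run_repo_tests.yaml, so the values can drift apart. The enclosing mapping starts outside the hunk.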
@@ -34,6 +34,8 @@ -e "standalone_ip={{ standalone_ip }}" -e "standalone_gateway={{ standalone_gateway }}" -e "standalone_dns={{ standalone_dns | default(standalone_gateway) }}" -e "use_ceph={{ use_ceph | default('true') }}" + -e "cloud_domain={{ cloud_domain | default('localdomain') }}" + -e "enable_tls={{ enable_tls | default('false') }}" args: chdir: "{{ framework_dir }}" @@ -69,6 +71,18 @@ - "source_mariadb_ip" - "source_ovndb_ip" + - name: Set EDPM node hostname in vars.yaml + ansible.builtin.lineinfile: + path: "{{ rdo_dir }}/vars.yaml" + regexp: "'^edpm_node_hostname:'" + value: "edpm_node_hostname: standalone.{{ cloud_domain | default('localdomain') }}" + + - name: Set TLS Everywhere in vars.yaml + ansible.builtin.lineinfile: + path: "{{ rdo_dir }}/vars.yaml" + regexp: "'^enable_tlse:'" + value: "enable_tlse: {{ enable_tls | default('false') }}" + - name: Insert vars for data plane operator and os-net-config with zuul native standalone node ansible.builtin.blockinfile: marker_begin: "BEGIN os-net-config vars" @@ -134,6 +148,12 @@ regexp: 'controller1_ssh:' value: "controller1_ssh: ssh -i {{ standalone_private_key | default('/home/zuul/src/github.com/openstack-k8s-operators/install_yamls/out/edpm/ansibleee-ssh-key-id_rsa') }} root@{{ standalone_ip }}" + - name: Set ipa_ssh var in secrets.yaml + ansible.builtin.lineinfile: + path: "{{ rdo_dir }}/secrets.yaml" + regexp: 'ipa_ssh:' + value: "ipa_ssh: ssh -i {{ standalone_private_key | default('/home/zuul/src/github.com/openstack-k8s-operators/install_yamls/out/edpm/ansibleee-ssh-key-id_rsa') }} root@{{ standalone_ip }} podman exec -ti freeipa-server-container" + - name: Install required packages become: true ansible.builtin.package: diff --git a/playbooks/data_plane_adoption/deploy_tripleo_run_repo_tests.yaml b/playbooks/data_plane_adoption/deploy_tripleo_run_repo_tests.yaml index c23dc1e18..2bd6db3c2 100644 --- a/playbooks/data_plane_adoption/deploy_tripleo_run_repo_tests.yaml 
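Review bot: The patterns `regexp: "'^edpm_node_hostname:'"` and `regexp: "'^enable_tlse:'"` in the two added lineinfile tasks (hunk at -69,6) contain the single quotes as literal characters, so the pattern asks for a `'` before the start-of-line anchor and cannot match any line. lineinfile then appends the new line instead of replacing the existing one. If `{{ rdo_dir }}/vars.yaml` already carries the `enable_tlse: CUSTOMIZE_THIS` and `edpm_node_hostname: CUSTOMIZE_THIS` placeholders (as the vars.yaml in this patch does), the file ends up with duplicate keys and the TLS setting depends on the consumer taking the last one. Use `regexp: '^edpm_node_hostname:'` and `regexp: '^enable_tlse:'`. The same quoting is used by the two tasks added in deploy_tripleo_run_repo_tests.yaml, following the existing `edpm_node_ip` task there.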
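Review bot: The `ipa_ssh` value written by the new task (hunk at -134,6) ends in `podman exec -ti freeipa-server-container`, which requests a terminal although the string is built for unattended use and the ssh part carries no `-t`. If a pseudo-terminal is allocated, output normally comes back with CRLF line endings, which can damage PEM data when the command is used to read the CA certificate and key, as the comment added to secrets.yaml describes. Unless a terminal is really needed, `podman exec -i freeipa-server-container` is the safer form; the sample value added to secrets.yaml uses the same flags. The pattern `regexp: 'ipa_ssh:'` is also unanchored and would be more precise as `regexp: '^ipa_ssh:'`.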
+++ b/playbooks/data_plane_adoption/deploy_tripleo_run_repo_tests.yaml @@ -124,6 +124,18 @@ regexp: "'^edpm_node_ip:'" value: "edpm_node_ip: {{ edpm_node_ip }}" + - name: Set EDPM node hostname in vars.yaml + ansible.builtin.lineinfile: + path: "{{ rdo_dir }}/vars.yaml" + regexp: "'^edpm_node_hostname:'" + value: "edpm_node_hostname: {{ compute_hostname['content'] | b64decode | trim }}.{{ cloud_domain | default('localdomain') }}" + + - name: Set TLS Everywhere in vars.yaml + ansible.builtin.lineinfile: + path: "{{ rdo_dir }}/vars.yaml" + regexp: "'^enable_tlse:'" + value: "enable_tlse: {{ enable_tls | default('false') }}" + - name: Fetch compute hostname to set edpm_node_hostname var delegate_to: "overcloud-novacompute-0" ansible.builtin.slurp: @@ -140,13 +152,12 @@ dataplane_public_iface: eth1 dataplane_os_net_config_set_route: false os_cloud_name: overcloud - edpm_node_hostname: "{{ compute_hostname['content'] | b64decode | trim }}.localdomain" edpm_user: zuul standalone_ip: "{{ standalone_ip | default('192.168.122.100') }}" neutron_physical_bridge_name: br-ex edpm_nodes: {{ compute_hostname['content'] | b64decode | trim }}: - hostName: "{{ compute_hostname['content'] | b64decode | trim }}.localdomain" + hostName: "{{ compute_hostname['content'] | b64decode | trim }}.{{ cloud_domain | default('localdomain') }}" ansible: ansibleHost: {{ edpm_node_ip }} networks: diff --git a/playbooks/data_plane_adoption/secrets.yaml b/playbooks/data_plane_adoption/secrets.yaml index 3f49195ca..6ccb2e671 100644 --- a/playbooks/data_plane_adoption/secrets.yaml +++ b/playbooks/data_plane_adoption/secrets.yaml 
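Review bot: The added task `Set EDPM node hostname in vars.yaml` (hunk at -124,6) templates `compute_hostname['content']`, but the task `Fetch compute hostname to set edpm_node_hostname var` that slurps it appears after the added tasks, as context in the same hunk. Unless `compute_hostname` is already registered earlier in the play (not visible here), the new task fails on an undefined variable. Moving the two added tasks below the fetch task would resolve it. The slurp task runs past the end of the hunk, so its `register:` line is not shown.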
@@ -25,6 +25,9 @@ heat_auth_encryption_key: CUSTOMIZE_THIS manila_password: CUSTOMIZE_THIS swift_password: CUSTOMIZE_THIS +# FreeIPA SSH connection strings for importing the CA certificate and key +ipa_ssh: "ssh -F ~/director_stanalone/vagrant_ssh_config vagrant@standalone podman exec -ti freeipa-server-container" # CUSTOMIZE THIS + # Controller SSH connection strings for the MariaDB copy procedure. # Use ":" for controler 2 and 3 if you are testing with a single controller. controller1_ssh: "ssh -F ~/director_stanalone/vagrant_ssh_config vagrant@standalone" # CUSTOMIZE THIS diff --git a/playbooks/data_plane_adoption/vars.yaml b/playbooks/data_plane_adoption/vars.yaml index 5585a7151..a80a19e0f 100644 --- a/playbooks/data_plane_adoption/vars.yaml +++ b/playbooks/data_plane_adoption/vars.yaml @@ -1,5 +1,12 @@ # Path to install_yamls repo install_yamls_path: /home/zuul/src/github.com/openstack-k8s-operators/install_yamls/ + +# This flag signifies if TLS Everywhere is enabled on the source cloud +enable_tlse: CUSTOMIZE_THIS + +# To enable TLS-E, the standalone hostname must be set to standalone.ooo.test +edpm_node_hostname: CUSTOMIZE_THIS + # Whether to remove all the persistent data (databases, dumbs, ansible logs) # before the test reset_crc_storage: true diff --git a/zuul.d/_data_plane_adoption.yaml b/zuul.d/_data_plane_adoption.yaml index 1784bae0d..6117649d3 100644 --- a/zuul.d/_data_plane_adoption.yaml +++ b/zuul.d/_data_plane_adoption.yaml @@ -46,6 +46,8 @@ name: data-plane-adoption-osp-17-to-extracted-crc-minimal-no-ceph parent: data-plane-adoption-osp-17-to-extracted-crc vars: + enable_tls: "true" + cloud_domain: "ooo.test" use_ceph: "false" dpa_test_suite: "test-minimal" @@ -91,4 +93,4 @@ name: data-plane-adoption-osp17-multinode-to-extracted-crc-with-ceph parent: data-plane-adoption-osp17-multinode-to-extracted-crc-no-ceph vars: - use_ceph: 'true' + use_ceph: "true"
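Review bot: The comment added above `edpm_node_hostname` in vars.yaml covers only the standalone case ("must be set to standalone.ooo.test"), while deploy_tripleo_run_repo_tests.yaml in this patch writes the compute node's hostname plus `cloud_domain` into the same key. Suggested wording: `# FQDN of the EDPM node; with TLS-E its domain must match the source cloud (standalone.ooo.test in the standalone CI job)`. `enable_tlse: CUSTOMIZE_THIS` is a placeholder string for what the playbooks render as `true`/`false`, so the comment above it could name the accepted values, for example `# Set to true or false: whether TLS Everywhere is enabled on the source cloud`.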
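Review bot: Setting `enable_tls: "true"` and `cloud_domain: "ooo.test"` on the existing job `data-plane-adoption-osp-17-to-extracted-crc-minimal-no-ceph` (hunk at -46,6 in zuul.d/_data_plane_adoption.yaml) switches that job to TLS instead of adding a variant. From what is visible here, nothing keeps exercising the same minimal no-ceph path without TLS, and any job that names this one as `parent` would inherit both vars. If both paths should stay covered, a separate child job carrying only these two vars would do it. A comment above the vars would also help, for example `# TLS-E needs both vars: enable_tls and the matching cloud_domain`. The job definition starts outside the hunk.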