

Adds bits to set domain and enable tlse for adoption multinode ci jobs
As part of [1], this aims to enable TLS for the adoption multinode CI.

[1] https://issues.redhat.com/browse/OSPRH-8973
marios committed Sep 20, 2024
1 parent 51ebd28 commit 9fbd7ca
Showing 8 changed files with 92 additions and 38 deletions.
1 change: 1 addition & 0 deletions devsetup/Makefile
Expand Up @@ -455,6 +455,7 @@ edpm_deploy_instance: ## Spin a instance on edpm node

.PHONY: tripleo_deploy
tripleo_deploy: export CLOUD_DOMAIN=${DNS_DOMAIN}
tripleo_deploy: export TLSE_ENABLED=${TLS_ENABLED}
tripleo_deploy: export INTERFACE_MTU=${NETWORK_MTU}
tripleo_deploy: export COMPUTE_CELLS=${EDPM_COMPUTE_CELLS}
tripleo_deploy: export REGISTRY_USER ?= ${RH_REGISTRY_USER}
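Review bot: The new line `tripleo_deploy: export TLSE_ENABLED=${TLS_ENABLED}` feeds the script-side name from a differently spelt make variable, and nothing in the hunk defines or documents `TLS_ENABLED`, so someone who sets `TLSE_ENABLED=true` on the make command line gets a silent no-op and tripleo.sh falls back to its new `false` default. Using the same spelling on both sides, or at least a one-line comment above the export such as `# TLS_ENABLED=true turns on TLS-everywhere (FreeIPA) in tripleo.sh/tripleo_install.sh`, would make the knob discoverable. Any default given to `TLS_ENABLED` elsewhere in the Makefile, and the tripleo_deploy recipe itself, lie outside the hunk.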
46 changes: 27 additions & 19 deletions devsetup/scripts/tripleo.sh
Expand Up @@ -35,6 +35,7 @@ TRIPLEO_NETWORKING=${TRIPLEO_NETWORKING:-true}
MANILA_ENABLED=${MANILA_ENABLED:-true}
OCTAVIA_ENABLED=${OCTAVIA_ENABLED:-false}
TELEMETRY_ENABLED=${TELEMETRY_ENABLED:-true}
TLSE_ENABLED=${TLSE_ENABLED:-false}

if [[ ! -f $SSH_KEY_FILE ]]; then
echo "$SSH_KEY_FILE is missing"
Expand Down Expand Up @@ -78,8 +79,8 @@ cat <<EOF > $CMDS_FILE
set -ex
sudo dnf install -y podman python3-tripleoclient util-linux lvm2
sudo hostnamectl set-hostname undercloud.localdomain
sudo hostnamectl set-hostname undercloud.localdomain --transient
sudo hostnamectl set-hostname undercloud.${CLOUD_DOMAIN}
sudo hostnamectl set-hostname undercloud.${CLOUD_DOMAIN} --transient
cat >\$HOME/nova_noceph.yaml <<__EOF__
parameter_defaults:
Expand All @@ -99,6 +100,8 @@ export EDPM_COMPUTE_CELLS=${COMPUTE_CELLS:-1}
export MANILA_ENABLED=${MANILA_ENABLED:-true}
export OCTAVIA_ENABLED=${OCTAVIA_ENABLED}
export TELEMETRY_ENABLED=${TELEMETRY_ENABLED:-true}
export TLSE_ENABLED=${TLSE_ENABLED:-false}
export CLOUD_DOMAIN=${CLOUD_DOMAIN:-localdomain}
set +x
if [[ -f \$HOME/containers-prepare-parameters.yaml ]]; then
Expand Down Expand Up @@ -169,10 +172,16 @@ gateway_ip: ${GATEWAY}
manage_default_route: ${TRIPLEO_NETWORKING}
dns_server: ${PRIMARY_RESOLV_CONF_ENTRY}
user_home: /home/zuul
cloud_domain: ${CLOUD_DOMAIN}
EOF

jinja2_render ${SCRIPTPATH}/../tripleo/undercloud.conf.j2 "${J2_VARS_FILE}" > ${MY_TMP_DIR}/undercloud.conf
jinja2_render ${SCRIPTPATH}/../tripleo/net_config.j2 "${J2_VARS_FILE}" > ${MY_TMP_DIR}/net_config.yaml
jinja2_render tripleo/net_config.j2 "${J2_VARS_FILE}" > ${MY_TMP_DIR}/net_config.yaml
jinja2_render tripleo/undercloud.conf.j2 "${J2_VARS_FILE}" > ${MY_TMP_DIR}/undercloud.conf
jinja2_render tripleo/overcloud_services.yaml.j2 "${J2_VARS_FILE}" > ${MY_TMP_DIR}/overcloud_services.yaml
jinja2_render tripleo/config-download.yaml.j2 "${J2_VARS_FILE}" > ${MY_TMP_DIR}/config-download.yaml
jinja2_render tripleo/config-download-networker.yaml.j2 "${J2_VARS_FILE}" > ${MY_TMP_DIR}/config-download-networker.yaml
jinja2_render tripleo/network_data.yaml.j2 "${J2_VARS_FILE}" > ${MY_TMP_DIR}/network_data.yaml

# NOTE(bogdando): no computes supported in the cetnral overcloud stack in OSP.
# Reduced footprint for adoption dev envs: no HA controllers, an all-in-one host in the cell 2
ind=0
Expand Down Expand Up @@ -221,11 +230,10 @@ fi
scp $SSH_OPT $MY_TMP_DIR/.standalone_env_file zuul@$IP:.standalone_env_file
scp $SSH_OPT $CMDS_FILE zuul@$IP:/tmp/undercloud-deploy-cmds.sh
scp $SSH_OPT ${MY_TMP_DIR}/net_config.yaml root@$IP:/tmp/net_config.yaml
scp $SSH_OPT ${SCRIPTPATH}/../tripleo/tripleo_install.sh zuul@$IP:tripleo_install.sh
scp $SSH_OPT ${SCRIPTPATH}/../tripleo/hieradata_overrides_undercloud.yaml zuul@$IP:hieradata_overrides_undercloud.yaml
scp $SSH_OPT ${SCRIPTPATH}/../tripleo/undercloud-parameter-defaults.yaml zuul@$IP:undercloud-parameter-defaults.yaml
scp $SSH_OPT ${MY_TMP_DIR}/undercloud.conf zuul@$IP:undercloud.conf
scp $SSH_OPT ${SCRIPTPATH}/../tripleo/config-download-networker.yaml zuul@$IP:config-download-networker.yaml
scp $SSH_OPT tripleo/tripleo_install.sh zuul@$IP:$HOME/tripleo_install.sh
scp $SSH_OPT tripleo/hieradata_overrides_undercloud.yaml zuul@$IP:$HOME/hieradata_overrides_undercloud.yaml
scp $SSH_OPT tripleo/undercloud-parameter-defaults.yaml zuul@$IP:$HOME/undercloud-parameter-defaults.yaml
scp $SSH_OPT ${MY_TMP_DIR}/undercloud.conf zuul@$IP:$HOME/undercloud.conf
if [ $EDPM_COMPUTE_CELLS -gt 1 ]; then
for cell in $(seq 0 $(( EDPM_COMPUTE_CELLS - 1))); do
scp $SSH_OPT ${MY_TMP_DIR}/vips_data${cell}.yaml zuul@$IP:vips_data${cell}.yaml
Expand All @@ -234,21 +242,21 @@ if [ $EDPM_COMPUTE_CELLS -gt 1 ]; then
scp $SSH_OPT ${MY_TMP_DIR}/config-download-cell${cell}.yaml zuul@$IP:config-download-cell${cell}.yaml
done
else
scp $SSH_OPT ${SCRIPTPATH}/../tripleo/vips_data.yaml zuul@$IP:vips_data.yaml
scp $SSH_OPT ${SCRIPTPATH}/../tripleo/network_data.yaml zuul@$IP:network_data.yaml
scp $SSH_OPT ${SCRIPTPATH}/../tripleo/overcloud_services.yaml zuul@$IP:overcloud_services.yaml
scp $SSH_OPT ${SCRIPTPATH}/../tripleo/config-download.yaml zuul@$IP:config-download.yaml
scp $SSH_OPT tripleo/vips_data.yaml zuul@$IP:$HOME/vips_data.yaml
scp $SSH_OPT ${MY_TMP_DIR}/network_data.yaml zuul@$IP:$HOME/network_data.yaml
scp $SSH_OPT ${MY_TMP_DIR}/overcloud_services.yaml zuul@$IP:$HOME/overcloud_services.yaml
scp $SSH_OPT ${MY_TMP_DIR}/config-download.yaml zuul@$IP:$HOME/config-download.yaml
scp $SSH_OPT ${MY_TMP_DIR}/config-download-networker.yaml zuul@$IP:$HOME/config-download-networker.yaml
fi
scp $SSH_OPT ${SCRIPTPATH}/../tripleo/overcloud_roles.yaml zuul@$IP:overcloud_roles.yaml
scp $SSH_OPT ${SCRIPTPATH}/../tripleo/overcloud_services.yaml zuul@$IP:overcloud_services.yaml
scp $SSH_OPT ${SCRIPTPATH}/../tripleo/ansible_config.cfg zuul@$IP:ansible_config.cfg
scp $SSH_OPT tripleo/overcloud_roles.yaml zuul@$IP:$HOME/overcloud_roles.yaml
scp $SSH_OPT tripleo/ansible_config.cfg zuul@$IP:$HOME/ansible_config.cfg
if [[ "$EDPM_COMPUTE_CEPH_ENABLED" == "true" ]]; then
scp $SSH_OPT ${SCRIPTPATH}/../tripleo/ceph.sh root@$IP:/tmp/ceph.sh
scp $SSH_OPT ${SCRIPTPATH}/../tripleo/generate_ceph_inventory.py root@$IP:/tmp/generate_ceph_inventory.py
scp $SSH_OPT tripleo/ceph.sh root@$IP:/tmp/ceph.sh
scp $SSH_OPT tripleo/generate_ceph_inventory.py root@$IP:/tmp/generate_ceph_inventory.py
fi

if [[ -f $HOME/containers-prepare-parameters.yaml ]]; then
scp $SSH_OPT $HOME/containers-prepare-parameters.yaml zuul@$IP:containers-prepare-parameters.yaml
scp $SSH_OPT $HOME/containers-prepare-parameters.yaml zuul@$IP:$HOME/containers-prepare-parameters.yaml
fi

# Running
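Review bot: The new scp destinations of the form `zuul@$IP:$HOME/...` (for example `scp $SSH_OPT tripleo/tripleo_install.sh zuul@$IP:$HOME/tripleo_install.sh`) expand `$HOME` on the machine running tripleo.sh, not on the remote, so the files only land in zuul's home when the local user happens to be zuul as well, whereas the old relative form `zuul@$IP:tripleo_install.sh` was resolved by the remote and matches the `/home/zuul/...` paths tripleo_install.sh hard-codes; dropping `$HOME/` from these destinations restores that. The source paths also moved from `${SCRIPTPATH}/../tripleo/...` to `tripleo/...`, which ties the script to being invoked from the devsetup directory, so if that is intended a comment at the top of the file (outside these hunks) saying so would save the next reader a failed run. Separately, `undercloud.${CLOUD_DOMAIN}` in the generated command file and `cloud_domain: ${CLOUD_DOMAIN}` in the J2 vars file are expanded locally with no fallback, while the `localdomain` default is only applied inside the generated remote script; unless a default is set earlier in tripleo.sh outside these hunks, a host-side `CLOUD_DOMAIN=${CLOUD_DOMAIN:-localdomain}` next to the new `TLSE_ENABLED` default closes that gap.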
Original file line number Diff line number Diff line change
Expand Up @@ -73,7 +73,6 @@ parameter_defaults:
tags:
- 192.168.122.0/24


NodePortMap:
controller-0:
ctlplane:
Expand Down Expand Up @@ -225,7 +224,7 @@ parameter_defaults:

CtlplaneNetworkAttributes:
network:
dns_domain: localdomain
dns_domain: {{ cloud_domain }}
mtu: 1500
name: ctlplane
tags:
Original file line number Diff line number Diff line change
Expand Up @@ -191,7 +191,7 @@ parameter_defaults:
ip_subnet: 172.19.0.0/24
CtlplaneNetworkAttributes:
network:
dns_domain: localdomain
dns_domain: {{ cloud_domain }}
mtu: 1500
name: ctlplane
tags:
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@
mtu: 1500
vip: true
name_lower: storage
dns_domain: storage.mydomain.tld.
dns_domain: storage.{{ cloud_domain }}.
service_net_map_replace: storage
subnets:
storage_subnet:
Expand All @@ -15,7 +15,7 @@
mtu: 1500
vip: true
name_lower: storage_mgmt
dns_domain: storagemgmt.mydomain.tld.
dns_domain: storagemgmt.{{ cloud_domain }}.
service_net_map_replace: storage_mgmt
subnets:
storage_mgmt_subnet:
Expand All @@ -27,7 +27,7 @@
mtu: 1500
vip: true
name_lower: internal_api
dns_domain: internal-api.mydomain.tld.
dns_domain: internal-api.{{ cloud_domain }}.
service_net_map_replace: internal_api
subnets:
internal_api_subnet:
Expand All @@ -39,7 +39,7 @@
mtu: 1500
vip: false # Tenant network does not use VIPs
name_lower: tenant
dns_domain: tenant.mydomain.tld.
dns_domain: tenant.{{ cloud_domain }}.
service_net_map_replace: tenant
subnets:
tenant_subnet:
Expand All @@ -51,7 +51,7 @@
mtu: 1500
vip: true
name_lower: external
dns_domain: external.mydomain.tld.
dns_domain: external.{{ cloud_domain }}.
service_net_map_replace: external
subnets:
external_subnet:
Original file line number Diff line number Diff line change
Expand Up @@ -45,12 +45,12 @@ parameter_defaults:
ComputeCount: 3
NeutronGlobalPhysnetMtu: 1350
CinderLVMLoopDeviceSize: 20480
CloudName: overcloud.localdomain
CloudNameInternal: overcloud.internalapi.localdomain
CloudNameStorage: overcloud.storage.localdomain
CloudNameStorageManagement: overcloud.storagemgmt.localdomain
CloudNameCtlplane: overcloud.ctlplane.localdomain
CloudDomain: localdomain
CloudName: overcloud.{{ cloud_domain }}
CloudNameInternal: overcloud.internalapi.{{ cloud_domain }}
CloudNameStorage: overcloud.storage.{{ cloud_domain }}
CloudNameStorageManagement: overcloud.storagemgmt.{{ cloud_domain }}
CloudNameCtlplane: overcloud.ctlplane.{{ cloud_domain }}
CloudDomain: {{ cloud_domain }}
NetworkConfigWithAnsible: false
ControllerNetworkConfigUpdate: false
ComputeNetworkConfigUpdate: false
40 changes: 40 additions & 0 deletions devsetup/tripleo/tripleo_install.sh
Expand Up @@ -169,6 +169,46 @@ if [ "$EDPM_COMPUTE_CEPH_ENABLED" = "true" ] ; then
/tmp/ceph.sh
fi

if [ "$TLSE_ENABLED" = "true" ]; then
ENV_ARGS+=" -e /usr/share/openstack-tripleo-heat-templates/environments/ssl/tls-everywhere-endpoints-dns.yaml"
ENV_ARGS+=" -e /usr/share/openstack-tripleo-heat-templates/environments/services/haproxy-public-tls-certmonger.yaml"
ENV_ARGS+=" -e /usr/share/openstack-tripleo-heat-templates/environments/ssl/enable-internal-tls.yaml"
ENV_ARGS+=" -e /usr/share/openstack-tripleo-heat-templates/environments/ssl/enable-memcached-tls.yaml"
ENV_ARGS+=" -e /usr/share/openstack-tripleo-heat-templates/ci/environments/standalone-ipa.yaml"
export IPA_ADMIN_USER=admin
export IPA_PRINCIPAL=$IPA_ADMIN_USER
export IPA_ADMIN_PASSWORD=fce95318204114530f31f885c9df588f
export IPA_PASSWORD=$IPA_ADMIN_PASSWORD
export UNDERCLOUD_FQDN=undercloud.$CLOUD_DOMAIN
export IPA_DOMAIN=$CLOUD_DOMAIN
export IPA_REALM=$(echo $IPA_DOMAIN | awk '{print toupper($0)}')
export IPA_HOST=ipa.$IPA_DOMAIN
export IPA_SERVER_HOSTNAME=$IPA_HOST
sudo mkdir /tmp/ipa-data
sudo podman run -d --name freeipa-server-container \
--sysctl net.ipv6.conf.lo.disable_ipv6=0 \
--security-opt seccomp=unconfined \
--ip 10.255.255.25 \
-e IPA_SERVER_IP=10.255.255.25 \
-e PASSWORD=$IPA_ADMIN_PASSWORD \
-h $IPA_SERVER_HOSTNAME \
-p 53:53/udp -p 53:53 -p 80:80 -p 443:443 \
-p 389:389 -p 636:636 -p 88:88 -p 464:464 \
-p 88:88/udp -p 464:464/udp \
--read-only --tmpfs /run --tmpfs /tmp \
-v /sys/fs/cgroup:/sys/fs/cgroup:ro \
-v /tmp/ipa-data:/data:Z quay.io/freeipa/freeipa-server:fedora-39 no-exit \
-U -r $IPA_REALM --setup-dns --no-reverse --no-ntp \
--no-dnssec-validation --auto-forwarders
timeout 900s grep -qEi '(INFO The ipa-server-install command was successful|ERROR The ipa-server-install command failed)' <(sudo tail -F /tmp/ipa-data/var/log/ipaserver-install.log)
cat <<EOF > ipa_resolv.conf
search ${CLOUD_DOMAIN}
nameserver 10.255.255.25
EOF
sudo mv ipa_resolv.conf /etc/resolv.conf
ansible-playbook /usr/share/ansible/tripleo-playbooks/undercloud-ipa-install.yaml
fi

openstack overcloud deploy --stack overcloud \
--override-ansible-cfg /home/zuul/ansible_config.cfg --templates /usr/share/openstack-tripleo-heat-templates \
--roles-file ${ROLES_FILE} -n /home/zuul/network_data.yaml --libvirt-type qemu \
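Review bot: The wait on the install log, `timeout 900s grep -qEi '(INFO ... successful|ERROR ... failed)' <(sudo tail -F ...)`, exits 0 for the failure message as well as the success one, so an unsuccessful ipa-server-install falls straight through to `ansible-playbook /usr/share/ansible/tripleo-playbooks/undercloud-ipa-install.yaml`; the log should be re-checked for the success string after the wait and the script should stop otherwise (what a timeout does depends on whether the script runs under `set -e`, which is not visible in the hunk). `sudo mkdir /tmp/ipa-data` has no `-p`, so a second run on the same host fails before the container starts. `export IPA_ADMIN_PASSWORD=fce95318204114530f31f885c9df588f` checks a fixed admin credential into the repository for a server whose LDAP, Kerberos and HTTP ports are published on the host by the `-p` mappings; reading it from the environment with a per-run generated fallback keeps the variable names the rest of the block relies on while removing the constant. The `--security-opt seccomp=unconfined` relaxation also deserves a one-line comment on why the FreeIPA container needs it.
```shell
# … unchanged: ENV_ARGS appends, IPA_ADMIN_USER/IPA_PRINCIPAL exports …
export IPA_ADMIN_PASSWORD=${IPA_ADMIN_PASSWORD:-$(openssl rand -hex 16)}
# … unchanged: remaining IPA_* and UNDERCLOUD_FQDN exports …
sudo mkdir -p /tmp/ipa-data
# … unchanged: podman run freeipa-server-container … …
timeout 900s grep -qEi '(INFO The ipa-server-install command was successful|ERROR The ipa-server-install command failed)' <(sudo tail -F /tmp/ipa-data/var/log/ipaserver-install.log)
if ! sudo grep -qi 'INFO The ipa-server-install command was successful' /tmp/ipa-data/var/log/ipaserver-install.log; then
    echo "FreeIPA server install did not succeed; see /tmp/ipa-data/var/log/ipaserver-install.log"
    exit 1
fi
# … unchanged: ipa_resolv.conf, undercloud-ipa-install.yaml playbook …
```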
16 changes: 11 additions & 5 deletions devsetup/tripleo/undercloud.conf.j2
Expand Up @@ -13,7 +13,7 @@
# the user is responsible for configuring all system hostname settings
# appropriately. If set, the undercloud install will configure all
# system hostname settings. (string value)
undercloud_hostname = undercloud.localdomain
undercloud_hostname = undercloud.{{ cloud_domain }}

# IP information for the interface on the Undercloud that will be
# handling the PXE boots and DHCP for Overcloud instances. The IP
Expand All @@ -30,13 +30,13 @@ local_mtu = {{ interface_mtu }}
# Undercloud services. Only used with SSL. (string value)
# Deprecated group/name - [DEFAULT]/undercloud_public_vip
#undercloud_public_host = 192.168.24.2
undercloud_public_host = 192.168.122.122
undercloud_public_host = 192.168.122.99

# Virtual IP or DNS address to use for the admin endpoints of
# Undercloud services. Only used with SSL. (string value)
# Deprecated group/name - [DEFAULT]/undercloud_admin_vip
#undercloud_admin_host = 192.168.24.3
undercloud_admin_host = 192.168.122.123
undercloud_admin_host = 192.168.122.99

# Nameserver for the Undercloud node.
# (string value)
Expand All @@ -51,7 +51,10 @@ undercloud_timezone = UTC
# DNS domain name to use when deploying the overcloud. The overcloud
# parameter "CloudDomain" must be set to a matching value. (string
# value)
#overcloud_domain_name = localdomain
{% if cloud_domain != 'localdomain' %}
overcloud_domain_name = {{ cloud_domain }}
{% endif %}


# Certificate file to use for OpenStack service SSL connections.
# Setting this enables SSL for the OpenStack API endpoints, leaving it
Expand All @@ -65,8 +68,11 @@ undercloud_timezone = UTC
# /etc/pki/tls/certs/undercloud-[undercloud_public_vip].pem. This
# certificate is signed by CA selected by the
# "certificate_generation_ca" option. (boolean value)
#generate_service_certificate = true
{% if cloud_domain == 'localdomain' %}
generate_service_certificate = False
{% else %}
generate_service_certificate = True
{% endif %}

# The certmonger nickname of the CA from which the certificate will be
# requested. This is used only if the generate_service_certificate
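Review bot: `generate_service_certificate` and `overcloud_domain_name` are now switched on `{% if cloud_domain != 'localdomain' %}`, so the domain name stands in for the TLS-everywhere flag: a deployment with a custom domain but `TLSE_ENABLED=false` has service certificate generation turned on, while the real switch never reaches this template (the J2 vars file written by tripleo.sh carries `cloud_domain` but nothing for TLS). Adding `tlse_enabled: ${TLSE_ENABLED}` to that vars file and testing `{% if tlse_enabled == 'true' %}` here would keep the two settings independent; the `overcloud_domain_name` guard can stay keyed on the domain. The change of `undercloud_public_host` and `undercloud_admin_host` from two addresses to the single `192.168.122.99` appears unrelated to the commit's stated purpose and is not explained; if both VIPs are meant to collapse onto one address for the certificate, a comment above those lines saying so would help.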

0 comments on commit 9fbd7ca
