Adding vars and needed bits to enable tls in adoption multinode job

This adds enable_tls for the multinode-no-ceph job as part of [1]. It passes the enable-tls and cloud domain vars through to the tripleo deployment and adoption tests execution. Includes needed workarounds for TLS such as creating missing /etc/pki/CA directory, updating resolv.conf and creating needed IP route for overcloud nodes. Depends-On: openstack-k8s-operators/install_yamls#897 [1] https://issues.redhat.com/browse/OSPRH-8973 Change-Id: I440f123df34b2ba0a118ecaceb90fb44bad63ae5
rdo-infra · Oct 11, 2024 · 0d13901 · 0d13901
1 parent a9a8bff
commit 0d13901
Show file tree

Hide file tree

Showing 5 changed files with 54 additions and 2 deletions.
diff --git a/playbooks/data_plane_adoption/deploy_tripleo_run_repo_tests.yaml b/playbooks/data_plane_adoption/deploy_tripleo_run_repo_tests.yaml
@@ -69,6 +69,42 @@
             state: present
           loop: "{{ groups['rh-subscription'] }}"
 
+    - name: Setup overcloud nodes for free-ipa when enable_tls true
+      when: enable_tls|default('false')|bool
+      vars:
+        overcloud_hosts: "{{ groups['rh-subscription'] | reject('search', 'undercloud') | list }}"
+      block:
+        - name: Install ipa-client on all nodes
+          delegate_to: "{{ item }}"
+          become: true
+          ansible.builtin.package:
+            name: ipa-client
+            state: present
+          loop: "{{ groups['rh-subscription'] }}"
+        - name: Template etc resolv.conf on tripleo overcloud nodes when enable_tls
+          delegate_to: "{{ item }}"
+          become: true
+          ansible.builtin.template:
+            src: "{{ playbook_dir }}/files/ipa_resolv_conf.j2"
+            dest: "/etc/resolv.conf"
+            owner: root
+            group: root
+            mode: 0644
+          loop: "{{ overcloud_hosts }}"
+        - name: Add ip route via ctlplane for overcloud nodes to reach the ipaserver dns
+          delegate_to: "{{ item }}"
+          become: true
+          ansible.builtin.shell: "ip route add {{ ipa_container_ip | default('10.255.255.25') }} via 192.168.122.100 dev br-ex"
+          loop: "{{ overcloud_hosts }}"
+        - name: Create expected /etc/pki/CA directory on overcloud nodes
+          delegate_to: "{{ item }}"
+          become: true
+          ansible.builtin.file:
+            path: /etc/pki/CA
+            state: directory
+            mode: '0755'
+          loop: "{{ overcloud_hosts }}"
+
     - name: Write repo commands and deploy undercloud with install_yamls
       block:
         - name: Write out the repo setup commands to file for undercloud to use
@@ -96,6 +132,8 @@
             -e "use_ceph={{ use_ceph | default('false') }}"
             -e "multi_cell={{ multi_cell | default(false) }}"
             -e "enable_telemetry={{ enable_telemetry | default('false') }}"
+            -e "cloud_domain={{ cloud_domain | default('localdomain') }}"
+            -e "enable_tls={{ enable_tls | default('false') }}"
           args:
             chdir: "{{ framework_dir }}"
 
@@ -271,6 +309,12 @@
         regexp: "'^prelaunch_barbican_secret:'"
         value: "prelaunch_barbican_secret: {{ enable_barbican | default('false') }}"
 
+    - name: Set ipa_ssh var in secrets.yaml
+      ansible.builtin.lineinfile:
+        path: "{{ rdo_dir }}/secrets.yaml"
+        regexp: 'ipa_ssh:'
+        value: "ipa_ssh: ssh -i {{ standalone_private_key | default('/home/zuul/src/github.com/openstack-k8s-operators/install_yamls/out/edpm/ansibleee-ssh-key-id_rsa') }} root@{{ standalone_ip }} podman exec -ti freeipa-server-container"
+
     - name: Insert vars for data plane operator and os-net-config with zuul native undercloud node
       ansible.builtin.blockinfile:
         marker_begin: "BEGIN os-net-config vars"

diff --git a/playbooks/data_plane_adoption/files/ipa_resolv_conf.j2 b/playbooks/data_plane_adoption/files/ipa_resolv_conf.j2
@@ -0,0 +1,2 @@
+search {{ cloud_domain | default('ooo.test') }}
+nameserver {{ ipa_container_ip | default('10.255.255.25') }}
diff --git a/playbooks/data_plane_adoption/install_yamls_deploy_tripleo.yaml b/playbooks/data_plane_adoption/install_yamls_deploy_tripleo.yaml
@@ -22,6 +22,7 @@
           EDPM_COMPUTE_CELLS: "{% if multi_cell | bool | default(false) %}3{% else %}1{% endif %}"
           EDPM_CONFIGURE_NETWORKING: 'false'
           DNS_DOMAIN: "{{ cloud_domain | default('localdomain') }}"
+          TLS_ENABLED: "{{ enable_tls | default('false') }}"
           RH_REGISTRY_PWD: ""
           RH_REGISTRY_USER: ""
           TELEMETRY_ENABLED: "{{ enable_telemetry | default('false') }}"

diff --git a/playbooks/data_plane_adoption/setup_tripleo_os_net_config.yaml b/playbooks/data_plane_adoption/setup_tripleo_os_net_config.yaml
@@ -114,8 +114,8 @@
             hostname_str_array=(${hostname//./ })
             echo ${hostname_str_array[0]} > /home/zuul/ansible_hostname
 
-        - name: Set expected overcloud hostname with .localdomain
+        - name: "Set expected overcloud hostname with {{ cloud_domain | default('localdomain') }}"
           become: true
           ansible.builtin.shell: |
             hostname=$(cat /home/zuul/ansible_hostname)
-            hostnamectl hostname "$hostname.localdomain"
+            hostnamectl hostname "$hostname.{{ cloud_domain | default('localdomain') }}"
diff --git a/zuul.d/container-jobs-antelope-centos9.yaml b/zuul.d/container-jobs-antelope-centos9.yaml
@@ -119,6 +119,9 @@
     description: multinode source OSP 17.1 adopted to crc RHOSO 18. No Ceph, no TLS.
     parent: adoption-multinode-to-crc-no-ceph
     vars:
+      enable_tls: "true"
+      cloud_domain: "ooo.test"
+      ipa_container_ip: "10.255.255.25"
       registry_namespace: podified-antelope-centos9
       openstack_release: antelope
       promote_source: podified-ci-testing
@@ -157,6 +160,8 @@
       use_ceph: "true"
       migrate_ceph: true
       dpa_test_suite: "test-with-ceph"
+      enable_tls: "false"
+      cloud_domain: "localdomain"
       registry_namespace: podified-antelope-centos9
       openstack_release: antelope
       promote_source: podified-ci-testing