Merge pull request #49 from stackhpc/external-tls

markgoddard · web-flow · commit 7e11de618848 · 2024-04-30T13:57:04.000+01:00
Enable external TLS using Vault CA
diff --git a/templates/deploy-openstack.tpl b/templates/deploy-openstack.tpl
@@ -91,6 +91,12 @@ kayobe overcloud service deploy --skip-tags os_capacity -kt haproxy
 kayobe playbook run $KAYOBE_CONFIG_PATH/ansible/vault-deploy-overcloud.yml
 ansible-vault encrypt --vault-password-file ~/vault.password $KAYOBE_CONFIG_PATH/environments/$KAYOBE_ENVIRONMENT/vault/overcloud-vault-keys.json
 
+# Generate external tls certificates
+if [[ -f $KAYOBE_CONFIG_PATH/ansible/vault-generate-test-external-tls.yml ]]; then
+  kayobe playbook run $KAYOBE_CONFIG_PATH/ansible/vault-generate-test-external-tls.yml
+  ansible-vault encrypt --vault-password-file ~/vault.password $KAYOBE_CONFIG_PATH/environments/$KAYOBE_ENVIRONMENT/kolla/certificates/haproxy.pem
+fi
+
 # Generate internal tls certificates
 kayobe playbook run $KAYOBE_CONFIG_PATH/ansible/vault-generate-internal-tls.yml
 ansible-vault encrypt --vault-password-file ~/vault.password $KAYOBE_CONFIG_PATH/environments/$KAYOBE_ENVIRONMENT/kolla/certificates/haproxy-internal.pem
@@ -102,6 +108,7 @@ ansible-vault encrypt --vault-password-file ~/vault.password $KAYOBE_CONFIG_PATH
 %{ endfor ~}
 
 # Set config to use tls
+sed -i 's/# kolla_enable_tls_external: true/kolla_enable_tls_external: true/g' $KAYOBE_CONFIG_PATH/environments/$KAYOBE_ENVIRONMENT/kolla.yml
 sed -i 's/# kolla_enable_tls_internal: true/kolla_enable_tls_internal: true/g' $KAYOBE_CONFIG_PATH/environments/$KAYOBE_ENVIRONMENT/kolla.yml
 cat $KAYOBE_CONFIG_PATH/environments/$KAYOBE_ENVIRONMENT/kolla/globals-tls-config.yml >> $KAYOBE_CONFIG_PATH/environments/$KAYOBE_ENVIRONMENT/kolla/globals.yml
 
@@ -121,7 +128,7 @@ kayobe overcloud service deploy
 %{ if deploy_wazuh }
 # Deploy Wazuh
 kayobe playbook run $KAYOBE_CONFIG_PATH/ansible/wazuh-secrets.yml
-ansible-vault encrypt --vault-password-file ~/vault.password  $KAYOBE_CONFIG_PATH/environments/ci-multinode/wazuh-secrets.yml
+ansible-vault encrypt --vault-password-file ~/vault.password  $KAYOBE_CONFIG_PATH/environments/$KAYOBE_ENVIRONMENT/wazuh-secrets.yml
 kayobe playbook run $KAYOBE_CONFIG_PATH/ansible/wazuh-manager.yml
 kayobe playbook run $KAYOBE_CONFIG_PATH/ansible/wazuh-agent.yml
 %{ endif }
@@ -133,7 +140,12 @@ set +x
 source $${KOLLA_CONFIG_PATH}/public-openrc.sh
 set -x
 
-~/src/openstack-config/tools/openstack-config -- -e ansible_user=${ ssh_user }
+# Add the Vault CA to the trust store on the seed.
+scp -oStrictHostKeyChecking=no $KAYOBE_CONFIG_PATH/environments/$KAYOBE_ENVIRONMENT/kolla/certificates/ca/vault.crt ${ ssh_user }@${ seed_addr }:
+ssh -oStrictHostKeyChecking=no ${ ssh_user }@${ seed_addr } sudo cp vault.crt /etc/pki/ca-trust/source/anchors/OS-TLS-ROOT.crt
+ssh -oStrictHostKeyChecking=no ${ ssh_user }@${ seed_addr } sudo update-ca-trust
+
+~/src/openstack-config/tools/openstack-config
 
 git -C $${config_directories[kayobe]} submodule init
 git -C $${config_directories[kayobe]} submodule update
