Add CA choice template to multinode.sh #93

Open
wants to merge 1 commit into
base: main
4 changes: 2 additions & 2 deletions ansible/deploy-openstack-config.yml
@@ -179,8 +179,8 @@
mode: "0644"

- name: Ensure multinode.sh script is present
ansible.builtin.copy:
src: "files/multinode.sh"
ansible.builtin.template:
src: "templates/multinode.sh.j2"
dest: "/usr/local/bin/multinode.sh"
mode: "0755"
become: true
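Review bot: the `ansible.builtin.template` task renders `certificate_authority` straight into a script installed at `/usr/local/bin/multinode.sh` with mode 0755 and run as root, but nothing in this hunk checks the value first. Add an `ansible.builtin.assert` before this task, e.g. `that: certificate_authority in ['openbao', 'vault']` with a `fail_msg`, so an unexpected value fails the play instead of producing a script whose function names, playbook paths and `encrypt_file` targets contain it. The move from `files/multinode.sh` to `templates/multinode.sh.j2` also changes where people look for the script; worth a line in the commit message or docs.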
48 changes: 24 additions & 24 deletions ansible/files/multinode.sh → ansible/templates/multinode.sh.j2
Member

I'd prefer it if we kept this as a regular file rather than a template. It makes it easier to use & debug. Is there another way we could do this?

Member Author


We can have two separate multinode.sh files: one for openbao and another for vault. Then conditionally copy only one of them to the control host?

Member


From discussions in other channels, we've agreed the best solution would be to unify the playbooks in SKC and make one generic set. For example, we replace openbao-unseal-overcloud.yml and vault-unseal-overcloud.yml with secret-store-unseal-overcloud.yml. We could then have a single variable in SKC to switch between the two types.
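As an added example (not code from this PR or from the project), one way to answer the first reviewer's question and keep `multinode.sh` a regular file: read the secret store choice from an environment variable at run time, validate it against an allow-list, and derive the playbook and key paths from the validated name. `SECRET_STORE`, the function names and the `example-env` default for `KAYOBE_ENVIRONMENT` are assumptions; `run_kayobe` and `encrypt_file` are the helpers the existing script already defines.

```shell
#!/bin/sh
# Added example, not part of the PR or the project: select the secret store at
# run time instead of rendering multinode.sh from a Jinja2 template.
# Assumptions: SECRET_STORE is the selector variable; run_kayobe and encrypt_file
# are the helpers multinode.sh already provides.
set -eu

: "${KAYOBE_CONFIG_PATH:=.}"            # assumed defaults so the example runs stand-alone
: "${KAYOBE_ENVIRONMENT:=example-env}"

# Accept only the two supported backends. The name is later spliced into file
# paths and kayobe command lines, so anything else is rejected up front.
validate_secret_store() {
    case "$1" in
        openbao|vault) printf '%s\n' "$1" ;;
        *) echo "unsupported secret store '$1' (valid: openbao, vault)" >&2; return 1 ;;
    esac
}

# Resolve the selector from the environment, defaulting to openbao as the PR does.
secret_store() {
    validate_secret_store "${SECRET_STORE:-openbao}"
}

# Playbook path for a deployment step, e.g. "vault deploy-seed" gives
# $KAYOBE_CONFIG_PATH/ansible/vault-deploy-seed.yml
secret_store_playbook() {
    local store
    store=$(validate_secret_store "$1") || return 1
    printf '%s/ansible/%s-%s.yml\n' "$KAYOBE_CONFIG_PATH" "$store" "$2"
}

# Directory the secret store playbooks write their keys and certificates to.
secret_store_dir() {
    local store
    store=$(validate_secret_store "$1") || return 1
    printf '%s/environments/%s/%s\n' "$KAYOBE_CONFIG_PATH" "$KAYOBE_ENVIRONMENT" "$store"
}

# Same steps as deploy_seed_{{ certificate_authority }} in the PR, with the
# backend resolved once and a fixed function name that is easy to grep for.
deploy_seed_secret_store() {
    local store dir key
    store=$(secret_store) || return 1
    dir=$(secret_store_dir "$store")
    run_kayobe playbook run "$(secret_store_playbook "$store" deploy-seed)"
    encrypt_file "$dir/OS-TLS-INT.pem"
    encrypt_file "$dir/seed-$store-keys.json"
    for key in "$dir"/*.key; do
        if [ -e "$key" ]; then
            encrypt_file "$key"
        fi
    done
}
```

Because the backend name never reaches a command line or a path until `validate_secret_store` has accepted it, a typo or an unexpected value fails loudly at the start of the run rather than producing a half-deployed environment.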

@@ -113,12 +113,12 @@ function deploy_seed() {
run_kayobe seed host configure
}

function deploy_seed_vault() {
# Deploy hashicorp vault to the seed
run_kayobe playbook run $KAYOBE_CONFIG_PATH/ansible/vault-deploy-seed.yml
encrypt_file $KAYOBE_CONFIG_PATH/environments/$KAYOBE_ENVIRONMENT/vault/OS-TLS-INT.pem
encrypt_file $KAYOBE_CONFIG_PATH/environments/$KAYOBE_ENVIRONMENT/vault/seed-vault-keys.json
encrypt_file $KAYOBE_CONFIG_PATH/environments/$KAYOBE_ENVIRONMENT/vault/*.key
function deploy_seed_{{ certificate_authority }}() {
# Deploy {{ certificate_authority }} to the seed
run_kayobe playbook run $KAYOBE_CONFIG_PATH/ansible/{{ certificate_authority }}-deploy-seed.yml
encrypt_file $KAYOBE_CONFIG_PATH/environments/$KAYOBE_ENVIRONMENT/{{ certificate_authority }}/OS-TLS-INT.pem
encrypt_file $KAYOBE_CONFIG_PATH/environments/$KAYOBE_ENVIRONMENT/{{ certificate_authority }}/seed-{{ certificate_authority }}-keys.json
encrypt_file $KAYOBE_CONFIG_PATH/environments/$KAYOBE_ENVIRONMENT/{{ certificate_authority }}/*.key
}

function get_seed_ssh() {
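Review bot: templating the function name (`deploy_seed_{{ certificate_authority }}`) means the rendered script has a different set of functions depending on the variable, which is exactly what makes it harder to read and debug; templating only the playbook name and the paths while keeping a fixed name such as `deploy_seed_secret_store` gives the same behaviour with a stable script. The paths `{{ certificate_authority }}/seed-{{ certificate_authority }}-keys.json` and `{{ certificate_authority }}/*.key` also assume `openbao-deploy-seed.yml` writes to exactly those locations; that playbook is not in this diff, so please confirm the names match before merging.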
@@ -130,15 +130,15 @@ function get_seed_ssh() {
}

function copy_ca_to_seed() {
# Add the Vault CA to the trust store on the seed.
# Add the {{ certificate_authority }} CA to the trust store on the seed.
seed_ssh=$(get_seed_ssh)

scp -oStrictHostKeyChecking=no $KAYOBE_CONFIG_PATH/environments/$KAYOBE_ENVIRONMENT/kolla/certificates/ca/vault.crt ${seed_ssh}:
scp -oStrictHostKeyChecking=no $KAYOBE_CONFIG_PATH/environments/$KAYOBE_ENVIRONMENT/kolla/certificates/ca/{{ certificate_authority }}.crt ${seed_ssh}:
if [[ $(grep '^ID=' /etc/os-release | cut -d= -f2) == "ubuntu" ]]; then
ssh -oStrictHostKeyChecking=no ${seed_ssh} sudo cp vault.crt /usr/local/share/ca-certificates/OS-TLS-ROOT.crt
ssh -oStrictHostKeyChecking=no ${seed_ssh} sudo cp {{ certificate_authority }}.crt /usr/local/share/ca-certificates/OS-TLS-ROOT.crt
ssh -oStrictHostKeyChecking=no ${seed_ssh} sudo update-ca-certificates
else
ssh -oStrictHostKeyChecking=no ${seed_ssh} sudo cp vault.crt /etc/pki/ca-trust/source/anchors/OS-TLS-ROOT.crt
ssh -oStrictHostKeyChecking=no ${seed_ssh} sudo cp {{ certificate_authority }}.crt /etc/pki/ca-trust/source/anchors/OS-TLS-ROOT.crt
ssh -oStrictHostKeyChecking=no ${seed_ssh} sudo update-ca-trust
fi
}
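Review bot: the OS check in the context lines reads `/etc/os-release` on the host running `multinode.sh`, not on the seed, yet its result decides whether the CA lands in `/usr/local/share/ca-certificates` or `/etc/pki/ca-trust/source/anchors` on the seed; that only works when both hosts run the same distribution family. Since this function is being touched anyway, run the check over the existing connection (`ssh ${seed_ssh} grep '^ID=' /etc/os-release`). Separately, `-oStrictHostKeyChecking=no` on both the `scp` and the `ssh` means a root CA is being installed into the seed's trust store over a connection whose host key was never verified; `StrictHostKeyChecking=accept-new`, or pinning the seed's key, is cheap here.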
@@ -150,31 +150,31 @@ function deploy_ceph() {
run_kayobe playbook run $KAYOBE_CONFIG_PATH/ansible/cephadm-gather-keys.yml
}

function deploy_overcloud_vault() {
function deploy_overcloud_{{ certificate_authority }}() {
# NOTE: Previously it was necessary to first deploy HAProxy with TLS disabled.
if [[ -f $KAYOBE_CONFIG_PATH/environments/$KAYOBE_ENVIRONMENT/kolla/globals-tls-config.yml ]]; then
# Skip os_capacity deployment since it requires admin-openrc.sh which doesn't exist yet.
run_kayobe overcloud service deploy --skip-tags os_capacity -kt haproxy
fi

# Deploy hashicorp vault to the controllers
run_kayobe playbook run $KAYOBE_CONFIG_PATH/ansible/vault-deploy-overcloud.yml
encrypt_file $KAYOBE_CONFIG_PATH/environments/$KAYOBE_ENVIRONMENT/vault/overcloud-vault-keys.json
# Deploy {{ certificate_authority }} to the controllers
run_kayobe playbook run $KAYOBE_CONFIG_PATH/ansible/{{ certificate_authority }}-deploy-overcloud.yml
encrypt_file $KAYOBE_CONFIG_PATH/environments/$KAYOBE_ENVIRONMENT/{{ certificate_authority }}/overcloud-{{ certificate_authority }}-keys.json
}

function generate_overcloud_certs() {
# Generate external tls certificates
if [[ -f $KAYOBE_CONFIG_PATH/ansible/vault-generate-test-external-tls.yml ]]; then
run_kayobe playbook run $KAYOBE_CONFIG_PATH/ansible/vault-generate-test-external-tls.yml
if [[ -f $KAYOBE_CONFIG_PATH/ansible/{{ certificate_authority }}-generate-test-external-tls.yml ]]; then
run_kayobe playbook run $KAYOBE_CONFIG_PATH/ansible/{{ certificate_authority }}-generate-test-external-tls.yml
encrypt_file $KAYOBE_CONFIG_PATH/environments/$KAYOBE_ENVIRONMENT/kolla/certificates/haproxy.pem
fi

# Generate internal tls certificates
run_kayobe playbook run $KAYOBE_CONFIG_PATH/ansible/vault-generate-internal-tls.yml
run_kayobe playbook run $KAYOBE_CONFIG_PATH/ansible/{{ certificate_authority }}-generate-internal-tls.yml
encrypt_file $KAYOBE_CONFIG_PATH/environments/$KAYOBE_ENVIRONMENT/kolla/certificates/haproxy-internal.pem

# Generate backend tls certificates
run_kayobe playbook run $KAYOBE_CONFIG_PATH/ansible/vault-generate-backend-tls.yml
run_kayobe playbook run $KAYOBE_CONFIG_PATH/ansible/{{ certificate_authority }}-generate-backend-tls.yml
for cert in $(ls -1 $KAYOBE_CONFIG_PATH/environments/$KAYOBE_ENVIRONMENT/kolla/certificates/*-key.pem); do
encrypt_file $cert
done
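Review bot: the loop `for cert in $(ls -1 .../*-key.pem)` in the context lines word-splits the output of `ls`, so a path with whitespace breaks it and a non-matching glob passes the literal pattern to `encrypt_file`; iterate over the glob directly (`for cert in "$KAYOBE_CONFIG_PATH"/environments/"$KAYOBE_ENVIRONMENT"/kolla/certificates/*-key.pem`) and quote `"$cert"`. The templated comments will render as `Deploy openbao to the controllers`; since the variable holds the lower-case playbook prefix, keep the human-facing comment generic (`Deploy the secret store to the controllers`) rather than templating it.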
@@ -192,11 +192,11 @@ function generate_overcloud_certs() {
}

function generate_barbican_secrets() {
# Create vault configuration for barbican
# Create {{ certificate_authority }} configuration for barbican
decrypt_file $KAYOBE_CONFIG_PATH/environments/$KAYOBE_ENVIRONMENT/secrets.yml
sed -i "s/secret_id:.*/secret_id: $(uuidgen)/g" $KAYOBE_CONFIG_PATH/environments/$KAYOBE_ENVIRONMENT/secrets.yml
encrypt_file $KAYOBE_CONFIG_PATH/environments/$KAYOBE_ENVIRONMENT/secrets.yml
run_kayobe playbook run $KAYOBE_CONFIG_PATH/ansible/vault-deploy-barbican.yml
run_kayobe playbook run $KAYOBE_CONFIG_PATH/ansible/{{ certificate_authority }}-deploy-barbican.yml
decrypt_file $KAYOBE_CONFIG_PATH/environments/$KAYOBE_ENVIRONMENT/secrets.yml
sed -i "s/role_id:.*/role_id: $(cat /tmp/barbican-role-id)/g" $KAYOBE_CONFIG_PATH/environments/$KAYOBE_ENVIRONMENT/secrets.yml
encrypt_file $KAYOBE_CONFIG_PATH/environments/$KAYOBE_ENVIRONMENT/secrets.yml
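Review bot: only the playbook name is templated here, but the function still reads the role id from the fixed path `/tmp/barbican-role-id`, so the new `openbao-deploy-barbican.yml` must write the same file or the `sed` substitutes an empty `role_id:` into `secrets.yml` and silently re-encrypts it. Fail if the file is missing or empty before the `sed` runs, and consider having the playbook hand the id back somewhere other than a predictable, world-writable `/tmp` path on the control host.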
Expand All @@ -208,9 +208,9 @@ function deploy_overcloud() {

deploy_ceph

deploy_seed_vault
deploy_seed_{{ certificate_authority }}

deploy_overcloud_vault
deploy_overcloud_{{ certificate_authority }}

generate_overcloud_certs

@@ -354,8 +354,8 @@ function deploy_full() {

function upgrade_overcloud() {
# Generate external tls certificates if it was previously disabled.
if [[ -f $KAYOBE_CONFIG_PATH/ansible/vault-generate-test-external-tls.yml ]] && [[ ! -f $KAYOBE_CONFIG_PATH/environments/$KAYOBE_ENVIRONMENT/kolla/certificates/haproxy.pem ]]; then
run_kayobe playbook run $KAYOBE_CONFIG_PATH/ansible/vault-generate-test-external-tls.yml
if [[ -f $KAYOBE_CONFIG_PATH/ansible/{{ certificate_authority }}-generate-test-external-tls.yml ]] && [[ ! -f $KAYOBE_CONFIG_PATH/environments/$KAYOBE_ENVIRONMENT/kolla/certificates/haproxy.pem ]]; then
run_kayobe playbook run $KAYOBE_CONFIG_PATH/ansible/{{ certificate_authority }}-generate-test-external-tls.yml
encrypt_file $KAYOBE_CONFIG_PATH/environments/$KAYOBE_ENVIRONMENT/kolla/certificates/haproxy.pem
fi

4 changes: 4 additions & 0 deletions ansible/vars/defaults.yml
@@ -95,3 +95,7 @@ pvresize_to_max: true

# Whether to upgrade the Ansible control host.
upgrade: false

# Name of secret store to use as Certificate Authority.
# Valid options are: openbao, vault
certificate_authority: openbao
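Review bot: defaulting to `openbao` flips any existing deployment that never set this variable from the `vault-*` playbooks to the `openbao-*` ones on its next `multinode.sh` run, including `upgrade_overcloud`; either default to `vault` for compatibility or call the change out as breaking. The comment lists the valid options but nothing enforces them, so a typo produces a non-existent playbook path rather than a clear error; validate the value where it is consumed. Naming: the value selects a secret store, which is what the discussion also calls it, so `secret_store` describes it better than `certificate_authority`, which reads as the name of a CA.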