
Commit 80700ee

committed
Enable external TLS using Vault CA
This requires a new vault-generate-test-external-tls.yml custom playbook in stackhpc-kayobe-config and associated config in the ci-multinode environment.
1 parent b35ff26 commit 80700ee


1 file changed

+12
-0
lines changed


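--- a/templates/deploy-openstack.tpl
+++ b/templates/deploy-openstack.tpl
@@ -91,6 +91,12 @@ kayobe overcloud service deploy --skip-tags os_capacity -kt haproxy
 kayobe playbook run $KAYOBE_CONFIG_PATH/ansible/vault-deploy-overcloud.yml
 ansible-vault encrypt --vault-password-file ~/vault.password $KAYOBE_CONFIG_PATH/environments/$KAYOBE_ENVIRONMENT/vault/overcloud-vault-keys.json
 
+# Generate external tls certificates
+if [[ -f $KAYOBE_CONFIG_PATH/ansible/vault-generate-test-external-tls.yml ]]; then
+kayobe playbook run $KAYOBE_CONFIG_PATH/ansible/vault-generate-test-external-tls.yml
+ansible-vault encrypt --vault-password-file ~/vault.password $KAYOBE_CONFIG_PATH/environments/$KAYOBE_ENVIRONMENT/kolla/certificates/haproxy.pem
+fi
+
 # Generate internal tls certificates
 kayobe playbook run $KAYOBE_CONFIG_PATH/ansible/vault-generate-internal-tls.yml
 ansible-vault encrypt --vault-password-file ~/vault.password $KAYOBE_CONFIG_PATH/environments/$KAYOBE_ENVIRONMENT/kolla/certificates/haproxy-internal.pem
@@ -102,6 +108,7 @@ ansible-vault encrypt --vault-password-file ~/vault.password $KAYOBE_CONFIG_PATH
 %{ endfor ~}
 
 # Set config to use tls
+sed -i 's/# kolla_enable_tls_external: true/kolla_enable_tls_external: true/g' $KAYOBE_CONFIG_PATH/environments/$KAYOBE_ENVIRONMENT/kolla.yml
 sed -i 's/# kolla_enable_tls_internal: true/kolla_enable_tls_internal: true/g' $KAYOBE_CONFIG_PATH/environments/$KAYOBE_ENVIRONMENT/kolla.yml
 cat $KAYOBE_CONFIG_PATH/environments/$KAYOBE_ENVIRONMENT/kolla/globals-tls-config.yml >> $KAYOBE_CONFIG_PATH/environments/$KAYOBE_ENVIRONMENT/kolla/globals.yml
 
@@ -133,6 +140,11 @@ set +x
 source $${KOLLA_CONFIG_PATH}/public-openrc.sh
 set -x
 
+# Add the Vault CA to the trust store on the seed.
+scp -oStrictHostKeyChecking=no $KAYOBE_CONFIG_PATH/environments/$KAYOBE_ENVIRONMENT/kolla/certificates/ca/vault.crt ${ ssh_user }@${ seed_addr }:
+ssh -oStrictHostKeyChecking=no ${ ssh_user }@${ seed_addr } sudo cp vault.crt /etc/pki/ca-trust/source/anchors/OS-TLS-ROOT.crt
+ssh -oStrictHostKeyChecking=no ${ ssh_user }@${ seed_addr } sudo update-ca-trust
+
 ~/src/openstack-config/tools/openstack-config -- -e ansible_user=${ ssh_user }
 
 git -C $${config_directories[kayobe]} submodule init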
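Review bot: The external-TLS enablement is inconsistent across the three hunks: certificate generation in the first hunk is guarded by `if [[ -f $KAYOBE_CONFIG_PATH/ansible/vault-generate-test-external-tls.yml ]]`, but the new `sed` in the second hunk flips `kolla_enable_tls_external: true` unconditionally, and the CA install on the seed in the third hunk runs unconditionally too, so an environment without that playbook would have external TLS enabled with no `haproxy.pem` generated. Reusing the same guard around the `sed` line, `if [[ -f $KAYOBE_CONFIG_PATH/ansible/vault-generate-test-external-tls.yml ]]; then sed -i '...' ...; fi` (or setting a flag in the first hunk and testing it in the other two), keeps the three steps in step. Separately, the trust anchor is copied and installed over `scp`/`ssh -oStrictHostKeyChecking=no`, so the root CA the seed will trust is received over a hop whose peer identity is not verified; pinning the seed's host key in a known_hosts file for this run, or checking the fingerprint of the installed `OS-TLS-ROOT.crt` against the local `vault.crt` after `update-ca-trust`, would close that gap. The `/etc/pki/ca-trust/source/anchors` path and `update-ca-trust` appear to assume a RHEL-family seed; if the template is also rendered for other distributions, that presumably needs a branch. The enclosing script continues outside these hunks.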

