Merge pull request #559 from stackhpc/multinode-tls

Alex-Welsh · web-flow · commit 02a992d0253b · 2023-07-19T09:06:10.000+01:00
Support TLS &amp; HCP Vault PKI in the multinode env
diff --git a/doc/source/configuration/vault.rst b/doc/source/configuration/vault.rst
@@ -36,6 +36,8 @@ Before beginning the deployment of vault for openstack internal TLS and backend
 
   * Seed Node or a host to run the vault container on
   * Overcloud controller hosts to install second vault on
+  * Ansible Galaxy dependencies installed: ``kayobe control host bootstrap``
+  * Python dependencies installed: ``pip install -r kayobe-config/requirements.txt``
 
 Deployment
 ==========
@@ -197,7 +199,7 @@ Enable the required TLS variables in kayobe and kolla
       # Copy the self-signed CA into the kolla containers
       kolla_copy_ca_into_containers: "yes"
       # Use the following trust store within the container
-      openstack_cacert: "{{ '/etc/pki/tls/certs/ca-bundle.crt' if os_distribution in ["centos", "rocky"] else '/etc/ssl/certs/ca-certificates.crt' }}"
+      openstack_cacert: "{{ '/etc/pki/tls/certs/ca-bundle.crt' if os_distribution in ['centos', 'rocky'] else '/etc/ssl/certs/ca-certificates.crt' }}"
 
       # Backend TLS config
       # Enable backend TLS
diff --git a/etc/kayobe/ansible/vault-deploy-barbican.yml b/etc/kayobe/ansible/vault-deploy-barbican.yml
@@ -77,6 +77,13 @@
       debug:
         msg: "barbican role id is {{ barbican_role_id.id }}"
 
+    - name: Write barbican Approle ID to file if requested
+      delegate_to: localhost
+      copy:
+        content: "{{ barbican_role_id.id }}"
+        dest: "{{ stackhpc_barbican_role_id_file_path | default('~/barbican-role-id') }}"
+      when: stackhpc_write_barbican_role_id_to_file | bool | default(false)
+
     - name: Check if barbican Approle Secret ID is defined
       hashivault_approle_role_secret_list:
         url: "{{ vault_api_addr }}"
diff --git a/etc/kayobe/environments/ci-multinode/globals.yml b/etc/kayobe/environments/ci-multinode/globals.yml
@@ -56,6 +56,12 @@ os_release: >-
              (lookup('pipe', '. /etc/os-release && echo $VERSION_ID') | trim | split('.') | first) if os_distribution == 'rocky' else
              'stream-8' }}
 ###############################################################################
+# Hashicorp vault, Barbican, and TLS configuration
+
+stackhpc_write_barbican_role_id_to_file: true
+stackhpc_barbican_role_id_file_path: "/tmp/barbican-role-id"
+
+###############################################################################
 
 # Avoid a reboot.
 disable_selinux_do_reboot: false
diff --git a/etc/kayobe/environments/ci-multinode/kolla.yml b/etc/kayobe/environments/ci-multinode/kolla.yml
@@ -5,6 +5,13 @@ kolla_enable_neutron_provider_networks: true
 kolla_enable_ovn: true
 kolla_enable_octavia: true
 kolla_enable_magnum: true
+kolla_enable_barbican: true
+
+# The multinode environment supports Backend and internal TLS , but it must be
+# enabled in the correct order. See
+# https://stackhpc-kayobe-config.readthedocs.io/en/stackhpc-yoga/configuration/vault.html
+# for details.
+# kolla_enable_tls_internal: true
 
 # The multinode environment supports Manila but it is not enabled by default.
 # kolla_enable_manila: true
diff --git a/etc/kayobe/environments/ci-multinode/kolla/config/barbican.conf b/etc/kayobe/environments/ci-multinode/kolla/config/barbican.conf
@@ -0,0 +1,12 @@
+# Example barbican config for vault integration
+[secretstore]
+namespace=barbican.secretstore.plugin
+enable_multiple_secret_stores=false
+enabled_secretstore_plugins=vault_plugin
+
+[vault_plugin]
+vault_url = https://{{ kolla_internal_vip_address }}:8200
+use_ssl = True
+approle_role_id = {{ secrets_barbican_approle_role_id }}
+approle_secret_id = {{ secrets_barbican_approle_secret_id }}
+kv_mountpoint = barbican
diff --git a/etc/kayobe/environments/ci-multinode/kolla/config/haproxy/services.d/vault.cfg b/etc/kayobe/environments/ci-multinode/kolla/config/haproxy/services.d/vault.cfg
@@ -0,0 +1,22 @@
+{% raw %}
+frontend vault_front
+   mode tcp
+   option tcplog
+   bind {{ kolla_internal_vip_address }}:8200
+   default_backend vault_back
+
+backend vault_back
+   mode tcp
+   option httpchk GET /v1/sys/health
+   # https://www.vaultproject.io/api-docs/system/health
+   # 200: initialized, unsealed, and active
+   # 501: not initialised (required for bootstrapping)
+   # 503: sealed (required for bootstrapping)
+   http-check expect rstatus (200|501|503)
+
+{% for host in groups['control'] %}
+{% set host_name = hostvars[host].ansible_facts.hostname %}
+{% set host_ip = 'api' | kolla_address(host) %}
+   server {{ host_name }} {{ host_ip }}:8200 check check-ssl verify none inter 2000 rise 2 fall 5
+{% endfor %}
+{% endraw %}
diff --git a/etc/kayobe/environments/ci-multinode/kolla/globals-tls-config.yml b/etc/kayobe/environments/ci-multinode/kolla/globals-tls-config.yml
@@ -0,0 +1,18 @@
+############################################################################
+# This content is copied into globals.yml during automated setup, but cannot
+# exist during the initial configuration
+
+# Internal TLS configuration
+# Copy the self-signed CA into the kolla containers
+kolla_copy_ca_into_containers: "yes"
+# Use the following trust store within the container
+openstack_cacert: "{{ '/etc/pki/tls/certs/ca-bundle.crt' if os_distribution in ['centos', 'rocky'] else '/etc/ssl/certs/ca-certificates.crt' }}"
+
+# Backend TLS config
+# Enable backend TLS
+kolla_enable_tls_backend: "yes"
+
+# If using RabbitMQ TLS:
+rabbitmq_enable_tls: "yes"
+
+############################################################################
