From 46ffb2702bc93e932b4d42a7def7778d544ac7cb Mon Sep 17 00:00:00 2001 From: Damian Dabrowski Date: Sun, 4 Jun 2023 17:37:15 +0200 Subject: [PATCH] Add tls upgrade jobs This patch adds new jobs to test upgrade scenario where TLS is fully disabled on SOURCE_SERIES but enabled on TARGET_SERIES. Keystone proto is set to 'http' to ensure that `openstack_service_accept_both_protocols` works as expected. Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/885190 Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-os_nova/+/885337 Change-Id: I6d967f444b2de67fc394cf8c52f4e236418b5f98 --- .../templates/user_variables_tls.yml.j2 | 26 ++++++++++++++++++- zuul.d/jobs.yaml | 12 +++++++++ zuul.d/project-templates.yaml | 3 +++ 3 files changed, 40 insertions(+), 1 deletion(-) diff --git a/tests/roles/bootstrap-host/templates/user_variables_tls.yml.j2 b/tests/roles/bootstrap-host/templates/user_variables_tls.yml.j2 index 50f65f0021..fb28787416 100644 --- a/tests/roles/bootstrap-host/templates/user_variables_tls.yml.j2 +++ b/tests/roles/bootstrap-host/templates/user_variables_tls.yml.j2 @@ -10,7 +10,31 @@ # See the License for the specific language governing permissions and # limitations under the License. +# UPGRADE_TARGET_BRANCH variable is defined only during upgrade scenario +# when source version is being deployed. +{% if lookup('env', 'UPGRADE_TARGET_BRANCH') == '' %} +# Make sure that TLS is fully enabled on target release. +openstack_service_publicuri_proto: https openstack_service_adminuri_proto: https openstack_service_internaluri_proto: https -haproxy_ssl_all_vips: true +haproxy_ssl: True +haproxy_ssl_all_vips: True +rabbitmq_management_ssl: True openstack_service_backend_ssl: True +openstack_service_accept_both_protocols: True +# Keep keystone proto set to 'http'. This way we can ensure that +# `openstack_service_accept_both_protocols` works as expected. +keystone_service_publicuri_proto: http +keystone_service_adminuri_proto: http +keystone_service_internaluri_proto: http +{% else %} +# Make sure that source release has TLS fully disabled. +openstack_service_publicuri_proto: http +openstack_service_adminuri_proto: http +openstack_service_internaluri_proto: http +haproxy_ssl: False +haproxy_ssl_all_vips: False +rabbitmq_management_ssl: False +openstack_service_backend_ssl: False +openstack_service_accept_both_protocols: False +{% endif %} diff --git a/zuul.d/jobs.yaml b/zuul.d/jobs.yaml index 0a2b63776c..df92021e8c 100644 --- a/zuul.d/jobs.yaml +++ b/zuul.d/jobs.yaml @@ -431,6 +431,12 @@ parent: openstack-ansible-deploy-aio nodeset: ubuntu-jammy +- job: + name: openstack-ansible-upgrade-aio_metal_tls-ubuntu-jammy + parent: openstack-ansible-deploy-aio + nodeset: ubuntu-jammy + timeout: 10800 + - job: name: openstack-ansible-upgrade-aio_lxc-ubuntu-jammy parent: openstack-ansible-deploy-aio @@ -796,6 +802,12 @@ parent: openstack-ansible-deploy-aio nodeset: rockylinux-9 +- job: + name: openstack-ansible-upgrade-aio_metal_tls-rockylinux-9 + parent: openstack-ansible-deploy-aio + nodeset: rockylinux-9 + timeout: 10800 + - job: name: openstack-ansible-deploy-aio_telemetry_metal-rockylinux-9 parent: openstack-ansible-deploy-aio diff --git a/zuul.d/project-templates.yaml b/zuul.d/project-templates.yaml index c67940ea94..49ed2beee5 100644 --- a/zuul.d/project-templates.yaml +++ b/zuul.d/project-templates.yaml @@ -172,6 +172,9 @@ - openstack-ansible-deploy-aio_metal_tls-ubuntu-jammy - openstack-ansible-upgrade-aio_metal-rockylinux-9 - openstack-ansible-upgrade-aio_metal-ubuntu-jammy + - openstack-ansible-upgrade-aio_metal_tls-rockylinux-9 + - openstack-ansible-upgrade-aio_metal_tls-ubuntu-jammy + gate: jobs: - openstack-ansible-deploy-aio_metal-debian-bullseye