16 Commits

Author SHA1 Message Date
Zuul c5df5f8c47 Merge "Fix wrong facility for swift logs" 2023-02-10 19:34:08 +00:00
Takashi Kajinami 406b3a2afc Fix wrong facility for swift logs
Now we use local2 instead of local1 by default for all swift logs.

Change-Id: I8828832df118778fff7390e01e47bf6e7ec1a057
2023-02-08 05:52:21 +00:00
Takashi Kajinami 1892225794 Sync rsyslog config file from swift
This pulls the latest example file from the swift repo, which contains
the comment lines for a few additional services.

Change-Id: I162516b3f3535a10072245dd466ba4cf045d8836
2023-02-08 14:51:58 +09:00
Takashi Kajinami 8f2bc1aa61 Enable Octavia in scenario004
This change enables Octavia in scenario004 integration job so that we
can validate deployment of Octavia by puppet-octavia.
Because of limited resources in CI, noop driver is used and all of
backend operations like amphora instance management are disabled. This
is the same method as is used in a CI job in Octavia itself.

Depends-on: https://review.opendev.org/828063
Change-Id: I627872dd81d5ca576ea33ecf4755bf8de43df76a
2022-02-08 22:57:51 +09:00
Takashi Kajinami eda1d55cf3 CentOS: Install gpg keys from repository
... instead of maintaining copies in our own repo.

Change-Id: Ie965151027dba330fb867c6ef28a36132e755d91
2021-01-23 23:43:32 +09:00
Takashi Kajinami 3f3da39c68 CentOS: Install new gpg key for puppet packages
This change ensures that the new gpg key for puppet packages[1] is
installed before installing puppet-agent, so that we can install any
package signed with the new gpg key.

[1] https://puppet.com/blog/updated-puppet-gpg-signing-key-2020-edition/

Closes-Bug: #1912871
Change-Id: I015770275192d9834e38593e249b472f56d7ccd4
2021-01-23 23:43:25 +09:00
Thomas Goirand ca8fd0d8b8 Add GPG-KEY-ceph
At first, I thought this would go in puppet-ceph, but in fact,
every compute node needs a librados dependency which is in the
Ceph repo. So at the end, all nodes need GPG-KEY-ceph, so it
is a good idea to install the repository key there.

Change-Id: Ia33718a8350a60c69ce9632eddb6156f9b43c745
2018-04-11 22:24:00 +02:00
Thomas Goirand 7a25b04990 Fixed puppet repo & key in Debian
It appears that the puppetlabs Debian repository is set to always
install a repository for Xenial (instead of using lsb_release to
find the OS), and that the Puppetlabs repo GPG key is outdated. This
patch fixes that.

Change-Id: I35231cdf7503d129bb408bc5d29a2cfe95c4e08e
2018-04-03 14:48:56 +02:00
Alfredo Moralejo e40e6d934b Fix ipv6 certificate to make it compliant with IDNA
Currently we are setting "DNS.0 = ::1", but ::1 is not a valid
A-Label for IDNA so the certificate is not correct.

Additionally, we are setting a wrong value for DNS.0 = 127.0.0.1
in the ipv4 certificate.

Finally, removing issuerAltName from both ipv4 and ipv6 certificates
as they are not needed for the jobs.

New versions of python-cryptography are stricter when checking
certificate content and do not allow non-compliant
DNS names, so we need to fix the certificate to bump python-cryptography.

Note that the horizon tempest plugin does not support ipaddress SANs based
certificate validation so I'm disabling certificate validation for
dashboard in this patch.

Depends-On: Iea7a4b85ac64572fac0f0ad871649a79fbc1c0f5

Change-Id: Ib519d222e07e26d3683b24359e2f67728cdd8029
2018-03-20 22:38:03 +01:00
Emilien Macchi 83e2127db8 Use mirrors to deploy Puppet from Puppetlabs
Change-Id: Ia832c1f8dd27bd1ec919f9156df38a67b4d51cc1
2018-01-30 04:33:41 +00:00
Alfredo Moralejo 8df7e460e7 New SSL certificates
Current SSL certificates have expired. This patch contains new ones
valid for 10 years and I've updated the ssl-ipv*.conf with the command
to create certificates with this expiration time.

Change-Id: Iaf4164149e3e28de8cf0367bc98e3e649bd10f87
2016-10-29 18:13:34 -04:00
David Moreau-Simard 61ba93a2b0 Update SSL certificates with SubjectAltNames
A recent update to urllib tightened some checks around SSL [1].
This prompted an update to Devstack in order to work properly [2].

Jobs running into this problem without having a SubjectAltName
provided will see an error that looks like:

    SSLError: hostname '127.0.0.1' doesn't match either of
    '127.0.0.1', 'localhost'

Let's also update the certificates to provide the SubjectAltName
and provide a way to easily update the certificates if required
in the future.

[1]: df9d503a8e/CHANGES.rst (118-2016-09-26)
[2]: https://git.openstack.org/cgit/openstack-dev/devstack/commit/?id=69e3c0aac99981f17c76c22111e5c397824b8428

Change-Id: I94a586b333ba6a99ef831c853a19ab127b502d6f
2016-09-29 00:20:08 -04:00
David Moreau-Simard 927f0a0a74 Setup logging to rsyslog for swift
This makes it so Swift logs will be sent to /var/log/swift
instead of staying in journal/syslog

Change-Id: Iee7d5eac496a49b3776d0ded756159dfd821d9e9
2016-08-05 10:39:01 -04:00
Emilien Macchi e645272ef3 Generate Self-Signed Cert with SubjectAltNames
A new version of python urllib sends us ugly warnings because our SSL
certificates don't have SubjectAltNames.

I re-generated some SSL certs with it, for both ipv4 & ipv6 deployments.

Change-Id: Ibed9f23869de9d2871c3d25e9bd24df809aa4c16
2016-04-13 08:24:20 -04:00
Emilien Macchi 3874255b9f scenario002: switch Keystone/Glance/Ironic/Nova to SSL
* Deploy Self-Signed Certificates for both IPv6 & IPv4 deployments.
* Disable IPv6 for RabbitMQ now, for SSL reasons, will be enabled again
  later in a next iteration.
* Deploy Ironic API under WSGI instead of eventlet.
* Switch Glance API, Ironic API and Keystone to SSL.
* Configure Tempest with SSL endpoints when needed.
* Reduce the Ironic tests because of [1].

[1] https://bugs.launchpad.net/ironic/+bug/1554237

Note #1: puppet-swift, and puppet-cinder will require some work to support SSL, so it's not
implemented in this patch.
Note #2: we don't enable SSL for Neutron because of
https://bugs.launchpad.net/neutron/+bug/1514424

Change-Id: Ib2b5289b6f5e82f43cf60dee3152b2c2ddd5a014
2016-03-14 16:34:29 -04:00
Emilien Macchi 2be3e3f9d2 scenario002: deploy RabbitMQ with SSL
* Manage Puppet OpenStack CI CA and create a common certificate,
  auto-signed.
* Configure RabbitMQ to activate SSL on scenario002
* Configure OpenStack services that run on scenario002 to connect to
  RabbitMQ using SSL protocol.

Change-Id: Ic435078472ba4e0e0eaf04a64e5bcb7aabba7b3d
2016-02-29 14:37:56 -05:00