CI: Add TLS tests

Add a TLS scenario in zuul to generate self signed certificates and
to configure TLS to be enabled in the open stack deployment.

Change-Id: If10a23dfa67212e843ef26486c9523074cc920e7
Partially-Implements: blueprint custom-cacerts

tests/check-config.sh

@@ -15,6 +15,8 @@ function check_config {
     # Ignore files generated by Zuul.
     for f in $(sudo find /etc/kolla \
                 -not -regex /etc/kolla/config.* \
+                -not -regex /etc/kolla/certificates.* \
+                -not -regex ".*ca-certificates.*" \
                 -not -path /etc/kolla \
                 -not -name admin-openrc.sh \
                 -not -name globals.yml \

tests/deploy.sh

@@ -15,6 +15,10 @@ function deploy {
 
     #TODO(inc0): Post-deploy complains that /etc/kolla is not writable. Probably we need to include become there
     sudo chmod -R 777 /etc/kolla
+    # generate self-signed certificates for the optional internal TLS tests
+    if [[ "$TLS_ENABLED" = "True" ]]; then
+        tools/kolla-ansible -i ${RAW_INVENTORY} -vvv certificates > /tmp/logs/ansible/certificates
+    fi
     # Actually do the deployment
     tools/kolla-ansible -i ${RAW_INVENTORY} -vvv prechecks &> /tmp/logs/ansible/deploy-prechecks
     # TODO(jeffrey4l): add pull action when we have a local registry

tests/run.yml

@@ -314,7 +314,8 @@
             cmd: deploy.sh
             executable: /bin/bash
             chdir: "{{ kolla_ansible_src_dir }}"
-
+          environment:
+            TLS_ENABLED: "{{ tls_enabled }}"
         # NOTE(yoctozepto): this is nice as the first step after the deployment
         # because it waits for the services to stabilize well enough so that
         # the dashboard is able to show the login prompt
@@ -323,6 +324,8 @@
             cmd: test-dashboard.sh
             executable: /bin/bash
             chdir: "{{ kolla_ansible_src_dir }}"
+          environment:
+            TLS_ENABLED: "{{ tls_enabled }}"
           when: dashboard_enabled
 
         - name: Run init-core-openstack.sh script

tests/templates/globals-default.j2

@@ -134,3 +134,16 @@ glance_backend_ceph: "yes"
 cinder_backend_ceph: "yes"
 nova_backend_ceph: "yes"
 {% endif %}
+
+{% if tls_enabled %}
+kolla_enable_tls_external: "yes"
+kolla_enable_tls_internal: "yes"
+kolla_verify_internal_ca_certs: "no"
+kolla_copy_ca_into_containers: "yes"
+{% if base_distro == "ubuntu" or base_distro == "debian" %}
+openstack_cacert: "/usr/local/share/ca-certificates/kolla-customca-haproxy-internal.crt"
+{% endif %}
+{% if base_distro == "centos" %}
+openstack_cacert: "/etc/pki/ca-trust/source/anchors/kolla-customca-haproxy-internal.crt"
+{% endif %}
+{% endif %}

tests/test-dashboard.sh

@@ -11,7 +11,15 @@ function check_dashboard {
     # page.
     DASHBOARD_URL=${OS_AUTH_URL%:*}
     output_path=$1
-    if ! curl --include --location --fail $DASHBOARD_URL > $output_path; then
+    args=(
+        --include
+        --location
+        --fail
+    )
+    if [[ "$TLS_ENABLED" = "True" ]]; then
+        args+=(--cacert $OS_CACERT)
+    fi
+    if ! curl "${args[@]}" $DASHBOARD_URL > $output_path; then
         return 1
     fi
     if ! grep Login $output_path >/dev/null; then

tests/upgrade.sh

@@ -9,7 +9,10 @@ export PYTHONUNBUFFERED=1
 
 function upgrade {
     RAW_INVENTORY=/etc/kolla/inventory
-
+    # generate self-signed certificates for the optional internal TLS tests
+    if [[ $SCENARIO == "tls" ]]; then
+        tools/kolla-ansible -i ${RAW_INVENTORY} -vvv certificates > /tmp/logs/ansible/certificates
+    fi
     tools/kolla-ansible -i ${RAW_INVENTORY} -vvv prechecks &> /tmp/logs/ansible/upgrade-prechecks
     tools/kolla-ansible -i ${RAW_INVENTORY} -vvv pull &> /tmp/logs/ansible/pull-upgrade
     tools/kolla-ansible -i ${RAW_INVENTORY} -vvv upgrade &> /tmp/logs/ansible/upgrade

zuul.d/base.yaml

@@ -31,6 +31,7 @@
       api_interface_name: vxlan0
       kolla_internal_vip_address: "192.0.2.10"
       address_family: 'ipv4'
+      tls_enabled: false
     roles:
       - zuul: zuul/zuul-jobs
 

zuul.d/jobs.yaml

@@ -24,6 +24,7 @@
     vars:
       base_distro: debian
       install_type: source
+      tls_enabled: true
 
 - job:
     name: kolla-ansible-ubuntu-source
@@ -32,6 +33,7 @@
     vars:
       base_distro: ubuntu
       install_type: source
+      tls_enabled: true
 
 - job:
     name: kolla-ansible-ubuntu-source-multinode-ipv6