From 8db6775be54124615e24b350e7acdeaf97b09df5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?C=C3=A9dric=20Jeanneret?=
Date: Fri, 27 Oct 2023 11:53:27 +0200
Subject: [PATCH] Revert "[tls] Add CA bundle from OpenStackCtlplane to controller"

This reverts commit 00e8d245d522fdf906b593a7d912e19e438542a9.

We've seen constant failures in a CI job, linked to certificate validation: https://review.rdoproject.org/zuul/builds?job_name=podified-multinode-edpm-e2e-nobuild-tagged-crc&project=openstack-k8s-operators/ci-framework

An example:
FAILED - RETRYING: [localhost]: Wait for keystone endpoint to exist in DNS (1 retries left).
fatal: [localhost]: FAILED! => {"attempts": 20, "changed": false, "elapsed": 0, "msg": "Status code was -1 and not [200, 300, 301, 302, 401, 402, 403]: Request failed: ", "redirected": false, "status": -1, "url": "https://keystone-public-openstack.apps-crc.testing"}

Reverting the CA verification toggle patch seems the safest way to get back to a green CI.

Note: the new failure may be related to a recent patch: https://github.com/openstack-k8s-operators/openstack-operator/pull/502
---
 ci_framework/roles/edpm_prepare/README.md | 2 +-
 .../roles/edpm_prepare/defaults/main.yml | 2 +-
 .../roles/edpm_prepare/tasks/main.yml | 28 -------------------
 ci_framework/roles/os_net_setup/README.md | 2 +-
 .../roles/os_net_setup/defaults/main.yml | 2 +-
 ci_framework/roles/tempest/tasks/main.yml | 10 -------
 ci_framework/roles/tempest/vars/main.yml | 2 ++
 7 files changed, 6 insertions(+), 42 deletions(-)

diff --git a/ci_framework/roles/edpm_prepare/README.md b/ci_framework/roles/edpm_prepare/README.md
index 3bac3d9686..3f7193e659 100644
--- a/ci_framework/roles/edpm_prepare/README.md
+++ b/ci_framework/roles/edpm_prepare/README.md
@@ -14,5 +14,5 @@ This role doesn't need privilege escalation.
 * `cifmw_edpm_prepare_oc_delay`: (Integer) Delay, in seconds, between failed oc call retries. Defaults to `30`.
 * `cifmw_edpm_prepare_update_os_containers`: (Boolean) Updates the openstack services containers env variable. Defaults to `false`.
 * `cifmw_edpm_prepare_timeout`: (Integer) Time, in minutes to wait for the deployment to be ready. Defaults to `30`.
-* `cifmw_edpm_prepare_verify_tls`: (Boolean) In case of TLS enabled for OpenStack endpoint, validates against the CA. Defaults to `true`.
+* `cifmw_edpm_prepare_verify_tls`: (Boolean) In case of TLS enabled for OpenStack endpoint, validates against the CA. Defaults to `false`.
 * `cifmw_edpm_prepare_skip_patch_ansible_runner`: (Boolean) Intentionally skips setting ansible runner image to `latest` from quay.io. Defaults to `False`.
diff --git a/ci_framework/roles/edpm_prepare/defaults/main.yml b/ci_framework/roles/edpm_prepare/defaults/main.yml
index e8b4b91f8c..4046ae5bb9 100644
--- a/ci_framework/roles/edpm_prepare/defaults/main.yml
+++ b/ci_framework/roles/edpm_prepare/defaults/main.yml
@@ -25,5 +25,5 @@ cifmw_edpm_prepare_dry_run: false
 cifmw_edpm_prepare_skip_crc_storage_creation: false
 cifmw_edpm_prepare_update_os_containers: false
 cifmw_edpm_prepare_timeout: 30
-cifmw_edpm_prepare_verify_tls: true
+cifmw_edpm_prepare_verify_tls: false
 cifmw_edpm_prepare_skip_patch_ansible_runner: false
diff --git a/ci_framework/roles/edpm_prepare/tasks/main.yml b/ci_framework/roles/edpm_prepare/tasks/main.yml
index d93ee5301c..f38e92d3f4 100644
--- a/ci_framework/roles/edpm_prepare/tasks/main.yml
+++ b/ci_framework/roles/edpm_prepare/tasks/main.yml
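Review bot: Flipping `cifmw_edpm_prepare_verify_tls: false` in defaults/main.yml turns off certificate validation for every consumer of the role, not only the failing CI job, and the same default flip is made for `cifmw_os_net_setup_verify_tls` in the os_net_setup defaults hunk further down. The failure quoted in the description (`Status code was -1 ... Request failed: ` with an empty reason) does not obviously read as a certificate-validation error, so the diff alone does not show that validation is what broke; that inference is worth confirming before weakening both roles. A narrower option is to keep the role defaults at `true` and set the two `*_verify_tls` variables to `false` from the CI job that is failing, since role defaults are the lowest-precedence layer. If the default flip stays, a comment above it such as `# Temporarily false as a CI workaround (revert of 00e8d245); restore to true once the CA bundle is trusted again` would stop the weakened default from being inherited silently.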
@@ -224,34 +224,6 @@
 --for=condition=ready --timeout={{ cifmw_edpm_prepare_timeout }}m
- - name: Get CA bundle data
- environment:
- KUBECONFIG: "{{ cifmw_openshift_kubeconfig }}"
- PATH: "{{ cifmw_path }}"
- ansible.builtin.command:
- cmd: 'oc get secret combined-ca-bundle -n openstack -o "jsonpath={.data.tls-ca-bundle\.pem}" --ignore-not-found'
- register: ca_bundle_data
- - name: Get CA bundle
- when: ca_bundle_data.stdout | length > 0
- ansible.builtin.set_fact:
- ca_bundle: >-
- {{ ca_bundle_data.stdout | ansible.builtin.b64decode }}
- - name: Creating tls-ca-bundle.pem
- when: (ca_bundle is defined) and (ca_bundle | length > 0)
- ansible.builtin.copy:
- dest: "{{ cifmw_edpm_prepare_basedir }}/tls-ca-bundle.pem"
- content: "{{ ca_bundle }}"
- register: ca_bundle_file
- - name: Inject OpenStackControlplane CA bundle # noqa: no-handler
- when: ca_bundle_file is changed
- vars:
- cifmw_install_ca_bundle_src: "{{ cifmw_edpm_prepare_basedir }}/tls-ca-bundle.pem"
- ansible.builtin.include_role:
- role: install_ca
 - name: Wait for keystone to be ready
 tags:
 - control-plane
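Review bot: With the `combined-ca-bundle` retrieval and the `install_ca` include removed, nothing left in this role installs the control-plane CA on the controller, yet `cifmw_edpm_prepare_verify_tls` still exists as a toggle; a consumer that sets it back to `true` will presumably fail the `Wait for keystone to be ready` task that follows (its body continues outside the hunk). That dependency should be documented in the README entry for the variable, e.g. `Setting this to true requires the OpenStack control-plane CA to already be trusted on the controller; this role no longer installs it.` It is also worth deciding whether a `tls-ca-bundle.pem` left in `cifmw_edpm_prepare_basedir` by earlier runs should be cleaned up, since the revert drops the task that wrote it but not the file.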
@@ -11,4 +11,4 @@ That is provided by `openshift_login` role.
 * `cifmw_os_net_setup_config`: See an example in ci_framework/roles/os_net_setup/defaults/main.yml
 * `cifmw_os_net_setup_osp_calls_retries`: (Integer) Number of attempts to retry an OSP action if it fails. Defaults to `10`.
 * `cifmw_os_net_setup_osp_calls_delay`: (Integer) Delay, in seconds, between failed OSP call retries. Defaults to `5`.
-* `cifmw_os_net_setup_verify_tls`: (Boolean) In case of TLS enabled for OpenStack endpoint, validates against the CA. Defaults to `true`.
+* `cifmw_os_net_setup_verify_tls`: (Boolean) In case of TLS enabled for OpenStack endpoint, validates against the CA. Defaults to `false`.
diff --git a/ci_framework/roles/os_net_setup/README.md b/ci_framework/roles/os_net_setup/README.md
index b0541f2eeb..34ed1bc617 100644
--- a/ci_framework/roles/os_net_setup/README.md
+++ b/ci_framework/roles/os_net_setup/README.md
@@ -15,4 +15,4 @@ cifmw_os_net_setup_config:
 allocation_pool_end: 192.168.122.240
 gateway_ip: 192.168.122.1
 enable_dhcp: false
-cifmw_os_net_setup_verify_tls: true
+cifmw_os_net_setup_verify_tls: false
diff --git a/ci_framework/roles/tempest/tasks/main.yml b/ci_framework/roles/tempest/tasks/main.yml
index b3c9612d30..4110361c88 100644
--- a/ci_framework/roles/tempest/tasks/main.yml
+++ b/ci_framework/roles/tempest/tasks/main.yml
@@ -32,15 +32,6 @@
 ansible.builtin.include_tasks: configure-tempest.yml
 when: not cifmw_tempest_dry_run | bool
-- name: Copy CA bundle to cifmw_tempest_artifacts_basedir
- ansible.builtin.copy:
- src: "/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem"
- dest: "{{ cifmw_tempest_artifacts_basedir }}"
- mode: '0444'
- owner: "{{ lookup('env', 'USER') }}"
- group: "{{ lookup('env', 'USER') }}"
- remote_src: true
-
 - name: Set proper permission for tempest directory
 ansible.builtin.command:
 cmd: "podman unshare chown 42480:42480 -R {{ cifmw_tempest_artifacts_basedir }}"
@@ -64,7 +55,6 @@
 network: host
 volume:
 - "{{ cifmw_tempest_artifacts_basedir }}/:/var/lib/tempest/external_files:Z"
- - "{{ cifmw_tempest_artifacts_basedir }}/tls-ca-bundle.pem:/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem:Z"
 detach: false
 dns: "{{ cifmw_tempest_dns_servers }}"
 env:
diff --git a/ci_framework/roles/tempest/vars/main.yml b/ci_framework/roles/tempest/vars/main.yml
index cf6468e4ac..4c64c77407 100644
--- a/ci_framework/roles/tempest/vars/main.yml
+++ b/ci_framework/roles/tempest/vars/main.yml
@@ -1,3 +1,5 @@
 cifmw_tempest_tempestconf_profile_default:
 overrides:
 identity.v3_endpoint_type: public
+ identity.disable_ssl_certificate_validation: true
+ dashboard.disable_ssl_certificate_validation: true
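Review bot: `identity.disable_ssl_certificate_validation: true` and `dashboard.disable_ssl_certificate_validation: true` are added to vars/main.yml, which in Ansible outranks inventory, host and play vars, so a deployment that does trust the control-plane CA can only re-enable validation in tempest through extra vars or by editing the role. The edpm_prepare and os_net_setup roles in this same patch expose the choice as a `*_verify_tls` default instead; mirroring that here (a role default, name to be chosen, say `cifmw_tempest_verify_tls: false`, with the two overrides derived from `not (cifmw_tempest_verify_tls | bool)`) would keep the three roles consistent, though how the overrides are rendered into a boolean for tempestconf needs checking against configure-tempest.yml, which is outside this diff. If the hard-coded form is kept, a comment above the two new keys such as `# CI workaround: certificate validation disabled after reverting the CA bundle injection` would at least make the weakened setting visible to readers of the profile.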