Support using local hashicorp consul/vault images

This requires stackhpc.hashicorp 2.4.0.

Author: priteau

etc/kayobe/ansible/requirements.yml

@@ -5,7 +5,7 @@ collections:
   - name: stackhpc.pulp
     version: 0.4.1
   - name: stackhpc.hashicorp
-    version: 2.3.0
+    version: 2.4.0
 roles:
   - src: stackhpc.vxlan
   - name: ansible-lockdown.rhel8_cis

etc/kayobe/ansible/vault-deploy-overcloud.yml

@@ -60,10 +60,15 @@
     - import_role:
         name: stackhpc.hashicorp.vault
       vars:
+        hashicorp_registry_url: "{{ overcloud_hashicorp_registry_url }}"
+        hashicorp_registry_username: "{{ overcloud_hashicorp_registry_username }}"
+        hashicorp_registry_password: "{{ overcloud_hashicorp_registry_password }}"
+        consul_docker_image: "{{ overcloud_consul_docker_image }}"
         consul_docker_tag: "{{ overcloud_consul_docker_tag }}"
         vault_config_dir: "/opt/kayobe/vault"
         vault_cluster_name: "overcloud"
         vault_ca_cert: "{{ '/etc/pki/tls/certs/ca-bundle.crt' if ansible_facts.os_family == 'RedHat' else '/usr/local/share/ca-certificates/OS-TLS-ROOT.crt' }}"
+        vault_docker_image: "{{ overcloud_vault_docker_image }}"
         vault_docker_tag: "{{ overcloud_vault_docker_tag }}"
         vault_tls_cert: "{% if kolla_internal_fqdn != kolla_internal_vip_address %}{{ kolla_internal_fqdn }}{% else %}overcloud{% endif %}.crt"
         vault_tls_key: "{% if kolla_internal_fqdn != kolla_internal_vip_address %}{{ kolla_internal_fqdn }}{% else %}overcloud{% endif %}.key"

etc/kayobe/ansible/vault-deploy-seed.yml

@@ -36,9 +36,14 @@
     - import_role:
         name: stackhpc.hashicorp.vault
       vars:
+        hashicorp_registry_url: "{{ seed_hashicorp_registry_url }}"
+        hashicorp_registry_username: "{{ seed_hashicorp_registry_username }}"
+        hashicorp_registry_password: "{{ seed_hashicorp_registry_password }}"
+        consul_docker_image: "{{ seed_consul_docker_image }}"
         consul_docker_tag: "{{ seed_consul_docker_tag }}"
         vault_config_dir: "/opt/kayobe/vault"
         vault_cluster_name: "seed"
+        vault_docker_image: "{{ seed_vault_docker_image }}"
         vault_docker_tag: "{{ seed_vault_docker_tag }}"
         vault_write_keys_file: true
         vault_write_keys_file_path: "{{ kayobe_env_config_path }}/vault/seed-vault-keys.json"

etc/kayobe/inventory/group_vars/all/vault

@@ -1,9 +1,20 @@
 ###############################################################################
 # Hashicorp Vault deployment configuration.
 
+# Registry information for seed.
+seed_hashicorp_registry_url: "{{ stackhpc_docker_registry if stackhpc_sync_hashicorp_images | bool else '' }}"
+seed_hashicorp_registry_username: "{{ stackhpc_docker_registry_username if stackhpc_sync_hashicorp_images | bool else '' }}"
+seed_hashicorp_registry_password: "{{ stackhpc_docker_registry_password if stackhpc_sync_hashicorp_images | bool else '' }}"
+
+# Seed Consul container image.
+seed_consul_docker_image: "{{ stackhpc_docker_registry ~ '/' if stackhpc_sync_hashicorp_images | bool else '' }}hashicorp/consul"
+
 # Seed Consul container image tag.
 seed_consul_docker_tag: "1.16"
 
+# Seed Vault container image.
+seed_vault_docker_image: "{{ stackhpc_docker_registry ~ '/' if stackhpc_sync_hashicorp_images | bool else '' }}hashicorp/vault"
+
 # Seed Vault container image tag.
 seed_vault_docker_tag: "1.14"
 
@@ -27,9 +38,20 @@ seed_vault_pki_roles:
       organization: ["StackHPC"]
       ou: ["OpenStack"]
 
+# Registry information for overcloud.
+overcloud_hashicorp_registry_url: "{{ stackhpc_docker_registry if stackhpc_sync_hashicorp_images | bool else '' }}"
+overcloud_hashicorp_registry_username: "{{ stackhpc_docker_registry_username if stackhpc_sync_hashicorp_images | bool else '' }}"
+overcloud_hashicorp_registry_password: "{{ stackhpc_docker_registry_password if stackhpc_sync_hashicorp_images | bool else '' }}"
+
+# Overcloud Consul container image.
+overcloud_consul_docker_image: "{{ stackhpc_docker_registry ~ '/' if stackhpc_sync_hashicorp_images | bool else '' }}hashicorp/consul"
+
 # Overcloud Consul container image tag.
 overcloud_consul_docker_tag: "1.16"
 
+# Overcloud Vault container image.
+overcloud_vault_docker_image: "{{ stackhpc_docker_registry ~ '/' if stackhpc_sync_hashicorp_images | bool else '' }}hashicorp/vault"
+
 # Overcloud Vault container image tag.
 overcloud_vault_docker_tag: "1.14"
 

etc/kayobe/pulp.yml

@@ -797,12 +797,47 @@ stackhpc_pulp_distribution_container_ceph:
     state: present
     required: "{{ stackhpc_sync_ceph_images | bool }}"
 
+# Whether to sync HashiCorp container images.
+stackhpc_sync_hashicorp_images: false
+
+# List of HashiCorp container image repositories.
+stackhpc_pulp_repository_container_repos_hashicorp:
+  - name: "hashicorp/consul"
+    url: "https://registry-1.docker.io"
+    policy: on_demand
+    proxy_url: "{{ pulp_proxy_url }}"
+    state: present
+    include_tags: "{{ overcloud_consul_docker_tag }}"
+    required: "{{ stackhpc_sync_hashicorp_images | bool }}"
+  - name: "hashicorp/vault"
+    url: "https://registry-1.docker.io"
+    policy: on_demand
+    proxy_url: "{{ pulp_proxy_url }}"
+    state: present
+    include_tags: "{{ overcloud_vault_docker_tag }}"
+    required: "{{ stackhpc_sync_hashicorp_images | bool }}"
+
+# List of HashiCorp container image distributions.
+stackhpc_pulp_distribution_container_hashicorp:
+  - name: consul
+    repository: hashicorp/consul
+    base_path: hashicorp/consul
+    state: present
+    required: "{{ stackhpc_sync_hashicorp_images | bool }}"
+  - name: vault
+    repository: hashicorp/vault
+    base_path: hashicorp/vault
+    state: present
+    required: "{{ stackhpc_sync_hashicorp_images | bool }}"
+
 # List of container image repositories.
 stackhpc_pulp_repository_container_repos: >-
   {{ (stackhpc_pulp_repository_container_repos_kolla +
-      stackhpc_pulp_repository_container_repos_ceph) | selectattr('required') }}
+      stackhpc_pulp_repository_container_repos_ceph +
+      stackhpc_pulp_repository_container_repos_hashicorp) | selectattr('required') }}
 
 # List of container image distributions.
 stackhpc_pulp_distribution_container: >-
   {{ (stackhpc_pulp_distribution_container_kolla +
-      stackhpc_pulp_distribution_container_ceph) | selectattr('required') }}
+      stackhpc_pulp_distribution_container_ceph +
+      stackhpc_pulp_distribution_container_hashicorp) | selectattr('required') }}

etc/kayobe/vault.yml

@@ -2,9 +2,20 @@
 ###############################################################################
 # Hashicorp Vault deployment configuration.
 
+# Registry information for seed.
+# seed_hashicorp_registry_url:
+# seed_hashicorp_registry_username:
+# seed_hashicorp_registry_password:
+
+# Seed Consul container image.
+# seed_consul_docker_image:
+
 # Seed Consul container image tag.
 # seed_consul_docker_tag:
 
+# Seed Vault container image.
+# seed_vault_docker_image:
+
 # Seed Vault container image tag.
 # seed_vault_docker_tag:
 
@@ -14,9 +25,20 @@
 # Seed Vault PKI Roles definition
 # seed_vault_pki_roles: []
 
+# Registry information for overcloud.
+# overcloud_hashicorp_registry_url:
+# overcloud_hashicorp_registry_username:
+# overcloud_hashicorp_registry_password:
+
+# Overcloud Consul container image.
+# overcloud_consul_docker_image:
+
 # Overcloud Consul container image tag.
 # overcloud_consul_docker_tag:
 
+# Overcloud Vault container image.
+# overcloud_vault_docker_image:
+
 # Overcloud Vault container image tag.
 # overcloud_vault_docker_tag: