Merge branch 'stackhpc/2024.1' into caracal-to-epoxy-sync

Author: seunghun1ee

.github/workflows/stackhpc-all-in-one.yml

@@ -7,11 +7,10 @@ name: All in one
 on:
   workflow_call:
     inputs:
-      runner:
-        required: false
+      runner_env:
+        description: Which cloud to run on?
         type: string
-        description: 'Runner name'
-        default: 'arc-skc-aio-runner'
+        default: SMS Lab
       kayobe_image:
         description: Kayobe container image
         type: string
@@ -40,18 +39,6 @@ on:
         description: Default network interface name
         type: string
         default: ens3
-      vm_flavor:
-        description: Flavor for the all-in-one VM
-        type: string
-        default: en1.medium
-      vm_network:
-        description: Network for the all-in-one VM
-        type: string
-        default: stackhpc-ci
-      vm_subnet:
-        description: Subnet for the all-in-one VM
-        type: string
-        default: stackhpc-ci
       OS_CLOUD:
         description: Name of cloud in clouds.yaml
         type: string
@@ -87,11 +74,18 @@ on:
         required: true
 
 jobs:
+  runner-selection:
+    uses: ./.github/workflows/runner-selector.yml
+    with:
+      runner_env: ${{ inputs.upgrade == true && 'Leafcloud' || inputs.runner_env }}
   # NOTE: Runner needs unzip and nodejs packages.
   all-in-one:
     name: All in one
     if: ${{ inputs.if && !cancelled() }}
-    runs-on: ${{ inputs.runner }}
+    environment: ${{ inputs.upgrade == true && 'Leafcloud' || inputs.runner_env }}
+    runs-on: ${{ needs.runner-selection.outputs.runner_name_aio }}
+    needs:
+      - runner-selection
     permissions: {}
     env:
       KAYOBE_ENVIRONMENT: ci-aio
@@ -170,9 +164,9 @@ jobs:
           aio_vm_interface = "${{ env.VM_INTERFACE }}"
           aio_vm_name = "${{ env.VM_NAME }}"
           aio_vm_image = "${{ env.VM_IMAGE }}"
-          aio_vm_flavor = "${{ env.VM_FLAVOR }}"
-          aio_vm_network = "${{ env.VM_NETWORK }}"
-          aio_vm_subnet = "${{ env.VM_SUBNET }}"
+          aio_vm_flavor = "${{ vars.HOST_IMAGE_BUILD_FLAVOR }}"
+          aio_vm_network = "${{ vars.HOST_IMAGE_BUILD_NETWORK }}"
+          aio_vm_subnet = "${{ vars.HOST_IMAGE_BUILD_SUBNET }}"
           aio_vm_volume_size = "${{ env.VM_VOLUME_SIZE }}"
           aio_vm_tags = ${{ env.VM_TAGS }}
           EOF
@@ -181,9 +175,6 @@ jobs:
           SSH_USERNAME: "${{ inputs.ssh_username }}"
           VM_NAME: "skc-ci-aio-${{ inputs.neutron_plugin }}-${{ github.run_id }}"
           VM_IMAGE: ${{ steps.image_name.outputs.image_name }}
-          VM_FLAVOR: ${{ inputs.vm_flavor }}
-          VM_NETWORK: ${{ inputs.vm_network }}
-          VM_SUBNET: ${{ inputs.vm_subnet }}
           VM_INTERFACE: ${{ inputs.vm_interface }}
           VM_VOLUME_SIZE: ${{ inputs.upgrade && '65' || '50' }}
           VM_TAGS: '["skc-ci-aio", "PR=${{ github.event.number }}"]'
@@ -192,7 +183,7 @@ jobs:
         run: terraform plan
         working-directory: ${{ github.workspace }}/terraform/aio
         env:
-          OS_CLOUD: ${{ inputs.OS_CLOUD }}
+          OS_CLOUD: ${{ vars.OS_CLOUD }}
           OS_APPLICATION_CREDENTIAL_ID: ${{ secrets.OS_APPLICATION_CREDENTIAL_ID }}
           OS_APPLICATION_CREDENTIAL_SECRET: ${{ secrets.OS_APPLICATION_CREDENTIAL_SECRET }}
 
@@ -213,7 +204,7 @@ jobs:
           exit 1
         working-directory: ${{ github.workspace }}/terraform/aio
         env:
-          OS_CLOUD: ${{ inputs.OS_CLOUD }}
+          OS_CLOUD: ${{ vars.OS_CLOUD }}
           OS_APPLICATION_CREDENTIAL_ID: ${{ secrets.OS_APPLICATION_CREDENTIAL_ID }}
           OS_APPLICATION_CREDENTIAL_SECRET: ${{ secrets.OS_APPLICATION_CREDENTIAL_SECRET }}
 
@@ -471,7 +462,7 @@ jobs:
         run: terraform destroy -auto-approve
         working-directory: ${{ github.workspace }}/terraform/aio
         env:
-          OS_CLOUD: ${{ inputs.OS_CLOUD }}
+          OS_CLOUD: ${{ vars.OS_CLOUD }}
           OS_APPLICATION_CREDENTIAL_ID: ${{ secrets.OS_APPLICATION_CREDENTIAL_ID }}
           OS_APPLICATION_CREDENTIAL_SECRET: ${{ secrets.OS_APPLICATION_CREDENTIAL_SECRET }}
         if: always()

.github/workflows/update-dependencies.yml

@@ -14,6 +14,7 @@ on:
 
 jobs:
   propose_github_release_updates:
+    if: github.repository == 'stackhpc/stackhpc-kayobe-config'
     runs-on: ubuntu-22.04
     strategy:
       matrix:

.github/workflows/upstream-sync.yml

@@ -0,0 +1,38 @@
+---
+name: Upstream Sync
+'on':
+  schedule:
+    - cron: "15 8 * * 1"
+  workflow_dispatch:
+permissions:
+  contents: write
+  pull-requests: write
+jobs:
+  synchronise-2023-1:
+    if: github.repository == 'stackhpc/stackhpc-kayobe-config'
+    name: Synchronise 2023.1
+    uses: stackhpc/.github/.github/workflows/upstream-sync.yml@main
+    with:
+      release_series: 2023.1
+      upstream: openstack/kayobe-config
+  synchronise-2024-1:
+    if: github.repository == 'stackhpc/stackhpc-kayobe-config'
+    name: Synchronise 2024.1
+    uses: stackhpc/.github/.github/workflows/upstream-sync.yml@main
+    with:
+      release_series: 2024.1
+      upstream: openstack/kayobe-config
+  synchronise-2025-1:
+    if: github.repository == 'stackhpc/stackhpc-kayobe-config'
+    name: Synchronise 2025.1
+    uses: stackhpc/.github/.github/workflows/upstream-sync.yml@main
+    with:
+      release_series: 2025.1
+      upstream: openstack/kayobe-config
+  synchronise-master:
+    if: github.repository == 'stackhpc/stackhpc-kayobe-config'
+    name: Synchronise master
+    uses: stackhpc/.github/.github/workflows/upstream-sync.yml@main
+    with:
+      release_series: master
+      upstream: openstack/kayobe-config

doc/source/configuration/ipa.rst

@@ -11,7 +11,7 @@ StackHPC provides prebuilt Ironic Python Agent (IPA) images in Release Train
 through Ark.
 
 These images are built in CI using a GitHub workflow and are configured in this
-repository. See  :kayobe-doc: `Kayobe documentation
+repository. See :kayobe-doc:`Kayobe documentation
 <configuration/reference/ironic-python-agent.html>` for more details on IPA.
 
 Release Train IPA images are used by Bifrost and Overcloud Ironic by default in

doc/source/configuration/monitoring.rst

@@ -169,12 +169,18 @@ for the exporter.
 If you are deploying in a cloud with internal TLS, you may be required
 to provide a CA certificate for the OpenStack Capacity exporter if your
 certificate is not signed by a trusted CA. For example, to use a CA certificate
-named ``vault.crt`` that is also added to the Kolla containers:
+named ``vault.crt`` or ``openbao.crt`` that is also added to the Kolla containers:
 
 .. code-block:: yaml
 
     stackhpc_os_capacity_openstack_cacert: "{{ kayobe_env_config_path }}/kolla/certificates/ca/vault.crt"
 
+or
+
+.. code-block:: yaml
+
+    stackhpc_os_capacity_openstack_cacert: "{{ kayobe_env_config_path }}/kolla/certificates/ca/openbao.crt"
+
 Alternatively, to disable certificate verification for the OpenStack Capacity
 exporter:
 

doc/source/configuration/release-train.rst

@@ -52,16 +52,29 @@ The Pulp container is deployed on the seed by default, but may be disabled by
 setting ``seed_pulp_container_enabled`` to ``false`` in
 ``etc/kayobe/seed.yml``.
 
-The URL and credentials of the local Pulp server are configured in
-``etc/kayobe/pulp.yml`` via ``pulp_url``, ``pulp_username`` and
-``pulp_password``. In most cases, the default values should be sufficient.
-An admin password must be generated and set as the value of a
-``secrets_pulp_password`` variable, typically in an Ansible Vault encrypted
-``etc/kayobe/secrets.yml`` file. This password will be automatically set on
-Pulp startup.
-
-If a proxy is required to access the Internet from the seed, ``pulp_proxy_url``
-may be used.
+The URL for the local Pulp server is configured by ``pulp_url`` within
+``etc/kayobe/pulp.yml``.
+
+The Pulp service can be configured with two sets of credentials; one for
+administrator operations and another read-only for overcloud hosts
+to use.
+The administrator credentials can be configured ``pulp_username``,
+``pulp_password``
+The basic user account credentials can be configured with ``pulp_stack_username``
+and ``pulp_stack_password``.
+Both sets of credentials can be found within ``etc/kayobe/pulp.yml``.
+
+Both the ``pulp_password`` and ``pulp_stack_password`` are intended to be
+configured via their ``secrets_*`` counterparts, i.e.
+``secrets_pulp_password`` and ``secrets_pulp_stack_password``. These variables
+are expected to be set in an Ansible Vault encrypted
+``etc/kayobe/secrets.yml`` file.
+
+Passwords can be generated using ``OpenSSL``
+
+.. code-block:: console
+
+  openssl rand -base64 32
 
 Host images are not synchronised to the local Pulp server, since they should
 only be pulled to the seed node once. More information on host images can be

etc/kayobe/ansible/cephadm-gather-keys.yml

@@ -68,6 +68,7 @@
         # Kolla Ansible's merge_configs module does not like the leading tabs in ceph.conf.
         content: |
           {{ cephadm_ceph_conf.stdout | regex_replace('\t') }}
+          {{ kolla_ceph_conf_append if kolla_ceph_conf_append is defined }}
         dest: "{{ kayobe_env_config_path }}/kolla/config/{{ kolla_service_to_conf_dir[item.0.name] }}/ceph.conf"
       loop: "{{ query('subelements', kolla_ceph_services | selectattr('required'), 'keys') }}"
       loop_control:

etc/kayobe/ansible/check-kayobe-version.yml

@@ -8,6 +8,7 @@
   tasks:
     - name: Check version
       when: stackhpc_enable_kayobe_check
+      check_mode: false
       block:
         - name: Get package info
           community.general.pip_package_info:

etc/kayobe/ansible/check-kolla-ansible-version.yml

@@ -6,6 +6,7 @@
   tasks:
     - name: Check version
       when: stackhpc_enable_kolla_ansible_check
+      check_mode: false
       block:
         - name: Get current Kolla-Ansible tag
           ansible.builtin.command:

etc/kayobe/ansible/openbao-deploy-overcloud.yml

@@ -21,7 +21,12 @@
   gather_facts: true
   hosts: controllers
   vars:
-    openbao_bind_address: "{{ internal_net_name | net_ip }}"
+    openbao_bind_addr: "{{ internal_net_name | net_ip }}"
+    # This is the IP address of the first controller and therefore the leader within
+    # OpenBao. This could be replaced with the VIP address of the internal network if
+    # HAProxy has been configured to load balance the OpenBao API.
+    openbao_raft_leaders:
+      - "{{ internal_net_name | net_ip(inventory_hostname=groups['controllers'][0]) }}"
   tasks:
     - name: Set a fact about the virtualenv on the remote system
       ansible.builtin.set_fact:
@@ -46,7 +51,7 @@
 
     - name: Template out TLS key and cert
       ansible.builtin.copy:
-        # Within the OpenBao container these uids & gids map to the vault user
+        # Within the OpenBao container these uids & gids map to the openbao user
         src: "{{ kayobe_env_config_path }}/openbao/{{ item }}"
         dest: /opt/kayobe/openbao/{{ item }}
         owner: 100
@@ -55,6 +60,7 @@
       loop:
         - "{% if kolla_internal_fqdn != kolla_internal_vip_address %}{{ kolla_internal_fqdn }}{% else %}overcloud{% endif %}.crt"
         - "{% if kolla_internal_fqdn != kolla_internal_vip_address %}{{ kolla_internal_fqdn }}{% else %}overcloud{% endif %}.key"
+        - "OS-TLS-INT.crt"
       become: true
 
     - name: Apply OpenBao role
@@ -71,6 +77,7 @@
         openbao_docker_tag: "{{ overcloud_openbao_docker_tag }}"
         openbao_tls_cert: "{% if kolla_internal_fqdn != kolla_internal_vip_address %}{{ kolla_internal_fqdn }}{% else %}overcloud{% endif %}.crt"
         openbao_tls_key: "{% if kolla_internal_fqdn != kolla_internal_vip_address %}{{ kolla_internal_fqdn }}{% else %}overcloud{% endif %}.key"
+        openbao_tls_ca: "OS-TLS-INT.crt"
         copy_self_signed_ca: true
         openbao_api_addr: https://{{ internal_net_name | net_ip }}:8200
         openbao_write_keys_file: true
@@ -91,6 +98,28 @@
         vault_unseal_keys: "{{ openbao_keys.keys_base64 }}"
       environment:
         https_proxy: ""
+      run_once: true
+
+      # As the first instance is now unsealed the other instances will now need some
+      # time to connect before we can proceed.
+    - name: Wait for OpenBao Raft peers to connect
+      ansible.builtin.wait_for:
+        timeout: 30
+      delegate_to: localhost
+
+      # Raft peers take few seconds before they report an unsealed state therefore
+      # we must wait.
+    - name: Unseal OpenBao
+      ansible.builtin.import_role:
+        name: stackhpc.hashicorp.vault_unseal
+      vars:
+        vault_api_addr: https://{{ internal_net_name | net_ip }}:8200
+        vault_unseal_token: "{{ openbao_keys.root_token }}"
+        vault_unseal_ca_cert: "{{ '/etc/pki/tls/certs/ca-bundle.crt' if ansible_facts.os_family == 'RedHat' else '/usr/local/share/ca-certificates/OS-TLS-ROOT.crt' }}"
+        vault_unseal_keys: "{{ openbao_keys.keys_base64 }}"
+        vault_unseal_timeout: 10
+      environment:
+        https_proxy: ""
 
 - name: Configure PKI
   any_errors_fatal: true

etc/kayobe/ansible/openbao-deploy-seed.yml

@@ -4,8 +4,8 @@
   gather_facts: true
   hosts: seed
   vars:
-    openbao_bind_address: "{{ ansible_facts['lo'].ipv4.address }}"
-    openbao_api_addr: "http://{{ openbao_bind_address }}:8200"
+    openbao_bind_addr: "{{ ansible_facts['lo'].ipv4.address }}"
+    openbao_api_addr: "http://{{ openbao_bind_addr }}:8200"
   tasks:
     - name: Set a fact about the virtualenv on the remote system
       ansible.builtin.set_fact:

etc/kayobe/ansible/pci-passthrough.yml

@@ -11,7 +11,7 @@
     vfio_pci_ids: |-
       {% set gpu_list = [] %}
       {% set output = [] %}
-      {% for gpu_group in gpu_group_map | dict2items | default([]) %}
+      {% for gpu_group in (gpu_group_map | default({})) | dict2items %}
       {% if gpu_group.key in group_names %}
       {% set _ = gpu_list.append(gpu_group.value) %}
       {% endif %}

etc/kayobe/ansible/pulp-host-image-download.yml

@@ -7,18 +7,15 @@
     # password in the get_url task of this playbook
     stackhpc_overcloud_host_image_url_no_auth: "{{ stackhpc_release_pulp_content_url }}/kayobe-images/\
       {{ openstack_release }}/{{ os_distribution }}/{{ os_release }}/\
-      {{ 'ofed/' if stackhpc_overcloud_host_image_is_ofed else '' }}\
       {{ stackhpc_overcloud_host_image_version }}/\
-      overcloud-{{ os_distribution }}-{{ os_release }}\
-      {{ '-ofed' if stackhpc_overcloud_host_image_is_ofed else '' }}.qcow2"
+      overcloud-{{ os_distribution }}-{{ os_release }}.qcow2"
   tasks:
     - name: Print image information
       ansible.builtin.debug:
         msg: |
           OS Distribution: {{ os_distribution }}
           OS Release: {{ os_release }}
           Image tag: {{ stackhpc_overcloud_host_image_version }}
-          OFED: {{ stackhpc_overcloud_host_image_is_ofed }}
 
     # TODO: Add checksum support
     - name: Download image artifact

etc/kayobe/ansible/requirements.yml

@@ -9,7 +9,7 @@ collections:
   - name: stackhpc.pulp
     version: 0.5.5
   - name: stackhpc.hashicorp
-    version: 2.6.1
+    version: 2.7.1
   - name: stackhpc.kayobe_workflows
     version: 1.1.0
 roles:

etc/kayobe/ansible/smartmon-tools.yml

@@ -15,10 +15,8 @@
 
     - name: Ensure Python 3, venv, and pip are installed
       ansible.builtin.package:
-        name:
-          - python3
-          - python3-venv
-          - python3-pip
+        name: >
+          {{ ['python3', 'python3-pip'] + (['python3-venv'] if ansible_facts['distribution'] == 'Ubuntu' else []) }}
         state: present
       become: true
 

etc/kayobe/cephadm.yml

@@ -133,3 +133,6 @@ kolla_ceph_manila_required: "{{ kolla_enable_manila | bool }}"
 
 # Whether to generate Ceph configuration for Nova.
 kolla_ceph_nova_required: "{{ kolla_enable_nova | bool }}"
+
+# A (multiline) string to append to all Ceph configuration files.
+#kolla_ceph_conf_append:

etc/kayobe/containers/pulp/post.yml

@@ -28,6 +28,18 @@
     - stackhpc_pulp_sync_for_local_container_build | bool
     - pulp_settings.changed
 
+- name: Ensure Pulp stack user exists
+  ansible.builtin.include_role:
+    name: stackhpc.pulp.pulp_user
+  vars:
+    pulp_users:
+      - username: "{{ pulp_stack_username }}"
+        password: "{{ pulp_stack_password }}"
+        is_staff: false
+  when:
+    - pulp_stack_username is defined and pulp_stack_username | length > 0
+    - pulp_stack_password is defined and pulp_stack_password | length > 0
+
 - name: Login to docker registry
   docker_login:
     registry_url: "{{ kolla_docker_registry or omit }}"