Merge pull request #570 from stackhpc/hashicorp-images

markgoddard · web-flow · commit eaad4bdc6086 · 2023-08-10T10:21:29.000+01:00
Support using local hashicorp consul/vault images
diff --git a/doc/source/configuration/release-train.rst b/doc/source/configuration/release-train.rst
@@ -115,6 +115,13 @@ Ceph container images
 By default, Ceph images are not synced from quay.io to the local Pulp. To sync
 these images, set ``stackhpc_sync_ceph_images`` to ``true``.
 
+HashiCorp container images
+--------------------------
+
+By default, HashiCorp images (Consul and Vault) are not synced from Docker Hub
+to the local Pulp. To sync these images, set ``stackhpc_sync_hashicorp_images``
+to ``true``.
+
 Usage
 =====
 
diff --git a/doc/source/configuration/vault.rst b/doc/source/configuration/vault.rst
@@ -39,6 +39,11 @@ Before beginning the deployment of vault for openstack internal TLS and backend
   * Ansible Galaxy dependencies installed: ``kayobe control host bootstrap``
   * Python dependencies installed: ``pip install -r kayobe-config/requirements.txt``
 
+By default, Consul and Vault images are not synced from Docker Hub to the local
+Pulp. To sync these images, set ``stackhpc_sync_hashicorp_images`` to ``true``.
+The Vault deployment configuration will be automatically updated to pull images
+from Pulp.
+
 Deployment
 ==========
 
diff --git a/etc/kayobe/ansible/requirements.yml b/etc/kayobe/ansible/requirements.yml
@@ -5,7 +5,7 @@ collections:
   - name: stackhpc.pulp
     version: 0.4.1
   - name: stackhpc.hashicorp
-    version: 2.3.0
+    version: 2.4.0
 roles:
   - src: stackhpc.vxlan
   - name: ansible-lockdown.rhel8_cis
diff --git a/etc/kayobe/ansible/vault-deploy-overcloud.yml b/etc/kayobe/ansible/vault-deploy-overcloud.yml
@@ -60,10 +60,15 @@
     - import_role:
         name: stackhpc.hashicorp.vault
       vars:
+        hashicorp_registry_url: "{{ overcloud_hashicorp_registry_url }}"
+        hashicorp_registry_username: "{{ overcloud_hashicorp_registry_username }}"
+        hashicorp_registry_password: "{{ overcloud_hashicorp_registry_password }}"
+        consul_docker_image: "{{ overcloud_consul_docker_image }}"
         consul_docker_tag: "{{ overcloud_consul_docker_tag }}"
         vault_config_dir: "/opt/kayobe/vault"
         vault_cluster_name: "overcloud"
         vault_ca_cert: "{{ '/etc/pki/tls/certs/ca-bundle.crt' if ansible_facts.os_family == 'RedHat' else '/usr/local/share/ca-certificates/OS-TLS-ROOT.crt' }}"
+        vault_docker_image: "{{ overcloud_vault_docker_image }}"
         vault_docker_tag: "{{ overcloud_vault_docker_tag }}"
         vault_tls_cert: "{% if kolla_internal_fqdn != kolla_internal_vip_address %}{{ kolla_internal_fqdn }}{% else %}overcloud{% endif %}.crt"
         vault_tls_key: "{% if kolla_internal_fqdn != kolla_internal_vip_address %}{{ kolla_internal_fqdn }}{% else %}overcloud{% endif %}.key"
diff --git a/etc/kayobe/ansible/vault-deploy-seed.yml b/etc/kayobe/ansible/vault-deploy-seed.yml
@@ -36,9 +36,14 @@
     - import_role:
         name: stackhpc.hashicorp.vault
       vars:
+        hashicorp_registry_url: "{{ seed_hashicorp_registry_url }}"
+        hashicorp_registry_username: "{{ seed_hashicorp_registry_username }}"
+        hashicorp_registry_password: "{{ seed_hashicorp_registry_password }}"
+        consul_docker_image: "{{ seed_consul_docker_image }}"
         consul_docker_tag: "{{ seed_consul_docker_tag }}"
         vault_config_dir: "/opt/kayobe/vault"
         vault_cluster_name: "seed"
+        vault_docker_image: "{{ seed_vault_docker_image }}"
         vault_docker_tag: "{{ seed_vault_docker_tag }}"
         vault_write_keys_file: true
         vault_write_keys_file_path: "{{ kayobe_env_config_path }}/vault/seed-vault-keys.json"
diff --git a/etc/kayobe/inventory/group_vars/all/vault b/etc/kayobe/inventory/group_vars/all/vault
@@ -1,9 +1,20 @@
 ###############################################################################
 # Hashicorp Vault deployment configuration.
 
+# Registry information for seed.
+seed_hashicorp_registry_url: "{{ stackhpc_docker_registry if stackhpc_sync_hashicorp_images | bool else '' }}"
+seed_hashicorp_registry_username: "{{ stackhpc_docker_registry_username if stackhpc_sync_hashicorp_images | bool else '' }}"
+seed_hashicorp_registry_password: "{{ stackhpc_docker_registry_password if stackhpc_sync_hashicorp_images | bool else '' }}"
+
+# Seed Consul container image.
+seed_consul_docker_image: "{{ stackhpc_docker_registry ~ '/' if stackhpc_sync_hashicorp_images | bool else '' }}hashicorp/consul"
+
 # Seed Consul container image tag.
 seed_consul_docker_tag: "1.16"
 
+# Seed Vault container image.
+seed_vault_docker_image: "{{ stackhpc_docker_registry ~ '/' if stackhpc_sync_hashicorp_images | bool else '' }}hashicorp/vault"
+
 # Seed Vault container image tag.
 seed_vault_docker_tag: "1.14"
 
@@ -27,9 +38,20 @@ seed_vault_pki_roles:
       organization: ["StackHPC"]
       ou: ["OpenStack"]
 
+# Registry information for overcloud.
+overcloud_hashicorp_registry_url: "{{ stackhpc_docker_registry if stackhpc_sync_hashicorp_images | bool else '' }}"
+overcloud_hashicorp_registry_username: "{{ stackhpc_docker_registry_username if stackhpc_sync_hashicorp_images | bool else '' }}"
+overcloud_hashicorp_registry_password: "{{ stackhpc_docker_registry_password if stackhpc_sync_hashicorp_images | bool else '' }}"
+
+# Overcloud Consul container image.
+overcloud_consul_docker_image: "{{ stackhpc_docker_registry ~ '/' if stackhpc_sync_hashicorp_images | bool else '' }}hashicorp/consul"
+
 # Overcloud Consul container image tag.
 overcloud_consul_docker_tag: "1.16"
 
+# Overcloud Vault container image.
+overcloud_vault_docker_image: "{{ stackhpc_docker_registry ~ '/' if stackhpc_sync_hashicorp_images | bool else '' }}hashicorp/vault"
+
 # Overcloud Vault container image tag.
 overcloud_vault_docker_tag: "1.14"
 
diff --git a/etc/kayobe/pulp.yml b/etc/kayobe/pulp.yml
@@ -1217,12 +1217,47 @@ stackhpc_pulp_distribution_container_ceph:
     state: present
     required: "{{ stackhpc_sync_ceph_images | bool }}"
 
+# Whether to sync HashiCorp container images.
+stackhpc_sync_hashicorp_images: false
+
+# List of HashiCorp container image repositories.
+stackhpc_pulp_repository_container_repos_hashicorp:
+  - name: "hashicorp/consul"
+    url: "https://registry-1.docker.io"
+    policy: on_demand
+    proxy_url: "{{ pulp_proxy_url }}"
+    state: present
+    include_tags: "{{ overcloud_consul_docker_tag }}"
+    required: "{{ stackhpc_sync_hashicorp_images | bool }}"
+  - name: "hashicorp/vault"
+    url: "https://registry-1.docker.io"
+    policy: on_demand
+    proxy_url: "{{ pulp_proxy_url }}"
+    state: present
+    include_tags: "{{ overcloud_vault_docker_tag }}"
+    required: "{{ stackhpc_sync_hashicorp_images | bool }}"
+
+# List of HashiCorp container image distributions.
+stackhpc_pulp_distribution_container_hashicorp:
+  - name: consul
+    repository: hashicorp/consul
+    base_path: hashicorp/consul
+    state: present
+    required: "{{ stackhpc_sync_hashicorp_images | bool }}"
+  - name: vault
+    repository: hashicorp/vault
+    base_path: hashicorp/vault
+    state: present
+    required: "{{ stackhpc_sync_hashicorp_images | bool }}"
+
 # List of container image repositories.
 stackhpc_pulp_repository_container_repos: >-
   {{ (stackhpc_pulp_repository_container_repos_kolla +
-      stackhpc_pulp_repository_container_repos_ceph) | selectattr('required') }}
+      stackhpc_pulp_repository_container_repos_ceph +
+      stackhpc_pulp_repository_container_repos_hashicorp) | selectattr('required') }}
 
 # List of container image distributions.
 stackhpc_pulp_distribution_container: >-
   {{ (stackhpc_pulp_distribution_container_kolla +
-      stackhpc_pulp_distribution_container_ceph) | selectattr('required') }}
+      stackhpc_pulp_distribution_container_ceph +
+      stackhpc_pulp_distribution_container_hashicorp) | selectattr('required') }}
diff --git a/etc/kayobe/vault.yml b/etc/kayobe/vault.yml
@@ -2,9 +2,20 @@
 ###############################################################################
 # Hashicorp Vault deployment configuration.
 
+# Registry information for seed.
+# seed_hashicorp_registry_url:
+# seed_hashicorp_registry_username:
+# seed_hashicorp_registry_password:
+
+# Seed Consul container image.
+# seed_consul_docker_image:
+
 # Seed Consul container image tag.
 # seed_consul_docker_tag:
 
+# Seed Vault container image.
+# seed_vault_docker_image:
+
 # Seed Vault container image tag.
 # seed_vault_docker_tag:
 
@@ -14,9 +25,20 @@
 # Seed Vault PKI Roles definition
 # seed_vault_pki_roles: []
 
+# Registry information for overcloud.
+# overcloud_hashicorp_registry_url:
+# overcloud_hashicorp_registry_username:
+# overcloud_hashicorp_registry_password:
+
+# Overcloud Consul container image.
+# overcloud_consul_docker_image:
+
 # Overcloud Consul container image tag.
 # overcloud_consul_docker_tag:
 
+# Overcloud Vault container image.
+# overcloud_vault_docker_image:
+
 # Overcloud Vault container image tag.
 # overcloud_vault_docker_tag:
 
diff --git a/releasenotes/notes/hashicorp-sync-images-96dc726e85323104.yaml b/releasenotes/notes/hashicorp-sync-images-96dc726e85323104.yaml
@@ -0,0 +1,5 @@
+---
+features:
+  - |
+    Adds support for synchronising HashiCorp Consul and Vault images to a local
+    Pulp registry.
