Add workflow for checking Octavia cert expiry

MoteHue · MoteHue · commit 91c0dca3c98e · 2023-12-19T17:10:02.000Z
diff --git a/roles/github/defaults/main.yml b/roles/github/defaults/main.yml
@@ -31,6 +31,8 @@ github_buildx_enable_provenance: false
 
 github_timeout: 360
 
+github_octavia_certificates_expiry_time: 30
+
 github_tempest_test_suites: |
   - default
   - tempest-full
@@ -74,6 +76,7 @@ github_workflows:
   - "{{ github_run_infra_vm_host_package_update }}"
   - "{{ github_run_infra_vm_provision }}"
   - "{{ github_run_infra_vm_service_deploy }}"
+  - "{{ github_run_kolla_ansible_octavia_certificates }}"
   - "{{ github_run_network_connectivity_check }}"
   - "{{ github_run_overcloud_container_image_pull }}"
   - "{{ github_run_overcloud_database_backup }}"
@@ -131,6 +134,15 @@ github_run_infra_vm_service_deploy:
   arguments: "{{ github_kayobe_task_arguments }}"
   concurrency_group: infra
 
+github_run_kolla_ansible_octavia_certificates:
+  file_name: run-kolla-ansible-octavia-certificates-check-expiry.yml
+  use_bespoke: true
+  expiry_time: "{{ github_octavia_certificates_expiry_time }}"
+  trigger:
+    workflow_dispatch: "{{ github_kayobe_dispatch_inputs }}"
+  arguments: "{{ github_kayobe_task_arguments }}"
+  concurrency_group: overcloud
+
 github_run_network_connectivity_check:
   file_name: run-network-connectivity-check.yml
   trigger:
diff --git a/roles/github/templates/run-kolla-ansible-octavia-certificates-check-expiry.yml.j2 b/roles/github/templates/run-kolla-ansible-octavia-certificates-check-expiry.yml.j2
@@ -0,0 +1,72 @@
+<%- if github_environment_selector == 'input' -%>
+<%- set github_runs_on = github_runs_on + ['${{ inputs.kayobe_environment }}'] -%>
+<%- set _ = workflow.update({"concurrency_group": "format('{0}-{1}', " + workflow.concurrency_group + ", '${{ inputs.kayobe_environment }}')" })  -%>
+<%- set _ = github_default_registry.update({"url": "${{ vars[format('{0}_REGISTRY_URL', inputs.kayobe_environment)] }}" }) -%>
+<%- set _ = github_default_registry.update({"username": "${{ vars[format('{0}_REGISTRY_USERNAME', inputs.kayobe_environment)] }}" }) -%>
+<%- set _ = github_default_registry.update({"password": "${{ secrets[format('{0}_REGISTRY_PASSWORD', inputs.kayobe_environment)] }}" }) -%>
+<%- set _ = github_default_kayobe_arguments.update({"KAYOBE_AUTOMATION_SSH_PRIVATE_KEY": "${{ secrets[format('{0}_KAYOBE_AUTOMATION_SSH_PRIVATE_KEY', inputs.kayobe_environment)] }}" }) -%>
+<%- set _ = github_default_kayobe_arguments.update({"KAYOBE_VAULT_PASSWORD": "${{ secrets[format('{0}_KAYOBE_VAULT_PASSWORD', inputs.kayobe_environment)] }}" }) -%>
+<%- set _ = github_kayobe_arguments.update({"KAYOBE_ENVIRONMENT": '${{ inputs.kayobe_environment }}'}) -%>
+<%- endif -%>
+<%- if github_environment_selector == 'single' -%>
+<%- set _ = github_kayobe_arguments.update({"KAYOBE_ENVIRONMENT": github_kayobe_environments | first}) -%>
+<%- endif -%>
+%% lookup('template', 'header.yml.j2') %%
+jobs:
+  prepare-runner:
+    uses: ./.github/workflows/prepare-runner.yml
+  %% format_file_name(workflow.file_name) %%:
+    runs-on: %% github_runs_on %%
+    permissions:
+      contents: read
+      packages: %% 'read' if (github_registry.url | default(github_default_registry.url)) == 'ghcr.io' else 'none' %%
+      pull-requests: none
+    container:
+      image: %% github_registry.url | default(github_default_registry.url) %%/%% github_image_name %%:%% github_image_tag %%
+      credentials:
+        username: %% github_registry.username | default(github_default_registry.username) %%
+        password: %% github_registry.password | default(github_default_registry.password) %%
+    concurrency:
+      group: %% workflow.concurrency_group %%
+      cancel-in-progress: false
+    timeout-minutes: %% github_timeout %%
+    needs: prepare-runner
+    steps:
+<% if github_checkout_hook | length >= 1 %>
+      %% github_checkout_hook | indent(width=6, first=false) %%
+<% endif %>
+      - name: Checkout kayobe config
+        uses: actions/checkout@v3
+        with:
+          submodules: true
+          path: kayobe-config
+
+<% if github_kayobe_hook | length >= 1 %>
+      %% github_kayobe_hook | indent(width=6, first=false) %%
+<% endif %>
+      - name: Symlink source checkout to expected location
+        run: sudo ln -s $PWD/kayobe-config /src
+
+      - name: Generate Kolla Ansible configuration
+        run: |
+          /src/.automation/pipeline/overcloud-service-configuration-generate.sh "/tmp/ignore"
+        env:
+<% if github_environment_selector is not none %>
+          KAYOBE_ENVIRONMENT: '%% github_kayobe_arguments.KAYOBE_ENVIRONMENT %%'
+<% endif %>
+          HOME: '%% github_kayobe_arguments.HOME | default(github_default_kayobe_arguments.HOME) %%'
+          KOLLA_TAGS: none
+
+      - name: Check Octavia certificates expiry
+        run: |
+          /src/.automation/pipeline/kolla-ansible-run.sh "octavia-certificates --check-expiry %% workflow.expiry_time %%"
+        env:
+<% if github_environment_selector is not none %>
+          KAYOBE_ENVIRONMENT: '%% github_kayobe_arguments.KAYOBE_ENVIRONMENT %%'
+<% endif %>
+          KAYOBE_AUTOMATION_SSH_PRIVATE_KEY: "%% github_kayobe_arguments.KAYOBE_AUTOMATION_SSH_PRIVATE_KEY | default(github_default_kayobe_arguments.KAYOBE_AUTOMATION_SSH_PRIVATE_KEY) %%"
+          KAYOBE_VAULT_PASSWORD: "%% github_kayobe_arguments.KAYOBE_VAULT_PASSWORD | default(github_default_kayobe_arguments.KAYOBE_VAULT_PASSWORD) %%"
+          HOME: '%% github_kayobe_arguments.HOME | default(github_default_kayobe_arguments.HOME) %%'
+<% if github_final_hook | length >= 1 +%>
+      %% github_final_hook | indent(width=6, first=false) -%%
+<% endif %>
