13 changes: 12 additions & 1 deletion roles/github/README.md
Expand Up @@ -71,6 +71,8 @@ github_buildx_inline_config: |

`github_tempest_test_suites`: provide a list of load lists to be made available within the drop-down list for running tempest. Defaults to `default` and `tempest-full`.

If you are using the workflow `github_run_kolla_ansible_octavia_certificates` to check for the expiry of Octavia Amphora certificates, by default it will allow for manual execution via workflow_dispatch. You can also have this run automatically on a schedule by setting `github_octavia_certificates_schedule` to a cron schedule. If you want to change the number of days checked, set the variable `github_default_octavia_certificates_expiry_time`.

If you wish to make more impactful changes such as which workflows are built and what they contain then see the list of dictionaries called `workflows` in `defaults/main.yml`

`github_workflows:` is a list of dictionaries that contains each of the workflows described above. A given list element is made up of the following:
Expand All @@ -87,7 +89,16 @@ If you wish to make more impactful changes such as which workflows are built and

- `use_bespoke`: As mentioned in `path_override` some workflows require a more specific template to meet their needs. Setting this to true would create a workflow from a bespoke template if one exists within the roles `templates` directory. Note this is intended for **internal use only**.

The following will override `github_workflows` to ensure only `Build Kayobe Image` and `Run Kolla Config Diff` is generated.
By default, most workflows are built as they are part of the list `github_workflows_default`. If you want to add additional workflows, you can add them to the list `github_workflows_extra`.

For example, you can set the following to additionally build `Run Kolla Ansible Octavia Certificates Check Expiry`.

```yaml
github_workflows_extra:
- "{{ github_run_kolla_ansible_octavia_certificates }}"
```

If you don't want to build all workflows, the following will override `github_workflows` to ensure only `Build Kayobe Image` and `Run Kolla Config Diff` are generated.

```yaml
github_workflows:
35 changes: 34 additions & 1 deletion roles/github/defaults/main.yml
Expand Up @@ -31,6 +31,10 @@ github_buildx_enable_provenance: false

github_timeout: 360

github_default_octavia_certificates_expiry_time: 30

github_octavia_certificates_schedule:

github_tempest_test_suites: |
- default
- tempest-full
Expand Down Expand Up @@ -66,7 +70,18 @@ github_kayobe_environment_input: |
options: {{ github_kayobe_environments }}
{%- endif -%}

github_workflows:
github_octavia_certificates_input: |
expiry_time:
description: |
Check if the Octavia Amphora certificates will expire within this
number of days (integer).
type: string
required: true
default: '{{ github_default_octavia_certificates_expiry_time }}'

github_workflows: "{{ github_workflows_default + github_workflows_extra }}"

github_workflows_default:
- "{{ github_prepare_runner }}"
- "{{ github_build_kayobe_image }}"
- "{{ github_run_kolla_config_diff }}"
Expand All @@ -91,6 +106,8 @@ github_workflows:
- "{{ github_run_seed_vm_provision }}"
- "{{ github_run_tempest }}"

github_workflows_extra: []

github_prepare_runner:
file_name: prepare-runner.yml
use_bespoke: true
Expand Down Expand Up @@ -131,6 +148,22 @@ github_run_infra_vm_service_deploy:
arguments: "{{ github_kayobe_task_arguments }}"
concurrency_group: infra

github_octavia_certificates_schedule_trigger:
schedule:
cron: "{{ github_octavia_certificates_schedule }}"

github_octavia_certificates_workflow_dispatch_trigger:
workflow_dispatch: "{{ github_octavia_certificates_input }}"

github_run_kolla_ansible_octavia_certificates:
file_name: run-kolla-ansible-octavia-certificates-check-expiry.yml
use_bespoke: true
expiry_time: "{{ github_default_octavia_certificates_expiry_time }}"
trigger: >-
{{ github_octavia_certificates_workflow_dispatch_trigger | combine(github_octavia_certificates_schedule_trigger)
if github_octavia_certificates_schedule else github_octavia_certificates_workflow_dispatch_trigger }}
concurrency_group: overcloud

github_run_network_connectivity_check:
file_name: run-network-connectivity-check.yml
trigger:
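Review bot: `github_octavia_certificates_schedule_trigger` defines `schedule:` as a mapping with a `cron:` key, whereas GitHub Actions expects `on.schedule` to be a list of cron entries, so unless `header.yml.j2` (not shown here) reshapes it, the generated workflow would likely be rejected once a schedule is set; I would write the entry as `- cron: "{{ github_octavia_certificates_schedule }}"`. The `expiry_time` input is declared `type: string` although its description asks for an integer; `type: number` would let GitHub validate the value before it reaches the job. The bare `github_octavia_certificates_schedule:` would read more clearly as an explicit `null` with a comment such as `# Cron expression, e.g. "0 6 * * 1"; leave null for manual runs only`.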
@@ -0,0 +1,72 @@
<%- if github_environment_selector == 'input' -%>
<%- set github_runs_on = github_runs_on + ['${{ inputs.kayobe_environment }}'] -%>
<%- set _ = workflow.update({"concurrency_group": "format('{0}-{1}', " + workflow.concurrency_group + ", '${{ inputs.kayobe_environment }}')" }) -%>
<%- set _ = github_default_registry.update({"url": "${{ vars[format('{0}_REGISTRY_URL', inputs.kayobe_environment)] }}" }) -%>
<%- set _ = github_default_registry.update({"username": "${{ vars[format('{0}_REGISTRY_USERNAME', inputs.kayobe_environment)] }}" }) -%>
<%- set _ = github_default_registry.update({"password": "${{ secrets[format('{0}_REGISTRY_PASSWORD', inputs.kayobe_environment)] }}" }) -%>
<%- set _ = github_default_kayobe_arguments.update({"KAYOBE_AUTOMATION_SSH_PRIVATE_KEY": "${{ secrets[format('{0}_KAYOBE_AUTOMATION_SSH_PRIVATE_KEY', inputs.kayobe_environment)] }}" }) -%>
<%- set _ = github_default_kayobe_arguments.update({"KAYOBE_VAULT_PASSWORD": "${{ secrets[format('{0}_KAYOBE_VAULT_PASSWORD', inputs.kayobe_environment)] }}" }) -%>
<%- set _ = github_kayobe_arguments.update({"KAYOBE_ENVIRONMENT": '${{ inputs.kayobe_environment }}'}) -%>
<%- endif -%>
<%- if github_environment_selector == 'single' -%>
<%- set _ = github_kayobe_arguments.update({"KAYOBE_ENVIRONMENT": github_kayobe_environments | first}) -%>
<%- endif -%>
%% lookup('template', 'header.yml.j2') %%
jobs:
prepare-runner:
uses: ./.github/workflows/prepare-runner.yml
%% format_file_name(workflow.file_name) %%:
runs-on: %% github_runs_on %%
permissions:
contents: read
packages: %% 'read' if (github_registry.url | default(github_default_registry.url)) == 'ghcr.io' else 'none' %%
pull-requests: none
container:
image: %% github_registry.url | default(github_default_registry.url) %%/%% github_image_name %%:%% github_image_tag %%
credentials:
username: %% github_registry.username | default(github_default_registry.username) %%
password: %% github_registry.password | default(github_default_registry.password) %%
concurrency:
group: %% workflow.concurrency_group %%
cancel-in-progress: false
timeout-minutes: %% github_timeout %%
needs: prepare-runner
steps:
<% if github_checkout_hook | length >= 1 %>
%% github_checkout_hook | indent(width=6, first=false) %%
<% endif %>
- name: Checkout kayobe config
uses: actions/checkout@v3
with:
submodules: true
path: kayobe-config

<% if github_kayobe_hook | length >= 1 %>
%% github_kayobe_hook | indent(width=6, first=false) %%
<% endif %>
- name: Symlink source checkout to expected location
run: sudo ln -s $PWD/kayobe-config /src

- name: Generate Kolla Ansible configuration
run: |
/src/.automation/pipeline/overcloud-service-configuration-generate.sh "/tmp/ignore"
env:
<% if github_environment_selector is not none %>
KAYOBE_ENVIRONMENT: '%% github_kayobe_arguments.KAYOBE_ENVIRONMENT %%'
<% endif %>
HOME: '%% github_kayobe_arguments.HOME | default(github_default_kayobe_arguments.HOME) %%'
KOLLA_TAGS: none

- name: Check Octavia certificates expiry
run: |
/src/.automation/pipeline/kolla-ansible-run.sh "octavia-certificates --check-expiry <%- if github_octavia_certificates_schedule %> %% workflow.expiry_time %% <%- else %> ${{ inputs.expiry_time }} <%- endif -%>"
env:
<% if github_environment_selector is not none %>
KAYOBE_ENVIRONMENT: '%% github_kayobe_arguments.KAYOBE_ENVIRONMENT %%'
<% endif %>
KAYOBE_AUTOMATION_SSH_PRIVATE_KEY: "%% github_kayobe_arguments.KAYOBE_AUTOMATION_SSH_PRIVATE_KEY | default(github_default_kayobe_arguments.KAYOBE_AUTOMATION_SSH_PRIVATE_KEY) %%"
KAYOBE_VAULT_PASSWORD: "%% github_kayobe_arguments.KAYOBE_VAULT_PASSWORD | default(github_default_kayobe_arguments.KAYOBE_VAULT_PASSWORD) %%"
HOME: '%% github_kayobe_arguments.HOME | default(github_default_kayobe_arguments.HOME) %%'
<% if github_final_hook | length >= 1 +%>
%% github_final_hook | indent(width=6, first=false) -%%
<% endif %>
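Review bot: The `Check Octavia certificates expiry` step expands `${{ inputs.expiry_time }}` directly inside the `run:` script, so the free-form string input becomes part of the shell text before the shell parses it, in a step whose environment also holds `KAYOBE_VAULT_PASSWORD` and the automation SSH key. Pass the value through the step's `env:` instead, e.g. `EXPIRY_TIME: ${{ inputs.expiry_time || '%% workflow.expiry_time %%' }}`, and reference it in the script as `--check-expiry $EXPIRY_TIME`. That also addresses a second issue: when `github_octavia_certificates_schedule` is set, the template hard-codes `workflow.expiry_time`, so the `expiry_time` input still offered on manual runs is silently ignored. Whether `kolla-ansible-run.sh` re-evaluates its argument is not visible here, so a digits-only check on the value before the call would be worth adding as well.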