Merge branch 'main' into jph/designate

Author: jackhodgkiss

.terraform.lock.hcl

@@ -125,6 +125,10 @@ Generate Terraform variables:
    storage_flavor = "general.v1.small"
    storage_disk_size = 100
 
+   deploy_wazuh = true
+   infra_vm_flavor = "general.v1.small"
+   infra_vm_disk_size = 100
+
    EOF
 
 You will need to set the `multinode_flavor`, `multinode_keypair`, `prefix`,
@@ -136,6 +140,10 @@ nodes. Both virtual machines and baremetal are supported, but the
 `controller_disk_size` and `compute_disk_size` must be set to 0 when using
 baremetal host. This will stop a block device being allocated.
 
+If `deploy_wazuh` is set to true, an infrastructure VM will be created that
+hosts the Wazuh manager. The Wazuh deployment playbooks will also be triggered
+automatically to deploy Wazuh agents to the overcloud hosts.
+
 Generate a plan:
 
 .. code-block:: console

README.rst

@@ -49,6 +49,7 @@
       loop:
         - overcloud-host-configure/pre.d/
         - seed-host-configure/pre.d/
+        - infra-vm-host-configure/pre.d/
 
     - name: Ensure Kayobe hooks are present
       ansible.builtin.file:
@@ -63,6 +64,9 @@
         - { src: growroot.yml, dest: seed-host-configure/pre.d/5-growroot.yml }
         - { src: fix-networking.yml, dest: seed-host-configure/pre.d/15-fix-networking.yml }
         - { src: configure-vxlan.yml, dest: seed-host-configure/pre.d/20-configure-vxlan.yml }
+        - { src: growroot.yml, dest: infra-vm-host-configure/pre.d/5-growroot.yml }
+        - { src: fix-networking.yml, dest: infra-vm-host-configure/pre.d/15-fix-networking.yml }
+        - { src: configure-vxlan.yml, dest: infra-vm-host-configure/pre.d/20-configure-vxlan.yml }
 
 
     - name: Ensure Admin Overcloud Network file is present

ansible/deploy-openstack-config.yml

@@ -134,3 +134,27 @@ resource "openstack_compute_instance_v2" "storage" {
     create = "90m"
   }
 }
+
+resource "openstack_compute_instance_v2" "wazuh_manager" {
+  name         = format("%s-wazuh-manager-%02d", var.prefix, count.index + 1)
+  flavor_name  = var.infra_vm_flavor
+  key_pair     = resource.openstack_compute_keypair_v2.keypair.name
+  image_name   = var.multinode_image
+  config_drive = true
+  user_data    = file("templates/userdata.cfg.tpl")
+  count        = var.deploy_wazuh ? 1 : 0
+  network {
+    name = var.multinode_vm_network
+  }
+  block_device {
+    uuid                  = data.openstack_images_image_v2.multinode_image.id
+    source_type           = "image"
+    volume_size           = var.infra_vm_disk_size
+    boot_index            = 0
+    destination_type      = "volume"
+    delete_on_termination = true
+  }
+  timeouts {
+    create = "90m"
+  }
+}

compute_instances.tf

@@ -19,6 +19,7 @@ resource "local_file" "hosts" {
       ansible_control_hostname = openstack_compute_instance_v2.ansible_control.name
       storage_hostname         = openstack_compute_instance_v2.storage.*.name
       seed_hostname            = openstack_compute_instance_v2.seed.name
+      wazuh_manager_hostname   = openstack_compute_instance_v2.wazuh_manager.*.name
     }
   )
   filename        = "ansible/files/hosts"
@@ -40,6 +41,8 @@ resource "local_file" "admin_networks" {
       storage                  = openstack_compute_instance_v2.storage.*.access_ip_v4
       seed_hostname            = openstack_compute_instance_v2.seed.name
       seed                     = openstack_compute_instance_v2.seed.access_ip_v4
+      wazuh_manager_hostname   = openstack_compute_instance_v2.wazuh_manager.*.name
+      wazuh_manager            = openstack_compute_instance_v2.wazuh_manager.*.access_ip_v4
     }
   )
   filename        = "ansible/files/admin-oc-networks.yml"
@@ -62,8 +65,10 @@ resource "local_file" "deploy_openstack" {
   content = templatefile(
     "${path.module}/templates/deploy-openstack.tpl",
     {
-      seed_addr   = openstack_compute_instance_v2.seed.access_ip_v4
-      ssh_user    = var.ssh_user
+      seed_addr           = openstack_compute_instance_v2.seed.access_ip_v4,
+      ssh_user            = var.ssh_user,
+      deploy_wazuh        = var.deploy_wazuh
+      controller_hostname = openstack_compute_instance_v2.controller.*.name
     }
   )
   filename        = "ansible/files/deploy-openstack.sh"

outputs.tf

@@ -14,4 +14,7 @@ admin_oc_ips:
   ${seed_hostname}: ${seed}
 %{ for hostname, addr in zipmap(storage_hostname, storage) ~}
   ${ hostname }: ${ addr }
-%{ endfor ~}
+%{ endfor ~}
+%{ for hostname, addr in zipmap(wazuh_manager_hostname, wazuh_manager) ~}
+  ${ hostname }: ${ addr }
+%{ endfor ~}

templates/admin-oc-networks.tpl

@@ -42,17 +42,71 @@ set +x
 export KAYOBE_VAULT_PASSWORD=$(cat ~/vault.password)
 set -x
 
+# Configure hosts
 kayobe control host bootstrap
 kayobe seed host configure
 kayobe overcloud host configure
+%{ if deploy_wazuh }kayobe infra vm host configure%{ endif }
 
+# Deploy Ceph
 kayobe playbook run $KAYOBE_CONFIG_PATH/ansible/cephadm-deploy.yml
 sleep 30
 kayobe playbook run $KAYOBE_CONFIG_PATH/ansible/cephadm.yml
 kayobe playbook run $KAYOBE_CONFIG_PATH/ansible/cephadm-gather-keys.yml
 
+pip install -r $${config_directories[kayobe]}/requirements.txt
+
+# Deploy hashicorp vault to the seed
+kayobe playbook run $KAYOBE_CONFIG_PATH/ansible/vault-deploy-seed.yml
+ansible-vault encrypt --vault-password-file ~/vault.password $KAYOBE_CONFIG_PATH/environments/$KAYOBE_ENVIRONMENT/vault/OS-TLS-INT.pem
+ansible-vault encrypt --vault-password-file ~/vault.password $KAYOBE_CONFIG_PATH/environments/$KAYOBE_ENVIRONMENT/vault/seed-vault-keys.json
+ansible-vault encrypt --vault-password-file ~/vault.password $KAYOBE_CONFIG_PATH/environments/$KAYOBE_ENVIRONMENT/vault/overcloud.key
+
+kayobe overcloud service deploy -kt haproxy
+
+# Deploy hashicorp vault to the controllers
+kayobe playbook run $KAYOBE_CONFIG_PATH/ansible/vault-deploy-overcloud.yml
+ansible-vault encrypt --vault-password-file ~/vault.password $KAYOBE_CONFIG_PATH/environments/$KAYOBE_ENVIRONMENT/vault/overcloud-vault-keys.json
+
+# Generate internal tls certificates
+kayobe playbook run $KAYOBE_CONFIG_PATH/ansible/vault-generate-internal-tls.yml
+ansible-vault encrypt --vault-password-file ~/vault.password $KAYOBE_CONFIG_PATH/environments/$KAYOBE_ENVIRONMENT/kolla/certificates/haproxy-internal.pem
+
+# Generate backend tls certificates
+kayobe playbook run $KAYOBE_CONFIG_PATH/ansible/vault-generate-backend-tls.yml
+%{ for hostname in controller_hostname ~}
+ansible-vault encrypt --vault-password-file ~/vault.password $KAYOBE_CONFIG_PATH/environments/$KAYOBE_ENVIRONMENT/kolla/certificates/${ hostname }-key.pem
+%{ endfor ~}
+
+# Set config to use tls
+sed -i 's/# kolla_enable_tls_internal: true/kolla_enable_tls_internal: true/g' $KAYOBE_CONFIG_PATH/environments/$KAYOBE_ENVIRONMENT/kolla.yml
+cat $KAYOBE_CONFIG_PATH/environments/$KAYOBE_ENVIRONMENT/kolla/globals-tls-config.yml >> $KAYOBE_CONFIG_PATH/environments/$KAYOBE_ENVIRONMENT/kolla/globals.yml
+
+# Create vault configuration for barbican
+cat << EOF >> $KAYOBE_CONFIG_PATH/environments/$KAYOBE_ENVIRONMENT/secrets.yml
+---
+secrets_barbican_approle_secret_id: $(uuidgen)
+EOF
+ansible-vault encrypt --vault-password-file ~/vault.password $KAYOBE_CONFIG_PATH/environments/$KAYOBE_ENVIRONMENT/secrets.yml
+kayobe playbook run $KAYOBE_CONFIG_PATH/ansible/vault-deploy-barbican.yml
+ansible-vault decrypt --vault-password-file ~/vault.password $KAYOBE_CONFIG_PATH/environments/$KAYOBE_ENVIRONMENT/secrets.yml
+cat << EOF >> $KAYOBE_CONFIG_PATH/environments/$KAYOBE_ENVIRONMENT/secrets.yml
+secrets_barbican_approle_role_id: $(cat /tmp/barbican-role-id)
+EOF
+ansible-vault encrypt --vault-password-file ~/vault.password $KAYOBE_CONFIG_PATH/environments/$KAYOBE_ENVIRONMENT/secrets.yml
+rm /tmp/barbican-role-id
+
+# Deploy all services
 kayobe overcloud service deploy
 
+%{ if deploy_wazuh }
+# Deploy Wazuh
+kayobe playbook run $KAYOBE_CONFIG_PATH/ansible/wazuh-secrets.yml
+ansible-vault encrypt --vault-password-file ~/vault.password  $KAYOBE_CONFIG_PATH/environments/ci-multinode/wazuh-secrets.yml
+kayobe playbook run $KAYOBE_CONFIG_PATH/ansible/wazuh-manager.yml
+kayobe playbook run $KAYOBE_CONFIG_PATH/ansible/wazuh-agent.yml
+%{ endif }
+
 activate_virt_env "openstack"
 activate_kayobe_env
 
@@ -75,10 +129,11 @@ set +x
 export KAYOBE_AUTOMATION_SSH_PRIVATE_KEY=$(cat ~/.ssh/id_rsa)
 set -x
 
+# Run tempest
 sudo -E docker run --detach --rm --network host -v $${config_directories[kayobe]}:/stack/kayobe-automation-env/src/kayobe-config -v $${config_directories[kayobe]}/tempest-artifacts:/stack/tempest-artifacts -e KAYOBE_ENVIRONMENT -e KAYOBE_VAULT_PASSWORD -e KAYOBE_AUTOMATION_SSH_PRIVATE_KEY kayobe:latest /stack/kayobe-automation-env/src/kayobe-config/.automation/pipeline/tempest.sh -e ansible_user=stack
 
 # During the initial deployment the seed node must receive the `gwee/rally` image before we can follow the logs.
 # Therefore, we must wait a reasonable amount time before attempting to do so.
 sleep 360
 
-ssh -oStrictHostKeyChecking=no ${ ssh_user }@${ seed_addr } 'sudo docker logs --follow $(sudo docker ps -q)'
+ssh -oStrictHostKeyChecking=no ${ ssh_user }@${ seed_addr } 'sudo docker logs --follow $(sudo docker ps -q | head -n 1)'

templates/deploy-openstack.tpl

@@ -39,3 +39,11 @@ ${ element }
 
 [monitoring:children]
 controllers
+
+[wazuh-manager]
+%{ for element in wazuh_manager_hostname ~}
+${ element }
+%{ endfor ~}
+
+[infra-vms:children]
+wazuh-manager

templates/hosts.tpl

@@ -51,6 +51,10 @@ variable "storage_flavor" {
   type = string
 }
 
+variable "infra_vm_flavor" {
+  type = string
+}
+
 variable "multinode_vm_network" {
   type = string
 }
@@ -86,3 +90,15 @@ variable "storage_disk_size" {
   type = number
   default = 100
 }
+
+variable "infra_vm_disk_size" {
+  description = "Block storage root disk size for infrastructure VMs."
+  type = number
+  default = 100
+}
+
+variable "deploy_wazuh" {
+  description = "Bool, whether or not to deploy Wazuh."
+  type = bool
+  default = false
+}