eve: Set up the company proxy for cluster nodes

The proxy is used only for yum repositories.

eve/workers/openstack-terraform/terraform/common.tf

@@ -28,6 +28,16 @@ variable "offline" {
   default = true
 }
 
+variable "proxy_ip" {
+  type    = string
+  default = "10.100.4.67"
+}
+
+variable "proxy_port" {
+  type    = string
+  default = "3128"
+}
+
 resource "random_string" "current" {
   length  = 5
   special = false

eve/workers/openstack-terraform/terraform/network.tf

@@ -79,6 +79,16 @@ resource "openstack_networking_secgroup_rule_v2" "egress_egress" {
   security_group_id = openstack_networking_secgroup_v2.egress.id
 }
 
+resource "openstack_networking_secgroup_rule_v2" "egress_proxy" {
+  direction         = "egress"
+  ethertype         = "IPv4"
+  protocol          = "tcp"
+  port_range_min    = var.proxy_port
+  port_range_max    = var.proxy_port
+  remote_ip_prefix  = "${var.proxy_ip}/32"
+  security_group_id = openstack_networking_secgroup_v2.egress.id
+}
+
 # Allow DNS queries to go out, especially because SSHd is doing
 # reverse DNS on incoming IPs, otherwise it could really slow down
 # connections
@@ -102,3 +112,18 @@ resource "openstack_networking_secgroup_rule_v2" "egress_metadata" {
   remote_ip_prefix  = "169.254.169.254/32"
   security_group_id = openstack_networking_secgroup_v2.egress.id
 }
+
+data "dns_a_record_set" "rhsm" {
+  host = "subscription.rhsm.redhat.com"
+}
+
+resource "openstack_networking_secgroup_rule_v2" "egress_rhsm" {
+  count             = length(data.dns_a_record_set.rhsm.addrs)
+  direction         = "egress"
+  ethertype         = "IPv4"
+  protocol          = "tcp"
+  port_range_min    = 443
+  port_range_max    = 443
+  remote_ip_prefix  = "${element(data.dns_a_record_set.rhsm.addrs, count.index)}/32"
+  security_group_id = openstack_networking_secgroup_v2.egress.id
+}

eve/workers/openstack-terraform/terraform/nodes.tf

@@ -68,6 +68,14 @@ resource "openstack_compute_instance_v2" "bastion" {
     ]
   }
 
+  # Configure HTTP proxy for yum repositories
+  provisioner "remote-exec" {
+    inline = [
+      "sudo chmod +x scripts/proxy-setup.sh",
+      "sudo scripts/proxy-setup.sh '${var.proxy_ip}' '${var.proxy_port}'"
+    ]
+  }
+
   # Install Cypress requirements
   provisioner "remote-exec" {
     inline = [
@@ -162,6 +170,14 @@ resource "openstack_compute_instance_v2" "bootstrap" {
     ]
   }
 
+  # Configure HTTP proxy for yum repositories
+  provisioner "remote-exec" {
+    inline = [
+      "sudo chmod +x scripts/proxy-setup.sh",
+      "sudo scripts/proxy-setup.sh '${var.proxy_ip}' '${var.proxy_port}'"
+    ]
+  }
+
   # Register RHSM if OS = rhel
   provisioner "remote-exec" {
     inline = [
@@ -252,6 +268,14 @@ resource "openstack_compute_instance_v2" "nodes" {
     ]
   }
 
+  # Configure HTTP proxy for yum repositories
+  provisioner "remote-exec" {
+    inline = [
+      "sudo chmod +x scripts/proxy-setup.sh",
+      "sudo scripts/proxy-setup.sh '${var.proxy_ip}' '${var.proxy_port}'"
+    ]
+  }
+
   # Register RHSM if OS = rhel
   provisioner "remote-exec" {
     inline = [

eve/workers/openstack-terraform/terraform/scripts/proxy-setup.sh

@@ -0,0 +1,30 @@
+#!/bin/bash
+
+set -euo pipefail
+
+PROXY_IP=${1:-}
+PROXY_PORT=${2:-3128}
+PROXY_URL=http://$PROXY_IP:$PROXY_PORT
+PROXY_CA_URL=https://eve.devsca.com/vault/v1/release_engineering_root_CA_prod/cert/ca
+PROXY_CA_PATH=/etc/pki/ca-trust/source/anchors/scality_internal_ca.crt
+
+
+if ! [[ $PROXY_IP ]]; then
+    echo "No proxy IP provided, exiting"
+    exit
+fi
+
+if ! [ -f /etc/redhat-release ]; then
+    echo "The proxy script only handle RedHat family dists."
+    exit 1
+fi
+
+curl -skx "$PROXY_URL" -L "$PROXY_CA_URL" \
+    | sed -e 's/.*"certificate":"\(.*\)","revocation_time".*/\1/' \
+          -e 's/\\n/\n/g' \
+    > "$PROXY_CA_PATH"
+
+update-ca-trust force-enable
+update-ca-trust extract
+
+yum-config-manager --save --setopt proxy="$PROXY_URL"