diff --git a/.github/workflows/sync_branches_periodically.yml b/.github/workflows/sync_branches_periodically.yml
new file mode 100644
index 0000000000..3afb031a75
--- /dev/null
+++ b/.github/workflows/sync_branches_periodically.yml
@@ -0,0 +1,12 @@
+---
+name: Periodically sync branches
+on:
+ schedule:
+ - cron: '0 21 * * 1'
+
+jobs:
+ trigger_sync:
+ uses: openstack-k8s-operators/ci-framework/.github/workflows/sync_branches_reusable_workflow.yml@main
+ with:
+ main-branch: main
+ follower-branch: ananya-do-not-use-tmp
diff --git a/.github/workflows/sync_branches_reusable_workflow.yml b/.github/workflows/sync_branches_reusable_workflow.yml
new file mode 100644
index 0000000000..4171dd5c6b
--- /dev/null
+++ b/.github/workflows/sync_branches_reusable_workflow.yml
@@ -0,0 +1,39 @@
+---
+name: Sync a follower branch with Main
+on:
+ workflow_call:
+ inputs:
+ main-branch:
+ required: true
+ type: string
+ follower-branch:
+ required: true
+ type: string
+
+jobs:
+ sync:
+ runs-on: ubuntu-latest
+ permissions:
+ contents: write
+ pull-requests: write
+ steps:
+ - name: Checkout main branch
+ uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+ ref:
+ ${{ inputs.main-branch }}
+
+ - name: Checkout, rebase and push to follower branch
+ uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+ ref:
+ ${{ inputs.follower-branch }}
+ - run: |
+ # Details about the GH action bot comes from
+ # https://api.github.com/users/github-actions%5Bbot%5D
+ git config user.name "github-actions[bot]"
+ git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
+ git rebase origin/${{ inputs.main-branch }}
+ git push origin ${{ inputs.follower-branch }}
diff --git a/OWNERS b/OWNERS
deleted file mode 100644
index 2de4f58d3d..0000000000
--- a/OWNERS
+++ /dev/null
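Review bot: The `follower-branch: ananya-do-not-use-tmp` value on the last line of sync_branches_periodically.yml reads like a personal scratch branch, so the weekly schedule would rebase and push a branch that may not be the intended long-lived follower; confirm the target before merging. The `uses:` line references the reusable workflow through `@main` of the same repository; the local form `uses: ./.github/workflows/sync_branches_reusable_workflow.yml` makes caller and callee always come from the same commit. A comment above the cron entry, for example `# Mondays at 21:00 UTC`, would save readers from decoding `'0 21 * * 1'`.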
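Review bot: The final `run:` step in sync_branches_reusable_workflow.yml expands `${{ inputs.main-branch }}` and `${{ inputs.follower-branch }}` straight into the script text before bash parses it, so a branch name is treated as shell source rather than data; passing both through `env:` and quoting the variables closes that off. The job also requests `pull-requests: write`, which none of the visible steps use, so `contents: write` alone looks sufficient for the push. `actions/checkout@v4` is a mutable tag, and pinning it to a full commit SHA is the usual hardening for a job that holds a write token. The step name "Checkout, rebase and push to follower branch" sits on the checkout step while the step that actually rebases and pushes has no name.
```yaml
      - name: Rebase follower branch onto main and push
        env:
          MAIN_BRANCH: ${{ inputs.main-branch }}
          FOLLOWER_BRANCH: ${{ inputs.follower-branch }}
        run: |
          # … unchanged: git config user.name / user.email …
          git rebase "origin/${MAIN_BRANCH}"
          git push origin "${FOLLOWER_BRANCH}"
```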
@@ -1,30 +0,0 @@ -approvers: - - abays - - bshewale - - cescgina - - evallesp - - frenzyfriday - - fultonj - - lewisdenny - - pablintino - -reviewers: - - adrianfusco - - afazekas - - arxcruz - - bshewale - - cescgina - - dasm - - dpinhas - - dsariel - - eurijon - - frenzyfriday - - hjensas - - lewisdenny - - marios - - katarimanojk - - pojadhav - - queria - - rachael-george - - rlandy - - viroel diff --git a/ci/config/molecule.yaml b/ci/config/molecule.yaml index 8555b7e6b4..67821bec97 100644 --- a/ci/config/molecule.yaml +++ b/ci/config/molecule.yaml @@ -8,20 +8,20 @@ timeout: 3600 - job: name: cifmw-molecule-openshift_login - nodeset: centos-9-crc-2-39-0-xl + nodeset: centos-9-crc-2-48-0-xl-ibm - job: name: cifmw-molecule-openshift_provisioner_node - nodeset: centos-9-crc-2-39-0-xl + nodeset: centos-9-crc-2-48-0-xl-ibm - job: name: cifmw-molecule-openshift_setup - nodeset: centos-9-crc-2-39-0-xl + nodeset: centos-9-crc-2-48-0-xl-ibm - job: name: cifmw-molecule-rhol_crc - nodeset: centos-9-crc-2-39-0-xxl + nodeset: centos-9-crc-2-48-0-xxl-ibm timeout: 5400 - job: name: cifmw-molecule-operator_deploy - nodeset: centos-9-crc-2-39-0-xl + nodeset: centos-9-crc-2-48-0-xl - job: name: cifmw-molecule-set_openstack_containers parent: cifmw-molecule-base-crc @@ -45,13 +45,13 @@ - job: name: cifmw-molecule-install_openstack_ca parent: cifmw-molecule-base-crc - nodeset: centos-9-crc-2-39-0-3xl + nodeset: centos-9-crc-2-48-0-3xl-ibm timeout: 5400 extra-vars: crc_parameters: "--memory 29000 --disk-size 100 --cpus 8" - job: name: cifmw-molecule-reproducer - nodeset: centos-9-crc-2-39-0-xxl + nodeset: centos-9-crc-2-48-0-xxl-ibm timeout: 5400 files: - ^roles/dnsmasq/(defaults|files|handlers|library|lookup_plugins|module_utils|tasks|templates|vars).* 
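Review bot: In the first ci/config/molecule.yaml hunk, `cifmw-molecule-operator_deploy` moves to `centos-9-crc-2-48-0-xl` while every other job touched in this file gets an `-ibm` suffixed nodeset. If that is deliberate, a one-line comment above that nodeset such as `# stays on the non-IBM pool: <reason>` would stop the next bump from "fixing" it. If it is an oversight, the line would read `nodeset: centos-9-crc-2-48-0-xl-ibm`. The job list starts and ends outside the hunk.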
@@ -62,10 +62,10 @@ - ^roles/rhol_crc/(defaults|files|handlers|library|lookup_plugins|module_utils|tasks|templates|vars).* - job: name: cifmw-molecule-cert_manager - nodeset: centos-9-crc-2-39-0-xxl + nodeset: centos-9-crc-2-48-0-xxl-ibm - job: name: cifmw-molecule-env_op_images - nodeset: centos-9-crc-2-39-0-xl + nodeset: centos-9-crc-2-48-0-xl-ibm - job: name: cifmw_molecule-pkg_build files: @@ -82,19 +82,19 @@ - ^roles/repo_setup/(defaults|files|handlers|library|lookup_plugins|module_utils|tasks|templates|vars).* - job: name: cifmw-molecule-manage_secrets - nodeset: centos-9-crc-2-39-0-xl + nodeset: centos-9-crc-2-48-0-xl-ibm - job: name: cifmw-molecule-ci_local_storage - nodeset: centos-9-crc-2-39-0-xl + nodeset: centos-9-crc-2-48-0-xl-ibm - job: name: cifmw-molecule-networking_mapper nodeset: 4x-centos-9-medium - job: name: cifmw-molecule-openshift_obs - nodeset: centos-9-crc-2-39-0-xxl + nodeset: centos-9-crc-2-48-0-xxl-ibm - job: name: cifmw-molecule-sushy_emulator - nodeset: centos-9-crc-2-39-0-xl + nodeset: centos-9-crc-2-48-0-xl-ibm - job: name: cifmw-molecule-shiftstack - nodeset: centos-9-crc-2-39-0-xl + nodeset: centos-9-crc-2-48-0-xl-ibm diff --git a/ci/playbooks/edpm_baremetal_deployment/run.yml b/ci/playbooks/edpm_baremetal_deployment/run.yml index ddfab78ba7..79e76a2b4d 100644 --- a/ci/playbooks/edpm_baremetal_deployment/run.yml +++ b/ci/playbooks/edpm_baremetal_deployment/run.yml @@ -15,10 +15,14 @@ path: "{{ ansible_user_dir }}/ci-framework-data/artifacts/edpm-ansible.yml" register: edpm_file + - name: Check if new ssh keypair exists + ansible.builtin.include_role: + name: recognize_ssh_keypair + - name: Add crc node in local inventory ansible.builtin.add_host: name: crc - ansible_ssh_private_key_file: "{{ ansible_user_dir }}/.crc/machines/crc/id_ecdsa" + ansible_ssh_private_key_file: "{{ ansible_user_dir }}/.crc/machines/crc/{{ crc_ssh_keypair }}" ansible_ssh_user: core ansible_host: api.crc.testing 
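Review bot: The `add_host` task in ci/playbooks/edpm_baremetal_deployment/run.yml now depends on `crc_ssh_keypair`, which is not defined in this hunk and is presumably set by the `recognize_ssh_keypair` role included just above. If that role sets nothing (for example when neither key file exists), templating the key path fails with an undefined-variable error instead of a clear message. A fallback keeps the previous behaviour: `ansible_ssh_private_key_file: "{{ ansible_user_dir }}/.crc/machines/crc/{{ crc_ssh_keypair | default('id_ecdsa') }}"`. The same pattern is added to the molecule converge playbooks of ci_local_storage, ci_multus and ci_nmstate later in this diff. The play starts and ends outside the hunk.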
diff --git a/docs/dictionary/en-custom.txt b/docs/dictionary/en-custom.txt index 350e41b7fd..3139e7802e 100644 --- a/docs/dictionary/en-custom.txt +++ b/docs/dictionary/en-custom.txt @@ -219,6 +219,7 @@ https ic icjbuue icokicagy +IdP idrac iface igfsbg @@ -254,6 +255,7 @@ jzxbol kcgpby keepalived kerberos +keycloak keypair keyring keytab @@ -527,6 +529,7 @@ tdciagigtlesa tempestconf testcases testenv +testproject timestamper timesync tldca @@ -598,6 +601,7 @@ workstream xargs xdg xoc +xpath xpzw xvzy xz diff --git a/hooks/playbooks/federation-controlplane-config.yml b/hooks/playbooks/federation-controlplane-config.yml new file mode 100644 index 0000000000..bd9b9b76f9 --- /dev/null +++ b/hooks/playbooks/federation-controlplane-config.yml 
@@ -0,0 +1,103 @@
+---
+- name: Create kustomization to update Keystone to use Federation
+ hosts: "{{ cifmw_target_hook_host | default('localhost') }}"
+ tasks:
+ - name: Create file to customize keystone for Federation resources deployed in the control plane
+ ansible.builtin.copy:
+ dest: "{{ cifmw_basedir }}/artifacts/manifests/kustomizations/controlplane/keystone_federation.yaml"
+ content: |-
+ apiVersion: kustomize.config.k8s.io/v1beta1
+ kind: Kustomization
+ resources:
+ - namespace: {{ namespace }}
+ patches:
+ - target:
+ kind: OpenStackControlPlane
+ name: .*
+ patch: |-
+ - op: add
+ path: /spec/tls
+ value: {}
+ - op: add
+ path: /spec/tls/caBundleSecretName
+ value: keycloakca
+ - op: add
+ path: /spec/keystone/template/httpdCustomization
+ value:
+ customConfigSecret: keystone-httpd-override
+ - op: add
+ path: /spec/keystone/template/customServiceConfig
+ value: |
+ [DEFAULT]
+ insecure_debug=true
+ debug=true
+ [federation]
+ trusted_dashboard={{ '{{ .KeystoneEndpointPublic }}' }}/dashboard/auth/websso/
+ [openid]
+ remote_id_attribute=HTTP_OIDC_ISS
+ [auth]
+ methods = password,token,oauth1,mapped,application_credential,openid
+
+ - name: Get ingress operator CA cert
+ ansible.builtin.slurp:
+ src: "{{ [ ansible_user_dir, 'ci-framework-data', 'tmp', 'ingress-operator-ca.crt'] | path_join }}"
+ register: federation_sso_ca
+
+ - name: Add Keycloak CA secret
+ kubernetes.core.k8s:
+ kubeconfig: "{{ cifmw_openshift_kubeconfig }}"
+ state: present
+ definition:
+ apiVersion: v1
+ kind: Secret
+ type: Opaque
+ metadata:
+ name: keycloakca
+ namespace: "openstack"
+ data:
+ KeyCloakCA: "{{ federation_sso_ca.content }}"
+
+ - name: Create Keystone httpd override secret for Federation
+ kubernetes.core.k8s:
+ kubeconfig: "{{ cifmw_openshift_kubeconfig }}"
+ state: present
+ definition:
+ apiVersion: v1
+ kind: Secret
+ metadata:
+ name: keystone-httpd-override
+ namespace: openstack
+ type: Opaque
+ stringData:
+ federation.conf: |
+ OIDCClaimPrefix "{{ 
cifmw_keystone_OIDC_ClaimPrefix }}"
+ OIDCResponseType "{{ cifmw_keystone_OIDC_ResponseType }}"
+ OIDCScope "{{ cifmw_keystone_OIDC_Scope }}"
+ OIDCClaimDelimiter "{{ cifmw_keystone_OIDC_ClaimDelimiter }}"
+ OIDCPassUserInfoAs "{{ cifmw_keystone_OIDC_PassUserInfoAs }}"
+ OIDCPassClaimsAs "{{ cifmw_keystone_OIDC_PassClaimsAs }}"
+ OIDCCacheType "{{ cifmw_keystone_OIDC_CacheType }}"
+ OIDCMemCacheServers "{{ '{{ .MemcachedServers }}' }}"
+ OIDCProviderMetadataURL "{{ cifmw_keystone_OIDC_ProviderMetadataURL }}"
+ OIDCClientID "{{ cifmw_keystone_OIDC_ClientID }}"
+ OIDCClientSecret "{{ cifmw_keystone_OIDC_ClientSecret }}"
+ OIDCCryptoPassphrase "{{ cifmw_keystone_OIDC_CryptoPassphrase }}"
+ OIDCOAuthClientID "{{ cifmw_keystone_OIDC_OAuthClientID }}"
+ OIDCOAuthClientSecret "{{ cifmw_keystone_OIDC_OAuthClientSecret }}"
+ OIDCOAuthIntrospectionEndpoint "{{ cifmw_keystone_OIDC_OAuthIntrospectionEndpoint }}"
+ OIDCRedirectURI "{{ '{{ .KeystoneEndpointPublic }}' }}/v3/auth/OS-FEDERATION/identity_providers/{{ cifmw_keystone_OIDC_provider_name }}/protocols/openid/websso"
+
+
+ AuthType "openid-connect"
+ Require valid-user
+
+
+
+ AuthType oauth20
+ Require valid-user
+
+
+
+ AuthType "openid-connect"
+ Require valid-user
+
diff --git a/hooks/playbooks/federation-post-deploy.yml b/hooks/playbooks/federation-post-deploy.yml
new file mode 100644
index 0000000000..bb2ad638df
--- /dev/null
+++ b/hooks/playbooks/federation-post-deploy.yml
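Review bot: The "Create Keystone httpd override secret for Federation" task templates `OIDCClientSecret`, `OIDCCryptoPassphrase` and `OIDCOAuthClientSecret` into `stringData` without `no_log: true`, so the rendered values can land in Ansible output and collected job logs when the task fails or runs at higher verbosity. Adding `no_log: true` to that task keeps them out of the logs. The Keystone `customServiceConfig` also sets `insecure_debug=true`, which makes Keystone return detailed authentication-failure reasons to clients; a comment marking it as CI-only, or a variable defaulting to `false`, would keep it from being copied into a longer-lived deployment. Both Secret tasks hard-code `namespace: openstack` while the kustomization uses `{{ namespace }}`, so a non-default namespace would split the resources.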
@@ -0,0 +1,41 @@
+---
+# Copyright Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+- name: Run federation setup on openstack post reproducer deploy
+ hosts: "{{ cifmw_target_host | default('localhost') }}"
+ gather_facts: true
+ tasks:
+ - name: Set urls for install type uni
+ ansible.builtin.set_fact:
+ cifmw_federation_keycloak_url: 'https://keycloak-openstack.apps.ocp.openstack.lab'
+ cifmw_federation_keystone_url: 'https://keystone-public-openstack.apps.ocp.openstack.lab'
+ when: cifmw_federation_deploy_type == "uni"
+
+ - name: Set urls for install type crc
+ ansible.builtin.set_fact:
+ cifmw_federation_keycloak_url: 'https://keycloak-openstack.apps-crc.testing'
+ cifmw_federation_keystone_url: 'https://keystone-public-openstack.apps-crc.testing'
+ when: cifmw_federation_deploy_type == "crc"
+
+ - name: Run federation setup on OSP
+ ansible.builtin.import_role:
+ name: federation
+ tasks_from: run_openstack_setup.yml
+
+ - name: Run federation OSP User Auth test
+ ansible.builtin.import_role:
+ name: federation
+ tasks_from: run_openstack_auth_test.yml
diff --git a/hooks/playbooks/federation-pre-deploy.yml b/hooks/playbooks/federation-pre-deploy.yml
new file mode 100644
index 0000000000..3b974b390a
--- /dev/null
+++ b/hooks/playbooks/federation-pre-deploy.yml
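Review bot: `cifmw_federation_keycloak_url` and `cifmw_federation_keystone_url` are only set when `cifmw_federation_deploy_type` is exactly `uni` or `crc`; with the variable unset the first `when:` errors, and with any other value both tasks are skipped and the role runs with the URLs undefined. An explicit first task gives a clear failure, for example `ansible.builtin.assert` with `that: cifmw_federation_deploy_type | default('') in ['uni', 'crc']`. The same two `set_fact` tasks are duplicated in hooks/playbooks/federation-pre-deploy.yml, so keeping the URL pairs in one place (role vars keyed by deploy type) would stop the copies drifting apart.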
@@ -0,0 +1,41 @@
+---
+# Copyright Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+- name: Run federation SSO setup on reproducer
+ hosts: "{{ cifmw_target_host | default('localhost') }}"
+ gather_facts: true
+ tasks:
+ - name: Set urls for install type uni
+ ansible.builtin.set_fact:
+ cifmw_federation_keycloak_url: 'https://keycloak-openstack.apps.ocp.openstack.lab'
+ cifmw_federation_keystone_url: 'https://keystone-public-openstack.apps.ocp.openstack.lab'
+ when: cifmw_federation_deploy_type == "uni"
+
+ - name: Set urls for install type crc
+ ansible.builtin.set_fact:
+ cifmw_federation_keycloak_url: 'https://keycloak-openstack.apps-crc.testing'
+ cifmw_federation_keystone_url: 'https://keystone-public-openstack.apps-crc.testing'
+ when: cifmw_federation_deploy_type == "crc"
+
+ - name: Run SSO pod setup on Openshift
+ ansible.builtin.import_role:
+ name: federation
+ tasks_from: run_keycloak_setup.yml
+
+ - name: Run SSO realm setup for OSP
+ ansible.builtin.import_role:
+ name: federation
+ tasks_from: run_keycloak_realm_setup.yml
diff --git a/roles/artifacts/README.md b/roles/artifacts/README.md
index e2ca414c0c..fa5d84df7b 100644
--- a/roles/artifacts/README.md
+++ b/roles/artifacts/README.md
@@ -10,6 +10,7 @@ None - writes happen only in the user home. * `cifmw_artifacts_crc_host`: (String) Hostname of the CRC instance. Defaults to `api.crc.testing`. * `cifmw_artifacts_crc_user`: (String) Username to connect to the CRC instance. Defaults to `core`. * `cifmw_artifacts_crc_sshkey`: (String) Path to the private SSH key to connect to CRC. Defaults to `~/.crc/machines/crc/id_ecdsa`. +* `cifmw_artifacts_crc_sshkey_ed25519`: (String) Path to the private SSH key to connect to CRC (newer CRC images). Defaults to `~/.crc/machines/crc/id_ed25519`. * `cifmw_artifacts_gather_logs`: (Boolean) Enables must-gather logs fetching. Defaults to `true` ## Examples diff --git a/roles/artifacts/defaults/main.yml b/roles/artifacts/defaults/main.yml index 357f73bc79..572093fc15 100644 --- a/roles/artifacts/defaults/main.yml +++ b/roles/artifacts/defaults/main.yml @@ -21,4 +21,5 @@ cifmw_artifacts_basedir: "{{ cifmw_basedir | default(ansible_user_dir ~ '/ci-fra cifmw_artifacts_crc_host: "api.crc.testing" cifmw_artifacts_crc_user: "core" cifmw_artifacts_crc_sshkey: "~/.crc/machines/crc/id_ecdsa" +cifmw_artifacts_crc_sshkey_ed25519: "~/.crc/machines/crc/id_ed25519" cifmw_artifacts_gather_logs: true diff --git a/roles/artifacts/tasks/crc.yml b/roles/artifacts/tasks/crc.yml index b857ee95d2..7d6a302d38 100644 --- a/roles/artifacts/tasks/crc.yml +++ b/roles/artifacts/tasks/crc.yml 
@@ -18,12 +18,22 @@ - crc_host_key.rc is defined - crc_host_key.rc == 0 block: + - name: Recognize new keypair + ansible.builtin.stat: + path: "{{ cifmw_artifacts_crc_sshkey_ed25519 }}" + register: _sshkeypair + + - name: Set fact if new keypair exists + when: _sshkeypair.stat.exists + ansible.builtin.set_fact: + new_keypair_path: "{{ cifmw_artifacts_crc_sshkey_ed25519 }}" + - name: Prepare root ssh accesses ignore_errors: true # noqa: ignore-errors ci_script: output_dir: "{{ cifmw_artifacts_basedir }}/artifacts" script: |- - ssh -i {{ cifmw_artifacts_crc_sshkey }} {{ cifmw_artifacts_crc_user }}@{{ cifmw_artifacts_crc_host }} <- - scp -v -r -i {{ cifmw_artifacts_crc_sshkey }} + scp -v -r -i {{ new_keypair_path | default(cifmw_artifacts_crc_sshkey) }} root@{{ cifmw_artifacts_crc_host }}:/ostree/deploy/rhcos/var/log/pods {{ cifmw_artifacts_basedir }}/logs/crc/ diff --git a/roles/artifacts/tasks/edpm.yml b/roles/artifacts/tasks/edpm.yml index 84a868e0a1..2c05a49b80 100644 --- a/roles/artifacts/tasks/edpm.yml +++ b/roles/artifacts/tasks/edpm.yml 
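Review bot: The key detection added to roles/artifacts/tasks/crc.yml (a `stat` on `cifmw_artifacts_crc_sshkey_ed25519` followed by `set_fact: new_keypair_path`) duplicates what the `recognize_ssh_keypair` role is included for elsewhere in this change, and it stores the result in an unprefixed fact that stays set on the host after the block. Reusing that role here, or at least naming the fact with the role prefix (for example `_cifmw_artifacts_crc_sshkey_path`), would keep the two detection paths from diverging and avoid clashing with other roles. A comment above the `stat` task explaining that newer CRC images ship an ed25519 key instead of ecdsa would document why the fallback exists. Part of this hunk is not fully legible in this rendering, and the block starts and ends outside it.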
@@ -31,25 +31,24 @@ - name: Extract Compute and Networker from zuul mapping if any when: - cifmw_edpm_deploy_extra_vars is defined + - _edpm_vms_data | length > 0 vars: _inv_data: "{{ _cifmw_artifacs_inventory_slurp['content'] | b64decode | from_yaml }}" + # _edpm_vms_data is a list of dictionaries, each one with only one entry + # that corresponds with a compute or a networker node _edpm_vms_data: >- - {{ - (_inv_data['computes']['hosts'] | combine(_inv_data['networkers']['hosts'])) - if 'computes' in _inv_data and 'networkers' in _inv_data - else ((_inv_data['computes']['hosts']) if 'computes' in _inv_data else - (_inv_data['all']['hosts'] | default({}))) - }} + {{ + _inv_data | dict2items | + selectattr('key', 'match', '^.*(compute|networker).*$') | + map(attribute='value.hosts') | flatten + }} + # each item is the single-entry dict + _edpm_vms_item: "{{ item | dict2items | first }}" ansible.builtin.set_fact: ssh_key_file: "{{ cifmw_edpm_deploy_extra_vars.SSH_KEY_FILE }}" - ssh_user: "{{ hostvars['compute-0'].ansible_user | default('zuul') }}" - edpm_vms: >- - {{ - _edpm_vms_data | dict2items | - selectattr('value.ansible_host', 'defined') | - selectattr('key', 'match', '^(compute|networker).*$') | - map(attribute='value.ansible_host') - }} + ssh_user: "{{ _edpm_vms_item.value.ansible_user | default('zuul') }}" # all EDPM nodes have a common ansible_user + edpm_vms: "{{ edpm_vms | default([]) + [_edpm_vms_item.value.ansible_host] }}" + loop: "{{ _edpm_vms_data }}" - name: Generate logs on EDPM vms when: diff --git a/roles/build_openstack_packages/tasks/parse_and_build_pkgs.yml b/roles/build_openstack_packages/tasks/parse_and_build_pkgs.yml index 92352610b7..34380f1cde 100644 --- a/roles/build_openstack_packages/tasks/parse_and_build_pkgs.yml +++ b/roles/build_openstack_packages/tasks/parse_and_build_pkgs.yml 
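Review bot: `_edpm_vms_item: "{{ item | dict2items | first }}"` keeps only the first host of each loop item, but `map(attribute='value.hosts') | flatten` yields one `hosts` mapping per matching group (flatten does not split a dict), so a group holding several hosts would contribute just one address to `edpm_vms`; the comment asserts single-entry dicts but nothing in the expression enforces it. Expanding the mappings first makes each loop item one host: `map(attribute='value.hosts') | map('dict2items') | flatten` together with `_edpm_vms_item: "{{ item }}"`. The earlier `selectattr('value.ansible_host', 'defined')` guard is also gone, so a host entry without `ansible_host` now fails the task instead of being skipped. Because the list is built with `edpm_vms | default([]) + [...]`, any `edpm_vms` fact left over from an earlier run of this role is appended to rather than replaced. The task list continues outside the hunk.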
@@ -19,6 +19,7 @@ 'project': item.project.name, 'branch': item.branch, 'change': item.change, + 'src_dir': item.project.src_dir, 'refspec': '/'.join(['refs', 'changes', item.change[-2:], item.change, diff --git a/roles/build_openstack_packages/tasks/run_dlrn.yml b/roles/build_openstack_packages/tasks/run_dlrn.yml index 3ef88d9feb..31da6ed4a9 100644 --- a/roles/build_openstack_packages/tasks/run_dlrn.yml +++ b/roles/build_openstack_packages/tasks/run_dlrn.yml @@ -114,29 +114,15 @@ dest: '{{ cifmw_bop_build_repo_dir }}/DLRN/data/{{ project_name_mapped.stdout }}' version: '{{ _change.branch }}' - - name: "Clone {{ project_name_mapped.stdout }} from Github" # noqa: name[template] + - name: "Symlink {{ project_name_mapped.stdout }} from Zuul clonned repos" # noqa: name[template] when: - cifmw_bop_openstack_project_path | length == 0 - not repo_status.stat.exists - - "'host' in _change" - - "'github.com' in _change.host" - ansible.builtin.git: - repo: '{{ _change.host }}/{{ _change.project }}' - dest: '{{ cifmw_bop_build_repo_dir }}/DLRN/data/{{ project_name_mapped.stdout }}' - refspec: "+refs/pull/*:refs/remotes/origin/pr/*" - version: 'origin/pr/{{ _change.change }}/head' - - - name: "Clone Openstack {{ project_name_mapped.stdout }}" # noqa: name[template] - when: - - cifmw_bop_openstack_project_path | length == 0 - - not repo_status.stat.exists - - "'host' in _change" - - "'opendev' in _change.host" - ansible.builtin.git: - repo: '{{ _change.host }}/{{ _change.project }}' - dest: '{{ cifmw_bop_build_repo_dir }}/DLRN/data/{{ project_name_mapped.stdout }}' - refspec: "{{ _change.refspec }}" - version: 'FETCH_HEAD' + - "'src_dir' in _change" + ansible.builtin.file: + src: '{{ ansible_user_dir }}/{{ _change.src_dir }}' + path: '{{ cifmw_bop_build_repo_dir }}/DLRN/data/{{ project_name_mapped.stdout }}' + state: link - name: "Update packages.yml to use zuul repo for {{ project_name_mapped.stdout }}" # noqa: name[template], command-instead-of-module vars: 
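Review bot: With both clone tasks removed in roles/build_openstack_packages/tasks/run_dlrn.yml, the symlink is the only thing in this hunk that populates `DLRN/data/<project>`, and it runs only when `'src_dir' in _change`; a change entry without `src_dir` now leaves the directory absent with no message saying why. The link also points DLRN at the Zuul-prepared checkout itself, so anything run inside that directory acts on the Zuul working tree, which deserves a comment such as `# DLRN works directly in the Zuul checkout; no refspec is fetched here`. A preceding `ansible.builtin.stat` on `{{ ansible_user_dir }}/{{ _change.src_dir }}` with a clear `fail` message would make a missing checkout easier to diagnose than the `file` module error. The task name has a typo: "clonned" should be "cloned". The task list starts and ends outside the hunk.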
diff --git a/roles/ci_local_storage/molecule/default/converge.yml b/roles/ci_local_storage/molecule/default/converge.yml index a8c493c58d..74526bc50d 100644 --- a/roles/ci_local_storage/molecule/default/converge.yml +++ b/roles/ci_local_storage/molecule/default/converge.yml @@ -26,10 +26,14 @@ cifmw_cls_storage_capacity: 100Mi cifmw_cls_local_storage_name: /mnt/openstack tasks: + - name: Check if new ssh keypair exists + ansible.builtin.include_role: + name: recognize_ssh_keypair + - name: Add the crc host dynamically ansible.builtin.add_host: name: crc - ansible_ssh_private_key_file: "{{ ansible_user_dir }}/.crc/machines/crc/id_ecdsa" + ansible_ssh_private_key_file: "{{ ansible_user_dir }}/.crc/machines/crc/{{ crc_ssh_keypair }}" ansible_ssh_user: core - name: Run ci_local_storage role diff --git a/roles/ci_multus/molecule/default/converge.yml b/roles/ci_multus/molecule/default/converge.yml index 07d790fef9..01fbfaf3a8 100644 --- a/roles/ci_multus/molecule/default/converge.yml +++ b/roles/ci_multus/molecule/default/converge.yml @@ -24,10 +24,14 @@ path: /etc/hosts line: "192.168.130.11 crc" + - name: Check if new ssh keypair exists + ansible.builtin.include_role: + name: recognize_ssh_keypair + - name: Add the crc host dynamically ansible.builtin.add_host: name: crc - ansible_ssh_private_key_file: "{{ ansible_user_dir }}/.crc/machines/crc/id_ecdsa" + ansible_ssh_private_key_file: "{{ ansible_user_dir }}/.crc/machines/crc/{{ crc_ssh_keypair }}" ansible_ssh_user: core - name: Fetch crc network facts diff --git a/roles/ci_nmstate/molecule/default/converge.yml b/roles/ci_nmstate/molecule/default/converge.yml index a458cb9ef5..8c43e260ab 100644 --- a/roles/ci_nmstate/molecule/default/converge.yml +++ b/roles/ci_nmstate/molecule/default/converge.yml 
@@ -26,10 +26,14 @@ path: /etc/hosts line: "192.168.130.11 crc" + - name: Check if new ssh keypair exists + ansible.builtin.include_role: + name: recognize_ssh_keypair + - name: Add the crc host dynamically ansible.builtin.add_host: name: crc - ansible_ssh_private_key_file: "{{ ansible_user_dir }}/.crc/machines/crc/id_ecdsa" + ansible_ssh_private_key_file: "{{ ansible_user_dir }}/.crc/machines/crc/{{ crc_ssh_keypair }}" ansible_ssh_user: core cifmw_molecule_ci_nmstate_crc_mac: "{{ cifmw_molecule_ci_nmstate_crc_mac }}" diff --git a/roles/devscripts/README.md b/roles/devscripts/README.md index 4974d08c02..8f068e4eae 100644 --- a/roles/devscripts/README.md +++ b/roles/devscripts/README.md @@ -76,6 +76,11 @@ If you provide neither, or both, it will fail. ### Supported keys in cifmw_devscripts_config_overrides +The `openshift_version` value can be set to either a minor version "X.Y.Z" (e.g. +4.16.0) or a stable version "stable-X.Y" (e.g. stable-4.16), which would be +translated to the corresponding minor version. +Allowed values can be found [here](https://mirror.openshift.com/pub/openshift-v4/clients/ocp/) + | Key | Default Value | Description | | --- | ------------- | ----------- | | working_dir | `/home/dev-scripts` | Path to the directory to store script artifacts. | diff --git a/roles/devscripts/tasks/build_config.yml b/roles/devscripts/tasks/build_config.yml index cc3588ae4a..7667cc7d52 100644 --- a/roles/devscripts/tasks/build_config.yml +++ b/roles/devscripts/tasks/build_config.yml 
@@ -40,6 +40,16 @@ devscripts_config_patches }} +- name: Replace OCP version if "stable-" alias used + when: + - cifmw_devscripts_config.openshift_version.startswith("stable-") + vars: + _ocp_release_txt: "{{ lookup('ansible.builtin.url', 'https://mirror.openshift.com/pub/openshift-v4/clients/ocp/' ~ cifmw_devscripts_config.openshift_version ~ '/release.txt', split_lines=False) }}" + _ocp_release_name: "{{ _ocp_release_txt | regex_search('^Name:.*', multiline=True) }}" + _ocp_release_version: "{{ _ocp_release_name.split()[1] }}" + ansible.builtin.set_fact: + cifmw_devscripts_config: "{{ cifmw_devscripts_config | combine({'openshift_version': _ocp_release_version}) }}" + - name: Ensure output directory exists become: true ansible.builtin.file: diff --git a/roles/dlrn_report/README.md b/roles/dlrn_report/README.md index 1baae516cb..04709dff4f 100644 --- a/roles/dlrn_report/README.md +++ b/roles/dlrn_report/README.md @@ -22,6 +22,7 @@ This role does not need privilege escalation. * `cifmw_dlrn_report_zuul_log_path`: (string) Zuul log path url. * `cifmw_dlrn_report_promote_source`: (string) DLRN tag against which job status should be reported. It works with `cifmw_repo_setup_promotion` var. When the Deployment is prepared with `current-podified`. But the job needs to be reported against `podified-ci-testing`. In that case, We can user `cifmw_dlrn_report_promote_source`. +* `cifmw_dlrn_report_force`: (boolean) By default, dlrn do not report for testproject, you need to force reporting setting this variable to true. ## Dependencies diff --git a/roles/dlrn_report/defaults/main.yml b/roles/dlrn_report/defaults/main.yml index 519a443e8f..2fb646d9f4 100644 --- a/roles/dlrn_report/defaults/main.yml +++ b/roles/dlrn_report/defaults/main.yml @@ -27,3 +27,4 @@ cifmw_dlrn_report_keytab: "" cifmw_dlrn_report_krb_user_realm: "" cifmw_dlrn_report_zuul_log_path: "https://logserver.rdoproject.org" cifmw_dlrn_report_promote_source: "" +cifmw_dlrn_report_force: false 
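Review bot: In roles/devscripts/tasks/build_config.yml, `_ocp_release_version: "{{ _ocp_release_name.split()[1] }}"` assumes the fetched `release.txt` always contains a `Name:` line with a second token; when `regex_search` finds nothing the task dies with an opaque templating error, and whatever the mirror returned is written into `openshift_version` without a format check. Following the `set_fact` with an `ansible.builtin.assert` whose condition is `cifmw_devscripts_config.openshift_version is match('^[0-9]+\.[0-9]+\.[0-9]+')` and a `fail_msg` naming the URL would make a bad or changed response obvious. The `when:` also dereferences `cifmw_devscripts_config.openshift_version` directly and errors if the key is unset; `(cifmw_devscripts_config.openshift_version | default('')).startswith('stable-')` avoids that. The lookup runs on the controller and needs outbound access to mirror.openshift.com, which is worth a comment for disconnected environments. The task list starts and ends outside the hunk.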
diff --git a/roles/dlrn_report/molecule/default/tests/test_dlrn_report.py b/roles/dlrn_report/molecule/default/tests/test_dlrn_report.py new file mode 100644 index 0000000000..4bfedaf467 --- /dev/null +++ b/roles/dlrn_report/molecule/default/tests/test_dlrn_report.py @@ -0,0 +1,20 @@ +import os +import pytest +import testinfra.utils.ansible_runner + +testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner( + os.environ["MOLECULE_INVENTORY_FILE"] +).get_hosts("all") + + +@pytest.mark.parametrize("var_value,expected", [(True, True), (False, False)]) +def test_debug_task_execution(host, var_value, expected): + # Fetch Ansible facts + ansible_facts = host.ansible("setup")["ansible_facts"] + + # Retrieve our custom fact set in `set_fact` + debug_executed = ansible_facts.get("cifmw_dlrn_report_force_executed", None) + + assert ( + debug_executed == expected + ), f"Expected cifmw_dlrn_report_force_executed={expected}, but got {debug_executed}" diff --git a/roles/dlrn_report/tasks/main.yml b/roles/dlrn_report/tasks/main.yml index e7e18ac18c..243b2ceee7 100644 --- a/roles/dlrn_report/tasks/main.yml +++ b/roles/dlrn_report/tasks/main.yml @@ -14,8 +14,20 @@ # License for the specific language governing permissions and limitations # under the License. +- name: Warning if DLRN is not running + ansible.builtin.debug: + msg: "DLRN will not be executed if it is a testproject, make sure you set cifmw_dlrn_report_force to true if you want to report to DLRN" + when: + - zuul is defined + - zuul.project is defined + - ('testproject' in zuul.project.name) and not (cifmw_dlrn_report_force | bool) + - name: Only report DLRN results when var is set - when: cifmw_dlrn_report_result | bool + when: + - zuul is defined + - zuul.project is defined + - ('testproject' not in zuul.project.name) or (cifmw_dlrn_report_force | bool) + - cifmw_dlrn_report_result | bool block: - name: Install dlrnapi-client ansible.builtin.import_tasks: install.yml 
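Review bot: In test_dlrn_report.py, `var_value` is never used and both parametrized cases read the same `cifmw_dlrn_report_force_executed` value from the same host, so `(True, True)` and `(False, False)` cannot both pass in one run. The value is looked up in the output of the `setup` module, and nothing in the visible part of this change sets `cifmw_dlrn_report_force_executed`, so `debug_executed` is likely `None` in both cases. Either drop the parametrization and assert the single state the converge playbook is expected to produce, or check the behaviour from the scenario's verify playbook where the play's variables are in scope. A docstring on `test_debug_task_execution` stating which task is expected to set the fact would make the intent checkable.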
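Review bot: Adding `zuul is defined` and `zuul.project is defined` to the reporting block in roles/dlrn_report/tasks/main.yml means the block is now skipped for every run outside Zuul, even when `cifmw_dlrn_report_result` is true, which the README line added in this change does not mention. If the goal is only to exclude testproject runs, those two conditions can go and the third can read `- ('testproject' not in (zuul.project.name | default(''))) or (cifmw_dlrn_report_force | bool)`. The warning message says "DLRN will not be executed" where it means results will not be reported to DLRN; rewording it would avoid confusion in job logs. The block body continues outside the hunk.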
diff --git a/roles/env_op_images/tasks/main.yml b/roles/env_op_images/tasks/main.yml index 17b852d580..7822587d95 100644 --- a/roles/env_op_images/tasks/main.yml +++ b/roles/env_op_images/tasks/main.yml @@ -54,37 +54,28 @@ -o yaml register: _csvs_out + - name: Get the images name + ansible.builtin.shell: > + set -o pipefail; + oc get ClusterServiceVersion + -l operators.coreos.com/openstack-operator.openstack-operators + --all-namespaces + -o json | + jq -r ' + [.items[]? | + .spec.install.spec.deployments[]? | + .spec.template.spec.containers[]? | + .env[]? | + select(.name? | test("^RELATED_IMAGE")) | + select(.name | contains("MANAGER")) | + {(.name): .value} ]' + register: _sa_images_content + args: + executable: /bin/bash + - name: Extract env variable name and images ansible.builtin.set_fact: - cifmw_openstack_service_images_content: >- - {{ - cifmw_openstack_service_images_content | - default({}) | - combine( - { - item.name: item.value - } - ) - }} - loop: >- - {{ - (_csvs_out.stdout | from_yaml)['items'] | - flatten(levels=1) | - selectattr('spec.install.spec.deployments', 'defined') | - map(attribute='spec.install.spec.deployments') | - flatten(levels=1) | - selectattr('spec.template.spec.containers', 'defined') | - map(attribute='spec.template.spec.containers') | - flatten(levels=1) | - selectattr('name', 'defined') | - selectattr('name', 'equalto', 'manager') | - selectattr('env', 'defined') | - map(attribute='env') | - flatten(levels=1) | - selectattr("name", "match", "^RELATED_IMAGE") - }} - loop_control: - label: "{{ item.name }}" + cifmw_openstack_service_images_content: "{{ _sa_images_content.stdout | from_json }}" - name: Get all the pods in openstack-operator namespace vars: diff --git a/roles/federation/README.md b/roles/federation/README.md new file mode 100644 index 0000000000..21ce43cec7 --- /dev/null +++ b/roles/federation/README.md 
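Review bot: The jq program in roles/env_op_images/tasks/main.yml wraps each match in its own object inside `[...]`, so `_sa_images_content.stdout | from_json` is a list of one-key dicts, whereas the removed Jinja built a single dict with `combine`; consumers of `cifmw_openstack_service_images_content` that index by variable name would break (they are not visible here). Ending the filter with `{(.name): .value} ] | add // {}` restores the dict shape and yields `{}` when nothing matches. The selection also changed from "every `RELATED_IMAGE*` variable of the container named `manager`" to "`RELATED_IMAGE*` variables whose name contains `MANAGER`, in any container", which is worth a comment if intended. Since the task only reads cluster state, `changed_when: false` keeps it from reporting a change on every run. The task list starts and ends outside the hunk.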
@@ -0,0 +1,4 @@
+federation
+=========
+
+This role will setup Openstack for user federation. The keycloak system will be used for the IdP provider.
diff --git a/roles/federation/defaults/main.yml b/roles/federation/defaults/main.yml
new file mode 100644
index 0000000000..44a835be2a
--- /dev/null
+++ b/roles/federation/defaults/main.yml
@@ -0,0 +1,25 @@
+---
+# defaults file for federation
+#
+cifmw_federation_keycloak_namespace: openstack
+cifmw_federation_keycloak_realm: openstack
+cifmw_federation_keycloak_admin_username: admin
+cifmw_federation_keycloak_admin_password: nomoresecrets
+cifmw_federation_keycloak_testuser1_username: kctestuser1
+cifmw_federation_keycloak_testuser1_password: nomoresecrets1
+cifmw_federation_keycloak_testuser2_username: kctestuser2
+cifmw_federation_keycloak_testuser2_password: nomoresecrets2
+cifmw_federation_keycloak_testgroup1_name: kctestgroup1
+cifmw_federation_keycloak_testgroup2_name: kctestgroup2
+cifmw_federation_keycloak_client_id: rhoso
+cifmw_federation_keycloak_client_secret: COX8bmlKAWn56XCGMrKQJj7dgHNAOl6f
+cifmw_federation_keycloak_url_validate_certs: false
+cifmw_federation_run_osp_cmd_namespace: openstack
+cifmw_federation_domain: SSO
+cifmw_federation_IdpName: kcIDP
+cifmw_federation_remote_id: '{{ cifmw_federation_keycloak_url }}/auth/realms/{{ cifmw_federation_keycloak_realm }}'
+cifmw_federation_project_name: SSOproject
+cifmw_federation_group_name: SSOgroup
+cifmw_federation_mapping_name: SSOmap
+cifmw_federation_rules_file: rules.json
+cifmw_federation_clame_id: OIDC-preferred_username
diff --git a/roles/federation/tasks/run_keycloak_realm_setup.yml b/roles/federation/tasks/run_keycloak_realm_setup.yml
new file mode 100644
index 0000000000..cdd840be0a
--- /dev/null
+++ b/roles/federation/tasks/run_keycloak_realm_setup.yml
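Review bot: roles/federation/defaults/main.yml commits a Keycloak admin password, two test-user passwords and an OIDC client secret as literal defaults and sets `cifmw_federation_keycloak_url_validate_certs: false`, so any job that does not override them runs with publicly known credentials and without verifying Keycloak's TLS certificate. For a throwaway CI realm that may be acceptable, but it should be stated, for example `# Test-only credentials for the ephemeral CI Keycloak; override in any shared environment`, and the secrets could instead be generated per run with the `ansible.builtin.password` lookup. Defaulting `validate_certs` to `true` and letting CI jobs opt out is the safer direction. `cifmw_federation_clame_id` looks like a misspelling of "claim"; renaming it after merge would break overrides, so it is cheaper to fix now. `cifmw_federation_IdpName` also breaks the snake_case used by the other variables.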
@@ -0,0 +1,129 @@ +--- +# Copyright Red Hat, Inc. +# All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +- name: Create a Keycloak realm + community.general.keycloak_realm: + auth_client_id: admin-cli + validate_certs: "{{ cifmw_federation_keycloak_url_validate_certs }}" + auth_keycloak_url: "{{ cifmw_federation_keycloak_url }}/auth" + auth_realm: master + auth_username: "{{ cifmw_federation_keycloak_admin_username }}" + auth_password: "{{ cifmw_federation_keycloak_admin_password }}" + id: "{{ cifmw_federation_keycloak_realm }}" + realm: "{{ cifmw_federation_keycloak_realm }}" + enabled: true + state: present + +- name: Create Keycloak client + community.general.keycloak_client: + auth_client_id: admin-cli + validate_certs: "{{ cifmw_federation_keycloak_url_validate_certs }}" + auth_keycloak_url: "{{ cifmw_federation_keycloak_url }}/auth" + auth_realm: master + auth_username: "{{ cifmw_federation_keycloak_admin_username }}" + auth_password: "{{ cifmw_federation_keycloak_admin_password }}" + state: present + realm: "{{ cifmw_federation_keycloak_realm }}" + client_id: "{{ cifmw_federation_keycloak_client_id }}" + id: 3fb4f68d-ad2c-46e7-a579-ea418f5d150b + name: 'RHOSO Client' + description: 'RHOSO client for keystone federation' + root_url: "{{ cifmw_federation_keystone_url }}" + admin_url: "{{ cifmw_federation_keystone_url }}" + base_url: '/projects/dashboard' + enabled: true + client_authenticator_type: client-secret + secret: "{{ 
cifmw_federation_keycloak_client_secret }}" + redirect_uris: + - "{{ cifmw_federation_keystone_url }}/v3/auth/OS-FEDERATION/identity_providers/kcIDP/protocols/openid/websso" + - "{{ cifmw_federation_keystone_url }}/v3/auth/OS-FEDERATION/websso/openid" + web_origins: + - "{{ cifmw_federation_keystone_url }}" + bearer_only: false + public_client: false + protocol: openid-connect + +- name: Create a Keycloak group1 + community.general.keycloak_group: + auth_client_id: admin-cli + validate_certs: "{{ cifmw_federation_keycloak_url_validate_certs }}" + auth_keycloak_url: "{{ cifmw_federation_keycloak_url }}/auth" + auth_realm: master + auth_username: "{{ cifmw_federation_keycloak_admin_username }}" + auth_password: "{{ cifmw_federation_keycloak_admin_password }}" + state: present + name: "{{ cifmw_federation_keycloak_testgroup1_name }}" + realm: "{{ cifmw_federation_keycloak_realm }}" + +- name: Create a Keycloak group2 + community.general.keycloak_group: + auth_client_id: admin-cli + validate_certs: "{{ cifmw_federation_keycloak_url_validate_certs }}" + auth_keycloak_url: "{{ cifmw_federation_keycloak_url }}/auth" + auth_realm: master + auth_username: "{{ cifmw_federation_keycloak_admin_username }}" + auth_password: "{{ cifmw_federation_keycloak_admin_password }}" + state: present + name: "{{ cifmw_federation_keycloak_testgroup2_name }}" + realm: "{{ cifmw_federation_keycloak_realm }}" + +- name: Create keycloak user1 + community.general.keycloak_user: + auth_client_id: admin-cli + validate_certs: "{{ cifmw_federation_keycloak_url_validate_certs }}" + auth_keycloak_url: "{{ cifmw_federation_keycloak_url }}/auth" + auth_realm: master + auth_username: "{{ cifmw_federation_keycloak_admin_username }}" + auth_password: "{{ cifmw_federation_keycloak_admin_password }}" + state: present + realm: "{{ cifmw_federation_keycloak_realm }}" + username: "{{ cifmw_federation_keycloak_testuser1_username }}" + firstName: firstname1 + lastName: lastname1 + email: "{{ 
cifmw_federation_keycloak_testuser1_username }}@ocp.openstack.lab" + enabled: true + emailVerified: false + credentials: + - type: password + value: "{{ cifmw_federation_keycloak_testuser1_password }}" + temporary: false + groups: + - name: "{{ cifmw_federation_keycloak_testgroup1_name }}" + state: present + +- name: Create keycloak user2 + community.general.keycloak_user: + auth_client_id: admin-cli + validate_certs: "{{ cifmw_federation_keycloak_url_validate_certs }}" + auth_keycloak_url: "{{ cifmw_federation_keycloak_url }}/auth" + auth_realm: master + auth_username: "{{ cifmw_federation_keycloak_admin_username }}" + auth_password: "{{ cifmw_federation_keycloak_admin_password }}" + state: present + realm: "{{ cifmw_federation_keycloak_realm }}" + username: "{{ cifmw_federation_keycloak_testuser2_username }}" + firstName: firstname2 + lastName: lastname2 + email: "{{ cifmw_federation_keycloak_testuser2_username }}@ocp.openstack.lab" + enabled: true + emailVerified: false + credentials: + - type: password + value: "{{ cifmw_federation_keycloak_testuser2_password }}" + temporary: false + groups: + - name: "{{ cifmw_federation_keycloak_testgroup2_name }}" + state: present diff --git a/roles/federation/tasks/run_keycloak_setup.yml b/roles/federation/tasks/run_keycloak_setup.yml new file mode 100644 index 0000000000..769fd46526 --- /dev/null +++ b/roles/federation/tasks/run_keycloak_setup.yml 
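Review bot: The first entry of `redirect_uris` in `Create Keycloak client` hard-codes `identity_providers/kcIDP/`, so overriding `cifmw_federation_IdpName` leaves Keycloak registered with a redirect URI that no longer matches the provider created on the Keystone side; use `.../identity_providers/{{ cifmw_federation_IdpName }}/protocols/openid/websso`. The two `Create keycloak user` tasks pass the password in `credentials[].value`; unless the module masks that field it will show in verbose task output, so `no_log: true` on those two tasks is a cheap safeguard. All six tasks repeat the same `auth_*` and `validate_certs` arguments, which a `module_defaults` block would state once.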
@@ -0,0 +1,132 @@ +--- +# Copyright Red Hat, Inc. +# All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +- name: Create kube dir for config + ansible.builtin.file: + path: "{{ [ ansible_user_dir, '.kube' ] | path_join }}" + state: directory + mode: '0770' + when: cifmw_federation_deploy_type == "crc" + +- name: Link kubeconfg for comparability + ansible.builtin.copy: + src: "{{ [ ansible_user_dir, '.crc', 'machines', 'src', 'kubeconfig' ] | path_join }}" + dest: "{{ [ ansible_user_dir, '.kube', 'config' ] | path_join }}" + when: cifmw_federation_deploy_type == "crc" + +- name: Create namespace + kubernetes.core.k8s: + name: "{{ cifmw_federation_keycloak_namespace }}" + api_version: v1 + kind: Namespace + state: present + +- name: Read federation rhsso operator template + ansible.builtin.template: + src: rhsso-operator-olm.yaml.j2 + dest: "{{ [ ansible_user_dir, 'ci-framework-data', 'tmp', 'rhsso-operator-olm.yaml' ] | path_join }}" + +- name: Install federation rhsso operator + environment: + KUBECONFIG: "{{ cifmw_openshift_kubeconfig }}" + PATH: "{{ cifmw_path }}" + ansible.builtin.command: + cmd: "oc apply -f {{ [ ansible_user_dir, 'ci-framework-data', 'tmp', 'rhsso-operator-olm.yaml' ] | path_join }}" + +- name: Wait for the rhsso install plan to be present + kubernetes.core.k8s_info: + api_version: operators.coreos.com/v1alpha1 + kind: InstallPlan + register: ip_list + until: >- + {{ + ip_list.resources | + map(attribute='metadata.labels') | + 
select('match', '.*rhsso-operator.*') + }} + retries: 30 + delay: 40 + +- name: Approve rhsso operator install plan + environment: + KUBECONFIG: "{{ cifmw_openshift_kubeconfig }}" + PATH: "{{ cifmw_path }}" + ansible.builtin.shell: >- + oc patch installplan + $(oc get ip + -o=jsonpath='{.items[].metadata.name}') + --type merge --patch '{"spec":{"approved":true}}' + +- name: Add sso admin user secret + kubernetes.core.k8s: + kubeconfig: "{{ cifmw_openshift_kubeconfig }}" + state: present + definition: + apiVersion: v1 + kind: Secret + type: Opaque + metadata: + name: credential-sso + namespace: "{{ cifmw_federation_keycloak_namespace }}" + data: + ADMIN_USERNAME: "{{ cifmw_federation_keycloak_admin_username | b64encode }}" + ADMIN_PASSWORD: "{{ cifmw_federation_keycloak_admin_password | b64encode }}" + +- name: Read federation sso template + ansible.builtin.template: + src: sso.yaml.j2 + dest: "{{ [ ansible_user_dir, 'ci-framework-data', 'tmp', 'sso.yaml' ] | path_join }}" + +- name: Install federation sso pod + environment: + KUBECONFIG: "{{ cifmw_openshift_kubeconfig }}" + PATH: "{{ cifmw_path }}" + ansible.builtin.command: + cmd: "oc apply -n {{ cifmw_federation_keycloak_namespace }} -f {{ [ ansible_user_dir, 'ci-framework-data', 'tmp', 'sso.yaml' ] | path_join }}" + +- name: Add CRC IP address to hosts + become: true + ansible.builtin.blockinfile: + path: /etc/hosts + block: | + {{ hostvars['crc'].ansible_host }} api.crc.testing + {{ hostvars['crc'].ansible_host }} oauth-openshift.apps-crc.testing + {{ hostvars['crc'].ansible_host }} keycloak-openstack.apps-crc.testing + when: cifmw_federation_deploy_type == "crc" + +- name: Wait for SSO pod to be avalable + ansible.builtin.uri: + url: "{{ cifmw_federation_keycloak_url }}" + follow_redirects: none + method: GET + validate_certs: "{{ cifmw_federation_keycloak_url_validate_certs }}" + register: _result + until: _result.status == 200 + retries: 48 # wait at least 4 min for the to pod come online then fail + delay: 
5 + +- name: Get ingress operator CA cert + environment: + KUBECONFIG: "{{ cifmw_openshift_kubeconfig }}" + PATH: "{{ cifmw_path }}" + ansible.builtin.command: + cmd: >- + oc extract secret/router-ca --to={{ [ ansible_user_dir , 'ci-framework-data','tmp'] | path_join }} --keys=tls.crt -n openshift-ingress-operator --confirm + +- name: Store ingress operator CA to file for openstackclient pod + ansible.builtin.copy: + src: "{{ [ ansible_user_dir, 'ci-framework-data', 'tmp', 'tls.crt'] | path_join }}" + dest: "{{ [ ansible_user_dir, 'ci-framework-data', 'tmp', 'ingress-operator-ca.crt'] | path_join }}" diff --git a/roles/federation/tasks/run_openstack_auth_test.yml b/roles/federation/tasks/run_openstack_auth_test.yml new file mode 100644 index 0000000000..ffbbda6e1e --- /dev/null +++ b/roles/federation/tasks/run_openstack_auth_test.yml 
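Review bot: `Approve rhsso operator install plan` patches whatever `oc get ip -o=jsonpath='{.items[].metadata.name}'` returns from the kubeconfig's current namespace, so the manual-approval gate set in the Subscription can be lifted for an install plan that does not belong to rhsso-operator; the preceding wait task also sets no `namespace`, so it may match a plan elsewhere than the one being patched. Passing `-n {{ cifmw_federation_keycloak_namespace }}` to the `oc apply`, `oc get ip` and `oc patch installplan` calls (presumably the intended namespace, since the OperatorGroup targets it) and selecting the plan by the operator it installs would tie the approval to this subscription. The `Link kubeconfg for comparability` copy writes `.kube/config` without a `mode`, so cluster credentials take the umask default; add `mode: '0600'`, and note that its source path uses `machines/src/kubeconfig` where run_openstack_setup.yml uses `machines/crc/kubeconfig`. The same copy in run_openstack_setup.yml also lacks `mode` and hard-codes `/home/zuul` instead of `ansible_user_dir`.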
@@ -0,0 +1,94 @@ +--- +# Copyright Red Hat, Inc. +# All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +- name: Read federation get token script + ansible.builtin.template: + src: get-token.sh.j2 + dest: "{{ [ ansible_user_dir, 'ci-framework-data', 'tmp', 'get-token.sh' ] | path_join }}" + mode: '0755' + +- name: Copy federation get token script file into pod + kubernetes.core.k8s_cp: + namespace: "{{ cifmw_federation_run_osp_cmd_namespace }}" + pod: openstackclient + remote_path: "/home/cloud-admin/get-token.sh" + local_path: "{{ [ ansible_user_dir, 'ci-framework-data', 'tmp', 'get-token.sh' ] | path_join }}" + +- name: Read federation test user1 cloudrc template + ansible.builtin.template: + src: kctestuser1.j2 + dest: "{{ [ ansible_user_dir, 'ci-framework-data', 'tmp', cifmw_federation_keycloak_testuser1_username ] | path_join }}" + +- name: Copy federation test user1 cloudrc file into pod + kubernetes.core.k8s_cp: + namespace: "{{ cifmw_federation_run_osp_cmd_namespace }}" + pod: openstackclient + remote_path: "/home/cloud-admin/{{ cifmw_federation_keycloak_testuser1_username }}" + local_path: "{{ [ ansible_user_dir, 'ci-framework-data', 'tmp', cifmw_federation_keycloak_testuser1_username ] | path_join }}" + +- name: Copy system CA bundle + ansible.builtin.copy: + src: "/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem" + dest: "{{ [ ansible_user_dir, 'ci-framework-data', 'tmp', 'full-ca-list.crt' ] | path_join }}" + +- name: Get ingress 
operator CA cert + ansible.builtin.slurp: + src: "{{ [ ansible_user_dir, 'ci-framework-data', 'tmp', 'ingress-operator-ca.crt'] | path_join }}" + register: federation_sso_ca + +- name: Add ingress operator CA to bundle + ansible.builtin.blockinfile: + path: "{{ [ ansible_user_dir, 'ci-framework-data', 'tmp', 'full-ca-list.crt' ] | path_join }}" + block: "{{ federation_sso_ca.content | b64decode }}" + +- name: Copy CA bundle to openstackclient pod + kubernetes.core.k8s_cp: + namespace: "{{ cifmw_federation_run_osp_cmd_namespace }}" + pod: openstackclient + remote_path: "/home/cloud-admin/full-ca-list.crt" + local_path: "{{ [ ansible_user_dir, 'ci-framework-data', 'tmp', 'full-ca-list.crt' ] | path_join }}" + +- name: Get test user1 token + vars: + _osp_cmd: "/home/cloud-admin/get-token.sh {{ cifmw_federation_keycloak_testuser1_username }}" + ansible.builtin.include_tasks: run_osp_cmd.yml + +- name: Read test user1 token info + ansible.builtin.set_fact: + federation_sso_testuser1_token_json: "{{ federation_run_ocp_cmd.stdout | from_json }}" + +- name: Output test user1 token info + ansible.builtin.debug: + msg: "{{ federation_sso_testuser1_token_json }}" + +- name: Get openstack project + vars: + _osp_cmd: "openstack project show {{ federation_sso_testuser1_token_json.project_id}} -f json" + ansible.builtin.include_tasks: run_osp_cmd.yml + +- name: Read openstack project info + ansible.builtin.set_fact: + federation_sso_ssoproject_json: "{{ federation_run_ocp_cmd.stdout | from_json }}" + +- name: Output openstack project info + ansible.builtin.debug: + msg: "{{ federation_sso_ssoproject_json }}" + +- name: Test user1 successful token + ansible.builtin.assert: + that: + - "cifmw_federation_project_name in federation_sso_ssoproject_json.name" + - federation_sso_testuser1_token_json.id|length >= 180 diff --git a/roles/federation/tasks/run_openstack_setup.yml b/roles/federation/tasks/run_openstack_setup.yml new file mode 100644 index 0000000000..593177a24d --- /dev/null 
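Review bot: `Output test user1 token info` prints the whole `openstack token issue` result, including the token `id`, so a usable bearer token for the federated user lands in the job log; print only the non-secret fields, e.g. `msg: "{{ federation_sso_testuser1_token_json | dict2items | rejectattr('key', 'equalto', 'id') | items2dict }}"`. The `kctestuser1.j2` render writes the user password and client secret under `ci-framework-data/tmp` with no `mode`; `mode: '0600'` matches what the file holds. The final assert checks `cifmw_federation_project_name in federation_sso_ssoproject_json.name`, a substring test that would also pass for a longer project name, where `==` states the expectation exactly.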
+++ b/roles/federation/tasks/run_openstack_setup.yml 
@@ -0,0 +1,84 @@ +--- +# Copyright Red Hat, Inc. +# All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +- name: Link kubeconfg for comparability + ansible.builtin.copy: + src: /home/zuul/.crc/machines/crc/kubeconfig + dest: /home/zuul/.kube/config + when: cifmw_federation_deploy_type == "crc" + +- name: Run federation create domain + vars: + _osp_cmd: "openstack domain create {{ cifmw_federation_domain }}" + ansible.builtin.include_tasks: run_osp_cmd.yml + +- name: Run federation identity provider create + vars: + _osp_cmd: "openstack identity provider create + --remote-id {{ cifmw_federation_remote_id }} + --domain {{ cifmw_federation_domain }} + {{ cifmw_federation_IdpName }}" + ansible.builtin.include_tasks: run_osp_cmd.yml + +- name: Read federation rules json template + ansible.builtin.template: + src: rules.json.j2 + dest: "{{ [ ansible_user_dir, 'ci-framework-data', 'tmp', cifmw_federation_rules_file ] | path_join }}" + +- name: Copy federation rules json file into pod + kubernetes.core.k8s_cp: + namespace: "{{ cifmw_federation_run_osp_cmd_namespace }}" + pod: openstackclient + remote_path: "/home/cloud-admin/{{ cifmw_federation_rules_file }}" + local_path: "{{ [ ansible_user_dir, 'ci-framework-data', 'tmp', cifmw_federation_rules_file ] | path_join }}" + +- name: Run federation mapping create + vars: + _osp_cmd: "openstack mapping create + --rules {{ cifmw_federation_rules_file }} + {{ cifmw_federation_mapping_name }}" + 
ansible.builtin.include_tasks: run_osp_cmd.yml + +- name: Run federation group create + vars: + _osp_cmd: "openstack group create + --domain {{ cifmw_federation_domain }} + {{ cifmw_federation_group_name }}" + ansible.builtin.include_tasks: run_osp_cmd.yml + +- name: Run federation project create + vars: + _osp_cmd: "openstack project create + --domain {{ cifmw_federation_domain }} + {{ cifmw_federation_project_name }}" + ansible.builtin.include_tasks: run_osp_cmd.yml + +- name: Run federation rule add + vars: + _osp_cmd: "openstack role add + --group {{ cifmw_federation_group_name }} + --group-domain {{ cifmw_federation_domain }} + --project {{ cifmw_federation_project_name }} + --project-domain {{ cifmw_federation_domain }} + member" + ansible.builtin.include_tasks: run_osp_cmd.yml + +- name: Run federation protocol create + vars: + _osp_cmd: "openstack federation protocol create openid + --mapping {{ cifmw_federation_mapping_name }} + --identity-provider {{ cifmw_federation_IdpName }}" + ansible.builtin.include_tasks: run_osp_cmd.yml diff --git a/roles/federation/tasks/run_osp_cmd.yml b/roles/federation/tasks/run_osp_cmd.yml new file mode 100644 index 0000000000..55415c5b1f --- /dev/null +++ b/roles/federation/tasks/run_osp_cmd.yml 
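Review bot: None of the `openstack ... create` commands is safe to re-run: a second pass over the same cloud fails at `openstack domain create` because the domain already exists. `--or-show` on the domain, group and project commands (`openstack domain create --or-show {{ cifmw_federation_domain }}`) makes those three idempotent; the identity provider, mapping and protocol steps would need an existence check or a `failed_when` that tolerates the conflict. The task named `Run federation rule add` runs `openstack role add`, so the name should read `Run federation role add`.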
@@ -0,0 +1,28 @@ +--- +# Copyright Red Hat, Inc. +# All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +- name: Run federation OCP CMD + environment: + KUBECONFIG: "{{ cifmw_openshift_kubeconfig }}" + PATH: "{{ cifmw_path }}" + ansible.builtin.command: + cmd: >- + oc exec + -n {{ cifmw_federation_run_osp_cmd_namespace }} + -t openstackclient + -- + {{ _osp_cmd }} + register: federation_run_ocp_cmd diff --git a/roles/federation/templates/get-token.sh.j2 b/roles/federation/templates/get-token.sh.j2 new file mode 100644 index 0000000000..32c8876043 --- /dev/null +++ b/roles/federation/templates/get-token.sh.j2 @@ -0,0 +1,3 @@ +#!/bin/bash +source /home/cloud-admin/$1 +openstack token issue -f json diff --git a/roles/federation/templates/kctestuser1.j2 b/roles/federation/templates/kctestuser1.j2 new file mode 100644 index 0000000000..c64e21cb4c --- /dev/null +++ b/roles/federation/templates/kctestuser1.j2 
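Review bot: `oc exec ... -t openstackclient` asks for a TTY although the command runs non-interactively and its stdout is later fed to `from_json`; a TTY can merge stderr into stdout and change line endings, so dropping `-t` is the safer form. `{{ _osp_cmd }}` is spliced into the folded `cmd` string unquoted, so any variable value containing whitespace is split into extra arguments; callers should quote values they do not control, e.g. `{{ cifmw_federation_domain | quote }}`. The task has no `changed_when`, so read-only calls such as `openstack project show` are reported as changes.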
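Review bot: `source /home/cloud-admin/$1` expands the argument unquoted and unchecked, so an empty or path-like argument makes the script source something other than the intended rc file, and a failed `source` does not stop the `openstack token issue` that follows. Adding `set -e` at the top and using `source "/home/cloud-admin/${1:?rc file name required}"` covers both. The file contains no Jinja expressions, so it could be shipped with `copy` from `files/` instead of `template`.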
@@ -0,0 +1,17 @@ +unset OS_CLOUD +export OS_CACERT=/home/cloud-admin/full-ca-list.crt +export OS_PROJECT_NAME="{{ cifmw_federation_project_name }}" +export OS_PROJECT_DOMAIN_NAME="{{ cifmw_federation_domain }}" +export OS_AUTH_URL="{{ cifmw_federation_keystone_url }}/v3" +export OS_IDENTITY_API_VERSION=3 +export OS_AUTH_PLUGIN=openid +export OS_AUTH_TYPE=v3oidcpassword +export OS_USERNAME="{{ cifmw_federation_keycloak_testuser1_username }}" +export OS_PASSWORD="{{ cifmw_federation_keycloak_testuser1_password }}" +export OS_IDENTITY_PROVIDER="{{ cifmw_federation_IdpName }}" +export OS_CLIENT_ID="{{ cifmw_federation_keycloak_client_id }}" +export OS_CLIENT_SECRET="{{ cifmw_federation_keycloak_client_secret }}" +export OS_OPENID_SCOPE="openid profile email" +export OS_PROTOCOL=openid +export OS_ACCESS_TOKEN_TYPE=access_token +export OS_DISCOVERY_ENDPOINT="{{ cifmw_federation_keycloak_url }}/auth/realms/{{ cifmw_federation_keycloak_realm }}/.well-known/openid-configuration" diff --git a/roles/federation/templates/rhsso-operator-olm.yaml.j2 b/roles/federation/templates/rhsso-operator-olm.yaml.j2 new file mode 100644 index 0000000000..410df19810 --- /dev/null +++ b/roles/federation/templates/rhsso-operator-olm.yaml.j2 @@ -0,0 +1,18 @@ +apiVersion: operators.coreos.com/v1 +kind: OperatorGroup +metadata: + name: rhsso-operator-group +spec: + targetNamespaces: + - {{ cifmw_federation_keycloak_namespace }} +--- +apiVersion: operators.coreos.com/v1alpha1 +kind: Subscription +metadata: + name: rhsso-operator +spec: + channel: stable + installPlanApproval: Manual + name: rhsso-operator + source: redhat-operators + sourceNamespace: openshift-marketplace diff --git a/roles/federation/templates/rules.json.j2 b/roles/federation/templates/rules.json.j2 new file mode 100644 index 0000000000..444f4e315d --- /dev/null +++ b/roles/federation/templates/rules.json.j2 
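Review bot: Every value is rendered inside double quotes, so a password or client secret containing `"`, `$`, a backtick or a backslash is re-interpreted by bash when get-token.sh sources the file. Rendering through the `quote` filter without the surrounding quotes, e.g. `export OS_PASSWORD={{ cifmw_federation_keycloak_testuser1_password | quote }}` and likewise for `OS_CLIENT_SECRET`, keeps the value literal. The rendered file carries both secrets into the openstackclient pod's home directory; removing it after the token test would limit how long they sit there.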
@@ -0,0 +1,22 @@ +[ + { + "local": [ + { + "user": { + "name": "{0}" + }, + "group": { + "name": "{{ cifmw_federation_group_name }}", + "domain": { + "name": "{{ cifmw_federation_domain }}" + } + } + } + ], + "remote": [ + { + "type": "{{ cifmw_federation_clame_id }}" + } + ] + } +] diff --git a/roles/federation/templates/sso.yaml.j2 b/roles/federation/templates/sso.yaml.j2 new file mode 100644 index 0000000000..704c0d53d1 --- /dev/null +++ b/roles/federation/templates/sso.yaml.j2 @@ -0,0 +1,10 @@ +apiVersion: keycloak.org/v1alpha1 +kind: Keycloak +metadata: + name: sso + labels: + app: sso +spec: + instances: 1 + externalAccess: + enabled: True diff --git a/roles/install_openstack_ca/molecule/default/prepare.yml b/roles/install_openstack_ca/molecule/default/prepare.yml index cd00bd1cf7..92a724fc92 100644 --- a/roles/install_openstack_ca/molecule/default/prepare.yml +++ b/roles/install_openstack_ca/molecule/default/prepare.yml @@ -56,6 +56,11 @@ NETWORK_ISOLATION: false TIMEOUT: "600s" + - name: Install openstack operator and wait for openstackversion resource + ansible.builtin.include_role: + name: 'install_yamls_makes' + tasks_from: 'make_openstack_init' + - name: Deploy openstack controlplane ansible.builtin.include_role: name: 'install_yamls_makes' diff --git a/roles/install_yamls/tasks/zuul_set_operators_repo.yml b/roles/install_yamls/tasks/zuul_set_operators_repo.yml index fe64090a1d..e5a3b37e23 100644 --- a/roles/install_yamls/tasks/zuul_set_operators_repo.yml +++ b/roles/install_yamls/tasks/zuul_set_operators_repo.yml 
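Review bot: The mapping's `remote` section matches on `{{ cifmw_federation_clame_id }}` alone, so every user the Keycloak realm can authenticate is placed in `{{ cifmw_federation_group_name }}`, which run_openstack_setup.yml grants `member` on the project; the two Keycloak test groups created by the role play no part in the decision. If the test is meant to model group-based access, a second `remote` entry with `any_one_of` on the group claim, `{"type": "<group-claim>", "any_one_of": ["{{ cifmw_federation_keycloak_testgroup1_name }}"]}` (claim name to be confirmed against the Keystone OIDC configuration), would restrict the mapping and let kctestuser2 serve as the negative case.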
@@ -15,23 +15,43 @@ # under the License. # When using CI (Zuul) to deploy operators and its dependencies with install_yamls, -# it may be needed to set operator's repo variable to properly clone PR's -# code, instead of getting latest promoted content. This task search for all -# modified operators in zuul.items[] and set install_yaml variables. +# it may be needed to set operator's repo variable to properly clone PR's +# code, instead of getting latest promoted content. This task search for all +# modified operators in zuul.items[] and set install_yaml variables. + - name: Create variables with local repos based on Zuul items when: - zuul is defined - "'operator' in zuul_item.project.short_name" - "'openstack-k8s-operators' in zuul_item.project.name" - vars: - _repo_operator_name: "{{ zuul_item.project.short_name | regex_search('(?:openstack-)?(.*)-operator', '\\1') | first }}" - _repo_operator_info: - - key: "{{ _repo_operator_name | upper }}_REPO" - value: "{{ ansible_user_dir }}/{{ zuul_item.project.src_dir }}" - - key: "{{ _repo_operator_name | upper }}_BRANCH" - value: "" - ansible.builtin.set_fact: - cifmw_install_yamls_operators_repo: "{{ cifmw_install_yamls_operators_repo | default({}) | combine(_repo_operator_info | items2dict) }}" - loop: "{{ zuul['items'] }}" - loop_control: - loop_var: zuul_item + block: + - name: Set fact with local repos based on Zuul items + vars: + _repo_operator_name: "{{ zuul_item.project.short_name | regex_search('(?:openstack-)?(.*)-operator', '\\1') | first }}" + _repo_operator_info: + - key: "{{ _repo_operator_name | upper }}_REPO" + value: "{{ ansible_user_dir }}/{{ zuul_item.project.src_dir }}" + - key: "{{ _repo_operator_name | upper }}_BRANCH" + value: "" + ansible.builtin.set_fact: + cifmw_install_yamls_operators_repo: "{{ cifmw_install_yamls_operators_repo | default({}) | combine(_repo_operator_info | items2dict) }}" + loop: "{{ zuul['items'] }}" + loop_control: + loop_var: zuul_item + + - name: Print helpful data for 
debugging + vars: + _repo_operator_name: "{{ zuul_item.project.short_name | regex_search('(?:openstack-)?(.*)-operator', '\\1') | first }}" + _repo_operator_info: + - key: "{{ _repo_operator_name | upper }}_REPO" + value: "{{ ansible_user_dir }}/{{ zuul_item.project.src_dir }}" + - key: "{{ _repo_operator_name | upper }}_BRANCH" + value: "" + ansible.builtin.debug: + msg: | + _repo_operator_name: {{ _repo_operator_name }} + _repo_operator_info: {{ _repo_operator_info }} + cifmw_install_yamls_operators_repo: {{ cifmw_install_yamls_operators_repo }} + loop: "{{ zuul['items'] }}" + loop_control: + loop_var: zuul_item diff --git a/roles/libvirt_manager/tasks/manage_vms.yml b/roles/libvirt_manager/tasks/manage_vms.yml index 46f73f7664..c9c700d2e4 100644 --- a/roles/libvirt_manager/tasks/manage_vms.yml +++ b/roles/libvirt_manager/tasks/manage_vms.yml @@ -1,4 +1,9 @@ --- +- name: Check if new ssh keypair exists + when: vm_type == 'crc' + ansible.builtin.include_role: + name: recognize_ssh_keypair + - name: "Push ssh jumper/configuration for {{ vm }}" vars: _ocp_name: >- @@ -40,7 +45,7 @@ identity_file: >- {{ cifmw_libvirt_manager_basedir ~ '/artifacts/cifmw_ocp_access_key' if vm_type is match('^ocp.*') else - ansible_user_dir ~ '/.crc/machines/crc/id_ecdsa' if vm_type == 'crc' else + ansible_user_dir ~ '/.crc/machines/crc/' + crc_ssh_keypair if vm_type == 'crc' else ansible_user_dir ~ '/.ssh/cifmw_reproducer_key' }} config: >- diff --git a/roles/libvirt_manager/tasks/start_one_vm.yml b/roles/libvirt_manager/tasks/start_one_vm.yml new file mode 100644 index 0000000000..e03187fbb6 --- /dev/null +++ b/roles/libvirt_manager/tasks/start_one_vm.yml @@ -0,0 +1,10 @@ +--- +- name: Start vm + community.libvirt.virt: + name: "cifmw-{{ vm }}" + state: running + uri: "qemu:///system" + register: _vm_start_result + retries: 5 + delay: 30 + until: _vm_start_result is not failed 
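Review bot: `_repo_operator_name` and `_repo_operator_info` are now defined twice with identical expressions, once per task in the block, so a later change to the regex has to be made in two places. Moving the `vars:` to the `block` level should keep a single definition, since the values are only templated when each looped task reads `zuul_item`. `Print helpful data for debugging` would be quieter with `verbosity: 1` on the debug task, as it prints the accumulated dictionary once per Zuul item.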
diff --git a/roles/libvirt_manager/tasks/start_vms.yml b/roles/libvirt_manager/tasks/start_vms.yml index da1fb7cc85..5ab369f8f9 100644 --- a/roles/libvirt_manager/tasks/start_vms.yml +++ b/roles/libvirt_manager/tasks/start_vms.yml @@ -20,10 +20,8 @@ {{ _cifmw_libvirt_manager_layout.vms[vm_type] }} - community.libvirt.virt: - state: running - name: "cifmw-{{ vm }}" - uri: "qemu:///system" + ansible.builtin.include_tasks: + file: start_one_vm.yml loop: "{{ cifmw_libvirt_manager_all_vms | dict2items }}" loop_control: loop_var: _vm diff --git a/roles/openshift_obs/molecule/default/converge.yml b/roles/openshift_obs/molecule/default/converge.yml index 5bca0a9b34..fd3f722081 100644 --- a/roles/openshift_obs/molecule/default/converge.yml +++ b/roles/openshift_obs/molecule/default/converge.yml @@ -35,10 +35,14 @@ path: /etc/hosts line: "192.168.130.11 crc" + - name: Check if new ssh keypair exists + ansible.builtin.include_role: + name: recognize_ssh_keypair + - name: Add the crc host dynamically ansible.builtin.add_host: name: crc - ansible_ssh_private_key_file: "{{ ansible_user_dir }}/.crc/machines/crc/id_ecdsa" + ansible_ssh_private_key_file: "{{ ansible_user_dir }}/.crc/machines/crc/{{ crc_ssh_keypair }}" ansible_ssh_user: core - name: Deploy Cluster observability Operator diff --git a/roles/recognize_ssh_keypair/tasks/main.yaml b/roles/recognize_ssh_keypair/tasks/main.yaml new file mode 100644 index 0000000000..d075261215 --- /dev/null +++ b/roles/recognize_ssh_keypair/tasks/main.yaml @@ -0,0 +1,15 @@ +--- +- name: Check if id_ed25519 key exists + ansible.builtin.stat: + path: "~/.crc/machines/crc/id_ed25519" + register: _ed25519_key + +- name: Set fact if new keypair exists + when: _ed25519_key.stat.exists + ansible.builtin.set_fact: + crc_ssh_keypair: "id_ed25519" + +- name: Set fact if new keypair does not exists + when: not _ed25519_key.stat.exists + ansible.builtin.set_fact: + crc_ssh_keypair: "id_ecdsa" 
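Review bot: The `stat` in roles/recognize_ssh_keypair/tasks/main.yaml looks at `~/.crc/machines/crc/id_ed25519`, while every consumer builds the key path from `ansible_user_dir`; under `become` or a different remote user the two can resolve to different homes, and the fallback then silently picks `id_ecdsa`. Using `path: "{{ ansible_user_dir }}/.crc/machines/crc/id_ed25519"` keeps the probe and the consumers on the same directory. The two `set_fact` tasks can be one: `crc_ssh_keypair: "{{ _ed25519_key.stat.exists | ternary('id_ed25519', 'id_ecdsa') }}"`. The role never checks that the fallback key exists, so a missing key surfaces later as an SSH failure rather than here.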
diff --git a/roles/reproducer/tasks/crc_layout.yml b/roles/reproducer/tasks/crc_layout.yml index 24df6dd0df..e5ee295ecd 100644 --- a/roles/reproducer/tasks/crc_layout.yml +++ b/roles/reproducer/tasks/crc_layout.yml @@ -25,10 +25,14 @@ name: rhol_crc tasks_from: undefine.yml +- name: Check if new ssh keypair exists + ansible.builtin.include_role: + name: recognize_ssh_keypair + - name: Slurp ssh key for CRC access register: crc_priv_key ansible.builtin.slurp: - path: "{{ ansible_user_dir}}/.crc/machines/crc/id_ecdsa" + path: "{{ ansible_user_dir}}/.crc/machines/crc/{{ crc_ssh_keypair }}" - name: Get kubeconfig file from crc directory register: _crc_kubeconfig diff --git a/roles/rhol_crc/tasks/add_crc_creds.yml b/roles/rhol_crc/tasks/add_crc_creds.yml index 17b96cd26b..8e93cc7598 100644 --- a/roles/rhol_crc/tasks/add_crc_creds.yml +++ b/roles/rhol_crc/tasks/add_crc_creds.yml @@ -17,7 +17,9 @@ dest: ~/.bashrc create: true block: |- - eval $(crc oc-env) + if command -v crc; then + eval "$(crc oc-env --shell bash)" + fi export KUBECONFIG="{{ cifmw_rhol_crc_kubeconfig }}" mode: "0644" @@ -30,6 +32,8 @@ changed_when: false retries: 30 delay: 20 + args: + executable: /bin/bash - name: Check bashrc results ansible.builtin.debug: diff --git a/roles/shiftstack/templates/shiftstackclient_pod.yml.j2 b/roles/shiftstack/templates/shiftstackclient_pod.yml.j2 index 1ba3f474dc..eeddac0eea 100644 --- a/roles/shiftstack/templates/shiftstackclient_pod.yml.j2 +++ b/roles/shiftstack/templates/shiftstackclient_pod.yml.j2 @@ -13,7 +13,17 @@ spec: image: {{ cifmw_shiftstack_client_pod_image }} imagePullPolicy: Always name: {{ cifmw_shiftstack_client_pod_name }} +{% if 'crc' in cifmw_openshift_kubeconfig %} resources: {} +{% else %} + resources: + requests: + memory: "12Gi" + cpu: "4" + limits: + memory: "12Gi" + cpu: "4" +{% endif %} securityContext: privileged: true terminationMessagePath: /dev/termination-log 
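Review bot: In roles/rhol_crc/tasks/add_crc_creds.yml, `if command -v crc; then` prints the resolved path of `crc` to stdout each time `~/.bashrc` is sourced, and output from rc files can break non-interactive sessions such as scp or rsync. Silence it with `if command -v crc >/dev/null 2>&1; then`.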
diff --git a/roles/sushy_emulator/molecule/default/converge.yml b/roles/sushy_emulator/molecule/default/converge.yml index 9dd54790c9..f04597f565 100644 --- a/roles/sushy_emulator/molecule/default/converge.yml +++ b/roles/sushy_emulator/molecule/default/converge.yml @@ -50,10 +50,14 @@ file: input.yml name: cifmw_networking_definition + - name: Check if new ssh keypair exists + ansible.builtin.include_role: + name: recognize_ssh_keypair + - name: Add the crc host dynamically ansible.builtin.add_host: name: crc - ansible_ssh_private_key_file: "{{ ansible_user_dir }}/.crc/machines/crc/id_ecdsa" + ansible_ssh_private_key_file: "{{ ansible_user_dir }}/.crc/machines/crc/{{ crc_ssh_keypair }}" ansible_ssh_user: core - name: Add ansible_host entry to "{{ cifmw_sushy_emulator_hypervisor_target }}" diff --git a/roles/test_operator/README.md b/roles/test_operator/README.md index b4eb070ec8..1e87dd1639 100644 --- a/roles/test_operator/README.md +++ b/roles/test_operator/README.md 
@@ -216,6 +216,8 @@ Default value: {} * `cifmw_test_operator_horizontest_horizon_test_dir`: (String) The directory path for Horizon tests. Default value: `/var/lib/horizontest` * `cifmw_test_operator_horizontest_resources`: (Dict) A dictionary that specifies resources (cpu, memory) for the test pods. When kept untouched it defaults to the resource limits specified on the test-operator side. Default value: `{}` * `cifmw_test_operator_horizontest_debug`: (Bool) Run HorizonTest in debug mode, it keeps the operator pod sleeping infinitely (it must only set to `true` only for debugging purposes). Default value: `false` +* `cifmw_test_operator_horizontest_extra_flag`: (String) The extra flag to modify pytest command to include/exclude tests. Default value: `not pagination` +* `cifmw_test_operator_horizontest_project_name_xpath`: (String) The xpath to select project name based on dashboard theme. Default value: `//span[@class='rcueicon rcueicon-folder-open']/ancestor::li` * `cifmw_test_operator_horizontest_config`: (Dict) Definition of HorizonTest CR instance that is passed to the test-operator (see [the test-operator documentation](https://openstack-k8s-operators.github.io/test-operator/crds.html#horizontest-custom-resource)). Default value: ``` apiVersion: test.openstack.org/v1beta1 @@ -238,6 +240,8 @@ Default value: {} flavorName: "{{ cifmw_test_operator_horizontest_flavor_name }}" logsDirectoryName: "{{ cifmw_test_operator_horizontest_logs_directory_name }}" debug: "{{ cifmw_test_operator_horizontest_debug }}" + extraFlag: "{{ cifmw_test_operator_horizontest_extra_flag }}" + projectNameXpath "{{ cifmw_test_operator_horizontest_project_name_xpath }}" horizonTestDir: "{{ cifmw_test_operator_horizontest_horizon_test_dir }}" ``` diff --git a/roles/test_operator/defaults/main.yml b/roles/test_operator/defaults/main.yml index d063c75d85..c453324516 100644 --- a/roles/test_operator/defaults/main.yml +++ b/roles/test_operator/defaults/main.yml 
@@ -264,6 +264,8 @@ cifmw_test_operator_horizontest_flavor_name: "m1.tiny" cifmw_test_operator_horizontest_logs_directory_name: "horizon" cifmw_test_operator_horizontest_debug: false cifmw_test_operator_horizontest_horizon_test_dir: "/var/lib/horizontest" +cifmw_test_operator_horizontest_extra_flag: "not pagination" +cifmw_test_operator_horizontest_project_name_xpath: "//span[@class='rcueicon rcueicon-folder-open']/ancestor::li" cifmw_test_operator_horizontest_resources: {} cifmw_test_operator_horizontest_config: apiVersion: test.openstack.org/v1beta1 @@ -289,5 +291,7 @@ cifmw_test_operator_horizontest_config: flavorName: "{{ stage_vars_dict.cifmw_test_operator_horizontest_flavor_name }}" logsDirectoryName: "{{ stage_vars_dict.cifmw_test_operator_horizontest_logs_directory_name }}" debug: "{{ stage_vars_dict.cifmw_test_operator_horizontest_debug }}" + extraFlag: "{{ stage_vars_dict.cifmw_test_operator_horizontest_extra_flag }}" + projectNameXpath: "{{ stage_vars_dict.cifmw_test_operator_horizontest_project_name_xpath }}" horizonTestDir: "{{ stage_vars_dict.cifmw_test_operator_horizontest_horizon_test_dir }}" resources: "{{ stage_vars_dict.cifmw_test_operator_horizontest_resources }}" diff --git a/roles/test_operator/tasks/run-test-operator-job.yml b/roles/test_operator/tasks/run-test-operator-job.yml index 887bcd809c..1e3a0c95dc 100644 --- a/roles/test_operator/tasks/run-test-operator-job.yml +++ b/roles/test_operator/tasks/run-test-operator-job.yml @@ -111,6 +111,7 @@ api_key: "{{ cifmw_openshift_token | default(omit)}}" context: "{{ cifmw_openshift_context | default(omit)}}" state: present + wait: true definition: apiVersion: v1 kind: Pod diff --git a/zuul.d/adoption.yaml b/zuul.d/adoption.yaml index c75bc1f9c8..c435b374b9 100644 --- a/zuul.d/adoption.yaml +++ b/zuul.d/adoption.yaml @@ -152,8 +152,6 @@ - ^LICENSE$ - ^.github/.*$ - ^LICENSE$ - - ^OWNERS$ - - ^OWNERS_ALIASES$ - ^PROJECT$ - ^README.md$ - ^kuttl-test.yaml$ 
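Review bot: The two new defaults `cifmw_test_operator_horizontest_extra_flag` and `cifmw_test_operator_horizontest_project_name_xpath` are free-form strings that the second hunk forwards as `extraFlag` and `projectNameXpath`, and neither has a comment saying what form the value must take. The README text added in this commit says the flag modifies the pytest command; how the test-operator quotes it is not visible here, so a line such as `# test-selection expression for pytest only; forwarded to the HorizonTest CR as extraFlag` above the default would tell job authors not to put arbitrary arguments there. The default XPath matches on the `rcueicon` classes, which looks theme-specific, and a comment naming the dashboard theme it targets would help whoever has to override it. Separately, the README example of this same mapping writes `projectNameXpath "{{ cifmw_test_operator_horizontest_project_name_xpath }}"` without the colon, so the documented snippet is not valid YAML and does not match what this file defines.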
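Review bot: `wait: true` is added in `run-test-operator-job.yml` without a `wait_timeout`, so the task that creates this Pod now blocks for whatever the module's default timeout is and fails if the Pod is not ready by then. The task starts above the hunk, so the module name and any timeout already set are not visible here. If this is `kubernetes.core.k8s`, an explicit limit next to the new line, e.g. `wait_timeout: 300` (a constructed value, to be sized for the slowest image pull in CI), makes that failure mode a deliberate choice rather than an inherited one.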
diff --git a/zuul.d/base.yaml b/zuul.d/base.yaml index 1bf8a7f998..bb8caa3249 100644 --- a/zuul.d/base.yaml +++ b/zuul.d/base.yaml @@ -31,8 +31,6 @@ - .*/*.md - ^.github/.*$ - ^LICENSE$ - - ^OWNERS$ - - ^OWNERS_ALIASES$ - ^PROJECT$ - ^README.md$ - ^renovate.json$ diff --git a/zuul.d/end-to-end.yaml b/zuul.d/end-to-end.yaml index 176ffe3bc1..ab74f09a7e 100644 --- a/zuul.d/end-to-end.yaml +++ b/zuul.d/end-to-end.yaml @@ -49,7 +49,6 @@ - ^ci/templates - ^docs - ^.*/*.md - - ^OWNERS - ^.github vars: cifmw_extras: diff --git a/zuul.d/molecule-base.yaml b/zuul.d/molecule-base.yaml index 39d2c35940..dc9141a6d9 100644 --- a/zuul.d/molecule-base.yaml +++ b/zuul.d/molecule-base.yaml @@ -23,7 +23,7 @@ - job: name: cifmw-molecule-base-crc - nodeset: centos-9-crc-2-39-0-xxl + nodeset: centos-9-crc-2-48-0-xxl parent: base-simple-crc provides: - cifmw-molecule diff --git a/zuul.d/molecule.yaml b/zuul.d/molecule.yaml index 353de98032..0b82ef1470 100644 --- a/zuul.d/molecule.yaml +++ b/zuul.d/molecule.yaml @@ -52,7 +52,7 @@ - ^ci/playbooks/molecule.* - ^.config/molecule/.* name: cifmw-molecule-cert_manager - nodeset: centos-9-crc-2-39-0-xxl + nodeset: centos-9-crc-2-48-0-xxl-ibm parent: cifmw-molecule-base vars: TEST_RUN: cert_manager @@ -77,7 +77,7 @@ - ^ci/playbooks/molecule.* - ^.config/molecule/.* name: cifmw-molecule-ci_local_storage - nodeset: centos-9-crc-2-39-0-xl + nodeset: centos-9-crc-2-48-0-xl-ibm parent: cifmw-molecule-base vars: TEST_RUN: ci_local_storage @@ -364,7 +364,7 @@ - ^ci/playbooks/molecule.* - ^.config/molecule/.* name: cifmw-molecule-env_op_images - nodeset: centos-9-crc-2-39-0-xl + nodeset: centos-9-crc-2-48-0-xl-ibm parent: cifmw-molecule-base vars: TEST_RUN: env_op_images @@ -422,7 +422,7 @@ - ^ci/playbooks/molecule.* - ^.config/molecule/.* name: cifmw-molecule-install_openstack_ca - nodeset: centos-9-crc-2-39-0-3xl + nodeset: centos-9-crc-2-48-0-3xl-ibm parent: cifmw-molecule-base-crc timeout: 5400 vars: 
@@ -474,7 +474,7 @@ - ^ci/playbooks/molecule.* - ^.config/molecule/.* name: cifmw-molecule-manage_secrets - nodeset: centos-9-crc-2-39-0-xl + nodeset: centos-9-crc-2-48-0-xl-ibm parent: cifmw-molecule-base vars: TEST_RUN: manage_secrets @@ -520,7 +520,7 @@ - ^ci/playbooks/molecule.* - ^.config/molecule/.* name: cifmw-molecule-openshift_login - nodeset: centos-9-crc-2-39-0-xl + nodeset: centos-9-crc-2-48-0-xl-ibm parent: cifmw-molecule-base vars: TEST_RUN: openshift_login @@ -532,7 +532,7 @@ - ^ci/playbooks/molecule.* - ^.config/molecule/.* name: cifmw-molecule-openshift_obs - nodeset: centos-9-crc-2-39-0-xxl + nodeset: centos-9-crc-2-48-0-xxl-ibm parent: cifmw-molecule-base vars: TEST_RUN: openshift_obs @@ -544,7 +544,7 @@ - ^ci/playbooks/molecule.* - ^.config/molecule/.* name: cifmw-molecule-openshift_provisioner_node - nodeset: centos-9-crc-2-39-0-xl + nodeset: centos-9-crc-2-48-0-xl-ibm parent: cifmw-molecule-base vars: TEST_RUN: openshift_provisioner_node @@ -556,7 +556,7 @@ - ^ci/playbooks/molecule.* - ^.config/molecule/.* name: cifmw-molecule-openshift_setup - nodeset: centos-9-crc-2-39-0-xl + nodeset: centos-9-crc-2-48-0-xl-ibm parent: cifmw-molecule-base vars: TEST_RUN: openshift_setup @@ -579,7 +579,7 @@ - ^ci/playbooks/molecule.* - ^.config/molecule/.* name: cifmw-molecule-operator_deploy - nodeset: centos-9-crc-2-39-0-xl + nodeset: centos-9-crc-2-48-0-xl parent: cifmw-molecule-base vars: TEST_RUN: operator_deploy @@ -674,7 +674,7 @@ - ^roles/sushy_emulator/(defaults|files|handlers|library|lookup_plugins|module_utils|tasks|templates|vars).* - ^roles/rhol_crc/(defaults|files|handlers|library|lookup_plugins|module_utils|tasks|templates|vars).* name: cifmw-molecule-reproducer - nodeset: centos-9-crc-2-39-0-xxl + nodeset: centos-9-crc-2-48-0-xxl-ibm parent: cifmw-molecule-base timeout: 5400 vars: 
@@ -687,7 +687,7 @@ - ^ci/playbooks/molecule.* - ^.config/molecule/.* name: cifmw-molecule-rhol_crc - nodeset: centos-9-crc-2-39-0-xxl + nodeset: centos-9-crc-2-48-0-xxl-ibm parent: cifmw-molecule-base timeout: 5400 vars: @@ -722,7 +722,7 @@ - ^ci/playbooks/molecule.* - ^.config/molecule/.* name: cifmw-molecule-shiftstack - nodeset: centos-9-crc-2-39-0-xl + nodeset: centos-9-crc-2-48-0-xl-ibm parent: cifmw-molecule-base vars: TEST_RUN: shiftstack @@ -745,7 +745,7 @@ - ^ci/playbooks/molecule.* - ^.config/molecule/.* name: cifmw-molecule-sushy_emulator - nodeset: centos-9-crc-2-39-0-xl + nodeset: centos-9-crc-2-48-0-xl-ibm parent: cifmw-molecule-base vars: TEST_RUN: sushy_emulator @@ -873,6 +873,15 @@ - ^.config/molecule/.* name: cifmw-molecule-cifmw_external_dns parent: cifmw-molecule-noop +- job: + files: + - ^common-requirements.txt + - ^test-requirements.txt + - ^roles/federation/defaults|files|handlers|library|lookup_plugins|module_utils|molecule|tasks|templates|vars.* + - ^ci/playbooks/molecule.* + - ^.config/molecule/.* + name: cifmw-molecule-federation + parent: cifmw-molecule-noop - job: files: - ^common-requirements.txt @@ -909,6 +918,15 @@ - ^.config/molecule/.* name: cifmw-molecule-polarion parent: cifmw-molecule-noop +- job: + files: + - ^common-requirements.txt + - ^test-requirements.txt + - ^roles/recognize_ssh_keypair/defaults|files|handlers|library|lookup_plugins|module_utils|molecule|tasks|templates|vars.* + - ^ci/playbooks/molecule.* + - ^.config/molecule/.* + name: cifmw-molecule-recognize_ssh_keypair + parent: cifmw-molecule-noop - job: files: - ^common-requirements.txt diff --git a/zuul.d/nodeset.yaml b/zuul.d/nodeset.yaml index 0721fd29e1..22a6ae37c8 100644 --- a/zuul.d/nodeset.yaml +++ b/zuul.d/nodeset.yaml 
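Review bot: The `^roles/federation/...` entry under `files` in the new `cifmw-molecule-federation` job has no parentheses around its alternation, so only the `defaults` branch is anchored to `roles/federation/`, and the other branches (`files`, `handlers`, `tasks`, `templates` and so on) match those words anywhere in a changed path. The `^roles/recognize_ssh_keypair/...` entry in the next hunk has the same problem. The reproducer job earlier in this file groups its alternatives inside `( ... )` after the role path, and the new entries should do the same: `- ^roles/federation/(defaults|files|handlers|library|lookup_plugins|module_utils|molecule|tasks|templates|vars).*`. Both jobs have parent `cifmw-molecule-noop`, so the effect is limited to when the job is scheduled, but the trigger is much wider than the role path suggests. If this file is generated from a template, the fix belongs there.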
@@ -326,3 +326,300 @@ nodes: - name: controller label: centos-9-stream-crc-2-39-0-xl + + +# +# CRC-2.48 (OCP4.18) nodesets +# + +- nodeset: + name: centos-9-medium-crc-extracted-2-48-0-3xl + nodes: + - name: controller + label: cloud-centos-9-stream-tripleo-medium + - name: crc + label: crc-cloud-ocp-4-18-1-3xl + groups: + - name: computes + nodes: [] + - name: ocps + nodes: + - crc + +- nodeset: + name: centos-9-crc-2-48-0-xxl + nodes: + - name: controller + label: centos-9-stream-crc-2-48-0-xxl + +- nodeset: + name: centos-9-rhel-9-2-crc-extracted-2-48-0-3xl + nodes: + - name: controller + label: cloud-centos-9-stream-tripleo + - name: crc + label: crc-cloud-ocp-4-18-1-3xl + - name: standalone + label: cloud-rhel-9-2-tripleo + groups: + - name: computes + nodes: [] + - name: ocps + nodes: + - crc + - name: rh-subscription + nodes: + - standalone + +- nodeset: + name: centos-9-multinode-rhel-9-2-crc-extracted-2-48-0-3xl + nodes: + - name: controller + label: cloud-centos-9-stream-tripleo + - name: crc + label: crc-cloud-ocp-4-18-1-3xl + - name: undercloud + label: cloud-rhel-9-2-tripleo + - name: overcloud-controller-0 + label: cloud-rhel-9-2-tripleo + - name: overcloud-controller-1 + label: cloud-rhel-9-2-tripleo + - name: overcloud-controller-2 + label: cloud-rhel-9-2-tripleo + - name: overcloud-novacompute-0 + label: cloud-rhel-9-2-tripleo + - name: overcloud-novacompute-1 + label: cloud-rhel-9-2-tripleo + - name: overcloud-novacompute-2 + label: cloud-rhel-9-2-tripleo + groups: + - name: computes + nodes: [] + - name: ocps + nodes: + - crc + - name: rh-subscription + nodes: + - undercloud + - overcloud-controller-0 + - overcloud-controller-1 + - overcloud-controller-2 + - overcloud-novacompute-0 + - overcloud-novacompute-1 + - overcloud-novacompute-2 + - name: tripleo_controllers + nodes: + - overcloud-controller-0 + - overcloud-controller-1 + - overcloud-controller-2 + - name: tripleo_computes + nodes: + - overcloud-novacompute-0 + - overcloud-novacompute-1 + 
- overcloud-novacompute-2 + +- nodeset: + name: centos-9-multinode-rhel-9-2-crc-extracted-2-48-0-3xl-novacells + nodes: + - name: controller + label: cloud-centos-9-stream-tripleo + - name: crc + label: crc-cloud-ocp-4-18-1-3xl + - name: undercloud + label: cloud-rhel-9-2-tripleo + - name: overcloud-controller-0 + label: cloud-rhel-9-2-tripleo + - name: cell1-controller-0 + label: cloud-rhel-9-2-tripleo + - name: cell1-compute-0 + label: cloud-rhel-9-2-tripleo + - name: cell2-controller-compute-0 + label: cloud-rhel-9-2-tripleo + groups: + - name: computes + nodes: [] + - name: ocps + nodes: + - crc + - name: rh-subscription + nodes: + - undercloud + - overcloud-controller-0 + - cell1-controller-0 + - cell2-controller-compute-0 + - cell1-compute-0 + - name: tripleo_controllers + nodes: + - overcloud-controller-0 + - cell1-controller-0 + - cell2-controller-compute-0 + - name: tripleo_computes + nodes: + - cell1-compute-0 + - cell2-controller-compute-0 + +- nodeset: + name: centos-9-medium-centos-9-crc-extracted-2-48-0-3xl + nodes: + - name: controller + label: cloud-centos-9-stream-tripleo-medium + - name: compute-0 + label: cloud-centos-9-stream-tripleo + - name: crc + label: crc-cloud-ocp-4-18-1-3xl + groups: + - name: computes + nodes: + - compute-0 + - name: ocps + nodes: + - crc + +- nodeset: + name: centos-9-crc-2-48-0-3xl + nodes: + - name: controller + label: centos-9-stream-crc-2-48-0-3xl + +- nodeset: + name: centos-9-medium-2x-centos-9-crc-extracted-2-48-0-xxl + nodes: + - name: controller + label: cloud-centos-9-stream-tripleo-medium + # Note(Chandan Kumar): Switch to xxl nodeset once RHOSZUUL-1940 resolves + - name: compute-0 + label: cloud-centos-9-stream-tripleo + - name: compute-1 + label: cloud-centos-9-stream-tripleo + - name: crc + label: crc-cloud-ocp-4-18-1-xxl + groups: + - name: computes + nodes: + - compute-0 + - compute-1 + - name: ocps + nodes: + - crc + +- nodeset: + name: centos-9-2x-centos-9-xxl-crc-extracted-2-48-0-xxl + nodes: + - 
name: controller + label: cloud-centos-9-stream-tripleo + - name: compute-0 + label: cloud-centos-9-stream-tripleo-xxl + - name: compute-1 + label: cloud-centos-9-stream-tripleo-xxl + - name: crc + label: crc-cloud-ocp-4-18-1-xxl + groups: + - name: computes + nodes: + - compute-0 + - compute-1 + - name: ocps + nodes: + - crc + +- nodeset: + name: centos-9-medium-3x-centos-9-crc-extracted-2-48-0-xxl + nodes: + - name: controller + label: cloud-centos-9-stream-tripleo-medium + - name: compute-0 + label: cloud-centos-9-stream-tripleo + - name: compute-1 + label: cloud-centos-9-stream-tripleo + - name: compute-2 + label: cloud-centos-9-stream-tripleo + - name: crc + label: crc-cloud-ocp-4-18-1-xxl + groups: + - name: computes + nodes: + - compute-0 + - compute-1 + - compute-2 + - name: ocps + nodes: + - crc + +- nodeset: + name: centos-9-medium-3x-centos-9-crc-extracted-2-48-0-3xl + nodes: + - name: controller + label: cloud-centos-9-stream-tripleo-medium + - name: compute-0 + label: cloud-centos-9-stream-tripleo + - name: compute-1 + label: cloud-centos-9-stream-tripleo + - name: compute-2 + label: cloud-centos-9-stream-tripleo + - name: crc + label: crc-cloud-ocp-4-18-1-3xl + groups: + - name: computes + nodes: + - compute-0 + - compute-1 + - compute-2 + - name: ocps + nodes: + - crc + + +# todo: Remove. Temporal. 
Needed as the credentials used in ci-bootstrap jobs for IBM don't work +- nodeset: + name: centos-9-medium-centos-9-crc-extracted-2-48-0-3xl-vexxhost + nodes: + - name: controller + label: cloud-centos-9-stream-tripleo-vexxhost-medium + - name: compute-0 + label: cloud-centos-9-stream-tripleo-vexxhost + - name: crc + label: crc-cloud-ocp-4-18-1-3xl + groups: + - name: computes + nodes: + - compute-0 + - name: ocps + nodes: + - crc + +- nodeset: + name: centos-9-crc-2-48-0-6xlarge + nodes: + - name: controller + label: centos-9-stream-crc-2-48-0-6xlarge + +- nodeset: + name: centos-9-crc-2-48-0-xl + nodes: + - name: controller + label: centos-9-stream-crc-2-48-0-xl + +### Molecule jobs - force use IBM hosts ### +- nodeset: + name: centos-9-crc-2-48-0-xl-ibm + nodes: + - name: controller + label: centos-9-stream-crc-2-48-0-xl-ibm + +- nodeset: + name: centos-9-crc-2-48-0-xxl-ibm + nodes: + - name: controller + label: centos-9-stream-crc-2-48-0-xxl-ibm + +- nodeset: + name: centos-9-crc-2-48-0-3xl-ibm + nodes: + - name: controller + label: centos-9-stream-crc-2-48-0-3xl-ibm + +- nodeset: + name: centos-9-crc-2-39-0-6xlarge-ibm + nodes: + - name: controller + label: centos-9-stream-crc-2-39-0-6xlarge-ibm diff --git a/zuul.d/projects.yaml b/zuul.d/projects.yaml index bde81441fd..0c0e3a90ef 100644 --- a/zuul.d/projects.yaml +++ b/zuul.d/projects.yaml @@ -50,6 +50,7 @@ - cifmw-molecule-edpm_kustomize - cifmw-molecule-edpm_prepare - cifmw-molecule-env_op_images + - cifmw-molecule-federation - cifmw-molecule-hci_prepare - cifmw-molecule-hive - cifmw-molecule-idrac_configuration @@ -76,6 +77,7 @@ - cifmw-molecule-pkg_build - cifmw-molecule-podman - cifmw-molecule-polarion + - cifmw-molecule-recognize_ssh_keypair - cifmw-molecule-registry_deploy - cifmw-molecule-repo_setup - cifmw-molecule-reportportal diff --git a/zuul.d/whitebox_neutron_tempest_jobs.yaml b/zuul.d/whitebox_neutron_tempest_jobs.yaml index a5feeb9b3f..c800e6fad2 100644 
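Review bot: The last nodeset added in this hunk, `centos-9-crc-2-39-0-6xlarge-ibm` with label `centos-9-stream-crc-2-39-0-6xlarge-ibm`, is a CRC 2.39 entry placed under the "CRC-2.48 (OCP4.18) nodesets" heading and the "Molecule jobs - force use IBM hosts" sub-heading, where every other entry is `2-48-0`. If it is a copy-paste slip, the name and label should read `2-48-0`. If 2.39 is intended, it belongs with the 2.39 nodesets above the hunk or needs a comment saying why it sits here. The `# todo: Remove. Temporal.` comment on the `-vexxhost` nodeset also names no ticket, unlike the `RHOSZUUL-1940` note earlier in the same hunk, so there is nothing to track its removal against.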
--- a/zuul.d/whitebox_neutron_tempest_jobs.yaml +++ b/zuul.d/whitebox_neutron_tempest_jobs.yaml @@ -139,6 +139,8 @@ ^neutron_.*plugin..*scenario.test_.*macvtap # NOTE(mblue): If test skipped - please add related ticket to remove skip when issue resolved excludeList: | + # remove when this job use openstackclient version bigger than in antelope branch (no more releases) + ^whitebox_neutron_tempest_plugin.tests.scenario.test_ports.PortListLongOptSGsCmd # remove when bug OSPRH-9569 resolved ^whitebox_neutron_tempest_plugin.tests.scenario.test_metadata_rate_limiting # remove traffic logging tests when OSPRH-9203 resolved
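Review bot: The new `excludeList` entry for `test_ports.PortListLongOptSGsCmd` cites no ticket, although the `NOTE(mblue)` directly above the list asks for one and the neighbouring skips cite `OSPRH-9569` and `OSPRH-9203`. The comment's own "(no more releases)" suggests the stated removal condition may never be met on this branch, so without a tracker the skip is effectively permanent. Suggested wording, with the ticket id as a placeholder: `# remove when <TICKET-ID> resolved: needs an openstackclient newer than the antelope branch provides`. The `excludeList` block starts above the hunk and appears to continue past it.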