openstack-k8s-operators · frenzyfriday · Mar 31, 2025 · Mar 5, 2025 · Feb 10, 2025 · Feb 27, 2025
@@ -0,0 +1,12 @@
+---
+name: Periodically sync branches
+on:
+  schedule:
+    - cron: '0 21 * * 1'
+
+jobs:
+  trigger_sync:
+    uses: openstack-k8s-operators/ci-framework/.github/workflows/sync_branches_reusable_workflow.yml@main
+    with:
+      main-branch: main
+      follower-branch: ananya-do-not-use-tmp
@@ -0,0 +1,39 @@
+---
+name: Sync a follower branch with Main
+on:
+  workflow_call:
+    inputs:
+      main-branch:
+        required: true
+        type: string
+      follower-branch:
+        required: true
+        type: string
+
+jobs:
+  sync:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
+    steps:
+      - name: Checkout main branch
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+          ref:
+            ${{ inputs.main-branch }}
+
+      - name: Checkout, rebase and push to follower branch
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+          ref:
+            ${{ inputs.follower-branch }}
+      - run: |
+          # Details about the GH action bot comes from
+          # https://api.github.com/users/github-actions%5Bbot%5D
+          git config user.name "github-actions[bot]"
+          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
+          git rebase origin/${{ inputs.main-branch }}
+          git push origin ${{ inputs.follower-branch }}
@@ -8,20 +8,20 @@
     timeout: 3600
 - job:
     name: cifmw-molecule-openshift_login
-    nodeset: centos-9-crc-2-39-0-xl
+    nodeset: centos-9-crc-2-48-0-xl-ibm
 - job:
     name: cifmw-molecule-openshift_provisioner_node
-    nodeset: centos-9-crc-2-39-0-xl
+    nodeset: centos-9-crc-2-48-0-xl-ibm
 - job:
     name: cifmw-molecule-openshift_setup
-    nodeset: centos-9-crc-2-39-0-xl
+    nodeset: centos-9-crc-2-48-0-xl-ibm
 - job:
     name: cifmw-molecule-rhol_crc
-    nodeset: centos-9-crc-2-39-0-xxl
+    nodeset: centos-9-crc-2-48-0-xxl-ibm
     timeout: 5400
 - job:
     name: cifmw-molecule-operator_deploy
-    nodeset: centos-9-crc-2-39-0-xl
+    nodeset: centos-9-crc-2-48-0-xl
 - job:
     name: cifmw-molecule-set_openstack_containers
     parent: cifmw-molecule-base-crc
@@ -45,13 +45,13 @@
 - job:
     name: cifmw-molecule-install_openstack_ca
     parent: cifmw-molecule-base-crc
-    nodeset: centos-9-crc-2-39-0-3xl
+    nodeset: centos-9-crc-2-48-0-3xl-ibm
     timeout: 5400
     extra-vars:
       crc_parameters: "--memory 29000 --disk-size 100 --cpus 8"
 - job:
     name: cifmw-molecule-reproducer
-    nodeset: centos-9-crc-2-39-0-xxl
+    nodeset: centos-9-crc-2-48-0-xxl-ibm
     timeout: 5400
     files:
       - ^roles/dnsmasq/(defaults|files|handlers|library|lookup_plugins|module_utils|tasks|templates|vars).*
@@ -62,10 +62,10 @@
       - ^roles/rhol_crc/(defaults|files|handlers|library|lookup_plugins|module_utils|tasks|templates|vars).*
 - job:
     name: cifmw-molecule-cert_manager
-    nodeset: centos-9-crc-2-39-0-xxl
+    nodeset: centos-9-crc-2-48-0-xxl-ibm
 - job:
     name: cifmw-molecule-env_op_images
-    nodeset: centos-9-crc-2-39-0-xl
+    nodeset: centos-9-crc-2-48-0-xl-ibm
 - job:
     name: cifmw_molecule-pkg_build
     files:
@@ -82,19 +82,19 @@
       - ^roles/repo_setup/(defaults|files|handlers|library|lookup_plugins|module_utils|tasks|templates|vars).*
 - job:
     name: cifmw-molecule-manage_secrets
-    nodeset: centos-9-crc-2-39-0-xl
+    nodeset: centos-9-crc-2-48-0-xl-ibm
 - job:
     name: cifmw-molecule-ci_local_storage
-    nodeset: centos-9-crc-2-39-0-xl
+    nodeset: centos-9-crc-2-48-0-xl-ibm
 - job:
     name: cifmw-molecule-networking_mapper
     nodeset: 4x-centos-9-medium
 - job:
     name: cifmw-molecule-openshift_obs
-    nodeset: centos-9-crc-2-39-0-xxl
+    nodeset: centos-9-crc-2-48-0-xxl-ibm
 - job:
     name: cifmw-molecule-sushy_emulator
-    nodeset: centos-9-crc-2-39-0-xl
+    nodeset: centos-9-crc-2-48-0-xl-ibm
 - job:
     name: cifmw-molecule-shiftstack
-    nodeset: centos-9-crc-2-39-0-xl
+    nodeset: centos-9-crc-2-48-0-xl-ibm
@@ -15,10 +15,14 @@
         path: "{{ ansible_user_dir }}/ci-framework-data/artifacts/edpm-ansible.yml"
       register: edpm_file
 
+    - name: Check if new ssh keypair exists
+      ansible.builtin.include_role:
+        name: recognize_ssh_keypair
+
     - name: Add crc node in local inventory
       ansible.builtin.add_host:
         name: crc
-        ansible_ssh_private_key_file: "{{ ansible_user_dir }}/.crc/machines/crc/id_ecdsa"
+        ansible_ssh_private_key_file: "{{ ansible_user_dir }}/.crc/machines/crc/{{ crc_ssh_keypair }}"
         ansible_ssh_user: core
         ansible_host: api.crc.testing
 

@@ -219,6 +219,7 @@ https
 ic
 icjbuue
 icokicagy
+IdP
 idrac
 iface
 igfsbg
@@ -254,6 +255,7 @@ jzxbol
 kcgpby
 keepalived
 kerberos
+keycloak
 keypair
 keyring
 keytab
@@ -527,6 +529,7 @@ tdciagigtlesa
 tempestconf
 testcases
 testenv
+testproject
 timestamper
 timesync
 tldca
@@ -598,6 +601,7 @@ workstream
 xargs
 xdg
 xoc
+xpath
 xpzw
 xvzy
 xz

@@ -0,0 +1,103 @@
+---
+- name: Create kustomization to update Keystone to use Federation
+  hosts: "{{ cifmw_target_hook_host | default('localhost') }}"
+  tasks:
+    - name: Create file to customize keystone for Federation resources deployed in the control plane
+      ansible.builtin.copy:
+        dest: "{{ cifmw_basedir }}/artifacts/manifests/kustomizations/controlplane/keystone_federation.yaml"
+        content: |-
+          apiVersion: kustomize.config.k8s.io/v1beta1
+          kind: Kustomization
+          resources:
+          - namespace: {{ namespace }}
+          patches:
+          - target:
+              kind: OpenStackControlPlane
+              name: .*
+            patch: |-
+              - op: add
+                path: /spec/tls
+                value: {}
+              - op: add
+                path: /spec/tls/caBundleSecretName
+                value: keycloakca
+              - op: add
+                path: /spec/keystone/template/httpdCustomization
+                value:
+                  customConfigSecret: keystone-httpd-override
+              - op: add
+                path: /spec/keystone/template/customServiceConfig
+                value: |
+                  [DEFAULT]
+                  insecure_debug=true
+                  debug=true
+                  [federation]
+                  trusted_dashboard={{ '{{ .KeystoneEndpointPublic }}' }}/dashboard/auth/websso/
+                  [openid]
+                  remote_id_attribute=HTTP_OIDC_ISS
+                  [auth]
+                  methods = password,token,oauth1,mapped,application_credential,openid
+
+    - name: Get ingress operator CA cert
+      ansible.builtin.slurp:
+        src: "{{ [ ansible_user_dir, 'ci-framework-data', 'tmp', 'ingress-operator-ca.crt'] | path_join }}"
+      register: federation_sso_ca
+
+    - name: Add Keycloak CA secret
+      kubernetes.core.k8s:
+        kubeconfig: "{{ cifmw_openshift_kubeconfig }}"
+        state: present
+        definition:
+          apiVersion: v1
+          kind: Secret
+          type: Opaque
+          metadata:
+            name: keycloakca
+            namespace: "openstack"
+          data:
+            KeyCloakCA: "{{ federation_sso_ca.content }}"
+
+    - name: Create Keystone httpd override secret for Federation
+      kubernetes.core.k8s:
+        kubeconfig: "{{ cifmw_openshift_kubeconfig }}"
+        state: present
+        definition:
+          apiVersion: v1
+          kind: Secret
+          metadata:
+            name: keystone-httpd-override
+            namespace: openstack
+          type: Opaque
+          stringData:
+            federation.conf: |
+              OIDCClaimPrefix "{{ cifmw_keystone_OIDC_ClaimPrefix }}"
+              OIDCResponseType "{{ cifmw_keystone_OIDC_ResponseType }}"
+              OIDCScope "{{ cifmw_keystone_OIDC_Scope }}"
+              OIDCClaimDelimiter "{{ cifmw_keystone_OIDC_ClaimDelimiter }}"
+              OIDCPassUserInfoAs "{{ cifmw_keystone_OIDC_PassUserInfoAs }}"
+              OIDCPassClaimsAs "{{ cifmw_keystone_OIDC_PassClaimsAs }}"
+              OIDCCacheType "{{ cifmw_keystone_OIDC_CacheType }}"
+              OIDCMemCacheServers "{{ '{{ .MemcachedServers }}' }}"
+              OIDCProviderMetadataURL "{{ cifmw_keystone_OIDC_ProviderMetadataURL }}"
+              OIDCClientID "{{ cifmw_keystone_OIDC_ClientID }}"
+              OIDCClientSecret "{{ cifmw_keystone_OIDC_ClientSecret }}"
+              OIDCCryptoPassphrase "{{ cifmw_keystone_OIDC_CryptoPassphrase }}"
+              OIDCOAuthClientID "{{ cifmw_keystone_OIDC_OAuthClientID }}"
+              OIDCOAuthClientSecret "{{ cifmw_keystone_OIDC_OAuthClientSecret }}"
+              OIDCOAuthIntrospectionEndpoint "{{ cifmw_keystone_OIDC_OAuthIntrospectionEndpoint }}"
+              OIDCRedirectURI "{{ '{{ .KeystoneEndpointPublic }}' }}/v3/auth/OS-FEDERATION/identity_providers/{{ cifmw_keystone_OIDC_provider_name }}/protocols/openid/websso"
+
+              <LocationMatch "/v3/auth/OS-FEDERATION/identity_providers/{{ cifmw_keystone_OIDC_provider_name }}/protocols/openid/websso">
+                AuthType "openid-connect"
+                Require valid-user
+              </LocationMatch>
+
+              <Location ~ "/v3/OS-FEDERATION/identity_providers/{{ cifmw_keystone_OIDC_provider_name }}/protocols/openid/auth">
+                AuthType oauth20
+                Require valid-user
+              </Location>
+
+              <LocationMatch "/v3/auth/OS-FEDERATION/websso/openid">
+                AuthType "openid-connect"
+                Require valid-user
+              </LocationMatch>
@@ -0,0 +1,41 @@
+---
+# Copyright Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+- name: Run federation setup on openstack post reproducer deploy
+  hosts: "{{ cifmw_target_host | default('localhost') }}"
+  gather_facts: true
+  tasks:
+    - name: Set urls for install type uni
+      ansible.builtin.set_fact:
+        cifmw_federation_keycloak_url: 'https://keycloak-openstack.apps.ocp.openstack.lab'
+        cifmw_federation_keystone_url: 'https://keystone-public-openstack.apps.ocp.openstack.lab'
+      when: cifmw_federation_deploy_type == "uni"
+
+    - name: Set urls for install type crc
+      ansible.builtin.set_fact:
+        cifmw_federation_keycloak_url: 'https://keycloak-openstack.apps-crc.testing'
+        cifmw_federation_keystone_url: 'https://keystone-public-openstack.apps-crc.testing'
+      when: cifmw_federation_deploy_type == "crc"
+
+    - name: Run federation setup on OSP
+      ansible.builtin.import_role:
+        name: federation
+        tasks_from: run_openstack_setup.yml
+
+    - name: Run federation OSP User Auth test
+      ansible.builtin.import_role:
+        name: federation
+        tasks_from: run_openstack_auth_test.yml
@@ -0,0 +1,41 @@
+---
+# Copyright Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+- name: Run federation SSO setup on reproducer
+  hosts: "{{ cifmw_target_host | default('localhost') }}"
+  gather_facts: true
+  tasks:
+    - name: Set urls for install type uni
+      ansible.builtin.set_fact:
+        cifmw_federation_keycloak_url: 'https://keycloak-openstack.apps.ocp.openstack.lab'
+        cifmw_federation_keystone_url: 'https://keystone-public-openstack.apps.ocp.openstack.lab'
+      when: cifmw_federation_deploy_type == "uni"
+
+    - name: Set urls for install type crc
+      ansible.builtin.set_fact:
+        cifmw_federation_keycloak_url: 'https://keycloak-openstack.apps-crc.testing'
+        cifmw_federation_keystone_url: 'https://keystone-public-openstack.apps-crc.testing'
+      when: cifmw_federation_deploy_type == "crc"
+
+    - name: Run SSO pod setup on Openshift
+      ansible.builtin.import_role:
+        name: federation
+        tasks_from: run_keycloak_setup.yml
+
+    - name: Run SSO realm setup for OSP
+      ansible.builtin.import_role:
+        name: federation
+        tasks_from: run_keycloak_realm_setup.yml