Support app credentials in tests

.ci/testruns/default/templates/testrun.yaml

@@ -66,7 +66,7 @@ spec:
           key: floatingPoolName
     - name: REGION
       type: env
-      value: eu-nl-1
+      value: eu-de-1
 
   testflow:
     - name: infrastructure-test
@@ -81,4 +81,4 @@ spec:
             value: g_c2_m4
           - name: IMAGE_REF
             type: env
-            value: 68e60d5b-2f6c-43d0-a8b2-d820fe84e3aa # id of gardenlinux-1312.3
+            value: gardenlinux-1312.3

Makefile

@@ -32,9 +32,30 @@ REGION             := .kube-secrets/openstack/region.secret
 AUTH_URL           := .kube-secrets/openstack/auth_url.secret
 DOMAIN_NAME        := .kube-secrets/openstack/domain_name.secret
 FLOATING_POOL_NAME := .kube-secrets/openstack/floating_pool_name.secret
-PASSWORD           := .kube-secrets/openstack/password.secret
 TENANT_NAME        := .kube-secrets/openstack/tenant_name.secret
+# for bastion test
+IMAGE_REF          := gardenlinux-318.9
+FLAVOR_REF         := g_c2_m4
+# either authenticate with username/password credentials
 USER_NAME          := .kube-secrets/openstack/user_name.secret
+PASSWORD           := .kube-secrets/openstack/password.secret
+# or application credentials
+APP_ID             := .kube-secrets/openstack/app_id.secret
+APP_NAME           := .kube-secrets/openstack/app_name.secret
+APP_SECRET         := .kube-secrets/openstack/app_secret.secret
+
+INFRA_TEST_FLAGS   := --v -ginkgo.v -ginkgo.progress \
+                      --kubeconfig=${KUBECONFIG} \
+                      --auth-url='$(shell cat $(AUTH_URL))' \
+                      --domain-name='$(shell cat $(DOMAIN_NAME))' \
+                      --floating-pool-name='$(shell cat $(FLOATING_POOL_NAME))' \
+                      --password='$(shell cat $(PASSWORD))' \
+                      --tenant-name='$(shell cat $(TENANT_NAME))' \
+                      --user-name='$(shell cat $(USER_NAME))' \
+                      --region='$(shell cat $(REGION))' \
+                      --app-id='$(shell cat $(APP_ID))' \
+                      --app-name='$(shell cat $(APP_NAME))' \
+                      --app-secret='$(shell cat $(APP_SECRET))'
 
 ifneq ($(strip $(shell git status --porcelain 2>/dev/null)),)
 	EFFECTIVE_VERSION := $(EFFECTIVE_VERSION)-dirty
@@ -163,26 +184,10 @@ verify-extended: check-generate check format test-cov test-clean
 
 .PHONY: integration-test-infra
 integration-test-infra:
-	@go test -timeout=0 ./test/integration/infrastructure \
-		--v -ginkgo.v -ginkgo.progress \
-		--kubeconfig=${KUBECONFIG} \
-		--auth-url='$(shell cat $(AUTH_URL))' \
-		--domain-name='$(shell cat $(DOMAIN_NAME))' \
-		--floating-pool-name='$(shell cat $(FLOATING_POOL_NAME))' \
-		--password='$(shell cat $(PASSWORD))' \
-		--tenant-name='$(shell cat $(TENANT_NAME))' \
-		--user-name='$(shell cat $(USER_NAME))' \
-		--region='$(shell cat $(REGION))'
+	@go test -timeout=0 ./test/integration/infrastructure $(INFRA_TEST_FLAGS)
 
 .PHONY: integration-test-bastion
 integration-test-bastion:
-	@go test -timeout=0 ./test/integration/bastion \
-		--v -ginkgo.v -ginkgo.progress \
-		--kubeconfig=${KUBECONFIG} \
-		--auth-url='$(shell cat $(AUTH_URL))' \
-		--domain-name='$(shell cat $(DOMAIN_NAME))' \
-		--floating-pool-name='$(shell cat $(FLOATING_POOL_NAME))' \
-		--password='$(shell cat $(PASSWORD))' \
-		--tenant-name='$(shell cat $(TENANT_NAME))' \
-		--user-name='$(shell cat $(USER_NAME))' \
-		--region='$(shell cat $(REGION))'
+	@go test -timeout=0 ./test/integration/bastion $(INFRA_TEST_FLAGS) \
+		--flavor-ref='$(FLAVOR_REF)' \
+		--image-ref='$(IMAGE_REF)'

hack/api-reference/config.md

@@ -125,7 +125,7 @@ string
 </em>
 </td>
 <td>
-<p>ImageRef is the openstack image reference</p>
+<p>ImageRef is the openstack image reference (name or id)</p>
 </td>
 </tr>
 <tr>

pkg/apis/config/types.go

@@ -52,7 +52,7 @@ type ETCDBackup struct {
 
 // BastionConfig is the config for the Bastion
 type BastionConfig struct {
-	// ImageRef is the openstack image reference
+	// ImageRef is the openstack image reference (name or id)
 	ImageRef string
 	// FlavorRef is the openstack flavorRef reference
 	FlavorRef string

pkg/apis/config/v1alpha1/types.go

@@ -59,7 +59,7 @@ type ETCDBackup struct {
 
 // BastionConfig is the config for the Bastion
 type BastionConfig struct {
-	// ImageRef is the openstack image reference
+	// ImageRef is the openstack image reference (name or id)
 	ImageRef string `json:"imageRef,omitempty"`
 	// FlavorRef is the openstack flavorRef reference
 	FlavorRef string `json:"flavorRef,omitempty"`

pkg/controller/bastion/actuator_reconcile.go

@@ -18,6 +18,7 @@ import (
 	"github.com/gophercloud/gophercloud"
 	computefip "github.com/gophercloud/gophercloud/openstack/compute/v2/extensions/floatingips"
 	"github.com/gophercloud/gophercloud/openstack/compute/v2/servers"
+	"github.com/gophercloud/gophercloud/openstack/imageservice/v2/images"
 	"github.com/gophercloud/gophercloud/openstack/networking/v2/extensions/layer3/floatingips"
 	"github.com/gophercloud/gophercloud/openstack/networking/v2/extensions/security/groups"
 	"github.com/gophercloud/gophercloud/openstack/networking/v2/extensions/security/rules"
@@ -72,6 +73,11 @@ func (a *actuator) Reconcile(ctx context.Context, log logr.Logger, bastion *exte
 		return util.DetermineError(err, helper.KnownCodes)
 	}
 
+	imageClient, err := openstackClientFactory.Images()
+	if err != nil {
+		return util.DetermineError(err, helper.KnownCodes)
+	}
+
 	networkingClient, err := openstackClientFactory.Networking()
 	if err != nil {
 		return util.DetermineError(err, helper.KnownCodes)
@@ -97,7 +103,7 @@ func (a *actuator) Reconcile(ctx context.Context, log logr.Logger, bastion *exte
 		return util.DetermineError(err, helper.KnownCodes)
 	}
 
-	instance, err := ensureComputeInstance(log, computeClient, a.bastionConfig, infraStatus, opt)
+	instance, err := ensureComputeInstance(log, computeClient, imageClient, a.bastionConfig, infraStatus, opt)
 	if err != nil || instance == nil {
 		return util.DetermineError(err, helper.KnownCodes)
 	}
@@ -201,7 +207,7 @@ func ensurePublicIPAddress(opt *Options, log logr.Logger, client openstackclient
 	return fip, nil
 }
 
-func ensureComputeInstance(log logr.Logger, client openstackclient.Compute, bastionConfig *config.BastionConfig, infraStatus *openstackapi.InfrastructureStatus, opt *Options) (*servers.Server, error) {
+func ensureComputeInstance(log logr.Logger, client openstackclient.Compute, imageClient openstackclient.Images, bastionConfig *config.BastionConfig, infraStatus *openstackapi.InfrastructureStatus, opt *Options) (*servers.Server, error) {
 	instances, err := getBastionInstance(client, opt.BastionInstanceName)
 	if openstackclient.IgnoreNotFoundError(err) != nil {
 		return nil, err
@@ -226,23 +232,27 @@ func ensureComputeInstance(log logr.Logger, client openstackclient.Compute, bast
 		return nil, errors.New("flavorID not found")
 	}
 
-	image, err := client.FindImageByID(bastionConfig.ImageRef)
+	imageRes, err := imageClient.ListImages(images.ListOpts{
+		ID:         bastionConfig.ImageRef,
+		Visibility: "all",
+	})
 	if err != nil {
-		return nil, err
-	}
-	// image not found case
-	if image == nil {
-		images, err := client.FindImages(bastionConfig.ImageRef)
+		log.Info("image not found by id")
+	}
+	// we didn't find any image by ID. We will try to find by name.
+	if len(imageRes) == 0 {
+		imageRes, err = imageClient.ListImages(images.ListOpts{
+			Name:       bastionConfig.ImageRef,
+			Visibility: "all",
+		})
 		if err != nil {
 			return nil, err
 		}
-
-		if len(images) == 0 {
-			return nil, errors.New("imageID not found")
-		}
-
-		image = &images[0]
 	}
+	if len(imageRes) == 0 {
+		return nil, fmt.Errorf("imageRef: '%s' not found neither by id or name", bastionConfig.ImageRef)
+	}
+	image := &imageRes[0]
 
 	createOpts := servers.CreateOpts{
 		Name:           opt.BastionInstanceName,

pkg/openstack/client/client.go

@@ -209,6 +209,23 @@ func (oc *OpenstackClientFactory) SharedFilesystem(options ...Option) (SharedFil
 	}, nil
 }
 
+// Images creates a Images client
+func (oc *OpenstackClientFactory) Images(options ...Option) (Images, error) {
+	eo := gophercloud.EndpointOpts{}
+	for _, opt := range options {
+		eo = opt(eo)
+	}
+
+	client, err := openstack.NewImageServiceV2(oc.providerClient, eo)
+	if err != nil {
+		return nil, err
+	}
+
+	return &ImageClient{
+		client: client,
+	}, nil
+}
+
 // IsNotFoundError checks if an error returned by OpenStack is caused by HTTP 404 status code.
 func IsNotFoundError(err error) bool {
 	if err == nil {

pkg/openstack/client/images.go

@@ -0,0 +1,19 @@
+// SPDX-FileCopyrightText: 2024 SAP SE or an SAP affiliate company and Gardener contributors
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package client
+
+import (
+	"github.com/gophercloud/gophercloud/openstack/imageservice/v2/images"
+)
+
+// ListImages lists all images filtered by listOpts
+func (c *ImageClient) ListImages(listOpts images.ListOpts) ([]images.Image, error) {
+	pages, err := images.List(c.client, listOpts).AllPages()
+	if err != nil {
+		return nil, err
+	}
+
+	return images.ExtractImages(pages)
+}

pkg/openstack/client/networking.go

@@ -92,6 +92,12 @@ func (c *NetworkingClient) GetNetworkByName(name string) ([]networks.Network, er
 	return c.ListNetwork(listOpts)
 }
 
+// GetNetworkByID return a network info by id
+func (c *NetworkingClient) GetNetworkByID(id string) (*networks.Network, error) {
+	network, err := networks.Get(c.client, id).Extract()
+	return network, IgnoreNotFoundError(err)
+}
+
 // CreateNetwork creates a network
 func (c *NetworkingClient) CreateNetwork(opts networks.CreateOpts) (*networks.Network, error) {
 	return networks.Create(c.client, opts).Extract()
@@ -234,6 +240,12 @@ func (c *NetworkingClient) CreateSubnet(createOpts subnets.CreateOpts) (*subnets
 	return subnets.Create(c.client, createOpts).Extract()
 }
 
+// GetSubnetByID return a subnet info by id
+func (c *NetworkingClient) GetSubnetByID(id string) (*subnets.Subnet, error) {
+	subnet, err := subnets.Get(c.client, id).Extract()
+	return subnet, IgnoreNotFoundError(err)
+}
+
 // ListSubnets returns a list of subnets
 func (c *NetworkingClient) ListSubnets(listOpts subnets.ListOpts) ([]subnets.Subnet, error) {
 	page, err := subnets.List(c.client, listOpts).AllPages()