From ba3ad82a8196d922615eae366dcfb46be85d3962 Mon Sep 17 00:00:00 2001
From: Chris Sibbitt
Date: Fri, 22 Sep 2023 11:49:05 -0400
Subject: [PATCH 1/7] Initial changes for QDR basicAuth

---
 .../infra.watch_servicetelemetrys_crd.yaml | 6 +++
 ...fra.watch_v1beta1_servicetelemetry_cr.yaml | 1 +
 .../infra.watch_servicetelemetrys_crd.yaml | 7 +++
 roles/servicetelemetry/defaults/main.yml | 1 +
 .../servicetelemetry/tasks/component_qdr.yml | 31 +++++++++++++
 roles/servicetelemetry/tasks/pre.yml | 44 +++++++++++++++++++
 6 files changed, 90 insertions(+)

diff --git a/deploy/crds/infra.watch_servicetelemetrys_crd.yaml b/deploy/crds/infra.watch_servicetelemetrys_crd.yaml
index 5821808aa..5f0579569 100644
--- a/deploy/crds/infra.watch_servicetelemetrys_crd.yaml
+++ b/deploy/crds/infra.watch_servicetelemetrys_crd.yaml
@@ -316,6 +316,12 @@ spec:
 enabled:
 description: Enable QDR data transort
 type: boolean
+ auth:
+ description: 'Auth type to use for incoming OSP connections. Options are "none", or "basic"'
+ type: string
+ enum:
+ - none
+ - basic
 web:
 description: QDR web configuration
 properties:
diff --git a/deploy/crds/infra.watch_v1beta1_servicetelemetry_cr.yaml b/deploy/crds/infra.watch_v1beta1_servicetelemetry_cr.yaml
index 683019f2d..cee8e2c8a 100644
--- a/deploy/crds/infra.watch_v1beta1_servicetelemetry_cr.yaml
+++ b/deploy/crds/infra.watch_v1beta1_servicetelemetry_cr.yaml
@@ -110,6 +110,7 @@ spec:
 transports:
 qdr:
 enabled: true
+ auth: basic
 web:
 enabled: false
 certificates:
diff --git a/deploy/olm-catalog/service-telemetry-operator/manifests/infra.watch_servicetelemetrys_crd.yaml b/deploy/olm-catalog/service-telemetry-operator/manifests/infra.watch_servicetelemetrys_crd.yaml
index 1841298e1..47f92a54c 100644
--- a/deploy/olm-catalog/service-telemetry-operator/manifests/infra.watch_servicetelemetrys_crd.yaml
+++ b/deploy/olm-catalog/service-telemetry-operator/manifests/infra.watch_servicetelemetrys_crd.yaml
@@ -543,6 +543,13 @@ spec:
 qdr:
 description: QDR configuration for data transport
 properties:
+ auth:
+ description: Auth type to use for incoming OSP connections.
+ Options are "none", or "basic"
+ enum:
+ - none
+ - basic
+ type: string
 certificates:
 properties:
 caCertDuration:
diff --git a/roles/servicetelemetry/defaults/main.yml b/roles/servicetelemetry/defaults/main.yml
index 4f4e1ac54..4e841270a 100644
--- a/roles/servicetelemetry/defaults/main.yml
+++ b/roles/servicetelemetry/defaults/main.yml
@@ -92,6 +92,7 @@ servicetelemetry_defaults:
 deployment_size: 1
 web:
 enabled: false
+ auth: basic
 certificates:
 endpoint_cert_duration: 70080h
 ca_cert_duration: 70080h
diff --git a/roles/servicetelemetry/tasks/component_qdr.yml b/roles/servicetelemetry/tasks/component_qdr.yml
index 84fcd1beb..0d0263f10 100644
--- a/roles/servicetelemetry/tasks/component_qdr.yml
+++ b/roles/servicetelemetry/tasks/component_qdr.yml
@@ -149,6 +149,32 @@
 sasldb_path: /tmp/qdrouterd.sasldb
 when: interconnect_manifest is not defined
+- when:
+ - servicetelemetry_vars.transports.qdr.auth == "basic"
+ block:
+ - name: Get QDR BasicAuth secret
+ k8s_info:
+ api_version: interconnectedcloud.github.io/v1alpha1
+ kind: Interconnect
+ name: "{{ ansible_operator_meta.name }}-interconnect"
+ namespace: "{{ ansible_operator_meta.namespace }}"
+ register: _qdr_basicauth_object
+ # Because https://github.com/interconnectedcloud/qdr-operator/blob/576d2b33dac71437ea2b165caaaf6413220767fe/pkg/controller/interconnect/interconnect_controller.go#L634
+ - name: Perform a one-time upgrade to the default generated password for QDR BasicAuth
+ k8s:
+ definition:
+ kind: Secret
+ apiVersion:
+ metadata:
+ name: "{{ ansible_operator_meta.name }}-interconnect-users"
+ namespace: "{{ ansible_operator_meta.namespace }}"
+ labels:
+ stf_one_time_upgrade: "{{ ansible_date_time.iso8601 }}"
+ stringData:
+ guest: "{{ lookup('password', '/dev/null') }}"
+ when:
+ - _qdr_basicauth_object[0] is defined and _qdr_basicauth_object[0].metadata.labels.stf_one_time_upgrade is not defined
 - name: Set default Interconnect manifest
 set_fact:
@@ -183,7 +209,12 @@
 - expose: true
 host: 0.0.0.0
 port: 5671
+ {% if servicetelemetry_vars.transports.qdr.auth == "basic" %}
+ saslMechanisms: PLAIN
+ authenticatePeer: true
+ {% elif servicetelemetry_vars.transports.qdr.auth == "none" %}
 saslMechanisms: ANONYMOUS
+ {% endif %}
 sslProfile: openstack
 - port: 5673
 linkCapacity: 25000
diff --git a/roles/servicetelemetry/tasks/pre.yml b/roles/servicetelemetry/tasks/pre.yml
index 0fd1bb59b..de49d069e 100644
--- a/roles/servicetelemetry/tasks/pre.yml
+++ b/roles/servicetelemetry/tasks/pre.yml
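Review bot: The `when` guard on the one-time upgrade task reads `metadata.labels.stf_one_time_upgrade` from the Interconnect returned by the preceding `k8s_info` task, but the label is written to the `{{ ansible_operator_meta.name }}-interconnect-users` Secret, so unless something copies labels between the two objects the condition stays true on every reconcile and `guest` is re-randomised each run, which breaks clients that already hold the password. Pointing the lookup at the object that carries the label makes the guard self-consistent: `api_version: v1`, `kind: Secret`, `name: "{{ ansible_operator_meta.name }}-interconnect-users"` in the `k8s_info` task; the later "Touchups from fresh environment test" hunk of this file keeps the same Interconnect lookup and is not repeated there. The `_qdr_basicauth_object[0]` indexing is reworked later in this series and is left to that hunk. The existing comment is a bare URL and does not say what the task is for; a line such as `# Replace the operator-generated default guest password with a random one, exactly once per deployment` would tell the next reader why a Secret owned by another operator is being rewritten.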
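Review bot: The Jinja branches on the 5671 listener cover only `"basic"` and `"none"`; for any other value of `servicetelemetry_vars.transports.qdr.auth` the listener is rendered with neither `saslMechanisms` nor `authenticatePeer`, so the router's own defaults silently decide whether OSP peers must authenticate. The CRD enum only guards values that arrive through the API, not the role default or a `set_fact` override, so an explicit check before the manifest is rendered would fail loudly instead: `- name: Validate QDR auth mode`, `assert:`, `that: servicetelemetry_vars.transports.qdr.auth in ['basic', 'none']`. The `set_fact` task holding this manifest starts outside the hunk.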
@@ -127,6 +127,50 @@
 - _community_prom_object.resources[0] is not defined
 - _stf_object.resources[0].spec.observabilityStrategy is not defined
+- name: Get QDR objects
+ k8s_info:
+ api_version: interconnectedcloud.github.io/v1alpha1
+ kind: Interconnect
+ name: "{{ ansible_operator_meta.name }}-interconnect"
+ namespace: "{{ ansible_operator_meta.namespace }}"
+ register: _qdr_object
+
+- block:
+ - name: Apply legacy auth=none for QDR if missing on the STF object and it's currently deployed that way
+ k8s:
+ definition:
+ apiVersion: infra.watch/v1beta1
+ kind: ServiceTelemetry
+ metadata:
+ name: "{{ ansible_operator_meta.name }}"
+ namespace: "{{ ansible_operator_meta.namespace }}"
+ spec:
+ transports:
+ qdr:
+ auth: none
+ - name: Set auth=none for remainder of this run
+ set_fact:
+ servicetelemetry_vars: "{{ servicetelemetry_vars|combine({'transports':{'qdr':{'auth': 'none'}}}, recursive=True) }}" # noqa 206
+ when:
+ - _stf_object.resources[0].spec.transports.qdr.auth is not defined
+ - _qdr_object.resources[0].spec.edgeListeners[0].saslMechanisms == "ANONYMOUS"
+
+- name: Apply default auth for QDR if missing on a new STF object with no associated auth=none QDR
+ k8s:
+ definition:
+ apiVersion: infra.watch/v1beta1
+ kind: ServiceTelemetry
+ metadata:
+ name: "{{ ansible_operator_meta.name }}"
+ namespace: "{{ ansible_operator_meta.namespace }}"
+ spec:
+ transports:
+ qdr:
+ auth: "{{ servicetelemetry_defaults.transports.qdr.auth }}"
+ when:
+ - _stf_object.resources[0].spec.transports.qdr.auth is not defined
+ - _qdr_object.resources[0].spec.edgeListeners[0].saslMechanisms != "ANONYMOUS"
+
 - name: Set ephemeral_storage_enabled to true when storage strategy is ephemeral
 set_fact:
 _ephemeral_storage_enabled: true
From 6b26a83ef9844b5d01d64f3719d439bdc6410987 Mon Sep 17 00:00:00 2001
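Review bot: Both `when` lists key the decision on `_qdr_object.resources[0].spec.edgeListeners[0].saslMechanisms`, which assumes the first edge listener is the OSP-facing 5671 one; with a user-supplied `interconnect_manifest` (the `component_qdr.yml` context in this series shows one is possible) index 0 may be a different listener, and a listener that omits `saslMechanisms` would presumably make the comparison raise rather than evaluate false. Selecting the listener by port, for example `_qdr_object.resources[0].spec.edgeListeners | selectattr('port', 'equalto', 5671) | map(attribute='saslMechanisms') | first`, ties the check to the listener the `auth` setting actually governs. The legacy task also writes `auth: none` back into the user's ServiceTelemetry object with no message, so an administrator upgrading has no trace in the operator log that anonymous access was preserved; a `debug` task in the same block, `msg: "Existing QDR uses ANONYMOUS auth; keeping transports.qdr.auth=none on {{ ansible_operator_meta.name }}"`, would record it. The `is defined` guards added later in the series are not repeated here.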
From: Chris Sibbitt
Date: Mon, 25 Sep 2023 17:28:22 -0400
Subject: [PATCH 2/7] Update roles/servicetelemetry/tasks/pre.yml

Co-authored-by: Leif Madsen
---
 roles/servicetelemetry/tasks/pre.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/roles/servicetelemetry/tasks/pre.yml b/roles/servicetelemetry/tasks/pre.yml
index de49d069e..06663e9da 100644
--- a/roles/servicetelemetry/tasks/pre.yml
+++ b/roles/servicetelemetry/tasks/pre.yml
@@ -148,6 +148,7 @@
 transports:
 qdr:
 auth: none
+
 - name: Set auth=none for remainder of this run
 set_fact:
 servicetelemetry_vars: "{{ servicetelemetry_vars|combine({'transports':{'qdr':{'auth': 'none'}}}, recursive=True) }}" # noqa 206
From 52c592e7d91ef5423c702855590fa817c0f4fe05 Mon Sep 17 00:00:00 2001
From: Chris Sibbitt
Date: Mon, 25 Sep 2023 17:29:24 -0400
Subject: [PATCH 3/7] correct API version on secret

---
 roles/servicetelemetry/tasks/component_qdr.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/roles/servicetelemetry/tasks/component_qdr.yml b/roles/servicetelemetry/tasks/component_qdr.yml
index 0d0263f10..1dcdd43a7 100644
--- a/roles/servicetelemetry/tasks/component_qdr.yml
+++ b/roles/servicetelemetry/tasks/component_qdr.yml
@@ -165,7 +165,7 @@
 k8s:
 definition:
 kind: Secret
- apiVersion:
+ apiVersion: v1
 metadata:
 name: "{{ ansible_operator_meta.name }}-interconnect-users"
 namespace: "{{ ansible_operator_meta.namespace }}"
From 5ba52d4538d4c0b92ddcefa01eacbdbf49340923 Mon Sep 17 00:00:00 2001
From: Chris Sibbitt
Date: Tue, 26 Sep 2023 11:15:15 -0400
Subject: [PATCH 4/7] Touchups from fresh environment test

---
 roles/servicetelemetry/tasks/component_qdr.yml | 2 +-
 roles/servicetelemetry/tasks/pre.yml | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/roles/servicetelemetry/tasks/component_qdr.yml b/roles/servicetelemetry/tasks/component_qdr.yml
index 1dcdd43a7..0710112e6 100644
--- a/roles/servicetelemetry/tasks/component_qdr.yml
+++ b/roles/servicetelemetry/tasks/component_qdr.yml
@@ -174,7 +174,7 @@
 stringData:
 guest: "{{ lookup('password', '/dev/null') }}"
 when:
- - _qdr_basicauth_object[0] is defined and _qdr_basicauth_object[0].metadata.labels.stf_one_time_upgrade is not defined
+ - _qdr_basicauth_object.resources[0] is defined and _qdr_basicauth_object[0].metadata.labels.stf_one_time_upgrade is not defined
 - name: Set default Interconnect manifest
 set_fact:
diff --git a/roles/servicetelemetry/tasks/pre.yml b/roles/servicetelemetry/tasks/pre.yml
index 06663e9da..38477b02b 100644
--- a/roles/servicetelemetry/tasks/pre.yml
+++ b/roles/servicetelemetry/tasks/pre.yml
@@ -154,7 +154,7 @@
 servicetelemetry_vars: "{{ servicetelemetry_vars|combine({'transports':{'qdr':{'auth': 'none'}}}, recursive=True) }}" # noqa 206
 when:
 - _stf_object.resources[0].spec.transports.qdr.auth is not defined
- - _qdr_object.resources[0].spec.edgeListeners[0].saslMechanisms == "ANONYMOUS"
+ - _qdr_object.resources[0] is defined and _qdr_object.resources[0].spec.edgeListeners[0].saslMechanisms == "ANONYMOUS"
 - name: Apply default auth for QDR if missing on a new STF object with no associated auth=none QDR
 k8s:
@@ -170,7 +170,7 @@
 auth: "{{ servicetelemetry_defaults.transports.qdr.auth }}"
 when:
 - _stf_object.resources[0].spec.transports.qdr.auth is not defined
- - _qdr_object.resources[0].spec.edgeListeners[0].saslMechanisms != "ANONYMOUS"
+ - _qdr_object.resources[0] is defined and _qdr_object.resources[0].spec.edgeListeners[0].saslMechanisms != "ANONYMOUS"
 - name: Set ephemeral_storage_enabled to true when storage strategy is ephemeral
 set_fact:
From 2be4905fb6a43838345fe6806fe8d39e1cff219f Mon Sep 17 00:00:00 2001
From: Chris Sibbitt
Date: Tue, 26 Sep 2023 12:01:34 -0400
Subject: [PATCH 5/7] swap ansible_date_time for a filter that doesnt required facts ...and adheres to the rules for label text
---
 roles/servicetelemetry/tasks/component_qdr.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

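Review bot: Only the first clause of the condition was moved to `.resources[0]`; the second still reads `_qdr_basicauth_object[0].metadata.labels.stf_one_time_upgrade`, and because the registered `k8s_info` result is a dict, `[0]` appears to resolve to an undefined value whose `is not defined` test is always true, so the guard reduces to "the Interconnect exists" and the `guest` password is regenerated on every reconcile. The line should read `- _qdr_basicauth_object.resources[0] is defined and _qdr_basicauth_object.resources[0].metadata.labels.stf_one_time_upgrade is not defined`. Even then the object being inspected is the Interconnect while the label is written to the `-interconnect-users` Secret, which is raised on the first patch of this series and not repeated here. The task's definition starts outside the hunk.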
diff --git a/roles/servicetelemetry/tasks/component_qdr.yml b/roles/servicetelemetry/tasks/component_qdr.yml
index 0710112e6..64489ff74 100644
--- a/roles/servicetelemetry/tasks/component_qdr.yml
+++ b/roles/servicetelemetry/tasks/component_qdr.yml
@@ -170,7 +170,7 @@
 name: "{{ ansible_operator_meta.name }}-interconnect-users"
 namespace: "{{ ansible_operator_meta.namespace }}"
 labels:
- stf_one_time_upgrade: "{{ ansible_date_time.iso8601 }}"
+ stf_one_time_upgrade: "{{ lookup('pipe', 'date +%s') }}"
 stringData:
 guest: "{{ lookup('password', '/dev/null') }}"
 when:
From 2913fb7938e3d22c48b46f3e2d73ed1c504c33fd Mon Sep 17 00:00:00 2001
From: Chris Sibbitt
Date: Tue, 26 Sep 2023 13:01:41 -0400
Subject: [PATCH 6/7] Update CSV

---
 .../service-telemetry-operator.clusterserviceversion.yaml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/deploy/olm-catalog/service-telemetry-operator/manifests/service-telemetry-operator.clusterserviceversion.yaml b/deploy/olm-catalog/service-telemetry-operator/manifests/service-telemetry-operator.clusterserviceversion.yaml
index 7722b2ba9..83e72ed2d 100644
--- a/deploy/olm-catalog/service-telemetry-operator/manifests/service-telemetry-operator.clusterserviceversion.yaml
+++ b/deploy/olm-catalog/service-telemetry-operator/manifests/service-telemetry-operator.clusterserviceversion.yaml
@@ -164,6 +164,7 @@ metadata:
 "observabilityStrategy": "use_redhat",
 "transports": {
 "qdr": {
+ "auth": "basic",
 "certificates": {
 "caCertDuration": "70080h",
 "endpointCertDuration": "70080h"
From d0cbf68a50965c1b2c0faba7f797adb5191ebb05 Mon Sep 17 00:00:00 2001
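Review bot: `lookup('pipe', 'date +%s')` spawns a shell on every reconcile just to obtain an epoch timestamp, and the commit message says a filter was the intent; the `strftime` filter returns the same value without a subprocess, `stf_one_time_upgrade: "{{ '%s' | strftime }}"`. Whichever form is kept, a comment such as `# Label values may only contain [A-Za-z0-9._-]; the ':' in ISO-8601 timestamps is rejected` would record why the iso8601 form was dropped, since nothing in the task says so. The Secret definition this label belongs to starts outside the hunk.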
From: Chris Sibbitt
Date: Wed, 27 Sep 2023 15:11:32 -0400
Subject: [PATCH 7/7] Adding QDR basic auth to smoke tests

---
 tests/smoketest/minimal-collectd.conf.template | 2 ++
 tests/smoketest/smoketest.sh | 14 +++++++++++++-
 tests/smoketest/smoketest_ceilometer_entrypoint.sh | 4 ++--
 tests/smoketest/smoketest_collectd_entrypoint.sh | 3 ++-
 tests/smoketest/smoketest_job.yaml.template | 9 +++++++--
 5 files changed, 26 insertions(+), 6 deletions(-)

diff --git a/tests/smoketest/minimal-collectd.conf.template b/tests/smoketest/minimal-collectd.conf.template
index e6cf09189..67fb7f2a5 100644
--- a/tests/smoketest/minimal-collectd.conf.template
+++ b/tests/smoketest/minimal-collectd.conf.template
@@ -13,6 +13,8 @@ LoadPlugin amqp1
 Host "default-interconnect"
 Port "5671"
+ User "guest@default-interconnect"
+ Password "<>"
 Address "collectd"
 Format JSON
diff --git a/tests/smoketest/smoketest.sh b/tests/smoketest/smoketest.sh
index 4204398f2..22eb0f3d2 100755
--- a/tests/smoketest/smoketest.sh
+++ b/tests/smoketest/smoketest.sh
@@ -50,6 +50,9 @@ ELASTICSEARCH_AUTH_PASS=$(oc get secret elasticsearch-es-elastic-user -ogo-templ
 echo "*** [INFO] Getting Prometheus authentication password"
 PROMETHEUS_AUTH_PASS=$(oc get secret default-prometheus-htpasswd -ogo-template='{{ .data.password | base64decode }}')
+echo "*** [INFO] Getting QDR authentication password"
+QDR_AUTH_PASS=$(oc get secret default-interconnect-users -ogo-template='{{ .data.guest | base64decode }}')
+
 echo "*** [INFO] Setting namepsace for collectd-sensubility config"
 sed "s/<>/${OCP_PROJECT}/g" "${REL}/collectd-sensubility.conf" > /tmp/collectd-sensubility.conf
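Review bot: `QDR_AUTH_PASS` is read unconditionally from `default-interconnect-users`, so the smoke test now assumes `transports.qdr.auth: basic`; against a deployment that kept the legacy `none` (which `pre.yml` in this series deliberately preserves) the Secret may not exist, `oc get` fails, the variable is empty, and the collectd and ceilometer clients then attempt PLAIN against an ANONYMOUS-only listener. Reading the mode first, `QDR_AUTH=$(oc get servicetelemetry default -ogo-template='{{ .spec.transports.qdr.auth }}')`, and fetching the password (and rendering the `User`/`Password` lines of the collectd template in the hunk above) only when it is `basic`, keeps the test usable for both modes. The object name `default` is inferred from the `default-interconnect-users` and `default-prometheus-htpasswd` names the script already uses.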
@@ -62,10 +65,19 @@ oc create configmap stf-smoketest-collectd-entrypoint-script --from-file "${REL}
 oc create configmap stf-smoketest-ceilometer-publisher --from-file "${REL}/ceilometer_publish.py"
 oc create configmap stf-smoketest-ceilometer-entrypoint-script --from-file "${REL}/smoketest_ceilometer_entrypoint.sh"
+echo "*** [INFO] Building smoketest containers..."
+oc delete buildconfig openstack-collectd
+oc delete is openstack-collectd:latest
+oc delete buildconfig openstack-ceilometer-notification
+oc delete is openstack-ceilometer-notification
+
+oc new-build -D $'FROM quay.io/tripleomaster/openstack-collectd:current-tripleo\nUSER 0\nRUN rpm -i http://mirror.centos.org/centos/8-stream/BaseOS/x86_64/os/Packages/cyrus-sasl-plain-2.1.27-5.el8.x86_64.rpm'
+oc new-build -D $'FROM quay.io/tripleomaster/openstack-ceilometer-notification:current-tripleo\nUSER 0\nRUN rpm -i http://mirror.centos.org/centos/8-stream/BaseOS/x86_64/os/Packages/cyrus-sasl-plain-2.1.27-5.el8.x86_64.rpm'
+
 echo "*** [INFO] Creating smoketest jobs..."
 oc delete job -l app=stf-smoketest
 for NAME in "${CLOUDNAMES[@]}"; do
- oc create -f <(sed -e "s/<>/${NAME}/;s/<>/${ELASTICSEARCH_AUTH_PASS}/;s/<>/${PROMETHEUS_AUTH_PASS}/" ${REL}/smoketest_job.yaml.template)
+ oc create -f <(sed -e "s/<>/${NAME}/;s/<>/${ELASTICSEARCH_AUTH_PASS}/;s/<>/${PROMETHEUS_AUTH_PASS}/;s/<>/${QDR_AUTH_PASS}/;s/<>/${OCP_PROJECT}/;" ${REL}/smoketest_job.yaml.template)
 done
 echo "*** [INFO] Triggering an alertmanager notification..."
diff --git a/tests/smoketest/smoketest_ceilometer_entrypoint.sh b/tests/smoketest/smoketest_ceilometer_entrypoint.sh
index 674a6e203..c122747c3 100644
--- a/tests/smoketest/smoketest_ceilometer_entrypoint.sh
+++ b/tests/smoketest/smoketest_ceilometer_entrypoint.sh
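Review bot: `${QDR_AUTH_PASS}` is spliced into a sed replacement, where `/`, `&` and `\` are metacharacters, so a password containing any of them corrupts the rendered Job (or splices the matched text into the value); the same pattern is used on the `sed -e` line of `smoketest_collectd_entrypoint.sh` in this patch. The value written by the role comes from Ansible's `password` lookup, whose default alphabet appears to avoid those characters, but the operator-generated default it replaces is not under this script's control, so escaping before substitution, `QDR_AUTH_PASS_ESC=$(printf '%s' "${QDR_AUTH_PASS}" | sed -e 's/[\/&\\]/\\&/g')`, removes the dependency. The four `oc delete` calls are inconsistent — `is openstack-collectd:latest` names an imagestream tag while the ceilometer line names the imagestream — and none pass `--ignore-not-found`, so a first run reports errors and, if the script runs under `set -e` (outside the hunk), aborts before the build. The RPM is fetched over plain `http://` inside `oc new-build` with no integrity check visible in the hunk; an `https://` URL plus a `sha256sum -c` before `rpm -i` would keep the test image build reproducible and tamper-evident.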
@@ -6,14 +6,14 @@ PROMETHEUS=${PROMETHEUS:-"https://default-prometheus-proxy:9092"}
 ELASTICSEARCH=${ELASTICSEARCH:-"https://elasticsearch-es-http:9200"}
 ELASTICSEARCH_AUTH_PASS=${ELASTICSEARCH_AUTH_PASS:-""}
 PROMETHEUS_AUTH_PASS=${PROMETHEUS_AUTH_PASS:-""}
+QDR_AUTH_PASS=${QDR_AUTH_PASS:-""}
 CLOUDNAME=${CLOUDNAME:-"smoke1"}
 POD=$(hostname)
-
 echo "*** [INFO] My pod is: ${POD}"
 # Run ceilometer_publisher script
-python3 /ceilometer_publish.py default-interconnect:5671 'driver=amqp&topic=cloud1-metering' 'driver=amqp&topic=cloud1-event'
+python3 /ceilometer_publish.py "guest%40default-interconnect:${QDR_AUTH_PASS}@default-interconnect:5671" 'driver=amqp&topic=cloud1-metering' 'driver=amqp&topic=cloud1-event'
 # Sleeping to produce data
 echo "*** [INFO] Sleeping for 20 seconds to produce all metrics and events"
diff --git a/tests/smoketest/smoketest_collectd_entrypoint.sh b/tests/smoketest/smoketest_collectd_entrypoint.sh
index a8ce1103f..7700cc020 100755
--- a/tests/smoketest/smoketest_collectd_entrypoint.sh
+++ b/tests/smoketest/smoketest_collectd_entrypoint.sh
@@ -6,11 +6,12 @@ PROMETHEUS=${PROMETHEUS:-"https://default-prometheus-proxy:9092"}
 ELASTICSEARCH=${ELASTICSEARCH:-"https://elasticsearch-es-http:9200"}
 ELASTICSEARCH_AUTH_PASS=${ELASTICSEARCH_AUTH_PASS:-""}
 PROMETHEUS_AUTH_PASS=${PROMETHEUS_AUTH_PASS:-""}
+QDR_AUTH_PASS=${QDR_AUTH_PASS:-""}
 CLOUDNAME=${CLOUDNAME:-"smoke1"}
 POD=$(hostname)
 # Render our config template
-sed -e "s/<>/${CLOUDNAME}/" /etc/minimal-collectd.conf.template > /tmp/collectd.conf
+sed -e "s/<>/${CLOUDNAME}/;s/<>/${QDR_AUTH_PASS}/" /etc/minimal-collectd.conf.template > /tmp/collectd.conf
 echo "*** [INFO] My pod is: ${POD}"
diff --git a/tests/smoketest/smoketest_job.yaml.template b/tests/smoketest/smoketest_job.yaml.template
index 4a9c20cc9..4c031e524 100644
--- a/tests/smoketest/smoketest_job.yaml.template
+++ b/tests/smoketest/smoketest_job.yaml.template
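Review bot: The password is embedded raw in the AMQP URL handed to `ceilometer_publish.py` while the username is percent-encoded (`guest%40default-interconnect`); a password containing `@`, `:`, `/`, `#` or `%` makes the URL parse differently and the connection fail. Encode it the same way before building the URL, `QDR_AUTH_PASS_ENC=$(python3 -c 'import sys, urllib.parse; print(urllib.parse.quote(sys.argv[1], safe=""))' "${QDR_AUTH_PASS}")`, and use `${QDR_AUTH_PASS_ENC}` in the URL. Passing the credential as a command-line argument also leaves it readable in `/proc/PID/cmdline` for anything else in the pod, which is tolerable for a short-lived test pod but deserves a one-line comment, `# credential is visible in the process list; acceptable only because this pod is a throwaway smoke test`, so the pattern is not copied into production tooling.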
@@ -14,7 +14,7 @@ spec:
 restartPolicy: Never
 containers:
 - name: smoketest-collectd
- image: quay.io/tripleomaster/openstack-collectd:current-tripleo
+ image: image-registry.openshift-image-registry.svc:5000/<>/openstack-collectd:latest
 command:
 - /smoketest_collectd_entrypoint.sh
 env:
@@ -24,6 +24,8 @@ spec:
 value: "<>"
 - name: PROMETHEUS_AUTH_PASS
 value: "<>"
+ - name: QDR_AUTH_PASS
+ value: "<>"
 - name: OBSERVABILITY_STRATEGY
 value: "<>"
 volumeMounts:
@@ -43,7 +45,7 @@ spec:
 allowPrivilegeEscalation: false
 - name: smoketest-ceilometer
- image: quay.io/tripleomaster/openstack-ceilometer-notification:current-tripleo
+ image: image-registry.openshift-image-registry.svc:5000/<>/openstack-ceilometer-notification:latest
 command:
 - /smoketest_ceilometer_entrypoint.sh
 env:
@@ -53,6 +55,8 @@ spec:
 value: "<>"
 - name: PROMETHEUS_AUTH_PASS
 value: "<>"
+ - name: QDR_AUTH_PASS
+ value: "<>"
 - name: OBSERVABILITY_STRATEGY
 value: "<>"
 volumeMounts:
@@ -84,3 +88,4 @@ spec:
 configMap:
 name: stf-smoketest-ceilometer-publisher
 defaultMode: 0555
+
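Review bot: The two `QDR_AUTH_PASS` entries (hunks `@@ -24,6 +24,8 @@` and `@@ -53,6 +55,8 @@`) put the password into the Job manifest as a literal `value`, rendered from the Secret by `sed` in `smoketest.sh`; the credential then sits in clear in the Job object, in `oc get job -o yaml` output and in any audit record of the create call, and it is also what forces the fragile sed substitution. A `secretKeyRef` to the Secret the script already reads (`default-interconnect-users`, key `guest`, assumed to be in the Job's namespace) keeps the password out of the manifest and removes the placeholder entirely; the same replacement applies to both containers. The trailing blank line added by the last hunk is harmless but would likely be flagged by yamllint's `empty-lines` rule. The indentation below is illustrative, since the template's original indentation is not visible in this rendering.
```yaml
          - name: QDR_AUTH_PASS
            valueFrom:
              secretKeyRef:
                name: default-interconnect-users
                key: guest
          # … unchanged: OBSERVABILITY_STRATEGY and the remaining env entries …
```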