Adding QDR basic auth to smoke tests #492

Closed
wants to merge 11 commits into from
6 changes: 6 additions & 0 deletions deploy/crds/infra.watch_servicetelemetrys_crd.yaml
Expand Up @@ -316,6 +316,12 @@ spec:
enabled:
description: Enable QDR data transort
type: boolean
auth:
description: 'Auth type to use for incoming OSP connections. Options are "none", or "basic"'
type: string
enum:
- none
- basic
web:
description: QDR web configuration
properties:
1 change: 1 addition & 0 deletions deploy/crds/infra.watch_v1beta1_servicetelemetry_cr.yaml
Expand Up @@ -110,6 +110,7 @@ spec:
transports:
qdr:
enabled: true
auth: basic
web:
enabled: false
certificates:
Expand Up @@ -543,6 +543,13 @@ spec:
qdr:
description: QDR configuration for data transport
properties:
auth:
description: Auth type to use for incoming OSP connections.
Options are "none", or "basic"
enum:
- none
- basic
type: string
certificates:
properties:
caCertDuration:
Expand Up @@ -164,6 +164,7 @@ metadata:
"observabilityStrategy": "use_redhat",
"transports": {
"qdr": {
"auth": "basic",
"certificates": {
"caCertDuration": "70080h",
"endpointCertDuration": "70080h"
1 change: 1 addition & 0 deletions roles/servicetelemetry/defaults/main.yml
Expand Up @@ -92,6 +92,7 @@ servicetelemetry_defaults:
deployment_size: 1
web:
enabled: false
auth: basic
certificates:
endpoint_cert_duration: 70080h
ca_cert_duration: 70080h
31 changes: 31 additions & 0 deletions roles/servicetelemetry/tasks/component_qdr.yml
Expand Up @@ -149,6 +149,32 @@
sasldb_path: /tmp/qdrouterd.sasldb
when: interconnect_manifest is not defined

- when:
- servicetelemetry_vars.transports.qdr.auth == "basic"
block:
- name: Get QDR BasicAuth secret
k8s_info:
api_version: interconnectedcloud.github.io/v1alpha1
kind: Interconnect
name: "{{ ansible_operator_meta.name }}-interconnect"
namespace: "{{ ansible_operator_meta.namespace }}"
register: _qdr_basicauth_object

# Because https://github.com/interconnectedcloud/qdr-operator/blob/576d2b33dac71437ea2b165caaaf6413220767fe/pkg/controller/interconnect/interconnect_controller.go#L634
- name: Perform a one-time upgrade to the default generated password for QDR BasicAuth
k8s:
definition:
kind: Secret
apiVersion: v1
metadata:
name: "{{ ansible_operator_meta.name }}-interconnect-users"
namespace: "{{ ansible_operator_meta.namespace }}"
labels:
stf_one_time_upgrade: "{{ lookup('pipe', 'date +%s') }}"
stringData:
guest: "{{ lookup('password', '/dev/null') }}"
when:
- _qdr_basicauth_object.resources[0] is defined and _qdr_basicauth_object[0].metadata.labels.stf_one_time_upgrade is not defined

- name: Set default Interconnect manifest
set_fact:
Expand Down Expand Up @@ -183,7 +209,12 @@
- expose: true
host: 0.0.0.0
port: 5671
{% if servicetelemetry_vars.transports.qdr.auth == "basic" %}
saslMechanisms: PLAIN
authenticatePeer: true
{% elif servicetelemetry_vars.transports.qdr.auth == "none" %}
saslMechanisms: ANONYMOUS
{% endif %}
sslProfile: openstack
- port: 5673
linkCapacity: 25000
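Review bot: The guard on the "Perform a one-time upgrade" task tests `_qdr_basicauth_object[0].metadata.labels.stf_one_time_upgrade`, which skips `.resources`, so that operand looks undefined on every run and the `is not defined` test stays true. The preceding `k8s_info` task is named for the secret but queries `kind: Interconnect`, while the `stf_one_time_upgrade` label is written to the `-interconnect-users` Secret, so the label would not be found even with the index corrected. As written, the task appears to overwrite the `guest` password with a fresh random value on each reconcile once the Interconnect exists, which would break clients that were already configured with the previous password. Looking up the Secret itself and testing its label would make the guard match what is actually labelled.

```yaml
- name: Get QDR BasicAuth secret
  k8s_info:
    api_version: v1
    kind: Secret
    name: "{{ ansible_operator_meta.name }}-interconnect-users"
    namespace: "{{ ansible_operator_meta.namespace }}"
  register: _qdr_basicauth_object

# … unchanged: "Perform a one-time upgrade ..." k8s task definition …
  when:
    - _qdr_basicauth_object.resources[0] is defined
    - _qdr_basicauth_object.resources[0].metadata.labels.stf_one_time_upgrade is not defined
```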
45 changes: 45 additions & 0 deletions roles/servicetelemetry/tasks/pre.yml
Expand Up @@ -127,6 +127,51 @@
- _community_prom_object.resources[0] is not defined
- _stf_object.resources[0].spec.observabilityStrategy is not defined

- name: Get QDR objects
k8s_info:
api_version: interconnectedcloud.github.io/v1alpha1
kind: Interconnect
name: "{{ ansible_operator_meta.name }}-interconnect"
namespace: "{{ ansible_operator_meta.namespace }}"
register: _qdr_object

- block:
- name: Apply legacy auth=none for QDR if missing on the STF object and it's currently deployed that way
k8s:
definition:
apiVersion: infra.watch/v1beta1
kind: ServiceTelemetry
metadata:
name: "{{ ansible_operator_meta.name }}"
namespace: "{{ ansible_operator_meta.namespace }}"
spec:
transports:
qdr:
auth: none

- name: Set auth=none for remainder of this run
set_fact:
servicetelemetry_vars: "{{ servicetelemetry_vars|combine({'transports':{'qdr':{'auth': 'none'}}}, recursive=True) }}" # noqa 206
when:
- _stf_object.resources[0].spec.transports.qdr.auth is not defined
- _qdr_object.resources[0] is defined and _qdr_object.resources[0].spec.edgeListeners[0].saslMechanisms == "ANONYMOUS"

- name: Apply default auth for QDR if missing on a new STF object with no associated auth=none QDR
k8s:
definition:
apiVersion: infra.watch/v1beta1
kind: ServiceTelemetry
metadata:
name: "{{ ansible_operator_meta.name }}"
namespace: "{{ ansible_operator_meta.namespace }}"
spec:
transports:
qdr:
auth: "{{ servicetelemetry_defaults.transports.qdr.auth }}"
when:
- _stf_object.resources[0].spec.transports.qdr.auth is not defined
- _qdr_object.resources[0] is defined and _qdr_object.resources[0].spec.edgeListeners[0].saslMechanisms != "ANONYMOUS"

- name: Set ephemeral_storage_enabled to true when storage strategy is ephemeral
set_fact:
_ephemeral_storage_enabled: true
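Review bot: Both closing `when:` lists read `_qdr_object.resources[0].spec.edgeListeners[0].saslMechanisms` with no fallback, so an existing Interconnect whose first edge listener has no `saslMechanisms` key (or has no edge listeners) is not cleanly handled by either branch; Ansible may fail the conditional on the missing attribute instead of evaluating it to false. Giving the value a default, e.g. `...edgeListeners[0].saslMechanisms | default('') == "ANONYMOUS"` and the matching `!=` form, would keep the migration deterministic. The legacy branch also persists `auth: none` onto the ServiceTelemetry object, which leaves the OSP-facing listener unauthenticated after the upgrade with nothing reported to the operator. A comment above the block stating that this is deliberate, and that setting `auth: basic` on the object is the way to opt in, would make that trade-off visible.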
2 changes: 2 additions & 0 deletions tests/smoketest/minimal-collectd.conf.template
Expand Up @@ -13,6 +13,8 @@ LoadPlugin amqp1
<Transport "name">
Host "default-interconnect"
Port "5671"
User "guest@default-interconnect"
Password "<<QDR_AUTH_PASS>>"
Address "collectd"
<Instance "cloud1-telemetry">
Format JSON
14 changes: 13 additions & 1 deletion tests/smoketest/smoketest.sh
Expand Up @@ -50,6 +50,9 @@ ELASTICSEARCH_AUTH_PASS=$(oc get secret elasticsearch-es-elastic-user -ogo-templ
echo "*** [INFO] Getting Prometheus authentication password"
PROMETHEUS_AUTH_PASS=$(oc get secret default-prometheus-htpasswd -ogo-template='{{ .data.password | base64decode }}')

echo "*** [INFO] Getting QDR authentication password"
QDR_AUTH_PASS=$(oc get secret default-interconnect-users -ogo-template='{{ .data.guest | base64decode }}')

echo "*** [INFO] Setting namepsace for collectd-sensubility config"
sed "s/<<NAMESPACE>>/${OCP_PROJECT}/g" "${REL}/collectd-sensubility.conf" > /tmp/collectd-sensubility.conf

Expand All @@ -62,10 +65,19 @@ oc create configmap stf-smoketest-collectd-entrypoint-script --from-file "${REL}
oc create configmap stf-smoketest-ceilometer-publisher --from-file "${REL}/ceilometer_publish.py"
oc create configmap stf-smoketest-ceilometer-entrypoint-script --from-file "${REL}/smoketest_ceilometer_entrypoint.sh"

echo "*** [INFO] Building smoketest containers..."
oc delete buildconfig openstack-collectd
oc delete is openstack-collectd:latest
oc delete buildconfig openstack-ceilometer-notification
oc delete is openstack-ceilometer-notification
Comment on lines +77 to +79
Member

One of the oc delete is has a tag and the other does not. Missed tag, or superfluous tag?

Collaborator Author

The first one is probably superfluous/wrong


oc new-build -D $'FROM quay.io/tripleomaster/openstack-collectd:current-tripleo\nUSER 0\nRUN rpm -i http://mirror.centos.org/centos/8-stream/BaseOS/x86_64/os/Packages/cyrus-sasl-plain-2.1.27-5.el8.x86_64.rpm'
oc new-build -D $'FROM quay.io/tripleomaster/openstack-ceilometer-notification:current-tripleo\nUSER 0\nRUN rpm -i http://mirror.centos.org/centos/8-stream/BaseOS/x86_64/os/Packages/cyrus-sasl-plain-2.1.27-5.el8.x86_64.rpm'
Comment on lines +81 to +82
Member

Pretty sure this is fine in downstream testing as well... does CVP run this? Pretty sure the lack of pulling is simply a build system thing, so shouldn't be an issue. Just thinking out loud for possible gotchas.


echo "*** [INFO] Creating smoketest jobs..."
oc delete job -l app=stf-smoketest
for NAME in "${CLOUDNAMES[@]}"; do
oc create -f <(sed -e "s/<<CLOUDNAME>>/${NAME}/;s/<<ELASTICSEARCH_AUTH_PASS>>/${ELASTICSEARCH_AUTH_PASS}/;s/<<PROMETHEUS_AUTH_PASS>>/${PROMETHEUS_AUTH_PASS}/" ${REL}/smoketest_job.yaml.template)
oc create -f <(sed -e "s/<<CLOUDNAME>>/${NAME}/;s/<<ELASTICSEARCH_AUTH_PASS>>/${ELASTICSEARCH_AUTH_PASS}/;s/<<PROMETHEUS_AUTH_PASS>>/${PROMETHEUS_AUTH_PASS}/;s/<<QDR_AUTH_PASS>>/${QDR_AUTH_PASS}/;s/<<NAMESPACE>>/${OCP_PROJECT}/;" ${REL}/smoketest_job.yaml.template)
done

echo "*** [INFO] Triggering an alertmanager notification..."
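Review bot: The two `oc new-build -D` Dockerfiles install `cyrus-sasl-plain` with `rpm -i http://mirror.centos.org/...`, so the package is fetched over plain HTTP from a hard-coded URL and installed as `USER 0`. Nothing visible here imports a signing key or checks a digest, which leaves the package's integrity dependent on the network path. Installing through the image's package manager, `RUN dnf install -y cyrus-sasl-plain`, would use the configured repositories and their GPG checking, assuming the base images ship dnf with enabled repos. Failing that, an `https://` URL together with a pinned checksum verified before `rpm -i` is the minimum.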
4 changes: 2 additions & 2 deletions tests/smoketest/smoketest_ceilometer_entrypoint.sh
Expand Up @@ -6,14 +6,14 @@ PROMETHEUS=${PROMETHEUS:-"https://default-prometheus-proxy:9092"}
ELASTICSEARCH=${ELASTICSEARCH:-"https://elasticsearch-es-http:9200"}
ELASTICSEARCH_AUTH_PASS=${ELASTICSEARCH_AUTH_PASS:-""}
PROMETHEUS_AUTH_PASS=${PROMETHEUS_AUTH_PASS:-""}
QDR_AUTH_PASS=${QDR_AUTH_PASS:-""}
CLOUDNAME=${CLOUDNAME:-"smoke1"}
POD=$(hostname)


echo "*** [INFO] My pod is: ${POD}"

# Run ceilometer_publisher script
python3 /ceilometer_publish.py default-interconnect:5671 'driver=amqp&topic=cloud1-metering' 'driver=amqp&topic=cloud1-event'
python3 /ceilometer_publish.py "guest%40default-interconnect:${QDR_AUTH_PASS}@default-interconnect:5671" 'driver=amqp&topic=cloud1-metering' 'driver=amqp&topic=cloud1-event'

# Sleeping to produce data
echo "*** [INFO] Sleeping for 20 seconds to produce all metrics and events"
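Review bot: In the new `python3 /ceilometer_publish.py` line the user name is percent-encoded (`guest%40default-interconnect`) but `${QDR_AUTH_PASS}` is interpolated raw into the URL authority. The secret is generated with Ansible's `password` lookup in component_qdr.yml, whose default character set can include `,` and `:`, and a password containing `,`, `@` or `/` would change how the URL is split, depending on how ceilometer_publish.py parses it (not visible here). Percent-encoding the value first, for example with Python's `urllib.parse.quote(value, safe='')`, keeps the argument well-formed for any password. Passing the URL as an argument also puts the password in the pod's process list, which is tolerable for a smoke test but worth a one-line comment.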
3 changes: 2 additions & 1 deletion tests/smoketest/smoketest_collectd_entrypoint.sh
Expand Up @@ -6,11 +6,12 @@ PROMETHEUS=${PROMETHEUS:-"https://default-prometheus-proxy:9092"}
ELASTICSEARCH=${ELASTICSEARCH:-"https://elasticsearch-es-http:9200"}
ELASTICSEARCH_AUTH_PASS=${ELASTICSEARCH_AUTH_PASS:-""}
PROMETHEUS_AUTH_PASS=${PROMETHEUS_AUTH_PASS:-""}
QDR_AUTH_PASS=${QDR_AUTH_PASS:-""}
CLOUDNAME=${CLOUDNAME:-"smoke1"}
POD=$(hostname)

# Render our config template
sed -e "s/<<CLOUDNAME>>/${CLOUDNAME}/" /etc/minimal-collectd.conf.template > /tmp/collectd.conf
sed -e "s/<<CLOUDNAME>>/${CLOUDNAME}/;s/<<QDR_AUTH_PASS>>/${QDR_AUTH_PASS}/" /etc/minimal-collectd.conf.template > /tmp/collectd.conf

echo "*** [INFO] My pod is: ${POD}"
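Review bot: The added `s/<<QDR_AUTH_PASS>>/${QDR_AUTH_PASS}/` expression places the password in a sed replacement, where `&`, `\` and the `/` delimiter are interpreted rather than copied, so a password containing any of them renders a wrong value or a sed error instead of the credential. The same pattern is added to the `oc create -f <(sed ...)` line in smoketest.sh. Escaping those three characters in the variable before substitution would make the rendering independent of the password's content. The rendered `/tmp/collectd.conf` now contains a credential, so setting `umask 077` before the `sed` redirect is a cheap safeguard.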

9 changes: 7 additions & 2 deletions tests/smoketest/smoketest_job.yaml.template
Expand Up @@ -14,7 +14,7 @@ spec:
restartPolicy: Never
containers:
- name: smoketest-collectd
image: quay.io/tripleomaster/openstack-collectd:current-tripleo
image: image-registry.openshift-image-registry.svc:5000/<<NAMESPACE>>/openstack-collectd:latest
command:
- /smoketest_collectd_entrypoint.sh
env:
Expand All @@ -24,6 +24,8 @@ spec:
value: "<<ELASTICSEARCH_AUTH_PASS>>"
- name: PROMETHEUS_AUTH_PASS
value: "<<PROMETHEUS_AUTH_PASS>>"
- name: QDR_AUTH_PASS
value: "<<QDR_AUTH_PASS>>"
- name: OBSERVABILITY_STRATEGY
value: "<<OBSERVABILITY_STRATEGY>>"
volumeMounts:
Expand All @@ -43,7 +45,7 @@ spec:
allowPrivilegeEscalation: false

- name: smoketest-ceilometer
image: quay.io/tripleomaster/openstack-ceilometer-notification:current-tripleo
image: image-registry.openshift-image-registry.svc:5000/<<NAMESPACE>>/openstack-ceilometer-notification:latest
leifmadsen marked this conversation as resolved.
command:
- /smoketest_ceilometer_entrypoint.sh
env:
Expand All @@ -53,6 +55,8 @@ spec:
value: "<<ELASTICSEARCH_AUTH_PASS>>"
- name: PROMETHEUS_AUTH_PASS
value: "<<PROMETHEUS_AUTH_PASS>>"
- name: QDR_AUTH_PASS
value: "<<QDR_AUTH_PASS>>"
- name: OBSERVABILITY_STRATEGY
value: "<<OBSERVABILITY_STRATEGY>>"
volumeMounts:
Expand Down Expand Up @@ -84,3 +88,4 @@ spec:
configMap:
name: stf-smoketest-ceilometer-publisher
defaultMode: 0555
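Review bot: `QDR_AUTH_PASS` is rendered into the Job as a literal `value:` in both containers, so the QDR password is stored in the Job and Pod specs and is readable by anyone who can read those objects. The new env entries could reference the existing secret through `valueFrom.secretKeyRef`, which would also remove the need for the `<<QDR_AUTH_PASS>>` substitution in smoketest.sh. The secret name and key below are the ones smoketest.sh reads, and this assumes the Job runs in the same namespace as that secret. The neighbouring `*_AUTH_PASS` entries use the same literal pattern but are outside this change.

```yaml
- name: QDR_AUTH_PASS
  valueFrom:
    secretKeyRef:
      name: default-interconnect-users
      key: guest
# … unchanged: OBSERVABILITY_STRATEGY and the remaining env entries …
```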