Re-enable keystone testing in validation tests

charmed-kubernetes · Jun 12, 2024 · fcbc4db · fcbc4db
1 parent 007d71e
commit fcbc4db
Show file tree

Hide file tree

Showing 9 changed files with 408 additions and 228 deletions.
diff --git a/jobs/integration/conftest.py b/jobs/integration/conftest.py
@@ -36,7 +36,12 @@ def pytest_addoption(parser):
         "--controller", action="store", required=True, help="Juju controller to use"
     )
     parser.addoption("--model", action="store", required=True, help="Juju model to use")
-    parser.addoption("--series", action="store", default="bionic", help="Base series")
+    parser.addoption(
+        "--series",
+        action="store",
+        default=os.environ.get("SERIES", "focal"),
+        help="Base series",
+    )
     parser.addoption(
         "--cloud", action="store", default="aws/us-east-2", help="Juju cloud to use"
     )
@@ -152,6 +157,7 @@ async def _load(self):
         self.k8s_connection = f"{self.controller_name}:{self.k8s_model_name_full}"
         self.is_series_upgrade = request.config.getoption("--is-series-upgrade")
         self.charm_channel = request.config.getoption("--charm-channel")
+        self.snap_channel = request.config.getoption("--snap-channel")
         self.vault_unseal_command = request.config.getoption("--vault-unseal-command")
         self.juju_ssh_proxy = request.config.getoption("--juju-ssh-proxy")
         self.use_existing_ceph_apps = request.config.getoption(
@@ -448,7 +454,9 @@ def _charm_name(app):
     """Resolve charm_name from juju.applications.Application"""
     cs, charm_url = "cs:", app.data["charm-url"].rpartition("-")[0]
     if charm_url.startswith(cs):
-        return charm_url[len(cs) :]  # noqa: E203
+        charm_url = charm_url[len(cs) :]  # noqa: E203
+    elif any(charm_url.startswith(prefix) for prefix in ("ch:", "local:")):
+        charm_url = charm_url.split("/")[-1]  # noqa: E203
     return charm_url
 
 

diff --git a/jobs/integration/templates/keystone/keystone-apiserver-webhook.yaml b/jobs/integration/templates/keystone/keystone-apiserver-webhook.yaml
@@ -0,0 +1,17 @@
+# https://github.com/kubernetes/cloud-provider-openstack/blob/release-1.30/examples/webhook/keystone-apiserver-webhook.yaml
+apiVersion: v1
+kind: Config
+preferences: {}
+clusters:
+  - cluster:
+      insecure-skip-tls-verify: true
+      server: https://{{ keystone_auth_service_ip }}:8443/webhook
+    name: webhook
+users:
+  - name: webhook
+contexts:
+  - context:
+      cluster: webhook
+      user: webhook
+    name: webhook
+current-context: webhook
diff --git a/jobs/integration/templates/keystone/keystone-deployment.yaml b/jobs/integration/templates/keystone/keystone-deployment.yaml
@@ -0,0 +1,47 @@
+# https://github.com/kubernetes/cloud-provider-openstack/blob/release-1.30/examples/webhook/keystone-deployment.yaml
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: k8s-keystone-auth
+  namespace: kube-system
+  labels:
+    app: k8s-keystone-auth
+spec:
+  replicas: 2
+  selector:
+    matchLabels:
+      app: k8s-keystone-auth
+  template:
+    metadata:
+      labels:
+        app: k8s-keystone-auth
+    spec:
+      serviceAccountName: k8s-keystone
+      containers:
+        - name: k8s-keystone-auth
+          image: rocks.canonical.com:443/cdk/provider-os/k8s-keystone-auth:v1.28.1
+          args:
+            - ./bin/k8s-keystone-auth
+          env:
+            - name: OS_AUTH_URL
+              value: {{ keystone_server_url }}
+            - name: TLS_CERT_FILE
+              value: /etc/pki/tls.crt
+            - name: TLS_PRIVATE_KEY_FILE
+              value: /etc/pki/tls.key
+            - name: KEYSTONE_POLICY_CONFIGMAP_NAME
+              value: k8s-auth-policy
+            {% if keystone_server_ca %}
+            - name: KEYSTONE_CA_FILE
+              value: /etc/pki/ca.crt
+            {% endif %}
+          volumeMounts:
+            - mountPath: /etc/pki
+              name: certs
+              readOnly: true
+          ports:
+            - containerPort: 8443
+      volumes:
+      - name: certs
+        secret:
+          secretName: keystone-auth-certs
diff --git a/jobs/integration/templates/keystone/keystone-kubeconfig.yaml b/jobs/integration/templates/keystone/keystone-kubeconfig.yaml
@@ -0,0 +1,94 @@
+apiVersion: v1
+kind: Config
+users:
+- name: good-user
+  user:
+    exec:
+      command: "/snap/bin/client-keystone-auth"
+
+      # API version to use when encoding and decoding the ExecCredentials
+      # resource. Required.
+      #
+      # The API version returned by the plugin MUST match the version encoded.
+      apiVersion: "client.authentication.k8s.io/v1beta1"
+
+      # Environment variables to set when executing the plugin. Optional.
+      env:
+      - name: "OS_USERNAME"
+        value: "{{ keystone_user }}"
+      - name: "OS_PASSWORD"
+        value: "{{ keystone_password }}"
+      - name: "OS_PROJECT_NAME"
+        value: "{{ keystone_project }}"
+
+      # Arguments to pass when executing the plugin. Optional.
+      args:
+      - "--domain-name={{ keystone_domain }}"
+      - "--keystone-url={{ keystone_server_url }}"
+- name: bad-user
+  user:
+    exec:
+      command: "/snap/bin/client-keystone-auth"
+
+      # API version to use when encoding and decoding the ExecCredentials
+      # resource. Required.
+      #
+      # The API version returned by the plugin MUST match the version encoded.
+      apiVersion: "client.authentication.k8s.io/v1beta1"
+
+      # Environment variables to set when executing the plugin. Optional.
+      env:
+      - name: "OS_USERNAME"
+        value: "fake"
+      - name: "OS_PASSWORD"
+        value: "bad"
+      - name: "OS_PROJECT_NAME"
+        value: "{{ keystone_project }}"
+
+      # Arguments to pass when executing the plugin. Optional.
+      args:
+      - "--domain-name={{ keystone_domain }}"
+      - "--keystone-url={{ keystone_server_url }}"
+- name: bad-password
+  user:
+    exec:
+      command: "/snap/bin/client-keystone-auth"
+
+      # API version to use when encoding and decoding the ExecCredentials
+      # resource. Required.
+      #
+      # The API version returned by the plugin MUST match the version encoded.
+      apiVersion: "client.authentication.k8s.io/v1beta1"
+
+      # Environment variables to set when executing the plugin. Optional.
+      env:
+      - name: "OS_USERNAME"
+        value: "{{ keystone_user }}"
+      - name: "OS_PASSWORD"
+        value: "bad"
+      - name: "OS_PROJECT_NAME"
+        value: "{{ keystone_project }}"
+
+      # Arguments to pass when executing the plugin. Optional.
+      args:
+      - "--domain-name={{ keystone_domain }}"
+      - "--keystone-url={{ keystone_server_url }}"
+clusters:
+- name: my-cluster
+  cluster:
+    server: {{ kubernetes_api_server }}
+    insecure-skip-tls-verify: true
+contexts:
+- name: good-context
+  context:
+    cluster: my-cluster
+    user: good-user
+- name: bad-user-context
+  context:
+    cluster: my-cluster
+    user: bad-user
+- name: bad-password-context
+  context:
+    cluster: my-cluster
+    user: bad-password
+current-context: good-context
diff --git a/jobs/integration/templates/keystone/keystone-policy-configmap.yaml b/jobs/integration/templates/keystone/keystone-policy-configmap.yaml
@@ -0,0 +1,19 @@
+# https://github.com/kubernetes/cloud-provider-openstack/blob/release-1.30/examples/webhook/keystone-policy-configmap.yaml
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: k8s-auth-policy
+  namespace: kube-system
+data:
+  policies: |
+    [
+      {
+        "users": {
+          "projects": ["admin"],
+          "user": ["admin"]
+        },
+        "resource_permissions": {
+          "default/pods": ["get", "list", "watch"]
+        }
+      }
+    ]
diff --git a/jobs/integration/templates/keystone/keystone-rbac.yaml b/jobs/integration/templates/keystone/keystone-rbac.yaml
@@ -0,0 +1,33 @@
+# https://github.com/kubernetes/cloud-provider-openstack/blob/release-1.30/examples/webhook/keystone-rbac.yaml
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  labels:
+    k8s-app: k8s-keystone-auth
+  name: k8s-keystone-auth
+rules:
+  # Allow k8s-keystone-auth to get k8s-auth-policy configmap
+- apiGroups: [""]
+  resources: ["configmaps"]
+  verbs: ["get", "watch", "list"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: k8s-keystone-auth
+  labels:
+    k8s-app: k8s-keystone-auth
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: k8s-keystone-auth
+subjects:
+- kind: ServiceAccount
+  name: k8s-keystone
+  namespace: kube-system
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: k8s-keystone
+  namespace: kube-system
diff --git a/jobs/integration/templates/keystone/keystone-secret.yaml b/jobs/integration/templates/keystone/keystone-secret.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: keystone-auth-certs
+  namespace: kube-system
+type: Opaque
+data:
+  tls.crt: {{ keystone_auth_crt }}
+  tls.key: {{ keystone_auth_key }}
+{% if keystone_server_ca %}
+  ca.crt: {{ keystone_server_ca }}
+{% endif %}
diff --git a/jobs/integration/templates/keystone/keystone-service.yaml b/jobs/integration/templates/keystone/keystone-service.yaml
@@ -0,0 +1,13 @@
+# https://github.com/kubernetes/cloud-provider-openstack/blob/release-1.30/examples/webhook/keystone-service.yaml
+kind: Service
+apiVersion: v1
+metadata:
+  name: k8s-keystone-auth-service
+  namespace: kube-system
+spec:
+  selector:
+    app: k8s-keystone-auth
+  ports:
+    - protocol: TCP
+      port: 8443
+      targetPort: 8443