[kuttl] add test to enable tls as day2 in ctlplane-tls-cert-rotation
Changes the ctlplane-tls-cert-rotation tls kuttl test to start with a deployment where only the ingress/routes are configured to have tls; podLevel tls is disabled. Later podLevel tls gets enabled and the usual test steps run. Signed-off-by: Martin Schuppert <[email protected]>
Showing
5 changed files
with
348 additions
and
0 deletions.
@@ -0,0 +1,14 @@ | ||
resources: | ||
- ../../base/openstackcontrolplane | ||
|
||
patches: | ||
- target: | ||
kind: OpenStackControlPlane | ||
name: .* | ||
patch: |- | ||
- op: replace | ||
path: /metadata/name | ||
value: openstack | ||
- target: | ||
kind: OpenStackControlPlane | ||
path: patch.yaml |
@@ -0,0 +1,8 @@ | ||
apiVersion: core.openstack.org/v1beta1 | ||
kind: OpenStackControlPlane | ||
metadata: | ||
name: openstack | ||
spec: | ||
tls: | ||
podLevel: | ||
enabled: false |
304 changes: 304 additions & 0 deletions
tests/kuttl/tests/ctlplane-tls-cert-rotation/00-assert-deploy-openstack.yaml
@@ -0,0 +1,304 @@ | ||
apiVersion: core.openstack.org/v1beta1 | ||
kind: OpenStackControlPlane | ||
metadata: | ||
name: openstack | ||
spec: | ||
secret: osp-secret | ||
keystone: | ||
template: | ||
databaseInstance: openstack | ||
secret: osp-secret | ||
galera: | ||
enabled: true | ||
templates: | ||
openstack: | ||
storageRequest: 500M | ||
secret: osp-secret | ||
replicas: 1 | ||
openstack-cell1: | ||
storageRequest: 500M | ||
secret: osp-secret | ||
replicas: 1 | ||
rabbitmq: | ||
templates: | ||
rabbitmq: | ||
replicas: 1 | ||
rabbitmq-cell1: | ||
replicas: 1 | ||
memcached: | ||
templates: | ||
memcached: | ||
replicas: 1 | ||
placement: | ||
template: | ||
databaseInstance: openstack | ||
secret: osp-secret | ||
glance: | ||
template: | ||
databaseInstance: openstack | ||
secret: osp-secret | ||
glanceAPIs: | ||
default: | ||
replicas: 1 | ||
storage: | ||
storageRequest: 10G | ||
cinder: | ||
template: | ||
databaseInstance: openstack | ||
secret: osp-secret | ||
cinderAPI: | ||
replicas: 1 | ||
cinderScheduler: | ||
replicas: 1 | ||
cinderBackup: | ||
replicas: 0 # backend needs to be configured | ||
cinderVolumes: | ||
volume1: | ||
replicas: 0 # backend needs to be configured | ||
manila: | ||
template: | ||
manilaAPI: | ||
replicas: 1 | ||
manilaScheduler: | ||
replicas: 1 | ||
manilaShares: | ||
share1: | ||
replicas: 1 | ||
ovn: | ||
template: | ||
ovnDBCluster: | ||
ovndbcluster-nb: | ||
replicas: 1 | ||
dbType: NB | ||
storageRequest: 10G | ||
ovndbcluster-sb: | ||
replicas: 1 | ||
dbType: SB | ||
storageRequest: 10G | ||
ovnNorthd: | ||
replicas: 1 | ||
ovnController: | ||
external-ids: | ||
system-id: "random" | ||
ovn-bridge: "br-int" | ||
ovn-encap-type: "geneve" | ||
neutron: | ||
template: | ||
databaseInstance: openstack | ||
secret: osp-secret | ||
horizon: | ||
template: | ||
replicas: 1 | ||
secret: osp-secret | ||
nova: | ||
template: | ||
secret: osp-secret | ||
heat: | ||
enabled: false | ||
template: | ||
databaseInstance: openstack | ||
heatAPI: | ||
replicas: 1 | ||
heatEngine: | ||
replicas: 1 | ||
secret: osp-secret | ||
octavia: | ||
enabled: false | ||
template: | ||
databaseInstance: openstack | ||
octaviaAPI: | ||
replicas: 1 | ||
secret: osp-secret | ||
ironic: | ||
enabled: false | ||
template: | ||
databaseInstance: openstack | ||
ironicAPI: | ||
replicas: 1 | ||
ironicConductors: | ||
- replicas: 1 | ||
storageRequest: 10G | ||
ironicInspector: | ||
replicas: 1 | ||
ironicNeutronAgent: | ||
replicas: 1 | ||
secret: osp-secret | ||
telemetry: | ||
enabled: true | ||
template: | ||
autoscaling: | ||
aodh: | ||
secret: osp-secret | ||
serviceUser: aodh | ||
ceilometer: | ||
passwordSelector: | ||
ceilometerService: CeilometerPassword | ||
secret: osp-secret | ||
serviceUser: ceilometer | ||
swift: | ||
enabled: true | ||
template: | ||
swiftRing: | ||
ringReplicas: 1 | ||
swiftStorage: | ||
replicas: 1 | ||
swiftProxy: | ||
replicas: 1 | ||
designate: | ||
enabled: false | ||
template: | ||
databaseInstance: openstack | ||
secret: osp-secret | ||
designateAPI: | ||
replicas: 1 | ||
designateCentral: | ||
replicas: 0 # backend needs to be configured | ||
designateWorker: | ||
replicas: 0 # backend needs to be configured | ||
designateProducer: | ||
replicas: 0 # backend needs to be configured | ||
designateBackendbind9: | ||
replicas: 0 # backend needs to be configured | ||
barbican: | ||
enabled: true | ||
template: | ||
databaseInstance: openstack | ||
secret: osp-secret | ||
barbicanAPI: | ||
replicas: 1 | ||
barbicanWorker: | ||
replicas: 1 | ||
barbicanKeystoneListener: | ||
replicas: 1 | ||
tls: | ||
ingress: | ||
ca: | ||
duration: 87600h0m0s | ||
cert: | ||
duration: 43800h0m0s | ||
enabled: true | ||
podLevel: | ||
enabled: false | ||
status: | ||
conditions: | ||
- message: Setup complete | ||
reason: Ready | ||
status: "True" | ||
type: Ready | ||
- message: OpenStackControlPlane Barbican completed | ||
reason: Ready | ||
status: "True" | ||
type: OpenStackControlPlaneBarbicanReady | ||
- message: OpenStackControlPlane CAs completed | ||
reason: Ready | ||
status: "True" | ||
type: OpenStackControlPlaneCAReadyCondition | ||
- message: OpenStackControlPlane Cinder completed | ||
reason: Ready | ||
status: "True" | ||
type: OpenStackControlPlaneCinderReady | ||
- message: OpenStackControlPlane Client completed | ||
reason: Ready | ||
status: "True" | ||
type: OpenStackControlPlaneClientReady | ||
- message: OpenStackControlPlane barbican service exposed | ||
reason: Ready | ||
status: "True" | ||
type: OpenStackControlPlaneExposeBarbicanReady | ||
- message: OpenStackControlPlane cinder service exposed | ||
reason: Ready | ||
status: "True" | ||
type: OpenStackControlPlaneExposeCinderReady | ||
- message: OpenStackControlPlane glance service exposed | ||
reason: Ready | ||
status: "True" | ||
type: OpenStackControlPlaneExposeGlanceReady | ||
- message: OpenStackControlPlane keystone service exposed | ||
reason: Ready | ||
status: "True" | ||
type: OpenStackControlPlaneExposeKeystoneAPIReady | ||
- message: OpenStackControlPlane neutron service exposed | ||
reason: Ready | ||
status: "True" | ||
type: OpenStackControlPlaneExposeNeutronReady | ||
- message: OpenStackControlPlane nova service exposed | ||
reason: Ready | ||
status: "True" | ||
type: OpenStackControlPlaneExposeNovaReady | ||
- message: OpenStackControlPlane placement service exposed | ||
reason: Ready | ||
status: "True" | ||
type: OpenStackControlPlaneExposePlacementAPIReady | ||
- message: OpenStackControlPlane swift service exposed | ||
reason: Ready | ||
status: "True" | ||
type: OpenStackControlPlaneExposeSwiftReady | ||
- message: OpenStackControlPlane Glance completed | ||
reason: Ready | ||
status: "True" | ||
type: OpenStackControlPlaneGlanceReady | ||
- message: OpenStackControlPlane InstanceHa CM is available | ||
reason: Ready | ||
status: "True" | ||
type: OpenStackControlPlaneInstanceHaCMReadyCondition | ||
- message: OpenStackControlPlane KeystoneAPI completed | ||
reason: Ready | ||
status: "True" | ||
type: OpenStackControlPlaneKeystoneAPIReady | ||
- message: OpenStackControlPlane MariaDB completed | ||
reason: Ready | ||
status: "True" | ||
type: OpenStackControlPlaneMariaDBReady | ||
- message: OpenStackControlPlane Memcached completed | ||
reason: Ready | ||
status: "True" | ||
type: OpenStackControlPlaneMemcachedReady | ||
- message: OpenStackControlPlane Neutron completed | ||
reason: Ready | ||
status: "True" | ||
type: OpenStackControlPlaneNeutronReady | ||
- message: OpenStackControlPlane Nova completed | ||
reason: Ready | ||
status: "True" | ||
type: OpenStackControlPlaneNovaReady | ||
- message: OpenStackControlPlane OVN completed | ||
reason: Ready | ||
status: "True" | ||
type: OpenStackControlPlaneOVNReady | ||
- message: OpenStackControlPlane PlacementAPI completed | ||
reason: Ready | ||
status: "True" | ||
type: OpenStackControlPlanePlacementAPIReady | ||
- message: OpenStackControlPlane RabbitMQ completed | ||
reason: Ready | ||
status: "True" | ||
type: OpenStackControlPlaneRabbitMQReady | ||
- message: OpenStackControlPlane Swift completed | ||
reason: Ready | ||
status: "True" | ||
type: OpenStackControlPlaneSwiftReady | ||
- message: OpenStackControlPlane Telemetry completed | ||
reason: Ready | ||
status: "True" | ||
type: OpenStackControlPlaneTelemetryReady | ||
- message: OpenStackControlPlane Test Operator CM is available | ||
reason: Ready | ||
status: "True" | ||
type: OpenStackControlPlaneTestCMReadyCondition | ||
--- | ||
apiVersion: kuttl.dev/v1beta1 | ||
kind: TestAssert | ||
timeout: 30 | ||
commands: | ||
- script: | | ||
echo "Fail if internal https endpoints are registered" | ||
oc exec -i openstackclient -n $NAMESPACE -- bash -c "openstack endpoint list --interface public -f value -c URL" | grep 'https:' && exit 1 | ||
exit 0 | ||
- script: | | ||
echo "Fail if ovn sb DB use ssl address" | ||
oc exec -i ovsdbserver-sb-0 -n $NAMESPACE -- bash -c "ovs-appctl -t /tmp/ovnsb_db.ctl cluster/status OVN_Southbound" | grep Address: | grep ssl && exit 1 | ||
exit 0 | ||
- script: | | ||
echo "Fail if nova transport url ssl address" | ||
oc exec -i nova-cell1-conductor-0 -n $NAMESPACE -- bash -c "grep transport_url /etc/nova/nova.conf.d/01-nova.conf" | grep "ssl=1" | exit 1 | ||
exit 0 |
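Review bot: The nova transport_url check at the end of this assert never fails: `grep "ssl=1" | exit 1` pipes grep's output into `exit 1` instead of gating on its status, so the pipeline's result is discarded and the script falls through to `exit 0` (unless the shell happens to run with `-e`) — it should read `... | grep -q "ssl=1" && exit 1`. The first check also looks inconsistent with its own message: it says "internal" endpoints but filters `--interface public`, and with `tls.ingress.enabled: true` the public route endpoints are presumably https already, so as written it would reject a correct deployment; `--interface internal` matches the stated intent. More generally, all three checks are negative greps, so a failed `oc exec` or empty output passes them silently; asserting the expected state positively (e.g. `grep -q 'http:' || exit 1`) would keep a missing endpoint or config line from masking a TLS regression.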
5 changes: 5 additions & 0 deletions
tests/kuttl/tests/ctlplane-tls-cert-rotation/00-deploy-openstack-tls-ingress-only.yaml
@@ -0,0 +1,5 @@ | ||
apiVersion: kuttl.dev/v1beta1 | ||
kind: TestStep | ||
commands: | ||
- script: | | ||
oc kustomize ../../../../config/samples/tls/tls_ingress | oc apply -n $NAMESPACE -f - |
17 changes: 17 additions & 0 deletions
tests/kuttl/tests/ctlplane-tls-cert-rotation/02-assert-endpoint-proto.yaml
@@ -0,0 +1,17 @@ | ||
--- | ||
apiVersion: kuttl.dev/v1beta1 | ||
kind: TestAssert | ||
timeout: 30 | ||
commands: | ||
- script: | | ||
echo "Fail if internal http endpoints are registered" | ||
oc exec -i openstackclient -n $NAMESPACE -- bash -c "openstack endpoint list --interface public -f value -c URL" | grep 'http:' && exit 1 | ||
exit 0 | ||
- script: | | ||
echo "Fail if ovn sb DB use tcp address" | ||
oc exec -i ovsdbserver-sb-0 -n $NAMESPACE -- bash -c "ovs-appctl -t /tmp/ovnsb_db.ctl cluster/status OVN_Southbound" | grep Address: | grep tcp && exit 1 | ||
exit 0 | ||
- script: | | ||
echo "Fail if nova transport url not ssl address" | ||
oc exec -i nova-cell1-conductor-0 -n $NAMESPACE -- bash -c "grep transport_url /etc/nova/nova.conf.d/01-nova.conf" | grep "ssl=0" | exit 1 | ||
exit 0 |
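Review bot: The nova transport_url check has the same pipeline mistake as the 00 assert: `grep "ssl=0" | exit 1` never gates on grep's result, so the script always reaches `exit 0`. Since the point of this step is that pod-level TLS is now on, assert the positive form, `... | grep -q "ssl=1" || exit 1`, which also catches a transport_url with no ssl parameter at all (the current `ssl=0` grep would pass that). The endpoint check echoes "internal" but filters `--interface public`; the public endpoints are presumably already https from the ingress TLS enabled in step 00, so this query does not exercise the day-2 change, whereas `--interface internal` would. For the same reason the OVN check is stronger as `grep Address: | grep -q ssl || exit 1`, which fails on empty output rather than passing it.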