diff --git a/config/samples/base/openstackcontrolplane/core_v1beta1_openstackcontrolplane.yaml b/config/samples/base/openstackcontrolplane/core_v1beta1_openstackcontrolplane.yaml new file mode 100644 index 000000000..3167b86e4 --- /dev/null +++ b/config/samples/base/openstackcontrolplane/core_v1beta1_openstackcontrolplane.yaml 
@@ -0,0 +1,197 @@ +apiVersion: core.openstack.org/v1beta1 +kind: OpenStackControlPlane +metadata: + name: openstack-basic +spec: + secret: osp-secret + storageClass: local-storage + keystone: + template: + databaseInstance: openstack + secret: osp-secret + galera: + templates: + openstack: + storageClass: local-storage + storageRequest: 500M + secret: osp-secret + replicas: 1 + openstack-cell1: + storageClass: local-storage + storageRequest: 500M + secret: osp-secret + replicas: 1 + rabbitmq: + templates: + rabbitmq: + replicas: 1 + #resources: + # requests: + # cpu: 500m + # memory: 1Gi + # limits: + # cpu: 800m + # memory: 1Gi + rabbitmq-cell1: + replicas: 1 + memcached: + templates: + memcached: + replicas: 1 + barbican: + template: + databaseInstance: openstack + secret: osp-secret + barbicanAPI: + replicas: 1 + barbicanWorker: + replicas: 1 + barbicanKeystoneListener: + replicas: 1 + placement: + template: + databaseInstance: openstack + secret: osp-secret + glance: + template: + secret: osp-secret + databaseInstance: openstack + storageClass: "" + storageRequest: 10G + keystoneEndpoint: default + glanceAPIs: + default: + type: single + replicas: 1 + cinder: + template: + databaseInstance: openstack + secret: osp-secret + cinderAPI: + replicas: 1 + cinderScheduler: + replicas: 1 + cinderBackup: + replicas: 0 # backend needs to be configured + cinderVolumes: + volume1: + replicas: 0 # backend needs to be configured + manila: + template: + manilaAPI: + replicas: 1 + manilaScheduler: + replicas: 1 + manilaShares: + share1: + replicas: 1 + ovn: + template: + ovnDBCluster: + ovndbcluster-nb: + replicas: 1 + dbType: NB + storageRequest: 10G + ovndbcluster-sb: + replicas: 1 + dbType: SB + storageRequest: 10G + ovnNorthd: + replicas: 1 + ovnController: {} + neutron: + template: + databaseInstance: openstack + secret: osp-secret + horizon: + template: + replicas: 1 + secret: osp-secret + nova: + template: + secret: osp-secret + heat: + enabled: false + template: + 
databaseInstance: openstack + heatAPI: + replicas: 1 + heatEngine: + replicas: 1 + secret: osp-secret + ironic: + enabled: false + template: + databaseInstance: openstack + ironicAPI: + replicas: 1 + ironicConductors: + - replicas: 1 + storageRequest: 10G + ironicInspector: + replicas: 1 + ironicNeutronAgent: + replicas: 1 + secret: osp-secret + telemetry: + enabled: true + template: + metricStorage: + enabled: false + monitoringStack: + alertingEnabled: true + scrapeInterval: 30s + storage: + strategy: persistent + retention: 24h + persistent: + pvcStorageRequest: 20G + autoscaling: + enabled: false + aodh: + passwordSelectors: + databaseAccount: aodh + databaseInstance: openstack + secret: osp-secret + heatInstance: heat + ceilometer: + enabled: true + secret: osp-secret + logging: + enabled: false + network: internalapi + ipaddr: 172.17.0.80 + port: 10514 + cloNamespace: openshift-logging + swift: + enabled: true + template: + swiftRing: + ringReplicas: 1 + swiftStorage: + replicas: 1 + swiftProxy: + replicas: 1 + octavia: + enabled: false + template: + databaseInstance: openstack + octaviaAPI: + replicas: 1 + secret: osp-secret + designate: + template: + databaseInstance: openstack + secret: osp-secret + designateAPI: + replicas: 1 + designateCentral: + replicas: 0 # backend needs to be configured + designateWorker: + replicas: 0 # backend needs to be configured + designateProducer: + replicas: 0 # backend needs to be configured + designateMdns: + replicas: 0 # backend needs to be configured + designateBackendbind9: + replicas: 0 # backend needs to be configured diff --git a/config/samples/base/openstackcontrolplane/kustomization.yaml b/config/samples/base/openstackcontrolplane/kustomization.yaml new file mode 100644 index 000000000..49681507c --- /dev/null +++ b/config/samples/base/openstackcontrolplane/kustomization.yaml 
@@ -0,0 +1,10 @@
+resources:
+- core_v1beta1_openstackcontrolplane.yaml
+patches:
+ - target:
+ kind: OpenStackControlPlane
+ name: .*
+ patch: |-
+ - op: replace
+ path: /metadata/name
+ value: openstack
diff --git a/config/samples/core_v1beta1_openstackcontrolplane.yaml b/config/samples/core_v1beta1_openstackcontrolplane.yaml
deleted file mode 100644
index 3167b86e4..000000000
--- a/config/samples/core_v1beta1_openstackcontrolplane.yaml
+++ /dev/null
@@ -1,197 +0,0 @@ -apiVersion: core.openstack.org/v1beta1 -kind: OpenStackControlPlane -metadata: - name: openstack-basic -spec: - secret: osp-secret - storageClass: local-storage - keystone: - template: - databaseInstance: openstack - secret: osp-secret - galera: - templates: - openstack: - storageClass: local-storage - storageRequest: 500M - secret: osp-secret - replicas: 1 - openstack-cell1: - storageClass: local-storage - storageRequest: 500M - secret: osp-secret - replicas: 1 - rabbitmq: - templates: - rabbitmq: - replicas: 1 - #resources: - # requests: - # cpu: 500m - # memory: 1Gi - # limits: - # cpu: 800m - # memory: 1Gi - rabbitmq-cell1: - replicas: 1 - memcached: - templates: - memcached: - replicas: 1 - barbican: - template: - databaseInstance: openstack - secret: osp-secret - barbicanAPI: - replicas: 1 - barbicanWorker: - replicas: 1 - barbicanKeystoneListener: - replicas: 1 - placement: - template: - databaseInstance: openstack - secret: osp-secret - glance: - template: - secret: osp-secret - databaseInstance: openstack - storageClass: "" - storageRequest: 10G - keystoneEndpoint: default - glanceAPIs: - default: - type: single - replicas: 1 - cinder: - template: - databaseInstance: openstack - secret: osp-secret - cinderAPI: - replicas: 1 - cinderScheduler: - replicas: 1 - cinderBackup: - replicas: 0 # backend needs to be configured - cinderVolumes: - volume1: - replicas: 0 # backend needs to be configured - manila: - template: - manilaAPI: - replicas: 1 - manilaScheduler: - replicas: 1 - manilaShares: - share1: - replicas: 1 - ovn: - template: - ovnDBCluster: - ovndbcluster-nb: - replicas: 1 - dbType: NB - storageRequest: 10G - ovndbcluster-sb: - replicas: 1 - dbType: SB - storageRequest: 10G - ovnNorthd: - replicas: 1 - ovnController: {} - neutron: - template: - databaseInstance: openstack - secret: osp-secret - horizon: - template: - replicas: 1 - secret: osp-secret - nova: - template: - secret: osp-secret - heat: - enabled: false - template: - 
databaseInstance: openstack - heatAPI: - replicas: 1 - heatEngine: - replicas: 1 - secret: osp-secret - ironic: - enabled: false - template: - databaseInstance: openstack - ironicAPI: - replicas: 1 - ironicConductors: - - replicas: 1 - storageRequest: 10G - ironicInspector: - replicas: 1 - ironicNeutronAgent: - replicas: 1 - secret: osp-secret - telemetry: - enabled: true - template: - metricStorage: - enabled: false - monitoringStack: - alertingEnabled: true - scrapeInterval: 30s - storage: - strategy: persistent - retention: 24h - persistent: - pvcStorageRequest: 20G - autoscaling: - enabled: false - aodh: - passwordSelectors: - databaseAccount: aodh - databaseInstance: openstack - secret: osp-secret - heatInstance: heat - ceilometer: - enabled: true - secret: osp-secret - logging: - enabled: false - network: internalapi - ipaddr: 172.17.0.80 - port: 10514 - cloNamespace: openshift-logging - swift: - enabled: true - template: - swiftRing: - ringReplicas: 1 - swiftStorage: - replicas: 1 - swiftProxy: - replicas: 1 - octavia: - enabled: false - template: - databaseInstance: openstack - octaviaAPI: - replicas: 1 - secret: osp-secret - designate: - template: - databaseInstance: openstack - secret: osp-secret - designateAPI: - replicas: 1 - designateCentral: - replicas: 0 # backend needs to be configured - designateWorker: - replicas: 0 # backend needs to be configured - designateProducer: - replicas: 0 # backend needs to be configured - designateMdns: - replicas: 0 # backend needs to be configured - designateBackendbind9: - replicas: 0 # backend needs to be configured diff --git a/config/samples/core_v1beta1_openstackcontrolplane.yaml b/config/samples/core_v1beta1_openstackcontrolplane.yaml new file mode 120000 index 000000000..eda53456e --- /dev/null +++ b/config/samples/core_v1beta1_openstackcontrolplane.yaml @@ -0,0 +1 @@ +base/openstackcontrolplane/core_v1beta1_openstackcontrolplane.yaml \ No newline at end of file 
diff --git a/config/samples/tls/custom_tls_config/core_v1beta1_openstackcontrolplane.yaml b/config/samples/tls/custom_tls_config/core_v1beta1_openstackcontrolplane.yaml new file mode 100644 index 000000000..962233112 --- /dev/null +++ b/config/samples/tls/custom_tls_config/core_v1beta1_openstackcontrolplane.yaml @@ -0,0 +1,31 @@ +apiVersion: core.openstack.org/v1beta1 +kind: OpenStackControlPlane +metadata: + name: openstack +spec: + tls: + ingress: + enabled: true + ca: + duration: 1000h0m0s + cert: + duration: 500h0m0s + podLevel: + enabled: true + internal: + ca: + customIssuer: rootca-internal-custom + duration: 1000h0m0s + cert: + duration: 500h0m0s + libvirt: + ca: + duration: 1000h0m0s + cert: + duration: 500h0m0s + ovn: + ca: + duration: 1000h0m0s + cert: + duration: 500h0m0s + caBundleSecretName: ca-custom-kuttl diff --git a/config/samples/tls/custom_tls_config/kustomization.yaml b/config/samples/tls/custom_tls_config/kustomization.yaml new file mode 100644 index 000000000..0309650d3 --- /dev/null +++ b/config/samples/tls/custom_tls_config/kustomization.yaml @@ -0,0 +1,6 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - ../../base/openstackcontrolplane +patches: + - path: core_v1beta1_openstackcontrolplane.yaml diff --git a/tests/kuttl/common/assert-sample-deployment.yaml b/tests/kuttl/common/assert-sample-deployment.yaml index 6d3ad50ac..dea43f1cb 100644 --- a/tests/kuttl/common/assert-sample-deployment.yaml +++ b/tests/kuttl/common/assert-sample-deployment.yaml @@ -1,7 +1,7 @@ apiVersion: core.openstack.org/v1beta1 kind: OpenStackControlPlane metadata: - name: openstack-basic + name: openstack spec: secret: osp-secret keystone: diff --git a/tests/kuttl/common/custom-ca.yaml b/tests/kuttl/common/custom-ca.yaml new file mode 100644 index 000000000..65ddf95e4 --- /dev/null +++ b/tests/kuttl/common/custom-ca.yaml 
@@ -0,0 +1,10 @@
+# Secret to test the custom CA cert added to the bundle deployed by the os-operator
+apiVersion: v1
+kind: Secret
+type: Opaque
+metadata:
+ name: ca-custom-kuttl
+ labels:
+ combined-ca-bundle: ""
+data:
+ ca-custom-kuttl.pem: 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
diff --git a/tests/kuttl/common/custom-internal-issuer.yaml b/tests/kuttl/common/custom-internal-issuer.yaml
new file mode 100644
index 000000000..84d6f7505
--- /dev/null
+++ b/tests/kuttl/common/custom-internal-issuer.yaml
@@ -0,0 +1,26 @@
+# Create a custom Issuer
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+ name: rootca-internal-custom
+spec:
+ ca:
+ secretName: rootca-internal-custom
+
+---
+# Create the CA for the custom issuer
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: rootca-internal-custom
+spec:
+ commonName: rootca-internal-custom
+ isCA: true
+ duration: 87600h
+ privateKey:
+ algorithm: ECDSA
+ size: 256
+ issuerRef:
+ name: selfsigned-issuer
+ kind: Issuer
+ secretName: rootca-internal-custom
diff --git a/tests/kuttl/common/osp_endpoint_fingerprints.sh b/tests/kuttl/common/osp_endpoint_fingerprints.sh
new file mode 100755
index 000000000..354075eab
--- /dev/null
+++ b/tests/kuttl/common/osp_endpoint_fingerprints.sh
@@ -0,0 +1,16 @@
+#!/bin/bash
+
+set -x
+
+for url in $(openstack endpoint list -c URL -f value | awk -F/ '{print $3}'); do
+ # Extract the hostname and port
+ host_port=$(echo "$url" | sed -E 's|^[^:/]+://([^:/]+)(:([0-9]+))?.*|\1:\3|')
+
+ # If no port is specified, add :443
+ if [[ ! "$host_port" =~ :[0-9]+$ ]]; then
+ host_port="${host_port}:443"
+ fi
+
+ echo -n "$host_port - "
+ openssl s_client -connect $host_port < /dev/null 2>/dev/null | openssl x509 -fingerprint -noout -in /dev/stdin
+done
diff --git a/tests/kuttl/common/osp_internal_cert_issuer.sh b/tests/kuttl/common/osp_internal_cert_issuer.sh
new file mode 100755
index 000000000..d17776413
--- /dev/null
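Review bot: A failed TLS handshake goes unnoticed on the `openssl s_client ... | openssl x509 -fingerprint` line of osp_endpoint_fingerprints.sh, because the script sets only `set -x` and discards the `s_client` stderr. The endpoint then contributes a bare `host:port - ` prefix with no fingerprint and no newline, which runs into the next entry. The later before/after comparison treats any changed line as a rotated certificate, so an endpoint that is unreachable in one of the two runs can be counted as rotated. Capture the fingerprint first and fail when it is empty, e.g. `fp=$(...); [ -n "$fp" ] || exit 1`, and quote `"$host_port"` in the `-connect` argument. Since `awk -F/ '{print $3}'` already strips the scheme, the `sed` expression looks like it never matches and passes its input through unchanged; it deserves a comment or removal.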
+++ b/tests/kuttl/common/osp_internal_cert_issuer.sh @@ -0,0 +1,32 @@ +#!/bin/bash + +set -x + +EXPECTED_ISSUER="issuer=CN=rootca-internal-custom" +ISSUER_MISMATCHES="" +ALL_MATCHED=1 + +for url in $(openstack endpoint list -c URL -f value | grep 'svc'); do + # Extract the hostname and port + host_port=$(echo "$url" | sed -E 's|^[^:/]+://([^:/]+)(:([0-9]+))?.*|\1:\3|') + + # If no port is specified, add :443 + if [[ ! "$host_port" =~ :[0-9]+$ ]]; then + host_port="${host_port}:443" + fi + + echo "Checking $host_port ..." + ISSUER=$(openssl s_client -connect $host_port < /dev/null 2>/dev/null | openssl x509 -issuer -noout -in /dev/stdin) + if [[ "$ISSUER" != "$EXPECTED_ISSUER" ]]; then + ISSUER_MISMATCHES+="$host_port issued by $ISSUER, expected $EXPECTED_ISSUER\n" + ALL_MATCHED=0 + fi +done + +if [ "$ALL_MATCHED" -eq 1 ]; then + echo "All internal certificates match the custom issuer $EXPECTED_ISSUER" + exit 0 +else + echo -e "Mismatched issuers found:\n$ISSUER_MISMATCHES" + exit 1 +fi diff --git a/tests/kuttl/tests/basic-deployment/01-deploy-openstack.yaml b/tests/kuttl/tests/basic-deployment/01-deploy-openstack.yaml index 67c4eb347..6c9d0887d 100644 --- a/tests/kuttl/tests/basic-deployment/01-deploy-openstack.yaml +++ b/tests/kuttl/tests/basic-deployment/01-deploy-openstack.yaml @@ -2,4 +2,4 @@ apiVersion: kuttl.dev/v1beta1 kind: TestStep commands: - script: | - oc apply -n $NAMESPACE -f ../../../../config/samples/core_v1beta1_openstackcontrolplane.yaml + oc kustomize ../../../../config/samples/base/openstackcontrolplane | oc apply -n $NAMESPACE -f - diff --git a/tests/kuttl/tests/basic-deployment/02-assert-custom-cacert.yaml b/tests/kuttl/tests/basic-deployment/02-assert-custom-cacert.yaml new file mode 100644 index 000000000..49a683d3e --- /dev/null +++ b/tests/kuttl/tests/basic-deployment/02-assert-custom-cacert.yaml 
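Review bot: osp_internal_cert_issuer.sh passes when no endpoint was tested: `ALL_MATCHED=1` is the starting value, so if `openstack endpoint list` fails or `grep 'svc'` matches nothing, the loop body never runs and the script exits 0. Count the endpoints checked and fail on zero, e.g. `[ "$CHECKED" -gt 0 ] || { echo "no internal endpoints found"; exit 1; }`. The comparison is also on the issuer name as text only, so it does not verify the chain against the custom CA. The text layout of `-issuer` output differs between OpenSSL versions, so consider pinning it with `-nameopt RFC2253` or verifying against the CA certificate instead.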
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: ca-custom-kuttl
+---
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+ name: rootca-internal-custom
+spec:
+ ca:
+ secretName: rootca-internal-custom
diff --git a/tests/kuttl/tests/basic-deployment/02-deploy-custom-cacert-and-issuer.yaml b/tests/kuttl/tests/basic-deployment/02-deploy-custom-cacert-and-issuer.yaml
new file mode 100644
index 000000000..e807c0b06
--- /dev/null
+++ b/tests/kuttl/tests/basic-deployment/02-deploy-custom-cacert-and-issuer.yaml
@@ -0,0 +1,6 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+ - script: |
+ oc apply -n $NAMESPACE -f ../../common/custom-ca.yaml
+ oc apply -n $NAMESPACE -f ../../common/custom-internal-issuer.yaml
diff --git a/tests/kuttl/tests/basic-deployment/03-assert-deploy-tls-changes.yaml b/tests/kuttl/tests/basic-deployment/03-assert-deploy-tls-changes.yaml
new file mode 100644
index 000000000..9a9f150bc
--- /dev/null
+++ b/tests/kuttl/tests/basic-deployment/03-assert-deploy-tls-changes.yaml
@@ -0,0 +1,128 @@
+apiVersion: core.openstack.org/v1beta1
+kind: OpenStackControlPlane
+metadata:
+ name: openstack
+spec:
+ tls:
+ ingress:
+ ca:
+ duration: 1000h0m0s
+ cert:
+ duration: 500h0m0s
+ enabled: true
+ podLevel:
+ enabled: true
+ internal:
+ ca:
+ duration: 1000h0m0s
+ cert:
+ duration: 500h0m0s
+ libvirt:
+ ca:
+ duration: 1000h0m0s
+ cert:
+ duration: 500h0m0s
+ ovn:
+ ca:
+ duration: 1000h0m0s
+ cert:
+ duration: 500h0m0s
+ caBundleSecretName: ca-custom-kuttl
+status:
+ conditions:
+ - message: Setup complete
+ reason: Ready
+ status: "True"
+ type: Ready
+ - message: OpenStackControlPlane Barbican completed
+ reason: Ready
+ status: "True"
+ type: OpenStackControlPlaneBarbicanReady
+ - message: OpenStackControlPlane CAs completed
+ reason: Ready
+ status: "True"
+ type: OpenStackControlPlaneCAReadyCondition
+ - message: OpenStackControlPlane Cinder completed
+ reason: Ready
+ status: "True"
+ type: OpenStackControlPlaneCinderReady
+ - message: OpenStackControlPlane Client completed
+ reason: Ready
+ status: "True"
+ type: OpenStackControlPlaneClientReady
+ - message: OpenStackControlPlane barbican service exposed
+ reason: Ready
+ status: "True"
+ type: OpenStackControlPlaneExposeBarbicanReady
+ - message: OpenStackControlPlane cinder service exposed
+ reason: Ready
+ status: "True"
+ type: OpenStackControlPlaneExposeCinderReady
+ - message: OpenStackControlPlane glance service exposed
+ reason: Ready
+ status: "True"
+ type: OpenStackControlPlaneExposeGlanceReady
+ - message: OpenStackControlPlane keystone service exposed
+ reason: Ready
+ status: "True"
+ type: OpenStackControlPlaneExposeKeystoneAPIReady
+ - message: OpenStackControlPlane neutron service exposed
+ reason: Ready
+ status: "True"
+ type: OpenStackControlPlaneExposeNeutronReady
+ - message: OpenStackControlPlane nova service exposed
+ reason: Ready
+ status: "True"
+ type: OpenStackControlPlaneExposeNovaReady
+ - message: OpenStackControlPlane placement service exposed
+ reason: Ready
+ status: "True"
+ type: OpenStackControlPlaneExposePlacementAPIReady
+ - message: OpenStackControlPlane swift service exposed
+ reason: Ready
+ status: "True"
+ type: OpenStackControlPlaneExposeSwiftReady
+ - message: OpenStackControlPlane Glance completed
+ reason: Ready
+ status: "True"
+ type: OpenStackControlPlaneGlanceReady
+ - message: OpenStackControlPlane KeystoneAPI completed
+ reason: Ready
+ status: "True"
+ type: OpenStackControlPlaneKeystoneAPIReady
+ - message: OpenStackControlPlane MariaDB completed
+ reason: Ready
+ status: "True"
+ type: OpenStackControlPlaneMariaDBReady
+ - message: OpenStackControlPlane Memcached completed
+ reason: Ready
+ status: "True"
+ type: OpenStackControlPlaneMemcachedReady
+ - message: OpenStackControlPlane Neutron completed
+ reason: Ready
+ status: "True"
+ type: OpenStackControlPlaneNeutronReady
+ - message: OpenStackControlPlane Nova completed
+ reason: Ready
+ status: "True"
+ type: OpenStackControlPlaneNovaReady
+ - message: OpenStackControlPlane OVN completed
+ reason: Ready
+ status: "True"
+ type: OpenStackControlPlaneOVNReady
+ - message: OpenStackControlPlane PlacementAPI completed
+ reason: Ready
+ status: "True"
+ type: OpenStackControlPlanePlacementAPIReady
+ - message: OpenStackControlPlane RabbitMQ completed
+ reason: Ready
+ status: "True"
+ type: OpenStackControlPlaneRabbitMQReady
+ - message: OpenStackControlPlane Swift completed
+ reason: Ready
+ status: "True"
+ type: OpenStackControlPlaneSwiftReady
+ - message: OpenStackControlPlane Telemetry completed
+ reason: Ready
+ status: "True"
+ type: OpenStackControlPlaneTelemetryReady
diff --git a/tests/kuttl/tests/basic-deployment/03-deploy-tls-changes.yaml b/tests/kuttl/tests/basic-deployment/03-deploy-tls-changes.yaml
new file mode 100644
index 000000000..e53634ae6
--- /dev/null
+++ b/tests/kuttl/tests/basic-deployment/03-deploy-tls-changes.yaml
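Review bot: The asserted `internal` / `ca` block in 03-assert-deploy-tls-changes.yaml lists only `duration`, while the applied sample under `config/samples/tls/custom_tls_config` also sets `customIssuer: rootca-internal-custom` there. kuttl asserts match a subset of the object, so this step passes whether or not the custom issuer was stored on the resource. Adding `customIssuer: rootca-internal-custom` under `internal.ca` would make the assert cover the field this test is about.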
@@ -0,0 +1,5 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+ - script: |
+ oc kustomize ../../../../config/samples/tls/custom_tls_config | oc apply -n $NAMESPACE -f -
diff --git a/tests/kuttl/tests/basic-deployment/04-assert-service-ready.yaml b/tests/kuttl/tests/basic-deployment/04-assert-service-ready.yaml
new file mode 100644
index 000000000..cd8e095f8
--- /dev/null
+++ b/tests/kuttl/tests/basic-deployment/04-assert-service-ready.yaml
@@ -0,0 +1,6 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestAssert
+commands:
+ - script: |
+ echo "Waiting for OpenStack control plane to be ready..."
+ oc wait openstackcontrolplane -n $NAMESPACE --for=condition=Ready --timeout=400s -l core.openstack.org/openstackcontrolplane
diff --git a/tests/kuttl/tests/basic-deployment/04-rotate-service-certs.yaml b/tests/kuttl/tests/basic-deployment/04-rotate-service-certs.yaml
new file mode 100644
index 000000000..86c65769c
--- /dev/null
+++ b/tests/kuttl/tests/basic-deployment/04-rotate-service-certs.yaml
@@ -0,0 +1,15 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+ - script: |
+ echo "Waiting for OpenStack control plane to be ready..."
+ oc wait openstackcontrolplane -n $NAMESPACE --for=condition=Ready --timeout=400s -l core.openstack.org/openstackcontrolplane
+
+ - script: |
+ echo "Get fingerprints of all service certs"
+ oc exec -i openstackclient -n $NAMESPACE -- bash -s < ../../common/osp_endpoint_fingerprints.sh > /tmp/endpoint_fingerprints_before
+
+ - script: |
+ echo "Deleting secrets..."
+ oc get secret -l service-cert -n $NAMESPACE -o name > /tmp/deleted-secrets.txt
+ oc delete secret -l service-cert -n $NAMESPACE
diff --git a/tests/kuttl/tests/basic-deployment/05-assert-service-cert-rotation.yaml b/tests/kuttl/tests/basic-deployment/05-assert-service-cert-rotation.yaml
new file mode 100644
index 000000000..37da8e999
--- /dev/null
+++ b/tests/kuttl/tests/basic-deployment/05-assert-service-cert-rotation.yaml
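Review bot: The baseline written to `/tmp/endpoint_fingerprints_before` in 04-rotate-service-certs.yaml is never checked, so an `oc exec` failure leaves an empty file. The later `grep -qF "$fp" /tmp/endpoint_fingerprints_before` comparison then finds no match, which reads as every certificate having rotated. Fail the step when the baseline is empty, e.g. `[ -s /tmp/endpoint_fingerprints_before ] || exit 1` right after the `oc exec`. The fixed file names under `/tmp` can also pick up a stale file or collide with a parallel run on a shared runner; a path that includes `$NAMESPACE` would avoid that.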
@@ -0,0 +1,30 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestAssert
+timeout: 30
+commands:
+ # FIX PWD after kuttl#519 released
+ - script: |
+ echo "Get fingerprints of all service certs"
+ echo "PWD $PWD"
+ BASE_DIR=$(pwd)
+ SCRIPT_PATH="$BASE_DIR/out/operator/openstack-operator/tests/kuttl/common/osp_endpoint_fingerprints.sh"
+ oc exec -i openstackclient -n $NAMESPACE -- bash -s < $SCRIPT_PATH > /tmp/endpoint_fingerprints_after
+
+ - script: |
+ echo "Check fingerprints"
+ any_cert_not_rotated=0
+ while IFS= read -r fp; do
+ if grep -qF "$fp" /tmp/endpoint_fingerprints_before; then
+ echo "Cert not rotated - $fp"
+ any_cert_not_rotated=1
+ fi
+ done < /tmp/endpoint_fingerprints_after
+
+ - script: |
+ if [ "$any_cert_not_rotated" -eq 1 ]; then
+ echo "Some certificates were not rotated"
+ exit 1
+ else
+ echo "All certificates were rotated successfully"
+ exit 0
+ fi
diff --git a/tests/kuttl/tests/basic-deployment/06-assert-custom-ca.yaml b/tests/kuttl/tests/basic-deployment/06-assert-custom-ca.yaml
new file mode 100644
index 000000000..1acd084b0
--- /dev/null
+++ b/tests/kuttl/tests/basic-deployment/06-assert-custom-ca.yaml
@@ -0,0 +1,14 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestAssert
+commands:
+ - script: |
+ echo "Checking ca-custom-kuttl.pem is present in combined-ca-bundle..."
+ CUSTOM_CERT_CONTENT=$(oc get secret ca-custom-kuttl -n $NAMESPACE -o jsonpath="{.data['ca-custom-kuttl\.pem']}" | base64 --decode | tr -d '\n')
+ TLS_BUNDLE_CONTENT=$(oc get secret combined-ca-bundle -n $NAMESPACE -o jsonpath="{.data['tls-ca-bundle\.pem']}" | base64 --decode | tr -d '\n')
+ if [[ "$TLS_BUNDLE_CONTENT" == *"$CUSTOM_CERT_CONTENT"* ]]; then
+ echo "OK"
+ exit 0
+ else
+ echo "Not present"
+ exit 1
+ fi
diff --git a/tests/kuttl/tests/basic-deployment/07-assert-custom-issuer.yaml b/tests/kuttl/tests/basic-deployment/07-assert-custom-issuer.yaml
new file mode 100644
index 000000000..46a46e285
--- /dev/null
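Review bot: The last `script` entry of 05-assert-service-cert-rotation.yaml reads `any_cert_not_rotated`, which is set in the previous `script` entry. kuttl appears to run each entry in its own shell, so the variable is empty there, `[ "" -eq 1 ]` errors out, and the `else` branch reports success. As written, the rotation assert cannot fail even when every fingerprint is unchanged. Merge the comparison loop and the final `if` into one `script` block by dropping the third `- script: |` line. Also fail when the new capture is empty, e.g. `[ -s /tmp/endpoint_fingerprints_after ] || exit 1`.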
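Review bot: The substring test `[[ "$TLS_BUNDLE_CONTENT" == *"$CUSTOM_CERT_CONTENT"* ]]` in 06-assert-custom-ca.yaml succeeds when `CUSTOM_CERT_CONTENT` is empty. A failed `oc get secret ca-custom-kuttl`, or a missing `ca-custom-kuttl.pem` key, therefore prints OK. Guard the comparison with `[ -n "$CUSTOM_CERT_CONTENT" ] || { echo "custom CA not found"; exit 1; }` before the `if`. `[[ ... ]]` is a bash construct, so if kuttl runs these scripts with a plain `sh`, confirm it behaves as intended on the CI image.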
+++ b/tests/kuttl/tests/basic-deployment/07-assert-custom-issuer.yaml @@ -0,0 +1,10 @@ +apiVersion: kuttl.dev/v1beta1 +kind: TestAssert +timeout: 30 +commands: + - script: | + echo "Checking issuer of internal certificates..." + echo "PWD $PWD" + BASE_DIR=$(pwd) + SCRIPT_PATH="$BASE_DIR/out/operator/openstack-operator/tests/kuttl/common/osp_internal_cert_issuer.sh" + oc exec -i openstackclient -n $NAMESPACE -- bash -s < $SCRIPT_PATH diff --git a/tests/kuttl/tests/basic-deployment/02-cleanup.yaml b/tests/kuttl/tests/basic-deployment/08-cleanup.yaml similarity index 90% rename from tests/kuttl/tests/basic-deployment/02-cleanup.yaml rename to tests/kuttl/tests/basic-deployment/08-cleanup.yaml index 41d34afad..a8bb50add 100644 --- a/tests/kuttl/tests/basic-deployment/02-cleanup.yaml +++ b/tests/kuttl/tests/basic-deployment/08-cleanup.yaml @@ -3,7 +3,7 @@ kind: TestStep delete: - apiVersion: core.openstack.org/v1beta1 kind: OpenStackControlPlane - name: openstack-basic + name: openstack commands: - script: | oc delete --ignore-not-found=true -n $NAMESPACE pvc \ diff --git a/tests/kuttl/tests/basic-deployment/02-errors-cleanup.yaml b/tests/kuttl/tests/basic-deployment/08-errors-cleanup.yaml similarity index 100% rename from tests/kuttl/tests/basic-deployment/02-errors-cleanup.yaml rename to tests/kuttl/tests/basic-deployment/08-errors-cleanup.yaml