commit 3d1ae2c49cc0ddb6e8ec94a619afb4a394353733 Author: Felipe Reyes Date: Tue Jul 19 17:50:32 2022 -0400 Initial import
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..89b61c9
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,7 @@
+venv/
+build/
+*.charm
+.tox/
+.coverage
+__pycache__/
+*.py[cod]
diff --git a/.jujuignore b/.jujuignore
new file mode 100644
index 0000000..6ccd559
--- /dev/null
+++ b/.jujuignore
@@ -0,0 +1,3 @@
+/venv
+*.py[cod]
+*.charm
diff --git a/.zuul.yaml b/.zuul.yaml
new file mode 100644
index 0000000..7ffc71c
--- /dev/null
+++ b/.zuul.yaml
@@ -0,0 +1,4 @@
+- project:
+ templates:
+ - openstack-python3-charm-yoga-jobs
+ - openstack-cover-jobs
diff --git a/LICENSE b/LICENSE
new file mode 100644
index 0000000..d645695
--- /dev/null
+++ b/LICENSE
@@ -0,0 +1,202 @@ + + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. 
For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. 
Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of 
the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. 
Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. 
+ + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright [yyyy] [name of copyright owner] + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/README.md b/README.md new file mode 100644 index 0000000..234cb9b --- /dev/null +++ b/README.md 
@@ -0,0 +1,44 @@
+# Overview
+
+This subordinate charm provides a way to integrate a Open ID Connect based
+identity provider with Keystone using
+[mod_auth_openidc](https://github.com/zmartzone/mod_auth_openidc). Apache
+operates as a OpenID Connect Relaying Party towards an OpenID Connect
+Provider.
+
+# Usage
+
+Use this charm with the [Keystone charm](https://charmhub.io/keystone):
+
+ juju deploy keystone
+ juju deploy openstack-dashboard
+ juju deploy keystone-openidc
+ juju add-relation keystone:keystone-fid-service-provider keystone-openidc:keystone-fid-service-provider
+ juju add-relation openstack-dashboard:websso-fid-service-provider keystone-openidc:websso-fid-service-provider
+
+
+In a bundle:
+
+```yaml
+applications:
+ keystone-openidc:
+ charm: ch:keystone-openid
+ num_units: 0
+relations:
+- - keystone:keystone-fid-service-provider
+ - keystone-openidc:keystone-fid-service-provider
+```
+
+# Prerequisites
+
+
+# Bugs
+
+Please report bugs on [Launchpad][lp-bugs-charm-keystone-openidc].
+
+For general charm questions refer to the [OpenStack Charm Guide][cg].
+
+
+
+[cg]: https://docs.openstack.org/charm-guide
+[lp-bugs-charm-keystone-openidc]: https://bugs.launchpad.net/charm-keystone-openidc/+filebug
diff --git a/build-requirements.txt b/build-requirements.txt
new file mode 100644
index 0000000..e69de29
diff --git a/charmcraft.yaml b/charmcraft.yaml
new file mode 100644
index 0000000..2109518
--- /dev/null
+++ b/charmcraft.yaml
@@ -0,0 +1,21 @@
+type: charm
+
+parts:
+ charm:
+ build-packages:
+ - git
+
+bases:
+ - build-on:
+ - name: ubuntu
+ channel: "20.04"
+ architectures: [amd64]
+ run-on:
+ - name: ubuntu
+ channel: "20.04"
+ architectures: [amd64, s390x, ppc64el, arm64]
+ run-on:
+ - name: ubuntu
+ channel: "22.04"
+ architectures: [amd64, s390x, ppc64el, arm64]
+
diff --git a/config.yaml b/config.yaml
new file mode 100644
index 0000000..086d02c
--- /dev/null
+++ b/config.yaml
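Review bot: The `bases` entry in charmcraft.yaml appears to carry the `run-on:` key twice, once for Ubuntu 20.04 and once for 22.04. Indentation is not recoverable on this page, but with a single `- build-on:` item both keys seem to sit in the same mapping; YAML mapping keys are meant to be unique, and many loaders keep only the last value, which would leave 20.04 out of the run-on list even though metadata.yaml lists `focal`. Dropping the second `run-on:` line, so that the 22.04 `- name: ubuntu` item becomes a second entry of the first list, would state both targets explicitly.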
@@ -0,0 +1,5 @@
+options:
+ debug:
+ default: False
+ description: Enable debugging.
+ type: boolean
diff --git a/metadata.yaml b/metadata.yaml
new file mode 100644
index 0000000..3a4fb49
--- /dev/null
+++ b/metadata.yaml
@@ -0,0 +1,31 @@
+name: keystone-openidc
+subordinate: true
+maintainer: OpenStack Charmers
+display-name: Keystone OpenID Connect
+summary: Federated identity with OpenID Connect for Keystone
+description: |
+ This subordinate charm provides a way to integrate a Open ID Connect based
+ identity provider with Keystone using
+ [mod_auth_openidc](https://github.com/zmartzone/mod_auth_openidc). Apache
+ operates as a OpenID Connect Relaying Party towards an OpenID Connect
+ Provider.
+
+tags:
+ - openstack
+ - identity
+ - federation
+ - openidc
+series:
+ - focal
+ - jammy
+provides:
+ keystone-fid-service-provider:
+ interface: keystone-fid-service-provider
+ scope: container
+ websso-fid-service-provider:
+ interface: websso-fid-service-provider
+ scope: global
+requires:
+ container:
+ interface: juju-info
+ scope: container
diff --git a/osci.yaml b/osci.yaml
new file mode 100644
index 0000000..cebbab8
--- /dev/null
+++ b/osci.yaml
@@ -0,0 +1,9 @@
+- project:
+ templates:
+ - charm-yoga-unit-jobs
+ - charm-xena-functional-jobs
+ - charm-yoga-functional-jobs
+ vars:
+ needs_charm_build: true
+ charm_build_name: keystone-openidc
+ build_type: charmcraft
diff --git a/rename.sh b/rename.sh
new file mode 100755
index 0000000..d0c35c9
--- /dev/null
+++ b/rename.sh
@@ -0,0 +1,13 @@
+#!/bin/bash
+charm=$(grep "charm_build_name" osci.yaml | awk '{print $2}')
+echo "renaming ${charm}_*.charm to ${charm}.charm"
+echo -n "pwd: "
+pwd
+ls -al
+echo "Removing bad downloaded charm maybe?"
+if [[ -e "${charm}.charm" ]];
+then
+ rm "${charm}.charm"
+fi
+echo "Renaming charm here."
+mv ${charm}_*.charm ${charm}.charm
diff --git a/requirements.txt b/requirements.txt
new file mode 100644
index 0000000..b8a4bc5
--- /dev/null
+++ b/requirements.txt
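Review bot: In rename.sh the value of `charm` comes from a `grep | awk` pipeline and is never checked, and the final `mv ${charm}_*.charm ${charm}.charm` expands it unquoted. If `charm_build_name` is missing from osci.yaml the variable is empty and the script goes on to operate on `_*.charm` and `.charm`; there is also no `set -e`, so a failing earlier command does not stop the script. I would add `set -euo pipefail` after the shebang, fail early with `[[ -n "${charm}" ]] || exit 1`, and quote the expansion as `mv -- "${charm}"_*.charm "${charm}.charm"`.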
@@ -0,0 +1 @@
+ops>=1.5.0
diff --git a/src/charm.py b/src/charm.py
new file mode 100755
index 0000000..6157007
--- /dev/null
+++ b/src/charm.py
@@ -0,0 +1,43 @@
+#!/usr/bin/env python3
+# Copyright 2022 Felipe
+# See LICENSE file for licensing details.
+#
+# Learn more at: https://juju.is/docs/sdk
+
+"""Charm the service.
+
+Refer to the following post for a quick-start guide that will help you
+develop a new k8s charm using the Operator Framework:
+
+ https://discourse.charmhub.io/t/4208
+"""
+
+import logging
+
+from ops.charm import CharmBase
+from ops.framework import StoredState
+from ops.main import main
+from ops.model import ActiveStatus
+
+logger = logging.getLogger(__name__)
+
+
+class KeystoneOpenidcCharm(CharmBase):
+ """Charm the service."""
+
+ _stored = StoredState()
+
+ def __init__(self, *args):
+ super().__init__(*args)
+ self.framework.observe(self.on.install, self._on_install)
+ self.framework.observe(self.on.config_changed, self._on_config_changed)
+
+ def _on_config_changed(self, _):
+ pass
+
+ def _on_install(self, event):
+ pass
+
+
+if __name__ == "__main__":
+ main(KeystoneOpenidcCharm)
diff --git a/test-requirements.txt b/test-requirements.txt
new file mode 100644
index 0000000..a98a042
--- /dev/null
+++ b/test-requirements.txt
@@ -0,0 +1,4 @@
+coverage
+flake8
+git+https://github.com/openstack-charmers/zaza.git#egg=zaza
+git+https://github.com/openstack-charmers/zaza-openstack-tests.git#egg=zaza.openstack
diff --git a/tests/README.md b/tests/README.md
new file mode 100644
index 0000000..d002a1e
--- /dev/null
+++ b/tests/README.md
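Review bot: `ActiveStatus` is imported and `_stored = StoredState()` is declared in src/charm.py, but neither is used, and both `_on_install` and `_on_config_changed` are bare `pass`. flake8 is listed in test-requirements.txt, so the unused import will presumably be reported once lint runs. Until the handlers do real work I would drop the import and the `_stored` attribute, and replace the template docstring (it still points at the k8s quick-start post) with something like `"""Keystone OpenID Connect subordinate charm."""`. The `debug` option declared in config.yaml is likewise not read anywhere in this file.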
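Review bot: Both zaza lines in test-requirements.txt install from the head of the repository's default branch, because the `git+https://` URLs carry no revision. Whatever is on that branch at job time gets executed in the test environment, and a run cannot be reproduced later. Pinning each URL to a reviewed tag or commit, e.g. `git+https://github.com/openstack-charmers/zaza.git@<reviewed-commit-sha>#egg=zaza`, keeps the functional jobs deterministic. The same reasoning applies to the unbounded `ops>=1.5.0` in requirements.txt, where an upper bound or a constraints file would limit surprise upgrades.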
@@ -0,0 +1,18 @@
+# Overview
+
+This directory provides Zaza test definitions and bundles to verify basic
+deployment functionality from the perspective of this charm, its requirements
+and its features, as exercised in a subset of the full OpenStack deployment
+test bundle topology.
+
+Run the smoke tests with:
+
+```bash
+cd ../
+tox -e build
+tox -e func-smoke
+```
+
+For full details on functional testing of OpenStack charms please refer to
+the [functional testing](https://docs.openstack.org/charm-guide/latest/reference/testing.html#functional-testing)
+section of the OpenStack Charm Guide.
diff --git a/tests/bundles/focal-xena.yaml b/tests/bundles/focal-xena.yaml
new file mode 100644
index 0000000..00a702d
--- /dev/null
+++ b/tests/bundles/focal-xena.yaml
@@ -0,0 +1,304 @@ +variables: + openstack-origin: &openstack-origin cloud:focal-xena + +local_overlay_enabled: False + +series: focal + +comment: +- 'machines section to decide order of deployment. database sooner = faster' +machines: + '0': + constraints: mem=3072M + '1': + constraints: mem=3072M + '2': + constraints: mem=3072M + +applications: + + keystone-mysql-router: + charm: ch:mysql-router + channel: latest/edge + neutron-api-mysql-router: + charm: ch:mysql-router + channel: latest/edge + glance-mysql-router: + charm: ch:mysql-router + channel: latest/edge + openstack-dashboard-mysql-router: + charm: ch:mysql-router + channel: latest/edge + nova-cloud-controller-mysql-router: + charm: ch:mysql-router + channel: latest/edge + cinder-mysql-router: + charm: ch:mysql-router + channel: latest/edge + vault-mysql-router: + charm: ch:mysql-router + channel: latest/edge + placement-mysql-router: + charm: ch:mysql-router + channel: latest/edge + + mysql-innodb-cluster: + charm: ch:mysql-innodb-cluster + num_units: 3 + options: + source: *openstack-origin + to: + - '0' + - '1' + - '2' + channel: latest/edge + + cinder: + num_units: 1 + charm: ch:cinder + options: + openstack-origin: *openstack-origin + glance-api-version: 2 + block-device: None + channel: latest/edge + + glance: + charm: ch:glance + num_units: 1 + options: + openstack-origin: *openstack-origin + channel: latest/edge + + keystone: + charm: ch:keystone + num_units: 3 + options: + openstack-origin: *openstack-origin + token-provider: 'fernet' + channel: latest/edge + + neutron-api: + charm: ch:neutron-api + num_units: 1 + options: + openstack-origin: *openstack-origin + manage-neutron-plugin-legacy-mode: true + flat-network-providers: physnet1 + neutron-security-groups: true + channel: latest/edge + + neutron-gateway: + charm: ch:neutron-gateway + num_units: 1 + options: + openstack-origin: *openstack-origin + bridge-mappings: physnet1:br-ex + channel: latest/edge + + neutron-openvswitch: + charm: 
ch:neutron-openvswitch + num_units: 0 + channel: latest/edge + + nova-cloud-controller: + charm: ch:nova-cloud-controller + num_units: 1 + options: + openstack-origin: *openstack-origin + network-manager: Neutron + channel: latest/edge + + nova-compute: + charm: ch:nova-compute + num_units: 2 + options: + openstack-origin: *openstack-origin + config-flags: default_ephemeral_format=ext4 + enable-live-migration: true + enable-resize: true + migration-auth-type: ssh + channel: latest/edge + + ntp: + charm: ch:ntp + num_units: 0 + + openstack-dashboard: + charm: ch:openstack-dashboard + num_units: 3 + options: + openstack-origin: *openstack-origin + channel: latest/edge + + rabbitmq-server: + charm: ch:rabbitmq-server + num_units: 1 + options: + source: *openstack-origin + channel: latest/edge + + vault: + num_units: 1 + charm: ch:vault + channel: latest/edge + + placement: + charm: ch:placement + num_units: 1 + options: + openstack-origin: *openstack-origin + channel: latest/edge + + keystone-openidc: + charm: ../../keystone-openidc.charm + num_units: 0 + +relations: + + - - 'nova-compute:amqp' + - 'rabbitmq-server:amqp' + + - - 'neutron-gateway:amqp' + - 'rabbitmq-server:amqp' + + - - 'keystone:shared-db' + - 'keystone-mysql-router:shared-db' + - - 'keystone-mysql-router:db-router' + - 'mysql-innodb-cluster:db-router' + + - - 'nova-cloud-controller:identity-service' + - 'keystone:identity-service' + + - - 'glance:identity-service' + - 'keystone:identity-service' + + - - 'neutron-api:identity-service' + - 'keystone:identity-service' + + - - 'neutron-openvswitch:neutron-plugin-api' + - 'neutron-api:neutron-plugin-api' + + - - 'neutron-api:shared-db' + - 'neutron-api-mysql-router:shared-db' + - - 'neutron-api-mysql-router:db-router' + - 'mysql-innodb-cluster:db-router' + + - - 'neutron-api:amqp' + - 'rabbitmq-server:amqp' + + - - 'neutron-gateway:neutron-plugin-api' + - 'neutron-api:neutron-plugin-api' + + - - 'glance:shared-db' + - 'glance-mysql-router:shared-db' + - - 
'glance-mysql-router:db-router' + - 'mysql-innodb-cluster:db-router' + + - - 'glance:amqp' + - 'rabbitmq-server:amqp' + + - - 'nova-cloud-controller:image-service' + - 'glance:image-service' + + - - 'nova-compute:image-service' + - 'glance:image-service' + + - - 'nova-cloud-controller:cloud-compute' + - 'nova-compute:cloud-compute' + + - - 'nova-cloud-controller:amqp' + - 'rabbitmq-server:amqp' + + - - 'nova-cloud-controller:quantum-network-service' + - 'neutron-gateway:quantum-network-service' + + - - 'nova-compute:neutron-plugin' + - 'neutron-openvswitch:neutron-plugin' + + - - 'neutron-openvswitch:amqp' + - 'rabbitmq-server:amqp' + + - - 'openstack-dashboard:identity-service' + - 'keystone:identity-service' + + - - 'openstack-dashboard:shared-db' + - 'openstack-dashboard-mysql-router:shared-db' + - - 'openstack-dashboard-mysql-router:db-router' + - 'mysql-innodb-cluster:db-router' + + - - 'nova-cloud-controller:shared-db' + - 'nova-cloud-controller-mysql-router:shared-db' + - - 'nova-cloud-controller-mysql-router:db-router' + - 'mysql-innodb-cluster:db-router' + + - - 'nova-cloud-controller:neutron-api' + - 'neutron-api:neutron-api' + + - - 'cinder:image-service' + - 'glance:image-service' + + - - 'cinder:amqp' + - 'rabbitmq-server:amqp' + + - - 'cinder:identity-service' + - 'keystone:identity-service' + + - - 'cinder:cinder-volume-service' + - 'nova-cloud-controller:cinder-volume-service' + + - - 'cinder:shared-db' + - 'cinder-mysql-router:shared-db' + - - 'cinder-mysql-router:db-router' + - 'mysql-innodb-cluster:db-router' + + - - 'ntp:juju-info' + - 'nova-compute:juju-info' + + - - 'ntp:juju-info' + - 'neutron-gateway:juju-info' + + - - 'keystone' + - 'keystone-openidc' + + - - 'vault:shared-db' + - 'vault-mysql-router:shared-db' + - - 'vault-mysql-router:db-router' + - 'mysql-innodb-cluster:db-router' + + - - 'vault:certificates' + - 'keystone:certificates' + + - - 'vault:certificates' + - 'glance:certificates' + + - - 'vault:certificates' + - 
'openstack-dashboard:certificates' + + - - 'openstack-dashboard' + - 'keystone-openidc' + + - - 'keystone:websso-trusted-dashboard' + - 'openstack-dashboard:websso-trusted-dashboard' + + - - 'vault:certificates' + - 'cinder:certificates' + + - - 'vault:certificates' + - 'neutron-api:certificates' + + - - 'vault:certificates' + - 'nova-cloud-controller:certificates' + + - - 'placement:identity-service' + - 'keystone:identity-service' + + - - 'placement:placement' + - 'nova-cloud-controller:placement' + + - - 'vault:certificates' + - 'placement:certificates' + + - - "placement:shared-db" + - "placement-mysql-router:shared-db" + - - "placement-mysql-router:db-router" + - "mysql-innodb-cluster:db-router" diff --git a/tests/bundles/focal-yoga.yaml b/tests/bundles/focal-yoga.yaml new file mode 100644 index 0000000..cfec29f --- /dev/null +++ b/tests/bundles/focal-yoga.yaml 
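Review bot: The two relations that involve the charm under test, `- - 'keystone'` / `- 'keystone-openidc'` and `- - 'openstack-dashboard'` / `- 'keystone-openidc'`, are the only ones in this bundle that do not name their endpoints. metadata.yaml gives keystone-openidc three endpoints (`keystone-fid-service-provider`, `websso-fid-service-provider` and the juju-info `container`), so which pair gets related is left to Juju's inference. Spelling them out as README.md does, `'keystone:keystone-fid-service-provider'` with `'keystone-openidc:keystone-fid-service-provider'` and `'openstack-dashboard:websso-fid-service-provider'` with `'keystone-openidc:websso-fid-service-provider'`, makes the test assert the federation relations explicitly. focal-yoga.yaml carries the same two entries, and jammy-yoga.yaml presumably does too (its relations section is cut off on this page).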
@@ -0,0 +1,304 @@ +variables: + openstack-origin: &openstack-origin cloud:focal-yoga + +local_overlay_enabled: False + +series: focal + +comment: +- 'machines section to decide order of deployment. database sooner = faster' +machines: + '0': + constraints: mem=3072M + '1': + constraints: mem=3072M + '2': + constraints: mem=3072M + +applications: + + keystone-mysql-router: + charm: ch:mysql-router + channel: latest/edge + neutron-api-mysql-router: + charm: ch:mysql-router + channel: latest/edge + glance-mysql-router: + charm: ch:mysql-router + channel: latest/edge + openstack-dashboard-mysql-router: + charm: ch:mysql-router + channel: latest/edge + nova-cloud-controller-mysql-router: + charm: ch:mysql-router + channel: latest/edge + cinder-mysql-router: + charm: ch:mysql-router + channel: latest/edge + vault-mysql-router: + charm: ch:mysql-router + channel: latest/edge + placement-mysql-router: + charm: ch:mysql-router + channel: latest/edge + + mysql-innodb-cluster: + charm: ch:mysql-innodb-cluster + num_units: 3 + options: + source: *openstack-origin + to: + - '0' + - '1' + - '2' + channel: latest/edge + + cinder: + num_units: 1 + charm: ch:cinder + options: + openstack-origin: *openstack-origin + glance-api-version: 2 + block-device: None + channel: latest/edge + + glance: + charm: ch:glance + num_units: 1 + options: + openstack-origin: *openstack-origin + channel: latest/edge + + keystone: + charm: ch:keystone + num_units: 3 + options: + openstack-origin: *openstack-origin + token-provider: 'fernet' + channel: latest/edge + + neutron-api: + charm: ch:neutron-api + num_units: 1 + options: + openstack-origin: *openstack-origin + manage-neutron-plugin-legacy-mode: true + flat-network-providers: physnet1 + neutron-security-groups: true + channel: latest/edge + + neutron-gateway: + charm: ch:neutron-gateway + num_units: 1 + options: + openstack-origin: *openstack-origin + bridge-mappings: physnet1:br-ex + channel: latest/edge + + neutron-openvswitch: + charm: 
ch:neutron-openvswitch + num_units: 0 + channel: latest/edge + + nova-cloud-controller: + charm: ch:nova-cloud-controller + num_units: 1 + options: + openstack-origin: *openstack-origin + network-manager: Neutron + channel: latest/edge + + nova-compute: + charm: ch:nova-compute + num_units: 2 + options: + openstack-origin: *openstack-origin + config-flags: default_ephemeral_format=ext4 + enable-live-migration: true + enable-resize: true + migration-auth-type: ssh + channel: latest/edge + + ntp: + charm: ch:ntp + num_units: 0 + + openstack-dashboard: + charm: ch:openstack-dashboard + num_units: 3 + options: + openstack-origin: *openstack-origin + channel: latest/edge + + rabbitmq-server: + charm: ch:rabbitmq-server + num_units: 1 + options: + source: *openstack-origin + channel: latest/edge + + vault: + num_units: 1 + charm: ch:vault + channel: latest/edge + + placement: + charm: ch:placement + num_units: 1 + options: + openstack-origin: *openstack-origin + channel: latest/edge + + keystone-openidc: + charm: ../../keystone-openidc.charm + num_units: 0 + +relations: + + - - 'nova-compute:amqp' + - 'rabbitmq-server:amqp' + + - - 'neutron-gateway:amqp' + - 'rabbitmq-server:amqp' + + - - 'keystone:shared-db' + - 'keystone-mysql-router:shared-db' + - - 'keystone-mysql-router:db-router' + - 'mysql-innodb-cluster:db-router' + + - - 'nova-cloud-controller:identity-service' + - 'keystone:identity-service' + + - - 'glance:identity-service' + - 'keystone:identity-service' + + - - 'neutron-api:identity-service' + - 'keystone:identity-service' + + - - 'neutron-openvswitch:neutron-plugin-api' + - 'neutron-api:neutron-plugin-api' + + - - 'neutron-api:shared-db' + - 'neutron-api-mysql-router:shared-db' + - - 'neutron-api-mysql-router:db-router' + - 'mysql-innodb-cluster:db-router' + + - - 'neutron-api:amqp' + - 'rabbitmq-server:amqp' + + - - 'neutron-gateway:neutron-plugin-api' + - 'neutron-api:neutron-plugin-api' + + - - 'glance:shared-db' + - 'glance-mysql-router:shared-db' + - - 
'glance-mysql-router:db-router' + - 'mysql-innodb-cluster:db-router' + + - - 'glance:amqp' + - 'rabbitmq-server:amqp' + + - - 'nova-cloud-controller:image-service' + - 'glance:image-service' + + - - 'nova-compute:image-service' + - 'glance:image-service' + + - - 'nova-cloud-controller:cloud-compute' + - 'nova-compute:cloud-compute' + + - - 'nova-cloud-controller:amqp' + - 'rabbitmq-server:amqp' + + - - 'nova-cloud-controller:quantum-network-service' + - 'neutron-gateway:quantum-network-service' + + - - 'nova-compute:neutron-plugin' + - 'neutron-openvswitch:neutron-plugin' + + - - 'neutron-openvswitch:amqp' + - 'rabbitmq-server:amqp' + + - - 'openstack-dashboard:identity-service' + - 'keystone:identity-service' + + - - 'openstack-dashboard:shared-db' + - 'openstack-dashboard-mysql-router:shared-db' + - - 'openstack-dashboard-mysql-router:db-router' + - 'mysql-innodb-cluster:db-router' + + - - 'nova-cloud-controller:shared-db' + - 'nova-cloud-controller-mysql-router:shared-db' + - - 'nova-cloud-controller-mysql-router:db-router' + - 'mysql-innodb-cluster:db-router' + + - - 'nova-cloud-controller:neutron-api' + - 'neutron-api:neutron-api' + + - - 'cinder:image-service' + - 'glance:image-service' + + - - 'cinder:amqp' + - 'rabbitmq-server:amqp' + + - - 'cinder:identity-service' + - 'keystone:identity-service' + + - - 'cinder:cinder-volume-service' + - 'nova-cloud-controller:cinder-volume-service' + + - - 'cinder:shared-db' + - 'cinder-mysql-router:shared-db' + - - 'cinder-mysql-router:db-router' + - 'mysql-innodb-cluster:db-router' + + - - 'ntp:juju-info' + - 'nova-compute:juju-info' + + - - 'ntp:juju-info' + - 'neutron-gateway:juju-info' + + - - 'keystone' + - 'keystone-openidc' + + - - 'vault:shared-db' + - 'vault-mysql-router:shared-db' + - - 'vault-mysql-router:db-router' + - 'mysql-innodb-cluster:db-router' + + - - 'vault:certificates' + - 'keystone:certificates' + + - - 'vault:certificates' + - 'glance:certificates' + + - - 'vault:certificates' + - 
'openstack-dashboard:certificates' + + - - 'openstack-dashboard' + - 'keystone-openidc' + + - - 'keystone:websso-trusted-dashboard' + - 'openstack-dashboard:websso-trusted-dashboard' + + - - 'vault:certificates' + - 'cinder:certificates' + + - - 'vault:certificates' + - 'neutron-api:certificates' + + - - 'vault:certificates' + - 'nova-cloud-controller:certificates' + + - - 'placement:identity-service' + - 'keystone:identity-service' + + - - 'placement:placement' + - 'nova-cloud-controller:placement' + + - - 'vault:certificates' + - 'placement:certificates' + + - - "placement:shared-db" + - "placement-mysql-router:shared-db" + - - "placement-mysql-router:db-router" + - "mysql-innodb-cluster:db-router" diff --git a/tests/bundles/jammy-yoga.yaml b/tests/bundles/jammy-yoga.yaml new file mode 100644 index 0000000..2a426d2 --- /dev/null +++ b/tests/bundles/jammy-yoga.yaml 
@@ -0,0 +1,304 @@
+variables:
+ openstack-origin: &openstack-origin distro
+
+local_overlay_enabled: False
+
+series: jammy
+
+comment:
+- 'machines section to decide order of deployment. database sooner = faster'
+machines:
+ '0':
+ constraints: mem=3072M
+ '1':
+ constraints: mem=3072M
+ '2':
+ constraints: mem=3072M
+
+applications:
+
+ keystone-mysql-router:
+ charm: ch:mysql-router
+ channel: latest/edge
+ neutron-api-mysql-router:
+ charm: ch:mysql-router
+ channel: latest/edge
+ glance-mysql-router:
+ charm: ch:mysql-router
+ channel: latest/edge
+ openstack-dashboard-mysql-router:
+ charm: ch:mysql-router
+ channel: latest/edge
+ nova-cloud-controller-mysql-router:
+ charm: ch:mysql-router
+ channel: latest/edge
+ cinder-mysql-router:
+ charm: ch:mysql-router
+ channel: latest/edge
+ vault-mysql-router:
+ charm: ch:mysql-router
+ channel: latest/edge
+ placement-mysql-router:
+ charm: ch:mysql-router
+ channel: latest/edge
+
+ mysql-innodb-cluster:
+ charm: ch:mysql-innodb-cluster
+ num_units: 3
+ options:
+ source: *openstack-origin
+ to:
+ - '0'
+ - '1'
+ - '2'
+ channel: latest/edge
+
+ cinder:
+ num_units: 1
+ charm: ch:cinder
+ options:
+ openstack-origin: *openstack-origin
+ glance-api-version: 2
+ block-device: None
+ channel: latest/edge
+
+ glance:
+ charm: ch:glance
+ num_units: 1
+ options:
+ openstack-origin: *openstack-origin
+ channel: latest/edge
+
+ keystone:
+ charm: ch:keystone
+ num_units: 3
+ options:
+ openstack-origin: *openstack-origin
+ token-provider: 'fernet'
+ channel: latest/edge
+
+ neutron-api:
+ charm: ch:neutron-api
+ num_units: 1
+ options:
+ openstack-origin: *openstack-origin
+ manage-neutron-plugin-legacy-mode: true
+ flat-network-providers: physnet1
+ neutron-security-groups: true
+ channel: latest/edge
+
+ neutron-gateway:
+ charm: ch:neutron-gateway
+ num_units: 1
+ options:
+ openstack-origin: *openstack-origin
+ bridge-mappings: physnet1:br-ex
+ channel: latest/edge
+
+ neutron-openvswitch:
+ charm: ch:neutron-openvswitch
+ num_units: 0
+ channel: latest/edge
+
+ nova-cloud-controller:
+ charm: ch:nova-cloud-controller
+ num_units: 1
+ options:
+ openstack-origin: *openstack-origin
+ network-manager: Neutron
+ channel: latest/edge
+
+ nova-compute:
+ charm: ch:nova-compute
+ num_units: 2
+ options:
+ openstack-origin: *openstack-origin
+ config-flags: default_ephemeral_format=ext4
+ enable-live-migration: true
+ enable-resize: true
+ migration-auth-type: ssh
+ channel: latest/edge
+
+ ntp:
+ charm: ch:ntp
+ num_units: 0
+
+ openstack-dashboard:
+ charm: ch:openstack-dashboard
+ num_units: 3
+ options:
+ openstack-origin: *openstack-origin
+ channel: latest/edge
+
+ rabbitmq-server:
+ charm: ch:rabbitmq-server
+ num_units: 1
+ options:
+ source: *openstack-origin
+ channel: latest/edge
+
+ vault:
+ num_units: 1
+ charm: ch:vault
+ channel: latest/edge
+
+ placement:
+ charm: ch:placement
+ num_units: 1
+ options:
+ openstack-origin: *openstack-origin
+ channel: latest/edge
+
+ keystone-openidc:
+ charm: ../../keystone-openidc.charm
+ num_units: 0
+
+relations:
+
+ - - 'nova-compute:amqp'
+ - 'rabbitmq-server:amqp'
+
+ - - 'neutron-gateway:amqp'
+ - 'rabbitmq-server:amqp'
+
+ - - 'keystone:shared-db'
+ - 'keystone-mysql-router:shared-db'
+ - - 'keystone-mysql-router:db-router'
+ - 'mysql-innodb-cluster:db-router'
+
+ - - 'nova-cloud-controller:identity-service'
+ - 'keystone:identity-service'
+
+ - - 'glance:identity-service'
+ - 'keystone:identity-service'
+
+ - - 'neutron-api:identity-service'
+ - 'keystone:identity-service'
+
+ - - 'neutron-openvswitch:neutron-plugin-api'
+ - 'neutron-api:neutron-plugin-api'
+
+ - - 'neutron-api:shared-db'
+ - 'neutron-api-mysql-router:shared-db'
+ - - 'neutron-api-mysql-router:db-router'
+ - 'mysql-innodb-cluster:db-router'
+
+ - - 'neutron-api:amqp'
+ - 'rabbitmq-server:amqp'
+
+ - - 'neutron-gateway:neutron-plugin-api'
+ - 'neutron-api:neutron-plugin-api'
+
+ - - 'glance:shared-db'
+ - 'glance-mysql-router:shared-db'
+ - - 'glance-mysql-router:db-router'
+ - 'mysql-innodb-cluster:db-router'
+
+ - - 'glance:amqp'
+ - 'rabbitmq-server:amqp'
+
+ - - 'nova-cloud-controller:image-service'
+ - 'glance:image-service'
+
+ - - 'nova-compute:image-service'
+ - 'glance:image-service'
+
+ - - 'nova-cloud-controller:cloud-compute'
+ - 'nova-compute:cloud-compute'
+
+ - - 'nova-cloud-controller:amqp'
+ - 'rabbitmq-server:amqp'
+
+ - - 'nova-cloud-controller:quantum-network-service'
+ - 'neutron-gateway:quantum-network-service'
+
+ - - 'nova-compute:neutron-plugin'
+ - 'neutron-openvswitch:neutron-plugin'
+
+ - - 'neutron-openvswitch:amqp'
+ - 'rabbitmq-server:amqp'
+
+ - - 'openstack-dashboard:identity-service'
+ - 'keystone:identity-service'
+
+ - - 'openstack-dashboard:shared-db'
+ - 'openstack-dashboard-mysql-router:shared-db'
+ - - 'openstack-dashboard-mysql-router:db-router'
+ - 'mysql-innodb-cluster:db-router'
+
+ - - 'nova-cloud-controller:shared-db'
+ - 'nova-cloud-controller-mysql-router:shared-db'
+ - - 'nova-cloud-controller-mysql-router:db-router'
+ - 'mysql-innodb-cluster:db-router'
+
+ - - 'nova-cloud-controller:neutron-api'
+ - 'neutron-api:neutron-api'
+
+ - - 'cinder:image-service'
+ - 'glance:image-service'
+
+ - - 'cinder:amqp'
+ - 'rabbitmq-server:amqp'
+
+ - - 'cinder:identity-service'
+ - 'keystone:identity-service'
+
+ - - 'cinder:cinder-volume-service'
+ - 'nova-cloud-controller:cinder-volume-service'
+
+ - - 'cinder:shared-db'
+ - 'cinder-mysql-router:shared-db'
+ - - 'cinder-mysql-router:db-router'
+ - 'mysql-innodb-cluster:db-router'
+
+ - - 'ntp:juju-info'
+ - 'nova-compute:juju-info'
+
+ - - 'ntp:juju-info'
+ - 'neutron-gateway:juju-info'
+
+ - - 'keystone'
+ - 'keystone-openidc'
+
+ - - 'vault:shared-db'
+ - 'vault-mysql-router:shared-db'
+ - - 'vault-mysql-router:db-router'
+ - 'mysql-innodb-cluster:db-router'
+
+ - - 'vault:certificates'
+ - 'keystone:certificates'
+
+ - - 'vault:certificates'
+ - 'glance:certificates'
+
+ - - 'vault:certificates'
+ - 'openstack-dashboard:certificates'
+
+ - - 'openstack-dashboard'
+ - 'keystone-openidc'
+
+ - - 'keystone:websso-trusted-dashboard'
+ - 'openstack-dashboard:websso-trusted-dashboard'
+
+ - - 'vault:certificates'
+ - 'cinder:certificates'
+
+ - - 'vault:certificates'
+ - 'neutron-api:certificates'
+
+ - - 'vault:certificates'
+ - 'nova-cloud-controller:certificates'
+
+ - - 'placement:identity-service'
+ - 'keystone:identity-service'
+
+ - - 'placement:placement'
+ - 'nova-cloud-controller:placement'
+
+ - - 'vault:certificates'
+ - 'placement:certificates'
+
+ - - "placement:shared-db"
+ - "placement-mysql-router:shared-db"
+ - - "placement-mysql-router:db-router"
+ - "mysql-innodb-cluster:db-router"
diff --git a/tests/tests.yaml b/tests/tests.yaml
new file mode 100644
index 0000000..c0c4dc9
--- /dev/null
+++ b/tests/tests.yaml
@@ -0,0 +1,31 @@
+charm_name: keystone-openidc
+
+smoke_bundles:
+- focal-yoga
+
+gate_bundles:
+- focal-xena
+- focal-yoga
+- jammy-yoga
+
+dev_bundles:
+- jammy-yoga
+
+configure:
+- zaza.openstack.charm_tests.vault.setup.auto_initialize
+- zaza.openstack.charm_tests.keystone.setup.add_demo_user
+- zaza.openstack.charm_tests.glance.setup.add_lts_image
+- zaza.openstack.charm_tests.nova.setup.create_flavors
+- zaza.openstack.charm_tests.nova.setup.manage_ssh_key
+- zaza.openstack.charm_tests.neutron.setup.basic_overcloud_network
+
+tests:
+- zaza.openstack.charm_tests.keystone.tests.AuthenticationAuthorizationTest
+
+target_deploy_status:
+ vault:
+ workload-status: blocked
+ workload-status-message-prefix: Vault needs to be initialized
+
+tests_options:
+ force_deploy: []
diff --git a/tox.ini b/tox.ini
new file mode 100644
index 0000000..722f662
--- /dev/null
+++ b/tox.ini
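Review bot: In tests/bundles/jammy-yoga.yaml the two relations that wire in the charm under test, `- - 'keystone'` / `- 'keystone-openidc'` and `- - 'openstack-dashboard'` / `- 'keystone-openidc'`, are the only ones in the bundle written without endpoint names. Juju can resolve an implicit relation only while exactly one endpoint pair matches. These two relations appear to carry the federation trust path, so they are the ones a reader most needs spelled out. I would write them as `'keystone:<endpoint>'` and `'keystone-openidc:<endpoint>'`, taking the names from the charm's metadata.yaml, which is outside this view. The bundle whose tail precedes this file carries the same two implicit relations.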
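Review bot: The `tests:` list in tests/tests.yaml runs only `zaza.openstack.charm_tests.keystone.tests.AuthenticationAuthorizationTest`, and none of the `configure:` steps sets up an identity provider, so the gate never exercises an OpenID Connect login. As written, a passing run shows that the bundle deploys and that stock keystone authentication still works with the subordinate attached, not that federation works or fails closed. I would add a configure step and a test class for the OIDC path, for example `- zaza.openstack.charm_tests.<module>.tests.<OidcTestClass>` (placeholder; no such class is named on this page). Until one exists, a comment above `tests:` should say the federated flow is not covered.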
@@ -0,0 +1,140 @@
+# Operator charm (with zaza): tox.ini
+
+[tox]
+envlist = pep8,py3
+skipsdist = True
+# NOTE: Avoid build/test env pollution by not enabling sitepackages.
+sitepackages = False
+# NOTE: Avoid false positives by not skipping missing interpreters.
+skip_missing_interpreters = False
+# NOTES:
+# * We avoid the new dependency resolver by pinning pip < 20.3, see
+# https://github.com/pypa/pip/issues/9187
+# * Pinning dependencies requires tox >= 3.2.0, see
+# https://tox.readthedocs.io/en/latest/config.html#conf-requires
+# * It is also necessary to pin virtualenv as a newer virtualenv would still
+# lead to fetching the latest pip in the func* tox targets, see
+# https://stackoverflow.com/a/38133283
+# * It is necessary to declare setuptools as a dependency otherwise tox will
+# fail very early at not being able to load it. The version pinning is in
+# line with `pip.sh`.
+requires = pip < 20.3
+ virtualenv < 20.0
+ setuptools < 50.0.0
+# NOTE: https://wiki.canonical.com/engineering/OpenStack/InstallLatestToxOnOsci
+minversion = 3.2.0
+
+[testenv]
+setenv = VIRTUAL_ENV={envdir}
+ PYTHONHASHSEED=0
+ CHARM_DIR={envdir}
+install_command =
+ pip install {opts} {packages}
+commands = stestr run --slowest {posargs}
+allowlist_externals =
+ git
+ bash
+ charmcraft
+ rename.sh
+passenv = HOME TERM CS_* OS_* TEST_*
+deps = -r{toxinidir}/test-requirements.txt
+
+[testenv:py38]
+basepython = python3.8
+deps = -r{toxinidir}/requirements.txt
+ -r{toxinidir}/test-requirements.txt
+
+[testenv:py39]
+basepython = python3.9
+deps = -r{toxinidir}/requirements.txt
+ -r{toxinidir}/test-requirements.txt
+
+[testenv:py310]
+basepython = python3.10
+deps = -r{toxinidir}/requirements.txt
+ -r{toxinidir}/test-requirements.txt
+
+[testenv:py3]
+basepython = python3
+deps = -r{toxinidir}/requirements.txt
+ -r{toxinidir}/test-requirements.txt
+
+[testenv:pep8]
+basepython = python3
+deps = -r{toxinidir}/requirements.txt
+ -r{toxinidir}/test-requirements.txt
+commands = flake8 {posargs} src unit_tests tests
+
+[testenv:cover]
+# Technique based heavily upon
+# https://github.com/openstack/nova/blob/master/tox.ini
+basepython = python3
+deps = -r{toxinidir}/requirements.txt
+ -r{toxinidir}/test-requirements.txt
+setenv =
+ {[testenv]setenv}
+ PYTHON=coverage run
+commands =
+ coverage erase
+ stestr run --slowest {posargs}
+ coverage combine
+ coverage html -d cover
+ coverage xml -o cover/coverage.xml
+ coverage report
+
+[coverage:run]
+branch = True
+concurrency = multiprocessing
+parallel = True
+source =
+ .
+omit =
+ .tox/*
+ */charmhelpers/*
+ unit_tests/*
+
+[testenv:venv]
+basepython = python3
+commands = {posargs}
+
+[testenv:build]
+basepython = python3
+deps = -r{toxinidir}/build-requirements.txt
+# NOTE(lourot): charmcraft 1.0.0 used to generate
+# nova-compute-nvidia-vgpu.charm, which is the behaviour expected by OSCI.
+# However charmcraft 1.2.1 now generates
+# nova-compute-nvidia-vgpu_ubuntu-20.04-amd64.charm instead. In order to keep
+# the old behaviour we rename the file at the end.
+commands =
+ charmcraft clean
+ charmcraft -v pack
+ {toxinidir}/rename.sh
+
+[testenv:func-noop]
+basepython = python3
+commands =
+ functest-run-suite --help
+
+[testenv:func]
+basepython = python3
+commands =
+ functest-run-suite --keep-model
+
+[testenv:func-smoke]
+basepython = python3
+commands =
+ functest-run-suite --keep-model --smoke
+
+[testenv:func-dev]
+basepython = python3
+commands =
+ functest-run-suite --keep-model --dev
+
+[testenv:func-target]
+basepython = python3
+commands =
+ functest-run-suite --keep-model --bundle {posargs}
+
+[flake8]
+# Ignore E902 because the unit_tests directory is missing in the built charm.
+ignore = E402,E226,W503,W504,E902
diff --git a/unit_tests/__init__.py b/unit_tests/__init__.py
new file mode 100644
index 0000000..e163492
--- /dev/null
+++ b/unit_tests/__init__.py
@@ -0,0 +1,2 @@
+import ops.testing
+ops.testing.SIMULATE_CAN_CONNECT = True
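Review bot: In tox.ini, `passenv = HOME TERM CS_* OS_* TEST_*` sits in the base `[testenv]`, so every environment that inherits it, including `pep8`, `py3` and `cover`, receives whatever `OS_*` cloud credentials are exported in the calling shell. From what is visible only the `func*` targets need them. Keeping `passenv = HOME TERM` in `[testenv]` and adding `passenv = HOME TERM CS_* OS_* TEST_*` to each `func*` section would keep credentials out of the lint and unit-test runs. Separately, the NOTE(lourot) comment in `[testenv:build]` still names `nova-compute-nvidia-vgpu.charm`, which looks carried over from another charm and should name this charm's artefact.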
diff --git a/unit_tests/test_charm.py b/unit_tests/test_charm.py
new file mode 100644
index 0000000..1f5e6e6
--- /dev/null
+++ b/unit_tests/test_charm.py
@@ -0,0 +1,68 @@
+# Copyright 2022 Felipe
+# See LICENSE file for licensing details.
+#
+# Learn more about testing at: https://juju.is/docs/sdk/testing
+
+import unittest
+from unittest.mock import Mock
+
+from charm import KeystoneOpenidcCharm
+from ops.model import ActiveStatus
+from ops.testing import Harness
+
+
+class TestCharm(unittest.TestCase):
+ def setUp(self):
+ self.harness = Harness(KeystoneOpenidcCharm)
+ self.addCleanup(self.harness.cleanup)
+ self.harness.begin()
+
+ def test_config_changed(self):
+ self.assertEqual(list(self.harness.charm._stored.things), [])
+ self.harness.update_config({"thing": "foo"})
+ self.assertEqual(list(self.harness.charm._stored.things), ["foo"])
+
+ def test_action(self):
+ # the harness doesn't (yet!) help much with actions themselves
+ action_event = Mock(params={"fail": ""})
+ self.harness.charm._on_fortune_action(action_event)
+
+ self.assertTrue(action_event.set_results.called)
+
+ def test_action_fail(self):
+ action_event = Mock(params={"fail": "fail this"})
+ self.harness.charm._on_fortune_action(action_event)
+
+ self.assertEqual(action_event.fail.call_args, [("fail this",)])
+
+ def test_httpbin_pebble_ready(self):
+ # Simulate making the Pebble socket available
+ self.harness.set_can_connect("httpbin", True)
+ # Check the initial Pebble plan is empty
+ initial_plan = self.harness.get_container_pebble_plan("httpbin")
+ self.assertEqual(initial_plan.to_yaml(), "{}\n")
+ # Expected plan after Pebble ready with default config
+ expected_plan = {
+ "services": {
+ "httpbin": {
+ "override": "replace",
+ "summary": "httpbin",
+ "command": "gunicorn -b 0.0.0.0:80 httpbin:app -k gevent",
+ "startup": "enabled",
+ "environment": {"thing": "🎁"},
+ }
+ },
+ }
+ # Get the httpbin container from the model
+ container = self.harness.model.unit.get_container("httpbin")
+ # Emit the PebbleReadyEvent carrying the httpbin container
+ self.harness.charm.on.httpbin_pebble_ready.emit(container)
+ # Get the plan now we've run PebbleReady
+ updated_plan = self.harness.get_container_pebble_plan("httpbin").to_dict()
+ # Check we've got the plan we expected
+ self.assertEqual(expected_plan, updated_plan)
+ # Check the service was started
+ service = self.harness.model.unit.get_container("httpbin").get_service("httpbin")
+ self.assertTrue(service.is_running())
+ # Ensure we set an ActiveStatus with no message
+ self.assertEqual(self.harness.model.unit.status, ActiveStatus())
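Review bot: Every test in `TestCharm` drives names that look like the charmcraft init template (`_stored.things`, `_on_fortune_action`, the `httpbin` Pebble container and its gunicorn command), and none touches OpenID Connect configuration. The suite therefore gives no coverage of the behaviour this charm exists to provide. `src/charm.py` is outside this view; unless `KeystoneOpenidcCharm` still carries those template handlers these tests fail, and if it does carry them they are scaffolding to remove. I would replace the four tests with Harness tests for the charm's real config-changed and relation handlers. In `test_action_fail`, `action_event.fail.assert_called_once_with("fail this")` states the intent more directly than comparing `call_args` with a list.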