openstack/tacker
Code Issues Proposed changes
4467f162c0
tacker/.zuul.yaml
Qibin Yao 57902730d6 Add OpenID Connect Token Auth for k8s 
This patch adds openid token auth support when calling k8s APIs.

Openid token auth of k8s relies on an external openid provider,
and Keycloak acts as the openid provider in this implementation.

Implements: blueprint support-openid-k8s-vim
Change-Id: Ie5e080a20cba3ba0ed514ede7955eb16729d797c
2022-09-12 01:26:53 +00:00

615 lines
21 KiB
YAML
Raw Blame History

- nodeset:
name: openstack-4-nodes-focal
nodes:
- name: controller
label: ubuntu-focal
- name: controller-tacker
label: ubuntu-focal
- name: compute1
label: ubuntu-focal
- name: compute2
label: ubuntu-focal
groups:
# Nodes running the compute service
- name: compute
nodes:
- compute1
- compute2
# Nodes that are not the controller
- name: subnode
nodes:
- controller-tacker
- compute1
- compute2
# Switch node for multinode networking setup
- name: switch
nodes:
- controller
# Peer nodes for multinode networking setup
- name: peers
nodes:
- controller-tacker
- compute1
- compute2
- nodeset:
name: openstack-k8s-4-nodes-focal
nodes:
- name: controller
label: ubuntu-focal
- name: controller-tacker
label: ubuntu-focal
- name: controller-k8s
label: ubuntu-focal
- name: compute1
label: ubuntu-focal
groups:
- name: compute
nodes:
- controller-k8s
- compute1
- name: subnode
nodes:
- controller-tacker
- controller-k8s
- compute1
- name: switch
nodes:
- controller
- name: peers
nodes:
- controller-tacker
- controller-k8s
- compute1
- job:
name: tacker-functional-devstack-multinode-legacy
parent: devstack
description: |
Base multinodes job for devstack-based functional tests
nodeset: openstack-4-nodes-focal
pre-run: playbooks/devstack/pre.yaml
run: playbooks/devstack/run.yaml
post-run: playbooks/devstack/post.yaml
roles:
- zuul: openstack-infra/devstack
timeout: 10800
required-projects:
- openstack/cinder
- openstack/glance
- openstack/keystone
- openstack/neutron
- openstack/nova
- openstack/placement
- openstack/aodh
- openstack/blazar
- openstack/blazar-nova
- openstack/horizon
- openstack/barbican
#- openstack/ceilometer
- openstack/heat
- openstack/mistral
- openstack/mistral-dashboard
- openstack/networking-sfc
# TODO(ueha): Remove after the following hotfix is applied to
# python-aodhclient installed by pip.
# https://review.opendev.org/c/openstack/python-aodhclient/+/819393
- openstack/python-aodhclient
- openstack/python-barbicanclient
- openstack/python-blazarclient
- openstack/python-mistralclient
- openstack/python-tackerclient
- openstack/tacker
- openstack/tacker-horizon
- x/fenix
vars:
devstack_localrc:
CELLSV2_SETUP: singleconductor
PHYSICAL_NETWORK: mgmtphysnet0
OVS_BRIDGE_MAPPINGS: public:br-ex,mgmtphysnet0:br-infra
DATABASE_TYPE: mysql
KEYSTONE_SERVICE_HOST: "{{ hostvars['controller']['nodepool']['private_ipv4'] }}"
MYSQL_HOST: "{{ hostvars['controller']['nodepool']['private_ipv4'] }}"
GNOCCHI_SERVICE_HOST: "{{ hostvars['controller-tacker']['nodepool']['private_ipv4'] }}"
Q_SERVICE_PLUGIN_CLASSES: ovn-router,networking_sfc.services.flowclassifier.plugin.FlowClassifierPlugin,neutron.services.qos.qos_plugin.QoSPlugin,qos
L2_AGENT_EXTENSIONS: qos
DEVSTACK_PARALLEL: True
OVN_L3_CREATE_PUBLIC_NETWORK: true
OVN_DBS_LOG_LEVEL: dbg
Q_ML2_PLUGIN_MECHANISM_DRIVERS: ovn,logger
test_matrix_configs: [neutron]
zuul_work_dir: src/opendev.org/openstack/tacker
host-vars:
controller:
devstack_local_conf:
post-config:
$NEUTRON_DHCP_CONF:
DEFAULT:
enable_isolated_metadata: True
$CINDER_CONF:
lvmdriver-1:
image_volume_cache_enabled: False
devstack_plugins:
heat: https://opendev.org/openstack/heat
networking-sfc: https://opendev.org/openstack/networking-sfc
aodh: https://opendev.org/openstack/aodh
# TODO(ueha): Remove after the following hotfix is applied to
# python-aodhclient installed by pip.
# https://review.opendev.org/c/openstack/python-aodhclient/+/819393
python-aodhclient: https://opendev.org/openstack/python-aodhclient
barbican: https://opendev.org/openstack/barbican
mistral: https://opendev.org/openstack/mistral
blazar: https://opendev.org/openstack/blazar
fenix: https://opendev.org/x/fenix
devstack_services:
# Core services enabled for this branch.
# This list replaces the test-matrix.
# Shared services
mysql: true
rabbit: true
tls-proxy: false
# Keystone services
key: true
# Glance services
g-api: true
# Nova services
n-api: true
n-api-meta: true
n-cond: true
n-cpu: false
n-novnc: true
n-sch: true
placement-api: true
# OVN services
ovn-controller: true
ovn-northd: true
ovs-vswitchd: true
ovsdb-server: true
# Neutron services
q-svc: true
q-qos: true
q-ovn-metadata-agent: true
# Cinder services
c-api: true
c-sch: true
c-vol: true
cinder: true
# Services we don't need.
# This section is not really needed, it's for readability.
horizon: false
tempest: false
swift: false
s-account: false
s-container: false
s-object: false
s-proxy: false
c-bak: false
tox_install_siblings: false
controller-tacker:
devstack_plugins:
#ceilometer: https://opendev.org/openstack/ceilometer
tacker: https://opendev.org/openstack/tacker
devstack_services:
# OVN services
ovn-controller: true
ovs-vswitchd: true
ovsdb-server: true
# Neutron services
q-ovn-metadata-agent: true
# Ceilometer services
#ceilometer-acompute: false
#ceilometer-acentral: true
#ceilometer-aipmi: false
#ceilometer-anotification: true
# Tacker services
tacker: true
tacker-conductor: true
tox_envlist: dsvm-functional-legacy
group-vars:
compute:
# Since a VirtualInterfaceCreateException occurs during a test,
# the setting of network-vif-plugged is changed by the reference of
# the following URL.
# https://bugs.launchpad.net/heat/+bug/1694371
devstack_local_conf:
post-config:
$NOVA_CONF:
DEFAULT:
vif_plugging_is_fatal: False
subnode:
devstack_localrc:
CELLSV2_SETUP: singleconductor
PHYSICAL_NETWORK: mgmtphysnet0
OVS_BRIDGE_MAPPINGS: public:br-ex,mgmtphysnet0:br-infra
DATABASE_TYPE: mysql
KEYSTONE_SERVICE_HOST: "{{ hostvars['controller']['nodepool']['private_ipv4'] }}"
MYSQL_HOST: "{{ hostvars['controller']['nodepool']['private_ipv4'] }}"
GNOCCHI_SERVICE_HOST: "{{ hostvars['controller-tacker']['nodepool']['private_ipv4'] }}"
TACKER_HOST: "{{ hostvars['controller-tacker']['nodepool']['private_ipv4'] }}"
TACKER_MODE: standalone
IS_ZUUL_FT: True
# NOTES:
# - Without this ugly inline template, we would have to overwrite devstack_localrc
# as a whole in some way. However keeping up with parent jobs' definitions would
# be too costly. E.g., ADMIN_PASSWORD, NETWORK_GATEWAY, etc. Too many variables.
# - The reason we set CEILOMETER_BACKEND=none for compute nodes is that otherwise
# gnocchi setup would run on every compute nodes (esp. multiple asynchronous calls
# of recreate_database() would be disastrous). Unused api servers would also be
# deployed on each compute node.
#CEILOMETER_BACKEND: "{% if 'compute' in group_names %}none{% else %}gnocchi{% endif %}"
Q_SERVICE_PLUGIN_CLASSES: "qos,\
networking_sfc.services.flowclassifier.plugin.FlowClassifierPlugin,\
neutron.services.qos.qos_plugin.QoSPlugin,\
ovn-router"
L2_AGENT_EXTENSIONS: qos
ENABLE_CHASSIS_AS_GW: false
Q_ML2_PLUGIN_MECHANISM_DRIVERS: ovn,logger
#devstack_plugins:
#ceilometer: https://opendev.org/openstack/ceilometer
devstack_services:
#ceilometer-acompute: true
# To override the parent job's definitions.
tls-proxy: false
# OVN services
ovn-controller: true
ovs-vswitchd: true
ovsdb-server: true
# Neutron services
q-ovn-metadata-agent: true
- job:
name: tacker-functional-devstack-multinode-sol
parent: tacker-functional-devstack-multinode-legacy
description: |
Multinodes job for SOL devstack-based functional tests
host-vars:
controller-tacker:
tox_envlist: dsvm-functional-sol
- job:
name: tacker-functional-devstack-multinode-sol-v2
parent: tacker-functional-devstack-multinode-sol
description: |
Multinodes job for SOL V2 devstack-based functional tests
host-vars:
controller-tacker:
tox_envlist: dsvm-functional-sol-v2
- job:
name: tacker-functional-devstack-multinode-sol-multi-tenant
parent: tacker-functional-devstack-multinode-sol
description: |
Multinodes job for SOL Multi tenant devstack-based functional tests
host-vars:
controller-tacker:
tox_envlist: dsvm-functional-sol-multi-tenant
vars:
setup_multi_tenant: true
- job:
name: tacker-functional-devstack-multinode-sol-separated-nfvo
parent: tacker-functional-devstack-multinode-sol
description: |
Multinodes job for SOL devstack-based functional tests
with separated NFVO
host-vars:
controller-tacker:
devstack_local_conf:
post-config:
$TACKER_CONF:
connect_vnf_packages:
base_url: http://127.0.0.1:9990/vnfpkgm/v1/vnf_packages
pipeline: package_content,vnfd,artifacts
connect_grant:
base_url: http://127.0.0.1:9990/grant/v1/grants
openstack_vim:
stack_retries: 120
tox_envlist: dsvm-functional-sol-separated-nfvo
- job:
name: tacker-functional-devstack-multinode-sol-separated-nfvo-v2
parent: tacker-functional-devstack-multinode-sol
description: |
Multinodes job for SOL devstack-based functional tests
with separated V2 NFVO
host-vars:
controller-tacker:
devstack_local_conf:
post-config:
$TACKER_CONF:
v2_nfvo:
use_external_nfvo: True
endpoint: http://127.0.0.1:9990
token_endpoint: http://127.0.0.1:9990
client_id: 229ec984de7547b2b662e968961af5a4
client_password: devstack
tox_envlist: dsvm-functional-sol-separated-nfvo-v2
- job:
name: tacker-functional-devstack-multinode-sol-kubernetes
parent: devstack
description: |
Multinodes job for SOL devstack-based kubernetes functional tests
nodeset: openstack-k8s-4-nodes-focal
pre-run: playbooks/devstack/pre.yaml
run: playbooks/devstack/run.yaml
post-run: playbooks/devstack/post.yaml
roles:
- zuul: openstack-infra/devstack
timeout: 10800
required-projects:
- openstack/barbican
- openstack/cinder
- openstack/devstack-gate
- openstack/devstack-plugin-container
- openstack/glance
- openstack/heat
- openstack/horizon
- openstack/keystone
- openstack/kuryr-kubernetes
- openstack/mistral
- openstack/neutron
- openstack/nova
- openstack/octavia
- openstack/placement
- openstack/python-barbicanclient
- openstack/python-blazarclient
- openstack/python-mistralclient
- openstack/python-octaviaclient
- openstack/python-tackerclient
- openstack/tacker
- openstack/tacker-horizon
host-vars:
controller:
devstack_plugins:
barbican: https://opendev.org/openstack/barbican
heat: https://opendev.org/openstack/heat
mistral: https://opendev.org/openstack/mistral
neutron: https://opendev.org/openstack/neutron
octavia: https://opendev.org/openstack/octavia
devstack_services:
base: false
c-api: true
c-bak: false
c-sch: true
c-vol: true
cinder: true
coredns: false
etcd3: true
g-api: true
g-reg: true
horizon: false
key: true
mysql: true
n-api-meta: true
n-api: true
n-cond: true
n-cpu: false
n-novnc: true
n-sch: true
neutron: true
o-api: true
o-cw: true
o-hk: true
o-hm: true
octavia: true
placement-api: true
placement-client: true
ovn-controller: true
ovn-northd: true
ovs-vswitchd: true
ovsdb-server: true
q-qos: true
q-svc: true
q-ovn-metadata-agent: true
rabbit: true
s-account: false
s-container: false
s-object: false
s-proxy: false
swift: false
tempest: false
tls-proxy: false
tox_install_siblings: false
controller-tacker:
devstack_local_conf:
post-config:
$TACKER_CONF:
kubernetes_vim:
stack_retries: 120
devstack_services:
ovn-controller: true
ovn-northd: true
ovs-vswitchd: true
ovsdb-server: true
q-ovn-metadata-agent: true
tacker: true
tacker-conductor: true
devstack_plugins:
tacker: https://opendev.org/openstack/tacker
tox_envlist: dsvm-functional-sol-kubernetes
controller-k8s:
devstack_local_conf: {}
devstack_plugins:
devstack-plugin-container: https://opendev.org/openstack/devstack-plugin-container
kuryr-kubernetes: https://opendev.org/openstack/kuryr-kubernetes
devstack_services:
etcd3: false
kubernetes-master: true
kuryr-daemon: true
kuryr-kubernetes: true
octavia: false
ovn-controller: true
ovn-northd: true
ovs-vswitchd: true
ovsdb-server: true
q-ovn-metadata-agent: true
tox_install_siblings: false
group-vars:
subnode:
devstack_localrc:
CELLSV2_SETUP: singleconductor
DATABASE_TYPE: mysql
IS_ZUUL_FT: True
K8S_API_SERVER_IP: "{{ hostvars['controller-k8s']['nodepool']['private_ipv4'] }}"
KEYSTONE_SERVICE_HOST: "{{ hostvars['controller']['nodepool']['private_ipv4'] }}"
KURYR_FORCE_IMAGE_BUILD: true
KURYR_K8S_API_PORT: 6443
KURYR_K8S_API_URL: "https://{{ hostvars['controller-k8s']['nodepool']['private_ipv4'] }}:${KURYR_K8S_API_PORT}"
KURYR_K8S_CONTAINERIZED_DEPLOYMENT: false
KURYR_NEUTRON_DEFAULT_SUBNETPOOL_ID: shared-default-subnetpool-v4
# TODO(YiFeng): At present, the version of kubernetes should be
# 1.23.3, and the returned response can pass the verification of
# kubernetes-client (1.23.3). This configuration will be removed
# after kuryr-kubernetes fixes the following bug.
# https://bugs.launchpad.net/kuryr-kubernetes/+bug/1968960
KURYR_KUBERNETES_VERSION: 1.23.3
MYSQL_HOST: "{{ hostvars['controller']['nodepool']['private_ipv4'] }}"
OCTAVIA_AMP_IMAGE_FILE: "/tmp/test-only-amphora-x64-haproxy-ubuntu-bionic.qcow2"
OCTAVIA_AMP_IMAGE_NAME: "test-only-amphora-x64-haproxy-ubuntu-bionic"
OCTAVIA_AMP_IMAGE_SIZE: 3
OVS_BRIDGE_MAPPINGS: public:br-ex,mgmtphysnet0:br-infra
PHYSICAL_NETWORK: mgmtphysnet0
TACKER_HOST: "{{ hostvars['controller-tacker']['nodepool']['private_ipv4'] }}"
TACKER_MODE: standalone
USE_PYTHON3: true
ENABLE_CHASSIS_AS_GW: false
Q_ML2_PLUGIN_MECHANISM_DRIVERS: ovn,logger
devstack_services:
dstat: false
horizon: false
n-api-meta: false
n-api: false
n-cauth: false
n-cond: false
n-cpu: true
n-novnc: false
n-obj: false
n-sch: false
ovn-controller: true
ovs-vswitchd: true
ovsdb-server: true
q-ovn-metadata-agent: true
tls-proxy: false
vars:
devstack_localrc:
CELLSV2_SETUP: singleconductor
DATABASE_TYPE: mysql
ETCD_USE_RAMDISK: true
IS_ZUUL_FT: True
KEYSTONE_SERVICE_HOST: "{{ hostvars['controller']['nodepool']['private_ipv4'] }}"
L2_AGENT_EXTENSIONS: qos
MYSQL_HOST: "{{ hostvars['controller']['nodepool']['private_ipv4'] }}"
OCTAVIA_AMP_IMAGE_FILE: "/tmp/test-only-amphora-x64-haproxy-ubuntu-bionic.qcow2"
OCTAVIA_AMP_IMAGE_NAME: "test-only-amphora-x64-haproxy-ubuntu-bionic"
OCTAVIA_AMP_IMAGE_SIZE: 3
OVS_BRIDGE_MAPPINGS: public:br-ex,mgmtphysnet0:br-infra
PHYSICAL_NETWORK: mgmtphysnet0
Q_SERVICE_PLUGIN_CLASSES: ovn-router,neutron.services.qos.qos_plugin.QoSPlugin,qos
TACKER_HOST: "{{ hostvars['controller-tacker']['nodepool']['private_ipv4'] }}"
TACKER_MODE: standalone
USE_PYTHON3: true
DEVSTACK_PARALLEL: True
OVN_L3_CREATE_PUBLIC_NETWORK: true
OVN_DBS_LOG_LEVEL: dbg
Q_ML2_PLUGIN_MECHANISM_DRIVERS: ovn,logger
devstack_local_conf:
post-config:
$NEUTRON_DHCP_CONF:
DEFAULT:
enable_isolated_metadata: True
$OCTAVIA_CONF:
controller_worker:
amp_active_retries: 9999
kuryr_k8s_api_url: "https://{{ hostvars['controller-k8s']['nodepool']['private_ipv4'] }}:6443"
k8s_ssl_verify: true
helm_version: "3.5.4"
test_matrix_configs: [neutron]
zuul_work_dir: src/opendev.org/openstack/tacker
zuul_copy_output:
'{{ devstack_log_dir }}/kubernetes': 'logs'
irrelevant-files:
- ^.*\.rst$
- ^doc/.*$
- ^releasenotes/.*$
- ^contrib/.*$
- job:
name: tacker-functional-devstack-multinode-sol-kubernetes-multi-tenant
parent: tacker-functional-devstack-multinode-sol-kubernetes
description: |
Multinodes job for SOL Kubernetes Multi tenant devstack-based functional tests
host-vars:
controller-tacker:
tox_envlist: dsvm-functional-sol-kubernetes-multi-tenant
vars:
setup_multi_tenant: true
- job:
name: tacker-functional-devstack-multinode-libs-master
parent: tacker-functional-devstack-multinode-legacy
description: |
devstack-based functional tests with libs from the master branch
required-projects:
- openstack/heat-translator
- openstack/tosca-parser
- job:
name: tacker-functional-devstack-multinode-sol-kubernetes-v2
parent: tacker-functional-devstack-multinode-sol-kubernetes
description: |
Multinodes job for SOL Kubernetes V2 devstack-based functional tests
host-vars:
controller-tacker:
devstack_local_conf:
post-config:
$TACKER_CONF:
v2_vnfm:
kubernetes_vim_rsc_wait_timeout: 800
tox_envlist: dsvm-functional-sol-kubernetes-v2
- job:
name: tacker-functional-devstack-kubernetes-oidc-auth
parent: tacker-functional-devstack-multinode-sol-kubernetes-v2
description: |
Multinodes job for Kubernetes OIDC Auth tests
host-vars:
controller-tacker:
tox_envlist: dsvm-functional-sol_kubernetes_oidc_auth
vars:
keycloak_host: "{{ hostvars['controller-k8s']['nodepool']['private_ipv4'] }}"
keycloak_http_port: 8080
keycloak_https_port: 8443
- job:
name: tacker-compliance-devstack-multinode-sol
parent: tacker-functional-devstack-multinode-legacy
description: |
Multinodes job for SOL devstack-based compliance tests
host-vars:
controller-tacker:
tox_envlist: dsvm-compliance-sol-api
voting: false
- project:
templates:
- check-requirements
- openstack-cover-jobs
- openstack-python3-zed-jobs
- publish-openstack-docs-pti
- release-notes-jobs-python3
check:
jobs:
- tacker-functional-devstack-multinode-legacy
- tacker-functional-devstack-multinode-sol
- tacker-functional-devstack-multinode-sol-separated-nfvo
- tacker-functional-devstack-multinode-sol-kubernetes
- tacker-functional-devstack-multinode-libs-master
- tacker-functional-devstack-multinode-sol-v2
- tacker-functional-devstack-multinode-sol-separated-nfvo-v2
- tacker-functional-devstack-multinode-sol-kubernetes-v2
- tacker-functional-devstack-multinode-sol-multi-tenant
- tacker-functional-devstack-multinode-sol-kubernetes-multi-tenant
- tacker-functional-devstack-kubernetes-oidc-auth
- tacker-compliance-devstack-multinode-sol
View Git Blame Copy Permalink