starlingx/upstream
Code Issues Proposed changes
Files
master
upstream/openstack/python-platformclients/debian/stx-platformclients.stable_docker_image
Italo Lemos 8b09707ac7 Add platform-util package to stx-platformclients 
image

This change is also part of the OIDC authentication support and adds
common utility packages required by the stx-platformclients image
to enable OIDC-based authentication.

The packages oic, pyjwkest, and platform-util are introduced
to support token validation, JWT/JWK handling, and shared
authentication utilities. These components are referenced and
used by changes introduced in [1] and [2].

[1] https://review.opendev.org/c/starlingx/integ/+/970455
[2] https://review.opendev.org/c/starlingx/utilities/+/963220

Test case:
PASS: Build the platformclients image successfully.
PASS: Load a remote-cli environment using the built image
      and run software client commands successfully
      (e.g. `software list`).

Story: 2011603
Task: 53707
Closes-Bug: 2138764

Change-Id: Ia938d94110ec2b6a04d55d2bcb66bdbafec08eed
Signed-off-by: Italo Lemos <Italo.doRegoLemos@windriver.com>
2026-02-04 07:46:19 +00:00

133 lines
4.5 KiB
Plaintext
Raw Permalink Blame History

BUILDER=loci
LABEL=stx-platformclients
PROJECT=infra
PROJECT_REPO=nil
DIST_REPOS="OS"
DIST_PACKAGES="python3-dev libffi-dev libssl-dev libcurl4-openssl-dev libfile-which-perl bash-completion vim helm kubernetes-1.32.2-client kubernetes-1.33.0-client kubernetes-1.34.1-client kubelogin keyutils platform-util"
PIP_PACKAGES="pycryptodomex httplib2 pyopenssl ndg-httpsclient pyasn1 \
six prettytable PyYAML python-keystoneclient python-barbicanclient \
python-openstackclient cgtsclient fmclient distributedcloud_client \
osprofiler beautifulsoup4 oidcauthtools mechanize html5lib webencodings \
nfv-client software-client tsconfig pyjwkest oic"
# ln Workaround: keyutils installs keyctl in /bin, but client code expects /usr/bin/keyctl
CUSTOMIZATION="ln -sf /bin/keyctl /usr/bin/keyctl && \
echo '$(base64 -w0 <<'EOL'
#!/bin/bash
#
# Copyright (c) 2025 Wind River Systems, Inc.
#
# SPDX-License-Identifier: Apache-2.0
#
# All Rights Reserved.
#
# Function to print warnings
warn() {
echo -e "\e[1;33m[WARN]\e[0m $1" >&2
}
# Function to compare versions
version_gt() { [ "$(printf '%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]; }
# Function to get the expected k8s client version
get_client_version() {
local VERSION="${MIN_KUBE_VERSION}"
local SUPPORTED="false"
if [[ -n "${KUBE_SERVER_VERSION}" && ( "${KUBE_AVAILABLE_VERSIONS}" == *"${KUBE_SERVER_VERSION}"* ) ]]; then
VERSION="${KUBE_SERVER_VERSION}"
local SUPPORTED="true"
elif version_gt "${KUBE_SERVER_VERSION}" "${MAX_KUBE_VERSION}"; then
VERSION="${MAX_KUBE_VERSION}"
fi
echo "${VERSION} ${SUPPORTED}"
}
# Function to request k8s apiserver version anonymously
get_server_version_with_request() {
export KUBE_APISERVER_URL
KUBE_APISERVER_URL=$(awk '/server:/ {print $2}' ~/.kube/config)
if [[ -z "${KUBE_APISERVER_URL}" ]]; then
warn "Kube-apiserver address not yet configured in kubeconfig."
return
fi
local KUBE_APISERVER_VERSION=$(python3 - <<-'PY'
import requests, os
try:
print(
requests.get(
os.environ.get("KUBE_APISERVER_URL") + "/version",
verify=os.environ.get("OS_CACERT"),
timeout=10,
).json()["gitVersion"].lstrip("v")
)
except Exception:
pass
PY
)
if [[ -z "${KUBE_APISERVER_VERSION}" ]]; then
warn "Kube-apiserver version could not be retrieved."
return
fi
echo "${KUBE_APISERVER_VERSION}"
}
# Function to get the k8s server version
get_server_version() {
local VERSION=$(echo "${KUBE_SERVER_VERSION}" || echo "")
# Get the last time that the server version file have been updated.
local TIME_DIFF=0
if [[ -f "${KUBE_SERVER_VERSION_FILE}" ]]; then
local FILE_MOD_TIME=$(stat -c %Y "${KUBE_SERVER_VERSION_FILE}")
local CURRENT_TIME=$(date +%s)
TIME_DIFF=$((CURRENT_TIME - FILE_MOD_TIME))
fi
# If the k8s server version is empty or
# the k8s server version file was updated more than 30min,
# get the version from the k8s server version file
if [[ -z "${VERSION}" || "${TIME_DIFF}" -gt 1800 ]]; then
VERSION=$(get_server_version_with_request)
[[ -z "${VERSION}" || ( ! "${VERSION}" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ) ]] && VERSION="${KUBE_CLIENT_VERSION}"
echo "${VERSION}" > "${KUBE_SERVER_VERSION_FILE}"
fi
echo "${VERSION}"
}
BASE_VOLUME="/wd"
KUBE_BASE_PATH="/usr/local/kubernetes/"
KUBE_SERVER_VERSION_FILE="${BASE_VOLUME}"/.kube_server_version
KUBE_AVAILABLE_VERSIONS=$(ls "${KUBE_BASE_PATH}" | sort -V)
MIN_KUBE_VERSION=$(echo "${KUBE_AVAILABLE_VERSIONS}" | head -n1)
MAX_KUBE_VERSION=$(echo "${KUBE_AVAILABLE_VERSIONS}" | tail -n1)
KUBE_CLIENT_VERSION="${MIN_KUBE_VERSION}"
KUBE_SERVER_VERSION=$(cat "${KUBE_SERVER_VERSION_FILE}" 2> /dev/null)
if [[ "${KUBE_SERVER_VERSION}" == "${MAX_KUBE_VERSION}" ]]; then
KUBE_CLIENT_VERSION="${KUBE_SERVER_VERSION}"
else
KUBE_SERVER_VERSION=$(get_server_version)
read KUBE_CLIENT_VERSION KUBE_SERVER_VERSION_IS_SUPPORTED <<< $(get_client_version)
if [[ "${KUBE_SERVER_VERSION_IS_SUPPORTED}" == "false" ]]; then
warn "Detected a mismatch between Kubernetes client and server versions."
warn "Continuing with client version v${KUBE_CLIENT_VERSION} and server version v${KUBE_SERVER_VERSION}."
fi
fi
KUBE_BIN_PATH=$(find "${KUBE_BASE_PATH}${KUBE_CLIENT_VERSION}"/*/usr/bin/ -name "kubectl")
exec "${KUBE_BIN_PATH}" "$@"
EOL
)' | base64 -d > /usr/local/bin/kubectl && chmod +x /usr/local/bin/kubectl"
View Git Blame Copy Permalink