From 78f6fbb40e22048c7c77173abc47529b4bc2dbf3 Mon Sep 17 00:00:00 2001 From: Veronika Fisarova Date: Tue, 16 Apr 2024 10:10:26 +0200 Subject: [PATCH] [tls] Improve the TLS kuttl scenarios 
Signed-off-by: Veronika Fisarova --- Makefile | 2 +- .../core_v1beta1_openstackcontrolplane.yaml | 198 +++++++++++ .../openstackcontrolplane/kustomization.yaml | 10 + .../core_v1beta1_openstackcontrolplane.yaml | 214 +----------- .../samples/tls/custom_ca/kustomization.yaml | 14 + config/samples/tls/custom_ca/patch.yaml | 7 + .../tls/custom_duration/kustomization.yaml | 14 + config/samples/tls/custom_duration/patch.yaml | 27 ++ .../tls/custom_issuers/kustomization.yaml | 14 + config/samples/tls/custom_issuers/patch.yaml | 13 + .../common/assert-sample-deployment.yaml | 2 +- tests/kuttl/common/custom-ca.yaml | 10 + tests/kuttl/common/custom-ingress-issuer.yaml | 26 ++ .../kuttl/common/custom-internal-issuer.yaml | 26 ++ tests/kuttl/common/osp_check_cert_issuer.sh | 81 +++++ tests/kuttl/common/osp_check_fingerprints.sh | 24 ++ .../kuttl/common/osp_endpoint_fingerprints.sh | 17 + .../01-deploy-openstack.yaml | 2 +- .../02-assert-custom-cacert-secret.yaml | 4 + .../02-deploy-custom-cacert-secret.yaml | 6 + .../03-assert-deploy-custom-cacert.yaml | 105 ++++++ .../03-deploy-custom-cacert.yaml | 6 + .../04-assert-custom-cacert.yaml | 15 + .../{02-cleanup.yaml => 05-cleanup.yaml} | 5 +- ...rs-cleanup.yaml => 05-errors-cleanup.yaml} | 0 .../tests/ctlplane-collapsed/02-cleanup.yaml | 5 + .../ctlplane-galera-3replicas/02-cleanup.yaml | 3 + .../ctlplane-galera-basic/02-cleanup.yaml | 3 + .../01-assert-deploy-openstack.yaml | 1 + .../01-deploy-openstack.yaml | 5 + .../02-get-endpoints-certs.yaml | 6 + .../03-assert-new-certs.yaml | 317 ++++++++++++++++++ .../03-change-cert-duration.yaml | 6 + .../04-assert-service-cert-rotation.yaml | 11 + .../05-cleanup.yaml | 13 + .../05-errors-cleanup.yaml | 1 + .../00-assert-custom-issuers.yaml | 15 + .../00-deploy-custom-issuers.yaml | 6 + .../01-assert-deploy-openstack.yaml | 282 ++++++++++++++++ .../01-deploy-openstack.yaml | 6 + .../02-assert-service-certs-issuers.yaml | 11 + .../03-assert-deploy-openstack.yaml | 1 + 
.../03-deploy-openstack.yaml | 6 + ...-assert-service-certs-default-issuers.yaml | 15 + .../04-rotate-service-certs.yaml | 7 + .../05-cleanup.yaml | 13 + .../05-errors-cleanup.yaml | 1 + .../06-assert-deploy-openstack.yaml | 1 + .../06-deploy-openstack.yaml | 6 + ...-assert-service-certs-default-issuers.yaml | 11 + .../08-assert-custom-issuers.yaml | 15 + .../08-deploy-custom-issuers.yaml | 6 + .../09-assert-deploy-openstack.yaml | 282 ++++++++++++++++ .../09-deploy-openstack.yaml | 6 + .../10-assert-service-certs-issuers.yaml | 15 + .../10-rotate-service-certs.yaml | 7 + .../11-cleanup.yaml | 14 + .../11-errors-cleanup.yaml | 1 + 58 files changed, 1723 insertions(+), 217 deletions(-) create mode 100644 config/samples/base/openstackcontrolplane/core_v1beta1_openstackcontrolplane.yaml create mode 100644 config/samples/base/openstackcontrolplane/kustomization.yaml mode change 100644 => 120000 config/samples/core_v1beta1_openstackcontrolplane.yaml create mode 100644 config/samples/tls/custom_ca/kustomization.yaml create mode 100644 config/samples/tls/custom_ca/patch.yaml create mode 100644 config/samples/tls/custom_duration/kustomization.yaml create mode 100644 config/samples/tls/custom_duration/patch.yaml create mode 100644 config/samples/tls/custom_issuers/kustomization.yaml create mode 100644 config/samples/tls/custom_issuers/patch.yaml create mode 100644 tests/kuttl/common/custom-ca.yaml create mode 100644 tests/kuttl/common/custom-ingress-issuer.yaml create mode 100644 tests/kuttl/common/custom-internal-issuer.yaml create mode 100755 tests/kuttl/common/osp_check_cert_issuer.sh create mode 100755 tests/kuttl/common/osp_check_fingerprints.sh create mode 100755 tests/kuttl/common/osp_endpoint_fingerprints.sh create mode 100644 tests/kuttl/tests/ctlplane-basic-deployment/02-assert-custom-cacert-secret.yaml create mode 100644 tests/kuttl/tests/ctlplane-basic-deployment/02-deploy-custom-cacert-secret.yaml create mode 100644 
tests/kuttl/tests/ctlplane-basic-deployment/03-assert-deploy-custom-cacert.yaml create mode 100644 tests/kuttl/tests/ctlplane-basic-deployment/03-deploy-custom-cacert.yaml create mode 100644 tests/kuttl/tests/ctlplane-basic-deployment/04-assert-custom-cacert.yaml rename tests/kuttl/tests/ctlplane-basic-deployment/{02-cleanup.yaml => 05-cleanup.yaml} (54%) rename tests/kuttl/tests/ctlplane-basic-deployment/{02-errors-cleanup.yaml => 05-errors-cleanup.yaml} (100%) create mode 120000 tests/kuttl/tests/ctlplane-tls-cert-rotation/01-assert-deploy-openstack.yaml create mode 100644 tests/kuttl/tests/ctlplane-tls-cert-rotation/01-deploy-openstack.yaml create mode 100644 tests/kuttl/tests/ctlplane-tls-cert-rotation/02-get-endpoints-certs.yaml create mode 100644 tests/kuttl/tests/ctlplane-tls-cert-rotation/03-assert-new-certs.yaml create mode 100644 tests/kuttl/tests/ctlplane-tls-cert-rotation/03-change-cert-duration.yaml create mode 100644 tests/kuttl/tests/ctlplane-tls-cert-rotation/04-assert-service-cert-rotation.yaml create mode 100644 tests/kuttl/tests/ctlplane-tls-cert-rotation/05-cleanup.yaml create mode 120000 tests/kuttl/tests/ctlplane-tls-cert-rotation/05-errors-cleanup.yaml create mode 100644 tests/kuttl/tests/ctlplane-tls-custom-issuers/00-assert-custom-issuers.yaml create mode 100644 tests/kuttl/tests/ctlplane-tls-custom-issuers/00-deploy-custom-issuers.yaml create mode 100644 tests/kuttl/tests/ctlplane-tls-custom-issuers/01-assert-deploy-openstack.yaml create mode 100644 tests/kuttl/tests/ctlplane-tls-custom-issuers/01-deploy-openstack.yaml create mode 100644 tests/kuttl/tests/ctlplane-tls-custom-issuers/02-assert-service-certs-issuers.yaml create mode 120000 tests/kuttl/tests/ctlplane-tls-custom-issuers/03-assert-deploy-openstack.yaml create mode 100644 tests/kuttl/tests/ctlplane-tls-custom-issuers/03-deploy-openstack.yaml create mode 100644 tests/kuttl/tests/ctlplane-tls-custom-issuers/04-assert-service-certs-default-issuers.yaml create mode 100644 
tests/kuttl/tests/ctlplane-tls-custom-issuers/04-rotate-service-certs.yaml create mode 100644 tests/kuttl/tests/ctlplane-tls-custom-issuers/05-cleanup.yaml create mode 120000 tests/kuttl/tests/ctlplane-tls-custom-issuers/05-errors-cleanup.yaml create mode 120000 tests/kuttl/tests/ctlplane-tls-custom-issuers/06-assert-deploy-openstack.yaml create mode 100644 tests/kuttl/tests/ctlplane-tls-custom-issuers/06-deploy-openstack.yaml create mode 100644 tests/kuttl/tests/ctlplane-tls-custom-issuers/07-assert-service-certs-default-issuers.yaml create mode 100644 tests/kuttl/tests/ctlplane-tls-custom-issuers/08-assert-custom-issuers.yaml create mode 100644 tests/kuttl/tests/ctlplane-tls-custom-issuers/08-deploy-custom-issuers.yaml create mode 100644 tests/kuttl/tests/ctlplane-tls-custom-issuers/09-assert-deploy-openstack.yaml create mode 100644 tests/kuttl/tests/ctlplane-tls-custom-issuers/09-deploy-openstack.yaml create mode 100644 tests/kuttl/tests/ctlplane-tls-custom-issuers/10-assert-service-certs-issuers.yaml create mode 100644 tests/kuttl/tests/ctlplane-tls-custom-issuers/10-rotate-service-certs.yaml create mode 100644 tests/kuttl/tests/ctlplane-tls-custom-issuers/11-cleanup.yaml create mode 120000 tests/kuttl/tests/ctlplane-tls-custom-issuers/11-errors-cleanup.yaml diff --git a/Makefile b/Makefile index 99f742444..cd133166f 100644 --- a/Makefile +++ b/Makefile @@ -267,7 +267,7 @@ KUTTL ?= $(LOCALBIN)/kubectl-kuttl KUSTOMIZE_VERSION ?= v3.8.7 CONTROLLER_TOOLS_VERSION ?= v0.11.1 CRD_MARKDOWN_VERSION ?= v0.0.3 -KUTTL_VERSION ?= 0.15.0 +KUTTL_VERSION ?= 0.17.0 KUSTOMIZE_INSTALL_SCRIPT ?= "https://raw.githubusercontent.com/kubernetes-sigs/kustomize/master/hack/install_kustomize.sh" .PHONY: kustomize diff --git a/config/samples/base/openstackcontrolplane/core_v1beta1_openstackcontrolplane.yaml b/config/samples/base/openstackcontrolplane/core_v1beta1_openstackcontrolplane.yaml new file mode 100644 index 000000000..372a49c7e --- /dev/null 
+++ b/config/samples/base/openstackcontrolplane/core_v1beta1_openstackcontrolplane.yaml 
@@ -0,0 +1,198 @@ +apiVersion: core.openstack.org/v1beta1 +kind: OpenStackControlPlane +metadata: + name: openstack-basic +spec: + secret: osp-secret + storageClass: local-storage + keystone: + template: + databaseInstance: openstack + secret: osp-secret + galera: + templates: + openstack: + storageClass: local-storage + storageRequest: 500M + secret: osp-secret + replicas: 1 + openstack-cell1: + storageClass: local-storage + storageRequest: 500M + secret: osp-secret + replicas: 1 + rabbitmq: + templates: + rabbitmq: + replicas: 1 + #resources: + # requests: + # cpu: 500m + # memory: 1Gi + # limits: + # cpu: 800m + # memory: 1Gi + rabbitmq-cell1: + replicas: 1 + memcached: + templates: + memcached: + replicas: 1 + barbican: + template: + databaseInstance: openstack + secret: osp-secret + barbicanAPI: + replicas: 1 + barbicanWorker: + replicas: 1 + barbicanKeystoneListener: + replicas: 1 + placement: + template: + databaseInstance: openstack + secret: osp-secret + glance: + template: + secret: osp-secret + databaseInstance: openstack + storage: + storageClass: "" + storageRequest: 10G + keystoneEndpoint: default + glanceAPIs: + default: + type: single + replicas: 1 + cinder: + template: + databaseInstance: openstack + secret: osp-secret + cinderAPI: + replicas: 1 + cinderScheduler: + replicas: 1 + cinderBackup: + replicas: 0 # backend needs to be configured + cinderVolumes: + volume1: + replicas: 0 # backend needs to be configured + manila: + template: + manilaAPI: + replicas: 1 + manilaScheduler: + replicas: 1 + manilaShares: + share1: + replicas: 1 + ovn: + template: + ovnDBCluster: + ovndbcluster-nb: + replicas: 1 + dbType: NB + storageRequest: 10G + ovndbcluster-sb: + replicas: 1 + dbType: SB + storageRequest: 10G + ovnNorthd: + replicas: 1 + ovnController: {} + neutron: + template: + databaseInstance: openstack + secret: osp-secret + horizon: + template: + replicas: 1 + secret: osp-secret + nova: + template: + secret: osp-secret + heat: + enabled: false + 
template: + databaseInstance: openstack + heatAPI: + replicas: 1 + heatEngine: + replicas: 1 + secret: osp-secret + ironic: + enabled: false + template: + databaseInstance: openstack + ironicAPI: + replicas: 1 + ironicConductors: + - replicas: 1 + storageRequest: 10G + ironicInspector: + replicas: 1 + ironicNeutronAgent: + replicas: 1 + secret: osp-secret + telemetry: + enabled: true + template: + metricStorage: + enabled: false + monitoringStack: + alertingEnabled: true + scrapeInterval: 30s + storage: + strategy: persistent + retention: 24h + persistent: + pvcStorageRequest: 20G + autoscaling: + enabled: false + aodh: + passwordSelectors: + databaseAccount: aodh + databaseInstance: openstack + secret: osp-secret + heatInstance: heat + ceilometer: + enabled: true + secret: osp-secret + logging: + enabled: false + network: internalapi + ipaddr: 172.17.0.80 + port: 10514 + cloNamespace: openshift-logging + swift: + enabled: true + template: + swiftRing: + ringReplicas: 1 + swiftStorage: + replicas: 1 + swiftProxy: + replicas: 1 + octavia: + enabled: false + template: + databaseInstance: openstack + octaviaAPI: + replicas: 1 + secret: osp-secret + designate: + template: + databaseInstance: openstack + secret: osp-secret + designateAPI: + replicas: 1 + designateCentral: + replicas: 0 # backend needs to be configured + designateWorker: + replicas: 0 # backend needs to be configured + designateProducer: + replicas: 0 # backend needs to be configured + designateMdns: + replicas: 0 # backend needs to be configured + designateBackendbind9: + replicas: 0 # backend needs to be configured diff --git a/config/samples/base/openstackcontrolplane/kustomization.yaml b/config/samples/base/openstackcontrolplane/kustomization.yaml new file mode 100644 index 000000000..49681507c --- /dev/null +++ b/config/samples/base/openstackcontrolplane/kustomization.yaml 
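Review bot: The new base sample drops the nova `cellTemplates` block (cell0/cell1 with `cellDatabaseInstance: openstack-cell1` and `cellMessageBusInstance: rabbitmq-cell1`) that the deleted `config/samples/core_v1beta1_openstackcontrolplane.yaml` still carries, while the `openstack-cell1` galera and `rabbitmq-cell1` rabbitmq templates those cells referenced are kept in `spec.galera.templates` and `spec.rabbitmq.templates`. The 15-line difference between the two hunks (198 vs 213 lines) is exactly that block, so it is the only content change the move introduces, and the commit message does not mention it. If the operator's defaults are now meant to provide the cells, say so with `# nova cells come from operator defaults; the cell1 galera/rabbitmq templates above are still required` above `nova:`; otherwise restore the block so the sample keeps deploying the same topology.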
@@ -0,0 +1,10 @@ +resources: +- core_v1beta1_openstackcontrolplane.yaml +patches: + - target: + kind: OpenStackControlPlane + name: .* + patch: |- + - op: replace + path: /metadata/name + value: openstack diff --git a/config/samples/core_v1beta1_openstackcontrolplane.yaml b/config/samples/core_v1beta1_openstackcontrolplane.yaml deleted file mode 100644 index abc222eb6..000000000 --- a/config/samples/core_v1beta1_openstackcontrolplane.yaml +++ /dev/null 
@@ -1,213 +0,0 @@ -apiVersion: core.openstack.org/v1beta1 -kind: OpenStackControlPlane -metadata: - name: openstack-basic -spec: - secret: osp-secret - storageClass: local-storage - keystone: - template: - databaseInstance: openstack - secret: osp-secret - galera: - templates: - openstack: - storageClass: local-storage - storageRequest: 500M - secret: osp-secret - replicas: 1 - openstack-cell1: - storageClass: local-storage - storageRequest: 500M - secret: osp-secret - replicas: 1 - rabbitmq: - templates: - rabbitmq: - replicas: 1 - #resources: - # requests: - # cpu: 500m - # memory: 1Gi - # limits: - # cpu: 800m - # memory: 1Gi - rabbitmq-cell1: - replicas: 1 - memcached: - templates: - memcached: - replicas: 1 - barbican: - template: - databaseInstance: openstack - secret: osp-secret - barbicanAPI: - replicas: 1 - barbicanWorker: - replicas: 1 - barbicanKeystoneListener: - replicas: 1 - placement: - template: - databaseInstance: openstack - secret: osp-secret - glance: - template: - secret: osp-secret - databaseInstance: openstack - storage: - storageClass: "" - storageRequest: 10G - keystoneEndpoint: default - glanceAPIs: - default: - type: single - replicas: 1 - cinder: - template: - databaseInstance: openstack - secret: osp-secret - cinderAPI: - replicas: 1 - cinderScheduler: - replicas: 1 - cinderBackup: - replicas: 0 # backend needs to be configured - cinderVolumes: - volume1: - replicas: 0 # backend needs to be configured - manila: - template: - manilaAPI: - replicas: 1 - manilaScheduler: - replicas: 1 - manilaShares: - share1: - replicas: 1 - ovn: - template: - ovnDBCluster: - ovndbcluster-nb: - replicas: 1 - dbType: NB - storageRequest: 10G - ovndbcluster-sb: - replicas: 1 - dbType: SB - storageRequest: 10G - ovnNorthd: - replicas: 1 - ovnController: {} - neutron: - template: - databaseInstance: openstack - secret: osp-secret - horizon: - template: - replicas: 1 - secret: osp-secret - nova: - template: - cellTemplates: - cell0: - cellDatabaseAccount: 
nova-cell0 - cellDatabaseInstance: openstack - cellMessageBusInstance: rabbitmq - conductorServiceTemplate: - replicas: 1 - hasAPIAccess: true - cell1: - cellDatabaseAccount: nova-cell1 - cellDatabaseInstance: openstack-cell1 - cellMessageBusInstance: rabbitmq-cell1 - conductorServiceTemplate: - replicas: 1 - hasAPIAccess: true - secret: osp-secret - heat: - enabled: false - template: - databaseInstance: openstack - heatAPI: - replicas: 1 - heatEngine: - replicas: 1 - secret: osp-secret - ironic: - enabled: false - template: - databaseInstance: openstack - ironicAPI: - replicas: 1 - ironicConductors: - - replicas: 1 - storageRequest: 10G - ironicInspector: - replicas: 1 - ironicNeutronAgent: - replicas: 1 - secret: osp-secret - telemetry: - enabled: true - template: - metricStorage: - enabled: false - monitoringStack: - alertingEnabled: true - scrapeInterval: 30s - storage: - strategy: persistent - retention: 24h - persistent: - pvcStorageRequest: 20G - autoscaling: - enabled: false - aodh: - passwordSelectors: - databaseAccount: aodh - databaseInstance: openstack - secret: osp-secret - heatInstance: heat - ceilometer: - enabled: true - secret: osp-secret - logging: - enabled: false - network: internalapi - ipaddr: 172.17.0.80 - port: 10514 - cloNamespace: openshift-logging - swift: - enabled: true - template: - swiftRing: - ringReplicas: 1 - swiftStorage: - replicas: 1 - swiftProxy: - replicas: 1 - octavia: - enabled: false - template: - databaseInstance: openstack - octaviaAPI: - replicas: 1 - secret: osp-secret - designate: - template: - databaseInstance: openstack - secret: osp-secret - designateAPI: - replicas: 1 - designateCentral: - replicas: 0 # backend needs to be configured - designateWorker: - replicas: 0 # backend needs to be configured - designateProducer: - replicas: 0 # backend needs to be configured - designateMdns: - replicas: 0 # backend needs to be configured - designateBackendbind9: - replicas: 0 # backend needs to be configured 
diff --git a/config/samples/core_v1beta1_openstackcontrolplane.yaml b/config/samples/core_v1beta1_openstackcontrolplane.yaml new file mode 120000 index 000000000..eda53456e --- /dev/null +++ b/config/samples/core_v1beta1_openstackcontrolplane.yaml @@ -0,0 +1 @@ +base/openstackcontrolplane/core_v1beta1_openstackcontrolplane.yaml \ No newline at end of file diff --git a/config/samples/tls/custom_ca/kustomization.yaml b/config/samples/tls/custom_ca/kustomization.yaml new file mode 100644 index 000000000..94aa1cafb --- /dev/null +++ b/config/samples/tls/custom_ca/kustomization.yaml @@ -0,0 +1,14 @@ +resources: +- ../../base/openstackcontrolplane + +patches: +- target: + kind: OpenStackControlPlane + name: .* + patch: |- + - op: replace + path: /metadata/name + value: openstack +- target: + kind: OpenStackControlPlane + path: patch.yaml diff --git a/config/samples/tls/custom_ca/patch.yaml b/config/samples/tls/custom_ca/patch.yaml new file mode 100644 index 000000000..928a2d784 --- /dev/null +++ b/config/samples/tls/custom_ca/patch.yaml @@ -0,0 +1,7 @@ +apiVersion: core.openstack.org/v1beta1 +kind: OpenStackControlPlane +metadata: + name: openstack +spec: + tls: + caBundleSecretName: ca-custom-kuttl diff --git a/config/samples/tls/custom_duration/kustomization.yaml b/config/samples/tls/custom_duration/kustomization.yaml new file mode 100644 index 000000000..94aa1cafb --- /dev/null +++ b/config/samples/tls/custom_duration/kustomization.yaml @@ -0,0 +1,14 @@ +resources: +- ../../base/openstackcontrolplane + +patches: +- target: + kind: OpenStackControlPlane + name: .* + patch: |- + - op: replace + path: /metadata/name + value: openstack +- target: + kind: OpenStackControlPlane + path: patch.yaml diff --git a/config/samples/tls/custom_duration/patch.yaml b/config/samples/tls/custom_duration/patch.yaml new file mode 100644 index 000000000..a86bb729f --- /dev/null +++ b/config/samples/tls/custom_duration/patch.yaml 
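Review bot: The JSON patch renaming the OpenStackControlPlane to `openstack` is repeated in this overlay although `../../base/openstackcontrolplane` already applies the identical patch in its own kustomization.yaml, so the first `target:` entry with `name: .*` is a no-op that each overlay has to keep in sync; custom_duration (same line) and custom_issuers (next line) share the same file content, index 94aa1cafb. Keep only the `- target: kind: OpenStackControlPlane` / `path: patch.yaml` entry under `patches:` in the overlays, and if the base resource is meant to be applied on its own, name it `openstack` directly in the sample rather than patching `openstack-basic` afterwards.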
@@ -0,0 +1,27 @@ +apiVersion: core.openstack.org/v1beta1 +kind: OpenStackControlPlane +metadata: + name: openstack +spec: + tls: + ingress: + ca: + duration: 1000h0m0s + cert: + duration: 500h0m0s + podLevel: + internal: + ca: + duration: 1000h0m0s + cert: + duration: 500h0m0s + libvirt: + ca: + duration: 1000h0m0s + cert: + duration: 500h0m0s + ovn: + ca: + duration: 1000h0m0s + cert: + duration: 500h0m0s diff --git a/config/samples/tls/custom_issuers/kustomization.yaml b/config/samples/tls/custom_issuers/kustomization.yaml new file mode 100644 index 000000000..94aa1cafb --- /dev/null +++ b/config/samples/tls/custom_issuers/kustomization.yaml @@ -0,0 +1,14 @@ +resources: +- ../../base/openstackcontrolplane + +patches: +- target: + kind: OpenStackControlPlane + name: .* + patch: |- + - op: replace + path: /metadata/name + value: openstack +- target: + kind: OpenStackControlPlane + path: patch.yaml diff --git a/config/samples/tls/custom_issuers/patch.yaml b/config/samples/tls/custom_issuers/patch.yaml new file mode 100644 index 000000000..65226ba20 --- /dev/null +++ b/config/samples/tls/custom_issuers/patch.yaml @@ -0,0 +1,13 @@ +apiVersion: core.openstack.org/v1beta1 +kind: OpenStackControlPlane +metadata: + name: openstack +spec: + tls: + ingress: + ca: + customIssuer: rootca-ingress-custom + podLevel: + internal: + ca: + customIssuer: rootca-internal-custom diff --git a/tests/kuttl/common/assert-sample-deployment.yaml b/tests/kuttl/common/assert-sample-deployment.yaml index 8d8f83928..d3f254cb4 100644 --- a/tests/kuttl/common/assert-sample-deployment.yaml +++ b/tests/kuttl/common/assert-sample-deployment.yaml @@ -1,7 +1,7 @@ apiVersion: core.openstack.org/v1beta1 kind: OpenStackControlPlane metadata: - name: openstack-basic + name: openstack spec: secret: osp-secret keystone: diff --git a/tests/kuttl/common/custom-ca.yaml b/tests/kuttl/common/custom-ca.yaml new file mode 100644 index 000000000..65ddf95e4 --- /dev/null +++ b/tests/kuttl/common/custom-ca.yaml 
@@ -0,0 +1,10 @@ +# Secret to test the custom CA cert added to the bundle deployed by the os-operator +apiVersion: v1 +kind: Secret +type: Opaque +metadata: + name: ca-custom-kuttl + labels: + combined-ca-bundle: "" +data: + ca-custom-kuttl.pem: 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 diff --git a/tests/kuttl/common/custom-ingress-issuer.yaml b/tests/kuttl/common/custom-ingress-issuer.yaml new file mode 100644 index 000000000..76ea57699 --- /dev/null +++ b/tests/kuttl/common/custom-ingress-issuer.yaml @@ -0,0 +1,26 @@ +# Create a custom Issuer +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + name: rootca-ingress-custom +spec: + ca: + secretName: rootca-ingress-custom + +--- +# Create the CA for the custom issuer +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: rootca-ingress-custom +spec: + commonName: rootca-ingress-custom + isCA: true + duration: 87600h + privateKey: + algorithm: ECDSA + size: 256 + issuerRef: + name: selfsigned-issuer + kind: Issuer + secretName: rootca-ingress-custom diff --git a/tests/kuttl/common/custom-internal-issuer.yaml b/tests/kuttl/common/custom-internal-issuer.yaml new file mode 100644 index 000000000..84d6f7505 --- /dev/null +++ b/tests/kuttl/common/custom-internal-issuer.yaml @@ -0,0 +1,26 @@ +# Create a custom Issuer +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + name: rootca-internal-custom +spec: + ca: + secretName: rootca-internal-custom + +--- +# Create the CA for the custom issuer +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: rootca-internal-custom +spec: + commonName: rootca-internal-custom + isCA: true + duration: 87600h + privateKey: + algorithm: ECDSA + size: 256 + issuerRef: + name: selfsigned-issuer + kind: Issuer + secretName: rootca-internal-custom diff --git a/tests/kuttl/common/osp_check_cert_issuer.sh b/tests/kuttl/common/osp_check_cert_issuer.sh new file mode 100755 index 000000000..16c412a84 --- /dev/null 
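Review bot: The committed `ca-custom-kuttl.pem` value is undocumented: the manifest does not say whether it is a public CA certificate only or also carries key material, how it was produced, or when it expires, and a fixed test CA past its notAfter may start failing the scenario without an obvious cause. Extend the header comment along the lines of `# ca-custom-kuttl.pem: public CA certificate only (no private key); throw-away test CA, expires <DATE>` with the real date filled in, and confirm before merging that the blob decodes to a single CERTIFICATE block. The `combined-ca-bundle: ""` label is, going by the first comment line, what the operator selects on, so a one-line note on it would help too.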
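Review bot: Both Certificates reference `issuerRef: name: selfsigned-issuer`, but no `selfsigned-issuer` Issuer is created anywhere in this commit, so the custom CAs only come up when the test namespace already provides one; add `# Requires the selfsigned-issuer Issuer to already exist in the namespace` above the Certificate so the dependency is visible. custom-internal-issuer.yaml is the same file apart from the `rootca-internal-custom` name and could be generated from one source with a kustomize nameSuffix, which also keeps the two CAs' `duration: 87600h` and key parameters from drifting. The Issuer is listed before the Certificate that creates its `secretName`, so it will stay not-ready until cert-manager has issued the CA; that is fine for kuttl but worth a short comment on the Issuer.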
+++ b/tests/kuttl/common/osp_check_cert_issuer.sh 
@@ -0,0 +1,81 @@
+#!/bin/bash
+
+set -x
+
+EXPECTED_ISSUER="$1"
+ENDPOINT_TYPE="$2"
+ISSUER_MISMATCHES=""
+ALL_MATCHED=1
+
+function extract_host_port {
+ local endpoint_url=$1
+ local host_port
+
+ if [[ "$ENDPOINT_TYPE" == "public" ]]; then
+ # Extract the hostname and port for public endpoints
+ host_port=$(echo "$endpoint_url" | sed -E 's|^[^:/]+://([^:/]+).*|\1|')
+ else
+ # Extract the hostname and port for internal endpoints, keeping the port if specified
+ host_port=$(echo "$endpoint_url" | sed -E 's|^[^:/]+://([^:/]+(:[0-9]+)?).*|\1|')
+ fi
+
+ # If no port is specified, add :443
+ if [[ ! "$host_port" =~ :[0-9]+$ ]]; then
+ host_port="${host_port}:443"
+ fi
+
+ echo "$host_port"
+}
+
+function check_keystone_endpoint {
+ local endpoint_url=$1
+
+ echo "Checking Keystone endpoint $endpoint_url ..."
+ http_status=$(curl -s -o /dev/null -w "%{http_code}" "$endpoint_url")
+
+ if [[ "$http_status" -ge 200 && "$http_status" -lt 400 ]]; then
+ return 0
+ else
+ return 1
+ fi
+}
+
+keystone_url=$(openstack endpoint list -c URL -f value | grep 'keystone-public')
+keystone_host_port=$(extract_host_port "$keystone_url")
+
+if ! check_keystone_endpoint "$keystone_url"; then
+ echo "Failed to connect to Keystone public endpoint."
+ exit 1
+fi
+
+# Determine endpoint filter
+if [[ "$ENDPOINT_TYPE" == "public" ]]; then
+ endpoint_filter='public'
+else
+ endpoint_filter='svc'
+fi
+
+# Check endpoints for the expected issuer
+for url in $(openstack endpoint list -c URL -f value | grep "$endpoint_filter"); do
+ host_port=$(extract_host_port "$url")
+
+ echo "Checking $host_port ..."
+ if [[ "$ENDPOINT_TYPE" == "public" ]]; then
+ ISSUER=$(echo | openssl s_client -connect "$host_port" 2>/dev/null | openssl x509 -noout -issuer | sed -n 's/^.*CN=\([^,]*\).*$/\1/p')
+ else
+ ISSUER=$(openssl s_client -connect $host_port < /dev/null 2>/dev/null | openssl x509 -issuer -noout -in /dev/stdin)
+ fi
+
+ if [[ "$ISSUER" != "$EXPECTED_ISSUER" ]]; then
+ ISSUER_MISMATCHES+="$host_port issued by $ISSUER, expected $EXPECTED_ISSUER\n"
+ ALL_MATCHED=0
+ fi
+done
+
+if [ "$ALL_MATCHED" -eq 1 ]; then
+ echo "All certificates match the custom issuer $EXPECTED_ISSUER"
+ exit 0
+else
+ echo -e "Mismatched issuers found:\n$ISSUER_MISMATCHES"
+ exit 1
+fi
diff --git a/tests/kuttl/common/osp_check_fingerprints.sh b/tests/kuttl/common/osp_check_fingerprints.sh
new file mode 100755
index 000000000..ed80c019a
--- /dev/null
+++ b/tests/kuttl/common/osp_check_fingerprints.sh
@@ -0,0 +1,24 @@
+#!/bin/bash
+set -x
+
+# Check if all services from before are present in after and have valid fingerprints
+while IFS= read -r before; do
+ eval $(echo "$before" | awk '{print "service_name="$1" fp_before="$2}')
+ fp_after=$(grep -F "$service_name" /tmp/endpoint_fingerprints_after | awk '{ print $2}')
+
+ echo -n "Endpoint $service_name - "
+
+ if [ -z "$fp_after" ]; then
+ echo "not found in endpoint_fingerprints_after"
+ exit 1
+ fi
+
+ if [ "$fp_before" = "$fp_after" ]; then
+ echo "ERROR cert not rotated - before: $fp_before - after: $fp_after"
+ exit 1
+ fi
+
+ echo "OK cert rotated - before: $fp_before - after: $fp_after"
+done < /tmp/endpoint_fingerprints_before
+
+exit 0
diff --git a/tests/kuttl/common/osp_endpoint_fingerprints.sh b/tests/kuttl/common/osp_endpoint_fingerprints.sh
new file mode 100755
index 000000000..9d57c65ba
--- /dev/null
+++ b/tests/kuttl/common/osp_endpoint_fingerprints.sh
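Review bot: Neither `openssl s_client` call in the issuer loop sends SNI, so on a router that serves several routes on the same `host:443` the server may present its default certificate instead of the route's, and the issuer comparison then passes or fails on the wrong certificate; add `-servername "${host_port%%:*}"` to both calls (osp_endpoint_fingerprints.sh on the next line has the same gap). The two branches also yield different strings: the public branch reduces the issuer to its CN with `sed`, while the internal branch keeps openssl's full `issuer=CN = ...` line, so `EXPECTED_ISSUER` must be passed in a different format depending on `ENDPOINT_TYPE` — normalise both to the CN, or state the expected argument format in a header comment. Minor: `-connect $host_port` in the internal branch is unquoted while the public branch quotes it, `keystone_host_port` is assigned but never used, and `extract_host_port` discards an explicit port from public URLs before appending `:443`, which is only right if public endpoints are always served on 443.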
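Review bot: `eval $(echo "$before" | awk ...)` executes text that originates from the endpoint list via /tmp/endpoint_fingerprints_before, so any unexpected character in a host name or fingerprint is run as shell; `read` splits the two fields without that, `while read -r service_name fp_before; do`. `grep -F "$service_name"` is a substring match, so `host:443` also matches `host:4430` and a short host name matches a longer one; `fp_after=$(awk -v s="$service_name" '$1 == s { print $2 }' /tmp/endpoint_fingerprints_after)` compares the whole field. The fixed /tmp paths are produced by a step outside this hunk; a comment naming that producer (and that the files are one `host:port fingerprint` pair per line) would help the reader.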
@@ -0,0 +1,17 @@ +#!/bin/bash +set -x + +for url in $(openstack endpoint list -c URL -f value | awk -F/ '{print $3}'); do + # Extract the hostname and port + host_port=$(echo "$url" | sed -E 's|^[^:/]+://([^:/]+)(:([0-9]+))?.*|\1:\3|') + + # If no port is specified, add :443 + if [[ ! "$host_port" =~ :[0-9]+$ ]]; then + host_port="${host_port}:443" + fi + + finger_print=$(openssl s_client -connect $host_port < /dev/null 2>/dev/null | openssl x509 -fingerprint -noout -in /dev/stdin | sed 's/.* Fingerprint=//') + if [[ -n "$finger_print" ]]; then + echo "$host_port $finger_print" + fi +done diff --git a/tests/kuttl/tests/ctlplane-basic-deployment/01-deploy-openstack.yaml b/tests/kuttl/tests/ctlplane-basic-deployment/01-deploy-openstack.yaml index 67c4eb347..6c9d0887d 100644 --- a/tests/kuttl/tests/ctlplane-basic-deployment/01-deploy-openstack.yaml +++ b/tests/kuttl/tests/ctlplane-basic-deployment/01-deploy-openstack.yaml @@ -2,4 +2,4 @@ apiVersion: kuttl.dev/v1beta1 kind: TestStep commands: - script: | - oc apply -n $NAMESPACE -f ../../../../config/samples/core_v1beta1_openstackcontrolplane.yaml + oc kustomize ../../../../config/samples/base/openstackcontrolplane | oc apply -n $NAMESPACE -f - diff --git a/tests/kuttl/tests/ctlplane-basic-deployment/02-assert-custom-cacert-secret.yaml b/tests/kuttl/tests/ctlplane-basic-deployment/02-assert-custom-cacert-secret.yaml new file mode 100644 index 000000000..2d2b2c4df --- /dev/null +++ b/tests/kuttl/tests/ctlplane-basic-deployment/02-assert-custom-cacert-secret.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: Secret +metadata: + name: ca-custom-kuttl diff --git a/tests/kuttl/tests/ctlplane-basic-deployment/02-deploy-custom-cacert-secret.yaml b/tests/kuttl/tests/ctlplane-basic-deployment/02-deploy-custom-cacert-secret.yaml new file mode 100644 index 000000000..586b50326 --- /dev/null +++ b/tests/kuttl/tests/ctlplane-basic-deployment/02-deploy-custom-cacert-secret.yaml 
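Review bot: The `sed` inside the loop never matches: `awk -F/ '{print $3}'` has already reduced each URL to `host` or `host:port`, so the `^[^:/]+://` prefix in the pattern is gone and `host_port` is simply `$url`; drop the sed and iterate as `for host_port in $(openstack endpoint list -c URL -f value | awk -F/ '{print $3}'); do`, or feed sed the full URL. `openssl x509 -fingerprint` without a digest option falls back to the tool's default digest, which is fine for a before/after comparison but worth pinning with `-sha256` so recorded values do not depend on the openssl build. As in osp_check_cert_issuer.sh, the `s_client` call sends no SNI (`-servername`), so a router may hand back its default certificate rather than the endpoint's.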
@@ -0,0 +1,6 @@ +# Deploys the custom CA to be added to the combined-ca-bundle by operator +apiVersion: kuttl.dev/v1beta1 +kind: TestStep +commands: + - script: | + oc apply -n $NAMESPACE -f ../../common/custom-ca.yaml diff --git a/tests/kuttl/tests/ctlplane-basic-deployment/03-assert-deploy-custom-cacert.yaml b/tests/kuttl/tests/ctlplane-basic-deployment/03-assert-deploy-custom-cacert.yaml new file mode 100644 index 000000000..1c87deecb --- /dev/null +++ b/tests/kuttl/tests/ctlplane-basic-deployment/03-assert-deploy-custom-cacert.yaml 
@@ -0,0 +1,105 @@ +apiVersion: core.openstack.org/v1beta1 +kind: OpenStackControlPlane +metadata: + name: openstack +spec: + tls: + caBundleSecretName: ca-custom-kuttl +status: + conditions: + - message: Setup complete + reason: Ready + status: "True" + type: Ready + - message: OpenStackControlPlane Barbican completed + reason: Ready + status: "True" + type: OpenStackControlPlaneBarbicanReady + - message: OpenStackControlPlane CAs completed + reason: Ready + status: "True" + type: OpenStackControlPlaneCAReadyCondition + - message: OpenStackControlPlane Cinder completed + reason: Ready + status: "True" + type: OpenStackControlPlaneCinderReady + - message: OpenStackControlPlane Client completed + reason: Ready + status: "True" + type: OpenStackControlPlaneClientReady + - message: OpenStackControlPlane barbican service exposed + reason: Ready + status: "True" + type: OpenStackControlPlaneExposeBarbicanReady + - message: OpenStackControlPlane cinder service exposed + reason: Ready + status: "True" + type: OpenStackControlPlaneExposeCinderReady + - message: OpenStackControlPlane glance service exposed + reason: Ready + status: "True" + type: OpenStackControlPlaneExposeGlanceReady + - message: OpenStackControlPlane keystone service exposed + reason: Ready + status: "True" + type: OpenStackControlPlaneExposeKeystoneAPIReady + - message: OpenStackControlPlane neutron service exposed + reason: Ready + status: "True" + type: OpenStackControlPlaneExposeNeutronReady + - message: OpenStackControlPlane nova service exposed + reason: Ready + status: "True" + type: OpenStackControlPlaneExposeNovaReady + - message: OpenStackControlPlane placement service exposed + reason: Ready + status: "True" + type: OpenStackControlPlaneExposePlacementAPIReady + - message: OpenStackControlPlane swift service exposed + reason: Ready + status: "True" + type: OpenStackControlPlaneExposeSwiftReady + - message: OpenStackControlPlane Glance completed + reason: Ready + status: "True" + type: 
OpenStackControlPlaneGlanceReady + - message: OpenStackControlPlane KeystoneAPI completed + reason: Ready + status: "True" + type: OpenStackControlPlaneKeystoneAPIReady + - message: OpenStackControlPlane MariaDB completed + reason: Ready + status: "True" + type: OpenStackControlPlaneMariaDBReady + - message: OpenStackControlPlane Memcached completed + reason: Ready + status: "True" + type: OpenStackControlPlaneMemcachedReady + - message: OpenStackControlPlane Neutron completed + reason: Ready + status: "True" + type: OpenStackControlPlaneNeutronReady + - message: OpenStackControlPlane Nova completed + reason: Ready + status: "True" + type: OpenStackControlPlaneNovaReady + - message: OpenStackControlPlane OVN completed + reason: Ready + status: "True" + type: OpenStackControlPlaneOVNReady + - message: OpenStackControlPlane PlacementAPI completed + reason: Ready + status: "True" + type: OpenStackControlPlanePlacementAPIReady + - message: OpenStackControlPlane RabbitMQ completed + reason: Ready + status: "True" + type: OpenStackControlPlaneRabbitMQReady + - message: OpenStackControlPlane Swift completed + reason: Ready + status: "True" + type: OpenStackControlPlaneSwiftReady + - message: OpenStackControlPlane Telemetry completed + reason: Ready + status: "True" + type: OpenStackControlPlaneTelemetryReady diff --git a/tests/kuttl/tests/ctlplane-basic-deployment/03-deploy-custom-cacert.yaml b/tests/kuttl/tests/ctlplane-basic-deployment/03-deploy-custom-cacert.yaml new file mode 100644 index 000000000..70b04687d --- /dev/null +++ b/tests/kuttl/tests/ctlplane-basic-deployment/03-deploy-custom-cacert.yaml @@ -0,0 +1,6 @@ +# Deploys the custom CA to be added to the combined-ca-bundle by operator +apiVersion: kuttl.dev/v1beta1 +kind: TestStep +commands: + - script: | + oc kustomize ../../../../config/samples/tls/custom_ca | oc apply -n $NAMESPACE -f - 
diff --git a/tests/kuttl/tests/ctlplane-basic-deployment/04-assert-custom-cacert.yaml b/tests/kuttl/tests/ctlplane-basic-deployment/04-assert-custom-cacert.yaml
new file mode 100644
index 000000000..f935d7db6
--- /dev/null
+++ b/tests/kuttl/tests/ctlplane-basic-deployment/04-assert-custom-cacert.yaml
@@ -0,0 +1,15 @@
+# Checks the presence of the ca-custom-kuttl cert data in the combined-ca-bundle secret
+apiVersion: kuttl.dev/v1beta1
+kind: TestAssert
+commands:
+ - script: |
+ echo "Checking ca-custom-kuttl.pem is present in combined-ca-bundle..."
+ CUSTOM_CERT_CONTENT=$(oc get secret ca-custom-kuttl -n $NAMESPACE -o jsonpath="{.data['ca-custom-kuttl\.pem']}" | base64 --decode | tr -d '\n')
+ TLS_BUNDLE_CONTENT=$(oc get secret combined-ca-bundle -n $NAMESPACE -o jsonpath="{.data['tls-ca-bundle\.pem']}" | base64 --decode | tr -d '\n')
+ if [[ "$TLS_BUNDLE_CONTENT" == *"$CUSTOM_CERT_CONTENT"* ]]; then
+ echo "OK"
+ exit 0
+ else
+ echo "Not present"
+ exit 1
+ fi
diff --git a/tests/kuttl/tests/ctlplane-basic-deployment/02-cleanup.yaml b/tests/kuttl/tests/ctlplane-basic-deployment/05-cleanup.yaml
similarity index 54%
rename from tests/kuttl/tests/ctlplane-basic-deployment/02-cleanup.yaml
rename to tests/kuttl/tests/ctlplane-basic-deployment/05-cleanup.yaml
index 41d34afad..6b4992512 100644
--- a/tests/kuttl/tests/ctlplane-basic-deployment/02-cleanup.yaml
+++ b/tests/kuttl/tests/ctlplane-basic-deployment/05-cleanup.yaml
@@ -3,8 +3,11 @@ kind: TestStep
 delete:
 - apiVersion: core.openstack.org/v1beta1
 kind: OpenStackControlPlane
- name: openstack-basic
+ name: openstack
 commands:
 - script: |
 oc delete --ignore-not-found=true -n $NAMESPACE pvc \
 srv-swift-storage-0
+ oc delete secret --ignore-not-found=true combined-ca-bundle -n $NAMESPACE
+ oc delete secret -l service-cert -n $NAMESPACE
+ oc delete secret -l ca-cert -n $NAMESPACE
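Review bot: The substring check `[[ "$TLS_BUNDLE_CONTENT" == *"$CUSTOM_CERT_CONTENT"* ]]` passes vacuously when `CUSTOM_CERT_CONTENT` is empty, which is what the command substitution yields if `oc get secret ca-custom-kuttl` fails or the `ca-custom-kuttl.pem` key is missing, since the pipeline's exit status is discarded. Requiring a non-empty value closes that: `if [[ -n "$CUSTOM_CERT_CONTENT" && "$TLS_BUNDLE_CONTENT" == *"$CUSTOM_CERT_CONTENT"* ]]; then`, and `set -eo pipefail` at the top of the script makes a failing `oc get` or `base64` abort the assert instead of being reported as "Not present". This assert also sets no `timeout:` while the sibling asserts in this patch set 900, 500 and 60 explicitly; regeneration of combined-ca-bundle after the spec change may take longer than kuttl's default, so an explicit value avoids a spurious failure.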
diff --git a/tests/kuttl/tests/ctlplane-basic-deployment/02-errors-cleanup.yaml b/tests/kuttl/tests/ctlplane-basic-deployment/05-errors-cleanup.yaml
similarity index 100%
rename from tests/kuttl/tests/ctlplane-basic-deployment/02-errors-cleanup.yaml
rename to tests/kuttl/tests/ctlplane-basic-deployment/05-errors-cleanup.yaml
diff --git a/tests/kuttl/tests/ctlplane-collapsed/02-cleanup.yaml b/tests/kuttl/tests/ctlplane-collapsed/02-cleanup.yaml
index 455b07e46..0f45e50bc 100644
--- a/tests/kuttl/tests/ctlplane-collapsed/02-cleanup.yaml
+++ b/tests/kuttl/tests/ctlplane-collapsed/02-cleanup.yaml
@@ -4,3 +4,8 @@ delete:
 - apiVersion: core.openstack.org/v1beta1
 kind: OpenStackControlPlane
 name: openstack-collapsed-cell
+commands:
+- script: |
+ oc delete secret --ignore-not-found=true combined-ca-bundle -n $NAMESPACE
+ oc delete secret -l service-cert -n $NAMESPACE
+ oc delete secret -l ca-cert -n $NAMESPACE
diff --git a/tests/kuttl/tests/ctlplane-galera-3replicas/02-cleanup.yaml b/tests/kuttl/tests/ctlplane-galera-3replicas/02-cleanup.yaml
index 095e1978f..22507881a 100644
--- a/tests/kuttl/tests/ctlplane-galera-3replicas/02-cleanup.yaml
+++ b/tests/kuttl/tests/ctlplane-galera-3replicas/02-cleanup.yaml
@@ -13,3 +13,6 @@ commands:
 mysql-db-openstack-cell1-galera-0 \
 mysql-db-openstack-cell1-galera-1 \
 mysql-db-openstack-cell1-galera-2
+ oc delete secret --ignore-not-found=true combined-ca-bundle -n $NAMESPACE
+ oc delete secret -l service-cert -n $NAMESPACE
+ oc delete secret -l ca-cert -n $NAMESPACE
diff --git a/tests/kuttl/tests/ctlplane-galera-basic/02-cleanup.yaml b/tests/kuttl/tests/ctlplane-galera-basic/02-cleanup.yaml
index 7dd0adf99..1067fba89 100644
--- a/tests/kuttl/tests/ctlplane-galera-basic/02-cleanup.yaml
+++ b/tests/kuttl/tests/ctlplane-galera-basic/02-cleanup.yaml
@@ -10,3 +10,6 @@ commands:
 mysql-db-openstack-galera-0 \
 mysql-db-openstack-cell1-galera-0 \
 srv-swift-storage-0
+ oc delete secret --ignore-not-found=true combined-ca-bundle -n $NAMESPACE
+ oc delete secret -l service-cert -n $NAMESPACE
+ oc delete secret -l ca-cert -n $NAMESPACE
diff --git a/tests/kuttl/tests/ctlplane-tls-cert-rotation/01-assert-deploy-openstack.yaml b/tests/kuttl/tests/ctlplane-tls-cert-rotation/01-assert-deploy-openstack.yaml
new file mode 120000
index 000000000..762a8cf31
--- /dev/null
+++ b/tests/kuttl/tests/ctlplane-tls-cert-rotation/01-assert-deploy-openstack.yaml
@@ -0,0 +1 @@
+../../common/assert-sample-deployment.yaml
\ No newline at end of file
diff --git a/tests/kuttl/tests/ctlplane-tls-cert-rotation/01-deploy-openstack.yaml b/tests/kuttl/tests/ctlplane-tls-cert-rotation/01-deploy-openstack.yaml
new file mode 100644
index 000000000..6c9d0887d
--- /dev/null
+++ b/tests/kuttl/tests/ctlplane-tls-cert-rotation/01-deploy-openstack.yaml
@@ -0,0 +1,5 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+ - script: |
+ oc kustomize ../../../../config/samples/base/openstackcontrolplane | oc apply -n $NAMESPACE -f -
diff --git a/tests/kuttl/tests/ctlplane-tls-cert-rotation/02-get-endpoints-certs.yaml b/tests/kuttl/tests/ctlplane-tls-cert-rotation/02-get-endpoints-certs.yaml
new file mode 100644
index 000000000..7719160a1
--- /dev/null
+++ b/tests/kuttl/tests/ctlplane-tls-cert-rotation/02-get-endpoints-certs.yaml
@@ -0,0 +1,6 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+ - script: |
+ echo "Get fingerprints of all service certs"
+ oc exec -i openstackclient -n $NAMESPACE -- bash -s < ../../common/osp_endpoint_fingerprints.sh > /tmp/endpoint_fingerprints_before
diff --git a/tests/kuttl/tests/ctlplane-tls-cert-rotation/03-assert-new-certs.yaml b/tests/kuttl/tests/ctlplane-tls-cert-rotation/03-assert-new-certs.yaml
new file mode 100644
index 000000000..ecb93f1e1
--- /dev/null
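Review bot: The `oc exec … > /tmp/endpoint_fingerprints_before` step in 02-get-endpoints-certs.yaml records nothing when it fails: if the exec or the script inside the pod errors out, the file is created empty and the step still passes, so the later comparison in 04-assert-service-cert-rotation.yaml (osp_check_fingerprints.sh is not in this chunk, so what it does with an empty baseline is unknown) may succeed without any certificate having been fingerprinted. A minimal guard is `test -s /tmp/endpoint_fingerprints_before` after the redirect, and the same for `/tmp/endpoint_fingerprints_after` in that assert. A fixed path under /tmp is also shared by concurrent kuttl runs on the same host; deriving the file name from `$NAMESPACE` keeps their baselines apart.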
+++ b/tests/kuttl/tests/ctlplane-tls-cert-rotation/03-assert-new-certs.yaml 
@@ -0,0 +1,317 @@ +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: keystone-public-route +spec: + duration: 500h0m0s +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: keystone-public-svc +spec: + duration: 500h0m0s +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: keystone-internal-svc +spec: + duration: 500h0m0s +--- +apiVersion: core.openstack.org/v1beta1 +kind: OpenStackControlPlane +metadata: + name: openstack +spec: + secret: osp-secret + keystone: + template: + databaseInstance: openstack + secret: osp-secret + galera: + enabled: true + templates: + openstack: + storageRequest: 500M + secret: osp-secret + replicas: 1 + openstack-cell1: + storageRequest: 500M + secret: osp-secret + replicas: 1 + rabbitmq: + templates: + rabbitmq: + replicas: 1 + rabbitmq-cell1: + replicas: 1 + memcached: + templates: + memcached: + replicas: 1 + placement: + template: + databaseInstance: openstack + secret: osp-secret + glance: + template: + databaseInstance: openstack + secret: osp-secret + glanceAPIs: + default: + replicas: 1 + storage: + storageRequest: 10G + cinder: + template: + databaseInstance: openstack + secret: osp-secret + cinderAPI: + replicas: 1 + cinderScheduler: + replicas: 1 + cinderBackup: + replicas: 0 # backend needs to be configured + cinderVolumes: + volume1: + replicas: 0 # backend needs to be configured + manila: + template: + manilaAPI: + replicas: 1 + manilaScheduler: + replicas: 1 + manilaShares: + share1: + replicas: 1 + ovn: + template: + ovnDBCluster: + ovndbcluster-nb: + replicas: 1 + dbType: NB + storageRequest: 10G + ovndbcluster-sb: + replicas: 1 + dbType: SB + storageRequest: 10G + ovnNorthd: + replicas: 1 + ovnController: + external-ids: + system-id: "random" + ovn-bridge: "br-int" + ovn-encap-type: "geneve" + neutron: + template: + databaseInstance: openstack + secret: osp-secret + horizon: + template: + replicas: 1 + secret: osp-secret + nova: + template: + secret: 
osp-secret + heat: + enabled: false + template: + databaseInstance: openstack + heatAPI: + replicas: 1 + heatEngine: + replicas: 1 + secret: osp-secret + octavia: + enabled: false + template: + databaseInstance: openstack + octaviaAPI: + replicas: 1 + secret: osp-secret + ironic: + enabled: false + template: + databaseInstance: openstack + ironicAPI: + replicas: 1 + ironicConductors: + - replicas: 1 + storageRequest: 10G + ironicInspector: + replicas: 1 + ironicNeutronAgent: + replicas: 1 + secret: osp-secret + telemetry: + enabled: true + template: + autoscaling: + aodh: + secret: osp-secret + serviceUser: aodh + ceilometer: + passwordSelector: + ceilometerService: CeilometerPassword + secret: osp-secret + serviceUser: ceilometer + swift: + enabled: true + template: + swiftRing: + ringReplicas: 1 + swiftStorage: + replicas: 1 + swiftProxy: + replicas: 1 + designate: + enabled: false + template: + databaseInstance: openstack + secret: osp-secret + designateAPI: + replicas: 1 + designateCentral: + replicas: 0 # backend needs to be configured + designateWorker: + replicas: 0 # backend needs to be configured + designateProducer: + replicas: 0 # backend needs to be configured + designateMdns: + replicas: 0 # backend needs to be configured + designateBackendbind9: + replicas: 0 # backend needs to be configured + barbican: + enabled: true + template: + databaseInstance: openstack + secret: osp-secret + barbicanAPI: + replicas: 1 + barbicanWorker: + replicas: 1 + barbicanKeystoneListener: + replicas: 1 + tls: + ingress: + enabled: true + ca: + duration: 1000h0m0s + cert: + duration: 500h0m0s + podLevel: + enabled: true + internal: + ca: + duration: 1000h0m0s + cert: + duration: 500h0m0s + libvirt: + ca: + duration: 1000h0m0s + cert: + duration: 500h0m0s + ovn: + ca: + duration: 1000h0m0s + cert: + duration: 500h0m0s +status: + conditions: + - message: Setup complete + reason: Ready + status: "True" + type: Ready + - message: OpenStackControlPlane Barbican completed + 
reason: Ready + status: "True" + type: OpenStackControlPlaneBarbicanReady + - message: OpenStackControlPlane CAs completed + reason: Ready + status: "True" + type: OpenStackControlPlaneCAReadyCondition + - message: OpenStackControlPlane Cinder completed + reason: Ready + status: "True" + type: OpenStackControlPlaneCinderReady + - message: OpenStackControlPlane Client completed + reason: Ready + status: "True" + type: OpenStackControlPlaneClientReady + - message: OpenStackControlPlane barbican service exposed + reason: Ready + status: "True" + type: OpenStackControlPlaneExposeBarbicanReady + - message: OpenStackControlPlane cinder service exposed + reason: Ready + status: "True" + type: OpenStackControlPlaneExposeCinderReady + - message: OpenStackControlPlane glance service exposed + reason: Ready + status: "True" + type: OpenStackControlPlaneExposeGlanceReady + - message: OpenStackControlPlane keystone service exposed + reason: Ready + status: "True" + type: OpenStackControlPlaneExposeKeystoneAPIReady + - message: OpenStackControlPlane neutron service exposed + reason: Ready + status: "True" + type: OpenStackControlPlaneExposeNeutronReady + - message: OpenStackControlPlane nova service exposed + reason: Ready + status: "True" + type: OpenStackControlPlaneExposeNovaReady + - message: OpenStackControlPlane placement service exposed + reason: Ready + status: "True" + type: OpenStackControlPlaneExposePlacementAPIReady + - message: OpenStackControlPlane swift service exposed + reason: Ready + status: "True" + type: OpenStackControlPlaneExposeSwiftReady + - message: OpenStackControlPlane Glance completed + reason: Ready + status: "True" + type: OpenStackControlPlaneGlanceReady + - message: OpenStackControlPlane KeystoneAPI completed + reason: Ready + status: "True" + type: OpenStackControlPlaneKeystoneAPIReady + - message: OpenStackControlPlane MariaDB completed + reason: Ready + status: "True" + type: OpenStackControlPlaneMariaDBReady + - message: OpenStackControlPlane 
Memcached completed + reason: Ready + status: "True" + type: OpenStackControlPlaneMemcachedReady + - message: OpenStackControlPlane Neutron completed + reason: Ready + status: "True" + type: OpenStackControlPlaneNeutronReady + - message: OpenStackControlPlane Nova completed + reason: Ready + status: "True" + type: OpenStackControlPlaneNovaReady + - message: OpenStackControlPlane OVN completed + reason: Ready + status: "True" + type: OpenStackControlPlaneOVNReady + - message: OpenStackControlPlane PlacementAPI completed + reason: Ready + status: "True" + type: OpenStackControlPlanePlacementAPIReady + - message: OpenStackControlPlane RabbitMQ completed + reason: Ready + status: "True" + type: OpenStackControlPlaneRabbitMQReady + - message: OpenStackControlPlane Swift completed + reason: Ready + status: "True" + type: OpenStackControlPlaneSwiftReady + - message: OpenStackControlPlane Telemetry completed + reason: Ready + status: "True" + type: OpenStackControlPlaneTelemetryReady diff --git a/tests/kuttl/tests/ctlplane-tls-cert-rotation/03-change-cert-duration.yaml b/tests/kuttl/tests/ctlplane-tls-cert-rotation/03-change-cert-duration.yaml new file mode 100644 index 000000000..c76a4806e --- /dev/null +++ b/tests/kuttl/tests/ctlplane-tls-cert-rotation/03-change-cert-duration.yaml @@ -0,0 +1,6 @@ +# Deploys with custom tls service certs and CA certs duration +apiVersion: kuttl.dev/v1beta1 +kind: TestStep +commands: + - script: | + oc kustomize ../../../../config/samples/tls/custom_duration | oc apply -n $NAMESPACE -f - diff --git a/tests/kuttl/tests/ctlplane-tls-cert-rotation/04-assert-service-cert-rotation.yaml b/tests/kuttl/tests/ctlplane-tls-cert-rotation/04-assert-service-cert-rotation.yaml new file mode 100644 index 000000000..35b4c4583 --- /dev/null +++ b/tests/kuttl/tests/ctlplane-tls-cert-rotation/04-assert-service-cert-rotation.yaml 
@@ -0,0 +1,11 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestAssert
+timeout: 900
+commands:
+ - script: |
+ echo "Get fingerprints of all service certs"
+ oc exec -i openstackclient -n $NAMESPACE -- bash -s < ../../common/osp_endpoint_fingerprints.sh > /tmp/endpoint_fingerprints_after
+
+ - script: |
+ echo "Check if all services from before are present in after and have valid fingerprints"
+ bash -s < ../../common/osp_check_fingerprints.sh
diff --git a/tests/kuttl/tests/ctlplane-tls-cert-rotation/05-cleanup.yaml b/tests/kuttl/tests/ctlplane-tls-cert-rotation/05-cleanup.yaml
new file mode 100644
index 000000000..6b4992512
--- /dev/null
+++ b/tests/kuttl/tests/ctlplane-tls-cert-rotation/05-cleanup.yaml
@@ -0,0 +1,13 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+delete:
+- apiVersion: core.openstack.org/v1beta1
+ kind: OpenStackControlPlane
+ name: openstack
+commands:
+- script: |
+ oc delete --ignore-not-found=true -n $NAMESPACE pvc \
+ srv-swift-storage-0
+ oc delete secret --ignore-not-found=true combined-ca-bundle -n $NAMESPACE
+ oc delete secret -l service-cert -n $NAMESPACE
+ oc delete secret -l ca-cert -n $NAMESPACE
diff --git a/tests/kuttl/tests/ctlplane-tls-cert-rotation/05-errors-cleanup.yaml b/tests/kuttl/tests/ctlplane-tls-cert-rotation/05-errors-cleanup.yaml
new file mode 120000
index 000000000..4d7b8362e
--- /dev/null
+++ b/tests/kuttl/tests/ctlplane-tls-cert-rotation/05-errors-cleanup.yaml
@@ -0,0 +1 @@
+../../common/errors_cleanup_openstack.yaml
\ No newline at end of file
diff --git a/tests/kuttl/tests/ctlplane-tls-custom-issuers/00-assert-custom-issuers.yaml b/tests/kuttl/tests/ctlplane-tls-custom-issuers/00-assert-custom-issuers.yaml
new file mode 100644
index 000000000..071d1eec8
--- /dev/null
+++ b/tests/kuttl/tests/ctlplane-tls-custom-issuers/00-assert-custom-issuers.yaml
@@ -0,0 +1,15 @@
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+ name: rootca-internal-custom
+spec:
+ ca:
+ secretName: rootca-internal-custom
+---
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+ name: rootca-ingress-custom
+spec:
+ ca:
+ secretName: rootca-ingress-custom
diff --git a/tests/kuttl/tests/ctlplane-tls-custom-issuers/00-deploy-custom-issuers.yaml b/tests/kuttl/tests/ctlplane-tls-custom-issuers/00-deploy-custom-issuers.yaml
new file mode 100644
index 000000000..7ddb06de7
--- /dev/null
+++ b/tests/kuttl/tests/ctlplane-tls-custom-issuers/00-deploy-custom-issuers.yaml
@@ -0,0 +1,6 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+ - script: |
+ oc apply -n $NAMESPACE -f ../../common/custom-internal-issuer.yaml
+ oc apply -n $NAMESPACE -f ../../common/custom-ingress-issuer.yaml
diff --git a/tests/kuttl/tests/ctlplane-tls-custom-issuers/01-assert-deploy-openstack.yaml b/tests/kuttl/tests/ctlplane-tls-custom-issuers/01-assert-deploy-openstack.yaml
new file mode 100644
index 000000000..e4ffd98cc
--- /dev/null
+++ b/tests/kuttl/tests/ctlplane-tls-custom-issuers/01-assert-deploy-openstack.yaml
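Review bot: The assert in 00-assert-custom-issuers.yaml only checks that the two Issuer objects exist with the expected `ca.secretName`, not that they can sign: if the secret named there is not populated yet (the CA bootstrap in custom-internal-issuer.yaml and custom-ingress-issuer.yaml is outside this chunk), the following deploy step starts against an unusable issuer and the failure only shows up later as a control-plane timeout. Adding `status.conditions` with `type: Ready` and `status: "True"` to each Issuer in this assert pins the precondition where it belongs; the same applies to 08-assert-custom-issuers.yaml, which is a copy of this file.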
@@ -0,0 +1,282 @@ +apiVersion: core.openstack.org/v1beta1 +kind: OpenStackControlPlane +metadata: + name: openstack +spec: + secret: osp-secret + keystone: + template: + databaseInstance: openstack + secret: osp-secret + galera: + enabled: true + templates: + openstack: + storageRequest: 500M + secret: osp-secret + replicas: 1 + openstack-cell1: + storageRequest: 500M + secret: osp-secret + replicas: 1 + rabbitmq: + templates: + rabbitmq: + replicas: 1 + rabbitmq-cell1: + replicas: 1 + memcached: + templates: + memcached: + replicas: 1 + placement: + template: + databaseInstance: openstack + secret: osp-secret + glance: + template: + databaseInstance: openstack + secret: osp-secret + glanceAPIs: + default: + replicas: 1 + storage: + storageRequest: 10G + cinder: + template: + databaseInstance: openstack + secret: osp-secret + cinderAPI: + replicas: 1 + cinderScheduler: + replicas: 1 + cinderBackup: + replicas: 0 # backend needs to be configured + cinderVolumes: + volume1: + replicas: 0 # backend needs to be configured + manila: + template: + manilaAPI: + replicas: 1 + manilaScheduler: + replicas: 1 + manilaShares: + share1: + replicas: 1 + ovn: + template: + ovnDBCluster: + ovndbcluster-nb: + replicas: 1 + dbType: NB + storageRequest: 10G + ovndbcluster-sb: + replicas: 1 + dbType: SB + storageRequest: 10G + ovnNorthd: + replicas: 1 + ovnController: + external-ids: + system-id: "random" + ovn-bridge: "br-int" + ovn-encap-type: "geneve" + neutron: + template: + databaseInstance: openstack + secret: osp-secret + horizon: + template: + replicas: 1 + secret: osp-secret + nova: + template: + secret: osp-secret + heat: + enabled: false + template: + databaseInstance: openstack + heatAPI: + replicas: 1 + heatEngine: + replicas: 1 + secret: osp-secret + octavia: + enabled: false + template: + databaseInstance: openstack + octaviaAPI: + replicas: 1 + secret: osp-secret + ironic: + enabled: false + template: + databaseInstance: openstack + ironicAPI: + replicas: 1 + 
ironicConductors: + - replicas: 1 + storageRequest: 10G + ironicInspector: + replicas: 1 + ironicNeutronAgent: + replicas: 1 + secret: osp-secret + telemetry: + enabled: true + template: + autoscaling: + aodh: + secret: osp-secret + serviceUser: aodh + ceilometer: + passwordSelector: + ceilometerService: CeilometerPassword + secret: osp-secret + serviceUser: ceilometer + swift: + enabled: true + template: + swiftRing: + ringReplicas: 1 + swiftStorage: + replicas: 1 + swiftProxy: + replicas: 1 + designate: + enabled: false + template: + databaseInstance: openstack + secret: osp-secret + designateAPI: + replicas: 1 + designateCentral: + replicas: 0 # backend needs to be configured + designateWorker: + replicas: 0 # backend needs to be configured + designateProducer: + replicas: 0 # backend needs to be configured + designateMdns: + replicas: 0 # backend needs to be configured + designateBackendbind9: + replicas: 0 # backend needs to be configured + barbican: + enabled: true + template: + databaseInstance: openstack + secret: osp-secret + barbicanAPI: + replicas: 1 + barbicanWorker: + replicas: 1 + barbicanKeystoneListener: + replicas: 1 + tls: + ingress: + enabled: true + ca: + customIssuer: rootca-ingress-custom + podLevel: + enabled: true + internal: + ca: + customIssuer: rootca-internal-custom +status: + conditions: + - message: Setup complete + reason: Ready + status: "True" + type: Ready + - message: OpenStackControlPlane Barbican completed + reason: Ready + status: "True" + type: OpenStackControlPlaneBarbicanReady + - message: OpenStackControlPlane CAs completed + reason: Ready + status: "True" + type: OpenStackControlPlaneCAReadyCondition + - message: OpenStackControlPlane Cinder completed + reason: Ready + status: "True" + type: OpenStackControlPlaneCinderReady + - message: OpenStackControlPlane Client completed + reason: Ready + status: "True" + type: OpenStackControlPlaneClientReady + - message: OpenStackControlPlane barbican service exposed + reason: Ready 
+ status: "True" + type: OpenStackControlPlaneExposeBarbicanReady + - message: OpenStackControlPlane cinder service exposed + reason: Ready + status: "True" + type: OpenStackControlPlaneExposeCinderReady + - message: OpenStackControlPlane glance service exposed + reason: Ready + status: "True" + type: OpenStackControlPlaneExposeGlanceReady + - message: OpenStackControlPlane keystone service exposed + reason: Ready + status: "True" + type: OpenStackControlPlaneExposeKeystoneAPIReady + - message: OpenStackControlPlane neutron service exposed + reason: Ready + status: "True" + type: OpenStackControlPlaneExposeNeutronReady + - message: OpenStackControlPlane nova service exposed + reason: Ready + status: "True" + type: OpenStackControlPlaneExposeNovaReady + - message: OpenStackControlPlane placement service exposed + reason: Ready + status: "True" + type: OpenStackControlPlaneExposePlacementAPIReady + - message: OpenStackControlPlane swift service exposed + reason: Ready + status: "True" + type: OpenStackControlPlaneExposeSwiftReady + - message: OpenStackControlPlane Glance completed + reason: Ready + status: "True" + type: OpenStackControlPlaneGlanceReady + - message: OpenStackControlPlane KeystoneAPI completed + reason: Ready + status: "True" + type: OpenStackControlPlaneKeystoneAPIReady + - message: OpenStackControlPlane MariaDB completed + reason: Ready + status: "True" + type: OpenStackControlPlaneMariaDBReady + - message: OpenStackControlPlane Memcached completed + reason: Ready + status: "True" + type: OpenStackControlPlaneMemcachedReady + - message: OpenStackControlPlane Neutron completed + reason: Ready + status: "True" + type: OpenStackControlPlaneNeutronReady + - message: OpenStackControlPlane Nova completed + reason: Ready + status: "True" + type: OpenStackControlPlaneNovaReady + - message: OpenStackControlPlane OVN completed + reason: Ready + status: "True" + type: OpenStackControlPlaneOVNReady + - message: OpenStackControlPlane PlacementAPI completed + 
reason: Ready + status: "True" + type: OpenStackControlPlanePlacementAPIReady + - message: OpenStackControlPlane RabbitMQ completed + reason: Ready + status: "True" + type: OpenStackControlPlaneRabbitMQReady + - message: OpenStackControlPlane Swift completed + reason: Ready + status: "True" + type: OpenStackControlPlaneSwiftReady + - message: OpenStackControlPlane Telemetry completed + reason: Ready + status: "True" + type: OpenStackControlPlaneTelemetryReady diff --git a/tests/kuttl/tests/ctlplane-tls-custom-issuers/01-deploy-openstack.yaml b/tests/kuttl/tests/ctlplane-tls-custom-issuers/01-deploy-openstack.yaml new file mode 100644 index 000000000..5a0acbebb --- /dev/null +++ b/tests/kuttl/tests/ctlplane-tls-custom-issuers/01-deploy-openstack.yaml @@ -0,0 +1,6 @@ +# Deploy with custom internal and ingress issuers +apiVersion: kuttl.dev/v1beta1 +kind: TestStep +commands: + - script: | + oc kustomize ../../../../config/samples/tls/custom_issuers | oc apply -n $NAMESPACE -f - diff --git a/tests/kuttl/tests/ctlplane-tls-custom-issuers/02-assert-service-certs-issuers.yaml b/tests/kuttl/tests/ctlplane-tls-custom-issuers/02-assert-service-certs-issuers.yaml new file mode 100644 index 000000000..ec986a033 --- /dev/null +++ b/tests/kuttl/tests/ctlplane-tls-custom-issuers/02-assert-service-certs-issuers.yaml @@ -0,0 +1,11 @@ +apiVersion: kuttl.dev/v1beta1 +kind: TestAssert +timeout: 60 +commands: + - script: | + echo "Checking issuer of internal certificates..." + oc exec -i openstackclient -n $NAMESPACE -- bash -s < ../../common/osp_check_cert_issuer.sh "issuer=CN=rootca-internal-custom" "internal" + + - script: | + echo "Checking issuer of ingress certificates..." + oc exec -i openstackclient -n $NAMESPACE -- bash -s < ../../common/osp_check_cert_issuer.sh "rootca-ingress-custom" "public" 
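Review bot: The two `osp_check_cert_issuer.sh` invocations in 02-assert-service-certs-issuers.yaml pass the expected issuer in different forms, `"issuer=CN=rootca-internal-custom"` for internal and the bare `"rootca-ingress-custom"` for public, which suggests the script matches a substring of the issuer line rather than the exact name (the script itself is not in this chunk). With substring matching, the default-issuer asserts in 04-assert-service-certs-default-issuers.yaml and 07-assert-service-certs-default-issuers.yaml, which pass `"issuer=CN=rootca-internal"`, would also accept a certificate still issued by `rootca-internal-custom`, so the switch back to the default issuer would not actually be verified. Passing the full expected CN in the same form in all four files and having the script compare it exactly (or anchor the match with a trailing delimiter) removes that ambiguity.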
diff --git a/tests/kuttl/tests/ctlplane-tls-custom-issuers/03-assert-deploy-openstack.yaml b/tests/kuttl/tests/ctlplane-tls-custom-issuers/03-assert-deploy-openstack.yaml
new file mode 120000
index 000000000..762a8cf31
--- /dev/null
+++ b/tests/kuttl/tests/ctlplane-tls-custom-issuers/03-assert-deploy-openstack.yaml
@@ -0,0 +1 @@
+../../common/assert-sample-deployment.yaml
\ No newline at end of file
diff --git a/tests/kuttl/tests/ctlplane-tls-custom-issuers/03-deploy-openstack.yaml b/tests/kuttl/tests/ctlplane-tls-custom-issuers/03-deploy-openstack.yaml
new file mode 100644
index 000000000..71ac2044c
--- /dev/null
+++ b/tests/kuttl/tests/ctlplane-tls-custom-issuers/03-deploy-openstack.yaml
@@ -0,0 +1,6 @@
+# Deploy with default internal and ingress issuers
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+ - script: |
+ oc kustomize ../../../../config/samples/base/openstackcontrolplane | oc apply -n $NAMESPACE -f -
diff --git a/tests/kuttl/tests/ctlplane-tls-custom-issuers/04-assert-service-certs-default-issuers.yaml b/tests/kuttl/tests/ctlplane-tls-custom-issuers/04-assert-service-certs-default-issuers.yaml
new file mode 100644
index 000000000..3228171eb
--- /dev/null
+++ b/tests/kuttl/tests/ctlplane-tls-custom-issuers/04-assert-service-certs-default-issuers.yaml
@@ -0,0 +1,15 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestAssert
+timeout: 500
+commands:
+ - script: |
+ echo "Waiting for OpenStack control plane to be ready..."
+ oc wait openstackcontrolplane -n $NAMESPACE --for=condition=Ready --timeout=400s -l core.openstack.org/openstackcontrolplane
+
+ - script: |
+ echo "Checking issuer of internal certificates..."
+ oc exec -i openstackclient -n $NAMESPACE -- bash -s < ../../common/osp_check_cert_issuer.sh "issuer=CN=rootca-internal" "internal"
+
+ - script: |
+ echo "Checking issuer of ingress certificates..."
+ oc exec -i openstackclient -n $NAMESPACE -- bash -s < ../../common/osp_check_cert_issuer.sh "rootca-public" "public"
diff --git a/tests/kuttl/tests/ctlplane-tls-custom-issuers/04-rotate-service-certs.yaml b/tests/kuttl/tests/ctlplane-tls-custom-issuers/04-rotate-service-certs.yaml
new file mode 100644
index 000000000..d0fc5e349
--- /dev/null
+++ b/tests/kuttl/tests/ctlplane-tls-custom-issuers/04-rotate-service-certs.yaml
@@ -0,0 +1,7 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+ - script: |
+ echo "Deleting secrets..."
+ oc get secret -l service-cert -n $NAMESPACE -o name > /tmp/deleted-secrets.txt
+ oc delete secret -l service-cert -n $NAMESPACE
diff --git a/tests/kuttl/tests/ctlplane-tls-custom-issuers/05-cleanup.yaml b/tests/kuttl/tests/ctlplane-tls-custom-issuers/05-cleanup.yaml
new file mode 100644
index 000000000..6b4992512
--- /dev/null
+++ b/tests/kuttl/tests/ctlplane-tls-custom-issuers/05-cleanup.yaml
@@ -0,0 +1,13 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+delete:
+- apiVersion: core.openstack.org/v1beta1
+ kind: OpenStackControlPlane
+ name: openstack
+commands:
+- script: |
+ oc delete --ignore-not-found=true -n $NAMESPACE pvc \
+ srv-swift-storage-0
+ oc delete secret --ignore-not-found=true combined-ca-bundle -n $NAMESPACE
+ oc delete secret -l service-cert -n $NAMESPACE
+ oc delete secret -l ca-cert -n $NAMESPACE
diff --git a/tests/kuttl/tests/ctlplane-tls-custom-issuers/05-errors-cleanup.yaml b/tests/kuttl/tests/ctlplane-tls-custom-issuers/05-errors-cleanup.yaml
new file mode 120000
index 000000000..4d7b8362e
--- /dev/null
+++ b/tests/kuttl/tests/ctlplane-tls-custom-issuers/05-errors-cleanup.yaml
@@ -0,0 +1 @@
+../../common/errors_cleanup_openstack.yaml
\ No newline at end of file
diff --git a/tests/kuttl/tests/ctlplane-tls-custom-issuers/06-assert-deploy-openstack.yaml b/tests/kuttl/tests/ctlplane-tls-custom-issuers/06-assert-deploy-openstack.yaml
new file mode 120000
index 000000000..762a8cf31
--- /dev/null
+++ b/tests/kuttl/tests/ctlplane-tls-custom-issuers/06-assert-deploy-openstack.yaml
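Review bot: `oc get secret -l service-cert … -o name > /tmp/deleted-secrets.txt` in 04-rotate-service-certs.yaml captures the secrets about to be deleted, but no step in this chunk reads that file, so it is either dead output or its consumer deserves a comment naming it next to the redirect. Since the following assert keys on `oc wait --for=condition=Ready` plus an issuer-string check, comparing the re-created `service-cert` secret names against this list would turn the recorded names into an actual assertion that every deleted secret was re-issued rather than merely that some certificate now carries the expected issuer.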
@@ -0,0 +1 @@
+../../common/assert-sample-deployment.yaml
\ No newline at end of file
diff --git a/tests/kuttl/tests/ctlplane-tls-custom-issuers/06-deploy-openstack.yaml b/tests/kuttl/tests/ctlplane-tls-custom-issuers/06-deploy-openstack.yaml
new file mode 100644
index 000000000..71ac2044c
--- /dev/null
+++ b/tests/kuttl/tests/ctlplane-tls-custom-issuers/06-deploy-openstack.yaml
@@ -0,0 +1,6 @@
+# Deploy with default internal and ingress issuers
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+ - script: |
+ oc kustomize ../../../../config/samples/base/openstackcontrolplane | oc apply -n $NAMESPACE -f -
diff --git a/tests/kuttl/tests/ctlplane-tls-custom-issuers/07-assert-service-certs-default-issuers.yaml b/tests/kuttl/tests/ctlplane-tls-custom-issuers/07-assert-service-certs-default-issuers.yaml
new file mode 100644
index 000000000..c663b6e54
--- /dev/null
+++ b/tests/kuttl/tests/ctlplane-tls-custom-issuers/07-assert-service-certs-default-issuers.yaml
@@ -0,0 +1,11 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestAssert
+timeout: 60
+commands:
+ - script: |
+ echo "Checking issuer of internal certificates..."
+ oc exec -i openstackclient -n $NAMESPACE -- bash -s < ../../common/osp_check_cert_issuer.sh "issuer=CN=rootca-internal" "internal"
+
+ - script: |
+ echo "Checking issuer of ingress certificates..."
+ oc exec -i openstackclient -n $NAMESPACE -- bash -s < ../../common/osp_check_cert_issuer.sh "rootca-public" "public"
diff --git a/tests/kuttl/tests/ctlplane-tls-custom-issuers/08-assert-custom-issuers.yaml b/tests/kuttl/tests/ctlplane-tls-custom-issuers/08-assert-custom-issuers.yaml
new file mode 100644
index 000000000..071d1eec8
--- /dev/null
+++ b/tests/kuttl/tests/ctlplane-tls-custom-issuers/08-assert-custom-issuers.yaml
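Review bot: After the service-cert secrets are deleted in step 04, 07-assert-service-certs-default-issuers.yaml only re-checks the issuer name, and that name is the same default issuer before and after the rotation, so this assert passes even if the certificates were never reissued or the pods still serve the old ones. Proving rotation needs a property that actually changes, for example comparing the certificate fingerprints captured before the deletion with the ones the endpoints serve now. The 60s `timeout` with no readiness wait also departs from the 500s plus `oc wait` pattern used in 04; if cert-manager or the pod restart takes longer, the step is flaky rather than informative.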
@@ -0,0 +1,15 @@
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+ name: rootca-internal-custom
+spec:
+ ca:
+ secretName: rootca-internal-custom
+---
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+ name: rootca-ingress-custom
+spec:
+ ca:
+ secretName: rootca-ingress-custom
diff --git a/tests/kuttl/tests/ctlplane-tls-custom-issuers/08-deploy-custom-issuers.yaml b/tests/kuttl/tests/ctlplane-tls-custom-issuers/08-deploy-custom-issuers.yaml
new file mode 100644
index 000000000..7ddb06de7
--- /dev/null
+++ b/tests/kuttl/tests/ctlplane-tls-custom-issuers/08-deploy-custom-issuers.yaml
@@ -0,0 +1,6 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+ - script: |
+ oc apply -n $NAMESPACE -f ../../common/custom-internal-issuer.yaml
+ oc apply -n $NAMESPACE -f ../../common/custom-ingress-issuer.yaml
diff --git a/tests/kuttl/tests/ctlplane-tls-custom-issuers/09-assert-deploy-openstack.yaml b/tests/kuttl/tests/ctlplane-tls-custom-issuers/09-assert-deploy-openstack.yaml
new file mode 100644
index 000000000..e4ffd98cc
--- /dev/null
+++ b/tests/kuttl/tests/ctlplane-tls-custom-issuers/09-assert-deploy-openstack.yaml
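Review bot: 08-assert-custom-issuers.yaml matches only the Issuer spec, so the step is satisfied the moment the objects exist, before cert-manager has located the referenced CA secrets; step 09 can then point the control plane at an issuer that is not yet able to sign, and the scenario spends its later timeout on that rather than on the behaviour under test. Adding the Ready condition to each Issuer makes the assert wait for a usable issuer: `status: {conditions: [{type: Ready, status: "True"}]}`. The CA secrets `rootca-internal-custom` and `rootca-ingress-custom` are referenced here but created by the common manifests applied in 08-deploy-custom-issuers.yaml, which are not in view.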
@@ -0,0 +1,282 @@
+apiVersion: core.openstack.org/v1beta1
+kind: OpenStackControlPlane
+metadata:
+ name: openstack
+spec:
+ secret: osp-secret
+ keystone:
+ template:
+ databaseInstance: openstack
+ secret: osp-secret
+ galera:
+ enabled: true
+ templates:
+ openstack:
+ storageRequest: 500M
+ secret: osp-secret
+ replicas: 1
+ openstack-cell1:
+ storageRequest: 500M
+ secret: osp-secret
+ replicas: 1
+ rabbitmq:
+ templates:
+ rabbitmq:
+ replicas: 1
+ rabbitmq-cell1:
+ replicas: 1
+ memcached:
+ templates:
+ memcached:
+ replicas: 1
+ placement:
+ template:
+ databaseInstance: openstack
+ secret: osp-secret
+ glance:
+ template:
+ databaseInstance: openstack
+ secret: osp-secret
+ glanceAPIs:
+ default:
+ replicas: 1
+ storage:
+ storageRequest: 10G
+ cinder:
+ template:
+ databaseInstance: openstack
+ secret: osp-secret
+ cinderAPI:
+ replicas: 1
+ cinderScheduler:
+ replicas: 1
+ cinderBackup:
+ replicas: 0 # backend needs to be configured
+ cinderVolumes:
+ volume1:
+ replicas: 0 # backend needs to be configured
+ manila:
+ template:
+ manilaAPI:
+ replicas: 1
+ manilaScheduler:
+ replicas: 1
+ manilaShares:
+ share1:
+ replicas: 1
+ ovn:
+ template:
+ ovnDBCluster:
+ ovndbcluster-nb:
+ replicas: 1
+ dbType: NB
+ storageRequest: 10G
+ ovndbcluster-sb:
+ replicas: 1
+ dbType: SB
+ storageRequest: 10G
+ ovnNorthd:
+ replicas: 1
+ ovnController:
+ external-ids:
+ system-id: "random"
+ ovn-bridge: "br-int"
+ ovn-encap-type: "geneve"
+ neutron:
+ template:
+ databaseInstance: openstack
+ secret: osp-secret
+ horizon:
+ template:
+ replicas: 1
+ secret: osp-secret
+ nova:
+ template:
+ secret: osp-secret
+ heat:
+ enabled: false
+ template:
+ databaseInstance: openstack
+ heatAPI:
+ replicas: 1
+ heatEngine:
+ replicas: 1
+ secret: osp-secret
+ octavia:
+ enabled: false
+ template:
+ databaseInstance: openstack
+ octaviaAPI:
+ replicas: 1
+ secret: osp-secret
+ ironic:
+ enabled: false
+ template:
+ databaseInstance: openstack
+ ironicAPI:
+ replicas: 1
+ ironicConductors:
+ - replicas: 1
+ storageRequest: 10G
+ ironicInspector:
+ replicas: 1
+ ironicNeutronAgent:
+ replicas: 1
+ secret: osp-secret
+ telemetry:
+ enabled: true
+ template:
+ autoscaling:
+ aodh:
+ secret: osp-secret
+ serviceUser: aodh
+ ceilometer:
+ passwordSelector:
+ ceilometerService: CeilometerPassword
+ secret: osp-secret
+ serviceUser: ceilometer
+ swift:
+ enabled: true
+ template:
+ swiftRing:
+ ringReplicas: 1
+ swiftStorage:
+ replicas: 1
+ swiftProxy:
+ replicas: 1
+ designate:
+ enabled: false
+ template:
+ databaseInstance: openstack
+ secret: osp-secret
+ designateAPI:
+ replicas: 1
+ designateCentral:
+ replicas: 0 # backend needs to be configured
+ designateWorker:
+ replicas: 0 # backend needs to be configured
+ designateProducer:
+ replicas: 0 # backend needs to be configured
+ designateMdns:
+ replicas: 0 # backend needs to be configured
+ designateBackendbind9:
+ replicas: 0 # backend needs to be configured
+ barbican:
+ enabled: true
+ template:
+ databaseInstance: openstack
+ secret: osp-secret
+ barbicanAPI:
+ replicas: 1
+ barbicanWorker:
+ replicas: 1
+ barbicanKeystoneListener:
+ replicas: 1
+ tls:
+ ingress:
+ enabled: true
+ ca:
+ customIssuer: rootca-ingress-custom
+ podLevel:
+ enabled: true
+ internal:
+ ca:
+ customIssuer: rootca-internal-custom
+status:
+ conditions:
+ - message: Setup complete
+ reason: Ready
+ status: "True"
+ type: Ready
+ - message: OpenStackControlPlane Barbican completed
+ reason: Ready
+ status: "True"
+ type: OpenStackControlPlaneBarbicanReady
+ - message: OpenStackControlPlane CAs completed
+ reason: Ready
+ status: "True"
+ type: OpenStackControlPlaneCAReadyCondition
+ - message: OpenStackControlPlane Cinder completed
+ reason: Ready
+ status: "True"
+ type: OpenStackControlPlaneCinderReady
+ - message: OpenStackControlPlane Client completed
+ reason: Ready
+ status: "True"
+ type: OpenStackControlPlaneClientReady
+ - message: OpenStackControlPlane barbican service exposed
+ reason: Ready
+ status: "True"
+ type: OpenStackControlPlaneExposeBarbicanReady
+ - message: OpenStackControlPlane cinder service exposed
+ reason: Ready
+ status: "True"
+ type: OpenStackControlPlaneExposeCinderReady
+ - message: OpenStackControlPlane glance service exposed
+ reason: Ready
+ status: "True"
+ type: OpenStackControlPlaneExposeGlanceReady
+ - message: OpenStackControlPlane keystone service exposed
+ reason: Ready
+ status: "True"
+ type: OpenStackControlPlaneExposeKeystoneAPIReady
+ - message: OpenStackControlPlane neutron service exposed
+ reason: Ready
+ status: "True"
+ type: OpenStackControlPlaneExposeNeutronReady
+ - message: OpenStackControlPlane nova service exposed
+ reason: Ready
+ status: "True"
+ type: OpenStackControlPlaneExposeNovaReady
+ - message: OpenStackControlPlane placement service exposed
+ reason: Ready
+ status: "True"
+ type: OpenStackControlPlaneExposePlacementAPIReady
+ - message: OpenStackControlPlane swift service exposed
+ reason: Ready
+ status: "True"
+ type: OpenStackControlPlaneExposeSwiftReady
+ - message: OpenStackControlPlane Glance completed
+ reason: Ready
+ status: "True"
+ type: OpenStackControlPlaneGlanceReady
+ - message: OpenStackControlPlane KeystoneAPI completed
+ reason: Ready
+ status: "True"
+ type: OpenStackControlPlaneKeystoneAPIReady
+ - message: OpenStackControlPlane MariaDB completed
+ reason: Ready
+ status: "True"
+ type: OpenStackControlPlaneMariaDBReady
+ - message: OpenStackControlPlane Memcached completed
+ reason: Ready
+ status: "True"
+ type: OpenStackControlPlaneMemcachedReady
+ - message: OpenStackControlPlane Neutron completed
+ reason: Ready
+ status: "True"
+ type: OpenStackControlPlaneNeutronReady
+ - message: OpenStackControlPlane Nova completed
+ reason: Ready
+ status: "True"
+ type: OpenStackControlPlaneNovaReady
+ - message: OpenStackControlPlane OVN completed
+ reason: Ready
+ status: "True"
+ type: OpenStackControlPlaneOVNReady
+ - message: OpenStackControlPlane PlacementAPI completed
+ reason: Ready
+ status: "True"
+ type: OpenStackControlPlanePlacementAPIReady
+ - message: OpenStackControlPlane RabbitMQ completed
+ reason: Ready
+ status: "True"
+ type: OpenStackControlPlaneRabbitMQReady
+ - message: OpenStackControlPlane Swift completed
+ reason: Ready
+ status: "True"
+ type: OpenStackControlPlaneSwiftReady
+ - message: OpenStackControlPlane Telemetry completed
+ reason: Ready
+ status: "True"
+ type: OpenStackControlPlaneTelemetryReady
diff --git a/tests/kuttl/tests/ctlplane-tls-custom-issuers/09-deploy-openstack.yaml b/tests/kuttl/tests/ctlplane-tls-custom-issuers/09-deploy-openstack.yaml
new file mode 100644
index 000000000..5a0acbebb
--- /dev/null
+++ b/tests/kuttl/tests/ctlplane-tls-custom-issuers/09-deploy-openstack.yaml
@@ -0,0 +1,6 @@
+# Deploy with custom internal and ingress issuers
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+ - script: |
+ oc kustomize ../../../../config/samples/tls/custom_issuers | oc apply -n $NAMESPACE -f -
diff --git a/tests/kuttl/tests/ctlplane-tls-custom-issuers/10-assert-service-certs-issuers.yaml b/tests/kuttl/tests/ctlplane-tls-custom-issuers/10-assert-service-certs-issuers.yaml
new file mode 100644
index 000000000..7327c8efa
--- /dev/null
+++ b/tests/kuttl/tests/ctlplane-tls-custom-issuers/10-assert-service-certs-issuers.yaml
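Review bot: 09-assert-deploy-openstack.yaml restates the entire control-plane spec although only the `tls` block near the end (`customIssuer: rootca-ingress-custom` and `customIssuer: rootca-internal-custom`) is what this scenario verifies, so any edit to the shared sample breaks this assert for reasons unrelated to issuers. A header comment such as `# Mirrors config/samples/tls/custom_issuers; only spec.tls differs from the base sample` would tell maintainers what has to stay in sync. Since a kuttl assert is a subset match, trimming the spec to the `tls` block plus the conditions would make the step less brittle without weakening what it proves.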
@@ -0,0 +1,15 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestAssert
+timeout: 500
+commands:
+ - script: |
+ echo "Waiting for OpenStack control plane to be ready..."
+ oc wait openstackcontrolplane -n $NAMESPACE --for=condition=Ready --timeout=400s -l core.openstack.org/openstackcontrolplane
+
+ - script: |
+ echo "Checking issuer of internal certificates..."
+ oc exec -i openstackclient -n $NAMESPACE -- bash -s < ../../common/osp_check_cert_issuer.sh "issuer=CN=rootca-internal-custom" "internal"
+
+ - script: |
+ echo "Checking issuer of ingress certificates..."
+ oc exec -i openstackclient -n $NAMESPACE -- bash -s < ../../common/osp_check_cert_issuer.sh "rootca-ingress-custom" "public"
diff --git a/tests/kuttl/tests/ctlplane-tls-custom-issuers/10-rotate-service-certs.yaml b/tests/kuttl/tests/ctlplane-tls-custom-issuers/10-rotate-service-certs.yaml
new file mode 100644
index 000000000..d0fc5e349
--- /dev/null
+++ b/tests/kuttl/tests/ctlplane-tls-custom-issuers/10-rotate-service-certs.yaml
@@ -0,0 +1,7 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+ - script: |
+ echo "Deleting secrets..."
+ oc get secret -l service-cert -n $NAMESPACE -o name > /tmp/deleted-secrets.txt
+ oc delete secret -l service-cert -n $NAMESPACE
diff --git a/tests/kuttl/tests/ctlplane-tls-custom-issuers/11-cleanup.yaml b/tests/kuttl/tests/ctlplane-tls-custom-issuers/11-cleanup.yaml
new file mode 100644
index 000000000..6fdd31ed9
--- /dev/null
+++ b/tests/kuttl/tests/ctlplane-tls-custom-issuers/11-cleanup.yaml
@@ -0,0 +1,14 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+delete:
+- apiVersion: core.openstack.org/v1beta1
+ kind: OpenStackControlPlane
+ name: openstack
+commands:
+- script: |
+ oc delete --ignore-not-found=true -n $NAMESPACE pvc \
+ srv-swift-storage-0
+ oc delete --ignore-not-found=true -n $NAMESPACE issuer rootca-internal-custom rootca-ingress-custom
+ oc delete secret --ignore-not-found=true combined-ca-bundle -n $NAMESPACE
+ oc delete secret -l service-cert -n $NAMESPACE
+ oc delete secret -l ca-cert -n $NAMESPACE
diff --git a/tests/kuttl/tests/ctlplane-tls-custom-issuers/11-errors-cleanup.yaml b/tests/kuttl/tests/ctlplane-tls-custom-issuers/11-errors-cleanup.yaml
new file mode 120000
index 000000000..4d7b8362e
--- /dev/null
+++ b/tests/kuttl/tests/ctlplane-tls-custom-issuers/11-errors-cleanup.yaml
@@ -0,0 +1 @@
+../../common/errors_cleanup_openstack.yaml
\ No newline at end of file
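Review bot: 11-cleanup.yaml removes the two custom Issuers but not the CA secrets they reference (`rootca-internal-custom`, `rootca-ingress-custom`); those are only swept up by `oc delete secret -l ca-cert` if the manifests that create them (custom-internal-issuer.yaml and custom-ingress-issuer.yaml, not in view) label them `ca-cert`, otherwise the private CA keys outlive the scenario in the namespace and can leak into the next run. Deleting them by name, `oc delete --ignore-not-found=true -n $NAMESPACE secret rootca-internal-custom rootca-ingress-custom`, makes the cleanup independent of how the secrets are labelled. The two label-selector deletes are also the only lines without `--ignore-not-found=true`; that is harmless for selectors but reads inconsistently next to the others.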