This patch removes the hard-coded 'key-manager:service-admin' role from
the base test class because the role is not available in deployments
with the new Secure RBAC policies enabled.
There is only one test that still requires this role in the API quotas
tests, so we generate a dynamic user there and only use it in this
class. This test is skipped when SRBAC is enabled.
Change-Id: I6fbfe43f821d9315e01d3bdfd6f5d4edf4e552b7
stable/yoga and older branches are no longer supported by current
tempest so remove tests for these branches from gate.
Also fix the missing 2023.2 branch job.
Change-Id: I2feca9dba2e42e113277d5bca96188db092d098a
Tempest and a few other plugins such as manila-tempest-plugin registers
the option to enable scope enforcement tests in the [enforce_scope]
option. This renames the option so that this plugin follows that
standard.
Change-Id: Ibd6962947c64f04ff1948a19c4afe9f26d0b47bb
There is an issue with multiple secret stores which is being tracked in
this launchpad [1]. This issue is blocking patches in
barbican-tempest-plugin. Let's remove the testing for multiple secret
stores until the bug gets resolved.
There was also an update of the secret:delete and secret:get policies
[2]. This patch updates the corresponding SRBAC tests so that we test
the policies correctly.
[1] https://bugs.launchpad.net/barbican/+bug/2043457
[2] https://review.opendev.org/c/openstack/barbican/+/884181
Related-Bug: #2043457
Change-Id: I86335a1cb54b6aa2f74e148416ef6af7c27fff61
Let's pin barbican-tempest-plugin for jobs that run code from branches in extended maintenance.
This change is required because these jobs install older version of tempest that does not contain all functions consumed by master barbicna-tempest-plugin.
Change-Id: Ia4a30d12de1a58b93a06979188e662edeef21ec6
As 2023.1 is released, we should add its job on master
gate to keep branchless tempest plugins compatible
to stable branch.
Ref: Tempest plugins guide for stable branch testing:
- https://docs.openstack.org/tempest/latest/stable_branch_testing_policy.html
Change-Id: I59f29bcbf667f6598b00022eff4088ed324f1610
The test_get_effective_quotas test uses key-manager:service-admin
legacy role to get the effective quotas. Using a user with only this
role should lead to an ERROR in an SRBAC environment.
This patch changes the test so that it checks whether the ERROR
occurred when the test tried to get quotas in SRBAC environment.
Also, auth.tempest_roles = member was removed from tempest.conf
as it is not necessary and causes a failure of the modified
test and it might cause unwanted problems in the future.
Change-Id: Ib106f5e760d3a5253968e2fe13ec576107a98c74
This patch enables test_secret_stores tests in the SRBAC job. The tests
were previously fixed in this patch [1].
This change builds on the fix. It modifies the configuration of
the SRBAC job so that it is deployed with enabled multiple secret
stores.
[1] https://review.opendev.org/c/openstack/barbican-tempest-plugin/+/883482
Change-Id: I60305a35528fd16ac4e995d11d6d0999a6440e44
As zed is released, we should add its job on master
gate to keep branchless tempest plugins compatible
to stable branch.
Ref: Tempest plugins guide for stable branch testing:
- https://docs.openstack.org/tempest/latest/stable_branch_testing_policy.html
Change-Id: Ia20cec2a500943a7f954c34614102c4d17a01c34
In 2023.1 cycle. we are moving the default distro
version of Ubuntu to Jammy (22.04)[1] so we need to pin
the nodeset for stable branch job in master gate so that
they continue run on their supporting distro version which is
Ubuntu Focal since stable/victoria.
[1] https://governance.openstack.org/tc/goals/selected/migrate-ci-jobs-to-ubuntu-jammy.html
Change-Id: I7c9c57d2ca1d3d6536b24f29c89b465059a3cec4
This patch adds the missing train, ussuri, and victoria jobs to the zuul
config. This should help fix the gates for those stable banches which
are currently failing because they are attempting to test newer APIs
(e.g. Secret Consumers)
Change-Id: I34753317a8a80656a460c2fc6104fd2c9827f838
With 1.1 coming in zed, we need to version the old jobs to prevent
1.1 tests (secret consumers) being run and failing on old branches.
Change-Id: Iae1dfea83a6584a95fb73488ad0ba988ded371ca
The "member" role is needed by the scenario tests to create secrets when
Secure RBAC is enabled i.e. enable_scope=True
Change-Id: I16ed904eeb27ab7110a7e4e56ef7ea89c8c3c2ab
We have stable/yoga released and stable/ussuri is in
'Extended Maintenance' state. Current 'Maintained'
stable branches are yoga, xena, wallaby, and victoria.
As per tempest stable branch testing policy[1], adding the
newly released stable/yoga job and remove the EM stable/ussuri
and stable/victoria job.
[1] https://docs.openstack.org/tempest/latest/stable_branch_testing_policy.html
Change-Id: I9df1b691a9d142997a3d3ee5e115187c0923e85d
There was an issue with s-rbac and tempest when isolated networks
were enabled in tempest.conf.
This is no longer an issue as test that were failing with
create_isolated_networks=true and s-rbac enabled are now
passing successfully.
Change-Id: Iae8eac5dffe3c5d15e38a6acd69f2bad95f3f238
We have stable/xena released so we should add
their job on master gate to keep branchless tempest
plugins compatible to stable branch.
This also removes the stable/train job as that is in EM
state now.
Ref: Tempest plugins guide for stable branch testing:
- https://docs.openstack.org/tempest/latest/stable_branch_testing_policy.html
Change-Id: I7d69623c23e2337dde320bcab81f6a0f5c10b289
Ensure that the Barbican service is configured to use scoped
tokens when checking RBAC policy.
Depends-On: Id399d2220118efe1033426c658d1834cbff02f94
Change-Id: Id7aa02ea4862242fa34140166d634f30af721c22
Stable/wallaby is released so we should add
their job on master gate to keep branchless tempest
plugins compatible to stable branch.
Ref: Tempest plugins guide for stable branch testing:
- https://docs.openstack.org/tempest/latest/stable_branch_testing_policy.html
Change-Id: I3e8534fdc91a9e94fa82ce6504f36f3d0b5aed6c
This patch adds a gate to test the new secure-rbac policy.
Currently, Tempest is unable to create system admin credentials
when the isolated networks option is set to true, so we disable
that option for this gate.
This patch also includes fixes needed to get the existing tests
to pass, as well as some skips for scenario tests that require
isolated networks.
We should be able to remove the skips once Tempest is fixed to
work with system admin.
Depends-On: I584f7b67f2f95caa7c4db3d9d9222d0a9d38442d
Change-Id: I0129ab6d15bc42d98a19e3551b8d009f9ad05e10
As per victoria cycle testing runtime and community goal
we need to migrate upstream CI/CD to Ubuntu Focal(20.04).
Tempest based jobs are migrated automatically via devstack
base job start running on Focal but stable jobs testing stable
branch needs to keep running on their supported
distro version which is bionic from train till ussuri.
Also, remove stein support (removed from tempest)
and add a job for victoria.
Change-Id: I3d792925e81172ae8abe75c5ceb2d5a039fc84f7
Story: #2007865
Task: #40184
The repo is Python 3 now, so update hacking to version 3.0 which
supports Python 3.
Fix problems found.
Change-Id: Ia59a23a36ebb8548a20e894000f7342c73012eac
Define here the barbican tempest plugin which rely on
barbican-tempest-plugin, following the common patterns:
- follow the rules for naming (repository name as prefix,
remove some redundant details);
- define branch-specific jobs from the most basic job
to catch regressions against older branches;
- remove barbican-simple-crypto-devstack-tempest-py35,
long gone, from the experimental queue.
Change-Id: I106addbe99b1bd4ed72ab07aba16031067503483
This is a mechanically generated patch to complete step 1 of moving
the zuul job settings out of project-config and into each project
repository.
Because there will be a separate patch on each branch, the branch
specifiers for branch-specific jobs have been removed.
Because this patch is generated by a script, there may be some
cosmetic changes to the layout of the YAML file(s) as the contents are
normalized.
See the python3-first goal document for details:
https://governance.openstack.org/tc/goals/stein/python3-first.html
Change-Id: I145f449d42c0d9a9102ae5216dde4d75d9c37855
Story: #2002586
Task: #24285
Zuul no longer requires the project-name for in-repo configuration.
Omitting it makes forking or renaming projects easier.
Change-Id: Idc5de89c7b7504d067a19c35e41d0c3a0fee24c8
Add barbican jobs, these are all defined in barbican repository and thus
can be reused here.
Change-Id: Ifdd003c43f506cc837876149147cc5aa0241b9ca
Needed-By: I254d891ec32c7c3dee7e5fd5ced1823d9b2952f8