Commit Graph

87 Commits

Author SHA1 Message Date
Douglas Mendizábal 8f92d6f508 Update devstack plugin for Secure RBAC
This patch refactors the devstack plugin to separate the legacy (now
deprecated) RBAC settings from the Secure RBAC (new default) settings.

The legacy policies can still be deployed by setting
ENFORCE_SCOPE=False.

Change-Id: Idec818e43016402de0188cf5ade032a1aee638ff
2024-03-01 14:09:27 -05:00
Zuul 2316790cda Merge "Enable SRBAC test" 2024-01-31 06:10:42 +00:00
Takashi Kajinami d3445bd6ec Fix zuul config warning
This change resolves the following warning detected by zuul.

  All regular expressions must conform to RE2 syntax, but an
  expression using the deprecated Perl-style syntax has been detected.
  Adjust the configuration to conform to RE2 syntax.

  The RE2 syntax error is: invalid perl operator: (?!

Change-Id: I0c1be68030470b88dd4268d509e4c445667dc645
2023-11-25 20:46:17 +09:00
Stephen Finucane b35c41f6d1 Add job to test with SQLAlchemy master (2.x)
Change-Id: I1283c057d804aa12ea09dad2ca467d2287bf7384
Signed-off-by: Stephen Finucane <stephenfin@redhat.com>
2023-07-13 10:01:19 +01:00
Douglas Mendizábal 2b95fbdd44 Enable SRBAC test
The previous patch in this chain disables rbac to work around a chicken
and egg problem with updating the tempest tests.

This patch re-enables the SRBAC test.

Depends-On: I735cefe2b1cb4eb09c9770f0bdc738ffeee34f0e
Change-Id: I239c3e9980a1fff1cdc0e72f75e861ded8248857
2023-06-07 17:41:17 +00:00
Zuul 5a1b80f38a Merge "Remove System scope from policy" 2023-06-07 10:53:19 +00:00
Douglas Mendizábal 116a9045eb Remove System scope from policy
As specified in Phase 1 of the Consistent and Secure Default RBAC
goal [1] policies have been updated to remove "system" scope and
only use "project" scope in all policies.

APIs with policies that previously required "system" scope have been
updated to accept "project" scoped tokens with the "admin" role instead.

[1] https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#phase-1

Change-Id: I3b781112fc6ced7b73196f973cefd6a30ef99dd3
2023-06-05 15:03:06 -04:00
Douglas Mendizábal 3c1c30918d Make FIPS job non-voting
Temporarly prevent the FIPS job from voting to unblock the gate.

We'll need to revert back to voting once devstack is working under FIPS
again. [1]

[1] https://review.opendev.org/c/openstack/devstack/+/884277

Change-Id: I2f946125d447d960e96dfac4699c557288750c3c
2023-05-24 17:09:00 -04:00
Takashi Kajinami e8b9768881 Remove TripleO job
This job has actually attracted no interest and has been kept
experimental. Now TripleO project is being deprecated so we should
drop this unused job.

Change-Id: Ifab4ef02d8bf6d0713e70e225f32b1d51bd2a7ce
2023-03-14 14:28:51 +09:00
OpenStack Release Bot 08972d6a24 Switch to 2023.1 Python3 unit tests and generic template name
This is an automatically generated patch to ensure unit testing
is in place for all the of the tested runtimes for antelope. Also,
updating the template name to generic one.

See also the PTI in governance [1].

[1]: https://governance.openstack.org/tc/reference/project-testing-interface.html

Change-Id: I7c81e16652fbcc44eb4e1d42d89a8fb105cf774c
2022-09-26 15:24:53 +00:00
Douglas Mendizábal d8ffdf91e5 Fix Barbican gate
This patch fixes a zuul syntax error due to a deprecated definition that
was still in use in our configuration.

It also makes the grenade job non-voting as it is currently failing.  A
follow up patch will fix grenade and re-enable voting.

Change-Id: I271a3d50dba5f1c7c58c01838fa68b4c8adbd72c
2022-09-23 11:54:54 -04:00
Luigi Toscano 1ed258e940 zuul: fix the grenade job to actually test barbican
Add the required services and run a few barbican-specific tests
to validate the upgrade.

The grenade plugin contains a few settings which don't need to be
set anymore explicitly and they are not in the job configuration
(as devstack/upgrade/settings is not used anymore):
- all the image-related variables don't need to be overridden anymore,
  the default one from devstack should be used
- Image API v1 has been disabled since tempest 20.0

The job can be switched to voting again.

Change-Id: Id0682aea57d4d1fc49334f2dd11ef9a0ffb355fb
2022-08-23 01:32:26 +02:00
Zuul 1abd566686 Merge "Revert "Temporarily disable voting for FIPS job"" 2022-07-11 17:36:03 +00:00
Ade Lee aac3061fad Revert "Temporarily disable voting for FIPS job"
This reverts commit 57fb686b20.

Reason for revert: FIPS job working now
Depends-On: https://review.opendev.org/c/zuul/zuul-jobs/+/844704

Change-Id: I262ace1bb54192a9c998cf17a0dcd2b9fc7ae0a2
2022-06-04 16:38:32 +00:00
Takashi Kajinami 50c713769a Remove undercloud job
... because Barbican is no longer used in Undercloud.

Change-Id: I63747e39a7dbb7b328798054fa8f023bfbb535c7
2022-05-18 00:01:38 +09:00
Douglas Mendizábal 57fb686b20 Temporarily disable voting for FIPS job
The gate job barbican-tox-functional-fips is failing at the gate due to
a dependency issue when building the environment.  Specifically, it
appears that the package "liberasurecode-devel" fails to be found in the
CentOS 9 repositories.

This patch temporarily disables gate-voting for the FIPS job.  We should
be able to re-enable voting once this dependency issue is solved.

Change-Id: I9d8028454468f95bae405677dcd492fa2e52f93f
2022-05-09 12:45:55 -05:00
Douglas Mendizábal 935c7158b0 Replace TripleO CentOS 8 jobs with CentOS 9 jobs
The TripleO team has replaced their CentOS 8 jobs with CentOS 9.
Unfortunately, this broke our gate because we're still looking for the
CentOS 8 jobs.  This patch updates our jobs to use CentOS 9, which
should fix the gate.

Change-Id: Id54d0581dfc1426fea50302ea6b5b5ab217fe48d
2022-05-04 10:00:53 -05:00
OpenStack Release Bot a61bfdeb36 Add Python3 zed unit tests
This is an automatically generated patch to ensure unit testing
is in place for all the of the tested runtimes for zed.

See also the PTI in governance [1].

[1]: https://governance.openstack.org/tc/reference/project-testing-interface.html

Change-Id: I701083129c93255f21597bb20b843053e05175ab
2022-03-11 11:29:11 +00:00
Douglas Mendizábal 9dbd83138f Move DogTag functional tests to experimental
Temporarily moving the Dogtag test to the experimental pipeline.  The
tests has not passed in months and we won't be fixing it any time soon
so we should stop wasting resources.

Change-Id: Ie3fce8f4dda33d0eff166d1b1698f001f4d74e8f
2021-11-29 11:50:18 -06:00
Zuul 476a5b73e8 Merge "Run TripleO jobs on CentOS8 instead of CentOS7" 2021-09-17 16:15:09 +00:00
OpenStack Release Bot a2afbbf2ad Add Python3 yoga unit tests
This is an automatically generated patch to ensure unit testing
is in place for all the of the tested runtimes for yoga.

See also the PTI in governance [1].

[1]: https://governance.openstack.org/tc/reference/project-testing-interface.html

Change-Id: I5d3bf5fdef9a8e6c337909110829dfac83086599
2021-09-16 11:02:56 +00:00
Bhagyashri Shewale 1138643598 Run TripleO jobs on CentOS8 instead of CentOS7
As we are cleaning up the c7 jobs and obselete featuresets [1].
This change replaces usage of CentOS7 in TripleO jobs by CentOS8.

[1]: https://review.opendev.org/q/topic:%22cleanup_featuresets%22+(status:open%20OR%20status:merged)

Change-Id: I5795d58c58b04ed7283d9ba1aad7aa9364a5e475
2021-09-13 14:13:13 +05:30
Ade Lee 94a45c1ecd Add FIPS gate job
Add a new FIPS enabled gate job  This job will be
for Centos 8 with FIPS enabled, and will use a playbook in
zuul-jobs to enable FIPS.

The dogtag bindep dependencies are curently broken.  Lets
temporarily remove them here until we can figure out how to
fix them and thereby fix the dogtag gate.

Change-Id: Ibcd8cb6fc356e27266ba04cd972834dcd97c1a9b
Depends-On: https://review.opendev.org/c/zuul/zuul-jobs/+/788778
2021-06-10 17:59:07 -04:00
Mark Goddard 21661bebd9 Fix Vault functional test
It was previously using the wrong Devstack service name.

Change-Id: I52838cfe63d5a0b81757c278b9bfad516a442274
2021-04-16 21:01:08 +00:00
Zuul 5257006dd1 Merge "Add Python3 xena unit tests" 2021-04-13 14:16:31 +00:00
Douglas Mendizábal ced3e5c029 Add secure-rbac gate
Add the secure-rbac tempest tests as a new gate to barbican.  This
will help ensure that new patches don't break the default
secure-rbac policy.

Change-Id: I91d50aa08574a2f8aeaaa2bf431266ee74c79ae3
2021-04-01 11:04:05 -05:00
OpenStack Release Bot 2e8d7dec1f Add Python3 xena unit tests
This is an automatically generated patch to ensure unit testing
is in place for all the of the tested runtimes for xena.

See also the PTI in governance [1].

[1]: https://governance.openstack.org/tc/reference/project-testing-interface.html

Change-Id: I191fc8a2df82de74d0390688e3c1322de238e890
2021-03-26 10:16:00 +00:00
OpenStack Release Bot 0e041689d5 Add Python3 wallaby unit tests
This is an automatically generated patch to ensure unit testing
is in place for all the of the tested runtimes for wallaby.

See also the PTI in governance [1].

[1]: https://governance.openstack.org/tc/reference/project-testing-interface.html

Change-Id: I986636ecb50c35636fa60d8266b0a754f5ee950d
2020-09-28 17:36:18 +00:00
Douglas Mendizábal 9da15bf32a Rebase alembic migrations
This patch squashes all database migrations up to and including
the Ocata release into a single migration.

By squashing the migrations into a single one, we are able
to fix the migration issues in MySQL 8.0+.

There has only been one database migration since Ocata, which
was not changed, and any existing database will be compatible
with this change.

This patch also unblocks testing in Ubuntu Focal, which uses
MySQL 8.0 as its default database.

Change-Id: I66c4c5dc91ac3fe486784600d4f58ef4ddb8484c
Story: 2007732
Task: 39896
2020-09-23 14:00:58 -05:00
Ghanshyam Mann 06e8556966 Keep barbican functional jobs on Bionic
Till db migration issue is fixed
- https://storyboard.openstack.org/#!/story/2007732

Let's keep running the failing jobs on Bionic nodeset.

Change-Id: I7f9b0ed0322918748249884a6bb7d694cae65177
2020-09-21 17:11:07 -05:00
Jens Harbott a1f3b836e2 Fix dogtag functional job
Use the correct service name so that dogtag will actually get installed.

Drop the mozilla-nss-devel pkg which no longer exists for Fedora 31.

TODO: The job will still fail because devstack replaces the system
python3-six pkg with some updated version, but pkispawn runs with
"python3 -I" which ignores user-installed libs, causing it to fail
with a "Cannot import six" error.

Change-Id: I6cdab2d58f47650f296f8e79ee718647c3160142
2020-09-01 13:13:49 +00:00
Zuul 06e67d0b25 Merge "Stop setting USE_PYTHON3 for jobs" 2020-08-25 14:26:49 +00:00
Luigi Toscano 79f0f10118 zuul: switch to the new tempest native jobs
- re-enable the tempest jobs and use the version defined inside
  barbican-tempest-plugin;
- (temporarily) define compatibility alias based on the new jobs
  so that the users of the legacy ones are not broken.

Depends-On: https://review.opendev.org/745321
Change-Id: Ibcfe314eb7e8a132d68d5b139956246c54c509ad
2020-08-11 15:17:56 +02:00
Jens Harbott ab8011167c Stop setting USE_PYTHON3 for jobs
DevStack is now hardcoded to always use python3, so we can drop this
setting from the zuul config.

[0] Ieffda4edea9cc19484c04420ed703f7141ef9f15

Change-Id: If4292a649e2d61c2d1cb7e28cd7ee593d6a62d9c
2020-08-07 09:09:53 +00:00
OpenStack Release Bot 724f0125c2 Add Python3 victoria unit tests
This is an automatically generated patch to ensure unit testing
is in place for all the of the tested runtimes for victoria.

See also the PTI in governance [1].

[1]: https://governance.openstack.org/tc/reference/project-testing-interface.html

Change-Id: I04bf2ef61f93077d9bea86fb455a04ff75991b85
2020-05-08 14:19:57 +02:00
Andreas Jaeger e2f37f5e63 Remove install_cmd,lower-constraints
Move constraints into deps, remove install_cmd.

The default install_cmd is just fine to use.

Increase constraints since they are now finally tested, see
http://lists.openstack.org/pipermail/openstack-discuss/2020-April/014237.html
showed that they are broken. The lower-constraints job is optional,
remove it.

Change-Id: Ieda45ef624e0cd4e60216b740cc04aff0783e863
2020-04-30 15:22:29 +02:00
Douglas Mendizábal e32856016c Add undercloud-containers to gate
This patch adds a TripleO job to our gate to make sure
we don't break TripleO with API changes again.

Change-Id: Ic1088556c95ff122d422f06a9cfd0549303217eb
2020-04-28 04:04:07 +00:00
Douglas Mendizábal b8266ef402 Use Zuulv3 devstack jobs
This patch updates the gate jobs to stop using legacy
jobs and use the new Zuul v3 jobs instead.

The tempest tests will be re-enabled in a future patch.

Depends-On: I5d2bda5e653ee5d7c17cb7697247802916bdc5f7
Change-Id: Id91f44e8053cf4f40224959021d43736d5525107
2020-04-27 16:41:20 -05:00
Zuul c38513224e Merge "Gate on octavia-v2-dsvm-tls-barbican" 2020-01-10 23:55:19 +00:00
Ghanshyam Mann ab6898aa7f [ussuri][goal] Drop python 2.7 support and testing
OpenStack is dropping the py2.7 support in ussuri cycle.

Barbican is ready with python 3 and ok to drop the
python 2.7 support.

Complete discussion & schedule can be found in
- http://lists.openstack.org/pipermail/openstack-discuss/2019-October/010142.html
- https://etherpad.openstack.org/p/drop-python2-support

Ussuri Communtiy-wide goal:
https://governance.openstack.org/tc/goals/selected/ussuri/drop-py27.html

Depends-On: https://review.opendev.org/#/c/693631/
Change-Id: I77bf25fedb45433c7dbe655b4fd0c24dcf030549
2020-01-10 17:22:04 +00:00
Zuul 2d1e530adb Merge "Switch to Ussuri jobs" 2020-01-10 16:26:53 +00:00
Carlos Goncalves dc17878fd8 Gate on octavia-v2-dsvm-tls-barbican
At the Shanghai PTG, members of the Barbican and Octavia teams seemed to
agree that job octavia-v2-dsvm-tls-barbican could be made voting in both
projects. The job has proven to be quite stable over time [1].

The patch that make the job voting in Octavia is [2].

[1] http://zuul.openstack.org/builds?job_name=octavia-v2-dsvm-tls-barbican
[2] https://review.opendev.org/#/c/697644/

Change-Id: I56dd4b92ccb2545a9b46c743647af11aaa5c94f8
2019-12-06 10:36:59 +00:00
Zuul c40ef6f7d8 Merge "[train][goal] Define new barbican-simple-crypto-devstack-tempest-ipv6-only job" 2019-10-30 03:09:49 +00:00
pengyuesheng 103f1aadea Switch to Ussuri jobs
Change-Id: I3047ff560ccb2c5d8a7d1e2bf8a7f74edea7a891
2019-10-21 17:24:35 +08:00
Andreas Jaeger be537bb79c Don't use branch matching
This is not needed since we have implicit branch matches - and even
hurts since the master version is used on stable branches

Remove here - this ensures that future stable branches and master are
fine.

Change-Id: I24a46d0d7476203feccb1250d4ce3ad94b2e0ecd
2019-10-03 15:26:39 +00:00
Ghanshyam Mann 5967344c96 [train][goal] Define new barbican-simple-crypto-devstack-tempest-ipv6-only job
As part of Train community goal 'Support IPv6-Only Deployments and Testing'[1],
we need to define the integration job which deploy services
on IPv6 and perform testing to make sure service listen and communicate
over IPv6 properly.

Barbican has legacy zuul jobs only so base zuulv3 IPv6 job 'devstack-ipv6' and
'devstack-tempest-ipv6' cannot be used and we have to copy the whole
run.yaml to set the IPv6 setting and run the IPv6 verification
script via post_test_hook.

This commit adds the new job 'barbican-simple-crypto-devstack-tempest-ipv6-only'
run on gate and set the required IPv6 setting'.

Story: #2005477
Task: # 35881

[1] https://governance.openstack.org/tc/goals/train/ipv6-support-and-testing.html

Change-Id: I150df168225189dcad2e052f06f098f578151fbd
2019-10-03 14:51:11 +00:00
Brian Haley 2a6fc155d2 Start using the f29 nodeset
The dogtag pki python module has been moved to Python 3 in
Fedora 29.  This patch also fixes a few Python 3
compatibility issues in the DogTag backend plugin.

Unfortunately, there is a bug in the dogtag pki module
that must be fixed before the gate will pass. [1]

This patch temporarily makes the DogTag gate non-voting
to unblock the gate while we wait for a fix from the
DogTag maintainers.

[1] https://pagure.io/dogtagpki/issue/3108

Depends-on: https://review.opendev.org/#/c/662529/
Change-Id: Iaa7a535c410c726fa8e7346c2ef775fbaf58eb61
2019-09-18 12:15:53 -05:00
Zuul de74526dbe Merge "Add Python 3 Train unit tests" 2019-08-05 23:31:00 +00:00
Andreas Jaeger 24521ff21f Make broken job barbican-kmip-devstack-functional experimental
According to [1], the test barbican-kmip-devstack-functional last passed
on the queens branch - and fails on master since 2018-07-09. Mark it as
experimental so that it is not run by default and wastes cloud resources
since apparently nobody cares.

[1]
http://zuul.opendev.org/t/openstack/builds?job_name=barbican-kmip-devstack-functional&result=SUCCESS

Change-Id: Id87506c1cba701ec203bb898ea986a447d9a51d1
2019-08-05 19:04:00 +02:00
Corey Bryant 6982e9707f Add Python 3 Train unit tests
This is a mechanically generated patch to ensure unit testing is in place
for all of the Tested Runtimes for Train.

See the Train python3-updates goal document for details:
https://governance.openstack.org/tc/goals/train/python3-updates.html

Change-Id: If8e7d6fbb7730705432fb9cc0d5d7a8b06bbe6c1
Story: #2005924
Task: #34198
2019-08-05 16:04:50 +00:00