This patch refactors the devstack plugin to separate the legacy (now
deprecated) RBAC settings from the Secure RBAC (new default) settings.
The legacy policies can still be deployed by setting
ENFORCE_SCOPE=False.
Change-Id: Idec818e43016402de0188cf5ade032a1aee638ff
This change resolves the following warning detected by zuul.
All regular expressions must conform to RE2 syntax, but an
expression using the deprecated Perl-style syntax has been detected.
Adjust the configuration to conform to RE2 syntax.
The RE2 syntax error is: invalid perl operator: (?!
Change-Id: I0c1be68030470b88dd4268d509e4c445667dc645
The previous patch in this chain disables rbac to work around a chicken
and egg problem with updating the tempest tests.
This patch re-enables the SRBAC test.
Depends-On: I735cefe2b1cb4eb09c9770f0bdc738ffeee34f0e
Change-Id: I239c3e9980a1fff1cdc0e72f75e861ded8248857
As specified in Phase 1 of the Consistent and Secure Default RBAC
goal [1] policies have been updated to remove "system" scope and
only use "project" scope in all policies.
APIs with policies that previously required "system" scope have been
updated to accept "project" scoped tokens with the "admin" role instead.
[1] https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#phase-1
Change-Id: I3b781112fc6ced7b73196f973cefd6a30ef99dd3
Temporarily prevent the FIPS job from voting to unblock the gate.
We'll need to revert back to voting once devstack is working under FIPS
again. [1]
[1] https://review.opendev.org/c/openstack/devstack/+/884277
Change-Id: I2f946125d447d960e96dfac4699c557288750c3c
This job has actually attracted no interest and has been kept
experimental. Now TripleO project is being deprecated so we should
drop this unused job.
Change-Id: Ifab4ef02d8bf6d0713e70e225f32b1d51bd2a7ce
This is an automatically generated patch to ensure unit testing
is in place for all of the tested runtimes for antelope. Also,
updating the template name to generic one.
See also the PTI in governance [1].
[1]: https://governance.openstack.org/tc/reference/project-testing-interface.html
Change-Id: I7c81e16652fbcc44eb4e1d42d89a8fb105cf774c
This patch fixes a zuul syntax error due to a deprecated definition that
was still in use in our configuration.
It also makes the grenade job non-voting as it is currently failing. A
follow up patch will fix grenade and re-enable voting.
Change-Id: I271a3d50dba5f1c7c58c01838fa68b4c8adbd72c
Add the required services and run a few barbican-specific tests
to validate the upgrade.
The grenade plugin contains a few settings which don't need to be
set anymore explicitly and they are not in the job configuration
(as devstack/upgrade/settings is not used anymore):
- all the image-related variables don't need to be overridden anymore,
the default one from devstack should be used
- Image API v1 has been disabled since tempest 20.0
The job can be switched to voting again.
Change-Id: Id0682aea57d4d1fc49334f2dd11ef9a0ffb355fb
The gate job barbican-tox-functional-fips is failing at the gate due to
a dependency issue when building the environment. Specifically, it
appears that the package "liberasurecode-devel" fails to be found in the
CentOS 9 repositories.
This patch temporarily disables gate-voting for the FIPS job. We should
be able to re-enable voting once this dependency issue is solved.
Change-Id: I9d8028454468f95bae405677dcd492fa2e52f93f
The TripleO team has replaced their CentOS 8 jobs with CentOS 9.
Unfortunately, this broke our gate because we're still looking for the
CentOS 8 jobs. This patch updates our jobs to use CentOS 9, which
should fix the gate.
Change-Id: Id54d0581dfc1426fea50302ea6b5b5ab217fe48d
Temporarily moving the Dogtag test to the experimental pipeline. The
test has not passed in months and we won't be fixing it any time soon
so we should stop wasting resources.
Change-Id: Ie3fce8f4dda33d0eff166d1b1698f001f4d74e8f
Add a new FIPS enabled gate job. This job will be
for CentOS 8 with FIPS enabled, and will use a playbook in
zuul-jobs to enable FIPS.
The dogtag bindep dependencies are currently broken. Let's
temporarily remove them here until we can figure out how to
fix them and thereby fix the dogtag gate.
Change-Id: Ibcd8cb6fc356e27266ba04cd972834dcd97c1a9b
Depends-On: https://review.opendev.org/c/zuul/zuul-jobs/+/788778
Add the secure-rbac tempest tests as a new gate to barbican. This
will help ensure that new patches don't break the default
secure-rbac policy.
Change-Id: I91d50aa08574a2f8aeaaa2bf431266ee74c79ae3
This patch squashes all database migrations up to and including
the Ocata release into a single migration.
By squashing the migrations into a single one, we are able
to fix the migration issues in MySQL 8.0+.
There has only been one database migration since Ocata, which
was not changed, and any existing database will be compatible
with this change.
This patch also unblocks testing in Ubuntu Focal, which uses
MySQL 8.0 as its default database.
Change-Id: I66c4c5dc91ac3fe486784600d4f58ef4ddb8484c
Story: 2007732
Task: 39896
Use the correct service name so that dogtag will actually get installed.
Drop the mozilla-nss-devel pkg which no longer exists for Fedora 31.
TODO: The job will still fail because devstack replaces the system
python3-six pkg with some updated version, but pkispawn runs with
"python3 -I" which ignores user-installed libs, causing it to fail
with a "Cannot import six" error.
Change-Id: I6cdab2d58f47650f296f8e79ee718647c3160142
- re-enable the tempest jobs and use the version defined inside
barbican-tempest-plugin;
- (temporarily) define compatibility alias based on the new jobs
so that the users of the legacy ones are not broken.
Depends-On: https://review.opendev.org/745321
Change-Id: Ibcfe314eb7e8a132d68d5b139956246c54c509ad
DevStack is now hardcoded to always use python3, so we can drop this
setting from the zuul config.
[0] Ieffda4edea9cc19484c04420ed703f7141ef9f15
Change-Id: If4292a649e2d61c2d1cb7e28cd7ee593d6a62d9c
Move constraints into deps, remove install_cmd.
The default install_cmd is just fine to use.
Increase constraints since they are now finally tested, see
http://lists.openstack.org/pipermail/openstack-discuss/2020-April/014237.html
showed that they are broken. The lower-constraints job is optional,
remove it.
Change-Id: Ieda45ef624e0cd4e60216b740cc04aff0783e863
This patch adds a TripleO job to our gate to make sure
we don't break TripleO with API changes again.
Change-Id: Ic1088556c95ff122d422f06a9cfd0549303217eb
This patch updates the gate jobs to stop using legacy
jobs and use the new Zuul v3 jobs instead.
The tempest tests will be re-enabled in a future patch.
Depends-On: I5d2bda5e653ee5d7c17cb7697247802916bdc5f7
Change-Id: Id91f44e8053cf4f40224959021d43736d5525107
At the Shanghai PTG, members of the Barbican and Octavia teams seemed to
agree that job octavia-v2-dsvm-tls-barbican could be made voting in both
projects. The job has proven to be quite stable over time [1].
The patch that makes the job voting in Octavia is [2].
[1] http://zuul.openstack.org/builds?job_name=octavia-v2-dsvm-tls-barbican
[2] https://review.opendev.org/#/c/697644/
Change-Id: I56dd4b92ccb2545a9b46c743647af11aaa5c94f8
This is not needed since we have implicit branch matches - and even
hurts since the master version is used on stable branches
Remove here - this ensures that future stable branches and master are
fine.
Change-Id: I24a46d0d7476203feccb1250d4ce3ad94b2e0ecd
As part of Train community goal 'Support IPv6-Only Deployments and Testing'[1],
we need to define the integration job which deploys services
on IPv6 and performs testing to make sure services listen and communicate
over IPv6 properly.
Barbican has legacy zuul jobs only so base zuulv3 IPv6 job 'devstack-ipv6' and
'devstack-tempest-ipv6' cannot be used and we have to copy the whole
run.yaml to set the IPv6 setting and run the IPv6 verification
script via post_test_hook.
This commit adds the new job 'barbican-simple-crypto-devstack-tempest-ipv6-only'
run on gate and set the required IPv6 setting.
Story: #2005477
Task: # 35881
[1] https://governance.openstack.org/tc/goals/train/ipv6-support-and-testing.html
Change-Id: I150df168225189dcad2e052f06f098f578151fbd
The dogtag pki python module has been moved to Python 3 in
Fedora 29. This patch also fixes a few Python 3
compatibility issues in the DogTag backend plugin.
Unfortunately, there is a bug in the dogtag pki module
that must be fixed before the gate will pass. [1]
This patch temporarily makes the DogTag gate non-voting
to unblock the gate while we wait for a fix from the
DogTag maintainers.
[1] https://pagure.io/dogtagpki/issue/3108
Depends-on: https://review.opendev.org/#/c/662529/
Change-Id: Iaa7a535c410c726fa8e7346c2ef775fbaf58eb61
According to [1], the test barbican-kmip-devstack-functional last passed
on the queens branch - and fails on master since 2018-07-09. Mark it as
experimental so that it is not run by default and wastes cloud resources
since apparently nobody cares.
[1]
http://zuul.opendev.org/t/openstack/builds?job_name=barbican-kmip-devstack-functional&result=SUCCESS
Change-Id: Id87506c1cba701ec203bb898ea986a447d9a51d1