The OpenDev team is planning to remove OpenSUSE LEAP 15 images as our
node builds and mirrors are for 15.2 which is ancient and no one is
currently working to modernize these test environments. On top of that
LEAP is apparently going away in the future and will be replaced with
another distro.
Change-Id: Ia94b4e7151410515a3ecf99185042dae82bf1b7d
This patch updates system-scoped policies to also accept project-admin
tokens so that operators can continue to use the "admin" role to access
system level APIs.
The protection test job is marked non-voting since tempest does not yet
expect these policy changes. A follow-up patch will make it voting
again after the test changes have merged into tempest.
[1] https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#phase-1
Change-Id: I31b5a1f85d994a90578657bc77fa46ace0748582
This updates the keystone gates to the jammy nodesets rather than the
focal ones. Focal is no longer supported by devstack [1].
[1]: https://review.opendev.org/c/openstack/devstack/+/885468
Change-Id: I39045098111df839fba116d8b0fa7dd9dbbaa8ac
Add devstack testing setup for OIDC using an instance of keycloak
which is instantiated from a keycloak image. This is largely taken
from Kristi's work in https://github.com/knikolla/devstack-plugin-oidc
This configuration is triggered by enabling the devstack service
keystone-oidc-federation. The expectation is that either SAML2 or
OIDC is enabled, but not both.
Depends-On: https://review.opendev.org/c/openstack/keystone-tempest-plugin/+/864571
Co-Authored-By: David Wilde <dwilde@redhat.com>
Change-Id: I1ff4d48c05cef1022dc510df03104f36cdd7a953
This updated the Python jobs and fixes the following error with tox 4:
tox.tox_env.errors.Fail: pass_env values cannot contain whitespace, use
comma to have multiple values in a single line, invalid values found
'http_proxy HTTP_PROXY https_proxy HTTPS_PROXY no_proxy NO_PROXY
PBR_VERSION'PROXY PBR_VERSION'
Change-Id: I003723766b1dba7f54c9800364207191597c6741
Testing a new FIPS enabled gate job here. This job will be
for Centos 8 with FIPS enabled. This will use a playbook in
the zuul-jobs repo to enable FIPS.
Depends-On: https://review.opendev.org/c/zuul/zuul-jobs/+/788778
Change-Id: I3187971a14b38c7ca3bb64bdd3d18c64709c466f
This commit introduces a new check and gate job for keystone to use the
functional RBAC tests in keystone-tempest-plugin.
These tests were derived from keystone's original protection tests, but
they use tempest and they're re-useable for people looking to validate
secure RBAC functionality in their own deployments.
Depends-On: https://review.opendev.org/#/c/686305/
Change-Id: I813cff07c20fcba1aaec6a5e68014a2a9eb9462e
l-c job template moved the l-c jobs running on Focal
and currently fails on many constraints.
Let's keep running l-c job on bionic as it was before and we
can move it to Focal once issues are identified and fixed.
- Fixing the hacking tests which are behaving differently between
< 3.8.0 (until Ubuntu Bionic) and 3.8.2 (Ubuntu Focal).
Squashing below review also
- https://review.opendev.org/#/c/750786/
Co-Author: Lance Bragstad <lbragstad@gmail.com>
Change-Id: If733e9824d87d8c73797f753e4daf95489bed9c2
It implements the same behavior of the old one.
It is worth noting that the existing job the MULTI_KEYSTONE does not
produce any effect because this change hasn't been merged yet:
- https://review.opendev.org/399472
and when that merges, the following devstack-gate changes should be
applied directly to this new job definition instead:
- https://review.opendev.org/394895
Both changes are out of scope for this porting.
Change-Id: I5d5d31c8d89b0d2812a5e9be18a81611041e6da8
The integrated gate template (integrated-gate-py3) has been switched
to the new grenade name (grenade-py3 -> grenade). This repo uses the
template but also has for irrelevant files an extra entry.
Rename the job following the template change to avoid duplicate
grenade runs.
Details:
- http://lists.openstack.org/pipermail/openstack-discuss/2020-May/014602.html
Depends-On: https://review.opendev.org/725148
Change-Id: I52ebbcae0d77c0420848a37babc73bb75dd58e0b
Ensure that Zuul publishes both the shibboleth config and the shibboleth
logs in the job artifacts so that we can debug issues with the SAML SP.
Change-Id: I53f844fae775d9b30d9b7f867bac0ed873b86bc7
This patch [1] doesn't remove tempest-full fully from the gate
jobs. It is a follow-up for the same.
[1] https://review.opendev.org/#/c/688601
Change-Id: I312a1a23b6cd11cbdec3fd58598f446f0e423071
This job is still running python 2.7. As we are dropping py2 support in
Ussuri cycle, lets drop this job now.
There is same job called "grenade-py3" which runs on python 3 already
and this is still used in project's CI.
Change-Id: Ie0faac1119c6d2bfea221ba60e26e67b6205909e
With the addition of K2K-specific tests in the tempest plugin and a
config toggle in the plugin to disable use of the external IdP, we can
safely add a voting federation job. This also fixes the devstack plugin
to install the xmlsec1 tool which is needed for K2K.
Change-Id: I9dc634e073657ff337751ec67363a57bd10e20d4
Depends-on: https://review.opendev.org/689222
opensuse-150 nodeset is referring to openSUSE 15.0, which is still in
maintenance but openSUSE 15.1 has been released already. "opensuse-15"
is going to refer to the "latest openSUSE 15.x" build released and
working for OpenStack going forward, so add this nodeset and use
it by default going forward.
The new job tempest-full-py3-opensuse15 use the opensuse-15 nodeset,
change tempest-full-py3-opensuse150 to tempest-full-py3-opensuse15.
Change-Id: I03017b6595199e4af2f6e568ab58089517d689fe
With the protection tests split out, the regular unit tests mostly
shouldn't reach the 40 minute timeout limit unless they are extremely
unlucky, so remove those overrides.
The protection tests themselves are still extremely expensive even when
split out from the rest of the tests, so bump their timeout to an hour.
Change-Id: I247478f998d7fb84c486cc04a3040517721e0dd3
There are so many protection tests now, and for the moment they are so
inefficient, that running them all as part of our main unit test suite
for py27, py36, py37, and cover jobs yields a high rate of timeouts
which reduces our own development velocity and negatively impacts every
project that co-gates with keystone. This change splits the protection
tests into their own level of tests outside of the configured stestr
test_path and adds a separate tox environment and zuul job to run just
the protection tests on their own. Parallelizing these tests should help
alleviate the timeout issue while we work on making these tests more
efficient.
Change-Id: Ibb12053bd6864a153f7e3998dbd008b6eec4295b
With the gate being extra-busy due to feature freeze week, we seem to be
having even more of a noisy neighbor problem and jobs are still often
hitting the 60 minute timeout. This change increases the timeout from 60
to 90 minutes. This is not an indication that things are normal and fine
but should hopefully alleviate pressure until we're in a position to
merge a more satisfactory workaround and fix.
Change-Id: I171eccc2dd46c26ada74def36523c6f7f29be868
Change I90cbfdaad582900f3047acffbfcdd3189335ffbf added a timeout for
lower-constraints only to check queue but missed gate, add it there.
Change I0b9e0fbbd1760fe2d55935592f4349f337801209 added tox-cover to gate
but it is never run in gate, see
https://opendev.org/openstack/openstack-zuul-jobs/src/branch/master/zuul.d/project-templates.yaml#L416
Remove it again.
Change-Id: I78eaa450cdb7a84d9a81e2354a97617681babc40
In ba0dbdf we raised the timeouts for most of the tox jobs but neglected
the lower-constraints job which suffers the same timeout issues, so add
that one as well.
Change-Id: I213d6f91a815ba0dad5f5a04a5f0309722c91f62
Currently our unit tests frequently hit the 40 minute timeout due to the
inefficiency of the protection unit tests. As a temporary workaround,
this change overrides the zuul tox jobs with a 60 minute timeout.
Overriding the values of jobs that are defined elsewhere in a project
template isn't exactly documented but it supposedly works[1].
[1] http://eavesdrop.openstack.org/irclogs/%23openstack-infra/%23openstack-infra.2019-09-06.log.html#t2019-09-06T23:35:57
Change-Id: I0b9e0fbbd1760fe2d55935592f4349f337801209
The devstack opensuse-150 nodeset went away[1] which is causing package
repo issues on the federation jobs. Update the nodeset to fix the jobs.
[1] https://review.opendev.org/667539
Change-Id: Icda90e0598383db0931a34dcede7fb4736fe195d
As part of Train community goal 'Support IPv6-Only Deployments and Testing'[1],
Tempest has defined the new job 'tempest-ipv6-only'(adding
in Depends-On patch) which will deploy services on IPv6 and run smoke
tests and IPv6 related tests present in Tempest.
This job will be part of Nova, Neutron, Cinder, Keystone, Glance, Swift
gate.
Verification structure will be:
- 'devstack-IPv6' deploy the service on IPv6
- 'devstack-tempest-ipv6' run will verify the IPv6-only setting and listen address
- 'tempest-ipv6-only' will run the smoke + IPv6 related test case.
This commit adds the new job 'tempest-ipv6-only' run on gate.
Story: #2005477
Task: #35898
Depends-On: https://review.opendev.org/#/c/671231/
[1] https://governance.openstack.org/tc/goals/train/ipv6-support-and-testing.html
Change-Id: I3aff9bf8e23e7c04119c6cd91f1ee3ce6add8eb0
This goal is to implement the process set out in the 2018-10-24 Python
Update Process TC resolution[1], for the Train cycle to ensure unit
testing is in place for all of the Tested Runtimes for Train[2].
In practice, this generally means adding unit tests for Python 3.7 and dropping
unit tests for Python 3.5. Using the Zuul template for Train will ensure that
all projects that support Python3 will be tested against the agreed runtime
versions, and make it easier to update them in future.
[1]https://governance.openstack.org/tc/resolutions/20181024-python-update-process.html
[2]https://governance.openstack.org/tc/reference/runtimes/train.html
Change-Id: Ied3c0fab32caf39cc34d9ce5d65551241c782f7b
Depends-On: https://review.opendev.org/#/c/641878/