There has been a direction change in the "secure-RBAC" goal and scoped
tokens are no longer being implemented[1].
The Octavia tempest tests were updated for the new keystone roles and
scoped tokens at the same time with a (bad) assumption that they would be
turned on at the same time.
This patch updates the Octavia tempest plugin to not assume that scoped
tokens are in use when the RBAC type is set to keystone_default_roles.
[1] https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#direction-change
Depends-On: https://review.opendev.org/c/openstack/octavia/+/877433
Change-Id: Ia1c4ca0b675d39bd43640184d6d3deba823fd3f6
Some services are enabling "new defaults" RBAC by default. This will require all non-admin users to have either the "member" or "reader" role. This patch updates the Octavia tempest plugin to include the "member" role in test credentials when the tempest plugin is configured for "RBAC_test_type" other than owner-or-admin.
Change-Id: I8aadb98d438943b18a8d72ff54e216930cfd3ccc
Not in every cloud does tempest have permissions to list the
role assignments. Since it is not critical for running the tests,
the logging of the user roles should be configurable.
Change-Id: I8aea2b597b9dd9bbdc5a1527fae03e86364aab4c
This patch adds a pool client authentication scenario test that uses
test servers that require client authentication.
Change-Id: Id5b200954cdf02280d31ed910012a1591a2d2697
Add octavia-v2-dsvm-scenario-centos-9-stream
Add extra args to the "scp" command to authorize the pubkey exchange
with a cirros VM.
Detect the openssh client version to enable the use of the SCP protocol
(starting with openssh 8.7, the SFTP protocol is the default protocol
with scp, SFTP is not supported by Cirros) when sending files to the
cirros VM.
Depends-On: https://review.opendev.org/828189
Change-Id: I689a50e6762fd22e1aaec8aa84ff5b075ff5bd45
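The version check described in the commit message above, as an added example (not the plugin's own code): it parses the `ssh -V` banner and adds scp's `-O` (legacy SCP protocol) flag only for clients at or above the 8.7 threshold the message names. The function names, the sample banners, the key path and the addresses are constructed for illustration; the extra pubkey-related arguments the commit mentions are not shown on the page and are left out.

```python
import re
import subprocess

# Threshold taken from the commit message: scp defaults to SFTP from 8.7 on.
SFTP_DEFAULT_SINCE = (8, 7)


def parse_openssh_version(banner):
    """Return (major, minor) from `ssh -V` output, or None if unrecognised."""
    match = re.search(r"OpenSSH_(\d+)\.(\d+)", banner)
    if match is None:
        return None
    # Integers, not strings: "8.10" must compare as newer than "8.7".
    return int(match.group(1)), int(match.group(2))


def local_openssh_version():
    """Ask the local client for its version; `ssh -V` prints to stderr."""
    try:
        proc = subprocess.run(["ssh", "-V"], capture_output=True,
                              text=True, timeout=10)
    except (OSError, subprocess.SubprocessError):
        return None
    return parse_openssh_version(proc.stderr + proc.stdout)


def build_scp_command(version, key_path, source, destination):
    """Build the scp argv, forcing the legacy protocol where needed."""
    cmd = ["scp", "-i", key_path]
    # Older clients reject -O as an unknown option, so an undetected
    # version is treated like an old one and the flag is left out.
    if version is not None and version >= SFTP_DEFAULT_SINCE:
        cmd.append("-O")
    return cmd + [source, destination]


# Constructed sample banners, not captured from real hosts.
SAMPLE_BANNERS = [
    "OpenSSH_7.4p1, OpenSSL 1.0.2k-fips  26 Jan 2017",
    "OpenSSH_8.7p1, OpenSSL 3.0.1 14 Dec 2021",
    "OpenSSH_8.10p1, OpenSSL 3.0.1 14 Dec 2021",
]

if __name__ == "__main__":
    for banner in SAMPLE_BANNERS:
        version = parse_openssh_version(banner)
        print(version, build_scp_command(
            version, "/tmp/example_key", "test_server.bin",
            "cirros@192.0.2.10:/dev/shm/test_server.bin"))
```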
This is a follow-up commit for 'Add type to allow ECDSA keys'
(I34ac429ab5442cef056ee8b63fcb2ba41e8b9b27), this commit allows
using octavia-tempest-plugin with older tempest releases
(ex: in our jobs on stable/train).
It catches the exception if [validation].ssh_key_type is not
supported and doesn't pass the ssh_key_type argument to tempest
functions.
Change-Id: I5c2db87975803b30ea230c3bbf5dab4b96da4614
Some tempest tests will fail under FIPS because they are trying to
ssh to a cirros instance that has a version of dropbear that does
not support signatures other than using SHA-1 for RSA keys. This
is not allowed under FIPS. The workaround until cirros is updated
is to use ECDSA keys. This patch allows the key type to be
specified.
Depends-On: https://review.opendev.org/c/openstack/tempest/+/807465
Change-Id: I34ac429ab5442cef056ee8b63fcb2ba41e8b9b27
All the load balancer service clients are registered via the plugin interface[1],
that way Tempest registers and creates the lazy initialization of registered clients
so that they can be accessed from there in a consistent way.
But octavia-tempest-client creates a separate instance of those and accesses it instead of
accessing the registered service client in Tempest. This commit makes all the service clients
accessed from the Tempest registry and removes the separate objects.
[1] cac3eefc44/octavia_tempest_plugin/plugin.py (L54)
Change-Id: Ie24909b49baf2c6a886e2ff711e641e36ffe6b50
lb_observer and lb_global_observer don't have any meaning when
admin_or_owner policy override is enabled.
This commit disables client creation for those roles and removes their
uses from API tests (the behavior of the owner_or_admin tests are now
similar to their behavior before the introduction of the new RBAC
tests).
Requires the following configuration in tempest.conf:
[load_balancer]
RBAC_test_type = owner_or_admin
member_role = member
admin_role = admin
Change-Id: I2231384933d5974b962a558e8c0b3bffb1140b5a
This patch refactors the RBAC enforcement checks in the API tests.
It also updates those tests for keystone scoped tokens and default roles.
Change-Id: I6fad03f5a89c213562918ca258884aac34ba7ce7
This patch adds a pool re-encryption scenario test that covers
TLS enabled pools, pools with CA validation, and pools with
certificate revocation lists.
Co-Authored-By: Gregory Thiemonge <gthiemon@redhat.com>
Change-Id: Ib3d8d766b8eb358b48da74f8634f6d24510394b4
The IPv6 VIP subnet used in the tests is created using devstack's
default IPv6 subnetpool.
Devstack ensures that any CIDR from this subnetpool is routable from the
devstack node if the subnet is plugged into devstack's router1.
Change-Id: Iaf3113087a344787add3405208fb229838a56d0b
This patch creates the required pki resources and enables HTTPS
on the test web servers. It sets up port 443 for regular HTTPS and
port 9443 for HTTPS that will require a valid client certificate.
Change-Id: Ib7cee4c8600fd1be4a9d7027d3ca1f413a0b1007
Story: 2003858
Task: 41170
This patch installs and uses test_server.bin from
/opt/octavia-tempest-plugin as a well known location on the
filesystem. This way tests, like grenade, that run the devstack
plugins once in /old paths, can find the binary when running from
/new paths.
Change-Id: Ia78f16fde026269dec01f4dceb202842ad12a557
This is a patch to restructure the API tests to use the
new skip_if_not_implemented capability.
Depends-On: https://review.opendev.org/745239
Change-Id: I291488e1c9418e51d6fe7ea142eaca13e3c181a0
This is a patch to restructure the scenario tests to use the
new skip_if_not_implemented capability.
Change-Id: I49a7fb6650030f2a1115c6d42442062bd33415fd
This patch adds API and scenario tests for testing allowed CIDRS in
listeners introduced in API version 2.12 (included in Train release).
Change-Id: Ibe677e046afc16f038ccacb10e5fe62802828581
The repo is Python 3 now, so update hacking to version 3.0 which
supports Python 3.
Fix problems found by updated hacking version.
The tempest plugin is used on older branches as well.
We really only need hacking on master anyways,
where we no longer support python 2, so here we
make the requirement specific to python 3.
Change-Id: I885da1613e9cf754302700019a1207a279b3af2a
Update test_healthmonitor_traffic & test_basic_traffic tests
to support UDP traffic in test_traffic_ops
Add simple UDP test in test_ipv6_traffic_ops
Add a UDP test server, merged with the existing HTTP test server.
Change-Id: I1e497b75672753ed0e7acf482bc0e4a6138d3437
This patch adds map of supported algorithms by
provider drivers. For a first iteration let's select
the first from supported algorithms to be used as
a default and run the tests with it.
In addition this patch splits check_members_balanced()
into subfunctions related to the algorithm
that is validated.
Story: 2006264
Task: 35972
Change-Id: Id055763f35b487da539eddfe802c543a11246503
This patch adds scenario tests that exercise the SNI capabilities
of the Octavia TLS offloading.
Depends-On: https://review.opendev.org/690444
Change-Id: I4bbd103e34997dd6b1bb64cb5d69b5135c6e26ea
While using requests.session TCP connections are
reused. OVN Load Balancing algorithm uses hash with source port
to route clients' requests. In those terms if connection is reused
the load is not spread across members. This patch adds an option
to disable reusing connections.
Change-Id: I61a202a2c1a6d15d714464d519de39f5f2acb2a6
Story: 2006264
Task: 35992
Enable memory overcommit in server VMs to fix an allocation error when
using static binaries that have been compiled with a recent golang
toolchain (>= 1.11).
Story: 2006346
Task: 36103
Change-Id: I1e5979b4e49492c9a84f936681214deac556d856
This patch adds a service client for the amphora agent configuration update
API and adds an API test for the amphora configuration update API.
It also adds the service client for amphora failover and cleans up some
client credentials in the amphora scenario tests.
Change-Id: I4b1a1f48d2f619b883619811539ddb262d6b5f45
Code was assuming the subnet existed already and only after creating one
if not. On environments where the subnet does not exist, it raises an
IndexError exception as there are no elements in priv_ipv6_subnet. This
patch fixes the order of the code to first create the subnet if one
does not exist yet.
Story: 2006280
Task: 35982
Change-Id: I9fa9d7e16f32f516592bf155045d4f4e6a15ed6c
If the cloud has configured the ipv6-private-subnet to use stateless
addressing, such as slaac or dhcpv6-stateless, we need to not request
a fixed IP from neutron.
Story: 2006164
Task: 35674
Change-Id: I27e82b34a39bea8a987724e013081079f236894d
The IPv6 tests will fail if the ipv6-public-subnet (created by the
tempest plugin) is not present. This is because we don't store
the lb_member_vip_ipv6_net value when we create an ipv6 subnet.
Change-Id: Ib44896c0707f29cb6b98bb249176602f3e7c7190
Public ipv6 subnet isn't actually pluggable -- neutron in devstack makes
the private ipv6 subnet externally routable instead. So, we should use
that in our tests.
Change-Id: I45354806f7ad1ce06e59e644004770ac57bcc6ef
This patch adds a tempest scenario test for active/standby topology.
This scenario takes a similar approach to the scenario proposed in Change-Id
Ibcd5552a67cea650edc72bfaa986357267ca2407 with the difference that it
does not rely on amphora stats API. Instead, it uses iptables to log VIP
traffic and make assertions based on logging.
Co-Authored-By: Michael Johnson <johnsomor@gmail.com>
Change-Id: I24a6fc3387166ec6cdbd57a5ca9f63743748ec68
This patch adds flavor API tests to the Octavia tempest plugin.
Depends-On: https://review.openstack.org/626819
Change-Id: I863ca500d255fe41eef2d7434e540d53b9ead903
This patch adds flavor profile API tests to the Octavia tempest plugin.
Depends-On: https://review.openstack.org/626819
Change-Id: I4e76b3717ddc577a912e39edbe701c71825361d2
Neutron can be slow to cleanup ports from subnets/networks.
This patch adds retries when deleting subnets and networks in the
tempest teardown/clean up phase after tests.
Also, there were cases where addClassResourceCleanup was being used
inside test cases instead of addCleanup. This patch corrects those to
use addCleanup.
Story: 2004826
Task: 29000
Change-Id: Ia29541d1c89f3559a3ce22b1a27c6bcf079ce2cc
Adds a traffic scenario test that has an IPv6 VIP address and mixed
IPv4/IPv6 members. It tests that connections to the IPv6 VIP are
evenly balanced across the mixed members.
Change-Id: I6bb7be14379174be9018a74b07356ecd85089f45
Story: 1627892
Task: 27532
Depends-On: https://review.openstack.org/#/c/611460/