Merge "Add OpenID Connect Token Auth for k8s"

2022-08-25 09:36:16 +00:00 · 2022-08-25 09:36:16 +00:00 · bfc0c8fdeb
parent 21f60be225 0fcb9a59a1
commit bfc0c8fdeb
2 changed files with 52 additions and 1 deletions
--- a/tackerclient/tacker/v1_0/nfvo/vim_utils.py
+++ b/tackerclient/tacker/v1_0/nfvo/vim_utils.py
@ -63,7 +63,25 @@ def args2body_vim(config_param, vim):
                message='Project name must be specified in Kubernetes VIM,'
                        'it is namespace in Kubernetes environment',
                status_code=404)
-        if ('username' in config_param) and ('password' in config_param):
+        if 'oidc_token_url' in config_param:
+            if ('username' not in config_param or
+                    'password' not in config_param or
+                    'client_id' not in config_param):
+                # the username, password, client_id are required.
+                # client_secret is not required when client type is public.
+                raise exceptions.TackerClientException(
+                    message='oidc_token_url must be specified with username,'
+                            ' password, client_id, client_secret(optional).',
+                    status_code=404)
+            vim['auth_cred'] = {
+                'oidc_token_url': config_param.pop('oidc_token_url'),
+                'username': config_param.pop('username'),
+                'password': config_param.pop('password'),
+                'client_id': config_param.pop('client_id')}
+            if 'client_secret' in config_param:
+                vim['auth_cred']['client_secret'] = config_param.pop(
+                    'client_secret')
+        elif ('username' in config_param) and ('password' in config_param):
            vim['auth_cred'] = {
                'username': config_param.pop('username', ''),
                'password': config_param.pop('password', '')}
--- a/tackerclient/tests/unit/vm/test_vim_utils.py
+++ b/tackerclient/tests/unit/vm/test_vim_utils.py
@ -76,6 +76,39 @@ class TestVIMUtils(testtools.TestCase):
        vim_utils.args2body_vim(config_param.copy(), vim)
        self.assertEqual(expected_vim, vim)

+    def test_args2body_kubernetes_vim_oidc(self):
+        config_param = {'oidc_token_url': sentinel.oidc_token_url,
+                        'username': sentinel.username,
+                        'password': sentinel.password,
+                        'client_id': sentinel.client_id,
+                        'client_secret': sentinel.client_secret,
+                        'ssl_ca_cert': "None",
+                        'project_name': sentinel.prj_name,
+                        'type': 'kubernetes'}
+        vim = {}
+        auth_cred = config_param.copy()
+        auth_cred.pop('project_name')
+        auth_cred.pop('type')
+        expected_vim = {'auth_cred': auth_cred,
+                        'vim_project':
+                            {'name': sentinel.prj_name},
+                        'type': 'kubernetes'}
+        vim_utils.args2body_vim(config_param.copy(), vim)
+        self.assertEqual(expected_vim, vim)
+
+    def test_args2body_kubernetes_vim_oidc_no_username(self):
+        config_param = {'oidc_token_url': sentinel.oidc_token_url,
+                        'password': sentinel.password,
+                        'client_id': sentinel.client_id,
+                        'client_secret': sentinel.client_secret,
+                        'ssl_ca_cert': "None",
+                        'project_name': sentinel.prj_name,
+                        'type': 'kubernetes'}
+        vim = {}
+        self.assertRaises(exceptions.TackerClientException,
+                          vim_utils.args2body_vim,
+                          config_param, vim)
+
    def test_args2body_vim_no_project(self):
        config_param = {'username': sentinel.usrname1,
                        'password': sentinel.password1,