Merge branch 'master' into efoley-zuul-nightly-bundles

Jenkinsfile

@@ -36,6 +36,7 @@ spec:
           strategy: ephemeral
   transports:
     qdr:
+      auth: none
       enabled: true
       deploymentSize: 1
       web:

build/stf-run-ci/README.md

@@ -52,6 +52,7 @@ choose to override:
 | `__service_telemetry_trap_default_oid`                               | <default_oid>                                               | 1.3.6.1.4.1.50495.15.1.2.1                            | The trap OID if none is found in the Prometheus alert labels.                                                                             |
 | `__service_telemetry_trap_default_severity`                          | <default_severity>                                          | <undefined>                                           | The trap severity if none is found in the Prometheus alert labels.                                                                        |
 | `__service_telemetry_observability_strategy`                         | <observability_strategy>                                    | `use_redhat`                                          | Which observability strategy to use for deployment. Default is 'use_redhat'. Also supported are 'use_hybrid', 'use_community', and 'none' |
+| `__service_telemetry_transports_qdr_auth`                            | {'none', 'basic'}                                           | `none`                                                | Which auth method to use for QDR. Can be 'none' or 'basic'. Note: 'basic' is not yet supported in smoketests.                             |
 | `__service_telemetry_transports_certificates_endpoint_cert_duration` | [ParseDuration](https://golang.org/pkg/time/#ParseDuration) | 70080h                                                | Lifetime of the QDR endpoint certificate (minimum duration is 1h)                                                                         |
 | `__service_telemetry_transports_certificates_ca_cert_duration`       | [ParseDuration](https://golang.org/pkg/time/#ParseDuration) | 70080h                                                | Lifetime of the QDR CA certificate (minimum duration is 1h)                                                                               |
 | `__internal_registry_path`                                           | <registry_path>                                             | image-registry.openshift-image-registry.svc:5000      | Path to internal registry for image path                                                                                                  |

build/stf-run-ci/tasks/deploy_stf.yml

@@ -49,6 +49,9 @@
         transports:
           qdr:
             enabled: true
+      {% if __service_telemetry_transports_qdr_auth is defined %}
+            auth: "{{ __service_telemetry_transports_qdr_auth }}"
+      {% endif %}
             certificates:
               endpointCertDuration: {{ __service_telemetry_transports_certificates_endpoint_cert_duration }}
               caCertDuration: {{ __service_telemetry_transports_certificates_ca_cert_duration }}

ci/vars-zuul-common.yml

@@ -2,5 +2,6 @@
 namespace: "service-telemetry"
 setup_bundle_registry_tls_ca: false
 setup_bundle_registry_auth: false
+__service_telemetry_transports_qdr_auth: none
 base_dir: "{{ sto_dir }}/build"
 logfile_dir: "{{ ansible_user_dir }}/zuul-output/logs/controller"

deploy/crds/infra.watch_servicetelemetrys_crd.yaml

@@ -248,6 +248,12 @@ spec:
                       enabled:
                         description: Enable QDR data transort
                         type: boolean
+                      auth:
+                        description: 'Auth type to use for incoming OSP connections. Options are "none", or "basic"'
+                        type: string
+                        enum:
+                        - none
+                        - basic
                       web:
                         description: QDR web configuration
                         properties:

deploy/crds/infra.watch_v1beta1_servicetelemetry_cr.yaml

@@ -102,6 +102,7 @@ spec:
   transports:
     qdr:
       enabled: true
+      auth: basic
       web:
         enabled: false
       certificates:

deploy/olm-catalog/service-telemetry-operator/manifests/infra.watch_servicetelemetrys_crd.yaml

@@ -429,6 +429,13 @@ spec:
                   qdr:
                     description: QDR configuration for data transport
                     properties:
+                      auth:
+                        description: Auth type to use for incoming OSP connections.
+                          Options are "none", or "basic"
+                        enum:
+                        - none
+                        - basic
+                        type: string
                       certificates:
                         properties:
                           caCertDuration:

deploy/olm-catalog/service-telemetry-operator/manifests/service-telemetry-operator.clusterserviceversion.yaml

@@ -153,6 +153,7 @@ metadata:
             "observabilityStrategy": "use_redhat",
             "transports": {
               "qdr": {
+                "auth": "basic",
                 "certificates": {
                   "caCertDuration": "70080h",
                   "endpointCertDuration": "70080h"

roles/servicetelemetry/defaults/main.yml

@@ -74,6 +74,7 @@ servicetelemetry_defaults:
       deployment_size: 1
       web:
         enabled: false
+      auth: basic
       certificates:
         endpoint_cert_duration: 70080h
         ca_cert_duration: 70080h

roles/servicetelemetry/tasks/component_qdr.yml

@@ -149,6 +149,32 @@
           sasldb_path: /tmp/qdrouterd.sasldb
   when: interconnect_manifest is not defined
 
+- when:
+  - servicetelemetry_vars.transports.qdr.auth == "basic"
+  block:
+    - name: Get QDR BasicAuth secret
+      k8s_info:
+        api_version: interconnectedcloud.github.io/v1alpha1
+        kind: Interconnect
+        name: "{{ ansible_operator_meta.name }}-interconnect"
+        namespace: "{{ ansible_operator_meta.namespace }}"
+      register: _qdr_basicauth_object
+
+    # Because https://github.com/interconnectedcloud/qdr-operator/blob/576d2b33dac71437ea2b165caaaf6413220767fe/pkg/controller/interconnect/interconnect_controller.go#L634
+    - name: Perform a one-time upgrade to the default generated password for QDR BasicAuth
+      k8s:
+        definition:
+          kind: Secret
+          apiVersion: v1
+          metadata:
+            name: "{{ ansible_operator_meta.name }}-interconnect-users"
+            namespace: "{{ ansible_operator_meta.namespace }}"
+            labels:
+              stf_one_time_upgrade: "{{ lookup('pipe', 'date +%s') }}"
+          stringData:
+            guest: "{{ lookup('password', '/dev/null') }}"
+      when:
+        - _qdr_basicauth_object.resources[0] is defined and _qdr_basicauth_object[0].metadata.labels.stf_one_time_upgrade is not defined
 
 - name: Set default Interconnect manifest
   set_fact:
@@ -183,7 +209,12 @@
           - expose: true
             host: 0.0.0.0
             port: 5671
+      {% if servicetelemetry_vars.transports.qdr.auth == "basic" %}
+            saslMechanisms: PLAIN
+            authenticatePeer: true
+      {% elif servicetelemetry_vars.transports.qdr.auth == "none" %}
             saslMechanisms: ANONYMOUS
+      {% endif %}
             sslProfile: openstack
           - port: 5673
             linkCapacity: 25000

roles/servicetelemetry/tasks/pre.yml

@@ -127,6 +127,51 @@
     - _community_prom_object.resources[0] is not defined
     - _stf_object.resources[0].spec.observabilityStrategy is not defined
 
+- name: Get QDR objects
+  k8s_info:
+    api_version: interconnectedcloud.github.io/v1alpha1
+    kind: Interconnect
+    name: "{{ ansible_operator_meta.name }}-interconnect"
+    namespace: "{{ ansible_operator_meta.namespace }}"
+  register: _qdr_object
+
+- block:
+  - name: Apply legacy auth=none for QDR if missing on the STF object and it's currently deployed that way
+    k8s:
+      definition:
+        apiVersion: infra.watch/v1beta1
+        kind: ServiceTelemetry
+        metadata:
+          name: "{{ ansible_operator_meta.name }}"
+          namespace: "{{ ansible_operator_meta.namespace }}"
+        spec:
+          transports:
+            qdr:
+              auth: none
+
+  - name: Set auth=none for remainder of this run
+    set_fact:
+      servicetelemetry_vars: "{{ servicetelemetry_vars|combine({'transports':{'qdr':{'auth': 'none'}}}, recursive=True) }}" # noqa 206
+  when:
+    - _stf_object.resources[0].spec.transports.qdr.auth is not defined
+    - _qdr_object.resources[0] is defined and _qdr_object.resources[0].spec.edgeListeners[0].saslMechanisms == "ANONYMOUS"
+
+- name: Apply default auth for QDR if missing on a new STF object with no associated auth=none QDR
+  k8s:
+    definition:
+      apiVersion: infra.watch/v1beta1
+      kind: ServiceTelemetry
+      metadata:
+        name: "{{ ansible_operator_meta.name }}"
+        namespace: "{{ ansible_operator_meta.namespace }}"
+      spec:
+        transports:
+          qdr:
+            auth: "{{ servicetelemetry_defaults.transports.qdr.auth }}"
+  when:
+    - _stf_object.resources[0].spec.transports.qdr.auth is not defined
+    - _qdr_object.resources[0] is defined and _qdr_object.resources[0].spec.edgeListeners[0].saslMechanisms != "ANONYMOUS"
+
 - name: Set ephemeral_storage_enabled to true when storage strategy is ephemeral
   set_fact:
     _ephemeral_storage_enabled: true

tests/smoketest/smoketest.sh

@@ -27,6 +27,13 @@ if [ "${OC_CLIENT_VERSION_Y}" -lt "${OC_CLIENT_VERSION_Y_REQUIRED}" ] || [ "${OC
     exit 1
 fi
 
+if [ "$(oc get stf default -o=jsonpath='{.spec.transports.qdr.auth}')" != "none" ]; then
+    echo "*** QDR authentication is currently not supported in smoketests."
+    echo "To disable it, use: oc patch stf default --patch '{\"spec\":{\"transports\":{\"qdr\":{\"auth\":\"none\"}}}}' --type=merge"
+    echo "For more info: https://github.com/infrawatch/service-telemetry-operator/pull/492"
+    exit 1
+fi
+
 CLEANUP=${CLEANUP:-true}
 SMOKETEST_VERBOSE=${SMOKETEST_VERBOSE:-true}