Merge branch 'master' into efoley-replace_query

infrawatch · Oct 5, 2023 · bbcb60e · bbcb60e
2 parents 391a19a + 79d8968
commit bbcb60e
Show file tree

Hide file tree

Showing 20 changed files with 146 additions and 17 deletions.
diff --git a/.zuul.yaml b/.zuul.yaml
@@ -26,8 +26,16 @@
       # Pass vars to crc cli https://review.rdoproject.org/cgit/config/tree/playbooks/crc/simple-start.yaml#n30
       crc_parameters: '--memory 16000 --disk-size 80 --cpus 6'  # Increase from 14336
 
+- job:
+    name: stf-crc-latest-local_build
+    parent: stf-base
+    description: |
+      Build images locally and deploy STF
+    vars:
+      scenario: "local_build"
+
 - project:
     name: infrawatch/service-telemetry-operator
     github-check:
       jobs:
-        - noop
+        - stf-crc-latest-local_build
diff --git a/Jenkinsfile b/Jenkinsfile
@@ -36,6 +36,7 @@ spec:
           strategy: ephemeral
   transports:
     qdr:
+      auth: none
       enabled: true
       deploymentSize: 1
       web:

diff --git a/build/stf-run-ci/README.md b/build/stf-run-ci/README.md
@@ -52,6 +52,7 @@ choose to override:
 | `__service_telemetry_trap_default_oid`                               | <default_oid>                                               | 1.3.6.1.4.1.50495.15.1.2.1                            | The trap OID if none is found in the Prometheus alert labels.                                                                             |
 | `__service_telemetry_trap_default_severity`                          | <default_severity>                                          | <undefined>                                           | The trap severity if none is found in the Prometheus alert labels.                                                                        |
 | `__service_telemetry_observability_strategy`                         | <observability_strategy>                                    | `use_redhat`                                          | Which observability strategy to use for deployment. Default is 'use_redhat'. Also supported are 'use_hybrid', 'use_community', and 'none' |
+| `__service_telemetry_transports_qdr_auth`                            | {'none', 'basic'}                                           | `none`                                                | Which auth method to use for QDR. Can be 'none' or 'basic'. Note: 'basic' is not yet supported in smoketests.                             |
 | `__service_telemetry_transports_certificates_endpoint_cert_duration` | [ParseDuration](https://golang.org/pkg/time/#ParseDuration) | 70080h                                                | Lifetime of the QDR endpoint certificate (minimum duration is 1h)                                                                         |
 | `__service_telemetry_transports_certificates_ca_cert_duration`       | [ParseDuration](https://golang.org/pkg/time/#ParseDuration) | 70080h                                                | Lifetime of the QDR CA certificate (minimum duration is 1h)                                                                               |
 | `__internal_registry_path`                                           | <registry_path>                                             | image-registry.openshift-image-registry.svc:5000      | Path to internal registry for image path                                                                                                  |

diff --git a/build/stf-run-ci/tasks/deploy_stf.yml b/build/stf-run-ci/tasks/deploy_stf.yml
@@ -49,6 +49,9 @@
         transports:
           qdr:
             enabled: true
+      {% if __service_telemetry_transports_qdr_auth is defined %}
+            auth: "{{ __service_telemetry_transports_qdr_auth }}"
+      {% endif %}
             certificates:
               endpointCertDuration: {{ __service_telemetry_transports_certificates_endpoint_cert_duration }}
               caCertDuration: {{ __service_telemetry_transports_certificates_ca_cert_duration }}

diff --git a/build/stf-run-ci/tasks/main.yml b/build/stf-run-ci/tasks/main.yml
@@ -5,7 +5,7 @@
 - name: Setup default values
   ansible.builtin.set_fact:
     branch: "{{ working_branch | default('master') }}"
-    namespace: "{{ working_namespace | default('service-telemetry') }}"
+    namespace: "{{ namespace if namespace is defined else (working_namespace | default('service-telemetry'))}}"
 
 - name: Set default image paths for local builds
   ansible.builtin.set_fact:
@@ -205,7 +205,7 @@
 
   - name: Validate system is operational
     ansible.builtin.shell: |
-      OCP_PROJECT="{{ namespace }}" VALIDATION_SCOPE="{{ __service_telemetry_observability_strategy }}" timeout 600 "{{ base_dir }}/validate_deployment.sh" >> {{ logfile_dir }}/validate_deployment.log 2>&1
+      OCP_PROJECT="{{ namespace }}" VALIDATION_SCOPE="{{ __service_telemetry_observability_strategy }}" timeout 1200 "{{ base_dir }}/validate_deployment.sh" >> {{ logfile_dir }}/validate_deployment.log 2>&1
     args:
       executable: /bin/bash
     register: validate_deployment

diff --git a/ci/post-collect_logs.yml b/ci/post-collect_logs.yml
@@ -55,6 +55,7 @@
           oc get subscriptions > {{ logfile_dir }}/post_oc_get_subscriptions.log 2>&1
           oc describe subscription service-telemetry-operator >> {{ logfile_dir }}/post_oc_get_subscriptions.log 2>&1
           cat {{ logfile_dir}}/post_oc_get_subscriptions.log
+      ignore_errors: true
 
     - name: "Get image infos"
       ansible.builtin.shell:
@@ -69,6 +70,7 @@
           oc get imagestream -oyaml >> {{ logfile_dir }}/post_oc_get_images.log 2>&1
           cat {{ logfile_dir }}/post_oc_get_images.log 2>&1
       register: post_oc_get_images
+      ignore_errors: true
       retries: 3
       delay: 10
 
@@ -86,9 +88,10 @@
           echo "What images were created in the internal registry?" > {{ logfile_dir }}/post_question_deployment.log 2>&1
           oc get images | grep $(oc registry info --internal) >> {{ logfile_dir }}/post_question_deployment.log 2>&1
           echo "What state is the STO csv in?" >> {{ logfile_dir }}/post_question_deployment.log 2>&1
-          oc get csv -n service-telemetry | grep service-telemetry-operator >> {{ logfile_dir }}/post_question_deployment.log 2>&1
-          oc get csv -n service-telemetry-operator -oyaml >> {{ logfile_dir }}/post_question_deployment.log 2>&1
+          oc get csv -n {{ namespace }} | grep service-telemetry-operator >> {{ logfile_dir }}/post_question_deployment.log 2>&1
+          oc get csv -n {{ namespace }} service-telemetry-operator -oyaml >> {{ logfile_dir }}/post_question_deployment.log 2>&1
       register: output
+      ignore_errors: true
       retries: 3
       delay: 10
 

diff --git a/ci/prepare.yml b/ci/prepare.yml
@@ -2,17 +2,25 @@
 - name: "Prepare the environment for running stf"
   hosts: controller
   tasks:
+    - name: "Set the sto_dir if it isn't already set"
+      ansible.builtin.set_fact:
+        sto_dir: '{{ ansible_env.HOME }}/{{ zuul.project.src_dir }}'
+      when: sto_dir | default('') | length == 0
+
+    - name: "Get vars common to all jobs"
+      ansible.builtin.include_vars:
+        file: "vars-zuul-common.yml"
+
+    - name: "Get scenario-specific vars"
+      ansible.builtin.include_vars:
+        file: "vars-{{ scenario }}.yml"
+
     - name: "Update pip"
       ansible.builtin.pip:
         name: pip
         state: latest
         extra_args: "-U"
 
-    - name: "Set the value of sto_dir, if it's not already defined"
-      ansible.builtin.set_fact:
-        sto_dir: "{{ ansible_env.HOME }}/{{ zuul.project.src_dir }}"
-      when: not (sto_dir is defined)
-
     - name: "Install pre-reqs from pip"
       ansible.builtin.pip:
         requirements: "build/stf-run-ci/requirements.txt"

diff --git a/ci/vars-local_build.yml b/ci/vars-local_build.yml
@@ -0,0 +1,5 @@
+---
+__deploy_stf: true
+__local_build_enabled: true
+__service_telemetry_snmptraps_enabled: true
+__service_telemetry_storage_ephemeral_enabled: true
diff --git a/ci/vars-zuul-common.yml b/ci/vars-zuul-common.yml
@@ -1,6 +1,7 @@
 ---
-namespace: "service-telemetry-PR#{{ zuul.change }}-{{ zuul.build }}"
+namespace: "service-telemetry"
 setup_bundle_registry_tls_ca: false
 setup_bundle_registry_auth: false
+__service_telemetry_transports_qdr_auth: none
 base_dir: "{{ sto_dir }}/build"
 logfile_dir: "{{ ansible_user_dir }}/zuul-output/logs/controller"
diff --git a/deploy/crds/infra.watch_servicetelemetrys_crd.yaml b/deploy/crds/infra.watch_servicetelemetrys_crd.yaml
@@ -248,6 +248,12 @@ spec:
                       enabled:
                         description: Enable QDR data transort
                         type: boolean
+                      auth:
+                        description: 'Auth type to use for incoming OSP connections. Options are "none", or "basic"'
+                        type: string
+                        enum:
+                        - none
+                        - basic
                       web:
                         description: QDR web configuration
                         properties:

diff --git a/deploy/crds/infra.watch_v1beta1_servicetelemetry_cr.yaml b/deploy/crds/infra.watch_v1beta1_servicetelemetry_cr.yaml
@@ -73,7 +73,7 @@ spec:
             subscriptionAddress: sensubility/cloud1-telemetry
             debugEnabled: false
             bridge:
-              ringBufferSize: 16384
+              ringBufferSize: 65535
               ringBufferCount: 15000
               verbose: false
       events:
@@ -102,6 +102,7 @@ spec:
   transports:
     qdr:
       enabled: true
+      auth: basic
       web:
         enabled: false
       certificates:

diff --git a/...y/olm-catalog/service-telemetry-operator/manifests/infra.watch_servicetelemetrys_crd.yaml b/...y/olm-catalog/service-telemetry-operator/manifests/infra.watch_servicetelemetrys_crd.yaml
@@ -429,6 +429,13 @@ spec:
                   qdr:
                     description: QDR configuration for data transport
                     properties:
+                      auth:
+                        description: Auth type to use for incoming OSP connections.
+                          Options are "none", or "basic"
+                        enum:
+                        - none
+                        - basic
+                        type: string
                       certificates:
                         properties:
                           caCertDuration:

diff --git a/...ervice-telemetry-operator/manifests/service-telemetry-operator.clusterserviceversion.yaml b/...ervice-telemetry-operator/manifests/service-telemetry-operator.clusterserviceversion.yaml
@@ -126,7 +126,7 @@ metadata:
                     {
                       "bridge": {
                         "ringBufferCount": 15000,
-                        "ringBufferSize": 16384,
+                        "ringBufferSize": 65535,
                         "verbose": false
                       },
                       "collectorType": "sensubility",
@@ -153,6 +153,7 @@ metadata:
             "observabilityStrategy": "use_redhat",
             "transports": {
               "qdr": {
+                "auth": "basic",
                 "certificates": {
                   "caCertDuration": "70080h",
                   "endpointCertDuration": "70080h"

diff --git a/roles/servicetelemetry/defaults/main.yml b/roles/servicetelemetry/defaults/main.yml
@@ -74,6 +74,7 @@ servicetelemetry_defaults:
       deployment_size: 1
       web:
         enabled: false
+      auth: basic
       certificates:
         endpoint_cert_duration: 70080h
         ca_cert_duration: 70080h
@@ -115,7 +116,7 @@ servicetelemetry_defaults:
             subscription_address: sensubility/cloud1-telemetry
             debug_enabled: false
             bridge:
-              ring_buffer_size: 16384
+              ring_buffer_size: 65535
               ring_buffer_count: 15000
               verbose: false
       events:

diff --git a/roles/servicetelemetry/tasks/component_qdr.yml b/roles/servicetelemetry/tasks/component_qdr.yml
@@ -149,6 +149,32 @@
           sasldb_path: /tmp/qdrouterd.sasldb
   when: interconnect_manifest is not defined
 
+- when:
+  - servicetelemetry_vars.transports.qdr.auth == "basic"
+  block:
+    - name: Get QDR BasicAuth secret
+      k8s_info:
+        api_version: interconnectedcloud.github.io/v1alpha1
+        kind: Interconnect
+        name: "{{ ansible_operator_meta.name }}-interconnect"
+        namespace: "{{ ansible_operator_meta.namespace }}"
+      register: _qdr_basicauth_object
+
+    # Because https://github.com/interconnectedcloud/qdr-operator/blob/576d2b33dac71437ea2b165caaaf6413220767fe/pkg/controller/interconnect/interconnect_controller.go#L634
+    - name: Perform a one-time upgrade to the default generated password for QDR BasicAuth
+      k8s:
+        definition:
+          kind: Secret
+          apiVersion: v1
+          metadata:
+            name: "{{ ansible_operator_meta.name }}-interconnect-users"
+            namespace: "{{ ansible_operator_meta.namespace }}"
+            labels:
+              stf_one_time_upgrade: "{{ lookup('pipe', 'date +%s') }}"
+          stringData:
+            guest: "{{ lookup('password', '/dev/null') }}"
+      when:
+        - _qdr_basicauth_object.resources[0] is defined and _qdr_basicauth_object[0].metadata.labels.stf_one_time_upgrade is not defined
 
 - name: Set default Interconnect manifest
   set_fact:
@@ -183,7 +209,12 @@
           - expose: true
             host: 0.0.0.0
             port: 5671
+      {% if servicetelemetry_vars.transports.qdr.auth == "basic" %}
+            saslMechanisms: PLAIN
+            authenticatePeer: true
+      {% elif servicetelemetry_vars.transports.qdr.auth == "none" %}
             saslMechanisms: ANONYMOUS
+      {% endif %}
             sslProfile: openstack
           - port: 5673
             linkCapacity: 25000

diff --git a/roles/servicetelemetry/tasks/pre.yml b/roles/servicetelemetry/tasks/pre.yml
@@ -127,6 +127,51 @@
     - _community_prom_object.resources[0] is not defined
     - _stf_object.resources[0].spec.observabilityStrategy is not defined
 
+- name: Get QDR objects
+  k8s_info:
+    api_version: interconnectedcloud.github.io/v1alpha1
+    kind: Interconnect
+    name: "{{ ansible_operator_meta.name }}-interconnect"
+    namespace: "{{ ansible_operator_meta.namespace }}"
+  register: _qdr_object
+
+- block:
+  - name: Apply legacy auth=none for QDR if missing on the STF object and it's currently deployed that way
+    k8s:
+      definition:
+        apiVersion: infra.watch/v1beta1
+        kind: ServiceTelemetry
+        metadata:
+          name: "{{ ansible_operator_meta.name }}"
+          namespace: "{{ ansible_operator_meta.namespace }}"
+        spec:
+          transports:
+            qdr:
+              auth: none
+
+  - name: Set auth=none for remainder of this run
+    set_fact:
+      servicetelemetry_vars: "{{ servicetelemetry_vars|combine({'transports':{'qdr':{'auth': 'none'}}}, recursive=True) }}" # noqa 206
+  when:
+    - _stf_object.resources[0].spec.transports.qdr.auth is not defined
+    - _qdr_object.resources[0] is defined and _qdr_object.resources[0].spec.edgeListeners[0].saslMechanisms == "ANONYMOUS"
+
+- name: Apply default auth for QDR if missing on a new STF object with no associated auth=none QDR
+  k8s:
+    definition:
+      apiVersion: infra.watch/v1beta1
+      kind: ServiceTelemetry
+      metadata:
+        name: "{{ ansible_operator_meta.name }}"
+        namespace: "{{ ansible_operator_meta.namespace }}"
+      spec:
+        transports:
+          qdr:
+            auth: "{{ servicetelemetry_defaults.transports.qdr.auth }}"
+  when:
+    - _stf_object.resources[0].spec.transports.qdr.auth is not defined
+    - _qdr_object.resources[0] is defined and _qdr_object.resources[0].spec.edgeListeners[0].saslMechanisms != "ANONYMOUS"
+
 - name: Set ephemeral_storage_enabled to true when storage strategy is ephemeral
   set_fact:
     _ephemeral_storage_enabled: true

diff --git a/tests/infrared/17.1/enable-stf.yaml.template b/tests/infrared/17.1/enable-stf.yaml.template
@@ -11,6 +11,7 @@ custom_templates:
         # manage the polling and pipeline configuration files for Ceilometer agents
         ManagePolling: true
         ManagePipeline: true
+        ManageEventPipeline: false
 
         # enable Ceilometer metrics
         CeilometerQdrPublishMetrics: true

diff --git a/tests/smoketest/smoketest.sh b/tests/smoketest/smoketest.sh
@@ -27,6 +27,13 @@ if [ "${OC_CLIENT_VERSION_Y}" -lt "${OC_CLIENT_VERSION_Y_REQUIRED}" ] || [ "${OC
     exit 1
 fi
 
+if [ "$(oc get stf default -o=jsonpath='{.spec.transports.qdr.auth}')" != "none" ]; then
+    echo "*** QDR authentication is currently not supported in smoketests."
+    echo "To disable it, use: oc patch stf default --patch '{\"spec\":{\"transports\":{\"qdr\":{\"auth\":\"none\"}}}}' --type=merge"
+    echo "For more info: https://github.com/infrawatch/service-telemetry-operator/pull/492"
+    exit 1
+fi
+
 CLEANUP=${CLEANUP:-true}
 SMOKETEST_VERBOSE=${SMOKETEST_VERBOSE:-true}
 

diff --git a/tests/smoketest/smoketest_ceilometer_entrypoint.sh b/tests/smoketest/smoketest_ceilometer_entrypoint.sh
@@ -1,5 +1,5 @@
 #!/bin/sh
-set -e
+set +e
 
 # Executes inside the test harness container to start collectd and look for resulting metrics in prometheus
 PROMETHEUS=${PROMETHEUS:-"https://default-prometheus-proxy:9092"}
@@ -28,7 +28,6 @@ echo "*** [INFO] Checking for recent image metrics..."
 
 echo "[DEBUG] Running the curl command to return a query"
 curl -k -u "internal:${PROMETHEUS_AUTH_PASS}" -g "${PROMETHEUS}/api/v1/query?" --data-urlencode 'query=ceilometer_image_size' 2>&1 | grep '"result":\[{"metric":{"__name__":"ceilometer_image_size"'
-echo "[DEBUG] Query returned"
 metrics_result=$?
 echo "[DEBUG] Set metrics_result to $metrics_result"
 

diff --git a/tests/smoketest/smoketest_collectd_entrypoint.sh b/tests/smoketest/smoketest_collectd_entrypoint.sh
@@ -1,5 +1,5 @@
 #!/bin/sh
-set -e
+set +e
 
 # Executes inside the test harness container to start collectd and look for resulting metrics in prometheus
 PROMETHEUS=${PROMETHEUS:-"https://default-prometheus-proxy:9092"}