

Initial changes for QDR basicAuth (#481)
* Initial changes for QDR basicAuth

* Update roles/servicetelemetry/tasks/pre.yml

Co-authored-by: Leif Madsen <[email protected]>

* correct API version on secret

* Touchups from fresh environment test

* swap ansible_date_time for a filter that doesn't require facts

...and adheres to the rules for label text

* Update CSV

* Disable qdr auth in smoketests

See: #492

---------

Co-authored-by: Leif Madsen <[email protected]>
csibbitt and leifmadsen authored Sep 29, 2023
1 parent 30461a8 commit be41737
Showing 9 changed files with 100 additions and 0 deletions.
1 change: 1 addition & 0 deletions Jenkinsfile
Expand Up @@ -36,6 +36,7 @@ spec:
strategy: ephemeral
transports:
qdr:
auth: none
enabled: true
deploymentSize: 1
web:
6 changes: 6 additions & 0 deletions deploy/crds/infra.watch_servicetelemetrys_crd.yaml
Expand Up @@ -248,6 +248,12 @@ spec:
enabled:
description: Enable QDR data transort
type: boolean
auth:
description: 'Auth type to use for incoming OSP connections. Options are "none", or "basic"'
type: string
enum:
- none
- basic
web:
description: QDR web configuration
properties:
1 change: 1 addition & 0 deletions deploy/crds/infra.watch_v1beta1_servicetelemetry_cr.yaml
Expand Up @@ -102,6 +102,7 @@ spec:
transports:
qdr:
enabled: true
auth: basic
web:
enabled: false
certificates:
Expand Up @@ -429,6 +429,13 @@ spec:
qdr:
description: QDR configuration for data transport
properties:
auth:
description: Auth type to use for incoming OSP connections.
Options are "none", or "basic"
enum:
- none
- basic
type: string
certificates:
properties:
caCertDuration:
Expand Up @@ -153,6 +153,7 @@ metadata:
"observabilityStrategy": "use_redhat",
"transports": {
"qdr": {
"auth": "basic",
"certificates": {
"caCertDuration": "70080h",
"endpointCertDuration": "70080h"
1 change: 1 addition & 0 deletions roles/servicetelemetry/defaults/main.yml
Expand Up @@ -74,6 +74,7 @@ servicetelemetry_defaults:
deployment_size: 1
web:
enabled: false
auth: basic
certificates:
endpoint_cert_duration: 70080h
ca_cert_duration: 70080h
31 changes: 31 additions & 0 deletions roles/servicetelemetry/tasks/component_qdr.yml
Expand Up @@ -149,6 +149,32 @@
sasldb_path: /tmp/qdrouterd.sasldb
when: interconnect_manifest is not defined

- when:
- servicetelemetry_vars.transports.qdr.auth == "basic"
block:
- name: Get QDR BasicAuth secret
k8s_info:
api_version: interconnectedcloud.github.io/v1alpha1
kind: Interconnect
name: "{{ ansible_operator_meta.name }}-interconnect"
namespace: "{{ ansible_operator_meta.namespace }}"
register: _qdr_basicauth_object

# Because https://github.com/interconnectedcloud/qdr-operator/blob/576d2b33dac71437ea2b165caaaf6413220767fe/pkg/controller/interconnect/interconnect_controller.go#L634
- name: Perform a one-time upgrade to the default generated password for QDR BasicAuth
k8s:
definition:
kind: Secret
apiVersion: v1
metadata:
name: "{{ ansible_operator_meta.name }}-interconnect-users"
namespace: "{{ ansible_operator_meta.namespace }}"
labels:
stf_one_time_upgrade: "{{ lookup('pipe', 'date +%s') }}"
stringData:
guest: "{{ lookup('password', '/dev/null') }}"
when:
- _qdr_basicauth_object.resources[0] is defined and _qdr_basicauth_object[0].metadata.labels.stf_one_time_upgrade is not defined

- name: Set default Interconnect manifest
set_fact:
Expand Down Expand Up @@ -183,7 +209,12 @@
- expose: true
host: 0.0.0.0
port: 5671
{% if servicetelemetry_vars.transports.qdr.auth == "basic" %}
saslMechanisms: PLAIN
authenticatePeer: true
{% elif servicetelemetry_vars.transports.qdr.auth == "none" %}
saslMechanisms: ANONYMOUS
{% endif %}
sslProfile: openstack
- port: 5673
linkCapacity: 25000
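Review bot: The guard on the one-time password reset reads `_qdr_basicauth_object[0].metadata.labels.stf_one_time_upgrade`, but `k8s_info` registers its results under `resources` (the first clause of the same condition uses `.resources[0]`), so that path is undefined, `is not defined` is true on every reconcile, and the guest password is regenerated each run, invalidating credentials clients already hold. Even with the path corrected, the label is written to the `-interconnect-users` Secret while the lookup queries the Interconnect object, so unless the qdr-operator copies that label onto the Interconnect (nothing here shows it does) the guard can never become false. Querying the Secret instead keeps the existence check and the label check on the same object. The second hunk's Jinja conditional on the listener reads fine; the set_fact that encloses it starts outside the hunk.
```yaml
  - name: Get QDR BasicAuth secret
    k8s_info:
      api_version: v1
      kind: Secret
      name: "{{ ansible_operator_meta.name }}-interconnect-users"
      namespace: "{{ ansible_operator_meta.namespace }}"
    register: _qdr_basicauth_object

  # … unchanged: one-time upgrade task definition …
    when:
      - _qdr_basicauth_object.resources[0] is defined
      - _qdr_basicauth_object.resources[0].metadata.labels.stf_one_time_upgrade is not defined
```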
45 changes: 45 additions & 0 deletions roles/servicetelemetry/tasks/pre.yml
Expand Up @@ -127,6 +127,51 @@
- _community_prom_object.resources[0] is not defined
- _stf_object.resources[0].spec.observabilityStrategy is not defined

- name: Get QDR objects
k8s_info:
api_version: interconnectedcloud.github.io/v1alpha1
kind: Interconnect
name: "{{ ansible_operator_meta.name }}-interconnect"
namespace: "{{ ansible_operator_meta.namespace }}"
register: _qdr_object

- block:
- name: Apply legacy auth=none for QDR if missing on the STF object and it's currently deployed that way
k8s:
definition:
apiVersion: infra.watch/v1beta1
kind: ServiceTelemetry
metadata:
name: "{{ ansible_operator_meta.name }}"
namespace: "{{ ansible_operator_meta.namespace }}"
spec:
transports:
qdr:
auth: none

- name: Set auth=none for remainder of this run
set_fact:
servicetelemetry_vars: "{{ servicetelemetry_vars|combine({'transports':{'qdr':{'auth': 'none'}}}, recursive=True) }}" # noqa 206
when:
- _stf_object.resources[0].spec.transports.qdr.auth is not defined
- _qdr_object.resources[0] is defined and _qdr_object.resources[0].spec.edgeListeners[0].saslMechanisms == "ANONYMOUS"

- name: Apply default auth for QDR if missing on a new STF object with no associated auth=none QDR
k8s:
definition:
apiVersion: infra.watch/v1beta1
kind: ServiceTelemetry
metadata:
name: "{{ ansible_operator_meta.name }}"
namespace: "{{ ansible_operator_meta.namespace }}"
spec:
transports:
qdr:
auth: "{{ servicetelemetry_defaults.transports.qdr.auth }}"
when:
- _stf_object.resources[0].spec.transports.qdr.auth is not defined
- _qdr_object.resources[0] is defined and _qdr_object.resources[0].spec.edgeListeners[0].saslMechanisms != "ANONYMOUS"

- name: Set ephemeral_storage_enabled to true when storage strategy is ephemeral
set_fact:
_ephemeral_storage_enabled: true
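Review bot: Both `when` conditions (the legacy block and the default-auth task that follows it) compare `_qdr_object.resources[0].spec.edgeListeners[0].saslMechanisms`, but the Interconnect manifest before this change (visible as context in the component_qdr.yml hunk) sets no `saslMechanisms` on the 5671 listener, so on an existing deployment that key is presumably absent unless the qdr-operator defaults it; an undefined value in a `when` comparison fails the conditional and aborts the reconcile instead of selecting the legacy path. Indexing `[0]` also assumes the OSP listener is first in `edgeListeners`, which nothing here guarantees. Defaulting the missing key to the pre-change behaviour keeps the migration intent: `- _qdr_object.resources[0] is defined and _qdr_object.resources[0].spec.edgeListeners[0].saslMechanisms | default('ANONYMOUS') == "ANONYMOUS"` here, with the mirrored `!= "ANONYMOUS"` form in the second task; selecting the listener by port rather than position would be safer still.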
7 changes: 7 additions & 0 deletions tests/smoketest/smoketest.sh
Expand Up @@ -27,6 +27,13 @@ if [ "${OC_CLIENT_VERSION_Y}" -lt "${OC_CLIENT_VERSION_Y_REQUIRED}" ] || [ "${OC
exit 1
fi

if [ "$(oc get stf default -o=jsonpath='{.spec.transports.qdr.auth}')" != "none" ]; then
echo "*** QDR authentication is currently not supported in smoketests."
echo "To disable it, use: oc patch stf default --patch '{\"spec\":{\"transports\":{\"qdr\":{\"auth\":\"none\"}}}}' --type=merge"
echo "For more info: https://github.com/infrawatch/service-telemetry-operator/pull/492"
exit 1
fi

CLEANUP=${CLEANUP:-true}
SMOKETEST_VERBOSE=${SMOKETEST_VERBOSE:-true}

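Review bot: The new check treats every non-`none` result as auth enabled, including the empty string `oc get` yields when the field is unset or the command itself fails, so a missing STF object is reported as "authentication is currently not supported" rather than its real cause. Exiting in that case is reasonable given the role now defaults to basic auth, but the message hides what was observed. Capturing the value and printing it makes the failure diagnosable: `QDR_AUTH=$(oc get stf default -o=jsonpath='{.spec.transports.qdr.auth}')`, `if [ "${QDR_AUTH}" != "none" ]; then` and `echo "*** QDR authentication is currently not supported in smoketests (spec.transports.qdr.auth='${QDR_AUTH}')."`.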
