Showing
8 changed files
with
708 additions
and
0 deletions.
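--- /dev/null
+++ b/[path not shown]
@@ -0,0 +1,54 @@
+FROM quay.io/centos/centos:stream9
+
+# Use this build arg to set any default test script arguments
+ENV RUN_SCRIPT_ARGS=${RUN_SCRIPT_ARGS}
+ENV ROBOT_EXTRA_ARGS=''
+ENV SET_ENVIRONMENT=0
+ENV RETURN_PW=0
+ENV OC_HOST=${OC_HOST}
+ENV RUN_FROM_CONTAINER=1
+ENV SE_BROWSER_PATH=/usr/bin/chromium-browser
+ARG OC_VERSION=4.13
+ARG OC_CHANNEL=stable
+ARG PYTHON_VERSION=3.11
+
+ENV ODS_VENV="/ods_venv" \
+HOME="/ods_venv" \
+PATH="ods_venv/bin:${PATH}" \
+AM_I_IN_CONTAINER="Yes" \
+PYTHONUNBUFFERED="True"
+
+WORKDIR /ods_venv
+
+COPY . ${ODS_VENV}
+COPY ods_ci/test-variables.yml.example ${ODS_VENV}/ods_ci/test-variables.yml
+
+RUN dnf install epel-release -y &&\
+dnf -y update &&\
+dnf install -y jq git unzip chromium chromedriver httpd-tools gcc \
+python3 python3-devel python3-distro python-pip python${PYTHON_VERSION} python${PYTHON_VERSION}-devel &&\
+dnf clean all && rm -rf /var/cache/yum &&\
+curl --proto "=https" -L https://github.com/mikefarah/yq/releases/download/v4.34.1/yq_linux_amd64 -o /usr/bin/yq &&\
+chmod +x /usr/bin/yq &&\
+curl --proto "=https" -L https://mirror.openshift.com/pub/openshift-v$(echo ${OC_VERSION} | cut -d'.' -f 1)/x86_64/clients/ocp/${OC_CHANNEL}-${OC_VERSION}/openshift-client-linux.tar.gz -o ${HOME}/oc_client.tar.gz && \
+tar xvf ${HOME}/oc_client.tar.gz -C /usr/local/bin/ && \
+rm -rf ${HOME}/oc_client.tar.gz && rm /usr/local/bin/README.md && chmod 755 /usr/local/bin/oc && oc version --client && \
+curl --proto "=https" -L https://github.com/openshift-online/ocm-cli/releases/download/v0.1.62/ocm-linux-amd64 -o ${HOME}/ocm && \
+mv ${HOME}/ocm /usr/local/bin/ && chmod 755 /usr/local/bin/ocm && ocm version
+
+RUN alternatives --install /usr/local/bin/python3 python3 /usr/bin/python${PYTHON_VERSION} 1
+RUN python3 --version
+RUN curl -sSL https://install.python-poetry.org | python3 -
+ENV PATH="${PATH}:${HOME}/.local/bin"
+RUN poetry install
+
+ENV REQUESTS_CA_BUNDLE="/etc/pki/tls/certs/ca-bundle.crt"
+RUN curl -L https://certs.corp.redhat.com/certs/Current-IT-Root-CAs.pem \
+-o /etc/pki/ca-trust/source/anchors/Current-IT-Root-CAs.pem && \
+update-ca-trust
+
+RUN chgrp -R 0 ${ODS_VENV} && \
+chmod -R g+rwX ${ODS_VENV}
+
+USER 1001
+WORKDIR ${ODS_VENV}/ods_ci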
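Review bot: The `PATH` entry in the `ENV ODS_VENV="/ods_venv" \` instruction is relative — `PATH="ods_venv/bin:${PATH}"` has no leading slash, so anything under /ods_venv/bin is only found when the working directory happens to be `/`; because keys assigned in the same ENV instruction are not visible to each other, `${ODS_VENV}` cannot be used there and the directory has to be spelled out: `PATH="/ods_venv/bin:${PATH}"`. `ENV RUN_SCRIPT_ARGS=${RUN_SCRIPT_ARGS}` and `ENV OC_HOST=${OC_HOST}` reference build args that no `ARG` line declares, so both expand to an empty string whatever `--build-arg` is passed, contrary to the comment above them. The yq, oc and ocm binaries and the Poetry installer are downloaded and executed without checksum or signature verification, and `curl -sSL https://install.python-poetry.org | python3 -` runs under `/bin/sh` without pipefail, so a failed download still yields a successful layer; pin the installer (it honours `POETRY_VERSION`), add `SHELL ["/bin/bash", "-o", "pipefail", "-c"]` before the RUN lines, and compare each download against a recorded sha256 (placeholder: `<sha256 of the release asset>`). The CA download on the `curl -L https://certs.corp.redhat.com/…` line also lacks the `--proto "=https"` guard the other curl calls use.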
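--- /dev/null
+++ b/[path not shown]
@@ -0,0 +1,3 @@
+#!/bin/bash
+HTPASSWD_PATH="$( cd "$( dirname "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )"
+oc create secret generic htpasswd-bind-password --from-file=htpasswd=$HTPASSWD_PATH/users.txt -n openshift-config || echo "htpasswd secret exists"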
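Review bot: `|| echo "htpasswd secret exists"` on the `oc create secret` line turns every failure — not logged in, RBAC denied, missing `users.txt` — into a success message and a zero exit status, so the caller cannot tell an existing secret from a broken install; the `oc create secret generic ldap-bind-password` line in the ldap installation script has the same construct. Test for the secret explicitly and let a real error fail: `oc get secret htpasswd-bind-password -n openshift-config >/dev/null 2>&1 || oc create secret generic htpasswd-bind-password --from-file=htpasswd="$HTPASSWD_PATH/users.txt" -n openshift-config`. Note that `users.txt` is written by the calling script's `createHtpasswdIDP` into `$ARTIFACT_DIR` (`.`), not next to this script, so `$HTPASSWD_PATH/users.txt` only exists when the caller happens to run from this directory — a single shared variable for that file's location would remove the guess.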
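--- /dev/null
+++ b/[path not shown]
@@ -0,0 +1 @@
+{"name":"htpasswd-cluster-admin","mappingMethod":"claim","type":"HTPasswd","htpasswd":{"fileData":{"name":"htpasswd-bind-password"}}, "comment": "notsecret"}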
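Review bot: The trailing `"comment": "notsecret"` key is not part of the identityProviders schema, and this object is spliced verbatim into `oc patch oauth cluster`; depending on the API server's field validation it is either dropped silently or rejects the whole patch, so the file should carry only schema fields. If the key is meant as a marker for a secrets scanner, the same intent belongs in the calling script as a shell comment rather than in the object sent to the cluster.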
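--- /dev/null
+++ b/[path not shown]
@@ -0,0 +1,144 @@
+#!/bin/bash
+
+PROVIDER_PATH="$( cd "$( dirname "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )"
+OAUTH_HTPASSWD_JSON="$(cat $PROVIDER_PATH/htpasswd/oauth-htpasswd.idp.json)"
+OAUTH_LDAP_JSON="$(cat $PROVIDER_PATH/ldap/oauth-ldap.idp.json)"
+ARTIFACT_DIR="."
+TEST_VARIABLES_FILE="test-variables.yml"
+
+install_htpasswd_identity_provider(){
+
+# Test if any oauth identityProviders exists. If not, initialize the identityProvider list
+CURRENT_IDP_LIST=$(oc get oauth cluster -o json | jq -e '.spec.identityProviders')
+if [[ -z "${CURRENT_IDP_LIST}" ]] || [[ "${CURRENT_IDP_LIST}" == "null" ]]; then
+echo 'No oauth identityProvider exists. Initializing oauth .spec.identityProviders = []'
+oc patch oauth cluster --type json -p '[{"op": "add", "path": "/spec/identityProviders", "value": []}]'
+fi
+
+# Patch in the HTPASSWD identityProviders
+oc patch oauth cluster --type json -p '[{"op": "add", "path": "/spec/identityProviders/-", "value": '"$OAUTH_HTPASSWD_JSON"'}]'
+
+$PROVIDER_PATH/htpasswd/htpasswd_installation.sh
+}
+
+install_ldap_identity_provider(){
+
+# Test if any oauth identityProviders exists. If not, initialize the identityProvider list
+CURRENT_IDP_LIST=$(oc get oauth cluster -o json | jq -e '.spec.identityProviders')
+if [[ -z "${CURRENT_IDP_LIST}" ]] || [[ "${CURRENT_IDP_LIST}" == "null" ]]; then
+echo 'No oauth identityProvider exists. Initializing oauth .spec.identityProviders = []'
+oc patch oauth cluster --type json -p '[{"op": "add", "path": "/spec/identityProviders", "value": []}]'
+fi
+
+# Patch in the LDAP identityProviders
+oc patch oauth cluster --type json -p '[{"op": "add", "path": "/spec/identityProviders/-", "value": '"$OAUTH_LDAP_JSON"'}]'
+
+$PROVIDER_PATH/ldap/ldap_installation.sh
+}
+
+add_groups_users() {
+# create groups
+oc adm groups new rhods-admins
+oc adm groups new rhods-users
+oc adm groups new rhods-noaccess
+oc adm groups new dedicated-admins
+# add users to groups
+function add_users_to_groups(){
+for i in {1..10}
+do
+oc adm groups add-users $1 $2$i
+done
+}
+add_users_to_groups rhods-admins htpasswd-admin
+add_users_to_groups rhods-users htpasswd-user
+add_users_to_groups rhods-noaccess htpasswd-noaccess
+add_users_to_groups rhods-admins ldap-admin
+add_users_to_groups dedicated-admins ldap-admin
+add_users_to_groups rhods-users ldap-user
+add_users_to_groups rhods-noaccess ldap-noaccess
+oc adm groups add-users dedicated-admins htpasswd-cluster-admin-user
+
+oc adm groups add-users rhods-admins kubeadmin
+oc adm policy add-cluster-role-to-group view rhods-admins
+oc adm policy add-cluster-role-to-group cluster-admin dedicated-admins
+
+oc describe oauth.config.openshift.io/cluster
+}
+
+function htpasswd_installation(){
+chk_htpasswd=1
+
+while read -r line; do
+
+if [[ $line == *"htpasswd-cluster-admin"* ]]; then
+echo -e "\033[0;33m Htpasswd Identity provider is installed. Skipping installation \033[0m"
+chk_htpasswd=0
+break
+fi
+done < <(oc get oauth -o yaml)
+
+if [[ $chk_htpasswd == 1 ]]; then
+install_htpasswd_identity_provider
+fi
+}
+
+function ldap_installation(){
+chk_ldap=1
+while read -r line; do
+if [[ $line == *"ldap-provider-qe"* ]]; then
+echo -e "\033[0;33m LDAP Identity provider is installed. Skipping installation \033[0m"
+chk_ldap=0
+break
+fi
+done < <(oc get oauth -o yaml)
+if [[ $chk_ldap == 1 ]]; then
+install_ldap_identity_provider
+fi
+}
+
+function createHtpasswdIDP(){
+htpasswd -b -B -c $ARTIFACT_DIR/users.txt htpasswd-cluster-admin-user rhodsPW#123456
+oc create secret generic htpasswd-bind-password --from-file=htpasswd=$ARTIFACT_DIR/users.txt -n openshift-config
+oc delete identity htpasswd-cluster-admin:htpasswd-cluster-admin-user --ignore-not-found
+oc patch oauth cluster --type json -p '[{op: add, path: /spec/identityProviders, value: []}]'
+oc patch oauth cluster --type json -p '[{"op": "add", "path": "/spec/identityProviders/-", "value": {"name":"htpasswd-cluster-admin","mappingMethod":"claim","type":"HTPasswd","htpasswd":{"fileData":{"name":"htpasswd-bind-password"}}}}]'
+oc delete groups dedicated-admins --ignore-not-found
+oc adm groups new dedicated-admins
+oc delete user htpasswd-cluster-admin-user --ignore-not-found -n openshift-config
+oc create user htpasswd-cluster-admin-user
+oc adm groups add-users dedicated-admins htpasswd-cluster-admin-user
+oc adm policy add-cluster-role-to-group cluster-admin dedicated-admins
+oc adm policy add-cluster-role-to-user cluster-admin htpasswd-cluster-admin-user
+}
+
+function updateTestConfig(){
+ldap_pass="rhodsPW#1"
+export ldap_pass=$ldap_pass
+
+yq -i '.OCP_ADMIN_USER.AUTH_TYPE="htpasswd-cluster-admin"' ${TEST_VARIABLES_FILE}
+yq -i '.OCP_ADMIN_USER.USERNAME="htpasswd-cluster-admin-user"' ${TEST_VARIABLES_FILE}
+yq -i '.OCP_ADMIN_USER.PASSWORD="rhodsPW#123456"' ${TEST_VARIABLES_FILE}
+
+yq -i '.TEST_USER.AUTH_TYPE="ldap-provider-qe"' ${TEST_VARIABLES_FILE}
+yq -i '.TEST_USER.USERNAME="ldap-admin1"' ${TEST_VARIABLES_FILE}
+yq -i '.TEST_USER.PASSWORD=env(ldap_pass)' ${TEST_VARIABLES_FILE}
+
+yq -i '.TEST_USER_2.AUTH_TYPE="ldap-provider-qe"' ${TEST_VARIABLES_FILE}
+yq -i '.TEST_USER_2.USERNAME="ldap-admin2"' ${TEST_VARIABLES_FILE}
+yq -i '.TEST_USER_2.PASSWORD=env(ldap_pass)' ${TEST_VARIABLES_FILE}
+
+yq -i '.TEST_USER_3.AUTH_TYPE="ldap-provider-qe"' ${TEST_VARIABLES_FILE}
+yq -i '.TEST_USER_3.USERNAME="ldap-user2"' ${TEST_VARIABLES_FILE}
+yq -i '.TEST_USER_3.PASSWORD=env(ldap_pass)' ${TEST_VARIABLES_FILE}
+
+yq -i '.TEST_USER_4.AUTH_TYPE="ldap-provider-qe"' ${TEST_VARIABLES_FILE}
+yq -i '.TEST_USER_4.USERNAME="ldap-user9"' ${TEST_VARIABLES_FILE}
+yq -i '.TEST_USER_4.PASSWORD=env(ldap_pass)' ${TEST_VARIABLES_FILE}
+}
+
+createHtpasswdIDP
+htpasswd_installation
+ldap_installation
+add_groups_users
+updateTestConfig
+sleep 60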
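Review bot: `createHtpasswdIDP` creates `htpasswd-cluster-admin-user`, binds it to `cluster-admin` directly (`oc adm policy add-cluster-role-to-user cluster-admin …`) and gives it the literal password `rhodsPW#123456`, which `updateTestConfig` also writes into `test-variables.yml`; the LDAP test config assumes the `ldap-admin*` accounts that `add_groups_users` makes cluster-admin via `dedicated-admins` share `rhodsPW#1`. Both passwords are committed in clear text, and because `htpasswd -b` takes the password as an argument it is also visible in the process list of whatever host runs this script. Read them from the environment and feed htpasswd over stdin: `ADMIN_PW="${OCP_ADMIN_PW:?OCP_ADMIN_PW must be set}"; export ADMIN_PW` near the top (variable name is an example), `printf '%s' "$ADMIN_PW" | htpasswd -i -B -c "$ARTIFACT_DIR/users.txt" htpasswd-cluster-admin-user`, and `yq -i '.OCP_ADMIN_USER.PASSWORD=env(ADMIN_PW)' ${TEST_VARIABLES_FILE}`. Separately, the `oc patch oauth cluster --type json -p '[{op: add, path: /spec/identityProviders, value: []}]'` line in `createHtpasswdIDP` replaces any identityProviders the cluster already has (JSON-patch `add` on an existing member overwrites it), which contradicts the guarded initialisation in `install_htpasswd_identity_provider`, and because it runs first, `htpasswd_installation` always finds `htpasswd-cluster-admin` and the JSON-file path is never exercised. `install_htpasswd_identity_provider` and `install_ldap_identity_provider` differ only in two constants and would read better as one `install_identity_provider <json> <script>`.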
@@ -0,0 +1,63 @@ | ||
apiVersion: v1 | ||
kind: Service | ||
metadata: | ||
name: openldap | ||
namespace: openldap | ||
labels: | ||
app.kubernetes.io/name: openldap | ||
spec: | ||
type: ClusterIP | ||
ports: | ||
- name: tcp-ldap | ||
port: 1389 | ||
targetPort: tcp-ldap | ||
selector: | ||
app.kubernetes.io/name: openldap | ||
--- | ||
apiVersion: apps/v1 | ||
kind: Deployment | ||
metadata: | ||
name: openldap | ||
namespace: openldap | ||
labels: | ||
app.kubernetes.io/name: openldap | ||
spec: | ||
selector: | ||
matchLabels: | ||
app.kubernetes.io/name: openldap | ||
replicas: 1 | ||
template: | ||
metadata: | ||
labels: | ||
app.kubernetes.io/name: openldap | ||
spec: | ||
containers: | ||
Check warning Code scanning / SonarCloud Service account permissions should be restricted Medium
Bind this resource's automounted service account to RBAC or disable automounting. See more on SonarQube Cloud
|
||
- name: openldap | ||
Check warning Code scanning / SonarCloud Storage limits should be enforced Medium
Specify a storage limit for this container. See more on SonarQube Cloud
|
||
image: quay.io/croberts/openldapserver@sha256:9d4ec0a31b48e165cbef6950c29a0a71a9508cee74fbca2b9df8a9b36f776be1 | ||
imagePullPolicy: "Always" | ||
resources: | ||
requests: | ||
memory: "256Mi" | ||
limits: | ||
memory: "512Mi" | ||
env: | ||
- name: LDAP_ADMIN_USERNAME | ||
value: "admin" | ||
- name: LDAP_ADMIN_PASSWORD | ||
valueFrom: | ||
secretKeyRef: | ||
key: adminpassword | ||
name: openldap | ||
- name: LDAP_USERS | ||
valueFrom: | ||
secretKeyRef: | ||
key: users | ||
name: openldap | ||
- name: LDAP_PASSWORDS | ||
valueFrom: | ||
secretKeyRef: | ||
key: passwords | ||
name: openldap | ||
ports: | ||
- name: tcp-ldap | ||
containerPort: 1389 |
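Review bot: The container's `env` pulls `adminpassword`, `users` and `passwords` from a Secret named `openldap` in namespace `openldap`, but nothing in the visible files creates that Secret or the namespace — the ldap installation script only creates `ldap-bind-password` in openshift-config and applies this manifest — so unless the eighth file of this commit (not shown here) provides them, the pod stays in CreateContainerConfigError and the `sleep 25s` that follows hides it. The container also has no `securityContext`, and the directory it serves authenticates accounts that `add_groups_users` makes cluster-admin, so a least-privilege pod spec is worth adding alongside the SonarCloud findings already listed; `imagePullPolicy: "Always"` is redundant with the digest-pinned image but harmless. I would also pair the Service with a NetworkPolicy that admits only the OAuth server's namespace on 1389, since the IdP is configured without TLS.
```yaml
        - name: openldap
          # … unchanged: image, imagePullPolicy, resources, env, ports …
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
            seccompProfile:
              type: RuntimeDefault
```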
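--- /dev/null
+++ b/[path not shown]
@@ -0,0 +1,5 @@
+#!/bin/bash
+LDAP_PATH="$( cd "$( dirname "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )"
+oc create secret generic ldap-bind-password --from-literal=bindPassword=adminpassword -n openshift-config || echo "ldap secret exists"
+oc apply -f $LDAP_PATH/ldap.yaml
+sleep 25s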
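Review bot: `sleep 25s` after `oc apply` is a guess at the rollout time and gives no signal when the Deployment never becomes ready (for instance when its `openldap` Secret is absent); replace it with `oc -n openldap rollout status deployment/openldap --timeout=120s`, which fails the script instead of silently continuing. The bind password is the literal `adminpassword` on the `--from-literal=bindPassword=` line, and it has to agree with whatever the openldap Secret's `adminpassword` key holds — that coupling is invisible here, so take it from one shared variable and record the dependency, e.g. `# must match the adminpassword key of Secret openldap/openldap consumed by ldap.yaml`.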
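--- /dev/null
+++ b/[path not shown]
@@ -0,0 +1 @@
+{"ldap":{"attributes":{"email":[],"id":["dn"],"name":["cn"],"preferredUsername":["uid"]},"insecure":true,"bindDN":"cn=admin,dc=example,dc=org","bindPassword":{"name":"ldap-bind-password"},"url":"ldap://openldap.openldap.svc.cluster.local:1389/dc=example,dc=org?uid"},"mappingMethod":"claim","name":"ldap-provider-qe","type":"LDAP"}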
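Review bot: `"insecure":true` disables TLS for the OAuth server's connection to `ldap://openldap.openldap.svc.cluster.local:1389`, so the bind DN password and every test user's password — including the `ldap-admin*` accounts that become cluster-admin through `dedicated-admins` — cross the cluster network in clear text and the server's identity is never verified. If that is the accepted trade-off for a throwaway test cluster, state it where this file is consumed; otherwise serve TLS from the openldap pod and set `"insecure":false` with a `"ca"` ConfigMap reference (with an `ldap://` URL OpenShift then negotiates StartTLS).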