Add job definition about K8S+keystone authentication+authorization scenario (apache#103)

liusheng · Zhuli · commit 0413ca538ae2 · 2018-03-30T09:57:56.000+08:00
* Add job definition about K8S+keystone authentication+authorization scenario For #theopenlab/openlab/issues/31 For #theopenlab/openlab/issues/30 * Add job definition about K8S+keystone authentication+authorization scenario For #theopenlab/openlab/issues/31 For #theopenlab/openlab/issues/30 * Add job definition for kubernetes/cloud-provider-openstack + LB and Octavia scenario (apache#100) * Add job definition for kubernetes/cloud-provider-openstack + LB and Octavia scenario For apache#97 * fix some nits * Update the way to query network id * Add job definition about K8S+keystone authentication+authorization scenario For #theopenlab/openlab/issues/31 For #theopenlab/openlab/issues/30 * Add job definition about K8S+keystone authentication+authorization scenario For #theopenlab/openlab/issues/31 For #theopenlab/openlab/issues/30 * improve resource cleanup * update * improve resource cleanup
diff --git a/playbooks/cloud-provider-openstack-acceptance-test-keystone-authentication-authorization/post.yaml b/playbooks/cloud-provider-openstack-acceptance-test-keystone-authentication-authorization/post.yaml
@@ -0,0 +1,4 @@
+- hosts: all
+  become: yes
+  roles:
+    - collect-k8s-logs
diff --git a/playbooks/cloud-provider-openstack-acceptance-test-keystone-authentication-authorization/run.yaml b/playbooks/cloud-provider-openstack-acceptance-test-keystone-authentication-authorization/run.yaml
@@ -0,0 +1,194 @@
+- name: Set up Kubernetes local cluster
+  hosts: all
+  roles:
+    - install-k8s-jobs-dependences
+  become: yes
+  tasks:
+    - name: Set up Kubernetes local cluster
+      shell:
+        cmd: |
+          set -e
+          apt-get install python-pip -y
+          pip install -U python-openstackclient
+
+          export OS_DOMAIN_NAME=$(echo '{{ vexxhost_credentials.user_domain_name }}')
+          export OS_AUTH_TYPE=$(echo '{{ vexxhost_credentials.auth_type }}')
+          export OS_IDENTITY_API_VERSION=$(echo '{{ vexxhost_credentials.identity_api_version }}')
+          export OS_VOLUME_API_VERSION=$(echo '{{ vexxhost_credentials.volume_api_version }}')
+          export OS_INTERFACE=$(echo '{{ vexxhost_credentials.interface }}')
+          export OS_AUTH_URL=$(echo '{{ vexxhost_credentials.auth_url }}')
+          export OS_PROJECT_ID=$(echo '{{ vexxhost_credentials.project_id }}')
+          export OS_PROJECT_NAME=$(echo '{{ vexxhost_credentials.project_name }}')
+          export OS_USER_DOMAIN_NAME=$(echo '{{ vexxhost_credentials.user_domain_name }}')
+          export OS_PROJECT_DOMAIN_ID=$(echo '{{ vexxhost_credentials.project_domain_id }}')
+          export OS_USERNAME=$(echo '{{ vexxhost_credentials.username }}')
+          export OS_PASSWORD=$(echo '{{ vexxhost_credentials.password }}')
+          export OS_REGION_NAME=$(echo '{{ vexxhost_credentials.region_name }}')
+
+          if [[ ! -d "/etc/kubernetes/" ]]; then
+              sudo mkdir -p /etc/kubernetes/
+          fi
+          chown zuul /etc/kubernetes/
+          cat << EOF >> /etc/kubernetes/cloud-config
+          [Global]
+          domain-name = ${OS_PROJECT_DOMAIN_NAME-$OS_PROJECT_DOMAIN_ID}
+          tenant-id = $OS_PROJECT_ID
+          auth-url = $OS_AUTH_URL
+          password = $OS_PASSWORD
+          username = $OS_USERNAME
+          region = $OS_REGION_NAME
+          [BlockStorage]
+          bs-version = v2
+          EOF
+
+          cat << EOF >> /etc/kubernetes/webhook.kubeconfig
+          apiVersion: v1
+          clusters:
+          - cluster:
+              insecure-skip-tls-verify: true
+              server: https://localhost:8443/webhook
+            name: webhook
+          contexts:
+          - context:
+              cluster: webhook
+              user: webhook
+            name: webhook
+          current-context: webhook
+          kind: Config
+          preferences: {}
+          users:
+          - name: webhook
+          EOF
+
+          set -x
+          make depend
+          make build
+          mkdir -p "{{ ansible_user_dir }}/.kube"
+          export API_HOST_IP="172.17.0.1"
+          export KUBELET_HOST="0.0.0.0"
+
+          echo "Stopping firewall and allow all traffic..."
+          iptables -F
+          iptables -X
+          iptables -t nat -F
+          iptables -t nat -X
+          iptables -t mangle -F
+          iptables -t mangle -X
+          iptables -P INPUT ACCEPT
+          iptables -P FORWARD ACCEPT
+          iptables -P OUTPUT ACCEPT
+          export ALLOW_SECURITY_CONTEXT=true
+          export ENABLE_CRI=false
+          export ENABLE_HOSTPATH_PROVISIONER=true
+          export ENABLE_SINGLE_CA_SIGNER=true
+          # export KUBE_ENABLE_CLUSTER_DASHBOARD=true
+          export KUBE_ENABLE_CLUSTER_DNS=false
+          export LOG_LEVEL=10
+          # we want to use the openstack cloud provider
+          export CLOUD_PROVIDER=openstack
+          # we want to run a separate cloud-controller-manager for openstack
+          export EXTERNAL_CLOUD_PROVIDER=true
+          # DO NOT change the location of the cloud-config file. It is important for the old cinder provider to work
+          export CLOUD_CONFIG=/etc/kubernetes/cloud-config
+          # specify the OCCM binary
+          export EXTERNAL_CLOUD_PROVIDER_BINARY="{{ ansible_user_dir }}/{{ zuul.project.src_dir }}/openstack-cloud-controller-manager"
+          # Cleanup some directories just in case
+          sudo rm -rf /var/lib/kubelet/*
+
+          # location of where the kubernetes processes log their output
+          mkdir -p /opt/stack/logs/
+          export LOG_DIR=/opt/stack/logs
+          # We need this for one of the conformance tests
+          export ALLOW_PRIVILEGED=true
+          # Just kick off all the processes and drop down to the command line
+          export ENABLE_DAEMON=true
+          # We need the hostname to match the name of the vm started by openstack
+          export HOSTNAME_OVERRIDE=$(curl http://169.254.169.254/openstack/latest/meta_data.json | python -c "import sys, json; print json.load(sys.stdin)['name']")
+          cp ./examples/webhook/policy.json /etc/kubernetes/
+
+          pushd ${GOPATH}/src/k8s.io/kubernetes
+          export AUTHORIZATION_MODE="Webhook,Node"
+
+          # TODO: Following is workaround for supporting keystone webhook in local-up-cluster.sh tool, it should be landed in the official kubernetes repo
+          sed 's/curl --max-time 1/curl --max-time 5/g' -i ./hack/lib/util.sh
+          sed '583,587 d' -i ./hack/local-up-cluster.sh
+          sed '555 a \      --authentication-token-webhook-config-file=/etc/kubernetes/webhook.kubeconfig \\'  -i ./hack/local-up-cluster.sh
+          sed '555 a \      --authorization-webhook-config-file=/etc/kubernetes/webhook.kubeconfig \\'  -i ./hack/local-up-cluster.sh
+
+          # -E preserves the current env vars, but we need to special case PATH
+          sudo -E PATH=$PATH SHELLOPTS=$SHELLOPTS ./hack/local-up-cluster.sh -O
+
+          nohup "{{ ansible_user_dir }}/{{ zuul.project.src_dir }}/k8s-keystone-auth" \
+                --tls-cert-file /var/run/kubernetes/serving-kube-apiserver.crt \
+                --tls-private-key-file /var/run/kubernetes/serving-kube-apiserver.key \
+                --keystone-policy-file /etc/kubernetes/policy.json \
+                --log-dir=${LOG_DIR} \
+                --v=10 \
+                --keystone-url  ${OS_AUTH_URL} >"${LOG_DIR}/keystone-auth.log" 2>&1 &
+
+          # sudo of local-up-cluster mucks with permissions
+          sudo chmod -R 777 "{{ ansible_user_dir }}/.kube"
+          sudo chmod 777 /var/run/kubernetes/client-admin.key
+
+          # set up the config we need for kubectl to work
+          cluster/kubectl.sh config set-cluster local --server=https://localhost:6443 --certificate-authority=/var/run/kubernetes/server-ca.crt
+          cluster/kubectl.sh config set-credentials myself --client-key=/var/run/kubernetes/client-admin.key --client-certificate=/var/run/kubernetes/client-admin.crt
+          cluster/kubectl.sh config set-context local --cluster=local --user=myself
+          cluster/kubectl.sh config use-context local
+
+          # Hack for RBAC for all for the new cloud-controller process, we need to do better than this
+          cluster/kubectl.sh create clusterrolebinding --user system:serviceaccount:kube-system:default kube-system-cluster-admin-1 --clusterrole cluster-admin
+          cluster/kubectl.sh create clusterrolebinding --user system:serviceaccount:kube-system:pvl-controller kube-system-cluster-admin-2 --clusterrole cluster-admin
+          cluster/kubectl.sh create clusterrolebinding --user system:serviceaccount:kube-system:cloud-node-controller kube-system-cluster-admin-3 --clusterrole cluster-admin
+          cluster/kubectl.sh create clusterrolebinding --user system:serviceaccount:kube-system:cloud-controller-manager kube-system-cluster-admin-4 --clusterrole cluster-admin
+          cluster/kubectl.sh create clusterrolebinding --user system:serviceaccount:kube-system:shared-informers kube-system-cluster-admin-5 --clusterrole cluster-admin
+          cluster/kubectl.sh create clusterrolebinding --user system:kube-controller-manager  kube-system-cluster-admin-6 --clusterrole cluster-admin
+
+          {
+            TOKEN=$(openstack token issue -f value -c id)
+            authenticated_info=`cat << EOF | curl -kvs -XPOST -d @- https://localhost:8443/webhook | python -c "import sys, json; print json.load(sys.stdin)"
+          {
+            "apiVersion": "authentication.k8s.io/v1beta1",
+            "kind": "TokenReview",
+            "metadata": {
+                "creationTimestamp": null
+            },
+            "spec": {
+                "token": "$TOKEN"
+            }
+          }
+          EOF`
+            base_body=`cat << EOF |  python -c "import sys, json; print json.load(sys.stdin)"
+          {
+              "apiVersion": "authorization.k8s.io/v1beta1",
+              "kind": "SubjectAccessReview",
+              "spec": {
+                  "resourceAttributes": {
+                      "namespace": "default",
+                      "verb": "get",
+                      "group": "",
+                      "resource": "pods"
+                  }
+              }
+          }
+          EOF`
+            authorization_body=$(python -c "import json; s1=${authenticated_info}; s2=${base_body}; \
+               s2['spec']['user']=s1['status']['user']['username']; \
+               s2['spec']['group']=s1['status']['user']['groups']; \
+               s2['spec']['extra']=s1['status']['user']['extra'];print json.dumps(s2)")
+            allowed=$(echo $authorization_body | curl -kvs -XPOST -d @- https://localhost:8443/webhook | python -mjson.tool)
+          } 1> /dev/null 2>&1
+          echo ${allowed}
+          [[ "${allowed}" =~ '"allowed": true' ]] && echo "Testing k8s-keystone-auth sucessfully!"
+
+          cluster/kubectl.sh config set-credentials openstackuser --auth-provider=openstack
+          cluster/kubectl.sh config set-context --cluster=local --user=openstackuser openstackuser@local
+          cluster/kubectl.sh config use-context openstackuser@local
+          if ! cluster/kubectl.sh get pods; then
+              echo "Testing kubernetes+keystone authentication and authorizatio failed!"
+              exit 1
+          fi
+          popd
+        executable: /bin/bash
+        chdir: '{{ zuul.project.src_dir }}'
+      environment: '{{ golang_env }}'
diff --git a/playbooks/cloud-provider-openstack-acceptance-test-lb-octavia/post.yaml b/playbooks/cloud-provider-openstack-acceptance-test-lb-octavia/post.yaml
@@ -10,8 +10,8 @@
           set -x
           pushd ${GOPATH}/src/k8s.io/kubernetes
           cluster/kubectl.sh config use-context local
-          cluster/kubectl.sh delete services internal-http-nginx-service || true
-          cluster/kubectl.sh delete services external-http-nginx-service || true
+          cluster/kubectl.sh delete -f "{{ ansible_user_dir }}/{{ zuul.project.src_dir }}/examples/loadbalancers/external-http-nginx.yaml" || true
+          cluster/kubectl.sh delete -f "{{ ansible_user_dir }}/{{ zuul.project.src_dir }}/examples/loadbalancers/internal-http-nginx.yaml" || true
           popd
         executable: /bin/bash
         chdir: '{{ zuul.project.src_dir }}'
diff --git a/playbooks/openstack-cloud-controller-manager-acceptance-test-keystone-authentication/.gitkeep b/playbooks/openstack-cloud-controller-manager-acceptance-test-keystone-authentication/.gitkeep
diff --git a/playbooks/openstack-cloud-controller-manager-acceptance-test-keystone-authorization/.gitkeep b/playbooks/openstack-cloud-controller-manager-acceptance-test-keystone-authorization/.gitkeep
diff --git a/zuul.d/jobs.yaml b/zuul.d/jobs.yaml
@@ -244,3 +244,15 @@
     secrets:
       - vexxhost_credentials
     nodeset: ubuntu-xenial-vexxhost
+
+- job:
+    name: cloud-provider-openstack-acceptance-test-keystone-authentication-authorization
+    parent: golang-test
+    description: |
+      Run acceptance tests of cloud-provider-openstack repo of K8S+keystone authentication and
+      authorization scenario against vexxhost cloud
+    run: playbooks/cloud-provider-openstack-acceptance-test-keystone-authentication-authorization/run.yaml
+    post-run: playbooks/cloud-provider-openstack-acceptance-test-keystone-authentication-authorization/post.yaml
+    secrets:
+      - vexxhost_credentials
+    nodeset: ubuntu-xenial-vexxhost
