diff options
author | Julia Kreger <juliaashleykreger@gmail.com> | 2021-03-05 07:02:43 -0800 |
---|---|---|
committer | Julia Kreger <juliaashleykreger@gmail.com> | 2021-07-15 21:58:31 +0000 |
commit | 2cd64683461d3a5648b24e1202b2480a7115a195 (patch) | |
tree | fb8b9b577c304a024391e19df3fd29c75a985b38 /zuul.d | |
parent | eb18f8fce8fdfe5acf6d6525e9a18deebfc10f90 (diff) | |
download | ironic-2cd64683461d3a5648b24e1202b2480a7115a195.tar.gz |
Scoped RBAC Devstack Plugin support
Adds support to the ironic devstack plugin to configure
ironic to be used in a scope-enforcing mode in line with
the Secure RBAC effort. This change also defines two new
integration jobs *and* changes one of the existing
integration.
In these cases, we're testing functional crub interactions,
integration with nova, and integration with ironic-inspector.
As other services come online with their plugins and
devstack code being able to set the appropriate scope
enforcement configuration, we will be able to change the
overall operating default for all of ironic's jobs and
exclude the differences.
This effort identified issues in ironic-tempest-plugin,
tempest, devstack, and required plugin support in
ironic-inspector as well, and is ultimately required
to ensure we do not break the Secure RBAC.
Luckilly, it all works.
Change-Id: Ic40e47cb11a6b6e9915efcb12e7912861f25cae7
Diffstat (limited to 'zuul.d')
-rw-r--r-- | zuul.d/ironic-jobs.yaml | 22 | ||||
-rw-r--r-- | zuul.d/project.yaml | 4 |
2 files changed, 26 insertions, 0 deletions
diff --git a/zuul.d/ironic-jobs.yaml b/zuul.d/ironic-jobs.yaml index 56f2301e6..34a757254 100644 --- a/zuul.d/ironic-jobs.yaml +++ b/zuul.d/ironic-jobs.yaml @@ -181,6 +181,7 @@ IRONIC_VM_VOLUME_COUNT: 2 IRONIC_VM_SPECS_RAM: 1024 IRONIC_VM_SPECS_CPU: 1 + IRONIC_ENFORCE_SCOPE: True # We're using a lot of disk space in this job. Some testing nodes have # a small root partition, so use /opt which is mounted from a bigger # ephemeral partition on such nodes @@ -305,6 +306,7 @@ IRONIC_TEMPEST_WHOLE_DISK_IMAGE: True IRONIC_VM_EPHEMERAL_DISK: 0 IRONIC_AUTOMATED_CLEAN_ENABLED: False + IRONIC_ENFORCE_SCOPE: True - job: name: ironic-tempest-ipa-partition-uefi-pxe_ipmitool @@ -344,6 +346,7 @@ IRONIC_AUTOMATED_CLEAN_ENABLED: False SWIFT_ENABLE_TEMPURLS: True SWIFT_TEMPURL_KEY: secretkey + IRONIC_ENFORCE_SCOPE: True devstack_services: c-api: True c-bak: True @@ -393,6 +396,17 @@ s-proxy: True - job: + name: ironic-inspector-tempest-rbac-scope-enforced + description: ironic-inspector-tempest-rbac-scope-enforced + parent: ironic-inspector-tempest + required-projects: + - openstack/ironic-inspector + vars: + devstack_localrc: + IRONIC_ENFORCE_SCOPE: True + IRONIC_INSPECTOR_ENFORCE_SCOPE: True + +- job: name: ironic-tempest-functional-python3 description: ironic-tempest-functional-python3 parent: ironic-base @@ -428,6 +442,14 @@ q-svc: False - job: + name: ironic-tempest-functional-rbac-scope-enforced + description: ironic-tempest-funcitonal-rbac-scope-enforced + parent: ironic-tempest-functional-python3 + vars: + devstack_localrc: + IRONIC_ENFORCE_SCOPE: True + +- job: name: ironic-tempest-ipa-wholedisk-direct-tinyipa-multinode description: ironic-tempest-ipa-wholedisk-direct-tinyipa-multinode parent: tempest-multinode-full-base diff --git a/zuul.d/project.yaml b/zuul.d/project.yaml index 676e28011..23aa568fb 100644 --- a/zuul.d/project.yaml +++ b/zuul.d/project.yaml @@ -11,6 +11,7 @@ jobs: - ironic-tox-unit-with-driver-libs - ironic-tempest-functional-python3 + - ironic-tempest-functional-rbac-scope-enforced - ironic-grenade - ironic-standalone - ironic-standalone-redfish @@ -41,6 +42,8 @@ voting: false - ironic-tempest-ipa-wholedisk-bios-ipmi-direct-dib: voting: false + - ironic-inspector-tempest-rbac-scope-enforced: + voting: false - bifrost-integration-tinyipa-ubuntu-focal: voting: false - bifrost-integration-redfish-vmedia-uefi-centos-8: @@ -54,6 +57,7 @@ jobs: - ironic-tox-unit-with-driver-libs - ironic-tempest-functional-python3 + - ironic-tempest-functional-rbac-scope-enforced - ironic-grenade - ironic-standalone - ironic-standalone-redfish |