From 09ed09090db24270626e1b5fed2162e554ae72cc Mon Sep 17 00:00:00 2001 
From: Andrew Bays Date: Wed, 10 Dec 2025 13:53:15 +0000 Subject: [PATCH] Merge ctlplane-tls-cert-rotation tests into ctlplane-tls-custom-issuers MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Consolidate these two TLS-related kuttl tests into a single comprehensive test suite that covers: - TLS ingress-only to full pod-level TLS transitions - Custom and default certificate issuer switching - Certificate rotation triggered by secret deletion - Custom certificate duration configuration - Certificate fingerprint verification before/after rotation Key changes: - Remove ctlplane-tls-cert-rotation test suite (merged into custom-issuers) - Renumber test steps (00-16) for proper sequencing - Add certificate fingerprint comparison to rotation assertions - Replace symlink with actual assert file for custom issuer deployment - Increase timeout for certificate issuer assertions (60s → 900s) - Improve error messages with namespace context This reduces test execution time by eliminating redundant OpenStack deployments while maintaining full TLS functionality coverage. 
Co-authored-by: Claude Assistant assistant@cursor.sh --- .../common/osp_check_noapi_service_certs.sh | 2 +- .../02-assert-endpoint-proto.yaml | 24 -- .../02-get-endpoints-certs.yaml | 6 - .../03-change-cert-duration.yaml | 6 - .../05-cleanup.yaml | 13 - .../06-assert-deploy-openstack.yaml | 1 - .../10-rotate-service-certs.yaml | 7 - .../11-errors-cleanup.yaml | 1 - ...rt-deploy-openstack-tls-ingress-only.yaml} | 4 +- .../00-deploy-openstack-tls-ingress-only.yaml | 2 + .../01-assert-deploy-openstack-full-tls.yaml | 332 ++++++++++++++++++ .../01-deploy-openstack-full-tls.yaml} | 2 + .../02-assert-custom-issuers.yaml} | 0 .../02-deploy-custom-issuers.yaml} | 0 .../03-assert-deploy-openstack.yaml} | 0 .../03-deploy-openstack.yaml} | 0 .../04-assert-service-certs-issuers.yaml} | 2 +- .../05-assert-deploy-openstack.yaml} | 0 .../05-deploy-openstack.yaml} | 0 ...assert-service-certs-default-issuers.yaml} | 8 + .../ctlplane-tls/06-rotate-service-certs.yaml | 10 + .../07-cleanup.yaml} | 0 .../07-errors-cleanup.yaml} | 0 .../08-assert-deploy-openstack.yaml} | 0 .../08-deploy-openstack.yaml} | 0 ...assert-service-certs-default-issuers.yaml} | 0 .../10-assert-custom-issuers.yaml} | 0 .../10-deploy-custom-issuers.yaml} | 0 .../11-assert-deploy-openstack.yaml} | 8 + .../11-deploy-openstack.yaml} | 0 .../12-assert-service-certs-issuers.yaml} | 8 + .../12-rotate-service-certs.yaml} | 2 +- .../14-assert-custom-duration.yaml} | 0 .../14-deploy-custom-duration.yaml | 9 + ...-cert-rotation-after-duration-change.yaml} | 4 +- .../16-cleanup.yaml} | 0 .../16-errors-cleanup.yaml} | 0 37 files changed, 386 insertions(+), 65 deletions(-) delete mode 100644 test/kuttl/tests/ctlplane-tls-cert-rotation/02-assert-endpoint-proto.yaml delete mode 100644 test/kuttl/tests/ctlplane-tls-cert-rotation/02-get-endpoints-certs.yaml delete mode 100644 test/kuttl/tests/ctlplane-tls-cert-rotation/03-change-cert-duration.yaml delete mode 100644 test/kuttl/tests/ctlplane-tls-custom-issuers/05-cleanup.yaml 
delete mode 120000 test/kuttl/tests/ctlplane-tls-custom-issuers/06-assert-deploy-openstack.yaml delete mode 100644 test/kuttl/tests/ctlplane-tls-custom-issuers/10-rotate-service-certs.yaml delete mode 120000 test/kuttl/tests/ctlplane-tls-custom-issuers/11-errors-cleanup.yaml rename test/kuttl/tests/{ctlplane-tls-cert-rotation/00-assert-deploy-openstack.yaml => ctlplane-tls/00-assert-deploy-openstack-tls-ingress-only.yaml} (98%) rename test/kuttl/tests/{ctlplane-tls-cert-rotation => ctlplane-tls}/00-deploy-openstack-tls-ingress-only.yaml (57%) create mode 100644 test/kuttl/tests/ctlplane-tls/01-assert-deploy-openstack-full-tls.yaml rename test/kuttl/tests/{ctlplane-tls-cert-rotation/01-deploy-openstack.yaml => ctlplane-tls/01-deploy-openstack-full-tls.yaml} (58%) rename test/kuttl/tests/{ctlplane-tls-custom-issuers/00-assert-custom-issuers.yaml => ctlplane-tls/02-assert-custom-issuers.yaml} (100%) rename test/kuttl/tests/{ctlplane-tls-custom-issuers/00-deploy-custom-issuers.yaml => ctlplane-tls/02-deploy-custom-issuers.yaml} (100%) rename test/kuttl/tests/{ctlplane-tls-custom-issuers/01-assert-deploy-openstack.yaml => ctlplane-tls/03-assert-deploy-openstack.yaml} (100%) rename test/kuttl/tests/{ctlplane-tls-custom-issuers/01-deploy-openstack.yaml => ctlplane-tls/03-deploy-openstack.yaml} (100%) rename test/kuttl/tests/{ctlplane-tls-custom-issuers/02-assert-service-certs-issuers.yaml => ctlplane-tls/04-assert-service-certs-issuers.yaml} (97%) rename test/kuttl/tests/{ctlplane-tls-cert-rotation/01-assert-deploy-openstack.yaml => ctlplane-tls/05-assert-deploy-openstack.yaml} (100%) rename test/kuttl/tests/{ctlplane-tls-custom-issuers/03-deploy-openstack.yaml => ctlplane-tls/05-deploy-openstack.yaml} (100%) rename test/kuttl/tests/{ctlplane-tls-custom-issuers/04-assert-service-certs-default-issuers.yaml => ctlplane-tls/06-assert-service-certs-default-issuers.yaml} (68%) create mode 100644 test/kuttl/tests/ctlplane-tls/06-rotate-service-certs.yaml rename 
test/kuttl/tests/{ctlplane-tls-cert-rotation/05-cleanup.yaml => ctlplane-tls/07-cleanup.yaml} (100%) rename test/kuttl/tests/{ctlplane-tls-cert-rotation/05-errors-cleanup.yaml => ctlplane-tls/07-errors-cleanup.yaml} (100%) rename test/kuttl/tests/{ctlplane-tls-custom-issuers/03-assert-deploy-openstack.yaml => ctlplane-tls/08-assert-deploy-openstack.yaml} (100%) rename test/kuttl/tests/{ctlplane-tls-custom-issuers/06-deploy-openstack.yaml => ctlplane-tls/08-deploy-openstack.yaml} (100%) rename test/kuttl/tests/{ctlplane-tls-custom-issuers/07-assert-service-certs-default-issuers.yaml => ctlplane-tls/09-assert-service-certs-default-issuers.yaml} (100%) rename test/kuttl/tests/{ctlplane-tls-custom-issuers/08-assert-custom-issuers.yaml => ctlplane-tls/10-assert-custom-issuers.yaml} (100%) rename test/kuttl/tests/{ctlplane-tls-custom-issuers/08-deploy-custom-issuers.yaml => ctlplane-tls/10-deploy-custom-issuers.yaml} (100%) rename test/kuttl/tests/{ctlplane-tls-custom-issuers/09-assert-deploy-openstack.yaml => ctlplane-tls/11-assert-deploy-openstack.yaml} (96%) rename test/kuttl/tests/{ctlplane-tls-custom-issuers/09-deploy-openstack.yaml => ctlplane-tls/11-deploy-openstack.yaml} (100%) rename test/kuttl/tests/{ctlplane-tls-custom-issuers/10-assert-service-certs-issuers.yaml => ctlplane-tls/12-assert-service-certs-issuers.yaml} (68%) rename test/kuttl/tests/{ctlplane-tls-custom-issuers/04-rotate-service-certs.yaml => ctlplane-tls/12-rotate-service-certs.yaml} (79%) rename test/kuttl/tests/{ctlplane-tls-cert-rotation/03-assert-new-certs.yaml => ctlplane-tls/14-assert-custom-duration.yaml} (100%) create mode 100644 test/kuttl/tests/ctlplane-tls/14-deploy-custom-duration.yaml rename test/kuttl/tests/{ctlplane-tls-cert-rotation/04-assert-service-cert-rotation.yaml => ctlplane-tls/15-assert-cert-rotation-after-duration-change.yaml} (82%) rename test/kuttl/tests/{ctlplane-tls-custom-issuers/11-cleanup.yaml => ctlplane-tls/16-cleanup.yaml} (100%) rename 
test/kuttl/tests/{ctlplane-tls-custom-issuers/05-errors-cleanup.yaml => ctlplane-tls/16-errors-cleanup.yaml} (100%)
diff --git a/test/kuttl/common/osp_check_noapi_service_certs.sh b/test/kuttl/common/osp_check_noapi_service_certs.sh
index fc5d16f00..78ea4803c 100755
--- a/test/kuttl/common/osp_check_noapi_service_certs.sh
+++ b/test/kuttl/common/osp_check_noapi_service_certs.sh
@@ -56,7 +56,7 @@ for service in "${!services_secrets[@]}"; do
 pod_cert=$(oc rsh -n "$NAMESPACE" openstackclient openssl s_client -connect "$cluster_ip:$port" -servername "$cluster_ip" /dev/null | sed -ne '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p')
 if [[ -z "$pod_cert" ]]; then
- echo "Error retrieving certificate from $service at $cluster_ip:$port."
+ echo "Error retrieving certificate from $service at $cluster_ip:$port in namespace $NAMESPACE."
 continue
 fi
diff --git a/test/kuttl/tests/ctlplane-tls-cert-rotation/02-assert-endpoint-proto.yaml b/test/kuttl/tests/ctlplane-tls-cert-rotation/02-assert-endpoint-proto.yaml
deleted file mode 100644
index 5b786d2fe..000000000
--- a/test/kuttl/tests/ctlplane-tls-cert-rotation/02-assert-endpoint-proto.yaml
+++ /dev/null
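Review bot: The `continue` right after the reworded message skips a service whose certificate could not be retrieved instead of failing the check, so the script can still report success for a service that is unreachable or no longer serving TLS unless something outside this hunk records the miss (the loop body continues beyond the hunk, so I cannot see whether it does). Send the message to stderr and record the failure before moving on, e.g. `echo "Error retrieving certificate from $service at $cluster_ip:$port in namespace $NAMESPACE." >&2` followed by `failed=1`, and finish the loop with `exit ${failed:-0}` (or `exit 1` right here if one missing certificate should abort the whole check).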
@@ -1,24 +0,0 @@ ---- -apiVersion: kuttl.dev/v1beta1 -kind: TestAssert -timeout: 500 -commands: - - script: | - echo "Waiting for OpenStack control plane to be ready..." - oc wait openstackcontrolplane -n $NAMESPACE --for=condition=Ready --timeout=400s -l core.openstack.org/openstackcontrolplane - - script: | - echo "Fail if internal http endpoints are registered" - oc exec -i openstackclient -n $NAMESPACE -- bash -c "openstack endpoint list --interface internal -f value -c URL" | grep 'http:' && exit 1 - exit 0 - - script: | - echo "check ovn sb internalDbAddress use ssl" - oc get -n $NAMESPACE OVNDBCluster ovndbcluster-sb -o jsonpath={.status.internalDbAddress} | grep -q ssl - - script: | - echo "check ovn sb DB connection use ssl" - oc exec -i statefulset/ovsdbserver-sb -n $NAMESPACE -- bash -c "ovn-sbctl --no-leader-only get-connection | grep -q pssl" - - script: | - echo "check nova transport_url use ssl" - oc exec -i statefulset/nova-cell1-conductor -n $NAMESPACE -- bash -c "grep transport_url /etc/nova/nova.conf.d/01-nova.conf | grep -q 'ssl=1'" - - script: | - echo "check neutron ovn_sb_connection url ssl" - oc exec -i deployment/neutron -n $NAMESPACE -- bash -c "grep ovn_sb_connection /etc/neutron/neutron.conf.d/01-neutron.conf| grep -q ssl" diff --git a/test/kuttl/tests/ctlplane-tls-cert-rotation/02-get-endpoints-certs.yaml b/test/kuttl/tests/ctlplane-tls-cert-rotation/02-get-endpoints-certs.yaml deleted file mode 100644 index 7719160a1..000000000 --- a/test/kuttl/tests/ctlplane-tls-cert-rotation/02-get-endpoints-certs.yaml +++ /dev/null @@ -1,6 +0,0 @@ -apiVersion: kuttl.dev/v1beta1 -kind: TestStep -commands: - - script: | - echo "Get fingerprints of all service certs" - oc exec -i openstackclient -n $NAMESPACE -- bash -s < ../../common/osp_endpoint_fingerprints.sh > /tmp/endpoint_fingerprints_before 
diff --git a/test/kuttl/tests/ctlplane-tls-cert-rotation/03-change-cert-duration.yaml b/test/kuttl/tests/ctlplane-tls-cert-rotation/03-change-cert-duration.yaml deleted file mode 100644 index c76a4806e..000000000 --- a/test/kuttl/tests/ctlplane-tls-cert-rotation/03-change-cert-duration.yaml +++ /dev/null @@ -1,6 +0,0 @@ -# Deploys with custom tls service certs and CA certs duration -apiVersion: kuttl.dev/v1beta1 -kind: TestStep -commands: - - script: | - oc kustomize ../../../../config/samples/tls/custom_duration | oc apply -n $NAMESPACE -f - diff --git a/test/kuttl/tests/ctlplane-tls-custom-issuers/05-cleanup.yaml b/test/kuttl/tests/ctlplane-tls-custom-issuers/05-cleanup.yaml deleted file mode 100644 index 6b4992512..000000000 --- a/test/kuttl/tests/ctlplane-tls-custom-issuers/05-cleanup.yaml +++ /dev/null @@ -1,13 +0,0 @@ -apiVersion: kuttl.dev/v1beta1 -kind: TestStep -delete: -- apiVersion: core.openstack.org/v1beta1 - kind: OpenStackControlPlane - name: openstack -commands: -- script: | - oc delete --ignore-not-found=true -n $NAMESPACE pvc \ - srv-swift-storage-0 - oc delete secret --ignore-not-found=true combined-ca-bundle -n $NAMESPACE - oc delete secret -l service-cert -n $NAMESPACE - oc delete secret -l ca-cert -n $NAMESPACE diff --git a/test/kuttl/tests/ctlplane-tls-custom-issuers/06-assert-deploy-openstack.yaml b/test/kuttl/tests/ctlplane-tls-custom-issuers/06-assert-deploy-openstack.yaml deleted file mode 120000 index 762a8cf31..000000000 --- a/test/kuttl/tests/ctlplane-tls-custom-issuers/06-assert-deploy-openstack.yaml +++ /dev/null @@ -1 +0,0 @@ -../../common/assert-sample-deployment.yaml \ No newline at end of file diff --git a/test/kuttl/tests/ctlplane-tls-custom-issuers/10-rotate-service-certs.yaml b/test/kuttl/tests/ctlplane-tls-custom-issuers/10-rotate-service-certs.yaml deleted file mode 100644 index d0fc5e349..000000000 --- a/test/kuttl/tests/ctlplane-tls-custom-issuers/10-rotate-service-certs.yaml +++ /dev/null 
@@ -1,7 +0,0 @@ -apiVersion: kuttl.dev/v1beta1 -kind: TestStep -commands: - - script: | - echo "Deleting secrets..." - oc get secret -l service-cert -n $NAMESPACE -o name > /tmp/deleted-secrets.txt - oc delete secret -l service-cert -n $NAMESPACE diff --git a/test/kuttl/tests/ctlplane-tls-custom-issuers/11-errors-cleanup.yaml b/test/kuttl/tests/ctlplane-tls-custom-issuers/11-errors-cleanup.yaml deleted file mode 120000 index 4d7b8362e..000000000 --- a/test/kuttl/tests/ctlplane-tls-custom-issuers/11-errors-cleanup.yaml +++ /dev/null @@ -1 +0,0 @@ -../../common/errors_cleanup_openstack.yaml \ No newline at end of file diff --git a/test/kuttl/tests/ctlplane-tls-cert-rotation/00-assert-deploy-openstack.yaml b/test/kuttl/tests/ctlplane-tls/00-assert-deploy-openstack-tls-ingress-only.yaml similarity index 98% rename from test/kuttl/tests/ctlplane-tls-cert-rotation/00-assert-deploy-openstack.yaml rename to test/kuttl/tests/ctlplane-tls/00-assert-deploy-openstack-tls-ingress-only.yaml index 8cf806104..f82ee37dd 100644 --- a/test/kuttl/tests/ctlplane-tls-cert-rotation/00-assert-deploy-openstack.yaml +++ b/test/kuttl/tests/ctlplane-tls/00-assert-deploy-openstack-tls-ingress-only.yaml @@ -300,11 +300,11 @@ commands: echo "Waiting for OpenStack control plane to be ready..." oc wait openstackcontrolplane -n $NAMESPACE --for=condition=Ready --timeout=400s -l core.openstack.org/openstackcontrolplane - script: | - echo "Fail if internal https endpoints are registered" + echo "Fail if internal https endpoints are registered (ingress-only mode)" oc exec -i openstackclient -n $NAMESPACE -- bash -c "openstack endpoint list --interface internal -f value -c URL" | grep 'https:' && exit 1 exit 0 - script: | - echo "check ovn sb internalDbAddress use tcp" + echo "check ovn sb internalDbAddress use tcp (not ssl)" oc get -n $NAMESPACE OVNDBCluster ovndbcluster-sb -o jsonpath={.status.internalDbAddress} | grep -q tcp - script: | echo "check ovn sb DB connection use tcp" 
diff --git a/test/kuttl/tests/ctlplane-tls-cert-rotation/00-deploy-openstack-tls-ingress-only.yaml b/test/kuttl/tests/ctlplane-tls/00-deploy-openstack-tls-ingress-only.yaml
similarity index 57%
rename from test/kuttl/tests/ctlplane-tls-cert-rotation/00-deploy-openstack-tls-ingress-only.yaml
rename to test/kuttl/tests/ctlplane-tls/00-deploy-openstack-tls-ingress-only.yaml
index e4292d456..e1da7dac6 100644
--- a/test/kuttl/tests/ctlplane-tls-cert-rotation/00-deploy-openstack-tls-ingress-only.yaml
+++ b/test/kuttl/tests/ctlplane-tls/00-deploy-openstack-tls-ingress-only.yaml
@@ -1,3 +1,5 @@
+# Deploy with TLS ingress-only (podLevel.enabled: false)
+# This tests the transition from ingress-only TLS to full TLS
 apiVersion: kuttl.dev/v1beta1
 kind: TestStep
 commands:
diff --git a/test/kuttl/tests/ctlplane-tls/01-assert-deploy-openstack-full-tls.yaml b/test/kuttl/tests/ctlplane-tls/01-assert-deploy-openstack-full-tls.yaml
new file mode 100644
index 000000000..669218fc2
--- /dev/null
+++ b/test/kuttl/tests/ctlplane-tls/01-assert-deploy-openstack-full-tls.yaml
@@ -0,0 +1,332 @@ +apiVersion: core.openstack.org/v1beta1 +kind: OpenStackControlPlane +metadata: + name: openstack +spec: + secret: osp-secret + keystone: + template: + databaseInstance: openstack + secret: osp-secret + galera: + enabled: true + templates: + openstack: + storageRequest: 500M + secret: osp-secret + replicas: 1 + openstack-cell1: + storageRequest: 500M + secret: osp-secret + replicas: 1 + rabbitmq: + templates: + rabbitmq: + replicas: 1 + rabbitmq-cell1: + replicas: 1 + memcached: + templates: + memcached: + replicas: 1 + placement: + template: + databaseInstance: openstack + secret: osp-secret + glance: + template: + databaseInstance: openstack + secret: osp-secret + glanceAPIs: + default: + replicas: 1 + storage: + storageRequest: 10G + cinder: + template: + databaseInstance: openstack + secret: osp-secret + cinderAPI: + replicas: 1 + cinderScheduler: + replicas: 1 + cinderBackup: + replicas: 0 # backend needs to be configured + cinderVolumes: + volume1: + replicas: 0 # backend needs to be configured + manila: + template: + manilaAPI: + replicas: 1 + manilaScheduler: + replicas: 1 + manilaShares: + share1: + replicas: 1 + ovn: + template: + ovnDBCluster: + ovndbcluster-nb: + replicas: 1 + dbType: NB + storageRequest: 10G + ovndbcluster-sb: + replicas: 1 + dbType: SB + storageRequest: 10G + ovnNorthd: + replicas: 1 + ovnController: + external-ids: + system-id: "random" + ovn-bridge: "br-int" + ovn-encap-type: "geneve" + neutron: + template: + databaseInstance: openstack + secret: osp-secret + horizon: + template: + replicas: 1 + secret: osp-secret + nova: + template: + secret: osp-secret + heat: + enabled: false + template: + databaseInstance: openstack + heatAPI: + replicas: 1 + heatEngine: + replicas: 1 + secret: osp-secret + octavia: + enabled: false + template: + databaseInstance: openstack + octaviaAPI: + replicas: 1 + secret: osp-secret + ironic: + enabled: false + template: + databaseInstance: openstack + ironicAPI: + replicas: 1 + 
ironicConductors: + - replicas: 1 + storageRequest: 10G + ironicInspector: + replicas: 1 + ironicNeutronAgent: + replicas: 1 + secret: osp-secret + telemetry: + enabled: true + template: + autoscaling: + aodh: + secret: osp-secret + serviceUser: aodh + ceilometer: + passwordSelector: + ceilometerService: CeilometerPassword + secret: osp-secret + serviceUser: ceilometer + swift: + enabled: true + template: + swiftRing: + ringReplicas: 1 + swiftStorage: + replicas: 1 + swiftProxy: + replicas: 1 + designate: + enabled: false + template: + databaseInstance: openstack + secret: osp-secret + designateAPI: + replicas: 1 + designateCentral: + replicas: 1 + designateMdns: + replicas: 1 + designateWorker: + replicas: 1 + designateProducer: + replicas: 1 + designateBackendbind9: + replicas: 1 + barbican: + enabled: true + template: + databaseInstance: openstack + secret: osp-secret + barbicanAPI: + replicas: 1 + barbicanWorker: + replicas: 1 + barbicanKeystoneListener: + replicas: 1 + tls: + ingress: + ca: + duration: 87600h0m0s + cert: + duration: 43800h0m0s + enabled: true + podLevel: + enabled: true + internal: + ca: + duration: 87600h0m0s + cert: + duration: 43800h0m0s + libvirt: + ca: + duration: 87600h0m0s + cert: + duration: 43800h0m0s + ovn: + ca: + duration: 87600h0m0s + cert: + duration: 43800h0m0s +status: + conditions: + - message: Setup complete + reason: Ready + status: "True" + type: Ready + - message: OpenStackControlPlane Barbican completed + reason: Ready + status: "True" + type: OpenStackControlPlaneBarbicanReady + - message: OpenStackControlPlane CAs completed + reason: Ready + status: "True" + type: OpenStackControlPlaneCAReadyCondition + - message: OpenStackControlPlane Cinder completed + reason: Ready + status: "True" + type: OpenStackControlPlaneCinderReady + - message: OpenStackControlPlane Client completed + reason: Ready + status: "True" + type: OpenStackControlPlaneClientReady + - message: OpenStackControlPlane barbican service exposed + reason: 
Ready + status: "True" + type: OpenStackControlPlaneExposeBarbicanReady + - message: OpenStackControlPlane cinder service exposed + reason: Ready + status: "True" + type: OpenStackControlPlaneExposeCinderReady + - message: OpenStackControlPlane glance service exposed + reason: Ready + status: "True" + type: OpenStackControlPlaneExposeGlanceReady + - message: OpenStackControlPlane keystone service exposed + reason: Ready + status: "True" + type: OpenStackControlPlaneExposeKeystoneAPIReady + - message: OpenStackControlPlane neutron service exposed + reason: Ready + status: "True" + type: OpenStackControlPlaneExposeNeutronReady + - message: OpenStackControlPlane nova service exposed + reason: Ready + status: "True" + type: OpenStackControlPlaneExposeNovaReady + - message: OpenStackControlPlane placement service exposed + reason: Ready + status: "True" + type: OpenStackControlPlaneExposePlacementAPIReady + - message: OpenStackControlPlane swift service exposed + reason: Ready + status: "True" + type: OpenStackControlPlaneExposeSwiftReady + - message: OpenStackControlPlane Glance completed + reason: Ready + status: "True" + type: OpenStackControlPlaneGlanceReady + - message: OpenStackControlPlane InstanceHa CM is available + reason: Ready + status: "True" + type: OpenStackControlPlaneInstanceHaCMReadyCondition + - message: OpenStackControlPlane KeystoneAPI completed + reason: Ready + status: "True" + type: OpenStackControlPlaneKeystoneAPIReady + - message: OpenStackControlPlane MariaDB completed + reason: Ready + status: "True" + type: OpenStackControlPlaneMariaDBReady + - message: OpenStackControlPlane Memcached completed + reason: Ready + status: "True" + type: OpenStackControlPlaneMemcachedReady + - message: OpenStackControlPlane Neutron completed + reason: Ready + status: "True" + type: OpenStackControlPlaneNeutronReady + - message: OpenStackControlPlane Nova completed + reason: Ready + status: "True" + type: OpenStackControlPlaneNovaReady + - message: 
OpenStackControlPlane OVN completed + reason: Ready + status: "True" + type: OpenStackControlPlaneOVNReady + - message: OpenStackControlPlane OpenStackVersion initialized + reason: Ready + status: "True" + type: OpenStackControlPlaneOpenStackVersionInitializationReadyCondition + - message: OpenStackControlPlane PlacementAPI completed + reason: Ready + status: "True" + type: OpenStackControlPlanePlacementAPIReady + - message: OpenStackControlPlane RabbitMQ completed + reason: Ready + status: "True" + type: OpenStackControlPlaneRabbitMQReady + - message: OpenStackControlPlane Swift completed + reason: Ready + status: "True" + type: OpenStackControlPlaneSwiftReady + - message: OpenStackControlPlane Telemetry completed + reason: Ready + status: "True" + type: OpenStackControlPlaneTelemetryReady + - message: OpenStackControlPlane Test Operator CM is available + reason: Ready + status: "True" + type: OpenStackControlPlaneTestCMReadyCondition +--- +apiVersion: kuttl.dev/v1beta1 +kind: TestAssert +timeout: 500 +commands: + - script: | + echo "Waiting for OpenStack control plane to be ready..." 
+ oc wait openstackcontrolplane -n $NAMESPACE --for=condition=Ready --timeout=400s -l core.openstack.org/openstackcontrolplane
+ - script: |
+ echo "Fail if internal http endpoints are registered (full TLS mode)"
+ oc exec -i openstackclient -n $NAMESPACE -- bash -c "openstack endpoint list --interface internal -f value -c URL" | grep 'http:' && exit 1
+ exit 0
+ - script: |
+ echo "check ovn sb internalDbAddress use ssl"
+ oc get -n $NAMESPACE OVNDBCluster ovndbcluster-sb -o jsonpath={.status.internalDbAddress} | grep -q ssl
+ - script: |
+ echo "check ovn sb DB connection use ssl"
+ oc exec -i statefulset/ovsdbserver-sb -n $NAMESPACE -- bash -c "ovn-sbctl --no-leader-only get-connection | grep -q pssl"
+ - script: |
+ echo "check nova transport_url use ssl"
+ oc exec -i statefulset/nova-cell1-conductor -n $NAMESPACE -- bash -c "grep transport_url /etc/nova/nova.conf.d/01-nova.conf | grep -q 'ssl=1'"
+ - script: |
+ echo "check neutron ovn_sb_connection url ssl"
+ oc exec -i deployment/neutron -n $NAMESPACE -- bash -c "grep ovn_sb_connection /etc/neutron/neutron.conf.d/01-neutron.conf| grep -q ssl"
diff --git a/test/kuttl/tests/ctlplane-tls-cert-rotation/01-deploy-openstack.yaml b/test/kuttl/tests/ctlplane-tls/01-deploy-openstack-full-tls.yaml
similarity index 58%
rename from test/kuttl/tests/ctlplane-tls-cert-rotation/01-deploy-openstack.yaml
rename to test/kuttl/tests/ctlplane-tls/01-deploy-openstack-full-tls.yaml
index 6c9d0887d..f9f6845ef 100644
--- a/test/kuttl/tests/ctlplane-tls-cert-rotation/01-deploy-openstack.yaml
+++ b/test/kuttl/tests/ctlplane-tls/01-deploy-openstack-full-tls.yaml
@@ -1,3 +1,5 @@
+# Deploy with full TLS (podLevel.enabled: true)
+# This tests the transition from ingress-only TLS to full pod-level TLS
 apiVersion: kuttl.dev/v1beta1
 kind: TestStep
 commands:
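Review bot: The internal-endpoint check in the second script of the new TestAssert passes vacuously when `oc exec` or `openstack endpoint list` fails: an empty pipeline output makes `grep 'http:'` fail, the `&& exit 1` is skipped, and the script reaches `exit 0`, so a plain-text internal endpoint can go unnoticed whenever the client pod is briefly unavailable. Capture the listing, fail on a non-zero exit or empty output, and only then grep it. The ingress-only assert's `https:` check in `00-assert-deploy-openstack-tls-ingress-only.yaml` has the same shape and should be tightened the same way.
```yaml
  - script: |
      echo "Fail if internal http endpoints are registered (full TLS mode)"
      urls=$(oc exec -i openstackclient -n $NAMESPACE -- bash -c "openstack endpoint list --interface internal -f value -c URL") || exit 1
      [ -n "$urls" ] || { echo "no internal endpoints listed"; exit 1; }
      echo "$urls" | grep -q 'http:' && exit 1
      exit 0
  # … unchanged: remaining ovn / nova / neutron ssl checks …
```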
diff --git a/test/kuttl/tests/ctlplane-tls-custom-issuers/00-assert-custom-issuers.yaml b/test/kuttl/tests/ctlplane-tls/02-assert-custom-issuers.yaml
similarity index 100%
rename from test/kuttl/tests/ctlplane-tls-custom-issuers/00-assert-custom-issuers.yaml
rename to test/kuttl/tests/ctlplane-tls/02-assert-custom-issuers.yaml
diff --git a/test/kuttl/tests/ctlplane-tls-custom-issuers/00-deploy-custom-issuers.yaml b/test/kuttl/tests/ctlplane-tls/02-deploy-custom-issuers.yaml
similarity index 100%
rename from test/kuttl/tests/ctlplane-tls-custom-issuers/00-deploy-custom-issuers.yaml
rename to test/kuttl/tests/ctlplane-tls/02-deploy-custom-issuers.yaml
diff --git a/test/kuttl/tests/ctlplane-tls-custom-issuers/01-assert-deploy-openstack.yaml b/test/kuttl/tests/ctlplane-tls/03-assert-deploy-openstack.yaml
similarity index 100%
rename from test/kuttl/tests/ctlplane-tls-custom-issuers/01-assert-deploy-openstack.yaml
rename to test/kuttl/tests/ctlplane-tls/03-assert-deploy-openstack.yaml
diff --git a/test/kuttl/tests/ctlplane-tls-custom-issuers/01-deploy-openstack.yaml b/test/kuttl/tests/ctlplane-tls/03-deploy-openstack.yaml
similarity index 100%
rename from test/kuttl/tests/ctlplane-tls-custom-issuers/01-deploy-openstack.yaml
rename to test/kuttl/tests/ctlplane-tls/03-deploy-openstack.yaml
diff --git a/test/kuttl/tests/ctlplane-tls-custom-issuers/02-assert-service-certs-issuers.yaml b/test/kuttl/tests/ctlplane-tls/04-assert-service-certs-issuers.yaml
similarity index 97%
rename from test/kuttl/tests/ctlplane-tls-custom-issuers/02-assert-service-certs-issuers.yaml
rename to test/kuttl/tests/ctlplane-tls/04-assert-service-certs-issuers.yaml
index 9f831cdd5..d897812c8 100644
--- a/test/kuttl/tests/ctlplane-tls-custom-issuers/02-assert-service-certs-issuers.yaml
+++ b/test/kuttl/tests/ctlplane-tls/04-assert-service-certs-issuers.yaml
@@ -1,6 +1,6 @@
 apiVersion: kuttl.dev/v1beta1
 kind: TestAssert
-timeout: 60
+timeout: 900
 commands:
 - script: |
 echo "Checking rotation of non API service certificates..."
diff --git a/test/kuttl/tests/ctlplane-tls-cert-rotation/01-assert-deploy-openstack.yaml b/test/kuttl/tests/ctlplane-tls/05-assert-deploy-openstack.yaml
similarity index 100%
rename from test/kuttl/tests/ctlplane-tls-cert-rotation/01-assert-deploy-openstack.yaml
rename to test/kuttl/tests/ctlplane-tls/05-assert-deploy-openstack.yaml
diff --git a/test/kuttl/tests/ctlplane-tls-custom-issuers/03-deploy-openstack.yaml b/test/kuttl/tests/ctlplane-tls/05-deploy-openstack.yaml
similarity index 100%
rename from test/kuttl/tests/ctlplane-tls-custom-issuers/03-deploy-openstack.yaml
rename to test/kuttl/tests/ctlplane-tls/05-deploy-openstack.yaml
diff --git a/test/kuttl/tests/ctlplane-tls-custom-issuers/04-assert-service-certs-default-issuers.yaml b/test/kuttl/tests/ctlplane-tls/06-assert-service-certs-default-issuers.yaml
similarity index 68%
rename from test/kuttl/tests/ctlplane-tls-custom-issuers/04-assert-service-certs-default-issuers.yaml
rename to test/kuttl/tests/ctlplane-tls/06-assert-service-certs-default-issuers.yaml
index 8c647c383..f055cbfca 100644
--- a/test/kuttl/tests/ctlplane-tls-custom-issuers/04-assert-service-certs-default-issuers.yaml
+++ b/test/kuttl/tests/ctlplane-tls/06-assert-service-certs-default-issuers.yaml
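Review bot: The assert timeout jumps from 60s to 900s with nothing in the file saying why, so whoever next tunes CI cannot tell whether fifteen minutes is the expected cert re-issue plus rolling restart of every TLS-serving pod or a workaround for a flake. Add a one-line comment above the value, e.g. `# certificate re-issue + rolling restart of all TLS-serving pods can take several minutes`, and set the number to the observed worst case rather than a round upper bound, so a genuinely stalled rotation is still reported in reasonable time. The scripts this timeout governs continue below the hunk.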
@@ -10,6 +10,14 @@ commands:
 echo "Checking rotation of non API service certificates..."
 NAMESPACE=$NAMESPACE bash ../../common/osp_check_noapi_service_certs.sh
+ - script: |
+ echo "Get fingerprints of all service certs after rotation"
+ oc exec -i openstackclient -n $NAMESPACE -- bash -s < ../../common/osp_endpoint_fingerprints.sh > /tmp/endpoint_fingerprints_after
+
+ - script: |
+ echo "Check if all services from before are present in after and have rotated fingerprints"
+ bash -s < ../../common/osp_check_fingerprints.sh
+
 - script: |
 echo "Checking issuer of internal certificates..."
 oc exec -i openstackclient -n $NAMESPACE -- bash -s < ../../common/osp_check_cert_issuer.sh "rootca-internal" "internal"
diff --git a/test/kuttl/tests/ctlplane-tls/06-rotate-service-certs.yaml b/test/kuttl/tests/ctlplane-tls/06-rotate-service-certs.yaml
new file mode 100644
index 000000000..5800551f7
--- /dev/null
+++ b/test/kuttl/tests/ctlplane-tls/06-rotate-service-certs.yaml
@@ -0,0 +1,10 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+ - script: |
+ echo "Get fingerprints of all service certs before rotation"
+ oc exec -i openstackclient -n $NAMESPACE -- bash -s < ../../common/osp_endpoint_fingerprints.sh > /tmp/endpoint_fingerprints_before
+ - script: |
+ echo "Deleting secrets to trigger rotation..."
+ oc get secret -l service-cert -n $NAMESPACE -o name > /tmp/deleted-secrets.txt
+ oc delete secret -l service-cert -n $NAMESPACE
diff --git a/test/kuttl/tests/ctlplane-tls-cert-rotation/05-cleanup.yaml b/test/kuttl/tests/ctlplane-tls/07-cleanup.yaml
similarity index 100%
rename from test/kuttl/tests/ctlplane-tls-cert-rotation/05-cleanup.yaml
rename to test/kuttl/tests/ctlplane-tls/07-cleanup.yaml
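Review bot: The fingerprint files the new scripts read and write are fixed paths on the kuttl runner (`/tmp/endpoint_fingerprints_after` here, `/tmp/endpoint_fingerprints_before` from the rotate step), so any other test case executing in the same kuttl invocation that uses the same names would overwrite the baseline and make the rotation comparison judge unrelated certificates; kuttl runs test cases concurrently by default, although the harness configuration is not visible from here. Key the files by namespace, e.g. `/tmp/endpoint_fingerprints_after.$NAMESPACE`, and have `osp_check_fingerprints.sh` take the two paths as arguments or environment variables (it presumably hard-codes them today). The rest of this TestAssert lies outside the hunk.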
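Review bot: The baseline capture in the first script of the new rotate step only redirects the helper's stdout, so if `osp_endpoint_fingerprints.sh` prints nothing yet exits 0 (for example an empty `openstack endpoint list` during a keystone hiccup), `/tmp/endpoint_fingerprints_before` is left empty, the step passes, and the later "all services from before are present in after" comparison is satisfied vacuously even if no certificate rotated. Guard the baseline before deleting any secret: `[ -s /tmp/endpoint_fingerprints_before ] || { echo "no baseline fingerprints captured"; exit 1; }`. The same unguarded capture is repeated in steps 11 and 14.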
diff --git a/test/kuttl/tests/ctlplane-tls-cert-rotation/05-errors-cleanup.yaml b/test/kuttl/tests/ctlplane-tls/07-errors-cleanup.yaml
similarity index 100%
rename from test/kuttl/tests/ctlplane-tls-cert-rotation/05-errors-cleanup.yaml
rename to test/kuttl/tests/ctlplane-tls/07-errors-cleanup.yaml
diff --git a/test/kuttl/tests/ctlplane-tls-custom-issuers/03-assert-deploy-openstack.yaml b/test/kuttl/tests/ctlplane-tls/08-assert-deploy-openstack.yaml
similarity index 100%
rename from test/kuttl/tests/ctlplane-tls-custom-issuers/03-assert-deploy-openstack.yaml
rename to test/kuttl/tests/ctlplane-tls/08-assert-deploy-openstack.yaml
diff --git a/test/kuttl/tests/ctlplane-tls-custom-issuers/06-deploy-openstack.yaml b/test/kuttl/tests/ctlplane-tls/08-deploy-openstack.yaml
similarity index 100%
rename from test/kuttl/tests/ctlplane-tls-custom-issuers/06-deploy-openstack.yaml
rename to test/kuttl/tests/ctlplane-tls/08-deploy-openstack.yaml
diff --git a/test/kuttl/tests/ctlplane-tls-custom-issuers/07-assert-service-certs-default-issuers.yaml b/test/kuttl/tests/ctlplane-tls/09-assert-service-certs-default-issuers.yaml
similarity index 100%
rename from test/kuttl/tests/ctlplane-tls-custom-issuers/07-assert-service-certs-default-issuers.yaml
rename to test/kuttl/tests/ctlplane-tls/09-assert-service-certs-default-issuers.yaml
diff --git a/test/kuttl/tests/ctlplane-tls-custom-issuers/08-assert-custom-issuers.yaml b/test/kuttl/tests/ctlplane-tls/10-assert-custom-issuers.yaml
similarity index 100%
rename from test/kuttl/tests/ctlplane-tls-custom-issuers/08-assert-custom-issuers.yaml
rename to test/kuttl/tests/ctlplane-tls/10-assert-custom-issuers.yaml
diff --git a/test/kuttl/tests/ctlplane-tls-custom-issuers/08-deploy-custom-issuers.yaml b/test/kuttl/tests/ctlplane-tls/10-deploy-custom-issuers.yaml
similarity index 100%
rename from test/kuttl/tests/ctlplane-tls-custom-issuers/08-deploy-custom-issuers.yaml
rename to test/kuttl/tests/ctlplane-tls/10-deploy-custom-issuers.yaml
diff --git a/test/kuttl/tests/ctlplane-tls-custom-issuers/09-assert-deploy-openstack.yaml b/test/kuttl/tests/ctlplane-tls/11-assert-deploy-openstack.yaml
similarity index 96%
rename from test/kuttl/tests/ctlplane-tls-custom-issuers/09-assert-deploy-openstack.yaml
rename to test/kuttl/tests/ctlplane-tls/11-assert-deploy-openstack.yaml
index 1a49ee63f..8c26e6374 100644
--- a/test/kuttl/tests/ctlplane-tls-custom-issuers/09-assert-deploy-openstack.yaml
+++ b/test/kuttl/tests/ctlplane-tls/11-assert-deploy-openstack.yaml
@@ -292,3 +292,11 @@ status:
 reason: Ready
 status: "True"
 type: OpenStackControlPlaneTestCMReadyCondition
+---
+apiVersion: kuttl.dev/v1beta1
+kind: TestAssert
+timeout: 500
+commands:
+ - script: |
+ echo "Get fingerprints of all service certs before rotation"
+ oc exec -i openstackclient -n $NAMESPACE -- bash -s < ../../common/osp_endpoint_fingerprints.sh > /tmp/endpoint_fingerprints_before
diff --git a/test/kuttl/tests/ctlplane-tls-custom-issuers/09-deploy-openstack.yaml b/test/kuttl/tests/ctlplane-tls/11-deploy-openstack.yaml
similarity index 100%
rename from test/kuttl/tests/ctlplane-tls-custom-issuers/09-deploy-openstack.yaml
rename to test/kuttl/tests/ctlplane-tls/11-deploy-openstack.yaml
diff --git a/test/kuttl/tests/ctlplane-tls-custom-issuers/10-assert-service-certs-issuers.yaml b/test/kuttl/tests/ctlplane-tls/12-assert-service-certs-issuers.yaml
similarity index 68%
rename from test/kuttl/tests/ctlplane-tls-custom-issuers/10-assert-service-certs-issuers.yaml
rename to test/kuttl/tests/ctlplane-tls/12-assert-service-certs-issuers.yaml
index b6f616bf1..75dff770b 100644
--- a/test/kuttl/tests/ctlplane-tls-custom-issuers/10-assert-service-certs-issuers.yaml
+++ b/test/kuttl/tests/ctlplane-tls/12-assert-service-certs-issuers.yaml
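Review bot: The baseline fingerprint capture appended to `11-assert-deploy-openstack.yaml` lives in a TestAssert, whereas the equivalent capture for the first rotation sits in the TestStep `06-rotate-service-certs.yaml`; an assert is retried until its `timeout: 500` elapses, so a capture that fails transiently is silently re-run and rewrites the baseline each time, and a persistent failure surfaces as a generic assert timeout rather than a named step failure. For consistency and clearer failure attribution, move this script into `12-rotate-service-certs.yaml` ahead of the secret deletion, exactly as step 06 does, and drop the second document here. The object assert above the three context lines is unchanged and lies outside the hunk.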
@@ -10,6 +10,14 @@ commands: echo "Checking rotation of non API service certificates..." NAMESPACE=$NAMESPACE bash ../../common/osp_check_noapi_service_certs.sh + - script: | + echo "Get fingerprints of all service certs after rotation" + oc exec -i openstackclient -n $NAMESPACE -- bash -s < ../../common/osp_endpoint_fingerprints.sh > /tmp/endpoint_fingerprints_after + + - script: | + echo "Check if all services from before are present in after and have rotated fingerprints" + bash -s < ../../common/osp_check_fingerprints.sh + - script: | echo "Checking issuer of internal certificates..." oc exec -i openstackclient -n $NAMESPACE -- bash -s < ../../common/osp_check_cert_issuer.sh "rootca-internal-custom" "internal" diff --git a/test/kuttl/tests/ctlplane-tls-custom-issuers/04-rotate-service-certs.yaml b/test/kuttl/tests/ctlplane-tls/12-rotate-service-certs.yaml similarity index 79% rename from test/kuttl/tests/ctlplane-tls-custom-issuers/04-rotate-service-certs.yaml rename to test/kuttl/tests/ctlplane-tls/12-rotate-service-certs.yaml index d0fc5e349..3f94061a3 100644 --- a/test/kuttl/tests/ctlplane-tls-custom-issuers/04-rotate-service-certs.yaml +++ b/test/kuttl/tests/ctlplane-tls/12-rotate-service-certs.yaml @@ -2,6 +2,6 @@ apiVersion: kuttl.dev/v1beta1 kind: TestStep commands: - script: | - echo "Deleting secrets..." + echo "Deleting secrets to trigger rotation..." oc get secret -l service-cert -n $NAMESPACE -o name > /tmp/deleted-secrets.txt oc delete secret -l service-cert -n $NAMESPACE diff --git a/test/kuttl/tests/ctlplane-tls-cert-rotation/03-assert-new-certs.yaml b/test/kuttl/tests/ctlplane-tls/14-assert-custom-duration.yaml similarity index 100% rename from test/kuttl/tests/ctlplane-tls-cert-rotation/03-assert-new-certs.yaml rename to test/kuttl/tests/ctlplane-tls/14-assert-custom-duration.yaml 
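Review bot: The comparison added to 12-assert-service-certs-issuers.yaml runs `bash -s < ../../common/osp_check_fingerprints.sh` with no arguments, so the before/after file locations must be hard-coded inside that helper (not in this diff), silently coupling this assert to the exact /tmp paths written by 11-assert-deploy-openstack.yaml and, later, 14-deploy-custom-duration.yaml. Making the contract explicit in the assert, e.g. `bash -s /tmp/endpoint_fingerprints_before /tmp/endpoint_fingerprints_after < ../../common/osp_check_fingerprints.sh` with the helper reading `$1`/`$2`, keeps the two steps in sync when one path changes. The enclosing `commands:` list and the assert's `timeout` begin outside the hunk, so whether the snapshot and comparison are retried together on a transient mismatch cannot be confirmed from here.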
diff --git a/test/kuttl/tests/ctlplane-tls/14-deploy-custom-duration.yaml b/test/kuttl/tests/ctlplane-tls/14-deploy-custom-duration.yaml new file mode 100644 index 000000000..62684a613 --- /dev/null +++ b/test/kuttl/tests/ctlplane-tls/14-deploy-custom-duration.yaml @@ -0,0 +1,9 @@ +# Deploy with custom TLS service certs and CA certs duration +apiVersion: kuttl.dev/v1beta1 +kind: TestStep +commands: + - script: | + echo "Get fingerprints of all service certs before duration change" + oc exec -i openstackclient -n $NAMESPACE -- bash -s < ../../common/osp_endpoint_fingerprints.sh > /tmp/endpoint_fingerprints_before + - script: | + oc kustomize ../../../../config/samples/tls/custom_duration | oc apply -n $NAMESPACE -f - diff --git a/test/kuttl/tests/ctlplane-tls-cert-rotation/04-assert-service-cert-rotation.yaml b/test/kuttl/tests/ctlplane-tls/15-assert-cert-rotation-after-duration-change.yaml similarity index 82% rename from test/kuttl/tests/ctlplane-tls-cert-rotation/04-assert-service-cert-rotation.yaml rename to test/kuttl/tests/ctlplane-tls/15-assert-cert-rotation-after-duration-change.yaml index 6525e4e14..976ceca0a 100644 --- a/test/kuttl/tests/ctlplane-tls-cert-rotation/04-assert-service-cert-rotation.yaml +++ b/test/kuttl/tests/ctlplane-tls/15-assert-cert-rotation-after-duration-change.yaml @@ -7,9 +7,9 @@ commands: NAMESPACE=$NAMESPACE bash ../../common/osp_check_noapi_service_certs.sh - script: | - echo "Get fingerprints of all service certs" + echo "Get fingerprints of all service certs after duration change" oc exec -i openstackclient -n $NAMESPACE -- bash -s < ../../common/osp_endpoint_fingerprints.sh > /tmp/endpoint_fingerprints_after - script: | - echo "Check if all services from before are present in after and have valid fingerprints" + echo "Check if all services from before are present in after and have rotated fingerprints" bash -s < ../../common/osp_check_fingerprints.sh 
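Review bot: The header comment of 14-deploy-custom-duration.yaml describes only the deployment, while the first script also records the fingerprint baseline that 15-assert-cert-rotation-after-duration-change.yaml compares against; a reader of step 15 has no pointer back to where "before" was captured. Suggest `# Snapshot service cert fingerprints (consumed by 15-assert-cert-rotation-after-duration-change.yaml), then deploy with custom TLS service/CA cert duration`. Note also that this baseline is taken in a TestStep (run once), whereas the equivalent capture in 11-assert-deploy-openstack.yaml sits in a TestAssert; picking one placement for both would make the rotation checks easier to reason about.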
diff --git a/test/kuttl/tests/ctlplane-tls-custom-issuers/11-cleanup.yaml b/test/kuttl/tests/ctlplane-tls/16-cleanup.yaml
similarity index 100%
rename from test/kuttl/tests/ctlplane-tls-custom-issuers/11-cleanup.yaml
rename to test/kuttl/tests/ctlplane-tls/16-cleanup.yaml
diff --git a/test/kuttl/tests/ctlplane-tls-custom-issuers/05-errors-cleanup.yaml b/test/kuttl/tests/ctlplane-tls/16-errors-cleanup.yaml
similarity index 100%
rename from test/kuttl/tests/ctlplane-tls-custom-issuers/05-errors-cleanup.yaml
rename to test/kuttl/tests/ctlplane-tls/16-errors-cleanup.yaml