109 Commits

Author SHA1 Message Date
Ghanshyam Mann
43b2116adb Test glance RBAC old defaults
Glance has enabled the scope checks and new defaults in
antelope release and now devstack is switching the testing
to new defaults by default (depends-on). With that all the
jobs will run the the new defaults.

As old defaults are still supported (as deprecated), we should
test those at least in a single integrated job. Enable the old
defaults in glance-multistore-cinder-import job.

Keeping existing job enabling the new defaults because other services
have not switched to new defaults yet to this job enable new defaults
for those service and test Glance against that.

Depends-On: https://review.opendev.org/c/openstack/devstack/+/883601/
Change-Id: I470e3b8c1106d88e85343508a8e5891c88861c98
2023-05-19 03:30:23 +00:00
Ghanshyam Mann
dca70d1ca8 Run integrated test if zuul.yaml file is changed
zuul.yaml file contain many jobs definition and base class.
Any change in this file can impact other job definition. Also,
many times we want to test the full integrated gate if this
file is changed or if depends-on is changing some global setting,
for example: https://review.opendev.org/c/openstack/glance/+/883602/1

Change-Id: I14abd88944407da17ca81b77c079262565ff71c6
2023-05-18 22:27:30 -05:00
Brian Rosmaita
084c8a32f5 Update functional jobs for 2023.2
Based on the python runtimes for 2023.2 [0], we should be running
functional jobs on python 3.9 and python 3.10.  This patch adds
functional testenvs for python 3.10 and 3.11 (the latter for local
testing) to tox.ini so the appropriate zuul jobs can be defined.

The functional-py38 testenv is not removed from tox.ini, as it may
be useful locally.

Functional py39 and py310 jobs are added to the check and the gate.

The current openstack-functional-py38-fips job is not removed; a
py39 job has not yet been defined to replace it [1].

[0] https://governance.openstack.org/tc/reference/runtimes/2023.2.html
[1] b3cad4f7a3/zuul.d/jobs.yaml

Change-Id: Ibc21b107878f5ba50137da4082a7cbc6342d2aa9
2023-04-17 18:00:24 -04:00
Ghanshyam
e53af9c3ce Revert "Make glance-secure-rbac-protection-functional job non-voting"
This reverts commit 1ae2ad39795a3b4c8e0d4f7169ead740b29ee033.

Reason for revert:
Test are fixed in depends-on and job is passing now

Change-Id: I94bc43b3e88e284fdc1158404c3ee3ee2b0125c0
Depends-On: https://review.opendev.org/c/openstack/glance-tempest-plugin/+/876235
2023-03-03 18:38:18 +00:00
Abhishek Kekane
1ae2ad3979 Make glance-secure-rbac-protection-functional job non-voting
Tempest change [1] has broken glance srbac tempest tests, so
in order to unblock the gate we need to turn the job non-voting and
once we fix those tests we will re-enable the same.

[1] https://review.opendev.org/c/openstack/tempest/+/871018

Change-Id: Ibbfd8904b3a87b870ed8cde26245176c5b8e74aa
2023-03-02 14:47:38 +00:00
Pranali Deore
8c04d19e88 Enabled new defaults and scope checks by default
Enabling the enforce scope and new defaults by default in glance

Related blueprint secure-rbac

Change-Id: I0808dc0b1b34b527e38aa137c1dd25e1fc06409f
2023-02-16 11:11:31 +00:00
Abhishek Kekane
d07187f710 Remove migration constant job and test
Since openstack release naming conventions has changed, current test
which check data migration version will not work as expected and same
is also blocking our gate. Removing this job and test to unblock the
gate.

NOTE: Going forward glance PTL/team needs to change the database
migration version without fail at the start of release cycle.

Change-Id: Idcb12a6c450d4ce4ee859e6e1f02fb71adf8c1d5
2023-01-16 14:40:29 +00:00
likui
4da0077d7b add openstack-python3-zed-jobs-arm64 job
This is a non-voting job to validate py3 unittests on ARM64

Change-Id: Ie229c57654a8827d2274f6ab812310bdd989db4b
Task: #40402
Story: 2007938
2022-10-10 09:38:19 +08:00
499257d2b6 Switch to 2023.1 Python3 unit tests and generic template name
This is an automatically generated patch to ensure unit testing
is in place for all the of the tested runtimes for antelope. Also,
updating the template name to generic one.

See also the PTI in governance [1].

[1]: https://governance.openstack.org/tc/reference/project-testing-interface.html

Change-Id: I9c3e19cf1a2c74381395d49ee3d792bbd92b603a
2022-09-14 17:19:29 +00:00
Abhishek Kekane
1ef06ef08b Enable Image cache tempest testing
This patch will enable new cache APIs tempest tests in glance gate.

Change-Id: I01e8550aef85d333a70392be83a964267e632c2d
2022-07-27 20:06:55 +00:00
Ade Lee
05543914a7 Fix fips job
The ecdsa usage for ssh is supposed to be the default right now.
Also, a new role paramter nslookup_target is required for the fips role

Depends-On: https://review.opendev.org/c/openstack/openstack-zuul-jobs/+/847193
Change-Id: I795c751edd1403d23aa1de5cda194aada80d05b2
2022-06-22 20:49:23 +00:00
Zuul
2e94e3dc71 Merge "Revert "Disable import workflow in glance cinder jobs"" 2022-05-23 15:05:51 +00:00
Zuul
832377b9fd Merge "Add openstack-tox-functional-py38-fips job" 2022-05-23 09:52:54 +00:00
Rajat Dhasmana
0c15169c37 Revert "Disable import workflow in glance cinder jobs"
This reverts commit d7fa7a0321ea5a56ec130aa0bd346749459ccaf2.

Reason for revert: This is no longer needed as the devstack patch is merged to fix this issue https://review.opendev.org/c/openstack/devstack/+/841804

Change-Id: I214c9a6017f66d3eb6589496726e8c8f895d56aa
2022-05-23 13:55:51 +05:30
Zuul
532e52733c Merge "Revert "Override GLANCE_USE_IMPORT_WORKFLOW in cinder jobs"" 2022-05-23 07:15:32 +00:00
Ghanshyam Mann
b8e6bb0277 Add openstack-tox-functional-py38-fips job
openstack-tox-functional-py36-fips is removed in
https://review.opendev.org/c/openstack/glance/+/841350/
with the plan to be move to py38.

This commit migrate the fips job to py38.

Depends-On: https://review.opendev.org/c/openstack/openstack-zuul-jobs/+/841368
Change-Id: I0e2bca4603a34e39ffdbebaab2fcfad3a9da4241
2022-05-20 00:06:02 +00:00
Zuul
6c504b3210 Merge "Update python testing as per zed cycle teting runtime" 2022-05-19 21:47:33 +00:00
Ghanshyam Mann
d55d250d33 Update python testing as per zed cycle teting runtime
In Zed cycle, we have dropped the python 3.6/3.7[1] testing
and its support. Moving the py36 job to py38 based as well as
updating the python classifier also to reflect the same.

openstack-tox-functional-py36-fips job is left which can be moved
to py38|py39 based once that job is defined in openatck-zuul-jobs
repo.

openstack-tox-functional-py36-fips job will be migrated to py38 or py39
in followup patch as that need openstack-zuul-config changes too.

[1] https://governance.openstack.org/tc/reference/runtimes/zed.html

Change-Id: Id0813d9dc553dd424732079039349b42f6f3201b
2022-05-19 12:56:56 -05:00
Rajat Dhasmana
f9fad19249 Revert "Override GLANCE_USE_IMPORT_WORKFLOW in cinder jobs"
This reverts commit 025ba83c470fd58425273ad10975a1eb3d095452.

Reason for revert: This is no longer needed as the devstack patch is merged to fix this issue https://review.opendev.org/c/openstack/devstack/+/841804

Change-Id: Ie72a2531172208e32626ad2060737257663eba46
2022-05-19 08:26:47 +00:00
Takashi Kajinami
ce8fd56e1a Migrate CentOS Stream 8 job to CentOS Stream 9
Some projects like cinder have dropped support for Python 3.6 and are
no longer compatible with CentOS Stream 8 which uses Python 3.6 as
the default runtime.

Change-Id: I48f88c188f830f61c03ec5570cd95731636a0396
2022-05-18 08:36:10 +09:00
whoami-rajat
025ba83c47 Override GLANCE_USE_IMPORT_WORKFLOW in cinder jobs
With change[1], we moved glance cinder jobs parent from
tempest-integrated-storage-import to regular
tempest-integrated-storage job but this job also has
import workflow enabled[2].
In this patch we are overriding GLANCE_USE_IMPORT_WORKFLOW
to False in cinder jobs to ensure that import workflow
is disabled in those jobs.
Also removing -import from job names since it's not using
import plugin anymore.

[1] https://review.opendev.org/c/openstack/glance/+/841548
[2] https://opendev.org/openstack/tempest/src/branch/master/zuul.d/integrated-gate.yaml#L195

Related-Bug: #1973136
Change-Id: I2775e007f942feed8fa6ae5e385c03992859edc1
2022-05-16 16:08:07 +05:30
whoami-rajat
d7fa7a0321 Disable import workflow in glance cinder jobs
Recently, glance-multistore-cinder-import job started failing.
As per the RCA done here[1], the reason is glance is using
import workflow to create images which is an async operation.
As in case of glance cinder configuration, there are a lot of
external APIs (cinder) called like volume create, attachment
create, attachment update, attachment delete etc which takes
time to process hence the image doesn't get available in the
expected time (as per devstack) hence the failure.
Disabling import workflow will cause the images to be created
synchronously which should pass the glance cinder jobs.
To disable import workflow, we are inheriting from
tempest-integrated-storage and not
tempest-integrated-storage-import (which has import plugin enabled).

[1] https://review.opendev.org/c/openstack/glance/+/841278/1#message-456096e48b28e5b866deb8bf53e9258ee08219a0

Closes-Bug: 1973136
Change-Id: I524dfeb05c078773aa77020d4a6a9991a7eb75c2
2022-05-13 11:26:52 +05:30
Zuul
2eb118905c Merge "Add grenade-skip-level irrelevant-files config" 2022-05-05 15:32:38 +00:00
afariasa
8c6a79891a Move FIPS jobs to experimental and periodic queue
Change-Id: I945f30fa7dd60e2e93bc248be4529633fb1f6bea
2022-03-14 17:03:21 +00:00
Ghanshyam Mann
80083fd0e9 Add grenade-skip-level irrelevant-files config
Depends-On: https://review.opendev.org/c/openstack/tempest/+/830670
Change-Id: I2ba1928875b75ae893e740bc1470d142d2dd73fb
2022-03-01 13:08:31 -06:00
Ade Lee
0457ab2086 Make FIPS job non-voting
Temporarily make the FIPS job non-voting till we figure out why
its failing. Restore the non-fips version of the cinder job so
we keep the coverage.

Change-Id: I1a9dbd087cca52798f0d01c62ebb47e37f52d87a
2022-02-11 11:18:24 -08:00
Ade Lee
0f13754f84 Add fips check jobs
Some jobs have been modified to run to confirm that functionality is
still working when FIPS is enabled on the nodes.

As the FIPS tests currently run on centos nodes, code is added
to the test-setup script to set up the databases correctly.  Also had
to increase the swap space on the nodes; see [0] for an explanation.

The current FIPS jobs run using python 3.6 on centos-8-stream.  We will
modify these to run on centos-9-stream and python 3.9 in a
subsequent patch.

[0] https://review.opendev.org/c/openstack/devstack/+/803706

Change-Id: I060d8247c7b09f63990ea411e6c6a056bb50410d
2022-02-03 13:19:20 -05:00
Ghanshyam Mann
ed1183919a Updating python testing as per Yoga testing runtime
Yoga testing runtime[1] has been updated to add py39
testing as voting. Unit tests update are
handled by the job template change in openstack-zuul-job

- https://review.opendev.org/c/openstack/openstack-zuul-jobs/+/820286

this commit updates the functional and tips jobs to test
on py39, also update the classifier in setup.cfg file.

[1] https://governance.openstack.org/tc/reference/runtimes/yoga.html

Change-Id: I6e1c64961f0feb920e45ef6a6ed29f2e32265768
2021-12-13 20:57:28 -06:00
Ghanshyam Mann
458e2b7b45 Remove broken tempest-full-py3-opensuse15 job
tempest-full-py3-opensuse15 is failing all the time[1] and
opensuse is not tested/supported distro in testing runtime
or devstack anymore. So let's remove opensuse broken job from
tempest too.

Needed-By: https://review.opendev.org/c/openstack/tempest/+/816569

[1] https://zuul.opendev.org/t/openstack/builds?job_name=tempest-full-py3-opensuse15

Change-Id: Iae7ec150fb51d7e9d019182223062e6462084617
2021-11-03 15:54:52 -05:00
Zuul
d52abef6d3 Merge "Make glance cinder multistore job voting" 2021-09-20 18:38:37 +00:00
b8c55efa14 Add Python3 yoga unit tests
This is an automatically generated patch to ensure unit testing
is in place for all the of the tested runtimes for yoga.

See also the PTI in governance [1].

[1]: https://governance.openstack.org/tc/reference/project-testing-interface.html

Change-Id: Iab3983dfab5074d30f22122524f30cb21fe5758e
2021-09-16 11:07:22 +00:00
Zuul
91ed096ec0 Merge "Add a nonvoting functional job with RBAC defaults" 2021-07-01 15:19:36 +00:00
Dan Smith
8201f5f101 Add a nonvoting functional job with RBAC defaults
This adds a new tox target called functional-py38-rbac which enables
the new secure RBAC policy defaults for all functional tests. To do
this, the functional tests needed a little bit of extra work to
actually set those, and a new non-voting job is added to run these
in CI.

Related to blueprint policy-refactor

Change-Id: Id376193521671bdb0ebc08ea8e563578bbaa541f
2021-06-30 11:49:30 -07:00
Dan Smith
fa1bc2f904 Drop lower-constraints jobs
Change-Id: Id030b56b721cb62255936d56f0409c4be9ce21d4
2021-06-21 07:19:01 -07:00
6cabdf93fc Add Python3 xena unit tests
This is an automatically generated patch to ensure unit testing
is in place for all the of the tested runtimes for xena.

See also the PTI in governance [1].

[1]: https://governance.openstack.org/tc/reference/project-testing-interface.html

Change-Id: I5208077a9f700e8104dab697b8ac58fd85575f7a
2021-03-23 17:09:16 +00:00
Zuul
751e5ed812 Merge "Enable second glance worker for import testing" 2021-03-10 02:27:07 +00:00
Lance Bragstad
aec2de7ffd Add a release note for secure RBAC personas
Provide some literature on what we introduced for operators in wallaby,
how they can configure it, and actions we recommend they take. Since
this marks the point at which we consider the feature implemented,
this also removes the legacy-rbac job and makes the secure-rbac job
voting.

Implements: blueprint secure-rbac
Change-Id: I8f980cf7731d26b92b5392fdada21e5be0f541c4
2021-03-09 09:51:47 -08:00
Lance Bragstad
8d694786d3 Add glance functional protection tests to check and gate
This commit updates glance's zuul configuration to tack on a job
dedicated to protecting API authroization. The tests for this job live
in glance-tempest-plugin and they currently test full support for
project-reader and project-admin against the images API.

Future changes will update the policies in glance to consume
system-scope and additional test coverage will be added to
glance-tempest-plugin. But, until that happens, having protection
testing as part of the check and gate jobs is vital to ensuring we don't
inadvertently expose sensitive information or APIs to users.

This level of testing will also be useful in the future if we decide to
refactor authorization logic out of various parts of glance and into a
consistent layer.

Depends-On: https://review.opendev.org/c/openstack/glance-tempest-plugin/+/775742
Change-Id: Iddee8144fb21b7ac2dec4e7fbc62c132c186fa89
2021-03-04 21:53:30 +00:00
Dan Smith
662607f496 Enable second glance worker for import testing
This enables the g-api-r service in devstack, which allows tempest
to run the remote import test, causing it to stage and import an
image across two different workers. Note we disable it for the
standalone mode, since devstack does not support starting another
standalone glance.

Depends-On: https://review.opendev.org/c/openstack/devstack/+/770487
Depends-On: https://review.opendev.org/c/openstack/tempest/+/770520
Change-Id: Ica715fc1922f4b36dd0bb008ef6706b86115ec05
2021-03-04 12:13:23 -08:00
whoami-rajat
f9258314bf Make glance cinder multistore job voting
Change-Id: I0aa2737ea47559f158653cbe9dbdf21df32bf4e7
2021-02-16 09:24:14 +00:00
Zuul
c0e54c0aa0 Merge "Add Python3 wallaby unit tests" 2020-12-15 14:03:48 +00:00
Erno Kuvaja
e26f9b40d8 Run nova-ceph-multistore only when tempest is ran
Change-Id: I4e5af52caedb78ace15d84c8a84acad2dc8490fa
2020-12-14 17:16:21 +00:00
whoami-rajat
1344c45772 Adding gate job for glance cinder store
Depends-On: https://review.opendev.org/743800
Change-Id: Ib192550182008754644b74636ede0d85bbcc4faf
2020-10-05 09:54:38 -04:00
Dan Smith
b49c042467 Adjust jobs for devstack WSGI mode default
Devstack is switching the default glance operational model back to pure-WSGI
mode for parity with the rest of the services. This adjusts our jobs to fit
with that so that we're testing the default, but also the standalone case.
After this change, we end up with the following for the vanilla devstack
jobs:

 - The "-import" job, which takes the devstack default of WSGI mode,
   with all the tweaks required for import to be enabled. It configures
   import conversion to raw, metadata injection, and confirms that with a
   post-run check for that metadata.
 - The "-import-standalone" job, which inherits all the behaviors from
   the job above, but configures glance in standalone mode.

Depends-On: https://review.opendev.org/#/c/742884
Change-Id: Ia3fb8aba83bbd7a1399aef136ce8857b14d08435
2020-09-29 06:43:27 -07:00
452fba2a59 Add Python3 wallaby unit tests
This is an automatically generated patch to ensure unit testing
is in place for all the of the tested runtimes for wallaby.

See also the PTI in governance [1].

[1]: https://governance.openstack.org/tc/reference/project-testing-interface.html

Change-Id: Ia7c16cc554aa740bc51bb32713fe1189ad50b8c7
2020-09-24 09:13:54 +00:00
Dan Smith
1a9b345840 Run the nova-ceph-multistore job against glance
Nova has a job where both nova and glance are configured for multistore
ceph, and where the image gets automatically copied from the file to
rbd stores on first use. Run that on glance to get the coverage for
it as well.

Change-Id: I9c734fabaabe78ea8f7e77d0aa2112ebe867ecb6
2020-09-14 10:01:08 -07:00
Zuul
c5bf4d42e3 Merge "Make our ceph job enable thin provisioning" 2020-09-02 21:43:09 +00:00
Dan Smith
c023445d05 Make our import-workflow job also convert images to raw
This enables image conversion on the import-workflow job so that we at
least run those code paths somewhere in CI.

Change-Id: Ie4a9171f002b42a13c1786268057bdc0ab3804d0
2020-08-27 07:29:12 -07:00
Dan Smith
b6380424f8 Make our ceph job enable thin provisioning
Depends-On: https://review.opendev.org/#/c/744282
Change-Id: Ifa05b30cd8a810c6ae0678eaa1e433c16e0b7b93
2020-08-24 08:41:34 -07:00
Luigi Toscano
3041b0b4ef zuul: use the new barbican simple-crypto job
The old job name is still available as an alias for a while,
but it is time to switch away from it.

Change-Id: I8083c097516c14274ddb29d1696e25b90c01271e
2020-08-17 20:08:13 +02:00