43ab59d8b3
Implement acceptance tests. Those jobs will run in the post-review pipeline requiring access to secrets containing credentials of friendly public clouds to test sdk with them. Base job is generating a token from the given credentials and writes clouds.yaml file with the token inside instead of password. As a post step the token is physically revoked. This is done to prevent potential leakage of real credentials from the test jobs/logs. Since devstack is not a real cloud we do not use zuul secrets. Change-Id: I95af9b81e6abd51af2a7dd91cae14b56926a869c
61 lines
2.8 KiB
YAML
61 lines
2.8 KiB
YAML
- hosts: all
|
|
tasks:
|
|
- name: Get temporary token for the cloud
|
|
# nolog is important to keep job-output.json clean
|
|
no_log: true
|
|
os_auth:
|
|
cloud:
|
|
profile: "{{ openstack_credentials.profile | default(omit) }}"
|
|
auth:
|
|
auth_url: "{{ openstack_credentials.auth.auth_url }}"
|
|
username: "{{ openstack_credentials.auth.username }}"
|
|
password: "{{ openstack_credentials.auth.password }}"
|
|
user_domain_name: "{{ openstack_credentials.auth.user_domain_name | default(omit) }}"
|
|
user_domain_id: "{{ openstack_credentials.auth.user_domain_id | default(omit) }}"
|
|
domain_name: "{{ openstack_credentials.auth.domain_name | default(omit) }}"
|
|
domain_id: "{{ openstack_credentials.auth.domain_id | default(omit) }}"
|
|
project_name: "{{ openstack_credentials.auth.project_name | default(omit) }}"
|
|
project_id: "{{ openstack_credentials.auth.project_id | default(omit) }}"
|
|
project_domain_name: "{{ openstack_credentials.auth.project_domain_name | default(omit) }}"
|
|
project_domain_id: "{{ openstack_credentials.auth.project_domain_id | default(omit) }}"
|
|
register: os_auth
|
|
delegate_to: localhost
|
|
|
|
- name: Verify token
|
|
no_log: true
|
|
os_auth:
|
|
cloud:
|
|
profile: "{{ openstack_credentials.profile | default(omit) }}"
|
|
auth_type: token
|
|
auth:
|
|
auth_url: "{{ openstack_credentials.auth.auth_url }}"
|
|
token: "{{ os_auth.auth_token }}"
|
|
project_name: "{{ openstack_credentials.auth.project_name | default(omit) }}"
|
|
project_id: "{{ openstack_credentials.auth.project_id | default(omit) }}"
|
|
project_domain_id: "{{ openstack_credentials.auth.project_domain_id | default(omit) }}"
|
|
project_domain_name: "{{ openstack_credentials.auth.project_domain_name | default(omit) }}"
|
|
delegate_to: localhost
|
|
|
|
- name: Include deploy-clouds-config role
|
|
include_role:
|
|
name: deploy-clouds-config
|
|
vars:
|
|
cloud_config:
|
|
clouds:
|
|
acceptance:
|
|
profile: "{{ openstack_credentials.profile | default(omit) }}"
|
|
auth_type: "token"
|
|
auth:
|
|
auth_url: "{{ openstack_credentials.auth.auth_url | default(omit) }}"
|
|
project_name: "{{ openstack_credentials.auth.project_name | default(omit) }}"
|
|
token: "{{ os_auth.auth_token }}"
|
|
|
|
# Intruders might want to corrupt clouds.yaml to avoid revoking token in the post phase
|
|
# To prevent this we save token on the executor for later use.
|
|
- name: Save token
|
|
delegate_to: localhost
|
|
copy:
|
|
dest: "{{ zuul.executor.work_root }}/.{{ zuul.build }}"
|
|
content: "{{ os_auth.auth_token }}"
|
|
mode: "0440"
|