
Implement acceptance tests. These jobs will run in the post-review pipeline and require access to secrets containing credentials of friendly public clouds, so that the SDK can be tested against them. The base job generates a token from the given credentials and writes a clouds.yaml file that contains the token instead of the password. As a post step the token is physically revoked. This is done to prevent potential leakage of real credentials from the test jobs/logs. Since devstack is not a real cloud we do not use zuul secrets. Change-Id: I95af9b81e6abd51af2a7dd91cae14b56926a869c
# Devstack has to be started before any of the later plays can use it.
- hosts: all
  roles:
    - role: run-devstack

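# Prepare local clouds.yaml
# We can't rely on pre.yaml, since it specifically delegates to
# localhost, and on devstack that will not work unless the APIs are
# available over the net.
- hosts: all
  tasks:
    # Exchange the configured credentials for a token; the result is
    # registered as os_auth and os_auth.auth_token is what the later tasks
    # use in place of the password.
    - name: Get temporary token for the cloud
      # no_log is important to keep job-output.json clean
      no_log: true
      os_auth:
        cloud:
          profile: "{{ openstack_credentials.profile | default(omit) }}"
          auth:
            auth_url: "{{ openstack_credentials.auth.auth_url }}"
            username: "{{ openstack_credentials.auth.username }}"
            password: "{{ openstack_credentials.auth.password }}"
            user_domain_name: "{{ openstack_credentials.auth.user_domain_name | default(omit) }}"
            user_domain_id: "{{ openstack_credentials.auth.user_domain_id | default(omit) }}"
            domain_name: "{{ openstack_credentials.auth.domain_name | default(omit) }}"
            domain_id: "{{ openstack_credentials.auth.domain_id | default(omit) }}"
            project_name: "{{ openstack_credentials.auth.project_name | default(omit) }}"
            project_id: "{{ openstack_credentials.auth.project_id | default(omit) }}"
            project_domain_name: "{{ openstack_credentials.auth.project_domain_name | default(omit) }}"
            project_domain_id: "{{ openstack_credentials.auth.project_domain_id | default(omit) }}"
      register: os_auth

    # Authenticate once more using only the token (auth_type: token), so a
    # token that does not work is caught here rather than inside the tests.
    - name: Verify token
      # no_log is important to keep job-output.json clean
      no_log: true
      os_auth:
        cloud:
          profile: "{{ openstack_credentials.profile | default(omit) }}"
          auth_type: token
          auth:
            auth_url: "{{ openstack_credentials.auth.auth_url }}"
            token: "{{ os_auth.auth_token }}"
            project_name: "{{ openstack_credentials.auth.project_name | default(omit) }}"
            project_id: "{{ openstack_credentials.auth.project_id | default(omit) }}"
            project_domain_name: "{{ openstack_credentials.auth.project_domain_name | default(omit) }}"
            project_domain_id: "{{ openstack_credentials.auth.project_domain_id | default(omit) }}"

    # Hand the role a cloud entry named "acceptance" that authenticates with
    # the token; no username or password is passed on.
    # NOTE(review): the token reaches the role as a plain variable and this
    # task carries no no_log; confirm that deploy-clouds-config does not echo
    # cloud_config into the job output and writes clouds.yaml with
    # restrictive permissions.
    - name: Include deploy-clouds-config role
      include_role:
        name: deploy-clouds-config
      vars:
        cloud_config:
          clouds:
            acceptance:
              profile: "{{ openstack_credentials.profile | default(omit) }}"
              auth_type: "token"
              auth:
                auth_url: "{{ openstack_credentials.auth.auth_url }}"
                project_name: "{{ openstack_credentials.auth.project_name | default(omit) }}"
                project_domain_id: "{{ openstack_credentials.auth.project_domain_id | default(omit) }}"
                token: "{{ os_auth.auth_token }}"
              # TLS certificate verification is switched off for this cloud
              # entry, so the token is sent to an endpoint whose identity is
              # not checked.
              # NOTE(review): presumably tolerable only because the target is
              # the throwaway devstack started by this job - confirm before
              # reusing this entry against any other cloud.
              verify: false

    # Intruders might want to corrupt clouds.yaml to avoid revoking token in
    # the post phase. To prevent this we save token on the executor for later
    # use.
    - name: Save token
      delegate_to: localhost
      # The file content is the live token, so this task is kept out of
      # job-output.json in the same way as the two os_auth tasks above.
      no_log: true
      copy:
        dest: "{{ zuul.executor.work_root }}/.{{ zuul.build }}"
        content: "{{ os_auth.auth_token }}"
        # NOTE(review): "0640" leaves the token readable by the file's group
        # on the executor; "0600" would be enough if only the job's own user
        # reads it back in the post phase - confirm against the post playbook.
        mode: "0640"
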
# Run the rest: the roles below are applied to every host in the order
# listed, ending with tox.
- hosts: all
  roles:
    - role: bindep
      bindep_profile: test
      bindep_dir: "{{ zuul_work_dir }}"
    - role: test-setup
    - role: ensure-tox
    - role: get-devstack-os-environment
    - role: tox