Add option to use custom user settings in ods-ci image (red-hat-data-…services#841)

* add function to read user configuration from json

Signed-off-by: bdattoma <[email protected]>

* add function to read conf from json

Signed-off-by: bdattoma <[email protected]>

* refactor to use config file - to be finished

Signed-off-by: bdattoma <[email protected]>

* new default conf

Signed-off-by: bdattoma <[email protected]>

* final draft custom settings

Signed-off-by: bdattoma <[email protected]>

* re-enable oc commands + minor fixes

Signed-off-by: bdattoma <[email protected]>

* rename secret

Signed-off-by: bdattoma <[email protected]>

* add uppercase for special users test

Signed-off-by: bdattoma <[email protected]>

* update default template

Signed-off-by: bdattoma <[email protected]>

* copy tmplt files instead of overwriting

Signed-off-by: bdattoma <[email protected]>

* clean comment lines + improve logging msgs

Signed-off-by: bdattoma <[email protected]>

* add suffix len setting

Signed-off-by: bdattoma <[email protected]>

* add user config file documentation + minor changes

Signed-off-by: bdattoma <[email protected]>

* minor change

Signed-off-by: bdattoma <[email protected]>

* rename user config file

Signed-off-by: bdattoma <[email protected]>

* rename user config file in install script

Signed-off-by: bdattoma <[email protected]>

* mount user config secret to pods

Signed-off-by: bdattoma <[email protected]>

* add user config json file validation

Signed-off-by: bdattoma <[email protected]>

* remove json_pp check

Signed-off-by: bdattoma <[email protected]>

* reduce default n users

Signed-off-by: bdattoma <[email protected]>

* fix ocm htp setter + minor change

Signed-off-by: bdattoma <[email protected]>

* fix ded admin addition with OCM

Signed-off-by: bdattoma <[email protected]>

* minor changes

Signed-off-by: bdattoma <[email protected]>

* add user config file in dockerfile

Signed-off-by: bdattoma <[email protected]>

* misc fixes + improve logs

Signed-off-by: bdattoma <[email protected]>

* upgrade yq

Signed-off-by: bdattoma <[email protected]>

* update test variables example

Signed-off-by: bdattoma <[email protected]>

* change default

Signed-off-by: bdattoma <[email protected]>

* fix mount path

Signed-off-by: bdattoma <[email protected]>

* fix question mark support

Signed-off-by: bdattoma <[email protected]>

* fix special char asterisk

Signed-off-by: bdattoma <[email protected]>

* remove debug lines

Signed-off-by: bdattoma <[email protected]>

* remove debug lines (2)

Signed-off-by: bdattoma <[email protected]>

---------

Signed-off-by: bdattoma <[email protected]>
bdattoma authored Jul 12, 2023
1 parent ae1ad36 commit 2b4f566
Showing 9 changed files with 551 additions and 135 deletions.
4 changes: 2 additions & 2 deletions ods_ci/build/Dockerfile
@@ -18,7 +18,7 @@ ARG OC_CHANNEL=stable
RUN dnf -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm &&\
dnf install -y jq git unzip chromium chromedriver python3-distro httpd-tools &&\
dnf clean all &&\
curl --proto "=https" -L https://github.com/mikefarah/yq/releases/download/v4.25.1/yq_linux_amd64 -o /usr/bin/yq &&\
curl --proto "=https" -L https://github.com/mikefarah/yq/releases/download/v4.34.1/yq_linux_amd64 -o /usr/bin/yq &&\
chmod +x /usr/bin/yq &&\
curl --proto "=https" -L https://mirror.openshift.com/pub/openshift-v$(echo $OC_VERSION | cut -d'.' -f 1)/x86_64/clients/ocp/$OC_CHANNEL-$OC_VERSION/openshift-client-linux.tar.gz -o $HOME/oc_client.tar.gz && \
tar xvf $HOME/oc_client.tar.gz -C /usr/local/bin/ && \
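Review bot: the yq binary on the changed `curl ... yq_linux_amd64 -o /usr/bin/yq` line is still downloaded and made executable without any integrity check, and the bump to v4.34.1 is the natural moment to add one: pin the release's sha256 and verify it before `chmod +x`, e.g. `echo "<sha256 of yq_linux_amd64 v4.34.1>  /usr/bin/yq" | sha256sum -c -` (placeholder digest, to be taken from the release page). The same applies to the openshift-client tarball fetched on the following line.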
@@ -46,6 +46,7 @@ COPY ods_ci/utils/scripts/SplitSuite.py ods_ci/utils/scripts/SplitSuite.py
COPY ods_ci/utils/scripts/testconfig/test-variables.yml ods_ci/test-variables.yml.model
COPY ods_ci/test-variables.yml.example ods_ci/test-variables.yml
COPY ods_ci/configs/templates/ldap/ldap.yaml ods_ci/configs/templates/ldap/ldap.yaml
COPY ods_ci/configs/templates/user_config.json ods_ci/configs/templates/user_config.json
COPY ods_ci/configs/resources/oauth_htp_idp.json ods_ci/configs/resources/oauth_htp_idp.json
COPY ods_ci/configs/resources/oauth_ldap_idp.json ods_ci/configs/resources/oauth_ldap_idp.json
COPY ods_ci/configs/templates/ca-rolebinding.yaml ods_ci/configs/templates/ca-rolebinding.yaml
@@ -64,5 +65,4 @@ RUN poetry install
RUN chgrp -R 0 . && \
chmod -R g=u .


ENTRYPOINT ["./ods_ci/build/run.sh"]
490 changes: 369 additions & 121 deletions ods_ci/build/install_idp.sh


2 changes: 1 addition & 1 deletion ods_ci/configs/resources/oauth_htp_idp.json
@@ -1 +1 @@
{"name":"htpasswd","mappingMethod":"claim","type":"HTPasswd","htpasswd":{"fileData":{"name":"htpasswd-password"}}}
{"name":"htpasswd","mappingMethod":"claim","type":"HTPasswd","htpasswd":{"fileData":{"name":"htpasswd-secret"}}}
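Review bot: renaming the `fileData` secret from `htpasswd-password` to `htpasswd-secret` changes a name that install_idp.sh (not rendered in this commit) must create with exactly this spelling; please confirm the script and this JSON were updated together, and mention in the docs that a cluster already configured with the old secret name will have an IDP pointing at a secret the script no longer manages.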
74 changes: 74 additions & 0 deletions ods_ci/configs/templates/user_config.json
@@ -0,0 +1,74 @@
{
"idp":{
"ldap": {
"prefixes": [
"ldap-op-",
"ldap-usr-",
"ldap-noaccess-",
"ldap-special"
],
"suffixes": {
"ldap-op-": {
"type": "incremental_with_rand_base",
"rand_length": 20,
"n_users": 5
},
"ldap-usr-": {
"type": "incremental_with_rand_base",
"rand_length": 20,
"n_users": 5
},
"ldap-noaccess-": {
"type": "incremental_with_rand_base",
"rand_length": 20,
"n_users": 5
},
"ldap-special": {
"type": "custom",
"rand_length": 20,
"list": [".","^","$","*","?","(",")","[","]","{","}","|","@",";"]
}
},
"pw": "<GEN_RAMDOM_PW>",
"TEST_USER": "ldap-op-<RAND_BASE>1",
"TEST_USER_2": "ldap-op-<RAND_BASE>2",
"TEST_USER_3": "ldap-usr-<RAND_BASE>3",
"TEST_USER_4": "ldap-usr-<RAND_BASE>4",
"groups_map":{
"ldap-op-": [
"rhods-admins",
"dedicated-admins"
],
"ldap-usr-": [
"rhods-users"
],
"ldap-noaccess-": [
"rhods-noaccess"
],
"ldap-special": [
"rhods-users"
]
}
},
"htpasswd": {
"prefixes": [
"htp-user-",
"htp-basic-user-"
],
"suffixes": {
"htp-user-": {
"type": "incremental_with_rand_base",
"rand_length": 20,
"n_users": 1
},
"htp-basic-user-": {
"type": "incremental_with_rand_base",
"rand_length": 20,
"n_users": 2
}
},
"pw": "<GEN_RAMDOM_PW>",
"cluster_admin_username": "htp-user-<RAND_BASE>"
}
}
}
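Review bot: the `"pw": "<GEN_RAMDOM_PW>"` placeholder used in both the `ldap` and `htpasswd` blocks is spelled differently from the `<GEN_RANDOM_PW>` documented in the README of this same commit; since the docs say a random password is generated only when the value equals the placeholder, a user who "corrects" the spelling in their own file would silently get a literal, predictable password. Pick one spelling, use it in the template, the docs and install_idp.sh, and have the new JSON validation reject any unrecognised `<...>` placeholder. Two smaller points: `"ldap-special"` has `"type": "custom"` yet carries `"rand_length": 20`, which per the docs only the `*_with_rand_base` types use, and its prefix lacks the trailing `-` that every other prefix has, so state whether that is intentional.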
90 changes: 85 additions & 5 deletions ods_ci/docs/ODS-CI-IMAGE-README.md
@@ -14,8 +14,7 @@ $ podman build -t ods-ci:<mytag> -f ods_ci/build/Dockerfile .

# Mount a file volume to provide a test-variables.yml file at runtime
# Mount a volume to preserve the test run artifacts
$ podman run --rm -v $PWD/ods_ci/test-variables.yml:/tmp/ods-ci/ods_ci/test-variables.yml:Z
-v $PWD/ods_ci/test-output:/tmp/ods-ci/ods_ci/test-output:Z
$ podman run --rm -v $PWD/ods_ci/test-variables.yml:/tmp/ods-ci/ods_ci/test-variables.yml -v $PWD/ods_ci/test-output:/tmp/ods-ci/ods_ci/test-output:Z
ods-ci:<mytag>
```
Additional arguments for container build
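Review bot: the rewritten `podman run` line drops the `:Z` relabel option from the test-variables.yml mount while keeping it on the test-output mount; on an SELinux-enforcing host the container will then be denied access to that file. Suggest `-v $PWD/ods_ci/test-variables.yml:/tmp/ods-ci/ods_ci/test-variables.yml:Z` so both mounts are labelled consistently.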
@@ -40,9 +39,84 @@ podman build -t ods-ci:master -f ods_ci/build/Dockerfile .
* If ```SET_ENVIRONMENT``` = 1:
- ```OC_HOST```: it contains the OpenShift API URL of the test cluster where the Identity Providers are going to be installed and tests are going to be executed.
- ```USE_OCM_IDP``` (default: 1): it sets the IDP creation script to use either OCM (OpenShift Cluster Manager) CLI and APIs or OC CLI to create the IDPs in the cluster. If it is sets to 0, OC CLI is used.
* If ```USE_OCM_IDP``` = 1:
- ```OCM_TOKEN```: it contains the authorization token to allow ODS-CI to install IDPs in the test cluster using OCM
- ```OCM_ENV```: it contains the OCM environment name, e.g., staging vs production. If not set, OCM CLI assumes it is production
- If ```USE_OCM_IDP``` = 1:
- ```OCM_TOKEN```: it contains the authorization token to allow ODS-CI to install IDPs in the test cluster using OCM
- ```OCM_ENV```: it contains the OCM environment name, e.g., staging vs production. If not set, OCM CLI assumes it is production.
* ```RETURN_PW``` (default:1):
- if ```RETURN_PW``` = 1: CLI will prints the user password and cluster admin username. It's recommended to use for Debug purposes only, where the CLI output is not made publicly available.
* ```ods_ci/configs/templates/user_config.json```: this JSON file is necessary to instruct the image about desired user configuration. Check the dedicated section below.


## User Configuration JSON File
As mentioned in the previous paragraph, if you enable automatic IDP creation you need to either pass a custom configuration file or use the default one.

You find field description inline in the below JSON file. Before reading it, there are a couple of notes:
1. the install scripts assumes you want to install a LDAP and HTPASSWD identity provider.
2. it assumes that the cluster-admin user is from HTP identity provider.
3. it asusmes the users in test-variables.yml are mapped to LDAP users only.

```json
{
"idp":{
"ldap": {
// prefix is the first part of the usernames, e.g., professor-xyzxyzxyzxyz10
"prefixes": [
"professor-",
"student-",
"operator-"
],
// suffix is the part(s) after the prefix: it accepts:
// - "incremental": adds a numeric suffix after the prefix, the range is [1, "n_users"]
// - "incremental_with_rand_base": it adds a randomly generate portion before the numeric suffix. The number of random chars is controled by "rand_length" attribute
// - "custom": it adds to the suffix a custom suffix extracted from the passed "list" attribute. The number of users is controled by the length of the given list.
// - "custom_with_rand_base": t adds a randomly generate portion before the custom suffix. The number of random chars is controled by "rand_length" attribute.
"suffixes": {
"professor-": {
"type": "incremental",
"rand_length": null,
"n_users": 5
},
"student-": {
"type": "incremental_with_rand_base",
"rand_length": 20,
"n_users": 20
}
},
// this is the pw for ldap users. If it is sets to "<GEN_RANDOM_PW>" it generates an alphanumeric random password.
"pw": "<GEN_RAMDOM_PW>",
// this is the mapping to the users in test-variables.yml file, which are used by automated tests. if you used random generated suffix, you can use the placeholder "<RAND_BASE>" to let script handling it.
"TEST_USER": "professor-<RAND_BASE>11",
"TEST_USER_2": "student-<RAND_BASE>2",
"TEST_USER_3": "student-<RAND_BASE>3",
"TEST_USER_4": "student-<RAND_BASE>4",
// all the user with the same prefix will be added to the mapped group.
"groups_map":{
"professor-": [
"professors"
],
"student-": [
"users"
]
}
},
"htpasswd": {
"prefixes": [
"operator-"
],
"suffixes": {
"operator-": {
"type": "custom_with_rand_base",
"rand_length": 20,
"list": ["A","B","C"]
}
},
"pw": "<GEN_RAMDOM_PW>",
// assignes cluster admin permissions to one of the given htp users
"cluster_admin_username": "operator-<RAND_BASE>B"
}
}
}
```

## Running the ODS-CI container image from terminal

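Review bot: the example in the new "User Configuration JSON File" section contains `//` comments, so it cannot be copied as-is into a file that the commit's own JSON validation will accept; either say that the comments must be stripped or keep the annotated listing for explanation and add a comment-free copy. The password placeholder also disagrees with its own description (`<GEN_RANDOM_PW>` in the comment, `<GEN_RAMDOM_PW>` in the value), and because the text says the random password is generated only when the value matches, the mismatch matters. Typos to fix while there: "asusmes", "controled" (three times), "randomly generate", "t adds", "assignes", "If it is sets". Finally, the `RETURN_PW` bullet would be stronger if it said plainly that the printed password and admin username land in whatever captures the CLI output (CI job logs included); "recommended for Debug purposes only" undersells that.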
@@ -107,6 +181,9 @@ oc apply -f ods_ci_rbac.yaml -n ods-ci
# create a secret with test variables that can be mounted in ODS-CI container
oc create secret generic ods-ci-test-variables --from-file ods_ci/test-variables.yml -n ods-ci

# Optional: create a secret with user_config.json that can be mounted in ODS-CI container
oc create secret generic ods-ci-user-config --from-file ods_ci/user_config.json -n ods-ci

# Optional: create registry pull secret and patch SA
oc create secret docker-registry ods-ci-pull-secret --docker-server='quay.io' --docker-username='my-username' --docker-password='my-pw' --docker-email='[email protected]' -n ods-ci

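Review bot: the new `oc create secret generic ods-ci-user-config --from-file ods_ci/user_config.json` reads from `ods_ci/user_config.json`, while the template and the in-pod mount path are `ods_ci/configs/templates/user_config.json`; state which file the user is expected to author (e.g. copy the template to `ods_ci/user_config.json` and edit it) so the two paths are not mistaken for the same file. Using a Secret rather than a ConfigMap is the right call here, since `pw` may hold a literal password.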
@@ -153,6 +230,9 @@ test execution using the container in a OpenShift pod - minimum configuration, e
- name: ROBOT_EXTRA_ARGS
value: "-i Smoke --dryrun"
volumeMounts:
- mountPath: /tmp/ods-ci/ods_ci/configs/templates/user_config.json
name: ods-ci-user-config
subPath: user_config.json
- mountPath: /tmp/ods-ci/test-output
name: ods-ci-test-output
```
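Review bot: the added `volumeMounts` entry references a volume named `ods-ci-user-config`, but this hunk shows no matching entry under `volumes:` for the README's pod example; please check that the example's `volumes:` list also declares the secret volume (as the two standalone pod YAMLs in this commit do), otherwise the pod spec is rejected at creation.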
9 changes: 8 additions & 1 deletion ods_ci/docs/ods-ci_pod_oc_idp.yaml
@@ -44,9 +44,16 @@ spec:
# Mount the test-variables to prevent leaking secure info for the cluster you test against
- mountPath: /tmp/ods-ci/test-output
name: ods-ci-test-output
- mountPath: /tmp/ods-ci/ods_ci/configs/templates/user_config.json
name: ods-ci-user-config
subPath: user_config.json
restartPolicy: Never
volumes:
# Persistent Volume where we will store the test-output for this pod
- name: ods-ci-test-output
persistentVolumeClaim:
claimName: ods-ci
claimName: ods-ci
- name: ods-ci-user-config
secret:
# Specify Secret that has the necessary test-variables.yml
secretName: ods-ci-user-config
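Review bot: the comment on the new volume, `# Specify Secret that has the necessary test-variables.yml`, was carried over from the test-variables volume and should name user_config.json. Since the README in this commit describes the user-config secret as optional, consider `optional: true` on the `secret:` block so a pod created without that secret still starts; as written, a missing `ods-ci-user-config` secret leaves the pod stuck in ContainerCreating.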
9 changes: 8 additions & 1 deletion ods_ci/docs/ods-ci_pod_ocm_idp.yaml
@@ -46,9 +46,16 @@ spec:
# Mount the test-variables to prevent leaking secure info for the cluster you test against
- mountPath: /tmp/ods-ci/test-output
name: ods-ci-test-output
- mountPath: /tmp/ods-ci/ods_ci/configs/templates/user_config.json
name: ods-ci-user-config
subPath: user_config.json
restartPolicy: Never
volumes:
# Persistent Volume where we will store the test-output for this pod
- name: ods-ci-test-output
persistentVolumeClaim:
claimName: ods-ci
claimName: ods-ci
- name: ods-ci-user-config
secret:
# Specify Secret that has the necessary user_configuration.json
secretName: ods-ci-user-config
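Review bot: the volume comment says `user_configuration.json` but the file mounted is `user_config.json` (see the `subPath`); align the name. Same suggestion as for the OC variant: add `optional: true` to the `secret:` block if the user config is meant to be optional.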
6 changes: 3 additions & 3 deletions ods_ci/test-variables.yml.example
@@ -14,9 +14,9 @@ TEST_USER:
USERNAME: foo-user
PASSWORD: foo-passwd
OCP_ADMIN_USER:
AUTH_TYPE: "kube:admin"
USERNAME: kubeadmin
PASSWORD: abc123XYZ!
AUTH_TYPE: adm-auth
USERNAME: adminuser
PASSWORD: adminuser-passwd
TEST_USER_2:
AUTH_TYPE: foo-auth
USERNAME: foo-user2
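Review bot: replacing the `kube:admin` / `abc123XYZ!` example with neutral placeholders is a good change (example files get copied verbatim more often than expected). Since the README in this commit says the cluster-admin user is created in the HTP identity provider, a short comment that `AUTH_TYPE` must match the name of the IDP owning the user (the htpasswd IDP is named `htpasswd` in oauth_htp_idp.json) would help; without it, `adm-auth` reads like a real value.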
@@ -9,7 +9,7 @@ def get_safe_username(username):
# Kubespawner example:
# https://github.com/jupyterhub/kubespawner/blob/
# 251a0b65ffaff72e722446d5b9aac738ad6923d1/kubespawner/spawner.py#L1709
safe_chars = set(string.ascii_lowercase + string.digits)
safe_chars = set(string.ascii_lowercase + string.ascii_uppercase + string.digits)
return escapism.escape(username, safe=safe_chars, escape_char="-").lower()


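Review bot: adding `string.ascii_uppercase` to `safe_chars` while still calling `.lower()` on the result means usernames that differ only in case now collide: before this change `A` was escaped (`-41`) and `a` kept, so `Alice` and `alice` produced different safe names, whereas now both become `alice`. If the cluster treats those as distinct users, their derived resource names will clash; if the goal is only to make the "special users" test pass, document that case-insensitive collisions are accepted, and ideally add a test asserting the intended behaviour for a mixed-case name.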