enabel external oidc in capi

openshift · May 28, 2024 · 45fcce7 · 45fcce7
1 parent 1d58c6f
commit 45fcce7
Show file tree

Hide file tree

Showing 26 changed files with 331 additions and 116 deletions.
diff --git a/...penshift-tests-private/openshift-openshift-tests-private-release-4.15__amd64-nightly.yaml b/...penshift-tests-private/openshift-openshift-tests-private-release-4.15__amd64-nightly.yaml
@@ -1036,33 +1036,31 @@ tests:
     test:
     - chain: openshift-e2e-test-hypershift-qe
     workflow: rosa-aws-sts-hcp-cilium
-- as: aws-rosa-hcp-capi-stage-critical-f2
-  cron: 5 2 1,3,5,7,9,11,13,15,17,19,21,23,25,27,29 * *
+- as: aws-rosa-hcp-capi-stage-f7
+  cron: 12 6 7,14,23,30 * *
   steps:
     cluster_profile: aws-sd-qe
     env:
       BASE_DOMAIN: qe.devcluster.openshift.com
-      E2E_RUN_TAGS: '@rosa'
-      OPENSHIFT_VERSION: 4.15.0
+      OPENSHIFT_VERSION: "4.15"
       REGION: us-west-2
       TEST_FILTERS: ~ChkUpgrade&;~NonPreRelease&;~Serial&;~Disruptive&;~DisconnectedOnly&;~HyperShiftMGMT&;~MicroShiftOnly&;~NonHyperShiftHOST&;ROSA&
-      TEST_IMPORTANCE: Critical
     test:
-    - chain: openshift-e2e-test-hypershift-qe
+    - ref: openshift-extended-test
+    - ref: openshift-e2e-test-qe-report
     workflow: rosa-aws-sts-hcp-capi
-- as: aws-rosa-hcp-capi-private-stage-critical-f7
-  cron: 15 14 3,10,17,24 * *
+- as: aws-rosa-hcp-capi-private-stage-f7
+  cron: 9 23 3,12,19,26 * *
   steps:
     cluster_profile: aws-sd-qe
     env:
       BASE_DOMAIN: qe.devcluster.openshift.com
-      E2E_RUN_TAGS: '@rosa'
-      OPENSHIFT_VERSION: 4.15.0
+      OPENSHIFT_VERSION: "4.15"
       REGION: us-west-2
       TEST_FILTERS: ~ChkUpgrade&;~NonPreRelease&;~Serial&;~Disruptive&;~DisconnectedOnly&;~HyperShiftMGMT&;~MicroShiftOnly&;~NonHyperShiftHOST&;ROSA&
-      TEST_IMPORTANCE: Critical
     test:
-    - chain: openshift-e2e-test-hypershift-qe
+    - ref: openshift-extended-test
+    - ref: openshift-e2e-test-qe-report
     workflow: rosa-aws-sts-hcp-capi-private
 - as: aws-rosa-hcp-int-full-f7
   cron: 29 23 4,13,20,27 * *

diff --git a/...ift/openshift-tests-private/openshift-openshift-tests-private-release-4.15-periodics.yaml b/...ift/openshift-tests-private/openshift-openshift-tests-private-release-4.15-periodics.yaml
@@ -11382,7 +11382,7 @@ periodics:
         secretName: result-aggregator
 - agent: kubernetes
   cluster: build05
-  cron: 15 14 3,10,17,24 * *
+  cron: 9 23 3,12,19,26 * *
   decorate: true
   decoration_config:
     skip_cloning: true
@@ -11397,7 +11397,7 @@ periodics:
     ci.openshift.io/generator: prowgen
     job-release: "4.15"
     pj-rehearse.openshift.io/can-be-rehearsed: "true"
-  name: periodic-ci-openshift-openshift-tests-private-release-4.15-amd64-nightly-aws-rosa-hcp-capi-private-stage-critical-f7
+  name: periodic-ci-openshift-openshift-tests-private-release-4.15-amd64-nightly-aws-rosa-hcp-capi-private-stage-f7
   reporter_config:
     slack:
       channel: '#managed-hypershift-ci-watcher'
@@ -11418,8 +11418,8 @@ periodics:
       - --oauth-token-path=/usr/local/github-credentials/oauth
       - --report-credentials-file=/etc/report/credentials
       - --secret-dir=/secrets/ci-pull-credentials
-      - --secret-dir=/usr/local/aws-rosa-hcp-capi-private-stage-critical-f7-cluster-profile
-      - --target=aws-rosa-hcp-capi-private-stage-critical-f7
+      - --secret-dir=/usr/local/aws-rosa-hcp-capi-private-stage-f7-cluster-profile
+      - --target=aws-rosa-hcp-capi-private-stage-f7
       - --variant=amd64-nightly
       command:
       - ci-operator
@@ -11436,7 +11436,7 @@ periodics:
       - mountPath: /secrets/ci-pull-credentials
         name: ci-pull-credentials
         readOnly: true
-      - mountPath: /usr/local/aws-rosa-hcp-capi-private-stage-critical-f7-cluster-profile
+      - mountPath: /usr/local/aws-rosa-hcp-capi-private-stage-f7-cluster-profile
         name: cluster-profile
       - mountPath: /secrets/gcs
         name: gcs-credentials
@@ -11481,7 +11481,7 @@ periodics:
         secretName: result-aggregator
 - agent: kubernetes
   cluster: build05
-  cron: 5 2 1,3,5,7,9,11,13,15,17,19,21,23,25,27,29 * *
+  cron: 12 6 7,14,23,30 * *
   decorate: true
   decoration_config:
     skip_cloning: true
@@ -11496,7 +11496,7 @@ periodics:
     ci.openshift.io/generator: prowgen
     job-release: "4.15"
     pj-rehearse.openshift.io/can-be-rehearsed: "true"
-  name: periodic-ci-openshift-openshift-tests-private-release-4.15-amd64-nightly-aws-rosa-hcp-capi-stage-critical-f2
+  name: periodic-ci-openshift-openshift-tests-private-release-4.15-amd64-nightly-aws-rosa-hcp-capi-stage-f7
   reporter_config:
     slack:
       channel: '#managed-hypershift-ci-watcher'
@@ -11517,8 +11517,8 @@ periodics:
       - --oauth-token-path=/usr/local/github-credentials/oauth
       - --report-credentials-file=/etc/report/credentials
       - --secret-dir=/secrets/ci-pull-credentials
-      - --secret-dir=/usr/local/aws-rosa-hcp-capi-stage-critical-f2-cluster-profile
-      - --target=aws-rosa-hcp-capi-stage-critical-f2
+      - --secret-dir=/usr/local/aws-rosa-hcp-capi-stage-f7-cluster-profile
+      - --target=aws-rosa-hcp-capi-stage-f7
       - --variant=amd64-nightly
       command:
       - ci-operator
@@ -11535,7 +11535,7 @@ periodics:
       - mountPath: /secrets/ci-pull-credentials
         name: ci-pull-credentials
         readOnly: true
-      - mountPath: /usr/local/aws-rosa-hcp-capi-stage-critical-f2-cluster-profile
+      - mountPath: /usr/local/aws-rosa-hcp-capi-stage-f7-cluster-profile
         name: cluster-profile
       - mountPath: /secrets/gcs
         name: gcs-credentials

diff --git a/ci-operator/step-registry/cucushift/hypershift-extended/capi/OWNERS b/ci-operator/step-registry/cucushift/hypershift-extended/capi/OWNERS
@@ -1,6 +1,8 @@
 approvers:
   - LiangquanLi930
   - heliubj18
+  - fxierh
 reviewers:
   - LiangquanLi930
   - heliubj18
+  - fxierh
diff --git a/ci-operator/step-registry/cucushift/hypershift-extended/capi/clear/OWNERS b/ci-operator/step-registry/cucushift/hypershift-extended/capi/clear/OWNERS
@@ -1,6 +1,8 @@
 approvers:
   - LiangquanLi930
   - heliubj18
+  - fxierh
 reviewers:
   - LiangquanLi930
   - heliubj18
+  - fxierh
diff --git a/...hypershift-extended/capi/clear/cucushift-hypershift-extended-capi-clear-ref.metadata.json b/...hypershift-extended/capi/clear/cucushift-hypershift-extended-capi-clear-ref.metadata.json
@@ -3,11 +3,13 @@
 	"owners": {
 		"approvers": [
 			"LiangquanLi930",
-			"heliubj18"
+			"heliubj18",
+			"fxierh"
 		],
 		"reviewers": [
 			"LiangquanLi930",
-			"heliubj18"
+			"heliubj18",
+			"fxierh"
 		]
 	}
 }
diff --git a/ci-operator/step-registry/cucushift/hypershift-extended/capi/deprovision/OWNERS b/ci-operator/step-registry/cucushift/hypershift-extended/capi/deprovision/OWNERS
@@ -1,6 +1,8 @@
 approvers:
   - LiangquanLi930
   - heliubj18
+  - fxierh
 reviewers:
   - LiangquanLi930
   - heliubj18
+  - fxierh
diff --git a/...xtended/capi/deprovision/cucushift-hypershift-extended-capi-deprovision-ref.metadata.json b/...xtended/capi/deprovision/cucushift-hypershift-extended-capi-deprovision-ref.metadata.json
@@ -3,11 +3,13 @@
 	"owners": {
 		"approvers": [
 			"LiangquanLi930",
-			"heliubj18"
+			"heliubj18",
+			"fxierh"
 		],
 		"reviewers": [
 			"LiangquanLi930",
-			"heliubj18"
+			"heliubj18",
+			"fxierh"
 		]
 	}
 }
diff --git a/ci-operator/step-registry/cucushift/hypershift-extended/capi/enable-hc/OWNERS b/ci-operator/step-registry/cucushift/hypershift-extended/capi/enable-hc/OWNERS
@@ -0,0 +1,8 @@
+approvers:
+  - LiangquanLi930
+  - heliubj18
+  - fxierh
+reviewers:
+  - LiangquanLi930
+  - heliubj18
+  - fxierh
diff --git a/...pershift-extended/capi/enable-hc/cucushift-hypershift-extended-capi-enable-hc-commands.sh b/...pershift-extended/capi/enable-hc/cucushift-hypershift-extended-capi-enable-hc-commands.sh
@@ -0,0 +1,58 @@
+#!/bin/bash
+
+set -euo pipefail
+
+export KUBECONFIG="${SHARED_DIR}/kubeconfig"
+if [[ -f "${SHARED_DIR}/mgmt_kubeconfig" ]]; then
+  export KUBECONFIG="${SHARED_DIR}/mgmt_kubeconfig"
+fi
+
+# get cluster namesapce
+CLUSTER_NAME=$(cat "${SHARED_DIR}/cluster-name")
+if [[ -z "${CLUSTER_NAME}" ]] ; then
+  echo "Error: cluster name not found"
+  exit 1
+fi
+
+read -r namespace _ _  <<< "$(oc get cluster -A | grep ${CLUSTER_NAME})"
+if [[ -z "${namespace}" ]]; then
+  echo "Error: capi cluster name not found, ${CLUSTER_NAME}"
+  exit 1
+fi
+
+secret_name="${CLUSTER_NAME}-kubeconfig"
+if [[ "${ENABLE_EXTERNAL_OIDC}" == "true" ]]; then
+  secret_name="${CLUSTER_NAME}-bootstrap-kubeconfig"
+fi
+
+max_retries=10
+retry_delay=30
+retries=0
+secret=""
+while (( retries < max_retries )); do
+  secret=$(oc get secret -n ${namespace} ${secret_name} --ignore-not-found -ojsonpath='{.data.value}')
+  if [[ ! -z "$secret" ]]; then
+    echo "find the secret ${secret_name} in ${namespace}"
+    break
+  fi
+
+  retries=$(( retries + 1 ))
+  if (( retries < max_retries )); then
+    echo "Retrying in $retry_delay seconds..."
+    sleep $retry_delay
+  else
+    oc get secret -n ${namespace}
+    echo "capi kubeconfig not found, exit"
+    exit 1
+  fi
+done
+
+if [[ !  -f "${SHARED_DIR}/mgmt_kubeconfig" ]] ; then
+  mv $KUBECONFIG "${SHARED_DIR}/mgmt_kubeconfig"
+fi
+
+echo "${secret}" | base64 -d > "${SHARED_DIR}/kubeconfig"
+echo "hosted cluster kubeconfig is switched"
+oc whoami
+
+
diff --git a/...ft-extended/capi/enable-hc/cucushift-hypershift-extended-capi-enable-hc-ref.metadata.json b/...ft-extended/capi/enable-hc/cucushift-hypershift-extended-capi-enable-hc-ref.metadata.json
@@ -0,0 +1,15 @@
+{
+	"path": "cucushift/hypershift-extended/capi/enable-hc/cucushift-hypershift-extended-capi-enable-hc-ref.yaml",
+	"owners": {
+		"approvers": [
+			"LiangquanLi930",
+			"heliubj18",
+			"fxierh"
+		],
+		"reviewers": [
+			"LiangquanLi930",
+			"heliubj18",
+			"fxierh"
+		]
+	}
+}
diff --git a/.../hypershift-extended/capi/enable-hc/cucushift-hypershift-extended-capi-enable-hc-ref.yaml b/.../hypershift-extended/capi/enable-hc/cucushift-hypershift-extended-capi-enable-hc-ref.yaml
@@ -0,0 +1,19 @@
+ref:
+  as: cucushift-hypershift-extended-capi-enable-hc
+  from_image:
+    namespace: ocp
+    name: "4.12"
+    tag: upi-installer
+  grace_period: 5m
+  cli: latest
+  commands: cucushift-hypershift-extended-capi-enable-hc-commands.sh
+  resources:
+    requests:
+      cpu: 100m
+      memory: 100Mi
+  env:
+    - name: ENABLE_EXTERNAL_OIDC
+      default: "false"
+      documentation: Enable external OIDC.
+  documentation: |-
+    prepare some resources to install capi and capa controllers
diff --git a/ci-operator/step-registry/cucushift/hypershift-extended/capi/health-check/OWNERS b/ci-operator/step-registry/cucushift/hypershift-extended/capi/health-check/OWNERS
@@ -1,6 +1,8 @@
 approvers:
   - LiangquanLi930
   - heliubj18
+  - fxierh
 reviewers:
   - LiangquanLi930
   - heliubj18
+  - fxierh
diff --git a/...ft-extended/capi/health-check/cucushift-hypershift-extended-capi-health-check-commands.sh b/...ft-extended/capi/health-check/cucushift-hypershift-extended-capi-health-check-commands.sh
@@ -14,11 +14,11 @@ function set_proxy () {
 }
 
 function rosa_login() {
-    ROSA_VERSION=$(rosa version)
+    # ROSA_VERSION=$(rosa version)
     ROSA_TOKEN=$(cat "${CLUSTER_PROFILE_DIR}/ocm-token")
 
     if [[ ! -z "${ROSA_TOKEN}" ]]; then
-      echo "Logging into ${OCM_LOGIN_ENV} with offline token using rosa cli ${ROSA_VERSION}"
+      echo "Logging into ${OCM_LOGIN_ENV} with offline token using rosa cli"
       rosa login --env "${OCM_LOGIN_ENV}" --token "${ROSA_TOKEN}"
       ocm login --url "${OCM_LOGIN_ENV}" --token "${ROSA_TOKEN}"
     else
@@ -71,11 +71,12 @@ fi
 echo "check machinepool, rosamachinepool status"
 machinepools=$(oc get MachinePools -n "${namespace}" -ojsonpath='{.items[?(@.spec.clusterName=="'"${CLUSTER_NAME}"'")].metadata.name}')
 for machinepool in ${machinepools} ; do
-  mp_status=$(oc get MachinePool "${machinepool}" -n "${namespace}" -ojsonpath='{.status.phase}')
-  if [[ "${mp_status}" != "Running" ]]; then
-    echo "Error: machinepool ${machinepool} is not in the Running status: ${mp_status}"
-    exit 1
-  fi
+# ignore machinepool status, it is still in the ScalingUp status when external oidc
+#  mp_status=$(oc get MachinePool "${machinepool}" -n "${namespace}" -ojsonpath='{.status.phase}')
+#  if [[ "${mp_status}" != "Running" ]]; then
+#    echo "Error: machinepool ${machinepool} is not in the Running status: ${mp_status}"
+#    exit 1
+#  fi
 
   rosamachinepool_name=$(oc get MachinePool -n "${namespace}" "${machinepool}" -ojsonpath='{.spec.template.spec.infrastructureRef.name}')
   is_ready=$(oc get rosamachinepool "${rosamachinepool_name}" -n "${namespace}" -ojsonpath='{.status.ready}')
@@ -191,7 +192,20 @@ fi
 tags=$(jq -r '.spec.additionalTags  //""' < "${capi_cp_json_file}")
 if [[ -n "${tags}" ]]; then
   echo "check rosacontrolplane additionalTags"
-  hc_dft_sg=$(cat "${SHARED_DIR}/capi_hcp_default_security_group")
+  hc_dft_sg=""
+  if [[ -f "${SHARED_DIR}/capi_hcp_default_security_group" ]] ; then
+    hc_dft_sg=$(cat "${SHARED_DIR}/capi_hcp_default_security_group")
+  else
+    cluster_id=$(cat "${SHARED_DIR}/cluster-id")
+    hc_vpc_id=$(cat "${SHARED_DIR}/vpc_id")
+    hc_dft_sg=$(aws ec2 describe-security-groups --region ${REGION} --filters "Name=vpc-id,Values=${hc_vpc_id}" "Name=group-name,Values=${cluster_id}-default-sg" --query 'SecurityGroups[].GroupId' --output text)
+  fi
+
+  if [[ -z "${hc_dft_sg}" ]] ; then
+    echo "default security group not found error"
+    exit 1
+  fi
+
   echo "${tags}" | jq -r 'to_entries[] | "\(.key) \(.value)"' | while read key value; do
     contain_key=$(jq -e '.aws.tags | contains({"'"${key}"'": "'"${value}"'"})' < "${rosa_hcp_info_file}")
     if [[ "${contain_key}" != "true" ]] ; then

diff --git a/...ended/capi/health-check/cucushift-hypershift-extended-capi-health-check-ref.metadata.json b/...ended/capi/health-check/cucushift-hypershift-extended-capi-health-check-ref.metadata.json
@@ -3,11 +3,13 @@
 	"owners": {
 		"approvers": [
 			"LiangquanLi930",
-			"heliubj18"
+			"heliubj18",
+			"fxierh"
 		],
 		"reviewers": [
 			"LiangquanLi930",
-			"heliubj18"
+			"heliubj18",
+			"fxierh"
 		]
 	}
 }
diff --git a/ci-operator/step-registry/cucushift/hypershift-extended/capi/init/OWNERS b/ci-operator/step-registry/cucushift/hypershift-extended/capi/init/OWNERS
@@ -1,6 +1,8 @@
 approvers:
   - LiangquanLi930
   - heliubj18
+  - fxierh
 reviewers:
   - LiangquanLi930
   - heliubj18
+  - fxierh
diff --git a/...cushift/hypershift-extended/capi/init/cucushift-hypershift-extended-capi-init-commands.sh b/...cushift/hypershift-extended/capi/init/cucushift-hypershift-extended-capi-init-commands.sh
@@ -6,19 +6,16 @@ export AWS_SHARED_CREDENTIALS_FILE="${CLUSTER_PROFILE_DIR}/.awscred"
 export AWS_REGION=${REGION}
 export AWS_PAGER=""
 
-#todo debug only
-
+# debug only
 # aws s3 cp s3://heli-test/kubeconfig  ${SHARED_DIR}/kubeconfig
-# cp ${SHARED_DIR}/kubeconfig ${SHARED_DIR}/mgmt_kubeconfig
-
 
 # download clusterctl and clusterawsadm
 mkdir -p /tmp/bin
 export PATH=/tmp/bin:$PATH
-curl -L https://github.com/kubernetes-sigs/cluster-api/releases/download/v1.6.2/clusterctl-linux-amd64 -o /tmp/bin/clusterctl && \
+curl -L https://github.com/kubernetes-sigs/cluster-api/releases/download/v1.7.2/clusterctl-linux-amd64 -o /tmp/bin/clusterctl && \
     chmod +x /tmp/bin/clusterctl
 
-curl -L https://github.com/kubernetes-sigs/cluster-api-provider-aws/releases/download/v2.4.1/clusterawsadm-linux-amd64 -o /tmp/bin/clusterawsadm && \
+curl -L https://github.com/kubernetes-sigs/cluster-api-provider-aws/releases/download/v2.5.0/clusterawsadm_v2.5.0_linux_amd64 -o /tmp/bin/clusterawsadm && \
     chmod +x /tmp/bin/clusterawsadm
 
 export KUBECONFIG="${SHARED_DIR}/kubeconfig"