Update test

openstack-k8s-operators · Jan 7, 2025 · 60d6883 · 60d6883
1 parent 695fd14
commit 60d6883
Show file tree

Hide file tree

Showing 3 changed files with 113 additions and 94 deletions.
diff --git a/templates/keystoneapi/config/httpd.conf b/templates/keystoneapi/config/httpd.conf
@@ -51,16 +51,14 @@ CustomLog /dev/stdout proxy env=forwarded
   SSLCertificateKeyFile   "{{ $vhost.SSLCertificateKeyFile }}"
 {{- end }}
 
- ## WSGI configuration
+  ## WSGI configuration
   WSGIApplicationGroup %{GLOBAL}
   WSGIDaemonProcess {{ $endpt }} display-name={{ $endpt }} group=keystone processes={{ $.ProcessNumber }} threads=1 user=keystone
   WSGIProcessGroup {{ $endpt }}
   WSGIScriptAlias / "/usr/bin/keystone-wsgi-public"
   WSGIPassAuthorization On
 
-
-{{- if $vhost.EnableFederation }}
-  # LoadModule auth_openidc_module modules/mod_auth_openidc.so
+{{ if $vhost.EnableFederation }}
   OIDCClaimPrefix "{{ $vhost.OIDCClaimPrefix }}"
   OIDCResponseType "{{ $vhost.OIDCResponseType }}"
   OIDCScope "{{ $vhost.OIDCScope }}"
@@ -75,7 +73,6 @@ CustomLog /dev/stdout proxy env=forwarded
   OIDCCacheType "{{ $vhost.OIDCCacheType }}"
   OIDCMemCacheServers "{{ $vhost.OIDCMemCacheServers }}"
 
-
   # The following directives are necessary to support websso from Horizon
   # (Per https://docs.openstack.org/keystone/pike/advanced-topics/federation/websso.html)
   OIDCRedirectURI "{{ $vhost.KeystoneEndpoint }}/v3/auth/OS-FEDERATION/identity_providers/{{ $vhost.KeystoneFederationIdentityProviderName }}/protocols/openid/websso"

diff --git a/tests/functional/base_test.go b/tests/functional/base_test.go
@@ -65,7 +65,6 @@ func GetTLSKeystoneAPISpec() map[string]interface{} {
 }
 
 func CreateKeystoneAPI(name types.NamespacedName, spec map[string]interface{}) client.Object {
-
 	raw := map[string]interface{}{
 		"apiVersion": "keystone.openstack.org/v1beta1",
 		"kind":       "KeystoneAPI",
@@ -91,7 +90,7 @@ func CreateKeystoneAPISecret(namespace string, name string) *corev1.Secret {
 		types.NamespacedName{Namespace: namespace, Name: name},
 		map[string][]byte{
 			"AdminPassword":                []byte("12345678"),
-			"KeystoneOIDCClientSecret":     []byte("secret"),
+			"KeystoneOIDCClientSecret":     []byte("secret123"),
 			"KeystoneOIDCCryptoPassphrase": []byte("openstack"),
 		},
 	)

diff --git a/tests/functional/keystoneapi_controller_test.go b/tests/functional/keystoneapi_controller_test.go
@@ -1112,6 +1112,116 @@ var _ = Describe("Keystone controller", func() {
 		})
 	})
 
+	When("A TLS KeystoneAPI is created with an OIDC Federation configuration", func() {
+		BeforeEach(func() {
+			spec := GetTLSKeystoneAPISpec()
+			/* serviceOverride := map[string]interface{}{}
+			serviceOverride["public"] = map[string]interface{}{
+				"endpointURL": "https://keystone-openstack.apps-crc.testing",
+			}
+			spec["override"] = map[string]interface{}{
+				"service": serviceOverride,
+			} */
+			spec["oidcFederation"] = map[string]interface{}{
+				"keystoneFederationIdentityProviderName": "myidp",
+				"oidcCacheType":                          "memcache",
+				"oidcClaimDelimiter":                     ";",
+				"oidcClaimPrefix":                        "OIDC-",
+				"oidcClientID":                           "client123",
+				"oidcIntrospectionEndpoint":              "https://idp.example.com/token/introspect",
+				"oidcPassClaimsAs":                       "both",
+				"oidcPassUserInfoAs":                     "claims",
+				"oidcProviderMetadataURL":                "https://idp.example.com/.well-known/openid-configuration",
+				"oidcResponseType":                       "id_token",
+				"oidcScope":                              "openid email profile",
+				"remoteIDAttribute":                      "HTTP_OIDC_ISS",
+			}
+
+			DeferCleanup(k8sClient.Delete, ctx, th.CreateCABundleSecret(caBundleSecretName))
+			DeferCleanup(k8sClient.Delete, ctx, th.CreateCertSecret(internalCertSecretName))
+			DeferCleanup(k8sClient.Delete, ctx, th.CreateCertSecret(publicCertSecretName))
+			DeferCleanup(th.DeleteInstance, CreateKeystoneAPI(keystoneAPIName, spec))
+			DeferCleanup(
+				k8sClient.Delete, ctx, CreateKeystoneMessageBusSecret(namespace, "rabbitmq-secret"))
+			DeferCleanup(
+				k8sClient.Delete, ctx, CreateKeystoneAPISecret(namespace, SecretName))
+			DeferCleanup(infra.DeleteMemcached, infra.CreateMemcached(namespace, "memcached", memcachedSpec))
+			DeferCleanup(
+				mariadb.DeleteDBService,
+				mariadb.CreateDBService(
+					namespace,
+					GetKeystoneAPI(keystoneAPIName).Spec.DatabaseInstance,
+					corev1.ServiceSpec{
+						Ports: []corev1.ServicePort{{Port: 3306}},
+					},
+				),
+			)
+			mariadb.SimulateMariaDBAccountCompleted(keystoneAccountName)
+			mariadb.SimulateMariaDBDatabaseCompleted(keystoneDatabaseName)
+			infra.SimulateTransportURLReady(types.NamespacedName{
+				Name:      fmt.Sprintf("%s-keystone-transport", keystoneAPIName.Name),
+				Namespace: namespace,
+			})
+			infra.SimulateMemcachedReady(types.NamespacedName{
+				Name:      "memcached",
+				Namespace: namespace,
+			})
+			th.SimulateJobSuccess(dbSyncJobName)
+			th.SimulateJobSuccess(bootstrapJobName)
+			th.SimulateDeploymentReplicaReady(deploymentName)
+		})
+
+		/* It("registers LoadBalancer services keystone endpoints", func() {
+			instance := keystone.GetKeystoneAPI(keystoneAPIName)
+			Expect(instance).NotTo(BeNil())
+			Expect(instance.Status.APIEndpoints).To(HaveKeyWithValue("public", "https://keystone-openstack.apps-crc.testing"))
+			Expect(instance.Status.APIEndpoints).To(HaveKeyWithValue("internal", "https://keystone-internal."+keystoneAPIName.Namespace+".svc:5000"))
+
+			th.ExpectCondition(
+				keystoneAPIName,
+				ConditionGetterFunc(KeystoneConditionGetter),
+				condition.ReadyCondition,
+				corev1.ConditionTrue,
+			)
+		}) */
+
+		It("should configure OIDC in httpd.conf and keystone.conf", func() {
+			scrt := th.GetSecret(keystoneAPIConfigDataName)
+			Expect(scrt).ShouldNot(BeNil())
+
+			// Verify httpd.conf OIDC configuration
+			httpdConf := string(scrt.Data["httpd.conf"])
+			Expect(httpdConf).Should(ContainSubstring("OIDCClaimPrefix \"OIDC-\""))
+			Expect(httpdConf).Should(ContainSubstring("OIDCResponseType \"id_token\""))
+			Expect(httpdConf).Should(ContainSubstring("OIDCScope \"openid email profile\""))
+			Expect(httpdConf).Should(ContainSubstring("OIDCProviderMetadataURL https://idp.example.com/.well-known/openid-configuration"))
+			Expect(httpdConf).Should(ContainSubstring("OIDCClientID \"client123\""))
+			Expect(httpdConf).Should(ContainSubstring("OIDCClientSecret \"secret123\""))
+			Expect(httpdConf).Should(ContainSubstring("OIDCCryptoPassphrase \"openstack\""))
+			Expect(httpdConf).Should(ContainSubstring("OIDCCClaimDelimiter \";\""))
+			Expect(httpdConf).Should(ContainSubstring("OIDCCPassUserInfoAs \"claims\""))
+			Expect(httpdConf).Should(ContainSubstring("OIDCCPassClaimsAs \"both\""))
+			Expect(httpdConf).Should(ContainSubstring("OIDCCacheType \"memcache\""))
+			Expect(httpdConf).Should(ContainSubstring("OIDCRedirectURI \"https://keystone-openstack.apps-crc.testing/v3/auth/OS-FEDERATION/identity_providers/myidp/protocols/openid/websso\""))
+			Expect(httpdConf).Should(ContainSubstring("OIDCRedirectURI \"https://keystone-openstack.apps-crc.testing/v3/auth/OS-FEDERATION/websso/openid\""))
+			Expect(httpdConf).Should(ContainSubstring("LocationMatch \"/v3/auth/OS-FEDERATION/websso/openid\""))
+			Expect(httpdConf).Should(ContainSubstring("LocationMatch \"/v3/auth/OS-FEDERATION/identity_providers/myidp/protocols/openid/websso\""))
+			Expect(httpdConf).Should(ContainSubstring("OIDCAuthClientID \"client123\""))
+			Expect(httpdConf).Should(ContainSubstring("OIDCAuthClientSecret \"secret123\""))
+			Expect(httpdConf).Should(ContainSubstring("OIDCAuthIntrospectionEndpoint \"https://idp.example.com/token/introspect\""))
+			Expect(httpdConf).Should(ContainSubstring("Location ~ \"/v3/auth/OS-FEDERATION/identity_providers/myidp/protocols/openid/auth\""))
+
+			// Verify keystone.conf federation configuration
+			keystoneConf := string(scrt.Data["keystone.conf"])
+			Expect(keystoneConf).Should(ContainSubstring("[federation]"))
+			Expect(keystoneConf).Should(ContainSubstring("trusted_dashboard=https://keystone-openstack.apps-crc.testing/dashboard/auth/websso/"))
+			Expect(keystoneConf).Should(ContainSubstring("[openid]"))
+			Expect(keystoneConf).Should(ContainSubstring("remote_id_attribute = HTTP_OIDC_ISS"))
+			Expect(keystoneConf).Should(ContainSubstring("[auth]"))
+			Expect(keystoneConf).Should(ContainSubstring("methods = password,token,oauth1,mapped,application_credential,openid"))
+		})
+	})
+
 	When("When FernetMaxActiveKeys is created with a number lower than 3", func() {
 		It("should fail", func() {
 			err := InterceptGomegaFailure(
@@ -1560,93 +1670,6 @@ var _ = Describe("Keystone controller", func() {
 		})
 	})
 
-	When("A KeystoneAPI is created with OIDC Federation configuration", func() {
-		BeforeEach(func() {
-			spec := GetDefaultKeystoneAPISpec()
-			spec["oidcFederation"] = map[string]interface{}{
-				"idpName":             "myidp",
-				"idpURL":              "https://idp.example.com",
-				"idpClientID":         "client123",
-				"idpClientSecret":     "secret123",
-				"idpMetadataURL":      "https://idp.example.com/.well-known/openid-configuration",
-				"idpUserInfoURL":      "https://idp.example.com/userinfo",
-				"idpAuthURL":          "https://idp.example.com/auth",
-				"idpTokenURL":         "https://idp.example.com/token",
-				"idpRemoteIDClaim":    "sub",
-				"idpUsernameClaim":    "preferred_username",
-				"idpScopeClaim":       "scope",
-				"idpRolesClaim":       "roles",
-				"idpDomainName":       "Default",
-				"idpDefaultProject":   "demo",
-				"idpDefaultRole":      "member",
-				"idpScopedTokenGroup": "oidc",
-			}
-
-			DeferCleanup(
-				k8sClient.Delete, ctx, CreateKeystoneMessageBusSecret(namespace, "rabbitmq-secret"))
-			DeferCleanup(th.DeleteInstance, CreateKeystoneAPI(keystoneAPIName, spec))
-			DeferCleanup(
-				k8sClient.Delete, ctx, CreateKeystoneAPISecret(namespace, SecretName))
-			DeferCleanup(infra.DeleteMemcached, infra.CreateMemcached(namespace, "memcached", memcachedSpec))
-			DeferCleanup(
-				mariadb.DeleteDBService,
-				mariadb.CreateDBService(
-					namespace,
-					GetKeystoneAPI(keystoneAPIName).Spec.DatabaseInstance,
-					corev1.ServiceSpec{
-						Ports: []corev1.ServicePort{{Port: 3306}},
-					},
-				),
-			)
-			mariadb.SimulateMariaDBAccountCompleted(keystoneAccountName)
-			mariadb.SimulateMariaDBDatabaseCompleted(keystoneDatabaseName)
-			infra.SimulateTransportURLReady(types.NamespacedName{
-				Name:      fmt.Sprintf("%s-keystone-transport", keystoneAPIName.Name),
-				Namespace: namespace,
-			})
-			infra.SimulateMemcachedReady(types.NamespacedName{
-				Name:      "memcached",
-				Namespace: namespace,
-			})
-			th.SimulateJobSuccess(dbSyncJobName)
-			th.SimulateJobSuccess(bootstrapJobName)
-			th.SimulateDeploymentReplicaReady(deploymentName)
-		})
-
-		It("should configure OIDC in httpd.conf and keystone.conf", func() {
-			scrt := th.GetSecret(keystoneAPIConfigDataName)
-			Expect(scrt).ShouldNot(BeNil())
-
-			// Verify httpd.conf OIDC configuration
-			httpdConf := string(scrt.Data["httpd.conf"])
-			Expect(httpdConf).Should(ContainSubstring("LoadModule auth_openidc_module modules/mod_auth_openidc.so"))
-			Expect(httpdConf).Should(ContainSubstring("OIDCProviderMetadataURL https://idp.example.com/.well-known/openid-configuration"))
-			Expect(httpdConf).Should(ContainSubstring("OIDCClientID client123"))
-			Expect(httpdConf).Should(ContainSubstring("OIDCClientSecret secret123"))
-			Expect(httpdConf).Should(ContainSubstring("OIDCRedirectURI https://keystone-public."))
-			Expect(httpdConf).Should(ContainSubstring("/v3/OS-FEDERATION/identity_providers/myidp/protocols/openid/auth"))
-			Expect(httpdConf).Should(ContainSubstring("OIDCRemoteUserClaim preferred_username"))
-			Expect(httpdConf).Should(ContainSubstring("OIDCProviderTokenEndpointAuth client_secret_basic"))
-			Expect(httpdConf).Should(ContainSubstring("OIDCScope \"openid profile email\""))
-
-			// Verify keystone.conf federation configuration
-			keystoneConf := string(scrt.Data["keystone.conf"])
-			Expect(keystoneConf).Should(ContainSubstring("[auth]"))
-			Expect(keystoneConf).Should(ContainSubstring("methods = password,token,oauth1,openid"))
-			Expect(keystoneConf).Should(ContainSubstring("[federation]"))
-			Expect(keystoneConf).Should(ContainSubstring("remote_id_attribute = HTTP_OIDC_ISS"))
-			Expect(keystoneConf).Should(ContainSubstring("[openid]"))
-			Expect(keystoneConf).Should(ContainSubstring("remote_id_claim = sub"))
-			Expect(keystoneConf).Should(ContainSubstring("username_claim = preferred_username"))
-			Expect(keystoneConf).Should(ContainSubstring("scope_claim = scope"))
-			Expect(keystoneConf).Should(ContainSubstring("roles_claim = roles"))
-			Expect(keystoneConf).Should(ContainSubstring("domain_name = Default"))
-			Expect(keystoneConf).Should(ContainSubstring("default_project = demo"))
-			Expect(keystoneConf).Should(ContainSubstring("default_role = member"))
-			Expect(keystoneConf).Should(ContainSubstring("scoped_token_group = oidc"))
-		})
-	})
-
 	// Run MariaDBAccount suite tests.  these are pre-packaged ginkgo tests
 	// that exercise standard account create / update patterns that should be
 	// common to all controllers that ensure MariaDBAccount CRs.