As a result of fixing OSSA-2025-002, ec2tokens API in Keystone
now by default requires authentication.
The config section `[ec2authtoken]` is now expected to have
auth information for Heat to be able to use this API.
In multicloud configuration keystone auth credentials are
required for each cloud. These can be configured using the new clouds
option and the ``[ec2authtoken.{cloud}]`` sections.
NOTE:
Disables test_software_config.ParallelDeploymentsTest in
grenade. Should follow up to re-enable once fix has been
backported.
Related-Bug: #2119646
Change-Id: Ib41f76c1ba56005b6c4233424cca5768657a7686
Co-Authored-By: Adrian Jarvis <adrian.jarvis@catalystcloud.nz>
Co-Authored-By: Takashi Kajinami <kajinamit@oss.nttdata.com>
Signed-off-by: Pavlo Shchelokovskyy <shchelokovskyy@gmail.com>
... following the global method.
Closes-Bug: #2126581
Change-Id: Ie4b2c73bb6364917d260d2ae9947fdf4802f346d
Signed-off-by: Takashi Kajinami <kajinamit@oss.nttdata.com>
With convergence there is a chance some leaf resource won't be
processed by workers if the stack is marked as failed due to
failure of one resource and stack traversal set to empty string
i.e. traversal cancelled.
Also uses TestResource to simplify the tests.
Change-Id: I1a04853d42f519d9a14dd345ac8cb441b08c4d77
Signed-off-by: rabi <ramishra@redhat.com>
The bind_host option is used only for osprofiler. It is used to
identify the host where the api service runs and can be replaced
by the `host` option.
Also the port option is used only for logging.
Change-Id: Ia55b269207987c419f30a4bfc0cebcf75d8fcb4a
Signed-off-by: Takashi Kajinami <kajinamit@oss.nttdata.com>
At the moment devstack upgrade tries to assign `Member` role
to which Keystone replies with 404 as role naming is case sensitive.
Change-Id: Ib85a920eae6c3ce2369a76282e8ea2fc90f7290b
The wsgi_script feature is being removed because of some changes in
underlying python packaging tooling. This makes heat vendor the wsgi
module which can be used instead of the wsgi script, according to
the proposed community goal[1]. The existing wsgi scripts are kept now
for smooth transition.
[1] https://review.opendev.org/c/openstack/governance/+/902807
Depends-On: https://review.opendev.org/c/openstack/devstack/+/902758
Change-Id: I4dc92f06610753171215913180ce7cdab15ba047
This is a temporary workaround to allow downloading Fedora 37 image
which was moved to the archive path.
Change-Id: I9b1702749976a2cea42a24130e5fec2931b75ce1
The OS_IDENTITY_API_VERSION environment has been removed from tempest.
Replace the environment by the hard-coded value because now only v3
is available.
Depends-on: https://review.opendev.org/c/openstack/devstack/+/923660
Change-Id: If80b48204ac8583714bbff550ad8f73c815ec684
It seems the latest libvirt in Ubuntu is no longer affected by
the known problem with device handling. This re-enables some test
cases which were previously disabled because of the problem.
Change-Id: I538462414f0a9b634d4d216230ed04b49cf71c40
Based on the agreed steps to implement the SRBAC community goal, this
enables the new policy defaults and scope checks by default.
Change-Id: I315893150549d1174c3270c37c031e6a519f9a28
This is a prep work to enforce new default policy rules and scope
checking, and allows users to enable/disable the enforcement by setting
the single knob.
Change-Id: I8248f825a90b50fe874224c7ee06a1de299f1feb
Since we bumped Fedora version used in CI from 36 to 37, we've
seen timeout during boot process more frequently, which results
in job failure. This increases core and ram assigned to Fedora
VMs, to reduce failure rate.
To avoid consuming too much resources, this limits concurrency
of test runner.
Change-Id: I12e8ee0861629fd42a6bd03ec8705751da12ff61
Fedora 36 is already EOLed so we should use more recent version.
Because the guest enters emergency shell when Fedora 38 (latest at
the time of writing) is used, we select Fedora 37 for now.
Change-Id: Ie0876080c771fb124d4dd36f803fbfd3b108e240
This introduces non-voting CentOS 9 Stream functional jobs, to restore
some tests which were disabled because of the known libvirt bug. Though
the bug also affects CentOS 9 Stream, we observe a much lower failure rate
in CentOS 9 Stream so we can restore these test cases in CentOS 9
Stream. The job is kept non-voting until it is proven to be stable
after a while.
Change-Id: I37211aa941be1892ad0ddf0694a758972a0aebba
Some tests have been unstable in Ubuntu Jammy because of the known
libvirt bug, and we have disabled these in functional jobs.
Let's disable the test case in grenade jobs, because these test cases
now cause frequent job failures.
Related-Bug: #1998274
Change-Id: I7038ce3ec2840b133e9ae5eb09a96dc8a5f3abc2
This test is very frequently failing now. The test case creates a stack
with an instance but the stack can't be deleted within timeout because
of the known libvirt bug in Ubuntu Jammy. Because the release deadline
is already over, we'll disable this test so that we can merge some
changes now. We'll revisit this (and the other test cases we disabled)
later.
Related-Bug: #1998274
Story: 2010631
Task: 47589
Change-Id: I87c4b1e7a911fd78e327393b1af200667e89c999
Heat upgrade script sets the env vars TOX_CONSTRAINTS_FILE/UPPER_CONSTRAINTS_FILE
which are used to use the constraints during Tempest virtual env
installation. Those env vars are set to non-master constraints when
we need to use non-master constraints but when we need to use the
master constraints we do not set/reset them to point to master constraints.
This creates an issue when this grenade script installs tempest with
stable constraints but with master Tempest, as there is now a mismatch of
constraints with fasteners of stable branches. Below is the failure
of the heat grenade job on stable/yoga
- https://zuul.opendev.org/t/openstack/build/3aaec4d59bb84068bb4d4428ea747cbd/log/controller/logs/grenade.sh_log.txt#3245
Similarly, the role should set stable constraints only for the stable EM branch,
not for all, otherwise it fails when constraints/requirements are bumped.
- https://zuul.opendev.org/t/openstack/build/74f86b8097f44c35acaffdcfe41d9693
We should set/reset those constraint env vars to master constraints if configuration
tells to use the master constraints.
Closes-Bug: #2003993
Change-Id: I024cd134577338fc1075e7742df7f006dc914646
This test case is frequently failing because of a known libvirt issue
in Ubuntu Jammy. We already disabled one functional test case, but will
disable this test case as well, to reduce failure rate of CI runs and
unblock gate.
The existing skip for a different test case[1] is re-implemented using
the proper configuration knob.
This also fixes tox.ini to adapt to new tox 4.0.
- Update how passenv is defined because space-separated list is no
longer allowed. Also the values are not case sensitive.
- skipdist=True breaks installation so is removed.
[1] https://review.opendev.org/c/openstack/heat/+/866545
Co-Authored-By: Rabi Mishra <ramishra@redhat.com>
Related-Bug: #1998274
Story: 2010487
Task: 47056
Change-Id: I915dc83ccde6b6b8497642857292f9974fd84e98
stestr has removed whitelist / blacklist. This change updates the
devstack upgrade tests to ensure we use the new include-list instead.
9ffeb470fb
Change-Id: Ia0df9b3468fee9382c42c8bd6a35b76ed7f2b4e5
As a followup for change I6a8cffdc86c895eebe4269c5cd37841325566c54
let's use branch specific upper constraints when running tests in
grenade.
Change-Id: I71f8398b6aa57b7c1910750b8e048825383e3d9a
When tls-proxy is enabled, devstack enables SSL for the core services
(Cinder, Glance, Keystone, Nova, Neutron and Swift). This change
ensures that the ca_file parameter is properly defined in clients_*
section for these options, so that requests to these services pick up
the CA certificate.
Change-Id: Ib6278d95d1ce31dc86aa8784a621227e17dc0fe7
The is_ssl_enabled_service function is kept for backward compatibility,
and now returns the same value as `is_service_enabled tls-proxy`
since [1] was merged.
[1] f3b2f4c85307b14f115a020f5eaf6c92026b55b4
Change-Id: I5a3311121e56a7cfaefb73be39d3f60809bafb06
OpenDev infra only keeps around the latest two Fedora releases in their
mirrors. Probe for the image from the local test mirror, but if not
found, fallback to upstream. This will be much less reliable, but can
avoid gate breakage until new images can be used.
Also, use endpoint_type when creating keystoneclient
Keystone admin endpoint has been removed from devstack with[1].
This would use the public endpoint by default.
Change-Id: I96ab14871ee8c5d5b83cc0cd4abc840ef0218ca8
Fedora 31 was retired and the image is gone from mirrors.
heat-cfntools have been dropped from fedora images, disable
the test till that's resolved.
Also makes grenade job non-voting, till this is backported
to stable/victoria.
Change-Id: Id869f83a46454897c2fe7a532eebfa2863befe5e
This function has been deprecated for a long time, let's finally
remove it. It is only generating a warning anyway.
Change-Id: I0f69076ef7c288c113f4e7739c7e12fcfb11d91d
Ceilometer uses gnocchi as the default backend. Also we use
gnocchi based aodh alarms in tests.
gnocchi seems unmaintained with last commit a year or so ago and
does not look like the openstack telemetry team is involved in
that project.
It's better to disable the services and tests in heat to avoid
broken gate like last time, where we fixed it by banning latest
pecan release[1] that does not work with python-gnocchiclient.
[1] https://review.opendev.org/#/c/746261/
Change-Id: Id2ffdf6b9d342e800bab4a94ec46742228361ee8
It conforms with API_WORKERS default calculation to avoid too many
processes consuming the memory.
Change-Id: If2b483711668715047662a286cb0f0e3b52bbdac
Signed-off-by: Cédric Ollivier <ollivier.cedric@gmail.com>