diff --git a/openshift/frontend/Dockerfile b/openshift/frontend/Dockerfile
index d855bdb8..94358b1a 100644
--- a/openshift/frontend/Dockerfile
+++ b/openshift/frontend/Dockerfile
@@ -25,7 +25,7 @@ LABEL \
 USER root
 RUN $DNF_CMD install \
- nss_wrapper httpd mod_ssl python3-mod_wsgi && \
+ nss_wrapper httpd mod_ssl mod_auth_gssapi python3-mod_wsgi && \
 $DNF_CMD clean all
 RUN chmod a+rwx /run/httpd && \
diff --git a/openshift/integration/koji/containers/jenkins-slave/Dockerfile b/openshift/integration/koji/containers/jenkins-slave/Dockerfile
index 64fe82b1..f216f248 100644
--- a/openshift/integration/koji/containers/jenkins-slave/Dockerfile
+++ b/openshift/integration/koji/containers/jenkins-slave/Dockerfile
@@ -37,7 +37,7 @@ RUN ${DNF_CMD} install -y \
 # Jenkins pipeline 'sh' steps seem to require ps
 procps-ng \
 # Tools to interface with our test instances
- koji && \
+ koji krb5-workstation && \
 ${DNF_CMD} clean all
 # CA Certs
diff --git a/openshift/integration/koji/pipelines/templates/mbs-integration-test-template.yaml b/openshift/integration/koji/pipelines/templates/mbs-integration-test-template.yaml
index a28b2929..57b2ef7a 100644
--- a/openshift/integration/koji/pipelines/templates/mbs-integration-test-template.yaml
+++ b/openshift/integration/koji/pipelines/templates/mbs-integration-test-template.yaml
@@ -39,6 +39,16 @@ parameters:
 displayName: The UMB container image to be tested
 description: This field must be in repo:tag or repo@sha256 format
 value: docker-registry.upshift.redhat.com/factory2/umb:latest
+- name: USE_KRB5
+ displayName: Deploy a Kerberos KDC and configure the MBS frontend to require Kerberos authentication.
+ description: If not set to "true", no KDC will be deployed and MBS will allow anonymous access.
+ required: true
+ value: "true"
+- name: KRB5_IMAGE
+ displayName: Kerberos 5 KDC image
+ description: The image used to deploy a Kerberos 5 KDC, if configured to do so.
+ required: false
+ value: quay.io/factory2/krb5-fedora:latest
 - name: TEST_IMAGES
 displayName: Images being tested
 description: >-
@@ -121,6 +131,10 @@ objects:
 value: "${KOJI_IMAGE}"
 - name: UMB_IMAGE
 value: "${UMB_IMAGE}"
+ - name: USE_KRB5
+ value: "${USE_KRB5}"
+ - name: KRB5_IMAGE
+ value: "${KRB5_IMAGE}"
 - name: TEST_IMAGES
 value: "${TEST_IMAGES}"
 - name: IMAGE_IS_SCRATCH
diff --git a/openshift/integration/koji/pipelines/templates/mbs-integration-test.Jenkinsfile b/openshift/integration/koji/pipelines/templates/mbs-integration-test.Jenkinsfile
index 5b8e6d5a..7a4c96f5 100644
--- a/openshift/integration/koji/pipelines/templates/mbs-integration-test.Jenkinsfile
+++ b/openshift/integration/koji/pipelines/templates/mbs-integration-test.Jenkinsfile
@@ -75,7 +75,7 @@ pipeline {
 openshift.withCluster() {
 openshift.withProject() {
 // Cleanup all test environments that were created 1 hour ago in case of failures of previous cleanups.
- c3i.cleanup(script: this, 'umb', 'koji', 'mbs')
+ c3i.cleanup(script: this, 'krb5', 'umb', 'koji', 'mbs')
 }
 }
 }
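Review bot: The new `KRB5_IMAGE` parameter omits the `repo:tag or repo@sha256 format` hint that the sibling image parameters (for example the UMB image just above it) carry in their `description`, and its default `quay.io/factory2/krb5-fedora:latest` is a mutable tag, so two runs of the same pipeline revision can test against different KDC builds. Suggested `description: The image used to deploy a Kerberos 5 KDC, if configured to do so. This field must be in repo:tag or repo@sha256 format.`, with a digest pinned wherever the pipeline is otherwise pinned. Also, `USE_KRB5`'s `displayName` is a full sentence that belongs in `description`; a short `displayName: Require Kerberos authentication` reads better in the template UI, with the current text moved down to the description alongside the existing note that `false` leaves MBS open to anonymous access.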
@@ -113,6 +113,46 @@ pipeline {
 }
 }
 }
+ stage('Deploy KDC') {
+ when {
+ expression {
+ return params.USE_KRB5 == 'true'
+ }
+ }
+ steps {
+ script {
+ env.KRB5_DOMAIN = env.ROUTE_SUFFIX.split('\\.', 2).last()
+ env.KRB5_REALM = env.KRB5_DOMAIN.toUpperCase()
+ env.KRB5_ADMIN_PASSWORD = UUID.randomUUID().toString().take(12)
+ openshift.withCluster() {
+ openshift.withProject(params.TEST_NAMESPACE) {
+ def deployed = krb5.deploy(script: this, test_id: env.TEST_ID,
+ realm: env.KRB5_REALM, domain: env.KRB5_DOMAIN,
+ admin_password: env.KRB5_ADMIN_PASSWORD)
+ // Wait for the KDC to become available, to allow creation of
+ // principals and keytabs for subsequent deployments.
+ c3i.waitForDeployment(script: this, objs: deployed)
+ def ports = openshift.selector('service', "kerberos-${TEST_ID}").object().spec.ports
+ def kdcPort = ports.find { it.name == 'kdc-udp' }.nodePort
+ def adminPort = ports.find { it.name == 'admin' }.nodePort
+ def kpasswdPort = ports.find { it.name == 'kpasswd-udp' }.nodePort
+ def krb5Host = "krb5-${TEST_ID}-${env.ROUTE_SUFFIX}"
+ env.KRB5_KDC_HOST = "${krb5Host}:${kdcPort}"
+ env.KRB5_ADMIN_HOST = "${krb5Host}:${adminPort}"
+ env.KRB5_KPASSWD_HOST = "${krb5Host}:${kpasswdPort}"
+ }
+ }
+ }
+ }
+ post {
+ success {
+ echo "KDC deployed: REALM: ${env.KRB5_REALM} KDC: ${env.KRB5_KDC_HOST}"
+ }
+ failure {
+ echo "KDC deployment FAILED"
+ }
+ }
+ }
 stage('Deploy UMB') {
 steps {
 script {
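Review bot: `env.KRB5_ADMIN_PASSWORD = UUID.randomUUID().toString().take(12)` keeps only the first 8 hex digits, the first hyphen and 3 more hex digits of the UUID, about 44 bits of entropy, and the same truncation is repeated for `env.KRB5_PASSWORD` in the later MBS stage hunk. That password guards the kadmin and kpasswd endpoints the stage then reads back as `nodePort`s, which are presumably reachable from outside the cluster given the `krb5-${TEST_ID}-${env.ROUTE_SUFFIX}` hostname, so the shortening buys nothing and weakens the secret. Dropping `.take(12)` and using the full `UUID.randomUUID().toString()` keeps all 122 random bits with no new API or sandbox approval. Separately, `ports.find { it.name == 'kdc-udp' }.nodePort` and the two lines after it fail with a bare NullPointerException if the service's port names ever change; `(ports.find { it.name == 'kdc-udp' } ?: error("port kdc-udp not found on kerberos-${TEST_ID}")).nodePort` names the failure. The stage is complete within the hunk; the enclosing `stages` block starts and ends outside it.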
@@ -185,6 +225,17 @@ pipeline {
 def cabundle = ca.get_ca_cert().cert + digicertca
 def msgcert = ca.get_ssl_cert("mbs-${TEST_ID}-msg")
 def kojicert = ca.get_ssl_cert(env.KOJI_ADMIN)
+ if (params.USE_KRB5 == 'true') {
+ def krbAdmin = krb5.adminClient()
+ def krbsvc = "HTTP/${env.MBS_SSL_HOST}"
+ krbAdmin.addService(krbsvc)
+ env.MBS_FRONTEND_KEYTAB = krbAdmin.getKeytab(krbsvc)
+ // Usernames between MBS and Koji need to be consistent,
+ // so use the Koji admin as the MBS user.
+ env.KRB5_PRINCIPAL = env.KOJI_ADMIN
+ env.KRB5_PASSWORD = UUID.randomUUID().toString().take(12)
+ krbAdmin.addPrincipal(env.KRB5_PRINCIPAL, env.KRB5_PASSWORD)
+ }
 openshift.withCluster() {
 openshift.withProject(params.TEST_NAMESPACE) {
 def deployed = mbs.deploy(script: this, test_id: env.TEST_ID,
@@ -192,6 +243,9 @@ pipeline {
 brokercert: msgcert, frontendcert: frontendcert, frontendca: ca.get_ca_cert(), cacerts: cabundle,
+ frontend_keytab: params.USE_KRB5 == 'true' ? env.MBS_FRONTEND_KEYTAB : '',
+ krb5_conf_configmap: params.USE_KRB5 == 'true' ? "krb5-${TEST_ID}-config" : '',
+ krb5_user: params.USE_KRB5 == 'true' ? env.KRB5_PRINCIPAL : '',
 kojiurl: "https://${env.KOJI_SSL_HOST}", stompuri: "${env.UMB_HOST}:${env.UMB_STOMP_SSL_PORT}", backend_image: params.MBS_BACKEND_IMAGE,
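Review bot: The keytab returned by `krbAdmin.getKeytab(krbsvc)` is stored in `env.MBS_FRONTEND_KEYTAB`, yet its only consumer visible here is the `frontend_keytab:` argument of `mbs.deploy` in the next hunk; a keytab is a long-lived credential for `HTTP/${env.MBS_SSL_HOST}`, and anything placed on `env` stays set for the rest of the pipeline and is exported into the process environment of every later `sh` step, a wider audience than this one call needs. A `def frontendKeytab = ''` declared before the `if` and assigned inside it can be passed straight to `mbs.deploy`, and the same treatment for the principal makes the `params.USE_KRB5 == 'true' ? … : ''` ternaries for `frontend_keytab` and `krb5_user` in the following hunk unnecessary because the locals already default to `''` (keep `env.KRB5_PRINCIPAL` and `env.KRB5_PASSWORD` if later test stages read them, which is not visible here). The stage containing this block starts before the hunk and the `mbs.deploy` call continues past the end of the second hunk.
```groovy
def kojicert = ca.get_ssl_cert(env.KOJI_ADMIN)
def frontendKeytab = ''
def krb5User = ''
if (params.USE_KRB5 == 'true') {
    def krbAdmin = krb5.adminClient()
    def krbsvc = "HTTP/${env.MBS_SSL_HOST}"
    krbAdmin.addService(krbsvc)
    frontendKeytab = krbAdmin.getKeytab(krbsvc)
    // Usernames between MBS and Koji need to be consistent,
    // so use the Koji admin as the MBS user.
    krb5User = env.KOJI_ADMIN
    env.KRB5_PRINCIPAL = krb5User
    // … unchanged: KRB5_PASSWORD generation and addPrincipal …
}
// … unchanged: openshift.withCluster / withProject and the cert arguments of mbs.deploy …
    frontend_keytab: frontendKeytab,
    krb5_conf_configmap: params.USE_KRB5 == 'true' ? "krb5-${TEST_ID}-config" : '',
    krb5_user: krb5User,
```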