Skip to content

Support Application Credentials in shiftstack-qa automation #13

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
tusharjadhav3302 wants to merge 8 commits into
base: main
Choose a base branch
from
+303 −30
Open

Support Application Credentials in shiftstack-qa automation #13

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
8 commits
Select commit Hold shift + click to select a range
8d5c917
Add Application Credentials support (prepare + day2ops rotation)
tusharjadhav3302 Jun 15, 2026
bda356e
Use oc adm release extract --tools instead of unreliable file-cache f…
tusharjadhav3302 Jun 18, 2026
b4546d3
Address review: reuse prepare role, create-first pattern, pipe to oc …
tusharjadhav3302 Jun 18, 2026
7756aed
Add pull secret extraction fallback and diagnostics for CI debugging
tusharjadhav3302 Jun 22, 2026
35985b8
Use curl + kubeconfig certs for pull secret and bootstrap oc from mir…
tusharjadhav3302 Jun 23, 2026
6c996c3
Fix pull secret extraction to use shell heredoc instead of script module
tusharjadhav3302 Jun 23, 2026
8548bec
Use tempfile for certs, add auth type check, skip bootstrap if oc exi…
tusharjadhav3302 Jun 25, 2026
3624afa
Merge branch 'use-oc-adm-release-extract-for-binaries' into support_a…
tusharjadhav3302 Jun 25, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 3 additions & 0 deletions collection/stages/roles/day2ops/defaults/main.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,3 +2,6 @@
# defaults file for day2ops
day2ops_steps: []
day2ops_report_filename: shiftstack-qa-day2ops-results.xml

# Application Credentials rotation
app_credential_name: "AppCreds-{{ user_cloud }}"
107 changes: 107 additions & 0 deletions collection/stages/roles/day2ops/tasks/procedures/rotate_app_creds.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,107 @@
---
# Source: https://github.com/shiftstack/installer/blob/master/docs/user/openstack/README.md#openstack-credentials-update
- name: Delete existing Application Credential

@imatza-rh imatza-rh Jun 16, 2026

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The delete-before-create pattern means if openstack application credential create fails (line 11), there's no credential at all - the old one was already deleted here.

The IR plugin's update_app_creds.yml shares this pattern, so it's consistent with the source. But worth considering a create-first approach (create with a temp name, verify, update clouds.yaml, then delete the old one) for robustness - especially since the day2ops rescue block doesn't restore the deleted credential.

@tusharjadhav3302 tusharjadhav3302 Jun 18, 2026

Copy link
Copy Markdown
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Addressed. Implemented the create-first approach you suggested. The flow now:

  1. Creates new credential with temp name (AppCreds-shiftstack-new)
  2. Updates clouds.yaml with the new credential
  3. Validates auth works with openstack.cloud.auth
  4. Only then deletes the old credential

If creation fails, the old credential stays intact in clouds.yaml. Also handles cleanup of stale -new credentials from interrupted prior runs.

ansible.builtin.shell: |
openstack application credential delete {{ app_credential_name }}
environment:
OS_CLOUD: "{{ user_cloud }}"
failed_when: false
changed_when: false

- name: Create Application Credential

@imatza-rh imatza-rh Jun 16, 2026

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The IR plugin's update_app_creds.yml first restores user/password auth before creating new app creds:

- name: Make sure we are using user/password so we can create additional app creds
  include_role:
    name: prepare
    tasks_from: project/clouds.yml

This ensures full permissions for the creation step in case the cluster was already rotated to app creds in a prior run. For the current osp_verification flow (first run is always from user/password), this isn't blocking - but if the procedure is ever re-run, the auth reset would be needed.

@tusharjadhav3302 tusharjadhav3302 Jun 18, 2026

Copy link
Copy Markdown
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Addressed. Addedinclude_role: name=shiftstack.stages.prepare tasks_from=clouds.yml as the first step, matching the IR plugin's update_app_creds.yml pattern. This ensures the procedure works correctly on re-runs where the cluster already has app creds active.

ansible.builtin.shell: |
openstack application credential create \
--description "App Creds - All roles" \
"{{ app_credential_name }}" -f yaml
environment:
OS_CLOUD: "{{ user_cloud }}"
register: app_cred_output
changed_when: true

- name: Parse Application Credential output
ansible.builtin.set_fact:
app_cred_info: "{{ app_cred_output.stdout | from_yaml }}"

@imatza-rh imatza-rh Jun 16, 2026

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The clouds.yaml update logic (lines 25-65) is duplicated almost verbatim in prepare/tasks/app_creds.yml. The IR plugin avoids this by having update_app_creds.yml call include_tasks: ../../prepare/tasks/app_creds.yml.

In shiftstack-qa's collection structure, a relative include_tasks across roles may not work. Consider either:

  • Extracting the shared logic into a dedicated task file and using include_role with tasks_from
  • Or keeping it in prepare/tasks/app_creds.yml and calling it from here via include_role: name=shiftstack.stages.prepare tasks_from=app_creds.yml

This would also fix the osp_config_dir guard inconsistency (line 60 here has no when: osp_config_dir is defined guard, but the prepare version does).

@tusharjadhav3302 tusharjadhav3302 Jun 18, 2026

Copy link
Copy Markdown
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Addressed. Refactored rotate_app_creds.yml to call include_role: name=shiftstack.stages.prepare tasks_from=app_creds.yml instead of duplicating the clouds.yaml update logic. This also inherits the osp_config_dir guard from the prepare version.


- name: Read current clouds.yaml
ansible.builtin.slurp:
src: "{{ clouds_yaml_file_path }}"
register: clouds_yaml_file

- name: Set clouds.yaml fact
ansible.builtin.set_fact:
clouds_yaml_params: "{{ clouds_yaml_file.content | b64decode | from_yaml }}"

- name: Build updated cloud entry with application credentials
ansible.builtin.set_fact:
updated_cloud_entry:
auth:
auth_url: "{{ clouds_yaml_params.clouds[user_cloud].auth.auth_url }}"
application_credential_id: "{{ app_cred_info.id }}"
application_credential_secret: "{{ app_cred_info.secret }}"
auth_type: v3applicationcredential
identity_api_version: "{{ clouds_yaml_params.clouds[user_cloud].identity_api_version | default('3') }}"
region_name: "{{ clouds_yaml_params.clouds[user_cloud].region_name | default(omit) }}"

- name: Add cacert to updated cloud entry
ansible.builtin.set_fact:
updated_cloud_entry: "{{ updated_cloud_entry | combine({'cacert': clouds_yaml_params.clouds[user_cloud].cacert}, recursive=True) }}"
when: clouds_yaml_params.clouds[user_cloud].cacert is defined

- name: Update clouds.yaml with application credentials
ansible.builtin.set_fact:
clouds_yaml_params: "{{ {'clouds': (clouds_yaml_params.clouds | combine({user_cloud: updated_cloud_entry}))} }}"

- name: Write updated clouds.yaml
ansible.builtin.copy:
content: "{{ clouds_yaml_params | to_nice_yaml(indent=4) }}"
dest: "{{ clouds_yaml_file_path }}"
mode: u=rw,g=rw,o=r

- name: Update clouds.yaml copy in osp_config_dir
ansible.builtin.copy:
content: "{{ clouds_yaml_params | to_nice_yaml(indent=4) }}"
dest: "{{ osp_config_dir }}/clouds.yaml"
mode: u=rw,g=rw,o=r

- name: Create clouds.yaml copy with cloud renamed for OCP secret
ansible.builtin.shell: |
set -o pipefail && \
cat {{ clouds_yaml_file_path }} | sed 's/{{ user_cloud }}:/openstack:/' > /tmp/clouds_for_ocp.yaml

@imatza-rh imatza-rh Jun 16, 2026

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This writes the modified clouds.yaml (containing the app credential secret) to /tmp/clouds_for_ocp.yaml. Consider piping directly to oc set data to avoid the intermediate file:

Suggested change
cat {{ clouds_yaml_file_path }} | sed 's/{{ user_cloud }}:/openstack:/' > /tmp/clouds_for_ocp.yaml
set -o pipefail && \
cat {{ clouds_yaml_file_path }} | sed 's/{{ user_cloud }}:/openstack:/' | \
oc set data -n kube-system secret/openstack-credentials clouds.yaml=-

The - at the end of clouds.yaml=- tells oc set data to read from stdin. This removes the need for the temp file and the cleanup task.

@tusharjadhav3302 tusharjadhav3302 Jun 18, 2026

Copy link
Copy Markdown
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Addressed. Replaced the temp file pattern with piping directly via clouds.yaml=-:

cat {{ clouds_yaml_file_path }} | sed 's/{{ user_cloud }}:/openstack:/' | \
oc set data -n kube-system secret/openstack-credentials clouds.yaml=-

Eliminates the intermediate file and cleanup task.

changed_when: false

- name: Rotate OpenShift Cloud Credentials
ansible.builtin.shell: |
oc set data -n kube-system secret/openstack-credentials clouds.yaml="$(cat /tmp/clouds_for_ocp.yaml)"
environment:
KUBECONFIG: "{{ kubeconfig }}"
changed_when: true

- name: Clean up temporary file
ansible.builtin.file:
path: /tmp/clouds_for_ocp.yaml
state: absent

- name: Get OpenStack Credentials from OCP cluster
ansible.builtin.shell: |
set -o pipefail && \
oc get secret -n kube-system openstack-credentials -o json | jq -r '.data."clouds.yaml"' | base64 -d
environment:
KUBECONFIG: "{{ kubeconfig }}"
register: ocp_creds_output
changed_when: false

- name: Parse OCP credentials
ansible.builtin.set_fact:
ocp_creds: "{{ ocp_creds_output.stdout | from_yaml }}"

- name: Verify credentials rotated to application credentials
ansible.builtin.assert:
that:
- ocp_creds.clouds.openstack.auth_type == 'v3applicationcredential'
fail_msg: "Credential rotation failed — auth_type is not v3applicationcredential"
success_msg: "Credential rotation verified — auth_type is v3applicationcredential"

- name: Wait until the Cluster Operators are healthy
ansible.builtin.include_role:
name: tools_cluster_checks
tasks_from: wait_until_cluster_operators_ready.yml
4 changes: 4 additions & 0 deletions collection/stages/roles/prepare/defaults/main.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -21,6 +21,10 @@ project:
load_balancers: 1000
load_balancer_listeners: 5000
load_balancer_pools: 5000
# Application Credentials
use_application_credentials: false
app_credential_name: "AppCreds-{{ user_cloud }}"

ocp_api_description: "API {{ ocp_cluster_name }}.{{ ocp_base_domain }}"
ocp_apps_description: "APPS {{ ocp_cluster_name }}.{{ ocp_base_domain }}"
ocp_bootstrap_fip_description: "Bootstrap {{ ocp_cluster_name }}.{{ ocp_base_domain }}"
Expand Down
68 changes: 68 additions & 0 deletions collection/stages/roles/prepare/tasks/app_creds.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,68 @@
---
- name: Delete existing Application Credential
ansible.builtin.shell: |
openstack application credential delete {{ app_credential_name }}
environment:
OS_CLOUD: "{{ user_cloud }}"
failed_when: false
changed_when: false

- name: Create Application Credential
ansible.builtin.shell: |
openstack application credential create \
--description "App Creds - All roles" \
"{{ app_credential_name }}" -f yaml
environment:
OS_CLOUD: "{{ user_cloud }}"
register: app_cred_output
changed_when: true

- name: Parse Application Credential output
ansible.builtin.set_fact:
app_cred_info: "{{ app_cred_output.stdout | from_yaml }}"

- name: Read current clouds.yaml
ansible.builtin.slurp:
src: "{{ clouds_yaml_file_path }}"
register: clouds_yaml_file

- name: Set clouds.yaml fact
ansible.builtin.set_fact:
clouds_yaml_params: "{{ clouds_yaml_file.content | b64decode | from_yaml }}"

- name: Build updated cloud entry with application credentials
ansible.builtin.set_fact:
updated_cloud_entry:
auth:
auth_url: "{{ clouds_yaml_params.clouds[user_cloud].auth.auth_url }}"
application_credential_id: "{{ app_cred_info.id }}"
application_credential_secret: "{{ app_cred_info.secret }}"
auth_type: v3applicationcredential
identity_api_version: "{{ clouds_yaml_params.clouds[user_cloud].identity_api_version | default('3') }}"
region_name: "{{ clouds_yaml_params.clouds[user_cloud].region_name | default(omit) }}"

- name: Add cacert to updated cloud entry
ansible.builtin.set_fact:
updated_cloud_entry: "{{ updated_cloud_entry | combine({'cacert': clouds_yaml_params.clouds[user_cloud].cacert}, recursive=True) }}"
when: clouds_yaml_params.clouds[user_cloud].cacert is defined

- name: Update clouds.yaml with application credentials
ansible.builtin.set_fact:
clouds_yaml_params: "{{ {'clouds': (clouds_yaml_params.clouds | combine({user_cloud: updated_cloud_entry}))} }}"

- name: Write updated clouds.yaml
ansible.builtin.copy:
content: "{{ clouds_yaml_params | to_nice_yaml(indent=4) }}"
dest: "{{ clouds_yaml_file_path }}"
mode: u=rw,g=rw,o=r

- name: Update clouds.yaml copy in osp_config_dir
ansible.builtin.copy:
content: "{{ clouds_yaml_params | to_nice_yaml(indent=4) }}"
dest: "{{ osp_config_dir }}/clouds.yaml"
mode: u=rw,g=rw,o=r
when: osp_config_dir is defined

- name: Validate application credentials work
openstack.cloud.auth:
cloud: "{{ user_cloud }}"
4 changes: 4 additions & 0 deletions collection/stages/roles/prepare/tasks/main.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -32,6 +32,10 @@
- name: Update clouds.yml file with new Project
ansible.builtin.include_tasks: clouds.yml

- name: Configure Application Credentials for OpenStack authentication
ansible.builtin.include_tasks: app_creds.yml
when: use_application_credentials | default(false)

- name: Restricted Network Preparations
ansible.builtin.include_tasks: restricted_network.yml
when:
Expand Down
4 changes: 4 additions & 0 deletions jobs_definitions/osp_verification.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -19,9 +19,13 @@ stages:
- install
- post
- verification
- day2ops
- openstack_test
- lb_tests

day2ops_procedures:
- rotate_app_creds

@imatza-rh imatza-rh Jun 16, 2026

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The day2ops stage is added but use_application_credentials isn't set (defaults to false). This means the cluster installs with user/password, then rotate_app_creds switches it to app creds as a day2 operation.

Is this the intended test flow? The Jenkins cp-migration multijob passes OPENSHIFT_OPENSTACK_APP_CREDS=True which enables BOTH prepare-time app creds AND day2ops rotation. If you want to test the prepare path too, add use_application_credentials: true here.

@tusharjadhav3302 tusharjadhav3302 Jun 18, 2026

Copy link
Copy Markdown
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, intentional for this PR — the test flow is: install with user/password, then rotate_app_creds switches to app creds as a day2 operation. This validates the rotation path. Enabling use_application_credentials: true for prepare-time testing can be added as a follow-up once the rotation path is proven in CI.


ocp_deployment_topology:
network_type: OVNKubernetes
primary_ip_protocol: ipv4 # ipv4 or ipv6
Expand Down