Add Barbican

[vakwetu]

This commit adds the barbican operator to the openstack-operator.

[softwarefactory-project-zuul]

Build failed (check pipeline). Post recheck (without leading slash)
to rerun all jobs. Make sure the failure cause has been resolved before
you rerun jobs.

https://review.rdoproject.org/zuul/buildset/96f5fb72a9f441278f1b294d30bce329

❌ openstack-k8s-operators-content-provider FAILURE in 5m 56s
⚠️ podified-multinode-edpm-deployment-crc SKIPPED Skipped due to failed job openstack-k8s-operators-content-provider
⚠️ cifmw-crc-podified-edpm-baremetal SKIPPED Skipped due to failed job openstack-k8s-operators-content-provider
⚠️ openstack-operator-tempest-multinode SKIPPED Skipped due to failed job openstack-k8s-operators-content-provider

[vakwetu]

/retest

[softwarefactory-project-zuul]

Build failed (check pipeline). Post recheck (without leading slash)
to rerun all jobs. Make sure the failure cause has been resolved before
you rerun jobs.

https://review.rdoproject.org/zuul/buildset/737d77657c894f67b344e5f3aa9a5ab5

❌ openstack-k8s-operators-content-provider NODE_FAILURE Node request 200-0006650721 failed in 0s
⚠️ podified-multinode-edpm-deployment-crc SKIPPED Skipped due to failed job openstack-k8s-operators-content-provider
⚠️ cifmw-crc-podified-edpm-baremetal SKIPPED Skipped due to failed job openstack-k8s-operators-content-provider
⚠️ openstack-operator-tempest-multinode SKIPPED Skipped due to failed job openstack-k8s-operators-content-provider

[vakwetu]

/retest

[vakwetu]

recheck

[softwarefactory-project-zuul]

Build failed (check pipeline). Post recheck (without leading slash)
to rerun all jobs. Make sure the failure cause has been resolved before
you rerun jobs.

https://review.rdoproject.org/zuul/buildset/61b5da1db41b4818a27c4ad7a7058186

✔️ openstack-k8s-operators-content-provider SUCCESS in 1h 24m 50s
❌ podified-multinode-edpm-deployment-crc FAILURE in 1h 05m 14s
❌ cifmw-crc-podified-edpm-baremetal FAILURE in 1h 05m 15s
❌ openstack-operator-tempest-multinode FAILURE in 1h 09m 47s

[abays]

One question here and for all the other samples: do we intend to have Barbican enabled by default? I'm just asking because I don't know one way or the other. Right now it's enabled.

[abays]

One thing I've noticed while trying this out is that the rabbitMqClusterName field is empty in the Barbican section of the OpenStackControlPlane CR. This results in the control plane never finishing deployment, because the TransportURL created by the Barbican controller then uses that empty string as the RabbitMQ cluster name (which the Infra operator considers an error and thus it goes no further).

I see that other operators have the rabbitMqClusterName in their base spec struct as opposed to a template struct that is in-lined [1]. Perhaps using that same approach would fix the problem here. I think the webhooks and the kubebuilder defaulting are interfering here and are setting the rabbitMqClusterName to the empty string, which is somehow tricking the validation into allowing such a zero-value as if the user had explicitly provided it. We've seen similar problems in other operators.

I think this is the cause of the CI failure too:

TASK [edpm_prepare : Wait for OpenStack controlplane to be deployed _raw_params=oc wait OpenStackControlPlane {{ cr_name }} --namespace={{ cifmw_install_yamls_defaults['NAMESPACE'] }} --for=condition=ready --timeout={{ cifmw_edpm_prepare_timeout }}m] ***
Friday 17 November 2023  16:49:55 -0500 (0:00:00.724)       0:10:14.725 ******* 
fatal: [localhost]: FAILED! => ...

[1] https://github.com/openstack-k8s-operators/cinder-operator/blob/3c5c40e6cc3aba6e287b94d26770519f76ae9528/api/v1beta1/cinder_types.go#L55-L59

[abays]

One thing I've noticed while trying this out is that the rabbitMqClusterName field is empty in the Barbican section of the OpenStackControlPlane CR. This results in the control plane never finishing deployment, because the TransportURL created by the Barbican controller then uses that empty string as the RabbitMQ cluster name (which the Infra operator considers an error and thus it goes no further).

I see that other operators have the rabbitMqClusterName in their base spec struct as opposed to a template struct that is in-lined [1]. Perhaps using that same approach would fix the problem here. I think the webhooks and the kubebuilder defaulting are interfering here and are setting the rabbitMqClusterName to the empty string, which is somehow tricking the validation into allowing such a zero-value as if the user had explicitly provided it. We've seen similar problems in other operators.

I think this is the cause of the CI failure too:

TASK [edpm_prepare : Wait for OpenStack controlplane to be deployed _raw_params=oc wait OpenStackControlPlane {{ cr_name }} --namespace={{ cifmw_install_yamls_defaults['NAMESPACE'] }} --for=condition=ready --timeout={{ cifmw_edpm_prepare_timeout }}m] ***
Friday 17 November 2023  16:49:55 -0500 (0:00:00.724)       0:10:14.725 ******* 
fatal: [localhost]: FAILED! => ...

[1] https://github.com/openstack-k8s-operators/cinder-operator/blob/3c5c40e6cc3aba6e287b94d26770519f76ae9528/api/v1beta1/cinder_types.go#L55-L59

I did some more testing. It seems like the struct definition as-is is actually fine. Something else must be causing CI to fail.

[vakwetu]

recheck

[softwarefactory-project-zuul]

Build failed (check pipeline). Post recheck (without leading slash)
to rerun all jobs. Make sure the failure cause has been resolved before
you rerun jobs.

https://review.rdoproject.org/zuul/buildset/463c81acca384963926bf21b7d4e3de2

✔️ openstack-k8s-operators-content-provider SUCCESS in 2h 05m 31s
❌ podified-multinode-edpm-deployment-crc FAILURE in 1h 06m 44s
❌ cifmw-crc-podified-edpm-baremetal FAILURE in 24m 25s
❌ openstack-operator-tempest-multinode RETRY_LIMIT in 1h 52m 07s

[softwarefactory-project-zuul]

Build failed (check pipeline). Post recheck (without leading slash)
to rerun all jobs. Make sure the failure cause has been resolved before
you rerun jobs.

https://review.rdoproject.org/zuul/buildset/9f9194d5630b407886782401fd61288f

✔️ openstack-k8s-operators-content-provider SUCCESS in 1h 24m 53s
✔️ podified-multinode-edpm-deployment-crc SUCCESS in 1h 03m 00s
❌ cifmw-crc-podified-edpm-baremetal FAILURE in 23m 06s
❌ openstack-operator-tempest-multinode FAILURE in 1h 10m 26s

[abays]

The current samples have Barbican enabled by default, since they don't have enabled: false in the YAML. So we need to reflect that here. Also, since Barbican is enabled by default, its condition entry needs to be added to the status.conditions list after the first entry in the list (the one with type: Ready):

  - message: OpenStackControlPlane Barbican completed
    reason: Ready
    status: "True"
    type: OpenStackControlPlaneBarbicanReady

[abays]

It also needs an entry for the Barbican "expose" condition:

    - message: OpenStackControlPlane barbican service exposed
      reason: Ready
      status: "True"
      type: OpenStackControlPlaneExposeBarbicanReady

That should go after the OpenStackControlPlaneClientReady condition.

[dmendiza]

Yes, per JP Jung, the current plan is to always enable Barbican. This also means other projects that integrate with Barbican will be set up to use it by default. e.g. encrypted volumes will store keys there, etc.

[dmendiza]

IIRC, Barbican does not depend or use Memcached in any way.

[vakwetu]

fixed

[vakwetu]

/retest

[softwarefactory-project-zuul]

Build failed (check pipeline). Post recheck (without leading slash)
to rerun all jobs. Make sure the failure cause has been resolved before
you rerun jobs.

https://review.rdoproject.org/zuul/buildset/f2cd794f02964a72aec1d93f7c3a4913

✔️ openstack-k8s-operators-content-provider SUCCESS in 1h 48m 05s
✔️ podified-multinode-edpm-deployment-crc SUCCESS in 1h 08m 31s
❌ cifmw-crc-podified-edpm-baremetal FAILURE in 1h 05m 06s
❌ openstack-operator-tempest-multinode FAILURE in 1h 31m 54s

[softwarefactory-project-zuul]

Build failed (check pipeline). Post recheck (without leading slash)
to rerun all jobs. Make sure the failure cause has been resolved before
you rerun jobs.

https://review.rdoproject.org/zuul/buildset/70dd054cee1446b1862c2aac14a77820

✔️ openstack-k8s-operators-content-provider SUCCESS in 1h 36m 09s
✔️ podified-multinode-edpm-deployment-crc SUCCESS in 1h 03m 02s
❌ cifmw-crc-podified-edpm-baremetal FAILURE in 12m 43s
✔️ openstack-operator-tempest-multinode SUCCESS in 1h 21m 21s

[vakwetu]

recheck

[softwarefactory-project-zuul]

Build failed (check pipeline). Post recheck (without leading slash)
to rerun all jobs. Make sure the failure cause has been resolved before
you rerun jobs.

https://review.rdoproject.org/zuul/buildset/eb80594def0445c5a9c0c03889d478a8

✔️ openstack-k8s-operators-content-provider SUCCESS in 1h 40m 50s
✔️ podified-multinode-edpm-deployment-crc SUCCESS in 1h 07m 04s
❌ cifmw-crc-podified-edpm-baremetal FAILURE in 14m 25s
✔️ openstack-operator-tempest-multinode SUCCESS in 1h 25m 23s

[abays]

recheck

error: Failed to attach interface\nerror: Cannot get interface MTU on 'default': No such device

[softwarefactory-project-zuul]

Build failed (check pipeline). Post recheck (without leading slash)
to rerun all jobs. Make sure the failure cause has been resolved before
you rerun jobs.

https://review.rdoproject.org/zuul/buildset/ac14f2e0cac9465498c8aeb7338339d3

✔️ openstack-k8s-operators-content-provider SUCCESS in 3h 04m 55s
✔️ podified-multinode-edpm-deployment-crc SUCCESS in 1h 03m 37s
✔️ cifmw-crc-podified-edpm-baremetal SUCCESS in 58m 09s
❌ openstack-operator-tempest-multinode FAILURE in 1h 33m 15s

[abays]

Between the last two Zuul attempts, we have full success for the 4 jobs there. Let's try one more recheck and then we can override if it flakes-out again.

[vakwetu]

recheck

[softwarefactory-project-zuul]

Build failed (check pipeline). Post recheck (without leading slash)
to rerun all jobs. Make sure the failure cause has been resolved before
you rerun jobs.

https://review.rdoproject.org/zuul/buildset/a277a3a34c62429fbbe1f69e60f8714c

✔️ openstack-k8s-operators-content-provider SUCCESS in 1h 41m 15s
❌ podified-multinode-edpm-deployment-crc RETRY_LIMIT in 52m 53s
✔️ cifmw-crc-podified-edpm-baremetal SUCCESS in 1h 03m 20s
✔️ openstack-operator-tempest-multinode SUCCESS in 1h 19m 45s

[abays]

/lgtm

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: abays, vakwetu

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [abays]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[abays]

The Zuul jobs have all passed independently over several attempts, so I think we're good there despite the hiccups. I will override by the end of the day unless another reviewer requests changes to the PR.

[abays]

/override rdoproject.org/github-check

[gibizer]

I try to deploy this from a local build and I see that for me barbican is disabled by default even though the code suggests it should be enabled by default.

[openshift-ci]

@abays: Overrode contexts on behalf of abays: rdoproject.org/github-check

In response to this:

/override rdoproject.org/github-check

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[abays]

/hold

[gibizer]

I try to deploy this from a local build and I see that for me barbican is disabled by default even though the code suggests it should be enabled by default.

I used the wrong sample and updating it from the sample from this PR did not work. But recreating the OpenStackControlPlane from the sample from this PR works. Sorry for the noise

[abays]

/unhold