Merge "Add OpenID Connect Token Auth for k8s"

Zuul · openstack-gerrit · commit bfc0c8fdebb0 · 2022-08-25T09:36:16.000Z
diff --git a/tackerclient/tacker/v1_0/nfvo/vim_utils.py b/tackerclient/tacker/v1_0/nfvo/vim_utils.py
@@ -63,7 +63,25 @@ def args2body_vim(config_param, vim):
                 message='Project name must be specified in Kubernetes VIM,'
                         'it is namespace in Kubernetes environment',
                 status_code=404)
-        if ('username' in config_param) and ('password' in config_param):
+        if 'oidc_token_url' in config_param:
+            if ('username' not in config_param or
+                    'password' not in config_param or
+                    'client_id' not in config_param):
+                # the username, password, client_id are required.
+                # client_secret is not required when client type is public.
+                raise exceptions.TackerClientException(
+                    message='oidc_token_url must be specified with username,'
+                            ' password, client_id, client_secret(optional).',
+                    status_code=404)
+            vim['auth_cred'] = {
+                'oidc_token_url': config_param.pop('oidc_token_url'),
+                'username': config_param.pop('username'),
+                'password': config_param.pop('password'),
+                'client_id': config_param.pop('client_id')}
+            if 'client_secret' in config_param:
+                vim['auth_cred']['client_secret'] = config_param.pop(
+                    'client_secret')
+        elif ('username' in config_param) and ('password' in config_param):
             vim['auth_cred'] = {
                 'username': config_param.pop('username', ''),
                 'password': config_param.pop('password', '')}
diff --git a/tackerclient/tests/unit/vm/test_vim_utils.py b/tackerclient/tests/unit/vm/test_vim_utils.py
@@ -76,6 +76,39 @@ def test_args2body_kubernetes_vim_bearer(self):
         vim_utils.args2body_vim(config_param.copy(), vim)
         self.assertEqual(expected_vim, vim)
 
+    def test_args2body_kubernetes_vim_oidc(self):
+        config_param = {'oidc_token_url': sentinel.oidc_token_url,
+                        'username': sentinel.username,
+                        'password': sentinel.password,
+                        'client_id': sentinel.client_id,
+                        'client_secret': sentinel.client_secret,
+                        'ssl_ca_cert': "None",
+                        'project_name': sentinel.prj_name,
+                        'type': 'kubernetes'}
+        vim = {}
+        auth_cred = config_param.copy()
+        auth_cred.pop('project_name')
+        auth_cred.pop('type')
+        expected_vim = {'auth_cred': auth_cred,
+                        'vim_project':
+                            {'name': sentinel.prj_name},
+                        'type': 'kubernetes'}
+        vim_utils.args2body_vim(config_param.copy(), vim)
+        self.assertEqual(expected_vim, vim)
+
+    def test_args2body_kubernetes_vim_oidc_no_username(self):
+        config_param = {'oidc_token_url': sentinel.oidc_token_url,
+                        'password': sentinel.password,
+                        'client_id': sentinel.client_id,
+                        'client_secret': sentinel.client_secret,
+                        'ssl_ca_cert': "None",
+                        'project_name': sentinel.prj_name,
+                        'type': 'kubernetes'}
+        vim = {}
+        self.assertRaises(exceptions.TackerClientException,
+                          vim_utils.args2body_vim,
+                          config_param, vim)
+
     def test_args2body_vim_no_project(self):
         config_param = {'username': sentinel.usrname1,
                         'password': sentinel.password1,
