SSHOTCP-7294 Migrate the Slingshot 2.2.0 HPCM/Baremetal FM RBAC policy into CSM #113

Merged
merged 1 commit into from
Aug 14, 2024

@ndavidson-hpe ndavidson-hpe commented Aug 12, 2024

Summary and Scope

Summarize what has changed. Explain why this PR is necessary. What is impacted? Is this a new feature, critical bug fix, etc?

The PR is about migrating the Slingshot 2.2.0 HPCM/Baremetal FM RBAC policy into CSM.

Is this change backwards incompatible, backwards compatible, or a backwards compatible bugfix?

The feature is supported from CSM 1.6 and above.

Issues and Related PRs

List and characterize relationship to Jira/Github issues and other pull requests. Be sure to list dependencies.

  • Resolves [issue id](issue link) : n/a
  • Change will also be needed in <insert branch name here> release/csm-1.6
  • Future work required by [issue id](issue link) : n/a
  • Documentation changes required in [issue id](issue link) : n/a
  • Merge with/before/after <insert PR URL here>

Testing

List the environments in which these changes were tested.

Tested on:

  • <development system> : ego.hpc.amslabs.hpecorp.net
  • Local development environment : New unit test cases were added and pass 100%
  • Virtual Shasta : No

Test description:

How were the changes tested and success verified? If schema changes were part of this change, how were those handled in your upgrade/downgrade testing?

  • Were the install/upgrade-based validation checks/tests run (goss tests/install-validation doc)?
  • Were continuous integration tests run? If not, why? Yes - gamora and tyr
  • Was upgrade tested? If not, why? Use helm upgrade cray-opa <Chart> in Ego
  • Was downgrade tested? If not, why? Use helm rollback cray-opa
  • Were new tests (or test issues/Jiras) created for this change? Yes.

ingressgateway

ncn-m002:~/sehan # for i in ${CLIENTS[@]};do  A=`nmnlb.sh $i`; echo "$i: $A" ; done
admin-client: 200
slingshot-admin-client: 200
slingshot-guest-client: 403
system-slingshot-client: 200

slingshot-guest role is now allowed to access the discovery/swagger resource per policy.

ncn-m002:~/sehan # for i in ${CLIENTS[@]}; do R=`./nmnlb.sh $i`; echo "$i $R" ; done
admin-client 200
slingshot-admin-client 200
slingshot-guest-client 200
system-slingshot-client 200

ingressgateway-customer-admin

ncn-m002:~/sehan # for i in ${CLIENTS[@]};do  A=`cmn.sh $i`; echo "$i: $A" ; done
admin-client: 200
slingshot-admin-client: 200
slingshot-guest-client: 200
system-slingshot-client: 403

ingressgateway-customer-user

ncn-m002:~/sehan # for i in ${CLIENTS[@]};do  A=`can.sh $i`; echo "$i: $A" ; done
admin-client: 404
slingshot-admin-client: 404
slingshot-guest-client: 404
system-slingshot-client: 404

ingressgateway-hmn

ncn-m002:~/sehan # for i in ${CLIENTS[@]};do  A=`hmnlb.sh $i`; echo "$i: $A" ; done
admin-client: 200
slingshot-admin-client: 200
slingshot-guest-client: 200
system-slingshot-client: 200

Unit test result

vagrant@at-pr-dc1:~/work/csm-devel/cray-opa> make test
helm lint "kubernetes/cray-opa"
==> Linting kubernetes/cray-opa
[INFO] Chart.yaml: icon is recommended

1 chart(s) linted, 0 chart(s) failed
docker run --rm -v /home/vagrant/work/csm-devel/cray-opa/kubernetes:/apps quintush/helm-unittest:3.3.0-0.2.5 -3 cray-opa

### Chart [ cray-opa ] cray-opa


Charts:      1 passed, 1 total
Test Suites: 0 passed, 0 total
Tests:       0 passed, 0 total
Snapshot:    0 passed, 0 total
Time:        5.818639ms
...(omitted)...

JWKS FETCHED!
JWKS FETCHED!
./test.rego:
data.istio.authz.test_spire_heartbeat_wrong_xname: PASS (19.540852ms)
data.istio.authz.test_spire_wrong_xname_subs: PASS (238.342616ms)
data.istio.authz.test_tpm_provisioner_wrong_xname: PASS (11.910937ms)
--------------------------------------------------------------------------------
PASS: 3/3

Risks and Mitigations

Are there known issues with these changes? Any other special considerations?

Pull Request Checklist

  • Version number(s) incremented, if applicable
  • Copyrights updated
  • License file intact
  • Target branch correct
  • CHANGELOG.md updated
  • Testing is appropriate and complete, if applicable
  • HPC Product Announcement prepared, if applicable

@ndavidson-hpe ndavidson-hpe force-pushed the SSHOTCP-7294-suggested branch 4 times, most recently from 301f2fa to 5d35a21 Compare August 12, 2024 22:29
@ndavidson-hpe ndavidson-hpe marked this pull request as ready for review August 12, 2024 22:34
@ndavidson-hpe ndavidson-hpe requested a review from a team as a code owner August 12, 2024 22:34
@sehan-snyk sehan-snyk changed the title SSHOTCP-7294 Migrate the Slingshot 2.2.0 HPCM/Baremetal FM RBAC polic… SSHOTCP-7294 Migrate the Slingshot 2.2.0 HPCM/Baremetal FM RBAC policy into CSM Aug 12, 2024
@sehan-snyk sehan-snyk force-pushed the SSHOTCP-7294-suggested branch from 334b79f to d751b04 Compare August 13, 2024 00:03
@mtupitsyn

@ndavidson-hpe You can add scan-image-snyk-args: "--severity-threshold=critical" to .github/workflows/charts-lint-test-scan.yml, or add a Snyk suppression file like this to suppress the validation check error.

@ndavidson-hpe ndavidson-hpe merged commit 77ac80b into master Aug 14, 2024
4 of 5 checks passed
@ndavidson-hpe ndavidson-hpe deleted the SSHOTCP-7294-suggested branch August 14, 2024 16:42