Add scs-0210-v2 and scs-0214-v1 zuul checks (#714)

* Add scs-0210-v2 and scs-0214-v1 zuul checks

Signed-off-by: Matej Feder <matej.feder@dnation.cloud>

* Add k8s node labels workaround

The SCS node distribution standard, scs-0214-v1, aims to verify the distribution
of k8s nodes across regions, zones, and physical nodes.
While information regarding regions and zones is readily available in node labels,
identifying physical node IDs is not.

This commit introduces a workaround for labeling k8s nodes with their corresponding
physical node IDs.

For more details, refer to the following issue: SovereignCloudStack/issues#540.

Signed-off-by: Matej Feder <matej.feder@dnation.cloud>

* Apply suggestions from code review

Co-authored-by: Matthias Büchse <github@mbue.de>
Signed-off-by: Matej Feder <matej.feder@dnation.cloud>

* Drop unnecessary config task

The updated version of the SCS standard scripts handles
configuration management better.
Therefore, this config task marked with TODO comment is removed.

Signed-off-by: Matej Feder <matej.feder@dnation.cloud>

* Set the k8s node label key and link the related issue

Signed-off-by: Matej Feder <matej.feder@dnation.cloud>

* Adjust the default settings of the e2e pipeline to spin up a cluster with 3 control plane nodes

If we want to perform end-to-end testing on an SCS-compliant Kubernetes cluster, we need 3 control plane nodes

Signed-off-by: Matej Feder <matej.feder@dnation.cloud>

* Remove debug code and stabilize .zuul.yaml config

Signed-off-by: Matej Feder <matej.feder@dnation.cloud>

* Move tasks to the always block

This commit introduces the always block in the sonobuoy.yaml as well as in the scs_compliance.yaml
and moves the "parse" tasks and "Insert ... results to the warning message..." tasks there.

This should ensure that results from failed checks will be returned by Zuul.

Signed-off-by: Matej Feder <matej.feder@dnation.cloud>

---------

Signed-off-by: Matej Feder <matej.feder@dnation.cloud>
Co-authored-by: Matthias Büchse <github@mbue.de>

.zuul.yaml

@@ -11,27 +11,53 @@
     cleanup-run: playbooks/cleanup.yaml  # executed also when the job is canceled
     vars:
       wait_for_cluster: 600  # 10min
+      extra_env: {}
+      sonobouy:
+        enabled: false
+      scs_compliance:
+        enabled: false
 
 - job:
     name: k8s-cluster-api-provider-e2e-conformance
     parent: k8s-cluster-api-provider-e2e-abstract
     description: |
       Run e2e tests of k8s-cluster-api-provider project using
-      [sonobuoy](https://sonobuoy.io/) with mode conformance meaning
-      it will test if the Kubernetes cluster is conformant to the CNCF.
+      [sonobuoy](https://sonobuoy.io/) with mode conformance and
+      SCS compliance checks meaning it will test if the Kubernetes
+      cluster is conformant to the CNCF and to the SCS.
     timeout: 10800  # 3h
     vars:
-      sonobouy_mode: conformance
+      sonobouy:
+        enabled: true
+        mode: conformance
+      scs_compliance:
+        enabled: true
 
 - job:
     name: k8s-cluster-api-provider-e2e-quick
     parent: k8s-cluster-api-provider-e2e-abstract
     description: |
       Run e2e tests of k8s-cluster-api-provider project using
-      [sonobuoy](https://sonobuoy.io/) with mode quick.
+      [sonobuoy](https://sonobuoy.io/) with mode quick and
+      SCS compliance checks.
     timeout: 3600  # 1h
     vars:
-      sonobouy_mode: quick
+      sonobouy:
+        enabled: true
+        mode: quick
+      scs_compliance:
+        enabled: true
+
+- job:
+    name: k8s-cluster-api-provider-scs-compliance-1.27
+    parent: k8s-cluster-api-provider-e2e-abstract
+    description: |
+      Run SCS compliance KaaS tests.
+    vars:
+      extra_env:
+        TF_VAR_kubernetes_version: 1.27.x
+      scs_compliance:
+        enabled: true
 
 - project:
     name: SovereignCloudStack/k8s-cluster-api-provider

playbooks/e2e.yaml

@@ -17,9 +17,11 @@
     pr_or_main: "{{ 'pr' + zuul.change if zuul.change is defined else 'main' }}"
     prefix: "{{ (pr_or_main + '-' + zuul.build) | truncate(12, True, '') }}"
     testcluster_name: "{{ (pr_or_main + '-' + zuul.build) | truncate(12, True, '') }}"
-  environment:
-    ENVIRONMENT: "{{ cloud_provider }}"
-    PATH: "{{ ansible_user_dir }}/.local/bin:{{ ansible_env.PATH }}"
+    env_variables:
+      ENVIRONMENT: "{{ cloud_provider }}"
+      PATH: "{{ ansible_user_dir }}/.local/bin:{{ ansible_env.PATH }}"
+    env_variables_merged: "{{ env_variables | combine(extra_env | default({}) ) }}"
+  environment: "{{ env_variables_merged }}"
   tasks:
   - name: Prepare environment
     block:
@@ -87,7 +89,7 @@
       become: true
       when: mtu.stdout != "1500"
       changed_when: mtu.stdout != "1500"
-  - name: Create k8s cluster and execute sonobouy check
+  - name: Create k8s cluster and execute checks
     block:
     - name: Create k8s cluster
       ansible.builtin.command: "make create GITREFERENCE={{ git_branch_name }} GITREPO={{ git_repository_url }}"
@@ -106,26 +108,21 @@
       environment:
         KUBECONFIG: "{{ testcluster_name }}.yaml.{{ cloud_provider }}"
       changed_when: true
-    - name: Execute sonobouy check mode {{ sonobouy_mode }}
-      ansible.builtin.command: "make check-{{ sonobouy_mode }}"
-      register: sonobouy_results
-      args:
-        chdir: "{{ project_tf_dir }}"
-      changed_when: true
+    - name: Import sonobouy tasks
+      ansible.builtin.import_tasks: tasks/sonobouy.yaml
+      when: sonobouy.enabled
+    - name: Import scs_compliance pre-tasks
+      ansible.builtin.import_tasks: tasks/label_nodes.yaml
+      vars:
+        os_cloud: "{{ cloud_provider }}"
+        kubeconfig_path: "{{ project_tf_dir }}/{{ testcluster_name }}.yaml.{{ cloud_provider }}"
+      when: scs_compliance.enabled
+    - name: Import scs_compliance tasks
+      ansible.builtin.import_tasks: tasks/scs_compliance.yaml
+      vars:
+        kubeconfig_path: "{{ project_tf_dir }}/{{ testcluster_name }}.yaml.{{ cloud_provider }}"
+      when: scs_compliance.enabled
     always:
-    - name: Parse sonobouy results  # noqa: ignore-errors
-      ansible.builtin.set_fact:
-        sonobouy_results_parsed: "{{ sonobouy_results.stdout | regex_search('=== Collecting results ===[\\S\\s]*') }}"
-      when: sonobouy_results is defined
-      ignore_errors: true  # ignore when this task failed as it is nice to have, and we should ensure that fullclean is reached
-    - name: Insert parsed sonobouy results to the warning message that will be appended to the comment zuul leaves on the PR  # noqa: ignore-errors
-      zuul_return:
-        data:
-          zuul:
-            warnings:
-              - "<details>\n  <summary><b>Sonobouy results</b></summary>\n{{ sonobouy_results_parsed }}\n</details>"
-      when: sonobouy_results_parsed is defined and sonobouy_results_parsed | length > 0
-      ignore_errors: true  # ignore when this task failed as it is nice to have, and we should ensure that fullclean is reached
     - name: Cleanup - fullclean
       ansible.builtin.command: "make fullclean"
       args:

playbooks/tasks/label_nodes.yaml

@@ -0,0 +1,64 @@
+---
+- name: Label k8s nodes based on OpenStack host IDs
+  vars:
+    # Note (@mfeder): The following label key serves as a temporary label until upstream
+    #  proposes and implements an alternative label key/solution for indicating a physical machine
+    #  within the Kubernetes cluster.
+    #  refer to: https://github.com/SovereignCloudStack/issues/issues/540
+    label_key: "topology.scs.community/host-id"
+    openstackclient_version: "6.5.0"
+    jq_version: "1.7.1"
+    kubectl_version: "1.28.7"
+    install_dir: "{{ ansible_user_dir }}/.local/bin"
+  block:
+  - name: Check if `os_cloud` variable is defined
+    ansible.builtin.fail:
+      msg: "os_cloud is not defined or empty"
+    when: os_cloud is not defined or os_cloud == ''
+  - name: Check if `kubeconfig_path` variable is defined
+    ansible.builtin.fail:
+      msg: "kubeconfig_path is not defined or empty"
+    when: kubeconfig_path is not defined or kubeconfig_path == ''
+  - name: Install jq
+    ansible.builtin.get_url:
+      url: "https://github.com/jqlang/jq/releases/download/jq-{{ jq_version }}/jq-linux64"
+      dest: "{{ install_dir }}/jq"
+      mode: "+x"
+      # TODO: use `checksum` attr here to verify the digest of the destination file, if available
+  - name: Install kubectl
+    ansible.builtin.get_url:
+      url: "https://dl.k8s.io/release/v{{ kubectl_version }}/bin/linux/amd64/kubectl"
+      dest: "{{ install_dir }}/kubectl"
+      mode: "+x"
+      # TODO: use `checksum` attr here to verify the digest of the destination file, if available
+  - name: Install openstack cli
+    ansible.builtin.pip:
+      name:
+      - "python-openstackclient=={{ openstackclient_version }}"
+      extra_args: --user
+  - name: Get list of OpenStack server details
+    ansible.builtin.shell:
+      cmd: |
+        set -o pipefail
+        openstack server list -f json | jq -r '.[].ID' | while read id; do openstack server show $id -f json; done | jq -s '.'
+      executable: /bin/bash
+    register: openstack_server_list
+    changed_when: false
+    environment:
+      OS_CLOUD: "{{ os_cloud }}"
+  - name: Populate openstack_hosts dict with hostname=host_id pairs
+    ansible.builtin.set_fact:
+      openstack_hosts: "{{ openstack_hosts | default({}) | combine({item.name: item.hostId}) }}"
+    with_items: "{{ openstack_server_list.stdout | from_json }}"
+  - name: Get a list of nodes
+    ansible.builtin.command: kubectl get nodes -o json
+    register: kubernetes_node_list
+    changed_when: false
+    environment:
+      KUBECONFIG: "{{ kubeconfig_path }}"
+  - name: Add node label
+    ansible.builtin.command: "kubectl label nodes {{ item.metadata.name }} {{ label_key }}={{ openstack_hosts[item.metadata.name] }}"
+    with_items: "{{ (kubernetes_node_list.stdout | from_json)['items'] }}"
+    changed_when: false
+    environment:
+      KUBECONFIG: "{{ kubeconfig_path }}"

playbooks/tasks/scs_compliance.yaml

@@ -0,0 +1,50 @@
+---
+- name: Download, install, configure, and execute SCS KaaS compliance check
+  vars:
+    check_dir: "{{ ansible_user_dir }}/scs-compliance"
+    python_venv_dir: "{{ ansible_user_dir }}/scs-compliance/venv"
+  block:
+  - name: Check if `kubeconfig_path` variable is defined
+    ansible.builtin.fail:
+      msg: "kubeconfig_path is not defined or empty"
+    when: kubeconfig_path is not defined or kubeconfig_path == ''
+  - name: Ensure check directory
+    ansible.builtin.file:
+      path: "{{ check_dir }}"
+      state: directory
+      mode: 0755
+  - name: Get SCS KaaS compliance check assets
+    ansible.builtin.git:
+      repo: https://github.com/SovereignCloudStack/standards.git
+      dest: "{{ check_dir }}"
+      single_branch: true
+      version: main
+  - name: Install virtualenv
+    ansible.builtin.package:
+      name: virtualenv
+    become: true
+  - name: Install check requirements
+    ansible.builtin.pip:
+      requirements: "{{ check_dir }}/Tests/requirements.txt"
+      virtualenv: "{{ python_venv_dir }}"
+  - name: Execute SCS KaaS compliance check
+    ansible.builtin.shell:
+      cmd:
+        ". {{ python_venv_dir }}/bin/activate &&
+         python3 {{ check_dir }}/Tests/scs-compliance-check.py {{ check_dir }}/Tests/scs-compatible-kaas.yaml -v -s KaaS_V1 -a kubeconfig={{ kubeconfig_path }}"
+    changed_when: false
+    register: scs_compliance_results
+  always:
+  - name: Parse SCS KaaS compliance results  # noqa: ignore-errors
+    ansible.builtin.set_fact:
+      scs_compliance_results_parsed: "{{ scs_compliance_results.stdout }}"
+    when: scs_compliance_results is defined
+    ignore_errors: true
+  - name: Insert SCS compliance results to the warning message that will be appended to the comment zuul leaves on the PR  # noqa: ignore-errors
+    zuul_return:
+      data:
+        zuul:
+          warnings:
+            - "<details>\n  <summary><b>SCS Compliance results</b></summary>\n{{ scs_compliance_results_parsed }}\n</details>"
+    when: scs_compliance_results_parsed is defined and scs_compliance_results_parsed | length > 0
+    ignore_errors: true

playbooks/tasks/sonobouy.yaml

@@ -0,0 +1,23 @@
+---
+- name: Execute sonobouy check mode {{ sonobouy.mode }}
+  block:
+  - name: Execute sonobouy
+    ansible.builtin.command: "make check-{{ sonobouy.mode }}"
+    register: sonobouy_results
+    args:
+      chdir: "{{ project_tf_dir }}"
+    changed_when: true
+  always:
+  - name: Parse sonobouy results  # noqa: ignore-errors
+    ansible.builtin.set_fact:
+      sonobouy_results_parsed: "{{ sonobouy_results.stdout | regex_search('=== Collecting results ===[\\S\\s]*') }}"
+    when: sonobouy_results is defined
+    ignore_errors: true
+  - name: Insert sonobouy results to the warning message that will be appended to the comment zuul leaves on the PR  # noqa: ignore-errors
+    zuul_return:
+      data:
+        zuul:
+          warnings:
+            - "<details>\n  <summary><b>Sonobouy results</b></summary>\n{{ sonobouy_results_parsed }}\n</details>"
+    when: sonobouy_results_parsed is defined and sonobouy_results_parsed | length > 0
+    ignore_errors: true

playbooks/templates/environment.tfvars.j2

@@ -9,4 +9,7 @@ kind_flavor       = "SCS-2V:4"
 controller_flavor = "SCS-2V:4:20"
 worker_flavor     = "SCS-2V:4:20"
 
+controller_count  = 3
+worker_count      = 3
+
 {{ zuul_config|default("") }}