Add scs-0210-v2 and scs-0214-v1 zuul checks

.zuul.yaml

@@ -11,27 +11,53 @@
     cleanup-run: playbooks/cleanup.yaml  # executed also when the job is canceled
     vars:
       wait_for_cluster: 600  # 10min
+      extra_env: {}
+      sonobouy:
+        enabled: false
+      scs_compliance:
+        enabled: false
 
 - job:
     name: k8s-cluster-api-provider-e2e-conformance
     parent: k8s-cluster-api-provider-e2e-abstract
     description: |
       Run e2e tests of k8s-cluster-api-provider project using
-      [sonobuoy](https://sonobuoy.io/) with mode conformance meaning
-      it will test if the Kubernetes cluster is conformant to the CNCF.
+      [sonobuoy](https://sonobuoy.io/) with mode conformance and
+      SCS compliance checks meaning it will test if the Kubernetes
+      cluster is conformant to the CNCF and to the SCS.
     timeout: 10800  # 3h
     vars:
-      sonobouy_mode: conformance
+      sonobouy:
+        enabled: true
+        mode: conformance
+      scs_compliance:
+        enabled: true
 
 - job:
     name: k8s-cluster-api-provider-e2e-quick
     parent: k8s-cluster-api-provider-e2e-abstract
     description: |
       Run e2e tests of k8s-cluster-api-provider project using
-      [sonobuoy](https://sonobuoy.io/) with mode quick.
+      [sonobuoy](https://sonobuoy.io/) with mode quick and
+      SCS compliance checks.
     timeout: 3600  # 1h
     vars:
-      sonobouy_mode: quick
+      sonobouy:
+        enabled: true
+        mode: quick
+      scs_compliance:
+        enabled: true
+
+- job:
+    name: k8s-cluster-api-provider-scs-compliance-1.27
+    parent: k8s-cluster-api-provider-e2e-abstract
+    description: |
+      Run SCS compliance KaaS tests.
+    vars:
+      extra_env:
+        TF_VAR_kubernetes_version: 1.27.x
+      scs_compliance:
+        enabled: true
 
 - project:
     name: SovereignCloudStack/k8s-cluster-api-provider

playbooks/e2e.yaml

@@ -17,9 +17,11 @@
     pr_or_main: "{{ 'pr' + zuul.change if zuul.change is defined else 'main' }}"
     prefix: "{{ (pr_or_main + '-' + zuul.build) | truncate(12, True, '') }}"
     testcluster_name: "{{ (pr_or_main + '-' + zuul.build) | truncate(12, True, '') }}"
-  environment:
-    ENVIRONMENT: "{{ cloud_provider }}"
-    PATH: "{{ ansible_user_dir }}/.local/bin:{{ ansible_env.PATH }}"
+    env_variables:
+      ENVIRONMENT: "{{ cloud_provider }}"
+      PATH: "{{ ansible_user_dir }}/.local/bin:{{ ansible_env.PATH }}"
+    env_variables_merged: "{{ env_variables | combine(extra_env | default({}) ) }}"
+  environment: "{{ env_variables_merged }}"
   tasks:
   - name: Prepare environment
     block:
@@ -87,7 +89,7 @@
       become: true
       when: mtu.stdout != "1500"
       changed_when: mtu.stdout != "1500"
-  - name: Create k8s cluster and execute sonobouy check
+  - name: Create k8s cluster and execute checks
     block:
     - name: Create k8s cluster
       ansible.builtin.command: "make create GITREFERENCE={{ git_branch_name }} GITREPO={{ git_repository_url }}"
@@ -106,26 +108,21 @@
       environment:
         KUBECONFIG: "{{ testcluster_name }}.yaml.{{ cloud_provider }}"
       changed_when: true
-    - name: Execute sonobouy check mode {{ sonobouy_mode }}
-      ansible.builtin.command: "make check-{{ sonobouy_mode }}"
-      register: sonobouy_results
-      args:
-        chdir: "{{ project_tf_dir }}"
-      changed_when: true
+    - name: Import sonobouy tasks
+      ansible.builtin.import_tasks: tasks/sonobouy.yaml
+      when: sonobouy.enabled
+    - name: Import scs_compliance pre-tasks
+      ansible.builtin.import_tasks: tasks/label_nodes.yaml
+      vars:
+        os_cloud: "{{ cloud_provider }}"
+        kubeconfig_path: "{{ project_tf_dir }}/{{ testcluster_name }}.yaml.{{ cloud_provider }}"
+      when: scs_compliance.enabled
+    - name: Import scs_compliance tasks
+      ansible.builtin.import_tasks: tasks/scs_compliance.yaml
+      vars:
+        kubeconfig_path: "{{ project_tf_dir }}/{{ testcluster_name }}.yaml.{{ cloud_provider }}"
+      when: scs_compliance.enabled
     always:
-    - name: Parse sonobouy results  # noqa: ignore-errors
-      ansible.builtin.set_fact:
-        sonobouy_results_parsed: "{{ sonobouy_results.stdout | regex_search('=== Collecting results ===[\\S\\s]*') }}"
-      when: sonobouy_results is defined
-      ignore_errors: true  # ignore when this task failed as it is nice to have, and we should ensure that fullclean is reached
-    - name: Insert parsed sonobouy results to the warning message that will be appended to the comment zuul leaves on the PR  # noqa: ignore-errors
-      zuul_return:
-        data:
-          zuul:
-            warnings:
-              - "<details>\n  <summary><b>Sonobouy results</b></summary>\n{{ sonobouy_results_parsed }}\n</details>"
-      when: sonobouy_results_parsed is defined and sonobouy_results_parsed | length > 0
-      ignore_errors: true  # ignore when this task failed as it is nice to have, and we should ensure that fullclean is reached
     - name: Cleanup - fullclean
       ansible.builtin.command: "make fullclean"
       args:

playbooks/tasks/label_nodes.yaml

@@ -0,0 +1,64 @@
+---
+- name: Label k8s nodes based on OpenStack host IDs
+  vars:
+    # Note (@mfeder): The following label key serves as a temporary label until upstream
+    #  proposes and implements an alternative label key/solution for indicating a physical machine
+    #  within the Kubernetes cluster.
+    #  refer to: https://github.com/SovereignCloudStack/issues/issues/540
+    label_key: "topology.scs.community/host-id"
+    openstackclient_version: "6.5.0"
+    jq_version: "1.7.1"
+    kubectl_version: "1.28.7"
+    install_dir: "{{ ansible_user_dir }}/.local/bin"
+  block:
+  - name: Check if `os_cloud` variable is defined
+    ansible.builtin.fail:
+      msg: "os_cloud is not defined or empty"
+    when: os_cloud is not defined or os_cloud == ''
+  - name: Check if `kubeconfig_path` variable is defined
+    ansible.builtin.fail:
+      msg: "kubeconfig_path is not defined or empty"
+    when: kubeconfig_path is not defined or kubeconfig_path == ''
+  - name: Install jq
+    ansible.builtin.get_url:
+      url: "https://github.com/jqlang/jq/releases/download/jq-{{ jq_version }}/jq-linux64"
+      dest: "{{ install_dir }}/jq"
+      mode: "+x"
+      # TODO: use `checksum` attr here to verify the digest of the destination file, if available
+  - name: Install kubectl
+    ansible.builtin.get_url:
+      url: "https://dl.k8s.io/release/v{{ kubectl_version }}/bin/linux/amd64/kubectl"
+      dest: "{{ install_dir }}/kubectl"
+      mode: "+x"
+      # TODO: use `checksum` attr here to verify the digest of the destination file, if available
+  - name: Install openstack cli
+    ansible.builtin.pip:
+      name:
+      - "python-openstackclient=={{ openstackclient_version }}"
+      extra_args: --user
+  - name: Get list of OpenStack server details
+    ansible.builtin.shell:
+      cmd: |
+        set -o pipefail
+        openstack server list -f json | jq -r '.[].ID' | while read id; do openstack server show $id -f json; done | jq -s '.'
+      executable: /bin/bash
+    register: openstack_server_list
+    changed_when: false
+    environment:
+      OS_CLOUD: "{{ os_cloud }}"
+  - name: Populate openstack_hosts dict with hostname=host_id pairs
+    ansible.builtin.set_fact:
+      openstack_hosts: "{{ openstack_hosts | default({}) | combine({item.name: item.hostId}) }}"
+    with_items: "{{ openstack_server_list.stdout | from_json }}"
+  - name: Get a list of nodes
+    ansible.builtin.command: kubectl get nodes -o json
+    register: kubernetes_node_list
+    changed_when: false
+    environment:
+      KUBECONFIG: "{{ kubeconfig_path }}"
+  - name: Add node label
+    ansible.builtin.command: "kubectl label nodes {{ item.metadata.name }} {{ label_key }}={{ openstack_hosts[item.metadata.name] }}"
+    with_items: "{{ (kubernetes_node_list.stdout | from_json)['items'] }}"
+    changed_when: false
+    environment:
+      KUBECONFIG: "{{ kubeconfig_path }}"

playbooks/tasks/scs_compliance.yaml

@@ -0,0 +1,50 @@
+---
+- name: Download, install, configure, and execute SCS KaaS compliance check
+  vars:
+    check_dir: "{{ ansible_user_dir }}/scs-compliance"
+    python_venv_dir: "{{ ansible_user_dir }}/scs-compliance/venv"
+  block:
+  - name: Check if `kubeconfig_path` variable is defined
+    ansible.builtin.fail:
+      msg: "kubeconfig_path is not defined or empty"
+    when: kubeconfig_path is not defined or kubeconfig_path == ''
+  - name: Ensure check directory
+    ansible.builtin.file:
+      path: "{{ check_dir }}"
+      state: directory
+      mode: 0755
+  - name: Get SCS KaaS compliance check assets
+    ansible.builtin.git:
+      repo: https://github.com/SovereignCloudStack/standards.git
+      dest: "{{ check_dir }}"
+      single_branch: true
+      version: main
+  - name: Install virtualenv
+    ansible.builtin.package:
+      name: virtualenv
+    become: true
+  - name: Install check requirements
+    ansible.builtin.pip:
+      requirements: "{{ check_dir }}/Tests/requirements.txt"
+      virtualenv: "{{ python_venv_dir }}"
+  - name: Execute SCS KaaS compliance check
+    ansible.builtin.shell:
+      cmd:
+        ". {{ python_venv_dir }}/bin/activate &&
+         python3 {{ check_dir }}/Tests/scs-compliance-check.py {{ check_dir }}/Tests/scs-compatible-kaas.yaml -v -s KaaS_V1 -a kubeconfig={{ kubeconfig_path }}"
+    changed_when: false
+    register: scs_compliance_results
+  always:
+  - name: Parse SCS KaaS compliance results  # noqa: ignore-errors
+    ansible.builtin.set_fact:
+      scs_compliance_results_parsed: "{{ scs_compliance_results.stdout }}"
+    when: scs_compliance_results is defined
+    ignore_errors: true
+  - name: Insert SCS compliance results to the warning message that will be appended to the comment zuul leaves on the PR  # noqa: ignore-errors
+    zuul_return:
+      data:
+        zuul:
+          warnings:
+            - "<details>\n  <summary><b>SCS Compliance results</b></summary>\n{{ scs_compliance_results_parsed }}\n</details>"
+    when: scs_compliance_results_parsed is defined and scs_compliance_results_parsed | length > 0
+    ignore_errors: true

playbooks/tasks/sonobouy.yaml

@@ -0,0 +1,23 @@
+---
+- name: Execute sonobouy check mode {{ sonobouy.mode }}
+  block:
+  - name: Execute sonobouy
+    ansible.builtin.command: "make check-{{ sonobouy.mode }}"
+    register: sonobouy_results
+    args:
+      chdir: "{{ project_tf_dir }}"
+    changed_when: true
+  always:
+  - name: Parse sonobouy results  # noqa: ignore-errors
+    ansible.builtin.set_fact:
+      sonobouy_results_parsed: "{{ sonobouy_results.stdout | regex_search('=== Collecting results ===[\\S\\s]*') }}"
+    when: sonobouy_results is defined
+    ignore_errors: true
+  - name: Insert sonobouy results to the warning message that will be appended to the comment zuul leaves on the PR  # noqa: ignore-errors
+    zuul_return:
+      data:
+        zuul:
+          warnings:
+            - "<details>\n  <summary><b>Sonobouy results</b></summary>\n{{ sonobouy_results_parsed }}\n</details>"
+    when: sonobouy_results_parsed is defined and sonobouy_results_parsed | length > 0
+    ignore_errors: true

playbooks/templates/environment.tfvars.j2

@@ -9,4 +9,7 @@ kind_flavor       = "SCS-2V:4"
 controller_flavor = "SCS-2V:4:20"
 worker_flavor     = "SCS-2V:4:20"
 
+controller_count  = 3
+worker_count      = 3
+
 {{ zuul_config|default("") }}