Synchronise 2025.1 with upstream

.zuul.yaml

@@ -145,9 +145,11 @@
       jobs:
         - magnum-tempest-plugin-tests-api
         - magnum-tempest-plugin-tests-api-jammy
-        - magnum-tempest-plugin-tests-cluster-k8s_fcos_v1-1.27-flannel
+        - magnum-tempest-plugin-tests-cluster-k8s_fcos_v1-1.27-flannel:
+            voting: false
         - magnum-tempest-plugin-tests-cluster-k8s_fcos_v1-1.27-calico
-        - magnum-tempest-plugin-tests-cluster-k8s_fcos_v1-1.28-flannel
+        - magnum-tempest-plugin-tests-cluster-k8s_fcos_v1-1.28-flannel:
+            voting: false
         - magnum-tempest-plugin-tests-cluster-k8s_fcos_v1-1.28-calico
         - magnum-container-build
     gate:

devstack/lib/magnum

@@ -49,7 +49,7 @@ MAGNUM_API_PASTE=$MAGNUM_CONF_DIR/api-paste.ini
 MAGNUM_K8S_KEYSTONE_AUTH_DEFAULT_POLICY=$MAGNUM_CONF_DIR/k8s_keystone_auth_default_policy.json
 MAGNUM_POLICY=$MAGNUM_CONF_DIR/policy.yaml
 
-MAGNUM_UWSGI=$MAGNUM_BIN_DIR/magnum-api-wsgi
+MAGNUM_UWSGI=magnum.wsgi.api:application
 MAGNUM_UWSGI_CONF=$MAGNUM_CONF_DIR/magnum-api-uwsgi.ini
 
 # Public facing bits
@@ -242,7 +242,7 @@ function create_magnum_conf {
 
     iniset $MAGNUM_CONF kubernetes keystone_auth_default_policy $MAGNUM_K8S_KEYSTONE_AUTH_DEFAULT_POLICY
 
-    write_uwsgi_config "$MAGNUM_UWSGI_CONF" "$MAGNUM_UWSGI" "/container-infra"
+    write_uwsgi_config "$MAGNUM_UWSGI_CONF" "$MAGNUM_UWSGI" "/container-infra" "" "magnum-api"
 }
 
 function create_api_paste_conf {

dockerfiles/helm-client/Dockerfile

@@ -1,5 +1,5 @@
 ARG HELM_VERSION=v3.2.0
-FROM debian:buster-slim
+FROM debian/eol:buster-slim
 
 ARG HELM_VERSION
 

magnum/common/x509/operations.py

@@ -223,6 +223,12 @@ def sign(csr, issuer_name, ca_key, ca_key_password=None,
         builder = builder.add_extension(extention.value,
                                         critical=extention.critical)
 
+    subject_key_identifier = x509.SubjectKeyIdentifier.from_public_key(
+        csr.public_key())
+    builder = builder.add_extension(
+            subject_key_identifier, critical=False
+    )
+
     certificate = builder.sign(
         private_key=ca_key, algorithm=hashes.SHA256(),
     ).public_bytes(serialization.Encoding.PEM).strip()

magnum/tests/unit/common/x509/test_sign.py

@@ -233,6 +233,26 @@ def test_sign_empty_chars(self, mock_load_pem):
         self.assertEqual(certificate,
                          certificate.strip())
 
+    # If a subject key identifier is given in the CSR, ensure it is added
+    @mock.patch('cryptography.x509.load_pem_x509_csr')
+    def test_sign_subject_key_identifier(self, mock_load_pem):
+        ca_key = self._generate_private_key()
+        private_key = self._generate_private_key()
+        csr_obj = self._build_csr(private_key)
+        csr = csr_obj.public_bytes(serialization.Encoding.PEM)
+        csr = csr.decode('utf-8')
+
+        mock_load_pem.return_value = csr_obj
+        certificate = operations.sign(csr, self.issuer_name,
+                                      ca_key, skip_validation=True)
+
+        # Ensure the Subject Key Identifier extension is present
+        cert = c_x509.load_pem_x509_certificate(certificate)
+        ext_ski = [ext for ext in cert.extensions
+                   if cert.extensions[0].oid ==
+                   c_x509.oid.ExtensionOID.SUBJECT_KEY_IDENTIFIER]
+        self.assertEqual(len(ext_ski), 1)
+
     def test_sign_with_invalid_csr(self):
         ca_key = self._generate_private_key()
         csr = 'test'

magnum/wsgi/api.py

@@ -0,0 +1,24 @@
+# -*- mode: python -*-
+#
+# Copyright 2017 SUSE Linux GmbH
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+import sys
+
+from magnum.api import app as api_app
+from magnum.common import service
+
+service.prepare_service(sys.argv)
+
+application = api_app.load_app()

releasenotes/notes/add-subject-key-identifer-ae5c6ebe86749239.yaml

@@ -0,0 +1,7 @@
+---
+features:
+  - |
+    Add subject key identifier extension to x509 operations
+    signing function. Allows for magnum Kubernetes clusters
+    to generate certificates with authority key
+    identifier extension.