Hi all,

$Subject is currently broken.
We do not yet have an open bug for this, but did have a few related
(but different) ones, including:
https://bugzilla.redhat.com/show_bug.cgi?id=2122174
https://bugzilla.redhat.com/show_bug.cgi?id=2113980
While looking at this, I decided it's about time to have
ovirt-system-tests test this flow, as it seems it's not tested enough
otherwise.

Right now, I managed to make it all work, but do have some open
questions, thus the current email.

What I have right now
=====================
1. This harmless patch to the engine, to just add new library code,
only to be used (for now) by grafana setup code (later):
https://github.com/oVirt/ovirt-engine/pull/669
I see no obvious reason to not merge it already, but if it turns out
that only grafana setup is going to ever use it, it might be easier to
move this code there. In principle it can be useful also for OVN, as
commented there.
2. This patch to DWH. It's "mandatory", but not enough to get a
complete solution. Should be ready for merge. Requires above engine
patch.
https://github.com/oVirt/ovirt-dwh/pull/57
3. This PR for ovirt-system-tests:
https://github.com/oVirt/ovirt-system-tests/pull/293
What's inside:
3.1. "Make grafana test use grafana_fqdn" - should be trivial and harmless.
3.2. "WIP: Add separate-machine-basic-suite-master" - started as a
copy of basic-suite-master. Much of it is links to there. To review
the rest, you can compare with relevant files in basic-suite. "WIP",
because it's not enough, see later, but is probably more-or-less also
ready for merging.
3.3. "WIP: Add the dwh/grafana host name to keycloak redirect URIs" -
this is where my main question/issue is. Without this, our setup code
sets redirectUris to point only at the engine machine, so when trying
to log in to grafana with SSO, you get an error from keycloak, e.g. as
in:
https://stackoverflow.com/questions/51275797/invalid-redirect-uri-keycloa...
When configuring things manually, it's up to the user to handle all of
this. This applies either to oVirt users that want to do this
manually, or to RHV users, where keycloak is not integrated:
https://blogs.ovirt.org/2019/01/federate-ovirt-engine-authentication-to-o...
https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.4/...
So it sounds like it makes sense to fix this in dwh/grafana setup
code, not in OST, right? But this is slightly more risky and annoying,
as we'll need to prompt asking the user for the keycloak admin
password. Perhaps we do want to do this anyway, but perhaps it's
enough to document how to do this manually (and keep this patch in OST
as an implementation of this document).
3.4. "WIP: Copy test_verify_engine_certs to test_001" - not sure I
always needed it, but should be harmless. Perhaps should be done more
nicely somehow also for other suites.
Opinions/comments/ideas/suggestions/whatever are most welcome!
Thanks and best regards,
--
Didi
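
The redirect-URI problem from item 3.3, as an added example that is not part of the original email or of any oVirt patch: a simplified model of Keycloak's redirect check (exact match, or prefix match for an entry ending in `*`) and an idempotent update of a client's `redirectUris`. The host names, the client id and the grafana callback path are constructed placeholders.

```python
import json

# Constructed sample: the relevant part of a Keycloak client representation
# with only the engine machine registered. Host names and the client id
# are placeholders, not oVirt's real values.
CLIENT_JSON = """
{
  "clientId": "example-ovirt-client",
  "redirectUris": ["https://engine.example.test/*"]
}
"""
# Constructed callback URL on the separate dwh/grafana machine (assumed path).
CALLBACK = "https://grafana.example.test/ovirt-engine-grafana/login/generic_oauth"


def uri_allowed(registered, redirect_uri):
    """Simplified model of the check: exact match, or prefix match when
    the registered entry ends in '*'."""
    for pattern in registered:
        if pattern.endswith("*"):
            if redirect_uri.startswith(pattern[:-1]):
                return True
        elif redirect_uri == pattern:
            return True
    return False


def add_grafana_redirect(client, grafana_fqdn, path="/*"):
    """Return a copy of the client with the grafana host registered (idempotent)."""
    if not grafana_fqdn or any(c in grafana_fqdn for c in "/*?#@ "):
        # Refuse anything that is not a bare host name, so a bad value
        # cannot widen the set of accepted redirects.
        raise ValueError("grafana_fqdn must be a bare host name")
    new_uri = f"https://{grafana_fqdn}{path}"
    uris = list(client.get("redirectUris", []))
    if new_uri not in uris:
        uris.append(new_uri)
    return {**client, "redirectUris": uris}


if __name__ == "__main__":
    client = json.loads(CLIENT_JSON)
    print("before:", uri_allowed(client["redirectUris"], CALLBACK))
    fixed = add_grafana_redirect(client, "grafana.example.test")
    print("after: ", uri_allowed(fixed["redirectUris"], CALLBACK))
    print(json.dumps(fixed, indent=2))
```

Passing a narrower `path` than the default `/*` keeps the set of redirects the client accepts as small as the grafana login flow needs.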