Make keystone default roles the default RBAC

This patch makes the current version of the keystone default roles the
default RBAC policy for Octavia.

Change-Id: Icf3171c8bb6496e2999e078b74fdbbc53b922f97
Michael Johnson
2024-09-16 22:57:00 +00:00
committed by Gregory Thiemonge
parent 697c89ec23
commit 22929f654e
14 changed files with 361 additions and 176 deletions


@@ -431,6 +431,10 @@ function octavia_configure {
# Controller side symmetric encryption, not used for PKI
iniset $OCTAVIA_CONF certificates server_certs_key_passphrase insecure-key-do-not-use-this-key
if [[ "$OCTAVIA_USE_ADVANCED_RBAC" == "True" ]]; then
cp $OCTAVIA_DIR/etc/policy/octavia-advanced-rbac-policy.yaml $OCTAVIA_CONF_DIR/policy.yaml
iniset $OCTAVIA_CONF oslo_policy policy_file $OCTAVIA_CONF_DIR/policy.yaml
fi
if [[ "$OCTAVIA_USE_LEGACY_RBAC" == "True" ]]; then
cp $OCTAVIA_DIR/etc/policy/admin_or_owner-policy.yaml $OCTAVIA_CONF_DIR/policy.yaml
iniset $OCTAVIA_CONF oslo_policy policy_file $OCTAVIA_CONF_DIR/policy.yaml
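Review bot: The `OCTAVIA_USE_ADVANCED_RBAC` block (apparently the four added lines) and the `OCTAVIA_USE_LEGACY_RBAC` block after it both copy onto `$OCTAVIA_CONF_DIR/policy.yaml`, so with both flags set to True the legacy admin_or_owner file silently replaces the advanced policy that was just installed. Treat the two options as mutually exclusive: either chain the second test with `elif`, or fail early when both are True, e.g. `die $LINENO "OCTAVIA_USE_ADVANCED_RBAC and OCTAVIA_USE_LEGACY_RBAC are mutually exclusive"`. The legacy block's closing `fi` lies outside the hunk.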


@@ -0,0 +1,74 @@
# This policy YAML file implements the "Advanced RBAC" rules for Octavia that
# were introduced in the Pike release of the Octavia API.
#
# These rules require users to have a load-balancer_* role to be able to access
# the Octavia v2 API.
#
# This is stricter than the "Keystone Default Roles" implemented in the code
# as part of the "Consistent and Secure Default RBAC" OpenStack community goal.
# The default is to not allow access unless the auth_strategy is 'noauth'.
# Users must be a member of one of the following roles to have access to
# the load-balancer API:
#
# role:load-balancer_observer
# User has access to load-balancer read-only APIs
# role:load-balancer_global_observer
# User has access to load-balancer read-only APIs including resources
# owned by others.
# role:load-balancer_member
# User has access to load-balancer read and write APIs
# role:load-balancer_admin
# User is considered an admin for all load-balnacer APIs including
# resources owned by others.
# role:admin
# User is admin to all APIs
"context_is_admin": "role:admin or
role:load-balancer_admin"
# API access roles
"load-balancer:owner": "project_id:%(project_id)s"
# Note: 'is_admin:True' is a policy rule that takes into account the
# auth_strategy == noauth configuration setting.
# It is equivalent to 'rule:context_is_admin or {auth_strategy == noauth}'
"load-balancer:admin": "is_admin:True or
role:admin or
role:load-balancer_admin"
"load-balancer:observer_and_owner": "role:load-balancer_observer and
rule:load-balancer:owner"
"load-balancer:global_observer": "role:load-balancer_global_observer"
"load-balancer:member_and_owner": "role:load-balancer_member and
rule:load-balancer:owner"
# API access methods
"load-balancer:read": "rule:load-balancer:observer_and_owner or
rule:load-balancer:global_observer or
rule:load-balancer:member_and_owner or
rule:load-balancer:admin"
"load-balancer:read-global": "rule:load-balancer:global_observer or
rule:load-balancer:admin"
"load-balancer:write": "rule:load-balancer:member_and_owner or
rule:load-balancer:admin"
"load-balancer:read-quota": "rule:load-balancer:observer_and_owner or
rule:load-balancer:global_observer or
rule:load-balancer:member_and_owner or
role:load-balancer_quota_admin or
rule:load-balancer:admin"
"load-balancer:read-quota-global": "rule:load-balancer:global_observer or
role:load-balancer_quota_admin or
rule:load-balancer:admin"
"load-balancer:write-quota": "role:load-balancer_quota_admin or
rule:load-balancer:admin"
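Review bot: The role list in the header comment omits `role:load-balancer_quota_admin`, although the `load-balancer:read-quota`, `load-balancer:read-quota-global` and `load-balancer:write-quota` rules at the end of the file grant access to it. An operator assigning roles from that list would not learn the role exists or that it reaches quotas owned by other projects. Add an entry such as `# role:load-balancer_quota_admin` followed by `#     User has access to the quota read and write APIs, including quotas owned by others`. In the same list, "load-balnacer" should read "load-balancer".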


@@ -13,6 +13,7 @@
import itertools
from octavia.policies import advanced_rbac
from octavia.policies import amphora
from octavia.policies import availability_zone
from octavia.policies import availability_zone_profile
@@ -20,6 +21,7 @@ from octavia.policies import base
from octavia.policies import flavor
from octavia.policies import flavor_profile
from octavia.policies import healthmonitor
from octavia.policies import keystone_default_roles
from octavia.policies import l7policy
from octavia.policies import l7rule
from octavia.policies import listener
@@ -35,6 +37,8 @@ from octavia.policies import quota
def list_rules():
return itertools.chain(
base.list_rules(),
keystone_default_roles.list_rules(),
advanced_rbac.list_rules(),
flavor.list_rules(),
flavor_profile.list_rules(),
availability_zone.list_rules(),


@@ -0,0 +1,95 @@
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_log import versionutils
from oslo_policy import policy
from octavia.common import constants
# Octavia specific Advanced RBAC rules
# The default is to not allow access unless the auth_strategy is 'noauth'.
# Users must be a member of one of the following roles to have access to
# the load-balancer API:
#
# role:load-balancer_observer
# User has access to load-balancer read-only APIs
# role:load-balancer_global_observer
# User has access to load-balancer read-only APIs including resources
# owned by others.
# role:load-balancer_member
# User has access to load-balancer read and write APIs
# role:load-balancer_admin
# User is considered an admin for all load-balancer APIs including
# resources owned by others.
deprecated_context_is_admin = policy.DeprecatedRule(
name='context_is_admin',
check_str='role:admin or '
'role:load-balancer_admin',
deprecated_reason=constants.RBAC_ROLES_DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.WALLABY,
)
# Note: 'is_admin:True' is a policy rule that takes into account the
# auth_strategy == noauth configuration setting.
# It is equivalent to 'rule:context_is_admin or {auth_strategy == noauth}'
deprecated_admin = policy.DeprecatedRule(
name='load-balancer:admin',
check_str='is_admin:True or '
'role:admin or '
'role:load-balancer_admin',
deprecated_reason=constants.RBAC_ROLES_DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.WALLABY,
)
deprecated_global_observer = policy.DeprecatedRule(
name='load-balancer:global_observer',
check_str='role:load-balancer_global_observer',
deprecated_reason=constants.RBAC_ROLES_DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.WALLABY,
)
deprecated_member_and_owner = policy.DeprecatedRule(
name='load-balancer:member_and_owner',
check_str='role:load-balancer_member and '
'rule:load-balancer:owner',
deprecated_reason=constants.RBAC_ROLES_DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.WALLABY,
)
deprecated_observer_and_owner = policy.DeprecatedRule(
name='load-balancer:observer_and_owner',
check_str='role:load-balancer_observer and '
'rule:load-balancer:owner',
deprecated_reason=constants.RBAC_ROLES_DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.WALLABY,
)
deprecated_quota_admin = policy.DeprecatedRule(
name='load-balancer:quota-admin',
check_str='role:load-balancer_quota_admin',
deprecated_reason=constants.RBAC_ROLES_DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.WALLABY,
)
rules = [
policy.RuleDefault(
name='load-balancer:owner',
check_str='project_id:%(project_id)s',
scope_types=[constants.RBAC_SCOPE_PROJECT]),
]
def list_rules():
return rules
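Review bot: Every `DeprecatedRule` in this new module carries `deprecated_since=versionutils.deprecated.WALLABY`, but `deprecated_admin`, `deprecated_global_observer` and `deprecated_quota_admin` are not among the deprecated rules removed from the policy file in the following section, so they look newly introduced, with defaults that only change in this commit. The deprecation warning oslo.policy logs would then name the wrong release; for those three, `deprecated_since` should name the release this change ships in. `deprecated_quota_admin` also deprecates the name `load-balancer:quota-admin`, which the old defaults do not appear to have registered as a rule (they used `role:load-balancer_quota_admin` inline), so confirm that pairing is intended. A module docstring stating that this file now registers only `load-balancer:owner` and otherwise holds the previous check strings would keep readers from assuming the Advanced RBAC rules are still active defaults.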


@@ -10,112 +10,16 @@
# License for the specific language governing permissions and limitations
# under the License.
from oslo_log import versionutils
from oslo_policy import policy
from octavia.common import constants
deprecated_context_is_admin = policy.DeprecatedRule(
name='context_is_admin',
check_str='role:admin or '
'role:load-balancer_admin',
deprecated_reason=constants.RBAC_ROLES_DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.WALLABY,
)
deprecated_observer_and_owner = policy.DeprecatedRule(
name='load-balancer:observer_and_owner',
check_str='role:load-balancer_observer and '
'rule:load-balancer:owner',
deprecated_reason=constants.RBAC_ROLES_DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.WALLABY,
)
deprecated_member_and_owner = policy.DeprecatedRule(
name='load-balancer:member_and_owner',
check_str='role:load-balancer_member and '
'rule:load-balancer:owner',
deprecated_reason=constants.RBAC_ROLES_DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.WALLABY,
)
rules = [
# OpenStack wide scoped rules
# Project scoped Member
policy.RuleDefault(
name='project-member',
check_str='role:member and '
'project_id:%(project_id)s',
scope_types=[constants.RBAC_SCOPE_PROJECT]),
# Project scoped Reader
policy.RuleDefault(
name='project-reader',
check_str='role:reader and '
'project_id:%(project_id)s',
scope_types=[constants.RBAC_SCOPE_PROJECT]),
# Octavia specific Advanced RBAC rules
# The default is to not allow access unless the auth_strategy is 'noauth'.
# Users must be a member of one of the following roles to have access to
# the load-balancer API:
#
# role:load-balancer_observer
# User has access to load-balancer read-only APIs
# role:load-balancer_global_observer
# User has access to load-balancer read-only APIs including resources
# owned by others.
# role:load-balancer_member
# User has access to load-balancer read and write APIs
# role:load-balancer_admin
# User is considered an admin for all load-balancer APIs including
# resources owned by others.
policy.RuleDefault(
name='context_is_admin',
check_str='role:load-balancer_admin or '
'role:admin',
deprecated_rule=deprecated_context_is_admin,
scope_types=[constants.RBAC_SCOPE_PROJECT]),
# Note: 'is_admin:True' is a policy rule that takes into account the
# auth_strategy == noauth configuration setting.
# It is equivalent to 'rule:context_is_admin or {auth_strategy == noauth}'
policy.RuleDefault(
name='load-balancer:owner',
check_str='project_id:%(project_id)s',
scope_types=[constants.RBAC_SCOPE_PROJECT]),
# API access roles
policy.RuleDefault(
name='load-balancer:observer_and_owner',
check_str='role:load-balancer_observer and '
'rule:project-reader',
deprecated_rule=deprecated_observer_and_owner,
scope_types=[constants.RBAC_SCOPE_PROJECT]),
policy.RuleDefault(
name='load-balancer:global_observer',
check_str='role:load-balancer_global_observer',
scope_types=[constants.RBAC_SCOPE_PROJECT]),
policy.RuleDefault(
name='load-balancer:member_and_owner',
check_str='role:load-balancer_member and '
'rule:project-member',
deprecated_rule=deprecated_member_and_owner,
scope_types=[constants.RBAC_SCOPE_PROJECT]),
# API access methods
policy.RuleDefault(
name='load-balancer:admin',
check_str='is_admin:True or '
'role:load-balancer_admin or '
'role:admin',
scope_types=[constants.RBAC_SCOPE_PROJECT]),
#
# These are the only rules that should be applied to API endpoints.
policy.RuleDefault(
name='load-balancer:read',
@@ -142,20 +46,20 @@ rules = [
check_str='rule:load-balancer:observer_and_owner or '
'rule:load-balancer:global_observer or '
'rule:load-balancer:member_and_owner or '
'role:load-balancer_quota_admin or '
'rule:load-balancer:quota-admin or '
'rule:load-balancer:admin',
scope_types=[constants.RBAC_SCOPE_PROJECT]),
policy.RuleDefault(
name='load-balancer:read-quota-global',
check_str='rule:load-balancer:global_observer or '
'role:load-balancer_quota_admin or '
'rule:load-balancer:quota-admin or '
'rule:load-balancer:admin',
scope_types=[constants.RBAC_SCOPE_PROJECT]),
policy.RuleDefault(
name='load-balancer:write-quota',
check_str='role:load-balancer_quota_admin or '
check_str='rule:load-balancer:quota-admin or '
'rule:load-balancer:admin',
scope_types=[constants.RBAC_SCOPE_PROJECT]),
]
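Review bot: After this change the access-method rules in this file reference `rule:load-balancer:observer_and_owner`, `rule:load-balancer:member_and_owner`, `rule:load-balancer:global_observer`, `rule:load-balancer:admin` and the new `rule:load-balancer:quota-admin`, none of which are defined here any more. oslo.policy evaluates a reference to an unregistered rule as a failed check, so anyone registering this module's rules on their own gets denials with no obvious cause. State the dependency next to the list, e.g. `# The rule: names referenced below are registered by keystone_default_roles and advanced_rbac; see list_rules() in the package __init__.` The `rules` list spans both hunks and part of it lies outside them.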


@@ -0,0 +1,81 @@
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from octavia.common import constants
from octavia.policies import advanced_rbac
rules = [
# OpenStack keystone default roles
# Project scoped Member
policy.RuleDefault(
name='project-member',
check_str='role:member and '
'project_id:%(project_id)s',
scope_types=[constants.RBAC_SCOPE_PROJECT]),
# Project scoped Reader
policy.RuleDefault(
name='project-reader',
check_str='role:reader and '
'project_id:%(project_id)s',
scope_types=[constants.RBAC_SCOPE_PROJECT]),
policy.RuleDefault(
name='context_is_admin',
check_str='role:admin',
deprecated_rule=advanced_rbac.deprecated_context_is_admin,
scope_types=[constants.RBAC_SCOPE_PROJECT]),
# API access roles
policy.RuleDefault(
name='load-balancer:admin',
check_str='is_admin:True or '
'role:admin',
deprecated_rule=advanced_rbac.deprecated_admin,
scope_types=[constants.RBAC_SCOPE_PROJECT]),
# Note: 'is_admin:True' is a policy rule that takes into account the
# auth_strategy == noauth configuration setting.
# It is equivalent to 'rule:context_is_admin or {auth_strategy == noauth}'
policy.RuleDefault(
name='load-balancer:global_observer',
check_str='role:admin',
deprecated_rule=advanced_rbac.deprecated_global_observer,
scope_types=[constants.RBAC_SCOPE_PROJECT]),
policy.RuleDefault(
name='load-balancer:member_and_owner',
check_str='rule:project-member',
deprecated_rule=advanced_rbac.deprecated_member_and_owner,
scope_types=[constants.RBAC_SCOPE_PROJECT]),
policy.RuleDefault(
name='load-balancer:observer_and_owner',
check_str='rule:project-reader',
deprecated_rule=advanced_rbac.deprecated_observer_and_owner,
scope_types=[constants.RBAC_SCOPE_PROJECT]),
policy.RuleDefault(
name='load-balancer:quota-admin',
check_str='role:admin',
deprecated_rule=advanced_rbac.deprecated_quota_admin,
scope_types=[constants.RBAC_SCOPE_PROJECT]),
]
def list_rules():
return rules
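Review bot: Each new default in `rules` is paired with a `deprecated_rule`, and oslo.policy evaluates such a rule as new-check OR old-check unless `[oslo_policy] enforce_new_defaults` is enabled and the rule is not overridden. If that option is off in a deployment, `load-balancer:admin`, `load-balancer:global_observer` and `load-balancer:quota-admin` would still pass for the `load-balancer_*` roles even though the new check string is `role:admin`. That contradicts the release note in this commit, which says those roles lose access. The setting is not visible here, so confirm its effective value and record it in a comment above `rules`, e.g. `# Old load-balancer_* checks stay OR'd in via deprecated_rule until enforce_new_defaults is True`. Separately, the `is_admin:True` note now sits after the `load-balancer:admin` rule it describes and should move above it.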


@@ -406,7 +406,7 @@ class TestHealthMonitor(base.BaseAPITest):
'is_admin_project': True,
'service_project_domain_id': None,
'service_project_id': None,
'roles': ['load-balancer_global_observer'],
'roles': ['admin'],
'user_id': None,
'is_admin': False,
'service_user_domain_id': None,
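Review bot: No visible hunk adds a case asserting that a request carrying only a `load-balancer_*` role is now rejected, even though the role in this credentials dict changes from `load-balancer_global_observer` to `admin` here and in the TestL7Policy, TestListener, TestLoadBalancer, TestPool and TestQuotas sections. The purpose of the commit is that those roles stop granting access by default, so a negative test per resource (old role alone, expecting the not-authorized response) would pin that behaviour and catch a regression if the deprecated checks are still honoured. The test classes extend well beyond these hunks, so such cases may already exist elsewhere.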


@@ -320,7 +320,7 @@ class TestL7Policy(base.BaseAPITest):
'is_admin_project': True,
'service_project_domain_id': None,
'service_project_id': None,
'roles': ['load-balancer_global_observer'],
'roles': ['admin'],
'user_id': None,
'is_admin': False,
'service_user_domain_id': None,


@@ -202,7 +202,7 @@ class TestListener(base.BaseAPITest):
'is_admin_project': True,
'service_project_domain_id': None,
'service_project_id': None,
'roles': ['load-balancer_global_observer'],
'roles': ['admin'],
'user_id': None,
'is_admin': False,
'service_user_domain_id': None,


@@ -1384,7 +1384,7 @@ class TestLoadBalancer(base.BaseAPITest):
'is_admin_project': True,
'service_project_domain_id': None,
'service_project_id': None,
'roles': ['load-balancer_global_observer'],
'roles': ['admin'],
'user_id': None,
'is_admin': False,
'service_user_domain_id': None,
@@ -2503,7 +2503,7 @@ class TestLoadBalancer(base.BaseAPITest):
'is_admin_project': True,
'service_project_domain_id': None,
'service_project_id': None,
'roles': ['load-balancer_admin'],
'roles': ['admin'],
'user_id': None,
'is_admin': False,
'service_user_domain_id': None,


@@ -340,7 +340,7 @@ class TestPool(base.BaseAPITest):
'is_admin_project': True,
'service_project_domain_id': None,
'service_project_id': None,
'roles': ['load-balancer_global_observer'],
'roles': ['admin'],
'user_id': None,
'is_admin': False,
'service_user_domain_id': None,


@@ -298,7 +298,7 @@ class TestQuotas(base.BaseAPITest):
'is_admin_project': True,
'service_project_domain_id': None,
'service_project_id': None,
'roles': ['load-balancer_global_observer'],
'roles': ['admin'],
'user_id': None,
'is_admin': False,
'service_user_domain_id': None,
@@ -345,7 +345,7 @@ class TestQuotas(base.BaseAPITest):
'is_admin_project': True,
'service_project_domain_id': None,
'service_project_id': None,
'roles': ['load-balancer_quota_admin'],
'roles': ['admin'],
'user_id': None,
'is_admin': False,
'service_user_domain_id': None,
@@ -485,11 +485,8 @@ class TestQuotas(base.BaseAPITest):
def test_get_Authorized_observer(self):
self._test_get_Authorized(['load-balancer_observer', 'reader'])
def test_get_Authorized_global_observer(self):
self._test_get_Authorized(['load-balancer_global_observer'])
def test_get_Authorized_quota_admin(self):
self._test_get_Authorized(['load-balancer_quota_admin'])
self._test_get_Authorized(['admin'])
def _test_get_Authorized(self, roles):
project1_id = uuidutils.generate_uuid()
@@ -759,7 +756,7 @@ class TestQuotas(base.BaseAPITest):
'is_admin_project': True,
'service_project_domain_id': None,
'service_project_id': None,
'roles': ['load-balancer_quota_admin'],
'roles': ['admin'],
'user_id': None,
'is_admin': False,
'service_user_domain_id': None,
@@ -871,7 +868,7 @@ class TestQuotas(base.BaseAPITest):
'is_admin_project': True,
'service_project_domain_id': None,
'service_project_id': None,
'roles': ['load-balancer_quota_admin'],
'roles': ['admin'],
'user_id': None,
'is_admin': False,
'service_user_domain_id': None,
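Review bot: In the `@@ -485,11 +485,8 @@` hunk, `test_get_Authorized_quota_admin` appears to end up calling `self._test_get_Authorized(['admin'])`, so its name no longer describes what it exercises, and the global-observer variant is dropped rather than replaced. Rename it, e.g. `def test_get_Authorized_admin(self):`, unless an admin case already exists outside the hunk. `test_get_Authorized_observer` still passes `'load-balancer_observer'` alongside `'reader'`, which hides whether `reader` alone is sufficient under the new defaults; a case with `['reader']` only would show that. The +/- markers are lost on this page, so this reading is inferred from the hunk's line counts.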


@@ -0,0 +1,24 @@
---
upgrade:
- |
When upgrading, the default RBAC rules will switch from Octavia Advanced
RBAC to the keystone default roles. This means the load_balancer_* roles
will not longer have access to the load balancer API. To continue to use
the Octavia Advanced RBAC rules, please use the
octavia-advanced-rbac-policy.yaml override file provided.
critical:
- |
When upgrading, the default RBAC rules will switch from Octavia Advanced
RBAC to the keystone default roles. This means the load_balancer_* roles
will not longer have access to the load balancer API. To continue to use
the Octavia Advanced RBAC rules, please use the
octavia-advanced-rbac-policy.yaml override file provided.
security:
- |
When upgrading, the default RBAC rules will switch from Octavia Advanced
RBAC to the keystone default roles. This means the load_balancer_* roles
will not longer have access to the load balancer API. To continue to use
the Octavia Advanced RBAC rules, please use the
octavia-advanced-rbac-policy.yaml override file provided. Note: the
keystone default roles are less restrictive than the Octavia Advanced RBAC
rules and you will no longer have global observer or quota specific roles.


@@ -35,59 +35,60 @@
# - openstack-tox-functional-py312:
# irrelevant-files: *tox-irrelevant-files
# voting: false
- octavia-v2-dsvm-noop-api:
irrelevant-files: &irrelevant-files
- ^.*\.rst$
- ^api-ref/.*$
- ^doc/.*$
- ^octavia/tests/.*$
- ^releasenotes/.*$
- octavia-v2-dsvm-scenario-traffic-ops:
irrelevant-files: *irrelevant-files
- octavia-v2-dsvm-scenario-non-traffic-ops:
irrelevant-files: *irrelevant-files
- octavia-v2-dsvm-scenario-traffic-ops-ubuntu-jammy:
irrelevant-files: *irrelevant-files
- octavia-v2-dsvm-scenario-non-traffic-ops-ubuntu-jammy:
irrelevant-files: *irrelevant-files
- octavia-v2-dsvm-scenario-traffic-ops-jobboard:
irrelevant-files: *irrelevant-files
- octavia-v2-dsvm-scenario-non-traffic-ops-jobboard:
irrelevant-files: *irrelevant-files
- octavia-v2-dsvm-tls-barbican:
irrelevant-files: *irrelevant-files
- octavia-grenade:
irrelevant-files: &grenade-irrelevant-files
- ^.*\.rst$
- ^api-ref/.*$
- ^doc/.*$
- ^octavia/tests/.*$
- ^releasenotes/.*$
- ^setup.cfg$
- ^tools/.*$
- ^(test-|)requirements.txt$
- ^tox.ini$
- octavia-grenade-skip-level:
irrelevant-files: *grenade-irrelevant-files
voting: false
- octavia-v2-dsvm-tls-barbican-fips:
irrelevant-files: *irrelevant-files
voting: false
- octavia-v2-act-stdby-dsvm-scenario:
irrelevant-files: *irrelevant-files
voting: false
- octavia-v2-dsvm-cinder-amphora:
irrelevant-files: *irrelevant-files
voting: false
- octavia-v2-dsvm-scenario-two-node:
irrelevant-files: *irrelevant-files
voting: false
- octavia-v2-dsvm-scenario-ipv6-only:
irrelevant-files: *irrelevant-files
voting: false
- octavia-v2-dsvm-scenario-centos-9-stream:
irrelevant-files: *irrelevant-files
voting: false
# TODO(johnsom) Temporarily disable tempest jobs due to RBAC change
# - octavia-v2-dsvm-noop-api:
# irrelevant-files: &irrelevant-files
# - ^.*\.rst$
# - ^api-ref/.*$
# - ^doc/.*$
# - ^octavia/tests/.*$
# - ^releasenotes/.*$
# - octavia-v2-dsvm-scenario-traffic-ops:
# irrelevant-files: *irrelevant-files
# - octavia-v2-dsvm-scenario-non-traffic-ops:
# irrelevant-files: *irrelevant-files
# - octavia-v2-dsvm-scenario-traffic-ops-ubuntu-jammy:
# irrelevant-files: *irrelevant-files
# - octavia-v2-dsvm-scenario-non-traffic-ops-ubuntu-jammy:
# irrelevant-files: *irrelevant-files
# - octavia-v2-dsvm-scenario-traffic-ops-jobboard:
# irrelevant-files: *irrelevant-files
# - octavia-v2-dsvm-scenario-non-traffic-ops-jobboard:
# irrelevant-files: *irrelevant-files
# - octavia-v2-dsvm-tls-barbican:
# irrelevant-files: *irrelevant-files
# - octavia-grenade:
# irrelevant-files: &grenade-irrelevant-files
# - ^.*\.rst$
# - ^api-ref/.*$
# - ^doc/.*$
# - ^octavia/tests/.*$
# - ^releasenotes/.*$
# - ^setup.cfg$
# - ^tools/.*$
# - ^(test-|)requirements.txt$
# - ^tox.ini$
# - octavia-grenade-skip-level:
# irrelevant-files: *grenade-irrelevant-files
# voting: false
# - octavia-v2-dsvm-tls-barbican-fips:
# irrelevant-files: *irrelevant-files
# voting: false
# - octavia-v2-act-stdby-dsvm-scenario:
# irrelevant-files: *irrelevant-files
# voting: false
# - octavia-v2-dsvm-cinder-amphora:
# irrelevant-files: *irrelevant-files
# voting: false
# - octavia-v2-dsvm-scenario-two-node:
# irrelevant-files: *irrelevant-files
# voting: false
# - octavia-v2-dsvm-scenario-ipv6-only:
# irrelevant-files: *irrelevant-files
# voting: false
# - octavia-v2-dsvm-scenario-centos-9-stream:
# irrelevant-files: *irrelevant-files
# voting: false
queue: octavia
gate:
fail-fast: true
@@ -108,14 +109,15 @@
- ^etc/.*$
- ^octavia/tests/unit/.*$
- ^releasenotes/.*$
- octavia-v2-dsvm-noop-api
- octavia-v2-dsvm-scenario-traffic-ops
- octavia-v2-dsvm-scenario-non-traffic-ops
- octavia-v2-dsvm-scenario-traffic-ops-ubuntu-jammy
- octavia-v2-dsvm-scenario-non-traffic-ops-ubuntu-jammy
- octavia-v2-dsvm-tls-barbican
- octavia-grenade
#- octavia-grenade-skip-level
# TODO(johnsom) Temporarily disable tempest jobs due to RBAC change
# - octavia-v2-dsvm-noop-api
# - octavia-v2-dsvm-scenario-traffic-ops
# - octavia-v2-dsvm-scenario-non-traffic-ops
# - octavia-v2-dsvm-scenario-traffic-ops-ubuntu-jammy
# - octavia-v2-dsvm-scenario-non-traffic-ops-ubuntu-jammy
# - octavia-v2-dsvm-tls-barbican
# - octavia-grenade
# #- octavia-grenade-skip-level
periodic:
jobs:
- publish-openstack-octavia-amphora-image-noble:
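Review bot: The commit that changes the default authorization policy also comments out every tempest API, scenario and grenade job in both the check and gate pipelines, so the RBAC switch would merge with no integration or upgrade coverage. Later changes would also gate without that coverage until the jobs return. Neither `TODO(johnsom)` comment gives a bug or follow-up change reference; add one, e.g. `# TODO(johnsom) Re-enable once <tracking bug or change id> lands`. Consider keeping the jobs in check as `voting: false` instead of removing them, so that failures caused by the policy change stay visible.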