[focal] Python modules sync with Airship project

- uplifted some python modules
- fixed tox4 requirements
- added focal build node as a default one
- added bindep.txt and bindep role to playbooks and docker image build process
- changes Makefile to reflect GoLang and dependency management changes
- upgraded Helm to v3 for chart build process
- uplifted postgresql version to 14.6
- fixed deprecated falcon.API - replaced with falcon.APP
- fixed upstream docker image publishing process

Change-Id: I307d72bb7680f6f5c71e42ad30666cf786420460

.gitignore

@@ -6,6 +6,9 @@ __pycache__/
 # C extensions
 *.so
 
+# Go
+baclient_built
+
 # Distribution / packaging
 .Python
 build/
@@ -108,3 +111,8 @@ ENV/
 # Chart artifacts
 charts/drydock/charts
 charts/drydock/requirements.lock
+/charts/*.tgz
+/charts/*/charts
+/charts/*/requirements.lock
+/charts/deps/*/
+/*.tgz

.readthedocs.yaml

@@ -19,7 +19,7 @@ formats:
 
 # Optionally set the version of Python and requirements required to build your docs
 python:
-  version: 3.7
+  version: 3.8
   install:
     - requirements: doc/requirements-doc.txt
     - requirements: python/requirements-lock.txt

.zuul.yaml

@@ -21,18 +21,15 @@
         - airship-drydock-omni-test
         - airship-drydock-chart-build-gate
         - airship-drydock-chart-build-latest-htk
-        - airship-drydock-docker-build-gate-ubuntu_xenial
-        - airship-drydock-docker-build-gate-ubuntu_bionic
+        - airship-drydock-docker-build-gate-ubuntu_focal
     gate:
       jobs:
         - airship-drydock-omni-test
         - airship-drydock-chart-build-gate
-        - airship-drydock-docker-build-gate-ubuntu_xenial
-        - airship-drydock-docker-build-gate-ubuntu_bionic
+        - airship-drydock-docker-build-gate-ubuntu_focal
     post:
       jobs:
-        - airship-drydock-docker-publish-ubuntu_xenial
-        - airship-drydock-docker-publish-ubuntu_bionic
+        - airship-drydock-docker-publish-ubuntu_focal
         - drydock-upload-git-mirror
 
 - nodeset:
@@ -41,6 +38,12 @@
       - name: primary
         label: ubuntu-bionic
 
+- nodeset:
+    name: airship-drydock-single-node-focal
+    nodes:
+      - name: primary
+        label: ubuntu-focal
+
 - job:
     name: airship-drydock-omni-test
     description: |
@@ -50,7 +53,7 @@
     required-projects:
       - openstack/openstack-helm-infra
     timeout: 3600
-    nodeset: airship-drydock-single-node
+    nodeset: airship-drydock-single-node-focal
 
 - job:
     name: airship-drydock-chart-build-gate
@@ -58,7 +61,7 @@
       Builds charts using pinned Helm toolkit.
     timeout: 900
     run: tools/gate/playbooks/build-charts.yaml
-    nodeset: airship-drydock-single-node
+    nodeset: airship-drydock-single-node-focal
 
 - job:
     name: airship-drydock-chart-build-latest-htk
@@ -67,46 +70,31 @@
     timeout: 900
     voting: false
     run: tools/gate/playbooks/build-charts.yaml
-    nodeset: airship-drydock-single-node
+    nodeset: airship-drydock-single-node-focal
     vars:
       HTK_COMMIT: master
 
 - job:
-    name: airship-drydock-docker-build-gate-ubuntu_xenial
+    name: airship-drydock-docker-build-gate-ubuntu_focal
     timeout: 1800
     run: tools/gate/playbooks/docker-image-build.yaml
-    nodeset: airship-drydock-single-node
+    nodeset: airship-drydock-single-node-focal
     irrelevant-files:
       - '^doc/.*'
       - '^charts/.*'
     vars:
       publish: false
-      distro: ubuntu_xenial
-      tags:
-        dynamic:
-          patch_set: true
-
-- job:
-    name: airship-drydock-docker-build-gate-ubuntu_bionic
-    timeout: 1800
-    run: tools/gate/playbooks/docker-image-build.yaml
-    nodeset: airship-drydock-single-node
-    irrelevant-files:
-      - '^doc/.*'
-      - '^charts/.*'
-    vars:
-      publish: false
-      distro: ubuntu_bionic
+      distro: ubuntu_focal
       tags:
         dynamic:
           patch_set: true
 
 
 - job:
-    name: airship-drydock-docker-publish-ubuntu_xenial
+    name: airship-drydock-docker-publish-ubuntu_focal
     timeout: 1800
     run: tools/gate/playbooks/docker-image-build.yaml
-    nodeset: airship-drydock-single-node
+    nodeset: airship-drydock-single-node-focal
     secrets:
       - airship_drydock_quay_creds
     irrelevant-files:
@@ -114,27 +102,7 @@
       - '^charts/.*'
     vars:
       publish: true
-      distro: ubuntu_xenial
-      tags:
-        dynamic:
-          branch: true
-          commit: true
-        static:
-          - latest
-
-- job:
-    name: airship-drydock-docker-publish-ubuntu_bionic
-    timeout: 1800
-    run: tools/gate/playbooks/docker-image-build.yaml
-    nodeset: airship-drydock-single-node
-    secrets:
-      - airship_drydock_quay_creds
-    irrelevant-files:
-      - '^doc/.*'
-      - '^charts/.*'
-    vars:
-      publish: true
-      distro: ubuntu_bionic
+      distro: ubuntu_focal
       tags:
         dynamic:
           branch: true

Makefile

@@ -19,7 +19,7 @@ IMAGE_PREFIX    	?= airshipit
 IMAGE_TAG       	?= dev
 HELM            	:= $(shell realpath $(BUILD_DIR))/helm
 UBUNTU_BASE_IMAGE	?=
-DISTRO			?= ubuntu_bionic
+DISTRO			?= ubuntu_focal
 PROXY           	?= http://proxy.foo.com:8000
 NO_PROXY        	?= localhost,127.0.0.1,.svc.cluster.local
 USE_PROXY       	?= false
@@ -40,21 +40,16 @@ run_images: run_drydock
 # Run tests
 tests: pep8 security docs unit_tests test_baclient
 
-# Install external (not managed by tox/pip) dependencies
-external_dep: requirements-host.txt requirements-host-test.txt
-	sudo ./hostdeps.sh
-	touch external_dep
-
 # Run unit and Postgres integration tests in coverage mode
 coverage_test: build_drydock
 	tox -re cover
 
 # Run just unit tests
-unit_tests: external_dep
-	tox -re py36 $(TESTS)
+unit_tests:
+	tox -re py38 $(TESTS)
 
 # Run just DB integration tests
-db_integration_tests: external_dep
+db_integration_tests:
 	tox -re integration $(TESTS)
 
 # Freeze full set of Python requirements
@@ -91,27 +86,27 @@ helm-install:
 
 # Make targets intended for use by the primary targets above.
 
-build_drydock: external_dep
+build_drydock:
 	export; tools/drydock_image_build.sh
 ifeq ($(PUSH_IMAGE), true)
 	docker push $(IMAGE)
 endif
 
 # Make target for building bootaction signal client
-build_baclient: external_dep
-	sudo ./tools/baclient_build.sh $(shell realpath go) $(shell realpath ${BUILD_DIR})
+build_baclient:
+	./tools/baclient_build.sh $(shell realpath go) $(shell realpath ${BUILD_DIR})
 	touch ./baclient_built
 
 # Make target for testing bootaction signal client
-test_baclient: external_dep build_baclient
-	GOPATH=$(shell realpath go) go test -v baclient
+test_baclient: build_baclient
+	GOPATH=$(shell realpath go) GO111MODULE=off go test -v baclient
 
 docs: clean drydock_docs
 
-security: external_dep
+security:
 	tox -e bandit
 
-drydock_docs: external_dep render_diagrams genpolicy genconfig
+drydock_docs: render_diagrams genpolicy genconfig
 	tox -e docs
 
 render_diagrams:
@@ -129,12 +124,14 @@ clean:
 	rm -rf charts/drydock/charts
 	rm -rf charts/drydock/requirements.lock
 
-pep8: external_dep
+pep8:
 	tox -e pep8
 
 helm_lint: helm-init
+	$(HELM) dep up charts/drydock
 	$(HELM) lint charts/drydock
 
+
 .PHONY: build_baclient build_drydock charts clean coverage_test \
   db_integration_tests docs drydock drydock_docs dry-run genconfig \
   genpolicy helm-init helm-install helm_lint images lint pep8 \

bindep.txt

@@ -0,0 +1,25 @@
+# These are host packages needed for Drydock
+# that don't come on a minimal Ubuntu install
+build-essential
+curl
+git
+golang-go
+libffi-dev
+libkrb5-dev
+libpq-dev
+libre2-dev
+libsasl2-dev
+libssl-dev
+libvirt-dev
+libzmq3-dev
+netbase
+pkg-config
+python3-dev
+python3-pip
+python3-setuptools
+ssh
+tox
+
+# PlantUML is used for documentation builds, graphviz is it's soft  dependancy
+plantuml
+graphviz

charts/drydock/requirements.yaml

@@ -14,5 +14,5 @@
 
 dependencies:
   - name: helm-toolkit
-    repository: http://localhost:8879/charts
+    repository: file://../deps/helm-toolkit
     version: ">= 0.1.0"

charts/drydock/values.yaml

@@ -35,7 +35,7 @@ images:
     ks_user: docker.io/openstackhelm/heat:newton
     ks_service: docker.io/openstackhelm/heat:newton
     ks_endpoints: docker.io/openstackhelm/heat:newton
-    drydock_db_init: docker.io/postgres:9.5
+    drydock_db_init: docker.io/postgres:14.6
     drydock_db_cleanup: quay.io/airshipit/drydock:master
     drydock_db_sync: quay.io/airshipit/drydock:master
   pull_policy: "IfNotPresent"

doc/requirements-doc.txt

@@ -1,4 +1,5 @@
-sphinx>=1.6.2
-sphinx_rtd_theme==0.2.4
-oslo.versionedobjects
-falcon
+sphinx_rtd_theme==1.2.0
+pylibyaml==0.1.0
+oslo_versionedobjects==3.1.0
+falcon==3.1.1
+keystoneauth1==5.1.2

doc/source/_static/drydock.conf.sample

@@ -78,7 +78,7 @@
 # Domain name containing project (string value)
 #project_domain_name = <None>
 
-# Trust ID (string value)
+# ID of the trust to use as a trustee use (string value)
 #trust_id = <None>
 
 # Optional domain ID to use with v3 and v2 parameters. It will be used for both
@@ -114,15 +114,35 @@
 # Complete "public" Identity API endpoint. This endpoint should not be an
 # "admin" endpoint, as it should be accessible by all end users. Unauthenticated
 # clients are redirected to this endpoint to authenticate. Although this
-# endpoint should  ideally be unversioned, client support in the wild varies.
-# If you're using a versioned v2 endpoint here, then this  should *not* be the
-# same endpoint the service user utilizes  for validating tokens, because normal
-# end users may not be  able to reach that endpoint. (string value)
+# endpoint should ideally be unversioned, client support in the wild varies. If
+# you're using a versioned v2 endpoint here, then this should *not* be the same
+# endpoint the service user utilizes for validating tokens, because normal end
+# users may not be able to reach that endpoint. (string value)
+# Deprecated group/name - [keystone_authtoken]/auth_uri
+#www_authenticate_uri = <None>
+
+# DEPRECATED: Complete "public" Identity API endpoint. This endpoint should not
+# be an "admin" endpoint, as it should be accessible by all end users.
+# Unauthenticated clients are redirected to this endpoint to authenticate.
+# Although this endpoint should ideally be unversioned, client support in the
+# wild varies. If you're using a versioned v2 endpoint here, then this should
+# *not* be the same endpoint the service user utilizes for validating tokens,
+# because normal end users may not be able to reach that endpoint. This option
+# is deprecated in favor of www_authenticate_uri and will be removed in the S
+# release. (string value)
+# This option is deprecated for removal since Queens.
+# Its value may be silently ignored in the future.
+# Reason: The auth_uri option is deprecated in favor of www_authenticate_uri and
+# will be removed in the S  release.
 #auth_uri = <None>
 
-# API version of the admin Identity API endpoint. (string value)
+# API version of the Identity API endpoint. (string value)
 #auth_version = <None>
 
+# Interface to use for the Identity API endpoint. Valid values are "public",
+# "internal" (default) or "admin". (string value)
+#interface = internal
+
 # Do not handle authorization requests within the middleware, but delegate the
 # authorization decision to downstream WSGI components. (boolean value)
 #delay_auth_decision = false
@@ -157,9 +177,6 @@
 # The region in which the identity server can be found. (string value)
 #region_name = <None>
 
-# Directory used to cache files related to PKI tokens. (string value)
-#signing_dir = <None>
-
 # Optionally specify a list of memcached server(s) to use for caching. If left
 # undefined, tokens will instead be cached in-process. (list value)
 # Deprecated group/name - [keystone_authtoken]/memcache_servers
@@ -170,12 +187,6 @@
 # -1 to disable caching completely. (integer value)
 #token_cache_time = 300
 
-# Determines the frequency at which the list of revoked tokens is retrieved from
-# the Identity service (in seconds). A high number of revocation events combined
-# with a low cache duration may significantly reduce performance. Only valid for
-# PKI tokens. (integer value)
-#revocation_cache_time = 10
-
 # (Optional) If defined, indicate whether token data should be authenticated or
 # authenticated and encrypted. If MAC, token data is authenticated (with HMAC)
 # in the cache. If ENCRYPT, token data is encrypted and authenticated in the
@@ -211,9 +222,9 @@
 # client connection from the pool. (integer value)
 #memcache_pool_conn_get_timeout = 10
 
-# (Optional) Use the advanced (eventlet safe) memcached client pool. The
-# advanced pool will only work under python 2.x. (boolean value)
-#memcache_use_advanced_pool = false
+# (Optional) Use the advanced (eventlet safe) memcached client pool. (boolean
+# value)
+#memcache_use_advanced_pool = true
 
 # (Optional) Indicate whether to set the X-Service-Catalog header. If False,
 # middleware will not ask for service catalog on token validation and will not
@@ -229,19 +240,23 @@
 # value)
 #enforce_token_bind = permissive
 
-# If true, the revocation list will be checked for cached tokens. This requires
-# that PKI tokens are configured on the identity server. (boolean value)
-#check_revocations_for_cached = false
+# A choice of roles that must be present in a service token. Service tokens are
+# allowed to request that an expired token can be used and so this check should
+# tightly control that only actual services should be sending this token. Roles
+# here are applied as an ANY check so any role in this list must be present. For
+# backwards compatibility reasons this currently only affects the allow_expired
+# check. (list value)
+#service_token_roles = service
 
-# Hash algorithms to use for hashing PKI tokens. This may be a single algorithm
-# or multiple. The algorithms are those supported by Python standard
-# hashlib.new(). The hashes will be tried in the order given, so put the
-# preferred one first for performance. The result of the first hash will be
-# stored in the cache. This will typically be set to multiple values only while
-# migrating from a less secure algorithm to a more secure one. Once all the old
-# tokens are expired this option should be set to a single value for better
-# performance. (list value)
-#hash_algorithms = md5
+# For backwards compatibility reasons we must let valid service tokens pass that
+# don't pass the service_token_roles check as valid. Setting this true will
+# become the default in a future release and should be enabled if possible.
+# (boolean value)
+#service_token_roles_required = false
+
+# The name or type of the service as it appears in the service catalog. This is
+# used to validate tokens that have restricted access rules. (string value)
+#service_type = <None>
 
 # Authentication type to load (string value)
 # Deprecated group/name - [keystone_authtoken]/auth_plugin
@@ -335,7 +350,28 @@
 # From oslo.policy
 #
 
-# The file that defines policies. (string value)
+# This option controls whether or not to enforce scope when evaluating policies.
+# If ``True``, the scope of the token used in the request is compared to the
+# ``scope_types`` of the policy being enforced. If the scopes do not match, an
+# ``InvalidScope`` exception will be raised. If ``False``, a message will be
+# logged informing operators that policies are being invoked with mismatching
+# scope. (boolean value)
+#enforce_scope = false
+
+# This option controls whether or not to use old deprecated defaults when
+# evaluating policies. If ``True``, the old deprecated defaults are not going to
+# be evaluated. This means if any existing token is allowed for old defaults but
+# is disallowed for new defaults, it will be disallowed. It is encouraged to
+# enable this flag along with the ``enforce_scope`` flag so that you can get the
+# benefits of new defaults and ``scope_type`` together. If ``False``, the
+# deprecated policy check string is logically OR'd with the new policy check
+# string, allowing for a graceful upgrade experience between releases with new
+# policies, which is the default behavior. (boolean value)
+#enforce_new_defaults = false
+
+# The relative or absolute path of a file that maps roles to permissions for a
+# given service. Relative paths must be specified in relation to the
+# configuration file setting this option. (string value)
 #policy_file = policy.json
 
 # Default rule. Enforced when a requested rule is not found. (string value)
@@ -348,6 +384,25 @@
 # valued)
 #policy_dirs = policy.d
 
+# Content Type to send and receive data for REST based policy check (string
+# value)
+# Possible values:
+# application/x-www-form-urlencoded - <No description provided>
+# application/json - <No description provided>
+#remote_content_type = application/x-www-form-urlencoded
+
+# server identity verification for REST based policy check (boolean value)
+#remote_ssl_verify_server_crt = false
+
+# Absolute path to ca cert file for REST based policy check (string value)
+#remote_ssl_ca_crt_file = <None>
+
+# Absolute path to client cert for REST based policy check (string value)
+#remote_ssl_client_crt_file = <None>
+
+# Absolute path client key file REST based policy check (string value)
+#remote_ssl_client_key_file = <None>
+
 
 [plugins]
 

doc/source/conf.py

@@ -77,7 +77,7 @@ release = u'0.1.0'
 #
 # This is also used if you do content translation via gettext catalogs.
 # Usually you set "language" from the command line for these cases.
-language = None
+language = 'en'
 
 # List of patterns, relative to source directory, that match files and
 # directories to ignore when looking for source files.

etc/drydock/drydock.conf.sample

@@ -78,7 +78,7 @@
 # Domain name containing project (string value)
 #project_domain_name = <None>
 
-# Trust ID (string value)
+# ID of the trust to use as a trustee use (string value)
 #trust_id = <None>
 
 # Optional domain ID to use with v3 and v2 parameters. It will be used for both
@@ -114,15 +114,35 @@
 # Complete "public" Identity API endpoint. This endpoint should not be an
 # "admin" endpoint, as it should be accessible by all end users. Unauthenticated
 # clients are redirected to this endpoint to authenticate. Although this
-# endpoint should  ideally be unversioned, client support in the wild varies.
-# If you're using a versioned v2 endpoint here, then this  should *not* be the
-# same endpoint the service user utilizes  for validating tokens, because normal
-# end users may not be  able to reach that endpoint. (string value)
+# endpoint should ideally be unversioned, client support in the wild varies. If
+# you're using a versioned v2 endpoint here, then this should *not* be the same
+# endpoint the service user utilizes for validating tokens, because normal end
+# users may not be able to reach that endpoint. (string value)
+# Deprecated group/name - [keystone_authtoken]/auth_uri
+#www_authenticate_uri = <None>
+
+# DEPRECATED: Complete "public" Identity API endpoint. This endpoint should not
+# be an "admin" endpoint, as it should be accessible by all end users.
+# Unauthenticated clients are redirected to this endpoint to authenticate.
+# Although this endpoint should ideally be unversioned, client support in the
+# wild varies. If you're using a versioned v2 endpoint here, then this should
+# *not* be the same endpoint the service user utilizes for validating tokens,
+# because normal end users may not be able to reach that endpoint. This option
+# is deprecated in favor of www_authenticate_uri and will be removed in the S
+# release. (string value)
+# This option is deprecated for removal since Queens.
+# Its value may be silently ignored in the future.
+# Reason: The auth_uri option is deprecated in favor of www_authenticate_uri and
+# will be removed in the S  release.
 #auth_uri = <None>
 
-# API version of the admin Identity API endpoint. (string value)
+# API version of the Identity API endpoint. (string value)
 #auth_version = <None>
 
+# Interface to use for the Identity API endpoint. Valid values are "public",
+# "internal" (default) or "admin". (string value)
+#interface = internal
+
 # Do not handle authorization requests within the middleware, but delegate the
 # authorization decision to downstream WSGI components. (boolean value)
 #delay_auth_decision = false
@@ -157,9 +177,6 @@
 # The region in which the identity server can be found. (string value)
 #region_name = <None>
 
-# Directory used to cache files related to PKI tokens. (string value)
-#signing_dir = <None>
-
 # Optionally specify a list of memcached server(s) to use for caching. If left
 # undefined, tokens will instead be cached in-process. (list value)
 # Deprecated group/name - [keystone_authtoken]/memcache_servers
@@ -170,12 +187,6 @@
 # -1 to disable caching completely. (integer value)
 #token_cache_time = 300
 
-# Determines the frequency at which the list of revoked tokens is retrieved from
-# the Identity service (in seconds). A high number of revocation events combined
-# with a low cache duration may significantly reduce performance. Only valid for
-# PKI tokens. (integer value)
-#revocation_cache_time = 10
-
 # (Optional) If defined, indicate whether token data should be authenticated or
 # authenticated and encrypted. If MAC, token data is authenticated (with HMAC)
 # in the cache. If ENCRYPT, token data is encrypted and authenticated in the
@@ -211,9 +222,9 @@
 # client connection from the pool. (integer value)
 #memcache_pool_conn_get_timeout = 10
 
-# (Optional) Use the advanced (eventlet safe) memcached client pool. The
-# advanced pool will only work under python 2.x. (boolean value)
-#memcache_use_advanced_pool = false
+# (Optional) Use the advanced (eventlet safe) memcached client pool. (boolean
+# value)
+#memcache_use_advanced_pool = true
 
 # (Optional) Indicate whether to set the X-Service-Catalog header. If False,
 # middleware will not ask for service catalog on token validation and will not
@@ -229,19 +240,23 @@
 # value)
 #enforce_token_bind = permissive
 
-# If true, the revocation list will be checked for cached tokens. This requires
-# that PKI tokens are configured on the identity server. (boolean value)
-#check_revocations_for_cached = false
+# A choice of roles that must be present in a service token. Service tokens are
+# allowed to request that an expired token can be used and so this check should
+# tightly control that only actual services should be sending this token. Roles
+# here are applied as an ANY check so any role in this list must be present. For
+# backwards compatibility reasons this currently only affects the allow_expired
+# check. (list value)
+#service_token_roles = service
 
-# Hash algorithms to use for hashing PKI tokens. This may be a single algorithm
-# or multiple. The algorithms are those supported by Python standard
-# hashlib.new(). The hashes will be tried in the order given, so put the
-# preferred one first for performance. The result of the first hash will be
-# stored in the cache. This will typically be set to multiple values only while
-# migrating from a less secure algorithm to a more secure one. Once all the old
-# tokens are expired this option should be set to a single value for better
-# performance. (list value)
-#hash_algorithms = md5
+# For backwards compatibility reasons we must let valid service tokens pass that
+# don't pass the service_token_roles check as valid. Setting this true will
+# become the default in a future release and should be enabled if possible.
+# (boolean value)
+#service_token_roles_required = false
+
+# The name or type of the service as it appears in the service catalog. This is
+# used to validate tokens that have restricted access rules. (string value)
+#service_type = <None>
 
 # Authentication type to load (string value)
 # Deprecated group/name - [keystone_authtoken]/auth_plugin
@@ -335,7 +350,28 @@
 # From oslo.policy
 #
 
-# The file that defines policies. (string value)
+# This option controls whether or not to enforce scope when evaluating policies.
+# If ``True``, the scope of the token used in the request is compared to the
+# ``scope_types`` of the policy being enforced. If the scopes do not match, an
+# ``InvalidScope`` exception will be raised. If ``False``, a message will be
+# logged informing operators that policies are being invoked with mismatching
+# scope. (boolean value)
+#enforce_scope = false
+
+# This option controls whether or not to use old deprecated defaults when
+# evaluating policies. If ``True``, the old deprecated defaults are not going to
+# be evaluated. This means if any existing token is allowed for old defaults but
+# is disallowed for new defaults, it will be disallowed. It is encouraged to
+# enable this flag along with the ``enforce_scope`` flag so that you can get the
+# benefits of new defaults and ``scope_type`` together. If ``False``, the
+# deprecated policy check string is logically OR'd with the new policy check
+# string, allowing for a graceful upgrade experience between releases with new
+# policies, which is the default behavior. (boolean value)
+#enforce_new_defaults = false
+
+# The relative or absolute path of a file that maps roles to permissions for a
+# given service. Relative paths must be specified in relation to the
+# configuration file setting this option. (string value)
 #policy_file = policy.json
 
 # Default rule. Enforced when a requested rule is not found. (string value)
@@ -348,6 +384,25 @@
 # valued)
 #policy_dirs = policy.d
 
+# Content Type to send and receive data for REST based policy check (string
+# value)
+# Possible values:
+# application/x-www-form-urlencoded - <No description provided>
+# application/json - <No description provided>
+#remote_content_type = application/x-www-form-urlencoded
+
+# server identity verification for REST based policy check (boolean value)
+#remote_ssl_verify_server_crt = false
+
+# Absolute path to ca cert file for REST based policy check (string value)
+#remote_ssl_ca_crt_file = <None>
+
+# Absolute path to client cert for REST based policy check (string value)
+#remote_ssl_client_crt_file = <None>
+
+# Absolute path client key file REST based policy check (string value)
+#remote_ssl_client_key_file = <None>
+
 
 [plugins]
 

go/src/baclient/go.mod

@@ -0,0 +1 @@
+module baclient

hostdeps.sh

@@ -1,43 +0,0 @@
-#!/bin/bash
-
-# Install host-level package dependencies
-# needed for local testing
-set -x
-
-if [[ ! -z $(uname -a | grep Ubuntu) ]]
-then
-  apt-get update
-  installed_pkgs=$(dpkg --get-selections | awk '!/deinstall/ { gsub(/:.*/,"",$1); print $1 }')
-  set -a added_pkgs
-  for reqfile in $(ls requirements-host*.txt)
-  do
-    for l in $(grep -vE '(^ *#)|(^$)' "${reqfile}")
-    do
-      # Do extra magic to support a list of alternative packages separated by '|'
-      # none of the packages are found, install the first one listed
-      IFS='|' read -a pkgalts <<< "${l}"
-      pkgfound=0
-      for a in "${pkgalts[@]}"
-      do
-        if grep -qE "^${a}$" <<< "${installed_pkgs}"
-        then
-          pkgfound=1
-          break
-        fi
-      done
-      if [[ "${pkgfound}" -eq 0 ]]
-      then
-        added_pkgs+=("${pkgalts[0]}")
-      fi
-    done
-  done
-  if [[ ${#added_pkgs[@]} -gt 0 ]]
-  then
-    DEBIAN_FRONTEND=noninteractive apt-get \
-      -o Dpkg::Options::="--force-confdef" \
-      -o Dpkg::Options::="--force-confold" \
-      install -y --no-install-recommends "${added_pkgs[@]}"
-  fi
-else
-  echo "Only support testing on Ubuntu hosts at this time."
-fi

images/drydock/Dockerfile.ubuntu_focal

@@ -12,7 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-ARG FROM=ubuntu:16.04
+ARG FROM=ubuntu:20.04
 FROM ${FROM} AS baclient_builder
 
 ARG UBUNTU_REPO=http://archive.ubuntu.com/ubuntu
@@ -23,16 +23,23 @@ ENV container docker
 ENV LC_ALL C.UTF-8
 ENV LANG C.UTF-8
 
-# Copy direct dependency requirements only to build a dependency layer
-RUN echo "deb  ${UBUNTU_REPO} xenial main restricted universe multiverse" > /etc/apt/sources.list; \
-    echo "deb  ${UBUNTU_REPO} xenial-security main restricted universe multiverse" >> /etc/apt/sources.list; \
-    echo "deb  ${UBUNTU_REPO} xenial-updates main restricted universe multiverse" >> /etc/apt/sources.list; \
-    cat /etc/apt/sources.list; \
-    echo "APT::Get::AllowUnauthenticated ${ALLOW_UNAUTHENTICATED};" >> /etc/apt/apt.conf.d/00-local-mirrors;
 
+COPY ./bindep.txt /tmp/drydock/
+WORKDIR /tmp/drydock
+RUN apt update \
+    && apt install -y --allow-downgrades \
+        python3 \
+        python3-dev \
+        python3-pip \
+        python3-venv \
+        python3-setuptools \
+    && DEBIAN_FRONTEND=noninteractive apt install  --no-install-recommends -y tzdata \
+    && pip3 install bindep \
+    && bindep -f /tmp/drydock/bindep.txt --brief | xargs  apt install -y
 
 COPY ./tools/baclient_build.sh /tmp/drydock/
 COPY ./go /tmp/drydock/go
+
 WORKDIR /tmp/drydock
 RUN ./baclient_build.sh /tmp/drydock/go /tmp/drydock/baclient
 
@@ -73,29 +80,36 @@ ENV PORT 9000
 ENV LC_ALL C.UTF-8
 ENV LANG C.UTF-8
 
-# Copy direct dependency requirements only to build a dependency layer
-RUN echo "deb  ${UBUNTU_REPO} xenial main restricted universe multiverse" > /etc/apt/sources.list; \
-    echo "deb  ${UBUNTU_REPO} xenial-security main restricted universe multiverse" >> /etc/apt/sources.list; \
-    echo "deb  ${UBUNTU_REPO} xenial-updates main restricted universe multiverse" >> /etc/apt/sources.list; \
-    cat /etc/apt/sources.list; \
-    echo "APT::Get::AllowUnauthenticated ${ALLOW_UNAUTHENTICATED};" >> /etc/apt/apt.conf.d/00-local-mirrors;
 
-
-COPY ./requirements-host.txt /tmp/drydock/
-COPY ./hostdeps.sh /tmp/drydock
+# COPY ./bindep-python.txt /tmp/drydock/
 WORKDIR /tmp/drydock
-RUN ./hostdeps.sh; \
-    rm -r /var/lib/apt/lists/*
+RUN DEBIAN_FRONTEND=noninteractive \
+        apt update \
+    && DEBIAN_FRONTEND=noninteractive \
+        apt install -y \
+            --allow-downgrades \
+             --no-install-recommends \
+                python3-dev \
+                python3-pip \
+                python3-setuptools \
+                pkg-config \
+                libvirt-dev \
+                libssl-dev \
+                gcc \
+                ssh\
+                curl \
+                netbase \
+    && rm -r /var/lib/apt/lists/*
 
 # Install LibYAML
 ENV LD_LIBRARY_PATH=/usr/local/lib
 COPY --from=baclient_builder /usr/local/lib /usr/local/lib
 COPY --from=baclient_builder /usr/local/include/yaml.h /usr/local/include/yaml.h
 
-RUN python3 -m pip install -U 'pip<21.0'
 COPY ./python/requirements-lock.txt /tmp/drydock/
-RUN cat /tmp/drydock/requirements-lock.txt | xargs -d '\n' \
-    -l1 pip3 -vv install --no-cache-dir
+RUN pip3 install \
+    --no-cache-dir \
+    -r /tmp/drydock/requirements-lock.txt
 
 COPY ./python /tmp/drydock/python
 WORKDIR /tmp/drydock/python

python/drydock_provisioner/control/api.py

@@ -45,7 +45,7 @@ def start_api(state_manager=None, ingester=None, orchestrator=None):
                             part input
     :param orchestrator:    Instance of drydock_provisioner.orchestrator.Orchestrator for managing tasks
     """
-    control_api = falcon.API(
+    control_api = falcon.App(
         request_type=DrydockRequest,
         middleware=[
             AuthMiddleware(),

python/requirements-direct.txt

@@ -1,29 +1,30 @@
-pylibyaml~=0.1
-PyYAML~=5.3.1
-pyghmi==1.0.18
-netaddr
-falcon
-oslo.versionedobjects==1.23.0
-requests
-oauthlib
-uwsgi==2.0.17.1
-pymongo==3.6.1
-oslo.config==7.0.0
+# edited with compartibility with shipyard's apache-airflow 1.10.15
+alembic==1.4.3
+Beaker==1.12.0
 click==6.7
-PasteDeploy==1.5.2
-PTable==0.9.2
-keystonemiddleware==4.9.1
-oslo.policy==1.22.1
-iso8601==0.1.11
-keystoneauth1==3.18.0
-alembic==0.8.2
-sqlalchemy==1.2.8
+defusedxml===0.6.0
+falcon==3.1.1
+iso8601==0.1.13
+jinja2==3.0.3
+jsonschema==3.2.0
+keystoneauth1==5.1.1
+keystonemiddleware==10.2.0
+libvirt-python==9.2.0
+netaddr==0.8.0
+oauthlib==3.1.0
+oslo.config==8.7.1
+oslo.policy==3.10.1
+oslo.versionedobjects==2.4.0
+Paste==3.5.0
+PasteDeploy==3.0.1
 psycopg2-binary==2.8.4
-jsonschema==2.6.0
-jsonschema>=3.0.1<4
-jinja2==2.10
+PTable==0.9.2
+pyghmi==1.5.60
+pylibyaml==0.1.0
+pymongo==3.10.1
+PyYAML==5.4.1
+redfish==3.1.9
+requests==2.23.0
+SQLAlchemy==1.2.8
 ulid2==0.1.1
-defusedxml===0.5.0
-libvirt-python==3.10.0
-beaker==1.9.1
-redfish==2.0.1
+uWSGI==2.0.21

python/requirements-lock.txt

@@ -1,82 +1,132 @@
-alembic==0.8.2
-amqp==2.6.0
-Babel==2.6.0
-Beaker==1.9.1
-cachetools==2.1.0
-certifi==2018.8.24
+alabaster==0.7.13
+alembic==1.4.3
+amqp==5.1.1
+attrs==22.2.0
+Babel==2.12.1
+bandit==1.7.5
+bcrypt==4.0.1
+Beaker==1.12.0
+cachetools==5.3.0
+certifi==2022.12.7
+cffi==1.15.1
 chardet==3.0.4
 click==6.7
-contextlib2==0.5.5
-debtcollector==1.20.0
-defusedxml==0.5.0
-dnspython==1.15.0
-eventlet==0.24.1
-falcon==1.4.1
-fasteners==0.14.1
-futurist==1.7.0
-greenlet==0.4.15
-idna==2.7
-iso8601==0.1.11
-Jinja2==2.10
-jsonschema>=3.0.1<4
-keystoneauth1==3.18.0
-keystonemiddleware==4.9.1
-kombu==4.6.11
-libvirt-python==3.10.0
-Mako==1.0.7
-MarkupSafe~=1.1.1
-monotonic==1.5
-msgpack==0.5.6
-netaddr==0.7.19
-netifaces==0.10.7
-oauthlib==2.1.0
-oslo.concurrency==3.28.0
-oslo.config==7.0.0
-oslo.context==2.21.0
-oslo.i18n==3.22.0
-oslo.log==3.45.2
-oslo.messaging==8.1.1
-oslo.middleware==3.36.0
-oslo.policy==1.22.1
-oslo.serialization==2.29.2
-oslo.service==1.32.0
-oslo.utils==3.42.1
-oslo.versionedobjects==1.23.0
-Paste==2.0.3
-PasteDeploy==1.5.2
-pbr==5.4.5
-pip==18.0
-positional==1.2.1
-prettytable==0.7.2
+coverage==7.2.3
+cryptography==40.0.1
+debtcollector==2.5.0
+decorator==5.1.1
+defusedxml==0.6.0
+dnspython==2.3.0
+docutils==0.19
+dogpile.cache==1.1.8
+eventlet==0.33.3
+falcon==3.1.1
+fasteners==0.18
+fixtures==4.0.1
+flake8==6.0.0
+futurist==2.4.1
+gitdb==4.0.10
+GitPython==3.1.31
+greenlet==2.0.2
+idna==2.10
+imagesize==1.4.1
+iniconfig==2.0.0
+iso8601==0.1.13
+Jinja2==3.0.3
+jsonpatch==1.32
+jsonpath-rw==1.4.0
+jsonpointer==2.3
+jsonschema==3.2.0
+keystoneauth1==5.1.1
+keystonemiddleware==10.2.0
+kombu==5.2.4
+libvirt-python==9.2.0
+Mako==1.2.4
+markdown-it-py==2.2.0
+MarkupSafe==2.1.2
+mccabe==0.7.0
+mdurl==0.1.2
+mock==5.0.1
+msgpack==1.0.5
+netaddr==0.8.0
+netifaces==0.11.0
+oauthlib==3.1.0
+os-service-types==1.7.0
+oslo.cache==3.3.1
+oslo.concurrency==5.1.1
+oslo.config==8.7.1
+oslo.context==5.1.1
+oslo.i18n==6.0.0
+oslo.log==5.2.0
+oslo.messaging==14.2.0
+oslo.metrics==0.6.0
+oslo.middleware==5.1.1
+oslo.policy==3.10.1
+oslo.serialization==5.1.1
+oslo.service==3.1.1
+oslo.utils==6.1.0
+oslo.versionedobjects==2.4.0
+packaging==23.0
+Paste==3.5.0
+PasteDeploy==3.0.1
+pbr==5.11.1
+pip==23.0.1
+pluggy==1.0.0
+ply==3.11
+prometheus-client==0.16.0
 psycopg2-binary==2.8.4
 PTable==0.9.2
-pycadf==2.8.0
-pycrypto==2.6.1
-pyghmi==1.0.18
+py==1.11.0
+pycadf==3.1.1
+pycodestyle==2.10.0
+pycparser==2.21
+pyflakes==3.0.1
+pyghmi==1.5.60
+Pygments==2.14.0
 pylibyaml==0.1.0
-pymongo==3.6.1
-pyparsing==2.2.1
-python-dateutil==2.8.1
-python-editor==1.0.3
-python-keystoneclient==3.22.0
-python-mimeparse==1.6.0
-pytz==2018.5
-PyYAML==5.3.1
-redfish==2.0.1
+pymongo==3.10.1
+pyparsing==3.0.9
+pyrsistent==0.19.3
+pytest==6.2.5
+pytest-cov==4.0.0
+pytest-mock==3.10.0
+python-dateutil==2.8.2
+python-editor==1.0.4
+python-keystoneclient==5.1.0
+pytz==2023.3
+PyYAML==5.4.1
+redfish==3.1.9
 repoze.lru==0.7
-requests==2.22.0
-rfc3986==1.2.0
-Routes==2.4.1
-setuptools==40.4.3
-six==1.15.0
+requests==2.23.0
+requests-toolbelt==0.10.1
+requests-unixsocket==0.3.0
+responses==0.23.1
+rfc3986==2.0.0
+rich==13.3.3
+Routes==2.5.1
+setuptools==56.0.0
+six==1.16.0
+smmap==5.0.0
+snowballstemmer==2.2.0
+Sphinx==5.3.0
+sphinxcontrib-applehelp==1.0.4
+sphinxcontrib-devhelp==1.0.2
+sphinxcontrib-htmlhelp==2.0.1
+sphinxcontrib-jsmath==1.0.1
+sphinxcontrib-qthelp==1.0.3
+sphinxcontrib-serializinghtml==1.1.5
 SQLAlchemy==1.2.8
-statsd==3.3.0
-stevedore==1.29.0
-tenacity==5.0.2
+statsd==4.0.1
+stevedore==5.0.0
+toml==0.10.2
+tomli==2.0.1
+types-PyYAML==6.0.12.9
 ulid2==0.1.1
-urllib3==1.25.9
-uWSGI==2.0.15
-vine==1.1.4
-WebOb==1.8.2
-wheel==0.31.1
-wrapt==1.10.11
+urllib3==1.25.11
+uWSGI==2.0.21
+vine==5.0.0
+WebOb==1.8.7
+wheel==0.38.4
+wrapt==1.15.0
+yapf==0.32.0
+yappi==1.4.0

python/requirements-test.txt

@@ -1,13 +1,19 @@
-pytest-mock==3.1.0
-pytest
+# tests
+click==6.7
+falcon==3.1.1
+jsonschema==3.2.0
+mock==5.0.1
+pylibyaml==0.1.0
+pymongo==3.10.1
+pytest==6.2.5
 pytest-cov
-responses
-mock
-tox
-oslo.versionedobjects[fixtures]>=1.23.0
-oslo.config[fixtures]
+pytest-mock
+responses==0.23.1
+setuptools==56.0.0
+ulid2==0.1.1
+
+# tools
 yapf
 flake8
 bandit>=1.1.0
 sphinx>=1.6.2
-sphinx_rtd_theme==0.2.4

python/tests/postgres/start_postgres.sh

@@ -14,11 +14,11 @@ then
   sudo docker stop 'psql_integration'
 fi
 
-sudo docker run --rm -dp 5432:5432 --name 'psql_integration' postgres:9.5
+sudo docker run --rm -dp 5432:5432 --name 'psql_integration' postgres:14.6
 sleep 15
 
-docker run --rm --net host postgres:9.5 psql -h localhost -c "create user drydock with password 'drydock';" postgres postgres
-docker run --rm --net host postgres:9.5 psql -h localhost -c "create database drydock;" postgres postgres
+docker run --rm --net host postgres:14.6 psql -h localhost -c "create user drydock with password 'drydock';" postgres postgres
+docker run --rm --net host postgres:14.6 psql -h localhost -c "create database drydock;" postgres postgres
 
 export DRYDOCK_DB_URL="postgresql+psycopg2://drydock:drydock@localhost:5432/drydock"
 

requirements-host-test.txt

@@ -1,5 +0,0 @@
-# These are host packages needed for Drydock
-# that don't come on a minimal Ubuntu install
-python-tox
-docker.io|docker-ce
-plantuml

requirements-host.txt

@@ -1,12 +0,0 @@
-# These are host packages needed for Drydock
-# that don't come on a minimal Ubuntu install
-libvirt-dev
-pkg-config
-python3-dev
-gcc
-netbase
-libssl-dev
-python3-pip
-python3-setuptools
-ssh
-curl

tools/baclient_build.sh

@@ -7,12 +7,7 @@ if $(uname -a | grep -q Ubuntu); then
   GOPATH=$1
   BUILD_DIR=$2
   if [[ ! -f ./baclient_built ]]; then
-    apt-get update
-    DEBIAN_FRONTEND=noninteractive apt-get \
-      -o Dpkg::Options::="--force-confdef" \
-      -o Dpkg::Options::="--force-confold" \
-      install -y --no-install-recommends golang-go
-    GOPATH=${GOPATH} go build -o ${BUILD_DIR}/baclient baclient
+    GO111MODULE=off GOPATH=${GOPATH} go build -v -o ${BUILD_DIR}/baclient baclient
   else
     echo "Baclient library is already built. No action."
   fi

tools/drydock_image_build.sh

@@ -3,7 +3,7 @@ set -x
 
 UBUNTU_BASE_IMAGE=${UBUNTU_BASE_IMAGE:-""}
 UBUNTU_REPO=${UBUNTU_REPO:-""}
-DISTRO=${DISTRO:-"ubuntu_bionic"}
+DISTRO=${DISTRO:-"ubuntu_focal"}
 TRUSTED_UBUNTU_REPO=${TRUSTED_UBUNTU_REPO:-"no"}
 ALLOW_UNATHENTICATED=${ALLOW_UNAUTHENTICATED:-"false"}
 PIP_INDEX_URL=${PIP_INDEX_URL:-""}

tools/drydock_image_run.sh

@@ -9,11 +9,11 @@ function start_db {
       sudo docker stop 'psql_integration'
     fi
 
-    docker run --rm -dp 5432:5432 --name 'psql_integration' postgres:9.5
+    docker run --rm -dp 5432:5432 --name 'psql_integration' -e POSTGRES_HOST_AUTH_METHOD=trust postgres:14.6
     sleep 15
 
-    docker run --rm --net host postgres:9.5 psql -h localhost -c "create user drydock with password 'drydock';" postgres postgres
-    docker run --rm --net host postgres:9.5 psql -h localhost -c "create database drydock;" postgres postgres
+    docker run --rm --net host postgres:14.6 psql -h localhost -c "create user drydock with password 'drydock';" postgres postgres
+    docker run --rm --net host postgres:14.6 psql -h localhost -c "create database drydock;" postgres postgres
 }
 
 function customize_conf {

tools/gate/playbooks/build-charts.yaml

@@ -13,6 +13,15 @@
 # limitations under the License.
 
 - hosts: primary
+
+
+
+  roles:
+    - bindep
+    - ensure-docker
+    - ensure-python
+    - ensure-pip
+
   tasks:
     - name: Execute the make target to package Helm charts.
       make:

tools/gate/playbooks/docker-image-build.yaml

@@ -13,6 +13,14 @@
 # limitations under the License.
 
 - hosts: primary
+
+  roles:
+    - bindep
+    - ensure-docker
+    - ensure-python
+    - ensure-pip
+
+
   tasks:
     - name: Debug tag generation inputs
       block:
@@ -40,18 +48,11 @@
       debug:
         var: image_tags
 
-    - name: Install Docker (Debian)
+    - name: Install Docker python module for ansible docker login
       block:
-        - apt:
-            name: "{{ item }}"
-          with_items:
-            - docker.io
-            - python3-pip
-            - python3-setuptools
-          when: ansible_os_family == 'Debian'
         - pip:
             name: docker
-            version: 2.7.0
+            version: 4.4.4
             executable: pip3
       become: True
 

tools/gate/playbooks/omni_test.yaml

@@ -14,6 +14,16 @@
 # to minimize Zuul node consumption
 
 - hosts: primary
+
+
+
+  roles:
+    - bindep
+    - ensure-docker
+    - ensure-python
+    - ensure-pip
+
+
   tasks:
     - name: Execute the make target for PEP8 linting
       make:
@@ -41,12 +51,6 @@
         target: test_baclient
       become: true
       register: result
-    - name: Execute the make target for building and running the Drydock Docker image
-      make:
-        chdir: "{{ zuul.project.src_dir }}"
-        target: run_drydock
-      register: result
-      become: true
     - name: Setup Apparmor
       shell: |
         set -xe;
@@ -54,3 +58,9 @@
       args:
         chdir: "{{ zuul.projects['opendev.org/openstack/openstack-helm-infra'].src_dir }}"
         executable: /bin/bash
+    - name: Execute the make target for building and running the Drydock Docker image
+      make:
+        chdir: "{{ zuul.project.src_dir }}"
+        target: run_drydock
+      register: result
+      become: true

tools/helm_install.sh

@@ -17,7 +17,7 @@
 set -x
 
 HELM=$1
-HELM_ARTIFACT_URL=${HELM_ARTIFACT_URL:-"https://get.helm.sh/helm-v2.17.0-linux-amd64.tar.gz"}
+HELM_ARTIFACT_URL=${HELM_ARTIFACT_URL:-"https://get.helm.sh/helm-v3.6.3-linux-amd64.tar.gz"}
 
 
 function install_helm_binary {

tools/helm_tk.sh

@@ -12,65 +12,20 @@
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
-#
-# Script to setup helm-toolkit and helm dep up the shipyard chart
-#
-HELM=$1
-HTK_REPO=${HTK_REPO:-"https://github.com/openstack/openstack-helm-infra"}
-HTK_PATH=${HTK_PATH:-""}
+
+
+set -eux
+
+HTK_REPO=${HTK_REPO:-"https://opendev.org/openstack/openstack-helm-infra.git"}
 HTK_STABLE_COMMIT=${HTK_COMMIT:-"f4972121bcb41c8d74748917804d2b239ab757f9"}
-DEP_UP_LIST=${DEP_UP_LIST:-"drydock"}
-BUILD_DIR=${BUILD_DIR:-$(mktemp -d)}
 
-if [[ ! -z $(echo $http_proxy) ]]
-then
-  export no_proxy=$no_proxy,127.0.0.1
-fi
+TMP_DIR=$(mktemp -d)
 
-set -x
-
-# Use ./helm as we expect this to be run in a already
-# configured build directory
-
-function helm_serve {
-  if [[ -d "$HOME/.helm" ]]; then
-     echo ".helm directory found"
-  else
-     ${HELM} init --client-only --skip-refresh
-  fi
-  if [[ -z $(curl --noproxy '*' -s 127.0.0.1:8879 | grep 'Helm Repository') ]]; then
-     "${HELM}" serve & > /dev/null
-     while [[ -z $(curl --noproxy '*' -s 127.0.0.1:8879 | grep 'Helm Repository') ]]; do
-        sleep 1
-        echo "Waiting for Helm Repository"
-     done
-  else
-     echo "Helm serve already running"
-  fi
-
-  if "${HELM}" repo list | grep -q "^stable" ; then
-     "${HELM}" repo remove stable
-  fi
-
-  ${HELM} repo add local http://localhost:8879/charts
+{
+    HTK_REPO_DIR=$TMP_DIR/htk
+    git clone "$HTK_REPO" "$HTK_REPO_DIR"
+    (cd "$HTK_REPO_DIR" && git reset --hard "${HTK_STABLE_COMMIT}")
+    cp -r "${HTK_REPO_DIR}/helm-toolkit" charts/deps/
 }
 
-mkdir -p "$BUILD_DIR"
-pushd "$BUILD_DIR"
-git clone $HTK_REPO || true
-pushd openstack-helm-infra/$HTK_PATH
-git reset --hard "${HTK_STABLE_COMMIT}"
-
-helm_serve
-# OSH Makefile is bugged, so ensure helm is in the path
-if [[ ${HELM} != "helm" ]]
-then
-  export PATH=${PATH}:$(dirname ${HELM})
-fi
-
-make helm-toolkit
-popd && popd
-for c in $DEP_UP_LIST
-do
-  ${HELM} dep up charts/$c
-done
+rm -rf "${TMP_DIR}"

tox.ini

@@ -1,32 +1,32 @@
 [tox]
-envlist = py36,pep8,bandit
+envlist = py38,pep8,bandit
 setupdir=python/
 
+
 [testenv]
 setenv = YAMLDIR = {toxinidir}/python/tests/yaml_samples/
 passenv = http_proxy,HTTP_PROXY,https_proxy,HTTPS_PROXY,no_proxy,NO_PROXY
 deps=
   -r{toxinidir}/python/requirements-lock.txt
-  -r{toxinidir}/python/requirements-test.txt
 
 [testenv:venv]
-basepython=python3
 commands = {posargs}
 
 [testenv:freeze]
-basepython=python3
 recreate = True
 allowlist_externals=
   rm
   sh
+  pipdeptree
 deps=
   -rpython/requirements-direct.txt
+  -rpython/requirements-test.txt
 commands=
-  rm python/requirements-lock.txt
+  rm -f python/requirements-lock.txt
   sh -c "pip freeze --all | grep -vE 'drydock-provisioner|pyinotify|pkg-resources==0.0.0' > python/requirements-lock.txt"
+  sh -c "pipdeptree > python/requirements-tree.txt"
 
 [testenv:yapf]
-basepython=python3
 allowlist_externals=find
 commands=
   yapf -i -r  --style=pep8 {toxinidir}/python/setup.py
@@ -35,7 +35,7 @@ commands=
   yapf -i -r  --style=pep8 {toxinidir}/python/tests
   find {toxinidir}/python/drydock_provisioner -name '__init__.py' -exec yapf -i --style=pep8 \{\} ;
 
-[testenv:py36]
+[testenv:py38]
 usedevelop=True
 setenv=
   PYTHONWARNING=all
@@ -46,7 +46,6 @@ commands=
     {toxinidir}/python/tests/unit/{posargs}
 
 [testenv:integration]
-basepython=python3
 passenv=DOCKER_REGISTRY,IMAGE_NAME,IMAGE_PREFIX,IMAGE_TAG
 setenv=
   PYTHONWARNING=all
@@ -57,7 +56,6 @@ commands=
     {toxinidir}/python/tests/integration/postgres/{posargs}
 
 [testenv:cover]
-basepython=python3
 usedevelop=True
 passenv=DOCKER_REGISTRY,IMAGE_NAME,IMAGE_PREFIX,IMAGE_TAG
 setenv=
@@ -68,24 +66,20 @@ commands=
     {toxinidir}/python/tests/unit/ {toxinidir}/python/tests/integration/postgres
 
 [testenv:genconfig]
-basepython=python3
 allowlist_externals=tee
                     sh
 commands = sh -c 'oslo-config-generator --config-file=etc/drydock/drydock-config-generator.conf | tee etc/drydock/drydock.conf.sample doc/source/_static/drydock.conf.sample'
 
 [testenv:genpolicy]
-basepython=python3
 allowlist_externals=tee
                     sh
 commands = sh -c 'oslopolicy-sample-generator --config-file etc/drydock/drydock-policy-generator.conf | tee etc/drydock/policy.yaml.sample doc/source/_static/policy.yaml.sample'
 
 [testenv:pep8]
-basepython=python3
 commands = flake8 \
              {posargs}
 
 [testenv:bandit]
-basepython=python3
 commands = bandit -r drydock_provisioner -n 5
 
 [flake8]
@@ -94,9 +88,9 @@ exclude= venv,.venv,.git,.idea,.tox,*.egg-info,*.eggs,bin,dist,./build/,alembic/
 max-line-length=119
 
 [testenv:docs]
-basepython=python3
 deps=
   -rdoc/requirements-doc.txt
+  -epython
 allowlist_externals=rm
 recreate=true
 commands =