nerc-project · knikolla · Aug 27, 2025 · Aug 11, 2025
diff --git a/README.md b/README.md
@@ -89,29 +89,25 @@ ESI resource allocations will only have quotas for network resources by default.
 
 ### Configuring for OpenShift
 
-Note: OpenShift support requires deploying the [openshift-acct-mgt][]
-API service.
-
-[openshift-acct-mgt]: https://github.com/cci-moc/openshift-acct-mgt
-
-Authentication for OpenShift is loaded as pairs of environment variables
-`OPENSHIFT_{resource_name}_USERNAME` and `OPENSHIFT_{resource_name}_PASSWORD`
+Authentication for OpenShift is loaded as a environment variable
+`OPENSHIFT_{resource_name}_TOKEN` which should be a access token with appropriate permissions
 where `{resource_name}` is the name of the coldfront resource as all uppercase
 (with spaces and `-` replaced by `_`).
 
 Each OpenShift resource must have the following attributes set in coldfront:
- * `OpenStack Auth URL` - the URL of the `openshift-acct-mgt` endpoint.
- * `OpenStack Role for User in Project` - the name of the `ClusterRole` to assign to users
+ * `OpenShift API URL` - the URL of the Openshift cluster API.
+ * `OpenShift Role for User in Project` - the name of the `ClusterRole` to assign to users
    on the namespace.
+ * `OpenShift Identity Provider Name` - the name of the IDP configured in Openshift
 
 Registration of OpenShift coldfront resources can be performed via the UI management
 dashboard or through the helper command:
 
 ```bash
 $ coldfront add_openshift_resource
-usage: coldfront add_openshift_resource [-h] --name NAME --auth-url AUTH_URL [--role ROLE] [--version] [-v {0,1,2,3}] [--settings SETTINGS] [--pythonpath PYTHONPATH] [--traceback]
+usage: coldfront add_openshift_resource [-h] --name NAME --api-url API_URL --idp IDP [--role ROLE] [--for-virtualization] [--version] [-v {0,1,2,3}] [--settings SETTINGS] [--pythonpath PYTHONPATH] [--traceback]
                                         [--no-color] [--force-color] [--skip-checks]
-coldfront add_openshift_resource: error: the following arguments are required: --name, --auth-url
+coldfront add_openshift_resource: error: the following arguments are required: --name, --api-url, --idp
 ```
 
 ### Quotas

diff --git a/ci/run_functional_tests_openshift.sh b/ci/run_functional_tests_openshift.sh
@@ -5,8 +5,6 @@
 # Tests expect the resource to be name Devstack
 set -xe
 
-export OPENSHIFT_MICROSHIFT_USERNAME="admin"
-export OPENSHIFT_MICROSHIFT_PASSWORD="pass"
 export OPENSHIFT_MICROSHIFT_TOKEN="$(oc create token -n onboarding onboarding-serviceaccount)"
 export OPENSHIFT_MICROSHIFT_VERIFY="false"
 
@@ -16,7 +14,6 @@ fi
 
 export DJANGO_SETTINGS_MODULE="local_settings"
 export FUNCTIONAL_TESTS="True"
-export OS_AUTH_URL="https://onboarding-onboarding.cluster.local"
 export OS_API_URL="https://onboarding-onboarding.cluster.local:6443"
 
 

diff --git a/src/coldfront_plugin_cloud/management/commands/add_openshift_resource.py b/src/coldfront_plugin_cloud/management/commands/add_openshift_resource.py
@@ -24,12 +24,6 @@ def add_arguments(self, parser):
         parser.add_argument(
             "--name", type=str, required=True, help="Name of OpenShift resource"
         )
-        parser.add_argument(
-            "--auth-url",
-            type=str,
-            required=True,
-            help="URL of the OpenShift-acct-mgt endpoint",
-        )
         parser.add_argument(
             "--api-url",
             type=str,
@@ -71,13 +65,6 @@ def handle(self, *args, **options):
             is_allocatable=True,
         )
 
-        ResourceAttribute.objects.get_or_create(
-            resource_attribute_type=ResourceAttributeType.objects.get(
-                name=attributes.RESOURCE_AUTH_URL
-            ),
-            resource=openshift,
-            value=options["auth_url"],
-        )
         ResourceAttribute.objects.get_or_create(
             resource_attribute_type=ResourceAttributeType.objects.get(
                 name=attributes.RESOURCE_API_URL

diff --git a/src/coldfront_plugin_cloud/openshift.py b/src/coldfront_plugin_cloud/openshift.py
@@ -2,10 +2,7 @@
 import json
 import logging
 import os
-import requests
-from requests.auth import HTTPBasicAuth
 import time
-from simplejson.errors import JSONDecodeError
 
 import kubernetes
 import kubernetes.dynamic.exceptions as kexc
@@ -66,10 +63,6 @@ class NotFound(ApiException):
     pass
 
 
-class Conflict(ApiException):
-    pass
-
-
 class OpenShiftResourceAllocator(base.ResourceAllocator):
     QUOTA_KEY_MAPPING = {
         attributes.QUOTA_LIMITS_CPU: lambda x: {"limits.cpu": f"{x * 1000}m"},
@@ -116,40 +109,6 @@ def k8_client(self):
         k8s_client = kubernetes.client.ApiClient(configuration=k8_config)
         return DynamicClient(k8s_client)
 
-    @functools.cached_property
-    def session(self):
-        var_name = utils.env_safe_name(self.resource.name)
-        username = os.getenv(f"OPENSHIFT_{var_name}_USERNAME")
-        password = os.getenv(f"OPENSHIFT_{var_name}_PASSWORD")
-
-        session = requests.session()
-        if username and password:
-            session.auth = HTTPBasicAuth(username, password)
-
-        functional_tests = os.environ.get("FUNCTIONAL_TESTS", "").lower()
-        verify = os.getenv(f"OPENSHIFT_{var_name}_VERIFY", "").lower()
-        if functional_tests == "true" or verify == "false":
-            session.verify = False
-
-        return session
-
-    @staticmethod
-    def check_response(response: requests.Response):
-        if 200 <= response.status_code < 300:
-            try:
-                return response.json()
-            except JSONDecodeError:
-                # https://github.com/CCI-MOC/openshift-acct-mgt/issues/54
-                return response.text
-        if response.status_code == 404:
-            raise NotFound(f"{response.status_code}: {response.text}")
-        elif "does not exist" in response.text or "not found" in response.text:
-            raise NotFound(f"{response.status_code}: {response.text}")
-        elif "already exists" in response.text:
-            raise Conflict(f"{response.status_code}: {response.text}")
-        else:
-            raise ApiException(f"{response.status_code}: {response.text}")
-
     @staticmethod
     def is_error_not_found(e_info):
         return e_info["reason"] == "NotFound"

diff --git a/src/coldfront_plugin_cloud/tests/base.py b/src/coldfront_plugin_cloud/tests/base.py
@@ -80,14 +80,13 @@ def new_openstack_resource(name=None, auth_url=None) -> Resource:
 
     @staticmethod
     def new_openshift_resource(
-        name=None, auth_url=None, api_url=None, idp=None, for_virtualization=False
+        name=None, api_url=None, idp=None, for_virtualization=False
     ) -> Resource:
         resource_name = name or uuid.uuid4().hex
 
         call_command(
             "add_openshift_resource",
             name=resource_name,
-            auth_url=auth_url or "https://onboarding-onboarding.cluster.local",
             api_url=api_url or "https://onboarding-onboarding.cluster.local:6443",
             idp=idp or "developer",
             for_virtualization=for_virtualization,

diff --git a/src/coldfront_plugin_cloud/tests/functional/openshift/test_allocation.py b/src/coldfront_plugin_cloud/tests/functional/openshift/test_allocation.py
@@ -16,7 +16,6 @@ def setUp(self) -> None:
         super().setUp()
         self.resource = self.new_openshift_resource(
             name="Microshift",
-            auth_url=os.getenv("OS_AUTH_URL"),
             api_url=os.getenv("OS_API_URL"),
         )
 

diff --git a/src/coldfront_plugin_cloud/tests/functional/openshift_vm/test_allocation.py b/src/coldfront_plugin_cloud/tests/functional/openshift_vm/test_allocation.py
@@ -11,7 +11,7 @@ def setUp(self) -> None:
         super().setUp()
         self.resource = self.new_openshift_resource(
             name="Microshift",
-            auth_url=os.getenv("OS_AUTH_URL"),
+            api_url=os.getenv("OS_API_URL"),
             for_virtualization=True,
         )
 

diff --git a/src/coldfront_plugin_cloud/tests/unit/test_calculate_quota_unit_hours.py b/src/coldfront_plugin_cloud/tests/unit/test_calculate_quota_unit_hours.py
@@ -19,7 +19,6 @@ class TestCalculateAllocationQuotaHours(base.TestBase):
     def test_new_allocation_quota(self):
         self.resource = self.new_openshift_resource(
             name="",
-            auth_url="",
         )
 
         with freezegun.freeze_time("2020-03-15 00:01:00"):
@@ -88,7 +87,6 @@ def test_new_allocation_quota_expired(self):
         """Test that expiration doesn't affect invoicing."""
         self.resource = self.new_openshift_resource(
             name="",
-            auth_url="",
         )
         user = self.new_user()
         project = self.new_project(pi=user)
@@ -122,7 +120,6 @@ def test_new_allocation_quota_denied(self):
         """Test a simple case of invoicing until a status change."""
         self.resource = self.new_openshift_resource(
             name="",
-            auth_url="",
         )
         user = self.new_user()
         project = self.new_project(pi=user)
@@ -153,7 +150,6 @@ def test_new_allocation_quota_last_revoked(self):
         """Test that we correctly distinguish the last transition to an unbilled state."""
         self.resource = self.new_openshift_resource(
             name="",
-            auth_url="",
         )
         user = self.new_user()
         project = self.new_project(pi=user)
@@ -199,7 +195,6 @@ def test_new_allocation_quota_last_revoked(self):
     def test_new_allocation_quota_new(self):
         self.resource = self.new_openshift_resource(
             name="",
-            auth_url="",
         )
         user = self.new_user()
         project = self.new_project(pi=user)
@@ -218,7 +213,6 @@ def test_new_allocation_quota_new(self):
     def test_new_allocation_quota_never_approved(self):
         self.resource = self.new_openshift_resource(
             name="",
-            auth_url="",
         )
         user = self.new_user()
         project = self.new_project(pi=user)
@@ -241,7 +235,6 @@ def test_change_request_decrease(self):
         """Test for when a change request decreases the quota"""
         self.resource = self.new_openshift_resource(
             name="",
-            auth_url="",
         )
         user = self.new_user()
         project = self.new_project(pi=user)
@@ -288,7 +281,6 @@ def test_change_request_increase(self):
         """Test for when a change request increases the quota"""
         self.resource = self.new_openshift_resource(
             name="",
-            auth_url="",
         )
         user = self.new_user()
         project = self.new_project(pi=user)
@@ -335,7 +327,6 @@ def test_change_request_decrease_multiple(self):
         """Test for when multiple different change request decreases the quota"""
         self.resource = self.new_openshift_resource(
             name="",
-            auth_url="",
         )
         user = self.new_user()
         project = self.new_project(pi=user)
@@ -399,7 +390,6 @@ def test_change_request_decrease_multiple(self):
     def test_new_allocation_quota_change_request(self):
         self.resource = self.new_openshift_resource(
             name="",
-            auth_url="",
         )
         user = self.new_user()
         project = self.new_project(pi=user)