changes to fix tripleo tests
1. for compact_services, some services that were not ssl enabled are now enabled. Updated TLS_EXCEPTIONS 2. haproxy.stats is only accessible on localhost on the node that had the stats vip. Check to make sure we have this controller before checking connections. 3. certs are only issued for networks that are defined for a controller. Therefore do not check for the cert to be issued or tracked if the network is not enabled for that controller. Change-Id: Ied35638bcbdff2260c2c4bb5d6c84329d6894ab1
parent
3f38833cd4
commit
0b5d1a1a12
|
@ -181,26 +181,38 @@ class NovajoinScenarioTest(manager.ScenarioTest):
|
|||
|
||||
return None
|
||||
|
||||
def verify_compact_services(self, services, host, verify_certs=False):
|
||||
def verify_compact_services(self, services, host,
|
||||
host_ip, verify_certs=False):
|
||||
for (service, networks) in services.items():
|
||||
for network in networks:
|
||||
subhost = '{host}.{network}.{domain}'.format(
|
||||
host=host, network=network, domain=self.ipa_client.domain
|
||||
)
|
||||
LOG.debug("SUBHOST: %s", subhost)
|
||||
self.verify_service(service, subhost, verify_certs)
|
||||
self.verify_service(service, subhost, host_ip,
|
||||
verify_certs, network)
|
||||
|
||||
def verify_service(self, service, host, verify_certs=False):
|
||||
LOG.debug("verifying: %s %s ", service, host)
|
||||
def verify_service(self, service, host, host_ip,
|
||||
verify_certs=False, network=False):
|
||||
LOG.debug("verifying: %s %s", service, host)
|
||||
if network:
|
||||
LOG.debug("verifying network %s", network)
|
||||
self.verify_host_registered_with_ipa(host, add_domain=False)
|
||||
self.verify_service_created(service, host)
|
||||
self.verify_service_managed_by_host(service, host)
|
||||
if verify_certs:
|
||||
self.verify_service_cert(service, host)
|
||||
self.verify_service_cert(service, host, host_ip, network)
|
||||
LOG.debug("verified: %s %s ", service, host)
|
||||
|
||||
def verify_service_cert(self, service, host):
|
||||
def verify_service_cert(self, service, host, host_ip, network=None):
|
||||
LOG.debug("Verifying cert for %s %s", service, host)
|
||||
|
||||
if not self.network_defined(host, network, host_ip):
|
||||
# if the network is not enabled for this host
|
||||
# no cert will be requested
|
||||
LOG.debug("No network defined for {network} on {host}.".format(
|
||||
network=network, host=host))
|
||||
return
|
||||
serial = self.get_service_cert(service, host)
|
||||
|
||||
internal_controllers = ['{controller}.internalapi.{domain}'.format(
|
||||
|
@ -216,6 +228,17 @@ class NovajoinScenarioTest(manager.ScenarioTest):
|
|||
self.assertTrue(serial is not None)
|
||||
LOG.debug("Cert verified for %s %s", service, host)
|
||||
|
||||
def network_defined(self, host, network, host_ip):
|
||||
"""Confirm network is defined on host."""
|
||||
if network == 'internalapi':
|
||||
network = 'internal_api'
|
||||
if network == 'storagemgmt':
|
||||
network = 'storage_mgmt'
|
||||
cmd = ('sudo hiera -c /etc/puppet/hiera.yaml fqdn_{network}'.format(
|
||||
network=network))
|
||||
result = self.execute_on_controller('heat-admin', host_ip, cmd)
|
||||
return result.strip() != 'nil'
|
||||
|
||||
def verify_managed_services(self, services, verify_certs=False):
|
||||
for principal in services:
|
||||
service = principal.split('/', 1)[0]
|
||||
|
@ -228,6 +251,12 @@ class NovajoinScenarioTest(manager.ScenarioTest):
|
|||
'-connect {hostport} -tls1_2'.format(hostport=hostport))
|
||||
self.execute_on_controller(user, controller_ip, cmd)
|
||||
|
||||
def get_pcs_node(self, vip, controller_ip, user, hostport):
|
||||
"""Get controller node that hosts vip"""
|
||||
cmd = ('sudo pcs status |grep {vip}| '
|
||||
'sed \'s/.*Started \(.*\)/\\1/\''.format(vip=vip))
|
||||
return self.execute_on_controller(user, controller_ip, cmd).strip()
|
||||
|
||||
def get_server_id(self, name):
|
||||
params = {'all_tenants': '', 'name': name}
|
||||
resp = self.servers_client.list_servers(detail=True, **params)
|
||||
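Review bot: In `verify_service_cert`, the new early return can silently switch off the certificate check for any caller that does not pass a network, because `verify_service` defaults `network=False` and `verify_service_cert` defaults `network=None`. `network_defined` would then look up `fqdn_False` or `fqdn_None`, and if hiera answers `nil` for an unknown key (presumably, given the `!= 'nil'` test) the method returns before `get_service_cert` is reached. Guarding the lookup keeps the skip limited to the compact-services path, e.g. `if network and not self.network_defined(host, network, host_ip):`. The skip is also logged only at debug level, so a run where every cert check was skipped looks the same as one where they all passed. Separately, `get_pcs_node` accepts `hostport` but never uses it, and the body of `verify_managed_services` is outside the hunk, so its calls could not be checked against the new signatures.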
|
|
|
@ -77,13 +77,15 @@ class TripleOTest(novajoin_manager.NovajoinScenarioTest):
|
|||
hosts = list(CONF.novajoin.tripleo_controllers)
|
||||
hosts.extend(CONF.novajoin.tripleo_computes)
|
||||
for host in hosts:
|
||||
host_ip = self.get_overcloud_server_ip(host)
|
||||
metadata = self.servers_client.list_server_metadata(
|
||||
self.get_server_id(host))['metadata']
|
||||
compact_services = self.get_compact_services(metadata)
|
||||
print(compact_services)
|
||||
LOG.debug(compact_services)
|
||||
self.verify_compact_services(
|
||||
services=compact_services,
|
||||
host=host,
|
||||
host_ip=host_ip,
|
||||
verify_certs=True
|
||||
)
|
||||
|
||||
|
@ -93,7 +95,7 @@ class TripleOTest(novajoin_manager.NovajoinScenarioTest):
|
|||
self.get_server_id(host))['metadata']
|
||||
managed_services = [metadata[key] for key in metadata.keys()
|
||||
if key.startswith('managed_service_')]
|
||||
print(managed_services)
|
||||
LOG.debug(managed_services)
|
||||
self.verify_managed_services(
|
||||
services=managed_services,
|
||||
verify_certs=True)
|
||||
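Review bot: In the first hunk, `host_ip` from `get_overcloud_server_ip(host)` is passed straight into `verify_compact_services` without a check, and in `network_defined` it becomes the SSH target for the hiera lookup. If that helper can return nothing for a host (its body is not visible here), the failure would surface as a connection error deep inside the cert check rather than as a clear test failure. Adding `self.assertIsNotNone(host_ip, host)` right after the lookup would tie the failure to the host being examined. The loop body starts outside the hunk.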
|
|
|
@ -20,14 +20,7 @@ from tempest import config
|
|||
CONF = config.CONF
|
||||
LOG = logging.getLogger(__name__)
|
||||
|
||||
TLS_EXCEPTIONS = [
|
||||
("nova_novncproxy", "6080"),
|
||||
("redis", "6379"),
|
||||
("nova_metadata", "8775"),
|
||||
("mysql", "3306"),
|
||||
("haproxy.stats", "1993"),
|
||||
("horizon", "80")
|
||||
]
|
||||
TLS_EXCEPTIONS = []
|
||||
|
||||
NOVADB_USER = 'nova::db::mysql::user'
|
||||
NOVADB_HOST = 'nova::db::mysql::host'
|
||||
|
@ -90,6 +83,7 @@ class TripleOTLSTest(novajoin_manager.NovajoinScenarioTest):
|
|||
for param in params:
|
||||
print(param)
|
||||
hostport = self.get_hostport(param)
|
||||
host_ip = re.search('(\S*):\d*', hostport).group(1)
|
||||
port = re.search('\S*:(\d*)', hostport).group(1)
|
||||
if "ssl" not in param:
|
||||
if (tag, port) in TLS_EXCEPTIONS:
|
||||
|
@ -97,6 +91,21 @@ class TripleOTLSTest(novajoin_manager.NovajoinScenarioTest):
|
|||
continue
|
||||
|
||||
self.assertTrue("ssl" in param)
|
||||
|
||||
if tag == 'haproxy.stats':
|
||||
# haproxy.stats is supposed to be accessible
|
||||
# only to localhost - ie. the controller that
|
||||
# contains the vip
|
||||
|
||||
vip_node = self.get_pcs_node(
|
||||
host_ip, controller_ip, 'heat-admin', hostport)
|
||||
print("vip_node={vip_node}".format(vip_node=vip_node))
|
||||
|
||||
if controller != vip_node:
|
||||
print("Stats VIP not on controller: {ctl}".format(
|
||||
ctl=controller))
|
||||
continue
|
||||
|
||||
self.verify_overcloud_tls_connection(
|
||||
controller_ip=controller_ip,
|
||||
user='heat-admin',
|
||||
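Review bot: In the `haproxy.stats` branch of the last hunk, an empty or differently spelled `vip_node` makes `controller != vip_node` true on every controller, so the loop hits `continue` each time and the stats endpoint's TLS connection is never verified while the test still passes. `get_pcs_node` returns whatever the `grep`/`sed` pipeline prints, presumably an empty string when the VIP is absent from the `pcs status` output, and the node name pcs reports may not match the form held in `controller` (not visible here). Failing on an empty result before the comparison, e.g. `self.assertTrue(vip_node, 'stats VIP not found in pcs status')`, would stop the skip from hiding a missing check. The added `host_ip = re.search('(\S*):\d*', hostport).group(1)` raises `AttributeError` when `hostport` has no colon and uses a non-raw pattern string; `r'(\S*):\d*'` avoids the invalid-escape warning. The enclosing loop begins and ends outside these hunks.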
|
|