changes to fix tripleo tests

1. for compact_services, some services that were not ssl enabled
   are now enabled.  Updated TLS_EXCEPTIONS
2. haproxy.stats is only accessible on localhost on the node that
   hosts the stats vip.  Check to make sure we are on this controller
   before checking connections.
3. certs are only issued for networks that are defined for a controller.
   Therefore do not check for the cert to be issued or tracked if the
   network is not enabled for that controller.

Change-Id: Ied35638bcbdff2260c2c4bb5d6c84329d6894ab1
Ade Lee 2019-02-24 15:17:40 -05:00
parent 3f38833cd4
commit 0b5d1a1a12
3 changed files with 56 additions and 16 deletions


@ -181,26 +181,38 @@ class NovajoinScenarioTest(manager.ScenarioTest):
return None
def verify_compact_services(self, services, host, verify_certs=False):
def verify_compact_services(self, services, host,
host_ip, verify_certs=False):
for (service, networks) in services.items():
for network in networks:
subhost = '{host}.{network}.{domain}'.format(
host=host, network=network, domain=self.ipa_client.domain
)
LOG.debug("SUBHOST: %s", subhost)
self.verify_service(service, subhost, verify_certs)
self.verify_service(service, subhost, host_ip,
verify_certs, network)
def verify_service(self, service, host, verify_certs=False):
LOG.debug("verifying: %s %s ", service, host)
def verify_service(self, service, host, host_ip,
verify_certs=False, network=False):
LOG.debug("verifying: %s %s", service, host)
if network:
LOG.debug("verifying network %s", network)
self.verify_host_registered_with_ipa(host, add_domain=False)
self.verify_service_created(service, host)
self.verify_service_managed_by_host(service, host)
if verify_certs:
self.verify_service_cert(service, host)
self.verify_service_cert(service, host, host_ip, network)
LOG.debug("verified: %s %s ", service, host)
def verify_service_cert(self, service, host):
def verify_service_cert(self, service, host, host_ip, network=None):
LOG.debug("Verifying cert for %s %s", service, host)
if not self.network_defined(host, network, host_ip):
# if the network is not enabled for this host
# no cert will be requested
LOG.debug("No network defined for {network} on {host}.".format(
network=network, host=host))
return
serial = self.get_service_cert(service, host)
internal_controllers = ['{controller}.internalapi.{domain}'.format(
@ -216,6 +228,17 @@ class NovajoinScenarioTest(manager.ScenarioTest):
self.assertTrue(serial is not None)
LOG.debug("Cert verified for %s %s", service, host)
def network_defined(self, host, network, host_ip):
"""Confirm network is defined on host."""
if network == 'internalapi':
network = 'internal_api'
if network == 'storagemgmt':
network = 'storage_mgmt'
cmd = ('sudo hiera -c /etc/puppet/hiera.yaml fqdn_{network}'.format(
network=network))
result = self.execute_on_controller('heat-admin', host_ip, cmd)
return result.strip() != 'nil'
def verify_managed_services(self, services, verify_certs=False):
for principal in services:
service = principal.split('/', 1)[0]
@ -228,6 +251,12 @@ class NovajoinScenarioTest(manager.ScenarioTest):
'-connect {hostport} -tls1_2'.format(hostport=hostport))
self.execute_on_controller(user, controller_ip, cmd)
def get_pcs_node(self, vip, controller_ip, user, hostport):
"""Get controller node that hosts vip"""
cmd = ('sudo pcs status |grep {vip}| '
'sed \'s/.*Started \(.*\)/\\1/\''.format(vip=vip))
return self.execute_on_controller(user, controller_ip, cmd).strip()
def get_server_id(self, name):
params = {'all_tenants': '', 'name': name}
resp = self.servers_client.list_servers(detail=True, **params)
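Review bot: In `get_pcs_node` the `hostport` parameter is accepted but never used, and `vip` is interpolated unquoted into `grep {vip}`, where the dots of an IP are regex wildcards and grep matches substrings, so a VIP like 10.0.0.1 also matches a status line for 10.0.0.10 and the wrong node can be returned; prefer `'sudo pcs status | grep -Fw {vip} | '` with `vip=shlex.quote(vip)` (adding `import shlex`) and either drop the unused parameter or use it. The same unquoted interpolation appears in `network_defined`, where `network` ends up inside `sudo hiera ... fqdn_{network}`; the value appears to originate from server metadata via the compact-services dict, so quoting it the same way is worthwhile. `verify_service` defaults `network=False` while `verify_service_cert` defaults it to `None`, and in both cases a caller that omits the argument reaches `network_defined` with a lookup of `fqdn_False` or `fqdn_None`, which presumably yields `nil` and makes `verify_service_cert` return early, silently skipping the certificate check; align the defaults on `None` and guard with `if network is not None and not self.network_defined(...)` so a missing network falls back to the previous unconditional check. Whether `verify_managed_services` takes this path is not visible in the hunk.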


@ -77,13 +77,15 @@ class TripleOTest(novajoin_manager.NovajoinScenarioTest):
hosts = list(CONF.novajoin.tripleo_controllers)
hosts.extend(CONF.novajoin.tripleo_computes)
for host in hosts:
host_ip = self.get_overcloud_server_ip(host)
metadata = self.servers_client.list_server_metadata(
self.get_server_id(host))['metadata']
compact_services = self.get_compact_services(metadata)
print(compact_services)
LOG.debug(compact_services)
self.verify_compact_services(
services=compact_services,
host=host,
host_ip=host_ip,
verify_certs=True
)
@ -93,7 +95,7 @@ class TripleOTest(novajoin_manager.NovajoinScenarioTest):
self.get_server_id(host))['metadata']
managed_services = [metadata[key] for key in metadata.keys()
if key.startswith('managed_service_')]
print(managed_services)
LOG.debug(managed_services)
self.verify_managed_services(
services=managed_services,
verify_certs=True)
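Review bot: `LOG.debug(compact_services)` here, and `LOG.debug(managed_services)` in the second hunk, log a bare container with no indication of which host it belongs to, so once several hosts are iterated the lines cannot be attributed; prefer `LOG.debug("compact services for %s: %s", host, compact_services)` and `LOG.debug("managed services for %s: %s", host, managed_services)`, which also keep formatting lazy. Both enclosing test methods start before their hunk.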


@ -20,14 +20,7 @@ from tempest import config
CONF = config.CONF
LOG = logging.getLogger(__name__)
TLS_EXCEPTIONS = [
("nova_novncproxy", "6080"),
("redis", "6379"),
("nova_metadata", "8775"),
("mysql", "3306"),
("haproxy.stats", "1993"),
("horizon", "80")
]
TLS_EXCEPTIONS = []
NOVADB_USER = 'nova::db::mysql::user'
NOVADB_HOST = 'nova::db::mysql::host'
@ -90,6 +83,7 @@ class TripleOTLSTest(novajoin_manager.NovajoinScenarioTest):
for param in params:
print(param)
hostport = self.get_hostport(param)
host_ip = re.search('(\S*):\d*', hostport).group(1)
port = re.search('\S*:(\d*)', hostport).group(1)
if "ssl" not in param:
if (tag, port) in TLS_EXCEPTIONS:
@ -97,6 +91,21 @@ class TripleOTLSTest(novajoin_manager.NovajoinScenarioTest):
continue
self.assertTrue("ssl" in param)
if tag == 'haproxy.stats':
# haproxy.stats is supposed to be accessible
# only to localhost - ie. the controller that
# contains the vip
vip_node = self.get_pcs_node(
host_ip, controller_ip, 'heat-admin', hostport)
print("vip_node={vip_node}".format(vip_node=vip_node))
if controller != vip_node:
print("Stats VIP not on controller: {ctl}".format(
ctl=controller))
continue
self.verify_overcloud_tls_connection(
controller_ip=controller_ip,
user='heat-admin',