diff --git a/novajoin_tempest_plugin/tests/scenario/novajoin_manager.py b/novajoin_tempest_plugin/tests/scenario/novajoin_manager.py
index b4ba1e3..4768ee3 100644
--- a/novajoin_tempest_plugin/tests/scenario/novajoin_manager.py
+++ b/novajoin_tempest_plugin/tests/scenario/novajoin_manager.py
@@ -181,26 +181,38 @@ class NovajoinScenarioTest(manager.ScenarioTest): return None - def verify_compact_services(self, services, host, verify_certs=False): + def verify_compact_services(self, services, host, + host_ip, verify_certs=False): for (service, networks) in services.items(): for network in networks: subhost = '{host}.{network}.{domain}'.format( host=host, network=network, domain=self.ipa_client.domain ) LOG.debug("SUBHOST: %s", subhost) - self.verify_service(service, subhost, verify_certs) + self.verify_service(service, subhost, host_ip, + verify_certs, network) - def verify_service(self, service, host, verify_certs=False): - LOG.debug("verifying: %s %s ", service, host) + def verify_service(self, service, host, host_ip, + verify_certs=False, network=False): + LOG.debug("verifying: %s %s", service, host) + if network: + LOG.debug("verifying network %s", network) self.verify_host_registered_with_ipa(host, add_domain=False) self.verify_service_created(service, host) self.verify_service_managed_by_host(service, host) if verify_certs: - self.verify_service_cert(service, host) + self.verify_service_cert(service, host, host_ip, network) LOG.debug("verified: %s %s ", service, host) - def verify_service_cert(self, service, host): + def verify_service_cert(self, service, host, host_ip, network=None): LOG.debug("Verifying cert for %s %s", service, host) + + if not self.network_defined(host, network, host_ip): + # if the network is not enabled for this host + # no cert will be requested + LOG.debug("No network defined for {network} on {host}.".format( + network=network, host=host)) + return serial = self.get_service_cert(service, host) internal_controllers = ['{controller}.internalapi.{domain}'.format( 
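Review bot: The new guard at the top of verify_service_cert calls self.network_defined(host, network, host_ip) even when network is None, the parameter's default, so the hiera key becomes `fqdn_None`, which hiera will presumably answer with nil, network_defined returns False and the method returns before get_service_cert runs — any caller that reaches verify_service_cert without a network now silently skips the certificate check it used to perform. The skip should apply only when a network was actually supplied: `if network is not None and not self.network_defined(host, network, host_ip):`. The defaults along the chain are also inconsistent (verify_service uses `network=False`, verify_service_cert uses `network=None`); using `None` in both keeps `if network:` working and makes the skip condition unambiguous. The "No network defined" message is pre-formatted with str.format while every other LOG.debug in the hunk passes lazy %s arguments, so `LOG.debug("No network defined for %s on %s.", network, host)` matches the surrounding style. verify_service_cert's body continues past the end of the hunk.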
@@ -216,6 +228,17 @@ class NovajoinScenarioTest(manager.ScenarioTest): self.assertTrue(serial is not None) LOG.debug("Cert verified for %s %s", service, host) + def network_defined(self, host, network, host_ip): + """Confirm network is defined on host.""" + if network == 'internalapi': + network = 'internal_api' + if network == 'storagemgmt': + network = 'storage_mgmt' + cmd = ('sudo hiera -c /etc/puppet/hiera.yaml fqdn_{network}'.format( + network=network)) + result = self.execute_on_controller('heat-admin', host_ip, cmd) + return result.strip() != 'nil' + def verify_managed_services(self, services, verify_certs=False): for principal in services: service = principal.split('/', 1)[0] @@ -228,6 +251,12 @@ class NovajoinScenarioTest(manager.ScenarioTest): '-connect {hostport} -tls1_2'.format(hostport=hostport)) self.execute_on_controller(user, controller_ip, cmd) + def get_pcs_node(self, vip, controller_ip, user, hostport): + """Get controller node that hosts vip""" + cmd = ('sudo pcs status |grep {vip}| ' + 'sed \'s/.*Started \(.*\)/\\1/\''.format(vip=vip)) + return self.execute_on_controller(user, controller_ip, cmd).strip() + def get_server_id(self, name): params = {'all_tenants': '', 'name': name} resp = self.servers_client.list_servers(detail=True, **params) diff --git a/novajoin_tempest_plugin/tests/scenario/test_tripleo_deployment.py b/novajoin_tempest_plugin/tests/scenario/test_tripleo_deployment.py index 635a416..bfaf816 100644 --- a/novajoin_tempest_plugin/tests/scenario/test_tripleo_deployment.py +++ b/novajoin_tempest_plugin/tests/scenario/test_tripleo_deployment.py 
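Review bot: network_defined treats anything other than the literal `nil` as a defined network, so if the remote hiera command fails or prints nothing — empty output, an error message, hiera missing on that host — `result.strip() != 'nil'` is True and verify_service_cert proceeds as if the network were configured, which turns an infrastructure problem into a false pass or a confusing later assertion. The test should be positive, e.g. `value = result.strip()` followed by `return bool(value) and value != 'nil'`, and if execute_on_controller exposes the exit status it should be checked as well. The two `if network == ...` renames read more clearly as a module-level mapping such as `_HIERA_NETWORK_NAMES = {'internalapi': 'internal_api', 'storagemgmt': 'storage_mgmt'}` used via `network = _HIERA_NETWORK_NAMES.get(network, network)`. `network` is also interpolated straight into a shell command string; it originates from the deployment's own metadata rather than from a caller, but wrapping it with `shlex.quote(network)` costs nothing and documents that assumption.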
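Review bot: get_pcs_node takes a hostport parameter that its body never uses; either drop it from the signature (and from the call in test_tripleo_tls.py) or say in the docstring why it is kept. `vip` is inserted into `grep {vip}` unquoted and as a basic regular expression, so the dots of an address match any character and a VIP such as 10.0.0.1 (illustrative value) would also match 10.0.0.10 or 10.0.0.100 in the pcs output; the pipeline then returns several `Started` lines joined together and the `controller != vip_node` comparison in the caller fails for the wrong reason. `'sudo pcs status | grep -Fw -- {vip} | '` with `vip=shlex.quote(vip)` matches the literal address only and keeps the command well-formed. The docstring should also state that the method returns an empty string when no resource line for the VIP is found, since that is what the current pipeline yields after strip().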
@@ -77,13 +77,15 @@ class TripleOTest(novajoin_manager.NovajoinScenarioTest): hosts = list(CONF.novajoin.tripleo_controllers) hosts.extend(CONF.novajoin.tripleo_computes) for host in hosts: + host_ip = self.get_overcloud_server_ip(host) metadata = self.servers_client.list_server_metadata( self.get_server_id(host))['metadata'] compact_services = self.get_compact_services(metadata) - print(compact_services) + LOG.debug(compact_services) self.verify_compact_services( services=compact_services, host=host, + host_ip=host_ip, verify_certs=True ) @@ -93,7 +95,7 @@ class TripleOTest(novajoin_manager.NovajoinScenarioTest): self.get_server_id(host))['metadata'] managed_services = [metadata[key] for key in metadata.keys() if key.startswith('managed_service_')] - print(managed_services) + LOG.debug(managed_services) self.verify_managed_services( services=managed_services, verify_certs=True) diff --git a/novajoin_tempest_plugin/tests/scenario/test_tripleo_tls.py b/novajoin_tempest_plugin/tests/scenario/test_tripleo_tls.py index 5fb8bb7..a9a8480 100644 --- a/novajoin_tempest_plugin/tests/scenario/test_tripleo_tls.py +++ b/novajoin_tempest_plugin/tests/scenario/test_tripleo_tls.py @@ -20,14 +20,7 @@ from tempest import config CONF = config.CONF LOG = logging.getLogger(__name__) -TLS_EXCEPTIONS = [ - ("nova_novncproxy", "6080"), - ("redis", "6379"), - ("nova_metadata", "8775"), - ("mysql", "3306"), - ("haproxy.stats", "1993"), - ("horizon", "80") -] +TLS_EXCEPTIONS = [] NOVADB_USER = 'nova::db::mysql::user' NOVADB_HOST = 'nova::db::mysql::host' @@ -90,6 +83,7 @@ class TripleOTLSTest(novajoin_manager.NovajoinScenarioTest): for param in params: print(param) hostport = self.get_hostport(param) + host_ip = re.search('(\S*):\d*', hostport).group(1) port = re.search('\S*:(\d*)', hostport).group(1) if "ssl" not in param: if (tag, port) in TLS_EXCEPTIONS: 
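Review bot: `LOG.debug(compact_services)` passes the dict itself as the log message with no descriptive text, so the resulting log line is a bare repr that is hard to attribute when reading a tempest run; the same applies to `LOG.debug(managed_services)` in the following hunk (@@ -93). The file's other debug calls use a format string with lazy arguments, so `LOG.debug("compact_services for %s: %s", host, compact_services)` and `LOG.debug("managed_services for %s: %s", host, managed_services)` fit the existing style and record which host is being checked. `host_ip = self.get_overcloud_server_ip(host)` is now looked up for every controller and compute; if that helper can return None for a host without a reachable address, verify_compact_services passes the None through to the ssh command used by network_defined, so an `self.assertIsNotNone(host_ip)` right after the lookup would make that failure mode explicit. The enclosing test method starts before the hunk.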
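Review bot: With `TLS_EXCEPTIONS = []` the `if (tag, port) in TLS_EXCEPTIONS:` branch later in the file can no longer fire, and nothing explains whether the list is kept as an extension point or the removed services are now all expected to be served over TLS. A one-line comment above the assignment, such as `# Every endpoint is expected to use TLS; add (tag, port) pairs here only for services that legitimately cannot be TLS-enabled`, records the intent so the next person does not re-add entries to paper over a failing check.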
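Review bot: The new `host_ip = re.search('(\S*):\d*', hostport).group(1)` uses a non-raw string for a pattern containing `\S` and `\d`, which Python reports as an invalid escape sequence (a DeprecationWarning that became a SyntaxWarning in 3.12); write it as `r'(\S*):\d*'`, and the existing port line directly below has the same issue and could be fixed in the same change. Both lines call `.group(1)` on the match object directly, so a hiera value without a colon would raise an AttributeError that does not say which parameter was malformed; `host_ip, port = hostport.rsplit(':', 1)` with an `assertIn(':', hostport)` before it, or a single `re.match(r'(\S*):(\d*)$', hostport)` checked with `assertIsNotNone`, reports it properly. The name host_ip is slightly misleading since the hiera parameters may hold a hostname or VIP rather than a raw address; that is fine as long as the later get_pcs_node call expects the same value. The enclosing loop starts before the hunk.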
@@ -97,6 +91,21 @@ class TripleOTLSTest(novajoin_manager.NovajoinScenarioTest): continue self.assertTrue("ssl" in param) + + if tag == 'haproxy.stats': + # haproxy.stats is supposed to be accessible + # only to localhost - ie. the controller that + # contains the vip + + vip_node = self.get_pcs_node( + host_ip, controller_ip, 'heat-admin', hostport) + print("vip_node={vip_node}".format(vip_node=vip_node)) + + if controller != vip_node: + print("Stats VIP not on controller: {ctl}".format( + ctl=controller)) + continue + self.verify_overcloud_tls_connection( controller_ip=controller_ip, user='heat-admin',