Update for new IPAClient
IPA code has changed, requiring updates to module paths. Also, tripleo has improved security, changing which networks are accessible and requiring password authentication for mysql. Also, the format for compact_services has changed. Change-Id: If899dda3950a8020ac1c3e8263a38a3bdcccd325
parent
f657712db4
commit
3f38833cd4
|
@ -16,12 +16,11 @@
|
|||
import os
|
||||
import time
|
||||
import uuid
|
||||
|
||||
try:
|
||||
from gssapi.exceptions import GSSError
|
||||
from ipalib import api
|
||||
from ipalib import errors
|
||||
from ipapython.ipautil import kinit_keytab
|
||||
from ipalib.install.kinit import kinit_keytab
|
||||
ipalib_imported = True
|
||||
except ImportError:
|
||||
# ipalib/ipapython are not available in PyPy yet, don't make it
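Review bot: The import of `kinit_keytab` from `ipalib.install.kinit` sits inside the `try` whose `except ImportError:` is commented as the PyPy case, so on a host whose FreeIPA only ships the `ipapython.ipautil` location the failure would look the same as ipalib being absent altogether. If the older location (shown just above the new one in this hunk) still has to be supported, a nested fallback keeps both working; if older IPA is deliberately dropped, a comment naming the minimum IPA version is enough. The `except` body continues outside the hunk, so what happens to `ipalib_imported` on failure is not visible here.

```python
try:
    # … unchanged: gssapi and ipalib imports …
    try:
        from ipalib.install.kinit import kinit_keytab
    except ImportError:
        # older FreeIPA keeps kinit_keytab in ipapython.ipautil
        from ipapython.ipautil import kinit_keytab
    ipalib_imported = True
```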
|
||||
|
|
|
@ -12,6 +12,8 @@
|
|||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
import json
|
||||
import six
|
||||
import subprocess
|
||||
import time
|
||||
|
||||
|
@ -166,6 +168,19 @@ class NovajoinScenarioTest(manager.ScenarioTest):
|
|||
result = self.ipa_client.show_cert(serial)['result']
|
||||
self.assertTrue(result['revoked'])
|
||||
|
||||
def get_compact_services(self, metadata):
|
||||
# compact key-per-service
|
||||
compact_services = {key.split('_', 2)[-1]: json.loads(value)
|
||||
for key, value in six.iteritems(metadata)
|
||||
if key.startswith('compact_service_')}
|
||||
if compact_services:
|
||||
return compact_services
|
||||
# legacy compact json format
|
||||
if 'compact_services' in metadata:
|
||||
return json.loads(metadata['compact_services'])
|
||||
|
||||
return None
|
||||
|
||||
def verify_compact_services(self, services, host, verify_certs=False):
|
||||
for (service, networks) in services.items():
|
||||
for network in networks:
|
||||
|
@ -176,21 +191,30 @@ class NovajoinScenarioTest(manager.ScenarioTest):
|
|||
self.verify_service(service, subhost, verify_certs)
|
||||
|
||||
def verify_service(self, service, host, verify_certs=False):
|
||||
LOG.debug("verifying: %s %s ", service, host)
|
||||
self.verify_host_registered_with_ipa(host, add_domain=False)
|
||||
self.verify_service_created(service, host)
|
||||
self.verify_service_managed_by_host(service, host)
|
||||
if verify_certs:
|
||||
self.verify_service_cert(service, host)
|
||||
LOG.debug("verified: %s %s ", service, host)
|
||||
|
||||
def verify_service_cert(self, service, host):
|
||||
LOG.debug("Verifying cert for %s %s", service, host)
|
||||
serial = self.get_service_cert(service, host)
|
||||
if (service == 'mysql' and host ==
|
||||
'overcloud-controller-0.internalapi.{domain}'.format(
|
||||
domain=self.ipa_client.domain)):
|
||||
|
||||
internal_controllers = ['{controller}.internalapi.{domain}'.format(
|
||||
controller=ctl, domain=self.ipa_client.domain) for ctl in
|
||||
CONF.novajoin.tripleo_controllers]
|
||||
|
||||
# TODO(alee) Need to understand why mysql is different
|
||||
if service == 'mysql' and host in internal_controllers:
|
||||
pass
|
||||
else:
|
||||
if serial is None:
|
||||
LOG.error("Cert NOT verified for %s %s", service, host)
|
||||
self.assertTrue(serial is not None)
|
||||
LOG.debug("Cert verified for %s %s", service, host)
|
||||
|
||||
def verify_managed_services(self, services, verify_certs=False):
|
||||
for principal in services:
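Review bot: In `verify_service_cert` the branch `if service == 'mysql' and host in internal_controllers:` ends in a bare `pass`, so for every controller in `CONF.novajoin.tripleo_controllers` the test succeeds without checking that a mysql certificate was issued, and the log gives no sign that the check was skipped. Judging by print order the exemption previously covered only `overcloud-controller-0`; widening it deserves at least `LOG.warning("Cert check skipped for %s %s", service, host)` in place of `pass`, and the TODO should state what would allow the exemption to be removed. In the other branch, `self.assertIsNotNone(serial, "no cert for %s %s" % (service, host))` would replace the separate `LOG.error` and `assertTrue(serial is not None)`. `verify_managed_services` at the end of the section continues outside the view.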
|
||||
|
|
|
@ -11,7 +11,6 @@
|
|||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
import ast
|
||||
|
||||
from novajoin_tempest_plugin.tests.scenario import novajoin_manager
|
||||
from oslo_log import log as logging
|
||||
|
@ -80,8 +79,7 @@ class TripleOTest(novajoin_manager.NovajoinScenarioTest):
|
|||
for host in hosts:
|
||||
metadata = self.servers_client.list_server_metadata(
|
||||
self.get_server_id(host))['metadata']
|
||||
services = metadata['compact_services']
|
||||
compact_services = ast.literal_eval(services)
|
||||
compact_services = self.get_compact_services(metadata)
|
||||
print(compact_services)
|
||||
self.verify_compact_services(
|
||||
services=compact_services,
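Review bot: `self.get_compact_services(metadata)` can return `None` when the server metadata has neither `compact_service_*` keys nor `compact_services`, and the result is passed straight to `verify_compact_services`, which (per the manager file on this page) iterates `services.items()`; a host with missing metadata would then fail with an `AttributeError` rather than a clear assertion. Adding `self.assertIsNotNone(compact_services, "no compact services metadata for %s" % host)` before the call makes that failure explicit. The `print(compact_services)` next to it would read better as `LOG.debug("compact services: %s", compact_services)`, assuming this module defines `LOG`. The `verify_compact_services(` call continues past the end of the hunk.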
|
||||
|
|
|
@ -132,15 +132,13 @@ class TripleOTLSTest(novajoin_manager.NovajoinScenarioTest):
|
|||
self.verify_overcloud_tls_connection(
|
||||
controller_ip=compute_ip,
|
||||
user='heat-admin',
|
||||
hostport="{host}:{port}".format(host=compute_ip,
|
||||
port=libvirt_port)
|
||||
hostport="{host}.internalapi.{domain}:{port}".format(
|
||||
host=compute,
|
||||
domain=self.ipa_client.domain,
|
||||
port=libvirt_port
|
||||
)
|
||||
)
|
||||
|
||||
def test_mysql_tls_setup(self):
|
||||
for controller in CONF.novajoin.tripleo_controllers:
|
||||
controller_ip = self.get_overcloud_server_ip(controller)
|
||||
self.verify_mysql_tls_connection('heat-admin', controller_ip)
|
||||
|
||||
def test_mysql_nova_connection_with_ssl(self):
|
||||
for controller in CONF.novajoin.tripleo_controllers:
|
||||
controller_ip = self.get_overcloud_server_ip(controller)
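Review bot: The new `hostport` builds its name from a literal `internalapi` label, and nothing beside it explains why the libvirt check moved from `compute_ip` to an FQDN while `controller_ip=compute_ip` is still passed. A short comment such as `# libvirt TLS is only reachable on the internalapi network; connect by FQDN` would record the reason, with the wording confirmed against the commit description's remark about which networks are accessible. The same `.internalapi.{domain}` pattern is also assembled in `verify_service_cert`, so a shared helper or constant would keep the two from drifting apart. Both the enclosing test and `test_mysql_nova_connection_with_ssl` extend beyond the hunk.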
|
||||
|
|