Update for new IPAClient

IPA code has changed requiring changes to update module paths.
Also, tripleo has improved security and changed which networks are
accessible, and requiring password authentication for mysql.
Also, the format for compact_services has changed.

Change-Id: If899dda3950a8020ac1c3e8263a38a3bdcccd325

novajoin_tempest_plugin/ipa/ipa_client.py

@@ -16,12 +16,11 @@
 import os
 import time
 import uuid
-
 try:
     from gssapi.exceptions import GSSError
     from ipalib import api
     from ipalib import errors
-    from ipapython.ipautil import kinit_keytab
+    from ipalib.install.kinit import kinit_keytab
     ipalib_imported = True
 except ImportError:
     # ipalib/ipapython are not available in PyPy yet, don't make it

novajoin_tempest_plugin/tests/scenario/novajoin_manager.py

@@ -12,6 +12,8 @@
 #    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
 #    License for the specific language governing permissions and limitations
 #    under the License.
+import json
+import six
 import subprocess
 import time
 
@@ -166,6 +168,19 @@ class NovajoinScenarioTest(manager.ScenarioTest):
         result = self.ipa_client.show_cert(serial)['result']
         self.assertTrue(result['revoked'])
 
+    def get_compact_services(self, metadata):
+        # compact key-per-service
+        compact_services = {key.split('_', 2)[-1]: json.loads(value)
+                            for key, value in six.iteritems(metadata)
+                            if key.startswith('compact_service_')}
+        if compact_services:
+            return compact_services
+        # legacy compact json format
+        if 'compact_services' in metadata:
+            return json.loads(metadata['compact_services'])
+
+        return None
+
     def verify_compact_services(self, services, host, verify_certs=False):
         for (service, networks) in services.items():
             for network in networks:
@@ -176,21 +191,30 @@ class NovajoinScenarioTest(manager.ScenarioTest):
                 self.verify_service(service, subhost, verify_certs)
 
     def verify_service(self, service, host, verify_certs=False):
+        LOG.debug("verifying: %s %s ", service, host)
         self.verify_host_registered_with_ipa(host, add_domain=False)
         self.verify_service_created(service, host)
         self.verify_service_managed_by_host(service, host)
         if verify_certs:
             self.verify_service_cert(service, host)
+        LOG.debug("verified: %s %s ", service, host)
 
     def verify_service_cert(self, service, host):
         LOG.debug("Verifying cert for %s %s", service, host)
         serial = self.get_service_cert(service, host)
-        if (service == 'mysql' and host ==
-                'overcloud-controller-0.internalapi.{domain}'.format(
-                domain=self.ipa_client.domain)):
+
+        internal_controllers = ['{controller}.internalapi.{domain}'.format(
+            controller=ctl, domain=self.ipa_client.domain) for ctl in
+            CONF.novajoin.tripleo_controllers]
+
+        # TODO(alee) Need to understand why mysql is different
+        if service == 'mysql' and host in internal_controllers:
             pass
         else:
+            if serial is None:
+                LOG.error("Cert NOT verified for %s %s", service, host)
             self.assertTrue(serial is not None)
+        LOG.debug("Cert verified for %s %s", service, host)
 
     def verify_managed_services(self, services, verify_certs=False):
         for principal in services:

novajoin_tempest_plugin/tests/scenario/test_tripleo_deployment.py

@@ -11,7 +11,6 @@
 # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
 # License for the specific language governing permissions and limitations
 # under the License.
-import ast
 
 from novajoin_tempest_plugin.tests.scenario import novajoin_manager
 from oslo_log import log as logging
@@ -80,8 +79,7 @@ class TripleOTest(novajoin_manager.NovajoinScenarioTest):
         for host in hosts:
             metadata = self.servers_client.list_server_metadata(
                 self.get_server_id(host))['metadata']
-            services = metadata['compact_services']
-            compact_services = ast.literal_eval(services)
+            compact_services = self.get_compact_services(metadata)
             print(compact_services)
             self.verify_compact_services(
                 services=compact_services,

novajoin_tempest_plugin/tests/scenario/test_tripleo_tls.py

@@ -132,15 +132,13 @@ class TripleOTLSTest(novajoin_manager.NovajoinScenarioTest):
             self.verify_overcloud_tls_connection(
                 controller_ip=compute_ip,
                 user='heat-admin',
-                hostport="{host}:{port}".format(host=compute_ip,
-                                                port=libvirt_port)
+                hostport="{host}.internalapi.{domain}:{port}".format(
+                    host=compute,
+                    domain=self.ipa_client.domain,
+                    port=libvirt_port
+                )
             )
 
-    def test_mysql_tls_setup(self):
-        for controller in CONF.novajoin.tripleo_controllers:
-            controller_ip = self.get_overcloud_server_ip(controller)
-            self.verify_mysql_tls_connection('heat-admin', controller_ip)
-
     def test_mysql_nova_connection_with_ssl(self):
         for controller in CONF.novajoin.tripleo_controllers:
             controller_ip = self.get_overcloud_server_ip(controller)