changes to fix tripleo tests

1. for compact_services, some services that were not ssl enabled
   are now enabled.  Updated TLS_EXCEPTIONS
2. haproxy.stats is only accessible on localhost on the node that
   had the stats vip.  Check to make sure we have this controller
   before checking connections.
3. certs are only issued for networks that are defined for a controller.
   Therefore do not check for the cert to be issued or tracked if the
   network is not enabled for that controller.

Change-Id: Ied35638bcbdff2260c2c4bb5d6c84329d6894ab1
This commit is contained in:
Ade Lee 2019-02-24 15:17:40 -05:00
parent 3f38833cd4
commit 0b5d1a1a12
3 changed files with 56 additions and 16 deletions


@ -181,26 +181,38 @@ class NovajoinScenarioTest(manager.ScenarioTest):
return None return None
def verify_compact_services(self, services, host, verify_certs=False): def verify_compact_services(self, services, host,
host_ip, verify_certs=False):
for (service, networks) in services.items(): for (service, networks) in services.items():
for network in networks: for network in networks:
subhost = '{host}.{network}.{domain}'.format( subhost = '{host}.{network}.{domain}'.format(
host=host, network=network, domain=self.ipa_client.domain host=host, network=network, domain=self.ipa_client.domain
) )
LOG.debug("SUBHOST: %s", subhost) LOG.debug("SUBHOST: %s", subhost)
self.verify_service(service, subhost, verify_certs) self.verify_service(service, subhost, host_ip,
verify_certs, network)
def verify_service(self, service, host, verify_certs=False): def verify_service(self, service, host, host_ip,
LOG.debug("verifying: %s %s ", service, host) verify_certs=False, network=False):
LOG.debug("verifying: %s %s", service, host)
if network:
LOG.debug("verifying network %s", network)
self.verify_host_registered_with_ipa(host, add_domain=False) self.verify_host_registered_with_ipa(host, add_domain=False)
self.verify_service_created(service, host) self.verify_service_created(service, host)
self.verify_service_managed_by_host(service, host) self.verify_service_managed_by_host(service, host)
if verify_certs: if verify_certs:
self.verify_service_cert(service, host) self.verify_service_cert(service, host, host_ip, network)
LOG.debug("verified: %s %s ", service, host) LOG.debug("verified: %s %s ", service, host)
def verify_service_cert(self, service, host): def verify_service_cert(self, service, host, host_ip, network=None):
LOG.debug("Verifying cert for %s %s", service, host) LOG.debug("Verifying cert for %s %s", service, host)
if not self.network_defined(host, network, host_ip):
# if the network is not enabled for this host
# no cert will be requested
LOG.debug("No network defined for {network} on {host}.".format(
network=network, host=host))
return
serial = self.get_service_cert(service, host) serial = self.get_service_cert(service, host)
internal_controllers = ['{controller}.internalapi.{domain}'.format( internal_controllers = ['{controller}.internalapi.{domain}'.format(
@ -216,6 +228,17 @@ class NovajoinScenarioTest(manager.ScenarioTest):
self.assertTrue(serial is not None) self.assertTrue(serial is not None)
LOG.debug("Cert verified for %s %s", service, host) LOG.debug("Cert verified for %s %s", service, host)
def network_defined(self, host, network, host_ip):
"""Confirm network is defined on host."""
if network == 'internalapi':
network = 'internal_api'
if network == 'storagemgmt':
network = 'storage_mgmt'
cmd = ('sudo hiera -c /etc/puppet/hiera.yaml fqdn_{network}'.format(
network=network))
result = self.execute_on_controller('heat-admin', host_ip, cmd)
return result.strip() != 'nil'
def verify_managed_services(self, services, verify_certs=False): def verify_managed_services(self, services, verify_certs=False):
for principal in services: for principal in services:
service = principal.split('/', 1)[0] service = principal.split('/', 1)[0]
@ -228,6 +251,12 @@ class NovajoinScenarioTest(manager.ScenarioTest):
'-connect {hostport} -tls1_2'.format(hostport=hostport)) '-connect {hostport} -tls1_2'.format(hostport=hostport))
self.execute_on_controller(user, controller_ip, cmd) self.execute_on_controller(user, controller_ip, cmd)
def get_pcs_node(self, vip, controller_ip, user, hostport):
"""Get controller node that hosts vip"""
cmd = ('sudo pcs status |grep {vip}| '
'sed \'s/.*Started \(.*\)/\\1/\''.format(vip=vip))
return self.execute_on_controller(user, controller_ip, cmd).strip()
def get_server_id(self, name): def get_server_id(self, name):
params = {'all_tenants': '', 'name': name} params = {'all_tenants': '', 'name': name}
resp = self.servers_client.list_servers(detail=True, **params) resp = self.servers_client.list_servers(detail=True, **params)
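Review bot: `network_defined` splices `network` unquoted into a `sudo hiera ...` command string that is run on the controller, and `get_pcs_node` does the same with `vip` inside a `grep`/`sed` pipeline; both values come from server metadata and from `get_hostport` output rather than from the test file itself, so they should be quoted at the point of use, e.g. `cmd = 'sudo hiera -c /etc/puppet/hiera.yaml {}'.format(shlex.quote('fqdn_' + network))` with `shlex` imported at the top of the file. `verify_service` defaults `network` to `False` while `verify_service_cert` defaults it to `None`; with `verify_certs=True` and no network supplied, `network_defined` would query `fqdn_False`, so the two defaults should agree (`network=None`) and `verify_service_cert` should return early when `network` is unset. `get_pcs_node` accepts a `hostport` parameter it never uses, and its `grep {vip}` is a substring match, so an address like 10.0.0.5 would presumably also match 10.0.0.50 in the `pcs status` output — `grep -w` or an anchored pattern would make it exact. `verify_service` also gains a required positional `host_ip` parameter; any caller outside this hunk that still passes `verify_certs` positionally (the body of `verify_managed_services` is cut off at the hunk boundary) would now bind it to `host_ip`.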


@ -77,13 +77,15 @@ class TripleOTest(novajoin_manager.NovajoinScenarioTest):
hosts = list(CONF.novajoin.tripleo_controllers) hosts = list(CONF.novajoin.tripleo_controllers)
hosts.extend(CONF.novajoin.tripleo_computes) hosts.extend(CONF.novajoin.tripleo_computes)
for host in hosts: for host in hosts:
host_ip = self.get_overcloud_server_ip(host)
metadata = self.servers_client.list_server_metadata( metadata = self.servers_client.list_server_metadata(
self.get_server_id(host))['metadata'] self.get_server_id(host))['metadata']
compact_services = self.get_compact_services(metadata) compact_services = self.get_compact_services(metadata)
print(compact_services) LOG.debug(compact_services)
self.verify_compact_services( self.verify_compact_services(
services=compact_services, services=compact_services,
host=host, host=host,
host_ip=host_ip,
verify_certs=True verify_certs=True
) )
@ -93,7 +95,7 @@ class TripleOTest(novajoin_manager.NovajoinScenarioTest):
self.get_server_id(host))['metadata'] self.get_server_id(host))['metadata']
managed_services = [metadata[key] for key in metadata.keys() managed_services = [metadata[key] for key in metadata.keys()
if key.startswith('managed_service_')] if key.startswith('managed_service_')]
print(managed_services) LOG.debug(managed_services)
self.verify_managed_services( self.verify_managed_services(
services=managed_services, services=managed_services,
verify_certs=True) verify_certs=True)
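Review bot: `LOG.debug(compact_services)` (and `LOG.debug(managed_services)` in the second hunk of this file) passes the dict or list as the log message itself, whereas the rest of the code logs with a format string and lazy arguments, e.g. `LOG.debug("SUBHOST: %s", subhost)`. Writing it as `LOG.debug("compact_services: %s", compact_services)` keeps the message greppable and matches that convention. The enclosing test method starts before the hunk.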


@ -20,14 +20,7 @@ from tempest import config
CONF = config.CONF CONF = config.CONF
LOG = logging.getLogger(__name__) LOG = logging.getLogger(__name__)
TLS_EXCEPTIONS = [ TLS_EXCEPTIONS = []
("nova_novncproxy", "6080"),
("redis", "6379"),
("nova_metadata", "8775"),
("mysql", "3306"),
("haproxy.stats", "1993"),
("horizon", "80")
]
NOVADB_USER = 'nova::db::mysql::user' NOVADB_USER = 'nova::db::mysql::user'
NOVADB_HOST = 'nova::db::mysql::host' NOVADB_HOST = 'nova::db::mysql::host'
@ -90,6 +83,7 @@ class TripleOTLSTest(novajoin_manager.NovajoinScenarioTest):
for param in params: for param in params:
print(param) print(param)
hostport = self.get_hostport(param) hostport = self.get_hostport(param)
host_ip = re.search('(\S*):\d*', hostport).group(1)
port = re.search('\S*:(\d*)', hostport).group(1) port = re.search('\S*:(\d*)', hostport).group(1)
if "ssl" not in param: if "ssl" not in param:
if (tag, port) in TLS_EXCEPTIONS: if (tag, port) in TLS_EXCEPTIONS:
@ -97,6 +91,21 @@ class TripleOTLSTest(novajoin_manager.NovajoinScenarioTest):
continue continue
self.assertTrue("ssl" in param) self.assertTrue("ssl" in param)
if tag == 'haproxy.stats':
# haproxy.stats is supposed to be accessible
# only to localhost - ie. the controller that
# contains the vip
vip_node = self.get_pcs_node(
host_ip, controller_ip, 'heat-admin', hostport)
print("vip_node={vip_node}".format(vip_node=vip_node))
if controller != vip_node:
print("Stats VIP not on controller: {ctl}".format(
ctl=controller))
continue
self.verify_overcloud_tls_connection( self.verify_overcloud_tls_connection(
controller_ip=controller_ip, controller_ip=controller_ip,
user='heat-admin', user='heat-admin',