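def auto_initialize(cacert=None, validation_application='keystone', wait=True):
    """Auto initialize vault for testing.

    Unseal and authorize vault (via ``basic_setup``), have vault generate a
    CSR, sign that CSR with a throw-away root CA generated in-process, upload
    the signed intermediate plus root certificate to vault and, optionally,
    validate the resulting chain from a client application.

    The root CA private key (``cakey``) only ever exists in this process: it
    is handed to ``sign_csr`` and never written anywhere or uploaded, so the
    intermediate cannot be re-issued later. That is fine for a test
    deployment and is not suitable for anything else.

    :param cacert: Path to CA cert used for vault's api cert.
    :type cacert: str
    :param validation_application: Name of application to be used as a
                                   client for validation. A falsy value
                                   skips validation and the service
                                   restarts that follow it.
    :type validation_application: str
    :param wait: Block until agents are idle and applications reach their
                 ``target_deploy_status`` (up to 7200s) before validating.
    :type wait: bool
    :returns: None
    :rtype: None
    :raises AssertionError: if restarting the nova services on any unit
                            exits non-zero.
    """
    logging.info('Running auto_initialize')
    basic_setup(cacert=cacert, unseal_and_authorize=True)

    action = vault_utils.run_get_csr()
    intermediate_csr = action.data['results']['output']
    (cakey, cacertificate) = zaza.openstack.utilities.cert.generate_cert(
        'DivineAuthority',
        generate_ca=True)
    # generate_ca=True: the certificate issued to vault must itself be a CA
    # so vault can sign leaf certificates beneath it.
    intermediate_cert = zaza.openstack.utilities.cert.sign_csr(
        intermediate_csr,
        cakey.decode(),
        cacertificate.decode(),
        generate_ca=True)
    # Only the root *certificate* is uploaded; the key stays local.
    # allowed_domains bounds what vault may issue under this intermediate.
    # NOTE(review): the upload action's result is not inspected here; if
    # run_upload_signed_csr does not raise on failure, a bad upload only
    # surfaces later in validate_ca (or not at all when validation is
    # skipped) -- confirm against vault_utils.
    vault_utils.run_upload_signed_csr(
        pem=intermediate_cert,
        root_ca=cacertificate,
        allowed_domains='openstack.local')

    if wait:
        zaza.model.wait_for_agent_status()
        test_config = lifecycle_utils.get_charm_config(fatal=False)
        zaza.model.wait_for_application_states(
            states=test_config.get('target_deploy_status', {}),
            timeout=7200)

    if validation_application:
        validate_ca(cacertificate, application=validation_application)
        # Once validation has completed restart nova-compute to work around
        # bug #1826382
        cmd_map = {
            'nova-cloud-controller': ('systemctl restart '
                                      'nova-scheduler nova-conductor'),
            'nova-compute': 'systemctl restart nova-compute',
        }
        for app in ('nova-compute', 'nova-cloud-controller',):
            # Only the unit lookup is allowed to miss; previously the whole
            # restart loop sat inside this try, so a KeyError from a result
            # without a 'Code' entry was silently swallowed as "no units".
            try:
                units = zaza.model.get_units(app)
            except KeyError:
                # Nothing to do if the application is not in the model.
                continue
            for unit in units:
                result = zaza.model.run_on_unit(unit.entity_id, cmd_map[app])
                # Explicit raise instead of `assert`: asserts are stripped
                # under `python -O`, which would hide a failed restart.
                if int(result['Code']) != 0:
                    raise AssertionError(
                        'Restart of services on {} failed'.format(
                            unit.entity_id))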
def auto_initialize(cacert=None, validation_application='keystone'):
    """Auto initialize vault for testing.

    Unseal and authorize vault, ask it for a CSR, sign that CSR with a root
    CA generated in-process (``generate_ca=True`` so vault becomes an
    intermediate CA), upload the result and optionally validate the chain
    from a client application. The root key never leaves this process and
    is discarded on return.

    :param cacert: Path to CA cert used for vault's api cert.
    :type cacert: str
    :param validation_application: Name of application to be used as a
                                   client for validation; falsy skips
                                   validation.
    :type validation_application: str
    :returns: None
    :rtype: None
    """
    basic_setup(cacert=cacert, unseal_and_authorize=True)

    csr_action = vault_utils.run_get_csr()
    csr_pem = csr_action.data['results']['output']

    root_key, root_cert = zaza.openstack.utilities.cert.generate_cert(
        'DivineAuthority', generate_ca=True)
    signed_intermediate = zaza.openstack.utilities.cert.sign_csr(
        csr_pem, root_key.decode(), root_cert.decode(), generate_ca=True)
    # Only the root certificate goes to vault; issuance is limited to
    # the allowed domain.
    vault_utils.run_upload_signed_csr(
        pem=signed_intermediate,
        root_ca=root_cert,
        allowed_domains='openstack.local')

    if not validation_application:
        return
    validate_ca(root_cert, application=validation_application)
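def auto_initialize(cacert=None, validation_application='keystone'):
    """Auto initialize vault for testing.

    Unseal and authorize vault (via ``basic_setup``), have vault generate a
    CSR, sign that CSR with a throw-away root CA generated in-process, upload
    the signed intermediate plus root certificate to vault and, optionally,
    validate the resulting chain from a client application.

    The root CA private key only exists in this process; it is passed to
    ``sign_csr`` and never uploaded or persisted, so this is strictly a
    test-deployment helper.

    :param cacert: Path to CA cert used for vault's api cert.
    :type cacert: str
    :param validation_application: Name of application to be used as a
                                   client for validation. A falsy value
                                   skips validation and the nova-compute
                                   restart that follows it.
    :type validation_application: str
    :returns: None
    :rtype: None
    :raises AssertionError: if restarting nova-compute on any unit exits
                            non-zero.
    """
    basic_setup(cacert=cacert, unseal_and_authorize=True)

    action = vault_utils.run_get_csr()
    intermediate_csr = action.data['results']['output']
    (cakey, cacertificate) = zaza.openstack.utilities.cert.generate_cert(
        'DivineAuthority', generate_ca=True)
    # generate_ca=True: vault's certificate must itself be a CA so it can
    # issue leaf certificates beneath it.
    intermediate_cert = zaza.openstack.utilities.cert.sign_csr(
        intermediate_csr,
        cakey.decode(),
        cacertificate.decode(),
        generate_ca=True)
    # Only the root *certificate* is uploaded; allowed_domains bounds what
    # vault may issue under this intermediate.
    # NOTE(review): the upload action's result is not inspected; if
    # run_upload_signed_csr does not raise on failure, a bad upload only
    # surfaces in validate_ca -- confirm against vault_utils.
    vault_utils.run_upload_signed_csr(
        pem=intermediate_cert,
        root_ca=cacertificate,
        allowed_domains='openstack.local')

    if validation_application:
        validate_ca(cacertificate, application=validation_application)
        # Once validation has completed restart nova-compute to work around
        # bug #1826382
        cmd = 'systemctl restart nova-compute'
        # Only the unit lookup is allowed to miss; previously the restart
        # loop sat inside this try as well, so a KeyError from a result
        # without a 'Code' entry was silently treated as "no units".
        try:
            units = zaza.model.get_units('nova-compute')
        except KeyError:
            # Nothing to do if there are no nova-compute units.
            return
        for unit in units:
            result = zaza.model.run_on_unit(unit.entity_id, cmd)
            # Explicit raise instead of `assert`: asserts are stripped under
            # `python -O`, which would hide a failed restart.
            if int(result['Code']) != 0:
                raise AssertionError(
                    'Restart of nova-compute on {} failed'.format(
                        unit.entity_id))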
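    def test_csr(self):
        """Test generating a csr and uploading a signed certificate.

        Skips unless the vault charm exposes ``get-csr`` and a keystone
        application exists to act as the TLS client. Signs vault's CSR with
        an in-process root CA, uploads it, waits for keystone to receive the
        root certificate and for the model to settle, then makes an HTTPS
        request to keystone verified against that root only.

        :raises unittest.SkipTest: when the action or the client is absent.
        :raises requests.exceptions.SSLError: if keystone's chain does not
            validate up to the test root.
        """
        vault_actions = zaza.model.get_actions('vault')
        if 'get-csr' not in vault_actions:
            raise unittest.SkipTest('Action not defined')
        try:
            zaza.model.get_application('keystone')
        except KeyError:
            raise unittest.SkipTest('No client to test csr')
        # The root token is a test fixture; it is only used here to
        # authorize the charm so the CSR actions are permitted.
        vault_utils.run_charm_authorize(self.vault_creds['root_token'])
        action = vault_utils.run_get_csr()

        intermediate_csr = action.data['results']['output']
        (cakey, cacert) = zaza.openstack.utilities.cert.generate_cert(
            'DivineAuthority', generate_ca=True)
        # generate_ca=True: vault's certificate must itself be a CA.
        intermediate_cert = zaza.openstack.utilities.cert.sign_csr(
            intermediate_csr,
            cakey.decode(),
            cacert.decode(),
            generate_ca=True)
        # Only the root certificate is uploaded; the key stays in-process.
        vault_utils.run_upload_signed_csr(
            pem=intermediate_cert,
            root_ca=cacert,
            allowed_domains='openstack.local')

        test_config = lifecycle_utils.get_charm_config()
        # Match the sibling test: vault may already be absent from the
        # target states, which previously raised KeyError here.
        try:
            del test_config['target_deploy_status']['vault']
        except KeyError:
            # Already removed
            pass
        zaza.model.block_until_file_has_contents(
            'keystone',
            zaza.openstack.utilities.openstack.KEYSTONE_REMOTE_CACERT,
            cacert.decode().strip())
        zaza.model.wait_for_application_states(
            states=test_config.get('target_deploy_status', {}))
        ip = zaza.model.get_app_ips('keystone')[0]
        with tempfile.NamedTemporaryFile(mode='w') as fp:
            fp.write(cacert.decode())
            fp.flush()
            # verify=<test root only>: the assertion here is the TLS
            # handshake -- requests raises SSLError when the presented
            # chain does not validate up to this root. The HTTP status of
            # the response is not checked.
            requests.get('https://{}:5000'.format(ip), verify=fp.name)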
    def test_csr(self):
        """Test generating a csr and uploading a signed certificate.

        Skips unless the vault charm exposes ``get-csr`` and a keystone
        application is present to act as the client. Authorizes the charm
        with the test root token, signs vault's CSR with an in-process root
        CA (``generate_ca=True`` so vault becomes an intermediate), uploads
        it, waits for the model to settle and then validates the CA via
        ``vault_utils.validate_ca``.

        :raises unittest.SkipTest: when the action or the client is absent.
        """
        if 'get-csr' not in zaza.model.get_actions('vault'):
            raise unittest.SkipTest('Action not defined')
        try:
            zaza.model.get_application('keystone')
        except KeyError:
            raise unittest.SkipTest('No client to test csr')

        # Root token is a test fixture used solely to permit the actions.
        vault_utils.run_charm_authorize(self.vault_creds['root_token'])
        csr_pem = vault_utils.run_get_csr().data['results']['output']

        root_key, root_cert = zaza.openstack.utilities.cert.generate_cert(
            'DivineAuthority', generate_ca=True)
        signed_intermediate = zaza.openstack.utilities.cert.sign_csr(
            csr_pem, root_key.decode(), root_cert.decode(), generate_ca=True)
        # Root certificate only is uploaded; the key never leaves here.
        vault_utils.run_upload_signed_csr(
            pem=signed_intermediate,
            root_ca=root_cert,
            allowed_domains='openstack.local')

        target_states = lifecycle_utils.get_charm_config().get(
            'target_deploy_status', {})
        # Vault has no target state to wait on; tolerate it already gone.
        target_states.pop('vault', None)
        zaza.model.wait_for_application_states(states=target_states)

        vault_utils.validate_ca(root_cert)
     wl_statuses['designate'] = {
         'workload-status-message': """'coordinator-memcached' missing""",
         'workload-status': 'blocked'}
 logging.info("Waiting for statuses with exceptions ...")
 model.wait_for_application_states(
     states=wl_statuses)
 certificate_directory = mojo_utils.get_local_certificate_directory()
 certfile = mojo_utils.get_overcloud_cacert_file()
 logging.info("Vault setup basic ...")
 vault_setup.basic_setup(cacert=certfile)
 clients = vault_utils.get_clients(cacert=certfile)
 vault_creds = vault_utils.get_credentails()
 vault_utils.unseal_all(clients, vault_creds['keys'][0])
 action = vault_utils.run_charm_authorize(
     vault_creds['root_token'])
 action = vault_utils.run_get_csr()
 intermediate_csr = action.data['results']['output']
 with open(os.path.join(certificate_directory, 'ca.key'), 'rb') as f:
     cakey = f.read()
 with open(os.path.join(certificate_directory, 'cacert.pem'), 'rb') as f:
     cacert = f.read()
 intermediate_cert = zaza.openstack.utilities.cert.sign_csr(
     intermediate_csr,
     cakey.decode(),
     cacert.decode(),
     generate_ca=True)
 action = vault_utils.run_upload_signed_csr(
     pem=intermediate_cert,
     root_ca=cacert,
     allowed_domains='openstack.local')
 del wl_statuses['vault']