def test_zones_referenced_in_placement_constraints():
sdk_install.uninstall(config.PACKAGE_NAME, config.SERVICE_NAME)
sdk_install.install(
config.PACKAGE_NAME,
config.SERVICE_NAME,
config.DEFAULT_TASK_COUNT,
additional_options={
"master_nodes": {
"placement": "[[\"@zone\", \"GROUP_BY\"]]"
},
"data_nodes": {
"placement": "[[\"@zone\", \"GROUP_BY\"]]"
},
"ingest_nodes": {
"placement": "[[\"@zone\", \"GROUP_BY\"]]"
},
"coordinator_nodes": {
"placement": "[[\"@zone\", \"GROUP_BY\"]]"
}
})
nodes_info = config.get_elasticsearch_nodes_info(
service_name=config.SERVICE_NAME)
for node_uid, node in nodes_info["nodes"].items():
assert "zone" == sdk_utils.get_in([
"settings", "cluster", "routing", "allocation", "awareness",
"attributes"
], node)
assert sdk_fault_domain.is_valid_zone(
sdk_utils.get_in(["attributes", "zone"], node))
sdk_install.uninstall(config.PACKAGE_NAME, config.SERVICE_NAME)
def test_zones_referenced_in_placement_constraints():
sdk_install.uninstall(config.PACKAGE_NAME, config.SERVICE_NAME)
sdk_install.install(config.PACKAGE_NAME,
config.SERVICE_NAME,
config.DEFAULT_TASK_COUNT,
additional_options={
"master_nodes": {
"placement": "@zone:GROUP_BY"
},
"data_nodes": {
"placement": "@zone:GROUP_BY"
},
"ingest_nodes": {
"placement": "@zone:GROUP_BY"
},
"coordinator_nodes": {
"placement": "@zone:GROUP_BY"
}
})
nodes_info = config.get_elasticsearch_nodes_info(
service_name=config.SERVICE_NAME)
for node_uid, node in nodes_info["nodes"].items():
assert "zone" == get_in([
"settings", "cluster", "routing", "allocation", "awareness",
"attributes"
], node)
assert sdk_fault_domain.is_valid_zone(
get_in(["attributes", "zone"], node))
sdk_install.uninstall(config.PACKAGE_NAME, config.SERVICE_NAME)
def test_detect_zones_disabled_by_default():
sdk_install.uninstall(config.PACKAGE_NAME, config.SERVICE_NAME)
sdk_install.install(config.PACKAGE_NAME, config.SERVICE_NAME,
config.DEFAULT_TASK_COUNT)
nodes_info = config.get_elasticsearch_nodes_info(
service_name=config.SERVICE_NAME)
for node_uid, node in nodes_info["nodes"].items():
assert None == get_in([
"settings", "cluster", "routing", "allocation", "awareness",
"attributes"
], node)
assert None == get_in(["attributes", "zone"], node)
sdk_install.uninstall(config.PACKAGE_NAME, config.SERVICE_NAME)
def cleanup(args):
input_filename = args["<output_file>"]
log.info("Reading service definition from %s", input_filename)
with open(input_filename) as fp:
services = json.load(fp)
for k, services in services.items():
log.info("Processing cleanup of %s", k)
for s in services:
service_name = s["service"]["name"]
log.info("Uninstalling %s with name %s", s["package_name"],
service_name)
sdk_install.uninstall(s["package_name"], service_name)
service_account = sdk_utils.get_in(["service", "service_account"],
s)
if service_account:
log.info("Removing service accounts and secrets")
sdk_security.cleanup_security(service_name,
s["service_account_info"])
def test_zones_not_referenced_in_placement_constraints():
sdk_install.uninstall(config.PACKAGE_NAME, config.SERVICE_NAME)
sdk_install.install(config.PACKAGE_NAME, config.SERVICE_NAME,
config.DEFAULT_TASK_COUNT)
nodes_info = config.get_elasticsearch_nodes_info(
service_name=config.SERVICE_NAME)
for node_uid, node in nodes_info["nodes"].items():
assert None == sdk_utils.get_in([
"settings", "cluster", "routing", "allocation", "awareness",
"attributes"
], node)
assert None == sdk_utils.get_in(["attributes", "zone"], node)
sdk_install.uninstall(config.PACKAGE_NAME, config.SERVICE_NAME)
def test_tls_ciphers(kafka_service_tls):
task_name = 'kafka-0-broker'
endpoint = sdk_cmd.svc_cli(
config.PACKAGE_NAME,
config.SERVICE_NAME,
'endpoints {}'.format(BROKER_TLS_ENDPOINT),
json=True)['dns'][0]
ciphers_config_path = ['service', 'security', 'transport_encryption', 'ciphers']
expected_ciphers = set(sdk_utils.get_in(ciphers_config_path, sdk_cmd.svc_cli(
config.PACKAGE_NAME,
config.SERVICE_NAME,
'describe',
json=True), '').rstrip().split(','))
possible_ciphers = set(map(cipher_suites.rfc_name, sdk_security.openssl_ciphers()))
enabled_ciphers = set()
assert expected_ciphers, 'Expected ciphers should be non-empty'
assert possible_ciphers, 'Possible ciphers should be non-empty'
sdk_cmd.service_task_exec(config.SERVICE_NAME, task_name, 'openssl version') # Output OpenSSL version.
print("\nExpected ciphers:")
print("\n".join(sdk_utils.sort(list(expected_ciphers))))
print("\n{} ciphers will be checked:".format(len(possible_ciphers)))
print("\n".join(sdk_utils.sort(list(possible_ciphers))))
for cipher in possible_ciphers:
openssl_cipher = cipher_suites.openssl_name(cipher)
if sdk_security.is_cipher_enabled(config.SERVICE_NAME, task_name, openssl_cipher, endpoint):
enabled_ciphers.add(cipher)
print('{} ciphers enabled out of {}:'.format(len(enabled_ciphers), len(possible_ciphers)))
print("\n".join(sdk_utils.sort(list(enabled_ciphers))))
assert expected_ciphers == enabled_ciphers, "Enabled ciphers should match expected ciphers"
def test_zones_not_referenced_in_placement_constraints():
sdk_install.uninstall(config.PACKAGE_NAME, config.SERVICE_NAME)
sdk_install.install(config.PACKAGE_NAME, config.SERVICE_NAME,
config.DEFAULT_TASK_COUNT)
nodes_info = config.get_elasticsearch_nodes_info(
service_name=config.SERVICE_NAME)
for node_uid, node in nodes_info["nodes"].items():
assert None == sdk_utils.get_in([
"settings", "cluster", "routing", "allocation", "awareness",
"attributes"
], node)
assert None == sdk_utils.get_in(["attributes", "zone"], node)
sdk_install.uninstall(config.PACKAGE_NAME, config.SERVICE_NAME)
def test_detect_zones_enabled():
sdk_install.uninstall(config.PACKAGE_NAME, config.SERVICE_NAME)
sdk_install.install(config.PACKAGE_NAME,
config.SERVICE_NAME,
config.DEFAULT_TASK_COUNT,
additional_options={"service": {
"detect_zones": True
}})
nodes_info = config.get_elasticsearch_nodes_info(
service_name=config.SERVICE_NAME)
for node_uid, node in nodes_info["nodes"].items():
assert "zone" == get_in([
"settings", "cluster", "routing", "allocation", "awareness",
"attributes"
], node)
assert sdk_fault_domain.is_valid_zone(
get_in(["attributes", "zone"], node))
sdk_install.uninstall(config.PACKAGE_NAME, config.SERVICE_NAME)
def test_tls_ciphers(kafka_service):
task_name = "kafka-0-broker"
endpoint = sdk_networks.get_endpoint(config.PACKAGE_NAME,
config.SERVICE_NAME,
BROKER_TLS_ENDPOINT)["dns"][0]
ciphers_config_path = [
"service", "security", "transport_encryption", "ciphers"
]
rc, stdout, _ = sdk_cmd.svc_cli(config.PACKAGE_NAME, config.SERVICE_NAME,
"describe")
assert rc == 0, "Describe command failed"
expected_ciphers = set(
sdk_utils.get_in(
ciphers_config_path,
json.loads(stdout),
"",
).rstrip().split(","))
openssl_ciphers = sdk_security.openssl_ciphers()
missing_openssl_ciphers = cipher_suites.missing_openssl_ciphers(
openssl_ciphers)
possible_openssl_ciphers = openssl_ciphers - missing_openssl_ciphers
enabled_ciphers = set()
assert openssl_ciphers, "OpenSSL ciphers should be non-empty"
assert expected_ciphers, "Expected ciphers should be non-empty"
assert possible_openssl_ciphers, "Possible OpenSSL ciphers should be non-empty"
# Output OpenSSL version.
sdk_cmd.service_task_exec(config.SERVICE_NAME, task_name,
"openssl version")
log.warning("\n%s OpenSSL ciphers missing from the cipher_suites module:",
len(missing_openssl_ciphers))
log.warning("\n".join(to_sorted(list(missing_openssl_ciphers))))
log.info("\n%s expected ciphers:", len(expected_ciphers))
log.info("\n".join(to_sorted(list(expected_ciphers))))
log.info("\n%s ciphers will be checked:", len(possible_openssl_ciphers))
for openssl_cipher in to_sorted(list(possible_openssl_ciphers)):
log.info("%s (%s)", cipher_suites.rfc_name(openssl_cipher),
openssl_cipher)
for openssl_cipher in possible_openssl_ciphers:
if sdk_security.is_cipher_enabled(config.SERVICE_NAME, task_name,
openssl_cipher, endpoint):
enabled_ciphers.add(cipher_suites.rfc_name(openssl_cipher))
log.info("%s ciphers enabled out of %s:", len(enabled_ciphers),
len(possible_openssl_ciphers))
log.info("\n".join(to_sorted(list(enabled_ciphers))))
assert expected_ciphers == enabled_ciphers, "Enabled ciphers should match expected ciphers"
def test_tls_ciphers(kafka_service_tls):
task_name = 'kafka-0-broker'
endpoint = sdk_cmd.svc_cli(config.PACKAGE_NAME,
config.SERVICE_NAME,
'endpoints {}'.format(BROKER_TLS_ENDPOINT),
json=True)['dns'][0]
ciphers_config_path = [
'service', 'security', 'transport_encryption', 'ciphers'
]
expected_ciphers = set(
sdk_utils.get_in(
ciphers_config_path,
sdk_cmd.svc_cli(config.PACKAGE_NAME,
config.SERVICE_NAME,
'describe',
json=True), '').rstrip().split(','))
openssl_ciphers = sdk_security.openssl_ciphers()
missing_openssl_ciphers = cipher_suites.missing_openssl_ciphers(
openssl_ciphers)
possible_openssl_ciphers = openssl_ciphers - missing_openssl_ciphers
enabled_ciphers = set()
assert openssl_ciphers, 'OpenSSL ciphers should be non-empty'
assert expected_ciphers, 'Expected ciphers should be non-empty'
assert possible_openssl_ciphers, 'Possible OpenSSL ciphers should be non-empty'
sdk_cmd.service_task_exec(config.SERVICE_NAME, task_name,
'openssl version') # Output OpenSSL version.
log.warning("\n%s OpenSSL ciphers missing from the cipher_suites module:",
len(missing_openssl_ciphers))
log.warning("\n".join(sdk_utils.sort(list(missing_openssl_ciphers))))
log.info("\n%s expected ciphers:", len(expected_ciphers))
log.info("\n".join(sdk_utils.sort(list(expected_ciphers))))
log.info("\n%s ciphers will be checked:", len(possible_openssl_ciphers))
for openssl_cipher in sdk_utils.sort(list(possible_openssl_ciphers)):
log.info("%s (%s)", cipher_suites.rfc_name(openssl_cipher),
openssl_cipher)
for openssl_cipher in possible_openssl_ciphers:
if sdk_security.is_cipher_enabled(config.SERVICE_NAME, task_name,
openssl_cipher, endpoint):
enabled_ciphers.add(cipher_suites.rfc_name(openssl_cipher))
log.info('%s ciphers enabled out of %s:', len(enabled_ciphers),
len(possible_openssl_ciphers))
log.info("\n".join(sdk_utils.sort(list(enabled_ciphers))))
assert expected_ciphers == enabled_ciphers, "Enabled ciphers should match expected ciphers"
def _get_pod_count(service_options: dict, pod_name: str, default: int) -> int:
"""
Return the count of the specified pod name if present in the service config.
Return the default value otherwise.
"""
return int(sdk_utils.get_in([pod_name, 'count'], service_options, default))