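def auto_initialize(cacert=None, validation_application='keystone', wait=True):
    """Auto initialize vault for testing.

    Generate a csr and uploading a signed certificate. In a stack that
    includes and relies on certificates in vault, initialize vault by
    unsealing and creating a certificate authority.

    :param cacert: Path to CA cert used for vault's api cert.
    :type cacert: str
    :param validation_application: Name of application to be used as a
                                   client for validation.
    :type validation_application: str
    :param wait: Wait for agent status and for the application states
                 listed under ``target_deploy_status`` in the charm config
                 (up to 7200s) after the signed CSR has been uploaded.
    :type wait: bool
    :returns: None
    :rtype: None
    :raises AssertionError: if restarting the nova services on a unit
                            returns a non-zero exit code.
    """
    logging.info('Running auto_initialize')
    basic_setup(cacert=cacert, unseal_and_authorize=True)
    action = vault_utils.run_get_csr()
    intermediate_csr = action.data['results']['output']
    # The root CA created here is a throwaway, test-only authority: its
    # private key exists only in this process and is used once, to sign
    # vault's intermediate CSR.
    (cakey, cacertificate) = zaza.openstack.utilities.cert.generate_cert(
        'DivineAuthority',
        generate_ca=True)
    intermediate_cert = zaza.openstack.utilities.cert.sign_csr(
        intermediate_csr,
        cakey.decode(),
        cacertificate.decode(),
        generate_ca=True)
    # Return value of the upload action is not used.
    vault_utils.run_upload_signed_csr(
        pem=intermediate_cert,
        root_ca=cacertificate,
        allowed_domains='openstack.local')
    if wait:
        zaza.model.wait_for_agent_status()
        test_config = lifecycle_utils.get_charm_config(fatal=False)
        zaza.model.wait_for_application_states(
            states=test_config.get('target_deploy_status', {}),
            timeout=7200)
    if validation_application:
        validate_ca(cacertificate, application=validation_application)
    # Once validation has completed restart nova-compute to work around
    # bug #1826382
    cmd_map = {
        'nova-cloud-controller': ('systemctl restart '
                                  'nova-scheduler nova-conductor'),
        'nova-compute': 'systemctl restart nova-compute',
    }
    for app in ('nova-compute', 'nova-cloud-controller',):
        cmd = cmd_map[app]
        # Only the unit lookup is allowed to fail with KeyError (presumably
        # raised when the application is not in the model -- confirm against
        # zaza.model.get_units); a KeyError coming from the action result
        # must not be silently swallowed.
        try:
            units = zaza.model.get_units(app)
        except KeyError:
            # Nothing todo if there are no app units
            continue
        for unit in units:
            result = zaza.model.run_on_unit(unit.entity_id, cmd)
            # Explicit raise instead of ``assert`` so the check is not
            # stripped under ``python -O``; same exception type as before.
            if int(result['Code']) != 0:
                raise AssertionError(
                    'Restart of services on {} failed'.format(
                        unit.entity_id))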
def auto_initialize(cacert=None, validation_application='keystone'):
    """Auto initialize vault for testing.

    Generate a csr and uploading a signed certificate. In a stack that
    includes and relies on certificates in vault, initialize vault by
    unsealing and creating a certificate authority.

    :param cacert: Path to CA cert used for vault's api cert.
    :type cacert: str
    :param validation_application: Name of application to be used as a
                                   client for validation.
    :type validation_application: str
    :returns: None
    :rtype: None
    """
    basic_setup(cacert=cacert, unseal_and_authorize=True)
    # Fetch the intermediate CSR that vault wants signed.
    csr_action = vault_utils.run_get_csr()
    csr_pem = csr_action.data['results']['output']
    # Throwaway root CA used only to sign that CSR.
    root_key, root_cert = zaza.openstack.utilities.cert.generate_cert(
        'DivineAuthority', generate_ca=True)
    signed_intermediate = zaza.openstack.utilities.cert.sign_csr(
        csr_pem, root_key.decode(), root_cert.decode(), generate_ca=True)
    # The upload action's result is not needed.
    vault_utils.run_upload_signed_csr(
        pem=signed_intermediate,
        root_ca=root_cert,
        allowed_domains='openstack.local')
    if not validation_application:
        return
    validate_ca(root_cert, application=validation_application)
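def auto_initialize(cacert=None, validation_application='keystone'):
    """Auto initialize vault for testing.

    Generate a csr and uploading a signed certificate. In a stack that
    includes and relies on certificates in vault, initialize vault by
    unsealing and creating a certificate authority.

    :param cacert: Path to CA cert used for vault's api cert.
    :type cacert: str
    :param validation_application: Name of application to be used as a
                                   client for validation.
    :type validation_application: str
    :returns: None
    :rtype: None
    :raises AssertionError: if restarting nova-compute on a unit returns
                            a non-zero exit code.
    """
    basic_setup(cacert=cacert, unseal_and_authorize=True)
    action = vault_utils.run_get_csr()
    intermediate_csr = action.data['results']['output']
    # Throwaway, test-only root CA; its key never leaves this process.
    (cakey, cacertificate) = zaza.openstack.utilities.cert.generate_cert(
        'DivineAuthority',
        generate_ca=True)
    intermediate_cert = zaza.openstack.utilities.cert.sign_csr(
        intermediate_csr,
        cakey.decode(),
        cacertificate.decode(),
        generate_ca=True)
    # Return value of the upload action is not used.
    vault_utils.run_upload_signed_csr(
        pem=intermediate_cert,
        root_ca=cacertificate,
        allowed_domains='openstack.local')
    if validation_application:
        validate_ca(cacertificate, application=validation_application)
    # Once validation has completed restart nova-compute to work around
    # bug #1826382
    cmd = 'systemctl restart nova-compute'
    # Keep the try narrow: only the unit lookup may fail with KeyError
    # (presumably when nova-compute is not in the model -- confirm against
    # zaza.model.get_units). A missing 'Code' key in an action result is a
    # real failure and must not be swallowed.
    try:
        units = zaza.model.get_units('nova-compute')
    except KeyError:
        # Nothing todo if there are no nova-compute units
        return
    for unit in units:
        result = zaza.model.run_on_unit(unit.entity_id, cmd)
        # Explicit raise instead of ``assert`` so the check survives
        # ``python -O``; exception type is unchanged.
        if int(result['Code']) != 0:
            raise AssertionError(
                'Restart of nova-compute on {} failed'.format(
                    unit.entity_id))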
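def test_csr(self):
    """Test generating a csr and uploading a signed certificate.

    Skipped when the vault charm does not expose the ``get-csr`` action or
    when there is no keystone application to act as a TLS client. Vault's
    intermediate CSR is signed with a throwaway root CA, keystone is
    awaited until it carries that CA, and a TLS request to keystone is
    then verified against that root CA only.

    :raises unittest.SkipTest: when the action or the client is absent.
    """
    vault_actions = zaza.model.get_actions('vault')
    if 'get-csr' not in vault_actions:
        raise unittest.SkipTest('Action not defined')
    try:
        zaza.model.get_application('keystone')
    except KeyError:
        # ``from None``: report a plain skip, not a KeyError-chained one.
        raise unittest.SkipTest('No client to test csr') from None
    # Authorize the charm with the root token; the result is not needed.
    vault_utils.run_charm_authorize(self.vault_creds['root_token'])
    action = vault_utils.run_get_csr()
    intermediate_csr = action.data['results']['output']
    # Test-only root CA; its private key exists only in this process.
    (cakey, cacert) = zaza.openstack.utilities.cert.generate_cert(
        'DivineAuthority',
        generate_ca=True)
    intermediate_cert = zaza.openstack.utilities.cert.sign_csr(
        intermediate_csr,
        cakey.decode(),
        cacert.decode(),
        generate_ca=True)
    vault_utils.run_upload_signed_csr(
        pem=intermediate_cert,
        root_ca=cacert,
        allowed_domains='openstack.local')
    test_config = lifecycle_utils.get_charm_config()
    # Vault's own target status is not waited for; tolerate the entry
    # already being absent instead of failing the test with a KeyError.
    try:
        del test_config['target_deploy_status']['vault']
    except KeyError:
        pass
    zaza.model.block_until_file_has_contents(
        'keystone',
        zaza.openstack.utilities.openstack.KEYSTONE_REMOTE_CACERT,
        cacert.decode().strip())
    zaza.model.wait_for_application_states(
        states=test_config.get('target_deploy_status', {}))
    ip = zaza.model.get_app_ips('keystone')[0]
    # ``verify=`` points at the test root CA alone, so the request only
    # succeeds if keystone serves a chain rooted in the CA we just created
    # (not anything in the system trust store).
    with tempfile.NamedTemporaryFile(mode='w') as fp:
        fp.write(cacert.decode())
        fp.flush()
        requests.get('https://{}:5000'.format(ip), verify=fp.name)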
def test_csr(self):
    """Test generating a csr and uploading a signed certificate.

    Skips when the vault charm has no ``get-csr`` action or when there is
    no keystone application to act as a client. Otherwise signs vault's
    intermediate CSR with a throwaway root CA, uploads it, waits for the
    model (vault excluded) and validates the CA.
    """
    if 'get-csr' not in zaza.model.get_actions('vault'):
        raise unittest.SkipTest('Action not defined')
    try:
        zaza.model.get_application('keystone')
    except KeyError:
        raise unittest.SkipTest('No client to test csr')
    # Result of the authorize action is not used.
    vault_utils.run_charm_authorize(self.vault_creds['root_token'])
    csr_action = vault_utils.run_get_csr()
    csr_pem = csr_action.data['results']['output']
    # Test-only root CA used to sign vault's intermediate CSR.
    root_key, root_cert = zaza.openstack.utilities.cert.generate_cert(
        'DivineAuthority', generate_ca=True)
    signed_intermediate = zaza.openstack.utilities.cert.sign_csr(
        csr_pem, root_key.decode(), root_cert.decode(), generate_ca=True)
    vault_utils.run_upload_signed_csr(
        pem=signed_intermediate,
        root_ca=root_cert,
        allowed_domains='openstack.local')
    deploy_config = lifecycle_utils.get_charm_config()
    # Vault's status is not part of the wait; drop it if still present.
    try:
        del deploy_config['target_deploy_status']['vault']
    except KeyError:
        # Already removed
        pass
    target_states = deploy_config.get('target_deploy_status', {})
    zaza.model.wait_for_application_states(states=target_states)
    vault_utils.validate_ca(root_cert)
# Part of a longer statement run: ``wl_statuses`` and ``model`` are defined
# before this span and ``wl_statuses`` is still used after it.
# designate is expected to sit in 'blocked' until its memcached is related.
wl_statuses['designate'] = {
    'workload-status-message': """'coordinator-memcached' missing""",
    'workload-status': 'blocked'}
logging.info("Waiting for statuses with exceptions ...")
model.wait_for_application_states(
    states=wl_statuses)
certificate_directory = mojo_utils.get_local_certificate_directory()
certfile = mojo_utils.get_overcloud_cacert_file()
logging.info("Vault setup basic ...")
# Initialise vault and unseal every client with the first unseal key.
# NOTE(review): only keys[0] is used, which assumes a single-key unseal
# threshold -- confirm against the init parameters used in basic_setup.
vault_setup.basic_setup(cacert=certfile)
clients = vault_utils.get_clients(cacert=certfile)
vault_creds = vault_utils.get_credentails()
vault_utils.unseal_all(clients, vault_creds['keys'][0])
# The charm is authorized with the root token; the action results are
# only read for the CSR below.
action = vault_utils.run_charm_authorize(
    vault_creds['root_token'])
action = vault_utils.run_get_csr()
intermediate_csr = action.data['results']['output']
# NOTE(review): the root CA private key is read from the local certificate
# directory; presumably test-only material -- confirm it is never a
# production CA key.
with open(os.path.join(certificate_directory, 'ca.key'), 'rb') as f:
    cakey = f.read()
with open(os.path.join(certificate_directory, 'cacert.pem'), 'rb') as f:
    cacert = f.read()
intermediate_cert = zaza.openstack.utilities.cert.sign_csr(
    intermediate_csr,
    cakey.decode(),
    cacert.decode(),
    generate_ca=True)
action = vault_utils.run_upload_signed_csr(
    pem=intermediate_cert,
    root_ca=cacert,
    allowed_domains='openstack.local')
# Vault's expected status is dropped from the set waited on after this.
del wl_statuses['vault']