예제 #1
def basic_setup(cacert=None, unseal_and_authorize=False):
    """Initialise vault if required and optionally unseal and authorize it.

    On first use the vault is initialised and the resulting credentials are
    handed to ``vault_utils.store_credentails``; on later runs they are read
    back with ``vault_utils.get_credentails``.

    The credentials mapping carries an unseal key (``keys``) and the
    ``root_token``, so whatever ``store_credentails`` persists is secret
    material. Where it is written, and with which permissions, is not
    visible from this function.
    NOTE(review): confirm the stored file is only ever produced for
    throw-away test deployments and is not left in a shared location.

    :param cacert: Path to CA cert used for vaults api cert.
    :type cacert: str
    :param unseal_and_authorize: Whether to unseal and authorize vault.
    :type unseal_and_authorize: bool
    """
    clients = vault_utils.get_clients(cacert=cacert)
    vip_client = vault_utils.get_vip_client(cacert=cacert)
    # Use the client from get_vip_client when there is one, otherwise fall
    # back to the first per-unit client.
    unseal_client = vip_client if vip_client else clients[0]

    # Persisting the credentials allows the tests to be re-run against an
    # already initialised vault; mainly useful when working on the tests
    # by hand.
    if vault_utils.is_initialized(unseal_client):
        vault_creds = vault_utils.get_credentails()
    else:
        vault_creds = vault_utils.init_vault(unseal_client)
        vault_utils.store_credentails(vault_creds)

    if not unseal_and_authorize:
        return

    # For use by charms or bundles other than vault.
    # Only the first key is supplied; presumably init_vault creates a single
    # key share with a threshold of one -- TODO confirm.
    unseal_key = vault_creds['keys'][0]
    vault_utils.unseal_all(clients, unseal_key)
    # The root token is used both to authenticate every client and to
    # authorize the charm.
    root_token = vault_creds['root_token']
    vault_utils.auth_all(clients, root_token)
    vault_utils.run_charm_authorize(root_token)
예제 #2
def unseal_by_unit(cacert=None):
    """Unseal every vault unit that reports itself as sealed.

    The unseal key is taken from the stored credentials returned by
    ``vault_utils.get_credentials``, so this only works after those
    credentials have been saved by an earlier initialisation.

    :param cacert: Path to the CA cert used to talk to the vault API. When
        falsy, the path returned by ``get_cacert_file()`` is used instead.
    :type cacert: str
    """
    ca_path = cacert if cacert else get_cacert_file()
    creds = vault_utils.get_credentials()
    for vault_client in vault_utils.get_clients(cacert=ca_path):
        api = vault_client.hvac_client
        if not api.is_sealed():
            continue
        # Only the first stored key is submitted; presumably one share is
        # enough to unseal in these deployments -- TODO confirm.
        api.unseal(creds['keys'][0])
        sealed_unit = juju_utils.get_unit_name_from_ip_address(
            vault_client.addr, 'vault')
        # Run the update-status hook on the unit that was just unsealed,
        # presumably so the charm re-evaluates its workload status.
        zaza.model.run_on_unit(sealed_unit, './hooks/update-status')
예제 #3
def mojo_unseal_by_unit():
    """Unseal every sealed vault unit, using the mojo CA cert path.

    The CA cert path comes from
    ``zaza.openstack.utilities.generic.get_mojo_cacert_path`` and the unseal
    key from the stored credentials returned by
    ``vault_utils.get_credentails``.
    """
    mojo_ca_path = zaza.openstack.utilities.generic.get_mojo_cacert_path()
    creds = vault_utils.get_credentails()
    for vault_client in vault_utils.get_clients(cacert=mojo_ca_path):
        api = vault_client.hvac_client
        if not api.is_sealed():
            continue
        # Only the first stored key is submitted; presumably one share is
        # enough to unseal in these deployments -- TODO confirm.
        api.unseal(creds['keys'][0])
        sealed_unit = juju_utils.get_unit_name_from_ip_address(
            vault_client.addr, 'vault')
        # Run the update-status hook on the unit that was just unsealed,
        # presumably so the charm re-evaluates its workload status.
        zaza.model.run_on_unit(sealed_unit, './hooks/update-status')
예제 #4
 def setUpClass(cls):
     """Prepare shared vault clients and credentials for the test class.

     Collects the vault clients (plus the client from ``get_vip_client``
     when there is one), loads the stored credentials, unseals and
     authenticates every client, then ensures the secret backend exists on
     the first client.

     The stored credentials include the root token, which is used to
     authenticate all clients and is kept on the class as
     ``cls.vault_creds`` for the tests to use.
     """
     cls.clients = vault_utils.get_clients()
     vip = vault_utils.get_vip_client()
     cls.vip_client = vip
     if vip:
         cls.clients.append(vip)

     creds = vault_utils.get_credentails()
     cls.vault_creds = creds

     # Only the first stored key is submitted; presumably one share is
     # enough to unseal in these deployments -- TODO confirm.
     unseal_key = creds['keys'][0]
     vault_utils.unseal_all(cls.clients, unseal_key)
     root_token = creds['root_token']
     vault_utils.auth_all(cls.clients, root_token)

     first_client = cls.clients[0]
     vault_utils.ensure_secret_backend(first_client)
예제 #5
 def setUpClass(cls):
     """Prepare the model details, vault clients and credentials for tests.

     Records the current juju model name and the vault lead unit, collects
     the vault clients (plus the client from ``get_vip_client`` when there
     is one), loads the stored credentials, unseals and authenticates every
     client, then ensures the secret backend exists on the first client.

     The stored credentials include the root token, which is used to
     authenticate all clients and is kept on the class as
     ``cls.vault_creds`` for the tests to use.
     """
     model_name = zaza.model.get_juju_model()
     cls.model_name = model_name
     cls.lead_unit = zaza.model.get_lead_unit_name(
         "vault", model_name=model_name)

     cls.clients = vault_utils.get_clients()
     vip = vault_utils.get_vip_client()
     cls.vip_client = vip
     if vip:
         cls.clients.append(vip)

     creds = vault_utils.get_credentails()
     cls.vault_creds = creds

     # Only the first stored key is submitted; presumably one share is
     # enough to unseal in these deployments -- TODO confirm.
     unseal_key = creds['keys'][0]
     vault_utils.unseal_all(cls.clients, unseal_key)
     root_token = creds['root_token']
     vault_utils.auth_all(cls.clients, root_token)

     first_client = cls.clients[0]
     vault_utils.ensure_secret_backend(first_client)
예제 #6
     logging.info("Removing designate memcached relation")
     model.remove_relation(
         'designate',
         'coordinator-memcached',
         'memcached:cache')
     wl_statuses['designate'] = {
         'workload-status-message': """'coordinator-memcached' missing""",
         'workload-status': 'blocked'}
 logging.info("Waiting for statuses with exceptions ...")
 model.wait_for_application_states(
     states=wl_statuses)
 certificate_directory = mojo_utils.get_local_certificate_directory()
 certfile = mojo_utils.get_overcloud_cacert_file()
 logging.info("Vault setup basic ...")
 vault_setup.basic_setup(cacert=certfile)
 clients = vault_utils.get_clients(cacert=certfile)
 vault_creds = vault_utils.get_credentails()
 vault_utils.unseal_all(clients, vault_creds['keys'][0])
 action = vault_utils.run_charm_authorize(
     vault_creds['root_token'])
 action = vault_utils.run_get_csr()
 intermediate_csr = action.data['results']['output']
 with open(os.path.join(certificate_directory, 'ca.key'), 'rb') as f:
     cakey = f.read()
 with open(os.path.join(certificate_directory, 'cacert.pem'), 'rb') as f:
     cacert = f.read()
 intermediate_cert = zaza.openstack.utilities.cert.sign_csr(
     intermediate_csr,
     cakey.decode(),
     cacert.decode(),
     generate_ca=True)