Please review pull request #184: (Maint) Ensure agent certs are signed before proceeding opened by (joshcooper)

Description:

Previously, there was a race condition whereby "slow agents" may not
submit their CSR before 03_PE-SignCerts tries to sign them. As a
result, we might not sign anything (since exit code 24 is acceptable for
situations where the master is also an agent and its cert is always
autosigned). We would then get a failure later on in 05_Agent_test
when validating that the agents could connect to the master.

This commit changes the test to validate that all of the agents'
certificates have been issued before proceeding. Note we only do this
for hosts that are only agents, because the master's cert is autosigned.

  • Opened: Tue Mar 27 00:11:06 UTC 2012
  • Based on: puppetlabs:master (aee2441216038dad5c4a3d3a0cfef829630f259b)
  • Requested merge: joshcooper:maint/master/fix-cert-race-condition (ca678d7f81aada0f2dfc450576801605c84ac534)

Diff follows:

diff --git a/setup/pe/03_PE-SignCerts.rb b/setup/pe/03_PE-SignCerts.rb
index 5472c30..ea862c1 100755
--- a/setup/pe/03_PE-SignCerts.rb
+++ b/setup/pe/03_PE-SignCerts.rb
@@ -1,8 +1,22 @@
 # Agents certs will remain waiting for signing on master until this step
 #
 
-step 'Wait for slow agents to initialize'
-sleep 10
-
 step 'Sign Requested Agent Certs'
-on master, puppet("cert --sign --all"), :acceptable_exit_codes => [0,24]
+on(master, puppet("cert --sign --all"), :acceptable_exit_codes => [0,24])
+
+agents.each do |agent|
+  next unless agent['roles'].length == 1 and agent['roles'].include?('agent')
+
+  (0..10).each do |i|
+    step "Checking if cert issued for #{agent} (#{i})"
+
+    # puppet cert --list <IP> fails, so list all
+    break if on(master, puppet("cert --list --all")).stdout =~ /^#{Regexp.escape("+ #{agent.name}")}/
+
+    fail_test("Failed to sign cert for #{agent}") if i == 10
+
+    step "Wait for agent #{agent}: #{i}"
+    sleep 10
+    on(master, puppet("cert --sign --all"), :acceptable_exit_codes => [0,24])
+  end
+end
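
Review bot: The `break if` check anchors the pattern only at the start of the line (`/^#{Regexp.escape("+ #{agent.name}")}/`), so it is a prefix match: an issued cert for a host whose name begins with this agent's name would satisfy the check before this agent's own cert has been signed, and the race this change is meant to close could still slip through. Terminate the match after the name, for example with `(\s|$)` following the escaped string, assuming the name is followed by whitespace or end of line in the list output. Separately, the retry inside the loop runs `cert --sign --all`, which signs every pending request on the master rather than only the one for the agent being waited on; if signing by `agent.name` works in this setup, that would keep the step limited to the expected hosts. Minor style point: on the `next unless` line, `&&` is the safer choice over `and` in a condition because of its precedence.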

    
