Adam Collard has proposed merging ~adam-collard/maas-ci/+git/system-tests:extract-setup-vault-tls into ~maas-committers/maas-ci/+git/system-tests:master.
Commit message: extract setup_tls, setup_vault fix: git clone cleanup - don't need to checkout the branch, it's implied by --branch - single-branch is implied by --depth - restrict depth to 1 - set core.abbrev config in the clone - make the submodules shallow Refactor o11y setup Requested reviews: MAAS Committers (maas-committers) For more details, see: https://code.launchpad.net/~adam-collard/maas-ci/+git/system-tests/+merge/435078 -- Your team MAAS Committers is requested to review the proposed merge of ~adam-collard/maas-ci/+git/system-tests:extract-setup-vault-tls into ~maas-committers/maas-ci/+git/system-tests:master.
diff --git a/systemtests/api.py b/systemtests/api.py index 5e164f0..568d6fa 100644 --- a/systemtests/api.py +++ b/systemtests/api.py @@ -6,6 +6,7 @@ from logging import getLogger from subprocess import CalledProcessError from typing import TYPE_CHECKING, Any, Dict, Iterable, Optional, TypedDict, Union +from .tls import MAAS_CONTAINER_CERTS_PATH from .utils import wait_for_machine if TYPE_CHECKING: @@ -15,10 +16,6 @@ if TYPE_CHECKING: LOG = getLogger("systemtests.api") -# Certs must be accessible for MAAS installed by snap, but -# this location is useful also when installed via deb package. -MAAS_CONTAINER_CERTS_PATH = "/var/snap/maas/common/certs/" - class CannotDeleteError(Exception): pass diff --git a/systemtests/conftest.py b/systemtests/conftest.py index 6f1048f..39ef76e 100644 --- a/systemtests/conftest.py +++ b/systemtests/conftest.py @@ -107,9 +107,10 @@ def pytest_report_header(config: pytest.Config) -> list[str]: for machine_config in generate_machines_config(systemtests_config) ) headers.append(f"machines: {machines}") - tls = "tls" in systemtests_config - if tls: + if "tls" in systemtests_config: headers.append("tlsenabled: true") + if "vault" in systemtests_config: + headers.append("vaultenabled: true") return headers diff --git a/systemtests/fixtures.py b/systemtests/fixtures.py index 0d2a5ac..26950bb 100644 --- a/systemtests/fixtures.py +++ b/systemtests/fixtures.py @@ -11,11 +11,12 @@ import pytest import yaml from pytest_steps import one_fixture_per_step -from .api import MAAS_CONTAINER_CERTS_PATH, UnauthenticatedMAASAPIClient +from .api import UnauthenticatedMAASAPIClient from .config import ADMIN_EMAIL, ADMIN_PASSWORD, ADMIN_USER from .lxd import CLILXD, get_lxd from .region import MAASRegion -from .vault import Vault, VaultNotReadyError +from .tls import MAAS_CONTAINER_CERTS_PATH, setup_tls +from .vault import Vault, VaultNotReadyError, setup_vault if TYPE_CHECKING: from logging import Logger @@ -115,24 +116,19 @@ def maas_deb_repo( [ "git", "clone", - "--single-branch", "--branch", maas_git_branch, "--depth", - "100", + "1", + "--shallow-submodules", "--recurse-submodules", + "--config core.abbrev=9", maas_git_repo, "maas", ], environment=proxy_env, ) lxd.execute( - build_container, ["git", "-C", "maas", "checkout", maas_git_branch] - ) - lxd.execute( - build_container, ["git", "config", "--global", "core.abbrev", "9"] - ) - lxd.execute( build_container, [ "mk-build-deps", @@ -446,71 +442,6 @@ def maas_region( except IndexError: version = "" - if vault: - maas_vault_status = yaml.safe_load( - lxd.quietly_execute( - maas_container, ["maas", "config-vault", "status"] - ).stdout.strip() - ) - if maas_vault_status["status"] == "disabled": - role_id, wrapped_token = vault.create_approle(maas_container) - lxd.execute( - maas_container, - [ - "maas", - "config-vault", - "configure", - vault.addr, - role_id, - wrapped_token, - vault.secrets_path, - "--mount", - vault.secrets_mount, - ], - ) - lxd.execute( - maas_container, - [ - "maas", - "config-vault", - "migrate", - ], - ) - - if "tls" in config: - lxd.execute( - maas_container, ["sh", "-c", f"mkdir -p {MAAS_CONTAINER_CERTS_PATH}"] - ) - lxd.execute( - maas_container, - [ - "cp", - "-n", - "/etc/ssl/certs/ssl-cert-snakeoil.pem", - "/etc/ssl/private/ssl-cert-snakeoil.key", - MAAS_CONTAINER_CERTS_PATH, - ], - ) - # We need the cert to add it as CA in client container. - lxd.pull_file( - maas_container, - "/etc/ssl/certs/ssl-cert-snakeoil.pem", - "ssl-cert-snakeoil.pem", - ) - lxd.execute( - maas_container, - [ - "maas", - "config-tls", - "enable", - f"{MAAS_CONTAINER_CERTS_PATH}ssl-cert-snakeoil.key", - f"{MAAS_CONTAINER_CERTS_PATH}ssl-cert-snakeoil.pem", - "--port", - "5443", - "--yes", - ], - ) - # We never want to access the region via the system proxy if "no_proxy" not in os.environ: os.environ["no_proxy"] = region_ip @@ -519,12 +450,11 @@ def maas_region( url = http_url = f"http://{region_ip}:5240/MAAS/" region_host = region_ip - if "tls" in config: - region_host = lxd.quietly_execute( - maas_container, ["hostname", "-f"] - ).stdout.strip() - url = f"https://{region_host}:5443/MAAS/" + if vault: + setup_vault(vault, lxd, maas_container) + if "tls" in config: + url = setup_tls(lxd, maas_container) region = MAASRegion( url=url, http_url=http_url, @@ -554,19 +484,22 @@ def maas_region( fh.write(f"{version}\n") if o11y := config.get("o11y"): - AGENT_PATH = "/opt/agent/agent-linux-amd64" - if not lxd.file_exists(maas_container, AGENT_PATH): - lxd.execute(maas_container, ["sh", "-c", "mkdir -p /opt/agent/"]) + host_path_to_agent = o11y["grafana_agent_file_path"].strip() + agent_path = "/opt/agent/agent-linux-amd64" + if not lxd.file_exists(maas_container, agent_path): lxd.push_file( - maas_container, o11y["grafana_agent_file_path"].strip(), AGENT_PATH + maas_container, + host_path_to_agent, + agent_path, + mode="0755", + create_dirs=True, ) - lxd.execute(maas_container, ["sh", "-c", f"chmod a+x {AGENT_PATH}"]) - AGENT_MAAS_SAMPLE = "/usr/share/maas/grafana_agent/agent.yaml.example" + agent_maas_sample = "/usr/share/maas/grafana_agent/agent.yaml.example" if installed_from_snap: - AGENT_MAAS_SAMPLE = f"/snap/maas/current{AGENT_MAAS_SAMPLE}" + agent_maas_sample = f"/snap/maas/current{agent_maas_sample}" lxd.execute( maas_container, - ["sh", "-c", f"cp {AGENT_MAAS_SAMPLE} /opt/agent/agent.yml"], + ["cp", agent_maas_sample, "/opt/agent/agent.yml"], ) o11y_ip = o11y["o11y_ip"] # FIXME: Could we have an uniq identifier for each system-tests execution? @@ -584,7 +517,7 @@ def maas_region( -E MAAS_IS_REGION="true" \ -E MAAS_IS_RACK="true" \ -E MAAS_AZ="default" \ - {AGENT_PATH} \ + {agent_path} \ -config.expand-env \ -config.file=/opt/agent/agent.yml \ -server.http.address="0.0.0.0:3100" -server.grpc.address="0.0.0.0:9095" @@ -727,11 +660,11 @@ def maas_client_container( lxd, container, maas_credentials["region_host"], maas_credentials["region_ip"] ) if "tls" in config: - lxd.execute(container, ["sh", "-c", f"mkdir -p {MAAS_CONTAINER_CERTS_PATH}"]) lxd.push_file( container, config["tls"]["cacerts"], f"{MAAS_CONTAINER_CERTS_PATH}cacerts.pem", + create_dirs=True, ) yield container diff --git a/systemtests/lxd.py b/systemtests/lxd.py index 84e45fb..76cf073 100644 --- a/systemtests/lxd.py +++ b/systemtests/lxd.py @@ -118,21 +118,23 @@ class CLILXD: target_file: str, uid: int = 0, gid: int = 0, + mode: str = "", + create_dirs: bool = False, ) -> None: - self._run( - [ - "lxc", - "file", - "--quiet", - "push", - "--uid", - str(uid), - "--gid", - str(gid), - source_file, - f"{container}{target_file}", - ], - ) + args = [ + "--uid", + str(uid), + "--gid", + str(gid), + "--mode", + mode, + source_file, + f"{container}{target_file}", + ] + if create_dirs: + args.append("--create-dirs") + + self._run(["lxc", "file", "--quiet", "push", *args]) def push_text_file( self, diff --git a/systemtests/region.py b/systemtests/region.py index a6ef1bf..014cbc8 100644 --- a/systemtests/region.py +++ b/systemtests/region.py @@ -27,6 +27,7 @@ class MAASRegion: self.host = host self.maas_container = maas_container self.installed_from_snap = installed_from_snap + self.lxd = get_lxd(LOG) def __repr__(self) -> str: package = "snap" if self.installed_from_snap else "deb" @@ -35,8 +36,7 @@ class MAASRegion: ) def execute(self, command: list[str]) -> subprocess.CompletedProcess[str]: - lxd = get_lxd(LOG) - return lxd.execute(self.maas_container, command) + return self.lxd.execute(self.maas_container, command) def get_api_token(self, user: str) -> str: result = self.execute(["maas", "apikey", "--username", user]) @@ -158,8 +158,7 @@ class MAASRegion: dhcpd_conf_path = "/var/lib/maas/dhcpd.conf" if self.installed_from_snap: dhcpd_conf_path = "/var/snap/maas/common/maas/dhcpd.conf" - lxd = get_lxd(LOG) - return lxd.file_exists(self.maas_container, dhcpd_conf_path) + return self.lxd.file_exists(self.maas_container, dhcpd_conf_path) def set_config(self, key: str, value: str = "") -> None: if self.installed_from_snap: diff --git a/systemtests/tls.py b/systemtests/tls.py new file mode 100644 index 0000000..111d572 --- /dev/null +++ b/systemtests/tls.py @@ -0,0 +1,43 @@ +from typing import TYPE_CHECKING + +if TYPE_CHECKING: + from .lxd import CLILXD + +# Certs must be accessible for MAAS installed by snap, but +# this location is useful also when installed via deb package. +MAAS_CONTAINER_CERTS_PATH = "/var/snap/maas/common/certs/" + + +def setup_tls(lxd: CLILXD, maas_container: str) -> str: + lxd.execute(maas_container, ["mkdir", "-p", MAAS_CONTAINER_CERTS_PATH]) + lxd.execute( + maas_container, + [ + "cp", + "-n", + "/etc/ssl/certs/ssl-cert-snakeoil.pem", + "/etc/ssl/private/ssl-cert-snakeoil.key", + MAAS_CONTAINER_CERTS_PATH, + ], + ) + # We need the cert to add it as CA in client container. + lxd.pull_file( + maas_container, + "/etc/ssl/certs/ssl-cert-snakeoil.pem", + "ssl-cert-snakeoil.pem", + ) + lxd.execute( + maas_container, + [ + "maas", + "config-tls", + "enable", + f"{MAAS_CONTAINER_CERTS_PATH}ssl-cert-snakeoil.key", + f"{MAAS_CONTAINER_CERTS_PATH}ssl-cert-snakeoil.pem", + "--port", + "5443", + "--yes", + ], + ) + region_host = lxd.quietly_execute(maas_container, ["hostname", "-f"]).stdout.strip() + return f"https://{region_host}:5443/MAAS/" diff --git a/systemtests/vault.py b/systemtests/vault.py index e2f91b2..85f86ca 100644 --- a/systemtests/vault.py +++ b/systemtests/vault.py @@ -7,6 +7,7 @@ from logging import Logger from textwrap import dedent from typing import Any, cast +import yaml from retry.api import retry_call from .lxd import CLILXD @@ -162,3 +163,36 @@ class Vault: f"auth/approle/role/{role_name}/secret-id", )["wrap_info"]["token"] return role_id, wrapped_token + + +def setup_vault(vault: Vault, lxd: CLILXD, maas_container: str) -> None: + """Configures MAAS to talk to Vault.""" + maas_vault_status = yaml.safe_load( + lxd.quietly_execute( + maas_container, ["maas", "config-vault", "status"] + ).stdout.strip() + ) + if maas_vault_status["status"] == "disabled": + role_id, wrapped_token = vault.create_approle(maas_container) + lxd.execute( + maas_container, + [ + "maas", + "config-vault", + "configure", + vault.addr, + role_id, + wrapped_token, + vault.secrets_path, + "--mount", + vault.secrets_mount, + ], + ) + lxd.execute( + maas_container, + [ + "maas", + "config-vault", + "migrate", + ], + )
-- Mailing list: https://launchpad.net/~sts-sponsors Post to : sts-sponsors@lists.launchpad.net Unsubscribe : https://launchpad.net/~sts-sponsors More help : https://help.launchpad.net/ListHelp