From 25bdb0ef44ba92a143877d584c972da65bb527ff Mon Sep 17 00:00:00 2001
From: David Ames
Date: Wed, 13 Mar 2019 20:52:06 +0000
Subject: [PATCH] Enable all keystone tests for HA
---
 zaza/charm_tests/keystone/__init__.py | 16 ++++++++++++++++
 zaza/charm_tests/keystone/tests.py | 16 +++++++++++-----
 2 files changed, 27 insertions(+), 5 deletions(-)
diff --git a/zaza/charm_tests/keystone/__init__.py b/zaza/charm_tests/keystone/__init__.py
index 8f976c5..ee4323a 100644
--- a/zaza/charm_tests/keystone/__init__.py
+++ b/zaza/charm_tests/keystone/__init__.py
@@ -33,7 +33,23 @@ class BaseKeystoneTest(test_utils.OpenStackBaseTest):
 def setUpClass(cls):
 """Run class setup for running Keystone charm operation tests."""
 super(BaseKeystoneTest, cls).setUpClass()
+ # Local copy of keystone's CA certificate
+ cls.LOCAL_KEYSTONE_CACERT = "/tmp/keystone_juju_ca_cert.crt"
+ # Check if we are related to Vault TLS certificates
+ cls.tls_rid = zaza.model.get_relation_id(
+ 'keystone', 'vault', remote_interface_name='certificates')
+ # Check for VIP
+ cls.vip = (zaza.model.get_application_config('keystone')
+ .get('vip').get('value'))
 cls.keystone_ips = zaza.model.get_app_ips('keystone')
+ # If we have a VIP set and we are using TLS only check the VIP
+ # If you check the individual IP haproxy may send to a different
+ # back end which leads to mismatched certificates.
+ if cls.vip:
+ if cls.tls_rid:
+ cls.keystone_ips = [cls.vip]
+ else:
+ cls.keystone_ips.append(cls.vip)
 if (openstack_utils.get_os_release() <
 openstack_utils.get_os_release('xenial_queens')):
 cls.default_api_version = '2'
diff --git a/zaza/charm_tests/keystone/tests.py b/zaza/charm_tests/keystone/tests.py
index 51f5e48..fd2b051 100644
--- a/zaza/charm_tests/keystone/tests.py
+++ b/zaza/charm_tests/keystone/tests.py
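Review bot: `cls.LOCAL_KEYSTONE_CACERT = "/tmp/keystone_juju_ca_cert.crt"` in `setUpClass` (zaza/charm_tests/keystone/__init__.py) places the CA bundle that the tests later pass as `OS_CACERT` at a fixed name in a world-writable directory. On a shared runner another local account can create or replace that file first, so the TLS checks would validate against a CA the test never fetched, and two concurrent runs overwrite each other's copy. A per-run private directory avoids both, e.g. `cls.LOCAL_KEYSTONE_CACERT = os.path.join(tempfile.mkdtemp(), 'keystone_juju_ca_cert.crt')` with cleanup in `tearDownClass`. The code that writes the certificate is not in this hunk, so it would need to use the same attribute rather than a literal path. `setUpClass` begins above the hunk and continues below it.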
@@ -52,17 +52,15 @@ class CharmOperationTest(BaseKeystoneTest): This test should run early. It validates that if a VIP is set it is in the catalog entry for keystone. """ - vip = (zaza.model.get_application_config('keystone') - .get('vip').get('value')) - if not vip: + if not self.vip: # If the vip is not set skip this test. return endpoint_filter = {'service_type': 'identity', 'interface': 'public', 'region_name': 'RegionOne'} ep = self.admin_keystone_client.session.get_endpoint(**endpoint_filter) - assert vip in ep, ( - "VIP: {} not found in catalog entry: {}".format(vip, ep)) + assert self.vip in ep, ( + "VIP: {} not found in catalog entry: {}".format(self.vip, ep)) def test_pause_resume(self): """Run pause and resume tests. @@ -237,6 +235,10 @@ class AuthenticationAuthorizationTest(BaseKeystoneTest): 'OS_USER_DOMAIN_NAME': DEMO_DOMAIN, 'OS_DOMAIN_NAME': DEMO_DOMAIN, } + if self.tls_rid: + openrc['OS_CACERT'] = self.LOCAL_KEYSTONE_CACERT + openrc['OS_AUTH_URL'] = ( + openrc['OS_AUTH_URL'].replace('http', 'https')) logging.info('keystone IP {}'.format(ip)) keystone_session = openstack_utils.get_keystone_session( openrc, scope='DOMAIN') @@ -263,6 +265,10 @@ class AuthenticationAuthorizationTest(BaseKeystoneTest): of `token-provider`. """ def _validate_token_data(openrc): + if self.tls_rid: + openrc['OS_CACERT'] = self.LOCAL_KEYSTONE_CACERT + openrc['OS_AUTH_URL'] = ( + openrc['OS_AUTH_URL'].replace('http', 'https')) keystone_session = openstack_utils.get_keystone_session( openrc) keystone_client = openstack_utils.get_keystone_session_client(
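Review bot: `assert self.vip in ep` is a substring match against the whole endpoint URL, so a VIP of `10.0.0.1` also passes for an endpoint on `10.0.0.10`. Assuming `vip` holds a single address, comparing the parsed host is stricter: `assert urlparse(ep).hostname == self.vip, (...)` with the existing message and `urlparse` imported in tests.py. The early `return` when no VIP is set reports the test as passed; `self.skipTest('vip is not set')` would make the missing HA coverage visible in the results. The test method starts above the hunk.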
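Review bot: `openrc['OS_AUTH_URL'].replace('http', 'https')` rewrites every occurrence of `http` rather than only the scheme, so a URL that is already `https://...` becomes `httpss://...` and a host name containing `http` is altered as well. The same four added lines appear again in `_validate_token_data` (hunk at -263), where `openrc` is the caller's dict and is modified in place; if a caller passes the same dict twice, which the hunk does not show, the second call hits exactly that case. Anchor the rewrite to the scheme with `if openrc['OS_AUTH_URL'].startswith('http://'):` followed by `openrc['OS_AUTH_URL'] = 'https://' + openrc['OS_AUTH_URL'][len('http://'):]`. Moving the block into one helper on `BaseKeystoneTest` would let both tests share it. Both enclosing test methods begin outside their hunks.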