`get_unit_name_from_ip_address` along with the ip from vault client
has proven flaky in this situation.
Not sure why.
But better to reload all vault units anyway,
so we can take a simpler route here.
This ensures initialising and unsealing works nicely
with vault using the raft backend
(which makes race conditions evident because of the time
it takes for the raft cluster to settle).
The tests here run a series of commands on the vault client,
without waiting in between.
This is usually fine, but with the raft backend,
there can be delays between initialising, unsealing,
and the raft cluster settling.
During this time, most vault commands will return errors.
Add a method which will init vault if it's present and skip if it
is not. This allows much simpler tests.yaml if all test and
config steps are the same for TLS and non-TLS test cases apart
from initialising vault.
When Vault is running in a LXD container, test_vault_reload is expected
to fail because mlock cannot be enabled in LXD containers. Skip it when
running in containers is detected. It's useful for local development
environments with Juju's localhost/LXD provider. The test won't be
skipped in the OpenStack Charm CI since the Vault units will be run in
KVM, not in LXD containers.
Vault runs its tests twice. In some circumstances the removal of the
vault key from the test_config dictionary can throw a KeyError. Do not
fail when this happens.
The test_vault_reload test was checking for running config without giving the
config-change time to complete. Simply adding an idle wait resolves the issue.
Closes Issue: #528
The test was failing for xenial-ha-mysql bundle.
This fixes the issue for cluster vault
by picking the right vault cluster leader
to run the commands against.
Co-authored-by: Bartosz Woronicz <bartosz.woronicz@canonical.com>
This patch modifies the existing openstack upgrade tests so that they
work with focal (by explicitly supporting mysql-innodb-cluster), and are
also interruptible and resumable (at a charm level). It also makes them
work with the updated 'get_upgrade_groups()' that ultimately gets a List
of Tuples rather than a dictionary.
* Updates to concurrent series upgrade
Updates to make it run more in parallel and spend less time waiting on
the whole model when updating machines.
* Make the concurrent series upgrade tests work
This is a number of changes to get the concurrent (here called
'parallel' historically) series upgrade tests to work. A number of
changes were required which included limiting the number of concurrent
async co-routines (futures) that could be run as with large models it
hits the limits of the Py3 runtime.
* Fix the tests and change pause order in maybe_pause_things
Due to an additional model helper call, an additional model AsyncMock is
required. Also the pause order had changed, and this is restored to
ensure the original design is retained (for pause order).
Clean up some commented out code and sort out a few PEP8 errors.
* Update comment to reflect code (3 -> 4)
* Fix tests that fail on bionic but pass on focal
Essentially, asyncio.gather has different behaviour on bionic than
focal. Although this doesn't affect testing, it does affect the unit
tests. These changes are simply to normalise the behaviour of unit
tests on focal and bionic.
When configuring the address to use to talk to Keystone,
the format_addr helper should be used to ensure that an
IPv4 or IPv6 address can be correctly handled.
When vault is in its own model with no clients then vault needs
to be initialised without waiting for clients to start executing
and without validating a client has received the cert. To achieve
this, this PR adds auto_initialize_no_validation_no_wait.
If the ssl-{key,chain,ca} charm config options have been set then
retrieve the ssl-ca from the vault charm and use it when making
calls to the vault api.
The pause/resume test paused the lead unit, but then checked
the first unit. In an HA scenario, the lead unit may not be the
first unit. This PR changes the test to check the lead unit after
the pause/resume test.
Depends On: https://github.com/openstack-charmers/zaza/pull/327
* Add an unseal function for mojo to use.
* Switch mojo to use new function after series upgrade reboot.
* Add fallback if vip client is unavailable (the case if all
hacluster units are paused for series upgrade).
Make it possible for consumers of the ``auto_initialize_no_validation``
function to execute subsequent setup and test code that require vault
and the consumers of the ``certificates`` relation to be ready.
With the current order of execution, it is not possible to use the
configure function in models where ``keystone`` application is not
present.
During testing the vault credentials are stored on the lead unit.
Unfortunately which unit is the designated leader can change during
the life of the test (particularly if the test involves rebooting
vault units). This change adds a function to search the units for
the credentials file rather than assuming it's on the lead unit.
These code snippets were using a hard-coded sleep time, wrapped by a for loop
to retry, which is a bad code smell.
Use tenacity retries to simplify the code, and be consistent with the
established approach to similar needs in other tests.
Closes #46
Signed-off-by: Joe Guo <guoqiao@gmail.com>
This is a temporary fix to work around a bug in nova-compute.
The bug causes nova-compute to cache the placement api endpoint
which causes placement api calls to fail when the endpoint switches
from http to https
Currently when vault auto_inititialize [sic] is called a validation
step is run at the end to check that clients connected to vault
have the correct setup. However, sometimes there are no clients
to run validation with (as with cross model relation testing). To
facilitate this expose a new method 'auto_initialize_no_validation'
which skips the client validation.
Also correct the spelling of auto_inititialize but add a partial
to support tests that are already using the old spelling.