[Merge] ~adam-collard/maas-ci/+git/system-tests:extract-setup-vault-tls into ~maas-committers/maas-ci/+git/system-tests:master
Adam Collard has proposed merging ~adam-collard/maas-ci/+git/system-tests:extract-setup-vault-tls into ~maas-committers/maas-ci/+git/system-tests:master.
Commit message:
extract setup_tls, setup_vault
fix: git clone cleanup
- don't need to checkout the branch, it's implied by --branch
- single-branch is implied by --depth
- restrict depth to 1
- set core.abbrev config in the clone
- make the submodules shallow
Refactor o11y setup
Requested reviews:
MAAS Committers (maas-committers)
For more details, see:
https://code.launchpad.net/~adam-collard/maas-ci/+git/system-tests/+merge/435078
--
Your team MAAS Committers is requested to review the proposed merge of ~adam-collard/maas-ci/+git/system-tests:extract-setup-vault-tls into ~maas-committers/maas-ci/+git/system-tests:master.
diff --git a/systemtests/api.py b/systemtests/api.py
index 5e164f0..568d6fa 100644
--- a/systemtests/api.py
+++ b/systemtests/api.py
@@ -6,6 +6,7 @@ from logging import getLogger
from subprocess import CalledProcessError
from typing import TYPE_CHECKING, Any, Dict, Iterable, Optional, TypedDict, Union
+from .tls import MAAS_CONTAINER_CERTS_PATH
from .utils import wait_for_machine
if TYPE_CHECKING:
@@ -15,10 +16,6 @@ if TYPE_CHECKING:
LOG = getLogger("systemtests.api")
-# Certs must be accessible for MAAS installed by snap, but
-# this location is useful also when installed via deb package.
-MAAS_CONTAINER_CERTS_PATH = "/var/snap/maas/common/certs/"
-
class CannotDeleteError(Exception):
pass
diff --git a/systemtests/conftest.py b/systemtests/conftest.py
index 6f1048f..39ef76e 100644
--- a/systemtests/conftest.py
+++ b/systemtests/conftest.py
@@ -107,9 +107,10 @@ def pytest_report_header(config: pytest.Config) -> list[str]:
for machine_config in generate_machines_config(systemtests_config)
)
headers.append(f"machines: {machines}")
- tls = "tls" in systemtests_config
- if tls:
+ if "tls" in systemtests_config:
headers.append("tlsenabled: true")
+ if "vault" in systemtests_config:
+ headers.append("vaultenabled: true")
return headers
diff --git a/systemtests/fixtures.py b/systemtests/fixtures.py
index 0d2a5ac..26950bb 100644
--- a/systemtests/fixtures.py
+++ b/systemtests/fixtures.py
@@ -11,11 +11,12 @@ import pytest
import yaml
from pytest_steps import one_fixture_per_step
-from .api import MAAS_CONTAINER_CERTS_PATH, UnauthenticatedMAASAPIClient
+from .api import UnauthenticatedMAASAPIClient
from .config import ADMIN_EMAIL, ADMIN_PASSWORD, ADMIN_USER
from .lxd import CLILXD, get_lxd
from .region import MAASRegion
-from .vault import Vault, VaultNotReadyError
+from .tls import MAAS_CONTAINER_CERTS_PATH, setup_tls
+from .vault import Vault, VaultNotReadyError, setup_vault
if TYPE_CHECKING:
from logging import Logger
@@ -115,24 +116,19 @@ def maas_deb_repo(
[
"git",
"clone",
- "--single-branch",
"--branch",
maas_git_branch,
"--depth",
- "100",
+ "1",
+ "--shallow-submodules",
"--recurse-submodules",
+ "--config core.abbrev=9",
maas_git_repo,
"maas",
],
environment=proxy_env,
)
lxd.execute(
- build_container, ["git", "-C", "maas", "checkout", maas_git_branch]
- )
- lxd.execute(
- build_container, ["git", "config", "--global", "core.abbrev", "9"]
- )
- lxd.execute(
build_container,
[
"mk-build-deps",
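Review bot: `"--config core.abbrev=9"` on the new side is a single list element, so git receives the option name and its value fused into one argv entry and will most likely reject it as an unknown option; every other item in this list is one token each, so it should be `"--config", "core.abbrev=9"` (or `"--config=core.abbrev=9"`). Worth confirming the clone actually succeeds with it, since the removed `git config --global core.abbrev 9` was the only other place the abbreviation length was set. maas_deb_repo's body starts and ends outside the hunk.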
@@ -446,71 +442,6 @@ def maas_region(
except IndexError:
version = ""
- if vault:
- maas_vault_status = yaml.safe_load(
- lxd.quietly_execute(
- maas_container, ["maas", "config-vault", "status"]
- ).stdout.strip()
- )
- if maas_vault_status["status"] == "disabled":
- role_id, wrapped_token = vault.create_approle(maas_container)
- lxd.execute(
- maas_container,
- [
- "maas",
- "config-vault",
- "configure",
- vault.addr,
- role_id,
- wrapped_token,
- vault.secrets_path,
- "--mount",
- vault.secrets_mount,
- ],
- )
- lxd.execute(
- maas_container,
- [
- "maas",
- "config-vault",
- "migrate",
- ],
- )
-
- if "tls" in config:
- lxd.execute(
- maas_container, ["sh", "-c", f"mkdir -p {MAAS_CONTAINER_CERTS_PATH}"]
- )
- lxd.execute(
- maas_container,
- [
- "cp",
- "-n",
- "/etc/ssl/certs/ssl-cert-snakeoil.pem",
- "/etc/ssl/private/ssl-cert-snakeoil.key",
- MAAS_CONTAINER_CERTS_PATH,
- ],
- )
- # We need the cert to add it as CA in client container.
- lxd.pull_file(
- maas_container,
- "/etc/ssl/certs/ssl-cert-snakeoil.pem",
- "ssl-cert-snakeoil.pem",
- )
- lxd.execute(
- maas_container,
- [
- "maas",
- "config-tls",
- "enable",
- f"{MAAS_CONTAINER_CERTS_PATH}ssl-cert-snakeoil.key",
- f"{MAAS_CONTAINER_CERTS_PATH}ssl-cert-snakeoil.pem",
- "--port",
- "5443",
- "--yes",
- ],
- )
-
# We never want to access the region via the system proxy
if "no_proxy" not in os.environ:
os.environ["no_proxy"] = region_ip
@@ -519,12 +450,11 @@ def maas_region(
url = http_url = f"http://{region_ip}:5240/MAAS/"
region_host = region_ip
- if "tls" in config:
- region_host = lxd.quietly_execute(
- maas_container, ["hostname", "-f"]
- ).stdout.strip()
- url = f"https://{region_host}:5443/MAAS/"
+ if vault:
+ setup_vault(vault, lxd, maas_container)
+ if "tls" in config:
+ url = setup_tls(lxd, maas_container)
region = MAASRegion(
url=url,
http_url=http_url,
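Review bot: `region_host` is left as `region_ip` when TLS is enabled, whereas the removed lines reassigned it to the container's FQDN before building the HTTPS URL; the new `url = setup_tls(lxd, maas_container)` keeps only the URL, so unless region_host is reassigned outside the hunk, whatever consumes it (the `region_host` credential used later in maas_client_container, for instance) now gets the IP while the URL carries the hostname, which matters for certificate hostname matching. Having setup_tls return both values, `region_host, url = setup_tls(lxd, maas_container)`, would restore the previous behaviour. maas_region continues outside the hunk.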
@@ -554,19 +484,22 @@ def maas_region(
fh.write(f"{version}\n")
if o11y := config.get("o11y"):
- AGENT_PATH = "/opt/agent/agent-linux-amd64"
- if not lxd.file_exists(maas_container, AGENT_PATH):
- lxd.execute(maas_container, ["sh", "-c", "mkdir -p /opt/agent/"])
+ host_path_to_agent = o11y["grafana_agent_file_path"].strip()
+ agent_path = "/opt/agent/agent-linux-amd64"
+ if not lxd.file_exists(maas_container, agent_path):
lxd.push_file(
- maas_container, o11y["grafana_agent_file_path"].strip(), AGENT_PATH
+ maas_container,
+ host_path_to_agent,
+ agent_path,
+ mode="0755",
+ create_dirs=True,
)
- lxd.execute(maas_container, ["sh", "-c", f"chmod a+x {AGENT_PATH}"])
- AGENT_MAAS_SAMPLE = "/usr/share/maas/grafana_agent/agent.yaml.example"
+ agent_maas_sample = "/usr/share/maas/grafana_agent/agent.yaml.example"
if installed_from_snap:
- AGENT_MAAS_SAMPLE = f"/snap/maas/current{AGENT_MAAS_SAMPLE}"
+ agent_maas_sample = f"/snap/maas/current{agent_maas_sample}"
lxd.execute(
maas_container,
- ["sh", "-c", f"cp {AGENT_MAAS_SAMPLE} /opt/agent/agent.yml"],
+ ["cp", agent_maas_sample, "/opt/agent/agent.yml"],
)
o11y_ip = o11y["o11y_ip"]
# FIXME: Could we have an uniq identifier for each system-tests execution?
@@ -584,7 +517,7 @@ def maas_region(
-E MAAS_IS_REGION="true" \
-E MAAS_IS_RACK="true" \
-E MAAS_AZ="default" \
- {AGENT_PATH} \
+ {agent_path} \
-config.expand-env \
-config.file=/opt/agent/agent.yml \
-server.http.address="0.0.0.0:3100" -server.grpc.address="0.0.0.0:9095"
@@ -727,11 +660,11 @@ def maas_client_container(
lxd, container, maas_credentials["region_host"], maas_credentials["region_ip"]
)
if "tls" in config:
- lxd.execute(container, ["sh", "-c", f"mkdir -p {MAAS_CONTAINER_CERTS_PATH}"])
lxd.push_file(
container,
config["tls"]["cacerts"],
f"{MAAS_CONTAINER_CERTS_PATH}cacerts.pem",
+ create_dirs=True,
)
yield container
diff --git a/systemtests/lxd.py b/systemtests/lxd.py
index 84e45fb..76cf073 100644
--- a/systemtests/lxd.py
+++ b/systemtests/lxd.py
@@ -118,21 +118,23 @@ class CLILXD:
target_file: str,
uid: int = 0,
gid: int = 0,
+ mode: str = "",
+ create_dirs: bool = False,
) -> None:
- self._run(
- [
- "lxc",
- "file",
- "--quiet",
- "push",
- "--uid",
- str(uid),
- "--gid",
- str(gid),
- source_file,
- f"{container}{target_file}",
- ],
- )
+ args = [
+ "--uid",
+ str(uid),
+ "--gid",
+ str(gid),
+ "--mode",
+ mode,
+ source_file,
+ f"{container}{target_file}",
+ ]
+ if create_dirs:
+ args.append("--create-dirs")
+
+ self._run(["lxc", "file", "--quiet", "push", *args])
def push_text_file(
self,
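Review bot: `--mode` is now always passed, with an empty string when the caller gives no mode, at `"--mode", mode,`; whether lxc treats an empty mode as "unset" or rejects it is not something I can confirm from here, and the intent is clearer if the flag is only added when requested: `if mode: args += ["--mode", mode]`, mirroring the `create_dirs` handling just below it. The two new parameters also deserve a docstring line each, saying that `mode` is an octal permission string applied to the pushed file and that `create_dirs` asks lxc to create missing parent directories. push_file's signature begins outside the hunk.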
diff --git a/systemtests/region.py b/systemtests/region.py
index a6ef1bf..014cbc8 100644
--- a/systemtests/region.py
+++ b/systemtests/region.py
@@ -27,6 +27,7 @@ class MAASRegion:
self.host = host
self.maas_container = maas_container
self.installed_from_snap = installed_from_snap
+ self.lxd = get_lxd(LOG)
def __repr__(self) -> str:
package = "snap" if self.installed_from_snap else "deb"
@@ -35,8 +36,7 @@ class MAASRegion:
)
def execute(self, command: list[str]) -> subprocess.CompletedProcess[str]:
- lxd = get_lxd(LOG)
- return lxd.execute(self.maas_container, command)
+ return self.lxd.execute(self.maas_container, command)
def get_api_token(self, user: str) -> str:
result = self.execute(["maas", "apikey", "--username", user])
@@ -158,8 +158,7 @@ class MAASRegion:
dhcpd_conf_path = "/var/lib/maas/dhcpd.conf"
if self.installed_from_snap:
dhcpd_conf_path = "/var/snap/maas/common/maas/dhcpd.conf"
- lxd = get_lxd(LOG)
- return lxd.file_exists(self.maas_container, dhcpd_conf_path)
+ return self.lxd.file_exists(self.maas_container, dhcpd_conf_path)
def set_config(self, key: str, value: str = "") -> None:
if self.installed_from_snap:
diff --git a/systemtests/tls.py b/systemtests/tls.py
new file mode 100644
index 0000000..111d572
--- /dev/null
+++ b/systemtests/tls.py
@@ -0,0 +1,43 @@
+from typing import TYPE_CHECKING
+
+if TYPE_CHECKING:
+ from .lxd import CLILXD
+
+# Certs must be accessible for MAAS installed by snap, but
+# this location is useful also when installed via deb package.
+MAAS_CONTAINER_CERTS_PATH = "/var/snap/maas/common/certs/"
+
+
+def setup_tls(lxd: CLILXD, maas_container: str) -> str:
+ lxd.execute(maas_container, ["mkdir", "-p", MAAS_CONTAINER_CERTS_PATH])
+ lxd.execute(
+ maas_container,
+ [
+ "cp",
+ "-n",
+ "/etc/ssl/certs/ssl-cert-snakeoil.pem",
+ "/etc/ssl/private/ssl-cert-snakeoil.key",
+ MAAS_CONTAINER_CERTS_PATH,
+ ],
+ )
+ # We need the cert to add it as CA in client container.
+ lxd.pull_file(
+ maas_container,
+ "/etc/ssl/certs/ssl-cert-snakeoil.pem",
+ "ssl-cert-snakeoil.pem",
+ )
+ lxd.execute(
+ maas_container,
+ [
+ "maas",
+ "config-tls",
+ "enable",
+ f"{MAAS_CONTAINER_CERTS_PATH}ssl-cert-snakeoil.key",
+ f"{MAAS_CONTAINER_CERTS_PATH}ssl-cert-snakeoil.pem",
+ "--port",
+ "5443",
+ "--yes",
+ ],
+ )
+ region_host = lxd.quietly_execute(maas_container, ["hostname", "-f"]).stdout.strip()
+ return f"https://{region_host}:5443/MAAS/"
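Review bot: `CLILXD` is only imported under `if TYPE_CHECKING:` but is used unquoted in the signature `def setup_tls(lxd: CLILXD, maas_container: str) -> str:`; without `from __future__ import annotations` the annotation is evaluated when the module loads, so importing systemtests.tls (which api.py and fixtures.py now do) raises NameError. Add `from __future__ import annotations` as the first line of the file or quote the annotation as `"CLILXD"`. The function also lacks a docstring; unlike setup_vault, one sentence saying that it copies the snakeoil self-signed certificate and key under MAAS_CONTAINER_CERTS_PATH, enables config-tls on port 5443, pulls the certificate out of the container for use as a CA by the client container, and returns the HTTPS region URL would cover it.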
diff --git a/systemtests/vault.py b/systemtests/vault.py
index e2f91b2..85f86ca 100644
--- a/systemtests/vault.py
+++ b/systemtests/vault.py
@@ -7,6 +7,7 @@ from logging import Logger
from textwrap import dedent
from typing import Any, cast
+import yaml
from retry.api import retry_call
from .lxd import CLILXD
@@ -162,3 +163,36 @@ class Vault:
f"auth/approle/role/{role_name}/secret-id",
)["wrap_info"]["token"]
return role_id, wrapped_token
+
+
+def setup_vault(vault: Vault, lxd: CLILXD, maas_container: str) -> None:
+ """Configures MAAS to talk to Vault."""
+ maas_vault_status = yaml.safe_load(
+ lxd.quietly_execute(
+ maas_container, ["maas", "config-vault", "status"]
+ ).stdout.strip()
+ )
+ if maas_vault_status["status"] == "disabled":
+ role_id, wrapped_token = vault.create_approle(maas_container)
+ lxd.execute(
+ maas_container,
+ [
+ "maas",
+ "config-vault",
+ "configure",
+ vault.addr,
+ role_id,
+ wrapped_token,
+ vault.secrets_path,
+ "--mount",
+ vault.secrets_mount,
+ ],
+ )
+ lxd.execute(
+ maas_container,
+ [
+ "maas",
+ "config-vault",
+ "migrate",
+ ],
+ )
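Review bot: the `configure` call following `vault.create_approle(maas_container)` puts `role_id` and `wrapped_token` on the command line through `lxd.execute` rather than `lxd.quietly_execute`; if execute echoes its argv to the log, as the existence of the quiet variant suggests, the AppRole credentials end up in the test output. Running that one command through `lxd.quietly_execute`, as the `status` query already is, avoids this. The docstring could also record that the function is a no-op when `maas config-vault status` reports anything other than `disabled`.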