feat(tests): add tls testing to prepare tls feature
This commit is contained in:
parent
9caa950236
commit
aae5f3bb83
@ -5,6 +5,7 @@ deploy_haproxy_version: latest
|
|||||||
|
|
||||||
deploy_haproxy_env_variables: {}
|
deploy_haproxy_env_variables: {}
|
||||||
deploy_haproxy_start_service: true
|
deploy_haproxy_start_service: true
|
||||||
|
deploy_haproxy_cert_dir: ""
|
||||||
|
|
||||||
# docker-only options
|
# docker-only options
|
||||||
deploy_haproxy_extra_container_volumes: []
|
deploy_haproxy_extra_container_volumes: []
|
||||||
@ -70,3 +71,4 @@ deploy_haproxy_listen:
|
|||||||
- acl health_check_ok nbsrv() ge 1
|
- acl health_check_ok nbsrv() ge 1
|
||||||
- monitor-uri /health
|
- monitor-uri /health
|
||||||
- http-request use-service prometheus-exporter if { path /metrics }
|
- http-request use-service prometheus-exporter if { path /metrics }
|
||||||
|
- 'http-response return 200 ''{"status": "ok"}'' if { path /health }'
|
||||||
|
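Review bot: The new `http-response return 200 '{"status": "ok"}' if { path /health }` line looks malformed for HAProxy's `return` action, which takes `status <code>` and `string <str>` keywords rather than positional arguments, so the configuration would likely be rejected at startup; and since the `monitor-uri /health` line just above it intercepts `/health` before any rule is evaluated, the rule would not fire even if it parsed. If a JSON body is wanted, a request-side rule does it: `- 'http-request return status 200 content-type application/json string ''{"status": "ok"}'' if { path /health }'`, and `monitor-uri /health` can then be dropped (or kept for a plain 200, in which case the new line is redundant). The `deploy_haproxy_cert_dir: ""` default added in the first hunk of this file lacks the explanatory comment its neighbours carry; `# local directory whose files are copied to the haproxy host as TLS certificates; empty disables TLS` matches what the task hunk does with it. Please check the rule syntax against the manual for the HAProxy version the tests pin.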
@ -42,8 +42,8 @@ deploy_haproxy_backends:
|
|||||||
- option forwardfor
|
- option forwardfor
|
||||||
- option httpchk
|
- option httpchk
|
||||||
- http-check send meth GET uri /
|
- http-check send meth GET uri /
|
||||||
- server srv_nginx1 172.17.0.3:80 check inter 5s
|
- server srv_nginx1 172.17.0.2:80 check inter 5s
|
||||||
- server srv_nginx2 172.17.0.2:80 check inter 5s
|
- server srv_nginx2 172.17.0.3:80 check inter 5s
|
||||||
|
|
||||||
# listen configuration blocks
|
# listen configuration blocks
|
||||||
# the default values expose a monitoring listener on all interfaces on port 9000
|
# the default values expose a monitoring listener on all interfaces on port 9000
|
||||||
|
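Review bot: Swapping the hard-coded `172.17.0.2`/`172.17.0.3` addresses of `srv_nginx1` and `srv_nginx2` suggests the fixture depends on the order in which Docker happens to hand out bridge addresses, which will flip again whenever container start order changes. Addressing the test backends by container name on a user-defined Docker network, or reading the address from the container facts during prepare, would make the scenario deterministic. Where the nginx containers are started is not visible in this hunk, so I am inferring the cause from the swap itself.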
8
molecule/with_tls_enabled_vagrant/converge.yml
Normal file
8
molecule/with_tls_enabled_vagrant/converge.yml
Normal file
@ -0,0 +1,8 @@
|
|||||||
|
---
|
||||||
|
- name: Converge
|
||||||
|
hosts: all
|
||||||
|
become: true
|
||||||
|
tasks:
|
||||||
|
- name: "Include ednxzu.deploy_haproxy"
|
||||||
|
ansible.builtin.include_role:
|
||||||
|
name: "ednxzu.deploy_haproxy"
|
69
molecule/with_tls_enabled_vagrant/group_vars/all.yml
Normal file
69
molecule/with_tls_enabled_vagrant/group_vars/all.yml
Normal file
@ -0,0 +1,69 @@
|
|||||||
|
---
|
||||||
|
deploy_haproxy_deploy_method: docker # deployment method, either host or docker
|
||||||
|
deploy_haproxy_version: "2.8"
|
||||||
|
|
||||||
|
deploy_haproxy_env_variables: {}
|
||||||
|
deploy_haproxy_start_service: true
|
||||||
|
|
||||||
|
# docker-only options
|
||||||
|
deploy_haproxy_extra_container_volumes: []
|
||||||
|
|
||||||
|
# Options from the "default" config block in haproxy.cfg
|
||||||
|
# The default values here are usually set, but you can change any of them.
|
||||||
|
deploy_haproxy_global:
|
||||||
|
- log /dev/log local0
|
||||||
|
- log /dev/log local1 notice
|
||||||
|
- stats socket {{ deploy_haproxy_socket }} level admin
|
||||||
|
- chroot {{ deploy_haproxy_chroot }}
|
||||||
|
- daemon
|
||||||
|
- description hashistack haproxy
|
||||||
|
|
||||||
|
deploy_haproxy_defaults:
|
||||||
|
- log global
|
||||||
|
- mode http
|
||||||
|
- option httplog
|
||||||
|
- option dontlognull
|
||||||
|
- timeout connect 5000
|
||||||
|
- timeout client 5000
|
||||||
|
- timeout server 5000
|
||||||
|
|
||||||
|
deploy_haproxy_frontends:
|
||||||
|
- name: default
|
||||||
|
options:
|
||||||
|
- description default frontend
|
||||||
|
- mode http
|
||||||
|
- bind :1024
|
||||||
|
- default_backend default
|
||||||
|
|
||||||
|
deploy_haproxy_backends:
|
||||||
|
- name: default
|
||||||
|
options:
|
||||||
|
- description default backend
|
||||||
|
- option forwardfor
|
||||||
|
- option httpchk
|
||||||
|
- http-check send meth GET uri /
|
||||||
|
- server srv_nginx1 172.17.0.2:80 check inter 5s
|
||||||
|
- server srv_nginx2 172.17.0.3:80 check inter 5s
|
||||||
|
|
||||||
|
# listen configuration blocks
|
||||||
|
# the default values expose a monitoring listener on all interfaces on port 9000
|
||||||
|
# /stats returns the haproxy dashboard (please change the user and password in the configuration)
|
||||||
|
# /health returns a 200 OK response as long as haproxy is alive and well
|
||||||
|
# /metrics returns prometheus metrics for the haproxy instance
|
||||||
|
deploy_haproxy_listen:
|
||||||
|
- name: monitoring
|
||||||
|
options:
|
||||||
|
- bind :9000
|
||||||
|
- mode http
|
||||||
|
- option httpchk
|
||||||
|
- stats enable
|
||||||
|
- stats uri /stats
|
||||||
|
- stats refresh 30s
|
||||||
|
- stats show-desc
|
||||||
|
- stats show-legends
|
||||||
|
- stats auth admin:password
|
||||||
|
- http-check send meth GET uri /health ver HTTP/1.1 hdr Host localhost
|
||||||
|
- http-check expect status 200
|
||||||
|
- acl health_check_ok nbsrv() ge 1
|
||||||
|
- monitor-uri /health
|
||||||
|
- http-request use-service prometheus-exporter if { path /metrics }
|
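Review bot: Nothing in this scenario's group_vars enables TLS: `deploy_haproxy_cert_dir` keeps its empty default, so the `Configure haproxy for TLS` block added in the tasks hunk is skipped, and the `default` frontend still binds plain `:1024`; apart from the `"2.8"` version pin the file appears to mirror the scenario edited in the `-42,8 +42,8` hunk above. To exercise the feature the commit prepares, set `deploy_haproxy_cert_dir: "/tmp/haproxy-cert"` here (the directory prepare.yml writes into) and bind the frontend with `- bind :1024 ssl crt {{ deploy_haproxy_cert_dir_dst }}`, pointing `crt` at the directory so the file renaming done by the copy task does not matter. `stats auth admin:password` is acceptable for a throwaway VM, but the comment above it already asks for it to be changed; a scenario-specific value would stop it being carried into real inventories by copy-paste.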
35
molecule/with_tls_enabled_vagrant/molecule.yml
Normal file
35
molecule/with_tls_enabled_vagrant/molecule.yml
Normal file
@ -0,0 +1,35 @@
|
|||||||
|
---
|
||||||
|
dependency:
|
||||||
|
name: galaxy
|
||||||
|
options:
|
||||||
|
requirements-file: ./requirements.yml
|
||||||
|
driver:
|
||||||
|
name: vagrant
|
||||||
|
provider:
|
||||||
|
name: libvirt
|
||||||
|
platforms:
|
||||||
|
- name: instance
|
||||||
|
box: generic/${MOLECULE_TEST_OS}
|
||||||
|
cpus: 4
|
||||||
|
memory: 4096
|
||||||
|
provisioner:
|
||||||
|
name: ansible
|
||||||
|
config_options:
|
||||||
|
defaults:
|
||||||
|
remote_tmp: /tmp/.ansible
|
||||||
|
verifier:
|
||||||
|
name: ansible
|
||||||
|
scenario:
|
||||||
|
name: with_tls_enabled_vagrant
|
||||||
|
test_sequence:
|
||||||
|
- dependency
|
||||||
|
- cleanup
|
||||||
|
- destroy
|
||||||
|
- syntax
|
||||||
|
- create
|
||||||
|
- prepare
|
||||||
|
- converge
|
||||||
|
- idempotence
|
||||||
|
- verify
|
||||||
|
- cleanup
|
||||||
|
- destroy
|
40
molecule/with_tls_enabled_vagrant/prepare.yml
Normal file
40
molecule/with_tls_enabled_vagrant/prepare.yml
Normal file
@ -0,0 +1,40 @@
|
|||||||
|
---
|
||||||
|
- name: Prepare
|
||||||
|
hosts: all
|
||||||
|
become: true
|
||||||
|
tasks:
|
||||||
|
- name: "Include ednxzu.install_docker"
|
||||||
|
ansible.builtin.include_role:
|
||||||
|
name: ednxzu.install_docker
|
||||||
|
vars:
|
||||||
|
install_docker_python_packages: true
|
||||||
|
|
||||||
|
- name: "Generate self-signed certificates" # noqa: run-once[task]
|
||||||
|
delegate_to: localhost
|
||||||
|
run_once: true
|
||||||
|
block:
|
||||||
|
- name: "Create temporary cert directory /tmp/haproxy-cert"
|
||||||
|
ansible.builtin.file:
|
||||||
|
path: "/tmp/haproxy-cert"
|
||||||
|
state: directory
|
||||||
|
owner: "root"
|
||||||
|
group: "root"
|
||||||
|
mode: "0777"
|
||||||
|
|
||||||
|
- name: "Create private key"
|
||||||
|
community.crypto.openssl_privatekey:
|
||||||
|
path: /tmp/haproxy-cert.key
|
||||||
|
|
||||||
|
- name: "Create certificate signing request"
|
||||||
|
community.crypto.openssl_csr_pipe:
|
||||||
|
privatekey_path: /tmp/haproxy-cert.key
|
||||||
|
common_name: haproxy.ansible.test
|
||||||
|
organization_name: Ansible, Inc.
|
||||||
|
register: csr
|
||||||
|
|
||||||
|
- name: "Create self-signed certificate from CSR"
|
||||||
|
community.crypto.x509_certificate:
|
||||||
|
path: /tmp/haproxy-cert/cert.pem
|
||||||
|
csr_content: "{{ csr.csr }}"
|
||||||
|
privatekey_path: /tmp/haproxy-cert.key
|
||||||
|
provider: selfsigned
|
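Review bot: The private key is written to `/tmp/haproxy-cert.key`, outside the `/tmp/haproxy-cert` directory that presumably becomes `deploy_haproxy_cert_dir`, so the role's glob copies only `cert.pem` and HAProxy ends up with a certificate but no key; an `ssl` bind using it would fail to load. Moving the key into the directory is not enough on its own, because the copy task strips the last extension and HAProxy wants the key either concatenated into the PEM or in a `.key` sibling of the same base name; the least surprising fix is to keep the working key where it is and add a final task that writes key and certificate concatenated into `/tmp/haproxy-cert/cert.pem` (for example `ansible.builtin.copy` with `content` built from `lookup('file', ...)` of both). `mode: "0777"` on the directory also makes the key material world-writable on the controller for no benefit; `"0755"` (or `"0700"`, since the play runs as root there via `become`) is enough for the glob to read it. The sibling-`.key` behaviour is what I read in the manual for recent releases; please confirm for 2.8.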
6
molecule/with_tls_enabled_vagrant/requirements.yml
Normal file
6
molecule/with_tls_enabled_vagrant/requirements.yml
Normal file
@ -0,0 +1,6 @@
|
|||||||
|
---
|
||||||
|
# requirements file for molecule
|
||||||
|
roles:
|
||||||
|
- name: ednxzu.manage_repositories
|
||||||
|
- name: ednxzu.manage_apt_packages
|
||||||
|
- name: ednxzu.install_docker
|
6
molecule/with_tls_enabled_vagrant/verify.yml
Normal file
6
molecule/with_tls_enabled_vagrant/verify.yml
Normal file
@ -0,0 +1,6 @@
|
|||||||
|
---
|
||||||
|
- name: Verify
|
||||||
|
hosts: all
|
||||||
|
gather_facts: true
|
||||||
|
become: true
|
||||||
|
tasks:
|
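Review bot: `tasks:` is left empty, so the `verify` step of this scenario cannot fail and the TLS behaviour the scenario is named for is never asserted. At minimum an `ansible.builtin.uri` request against the TLS frontend with `validate_certs: false` (the certificate from prepare is self-signed) and an expected status would make this a real check; the monitoring listener on `:9000` can be checked the same way over plain HTTP. Whether an empty `tasks:` (which parses as null) is accepted by the Ansible version in use I cannot tell from here.
```yaml
tasks:
  - name: "Check that the default frontend answers over TLS"
    ansible.builtin.uri:
      url: "https://127.0.0.1:1024/"  # constructed sample; point it at the bind the scenario enables
      validate_certs: false  # prepare.yml issues a self-signed certificate
      status_code: [200, 503]  # 503 still proves the TLS handshake and HAProxy answered
```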
@ -21,3 +21,24 @@
|
|||||||
notify:
|
notify:
|
||||||
- "systemctl-enable-haproxy"
|
- "systemctl-enable-haproxy"
|
||||||
- "systemctl-restart-haproxy"
|
- "systemctl-restart-haproxy"
|
||||||
|
|
||||||
|
- name: "Configure haproxy for TLS"
|
||||||
|
when: not deploy_haproxy_cert_dir == ''
|
||||||
|
block:
|
||||||
|
- name: "Create directory {{ deploy_haproxy_cert_dir_dst }}"
|
||||||
|
ansible.builtin.file:
|
||||||
|
path: "{{ deploy_haproxy_cert_dir_dst }}"
|
||||||
|
state: directory
|
||||||
|
owner: "{{ deploy_haproxy_user }}"
|
||||||
|
group: "{{ deploy_haproxy_group }}"
|
||||||
|
mode: "0755"
|
||||||
|
|
||||||
|
- name: "Copy TLS certificates"
|
||||||
|
ansible.builtin.template:
|
||||||
|
src: "{{ item }}"
|
||||||
|
dest: "{{ deploy_haproxy_cert_dir_dst }}/{{ (item | basename).split('.')[:-1] | join('.')}}"
|
||||||
|
owner: "{{ deploy_haproxy_user }}"
|
||||||
|
group: "{{ deploy_haproxy_group }}"
|
||||||
|
mode: "0600"
|
||||||
|
with_fileglob:
|
||||||
|
- "{{ deploy_haproxy_cert_dir }}/*"
|
||||||
|
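Review bot: The `dest` expression in `Copy TLS certificates` strips the last extension of every file, so a `site.pem`/`site.key` pair both land on `{{ deploy_haproxy_cert_dir_dst }}/site` and overwrite each other, and HAProxy's lookup of a `.key` sibling can never match; `dest: "{{ deploy_haproxy_cert_dir_dst }}/{{ item | basename }}"` keeps the names intact. `ansible.builtin.template` is also the wrong tool for key material, since it runs the file through Jinja (a stray `{{` or `{%` breaks the copy); `ansible.builtin.copy` with the same arguments does not interpret the content, and `diff: false` on the task keeps the private key out of `--diff` output. The task has no `notify`, so rotating certificates never reloads HAProxy; `notify: "systemctl-restart-haproxy"`, as the configuration task above does, closes that gap. `when: deploy_haproxy_cert_dir | length > 0` reads more idiomatically than `not ... == ''`, and `join('.')}}` is missing a space before the closing braces.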
@ -1,8 +1,9 @@
|
|||||||
---
|
---
|
||||||
# vars file for deploy_haproxy
|
# vars file for deploy_haproxy
|
||||||
deploy_haproxy_config_dir: /etc/haproxy
|
deploy_haproxy_config_dir: /etc/haproxy
|
||||||
deploy_haproxy_socket: /var/lib/haproxy/stats
|
|
||||||
deploy_haproxy_chroot: /var/lib/haproxy
|
deploy_haproxy_chroot: /var/lib/haproxy
|
||||||
|
deploy_haproxy_socket: "{{ deploy_haproxy_chroot }}/stats"
|
||||||
|
deploy_haproxy_cert_dir_dst: "{{ deploy_haproxy_chroot }}/certs"
|
||||||
deploy_haproxy_user: "{{ '99' if deploy_haproxy_deploy_method == 'docker' else 'haproxy' }}"
|
deploy_haproxy_user: "{{ '99' if deploy_haproxy_deploy_method == 'docker' else 'haproxy' }}"
|
||||||
deploy_haproxy_group: "{{ '99' if deploy_haproxy_deploy_method == 'docker' else 'haproxy' }}"
|
deploy_haproxy_group: "{{ '99' if deploy_haproxy_deploy_method == 'docker' else 'haproxy' }}"
|
||||||
deploy_haproxy_service_name: "haproxy{{ '_container' if deploy_haproxy_deploy_method == 'docker' }}"
|
deploy_haproxy_service_name: "haproxy{{ '_container' if deploy_haproxy_deploy_method == 'docker' }}"
|
||||||
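Review bot: `deploy_haproxy_cert_dir_dst` places private keys under the chroot directory, which HAProxy does not need: as far as I can tell certificates are loaded while the configuration is parsed, before `chroot` takes effect, so `{{ deploy_haproxy_config_dir }}/certs` would work as well and would keep key files out of the tree a chrooted worker can still reach. If the docker deployment method depends on this path sitting inside a mounted volume (not visible in this hunk), a comment saying so would stop the next reader from moving it; otherwise I would move it. Deriving `deploy_haproxy_socket` from the chroot path changes nothing for the default value, but a one-line comment on why the two are now tied together would help.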
|