From 4724aac02aa17ce21e9c72a7274996f00b9940c0 Mon Sep 17 00:00:00 2001 From: Bertrand Lanson Date: Wed, 19 Apr 2023 00:10:26 +0200 Subject: [PATCH] custom config tests now work --- defaults/main.yml | 2 +- meta/main.yml | 2 +- molecule/default/tests/test_default.py | 2 + molecule/with_custom_config/converge.yml | 7 +++ .../with_custom_config/group_vars/all.yml | 17 +++++++ molecule/with_custom_config/molecule.yml | 41 ++++++++++++++++ molecule/with_custom_config/prepare.yml | 15 ++++++ molecule/with_custom_config/requirements.yml | 5 ++ molecule/with_custom_config/tests/conftest.py | 22 +++++++++ .../with_custom_config/tests/test_default.py | 48 +++++++++++++++++++ 10 files changed, 159 insertions(+), 2 deletions(-) create mode 100644 molecule/with_custom_config/converge.yml create mode 100644 molecule/with_custom_config/group_vars/all.yml create mode 100644 molecule/with_custom_config/molecule.yml create mode 100644 molecule/with_custom_config/prepare.yml create mode 100644 molecule/with_custom_config/requirements.yml create mode 100644 molecule/with_custom_config/tests/conftest.py create mode 100644 molecule/with_custom_config/tests/test_default.py diff --git a/defaults/main.yml b/defaults/main.yml index 073bf75..c81ae35 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -13,6 +13,6 @@ renew_vault_certificates_info: issuer_path: pki/issue/your-issuer common_name: vault01.example.com ttl: 90d - include_consul_service: true + include_consul_service: false renew_vault_certificates_consul_service_name: vault.service.consul renew_vault_certificates_start_service: false diff --git a/meta/main.yml b/meta/main.yml index 22b46d6..ded7ab5 100644 --- a/meta/main.yml +++ b/meta/main.yml 
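Review bot: The flip of the shipped default `include_consul_service: true` to `false` in defaults/main.yml is a behaviour change for every existing user of the role who never set the variable: after upgrading, renewed certificates will no longer carry the consul alt_names (the default scenario's test_default.py now pins `alt_names=localhost`), which can break clients that validate the certificate against the consul service name. The commit title only mentions tests, so the change deserves a sentence in the commit message and in the role's README/changelog as a breaking default. If the intent was merely a deterministic default scenario, overriding the value in that scenario's group_vars (as the new with_custom_config scenario does) would have left the shipped default untouched.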
@@ -4,7 +4,7 @@ galaxy_info: namespace: 'ednxzu' role_name: 'renew_vault_certificates' author: 'Bertrand Lanson' - description: 'Install and configure consul-template for vault TLS certificates renewal for debian-based distros.' + description: 'Install and configure consul-template to renew vault TLS certificates for debian-based distros.' license: 'license (BSD, MIT)' min_ansible_version: '2.10' platforms: diff --git a/molecule/default/tests/test_default.py b/molecule/default/tests/test_default.py index 638e390..0e8f5ff 100644 --- a/molecule/default/tests/test_default.py +++ b/molecule/default/tests/test_default.py @@ -25,6 +25,8 @@ def test_template_files(host): assert file.user == "vault" assert file.group == "vault" assert file.mode == 0o600 + assert vault_cert_pem_tpl.content_string == '{{ with secret "pki/issue/your-issuer" "common_name=vault01.example.com" "ttl=90d" "alt_names=localhost" "ip_sans=127.0.0.1" }}\n{{ .Data.certificate }}\n{{ .Data.issuing_ca }}\n{{ end }}\n' + assert vault_key_pem_tpl.content_string == '{{ with secret "pki/issue/your-issuer" "common_name=vault01.example.com" "ttl=90d" "alt_names=localhost" "ip_sans=127.0.0.1" }}\n{{ .Data.private_key }}\n{{ end }}\n' def test_vault_certs_service_file(host): """Validate vault-certs service file.""" diff --git a/molecule/with_custom_config/converge.yml b/molecule/with_custom_config/converge.yml new file mode 100644 index 0000000..897496d --- /dev/null +++ b/molecule/with_custom_config/converge.yml @@ -0,0 +1,7 @@ +--- +- name: Converge + hosts: all + tasks: + - name: "Include ednxzu.renew_vault_certificates" + ansible.builtin.include_role: + name: "ednxzu.renew_vault_certificates" diff --git a/molecule/with_custom_config/group_vars/all.yml b/molecule/with_custom_config/group_vars/all.yml new file mode 100644 index 0000000..70b994a --- /dev/null +++ b/molecule/with_custom_config/group_vars/all.yml 
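Review bot: The two new `content_string` assertions in molecule/default/tests/test_default.py pin `alt_names=localhost` and `ip_sans=127.0.0.1`, values that come from the role's templates rather than from anything visible in this patch, so a later change to either template default will fail this test without an obvious link back; a short comment above the assertions naming the variables that feed these strings, e.g. `# rendered from renew_vault_certificates_info with include_consul_service: false (defaults/main.yml)`, would make the coupling explicit. test_template_files starts outside the hunk.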
@@ -0,0 +1,17 @@
+---
+renew_vault_certificates_config_dir: /etc/consul-template.d/vault
+renew_vault_certificates_vault_user: vault
+renew_vault_certificates_vault_group: vault
+renew_vault_certificates_vault_addr: "https://vault.example.com"
+renew_vault_certificates_vault_token: mysupersecretvaulttokenthatyoushouldchange
+renew_vault_certificates_vault_token_unwrap: false
+renew_vault_certificates_vault_token_renew: true
+renew_vault_certificates_cert_dest: /opt/vault/tls/cert.pem
+renew_vault_certificates_key_dest: /opt/vault/tls/key.pem
+renew_vault_certificates_info:
+ issuer_path: pki/issue/vault-issuer
+ common_name: vault01.example.com
+ ttl: 90d
+ include_consul_service: true
+renew_vault_certificates_consul_service_name: vault.service.consul
+renew_vault_certificates_start_service: false
diff --git a/molecule/with_custom_config/molecule.yml b/molecule/with_custom_config/molecule.yml
new file mode 100644
index 0000000..0f4babb
--- /dev/null
+++ b/molecule/with_custom_config/molecule.yml
@@ -0,0 +1,41 @@
+---
+dependency:
+ name: galaxy
+ options:
+ requirements-file: ./requirements.yml
+driver:
+ name: docker
+platforms:
+ - name: instance
+ image: geerlingguy/docker-${MOLECULE_TEST_OS}-ansible
+ command: ""
+ volumes:
+ - /sys/fs/cgroup:/sys/fs/cgroup
+ cgroupns_mode: host
+ privileged: true
+ pre_build_image: true
+provisioner:
+ name: ansible
+ config_options:
+ defaults:
+ remote_tmp: /tmp/.ansible
+verifier:
+ name: testinfra
+lint: |
+ yamllint -c .yamllint .
+ ansible-lint
+scenario:
+ name: with_custom_config
+ test_sequence:
+ - dependency
+ - lint
+ - cleanup
+ - destroy
+ - syntax
+ - create
+ - prepare
+ - converge
+ - idempotence
+ - verify
+ - cleanup
+ - destroy
diff --git a/molecule/with_custom_config/prepare.yml b/molecule/with_custom_config/prepare.yml
new file mode 100644
index 0000000..de48134
--- /dev/null
+++ b/molecule/with_custom_config/prepare.yml
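Review bot: `renew_vault_certificates_vault_token: mysupersecretvaulttokenthatyoushouldchange` in group_vars/all.yml commits a literal token value to the repository; it is clearly a placeholder and nothing in the new tests reads it, but molecule scenario files are routinely copied as the starting point for real inventories, and a plaintext token in group_vars is exactly the pattern that ends up in git history. A value that cannot be mistaken for a real secret and that shows where the real one should come from, e.g. `renew_vault_certificates_vault_token: "{{ lookup('env', 'VAULT_TOKEN') | default('dummy-token-for-molecule', true) }}"`, keeps the scenario self-contained and safe to copy. Note also that `include_consul_service: true` here is what produces the `vault.service.consul` alt_names pinned in the scenario's test_default.py, so the two files must be changed together.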
@@ -0,0 +1,15 @@
+---
+- name: Prepare
+ hosts: all
+ tasks:
+ - name: "Create group vault"
+ ansible.builtin.group:
+ name: "vault"
+ state: present
+
+ - name: "Create user vault"
+ ansible.builtin.user:
+ name: "vault"
+ group: "vault"
+ shell: /bin/false
+ state: present
diff --git a/molecule/with_custom_config/requirements.yml b/molecule/with_custom_config/requirements.yml
new file mode 100644
index 0000000..0a4a9fb
--- /dev/null
+++ b/molecule/with_custom_config/requirements.yml
@@ -0,0 +1,5 @@
+---
+# requirements file for molecule
+roles:
+ - name: ednxzu.manage_repositories
+ - name: ednxzu.manage_apt_packages
diff --git a/molecule/with_custom_config/tests/conftest.py b/molecule/with_custom_config/tests/conftest.py
new file mode 100644
index 0000000..f7ddb3f
--- /dev/null
+++ b/molecule/with_custom_config/tests/conftest.py
@@ -0,0 +1,22 @@
+"""PyTest Fixtures."""
+from __future__ import absolute_import
+
+import os
+
+import pytest
+
+
+def pytest_runtest_setup(item):
+ """Run tests only when under molecule with testinfra installed."""
+ try:
+ import testinfra
+ except ImportError:
+ pytest.skip("Test requires testinfra", allow_module_level=True)
+ if "MOLECULE_INVENTORY_FILE" in os.environ:
+ pytest.testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
+ os.environ["MOLECULE_INVENTORY_FILE"]
+ ).get_hosts("all")
+ else:
+ pytest.skip(
+ "Test should run only from inside molecule.", allow_module_level=True
+ )
diff --git a/molecule/with_custom_config/tests/test_default.py b/molecule/with_custom_config/tests/test_default.py
new file mode 100644
index 0000000..4fad31e
--- /dev/null
+++ b/molecule/with_custom_config/tests/test_default.py
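Review bot: `from __future__ import absolute_import` in the new conftest.py is a Python 2 compatibility import with no effect on Python 3, the only Python current pytest and molecule run on, and the `allow_module_level=True` arguments only matter when `pytest.skip` is called at module import time, so they are inert inside the `pytest_runtest_setup` hook; all three can be dropped. `testinfra.utils.ansible_runner.AnsibleRunner` is reached as an attribute chain after a bare `import testinfra`, which works only if the package imports that submodule itself; `import testinfra.utils.ansible_runner` inside the `try` makes the dependency explicit. The hook looks like a copy of the default scenario's conftest (not visible here); if so, a comment saying which one is canonical would help keep the two from drifting apart.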
@@ -0,0 +1,48 @@
+"""Role testing files using testinfra."""
+
+
+def test_hosts_file(host):
+ """Validate /etc/hosts file."""
+ etc_hosts = host.file("/etc/hosts")
+ assert etc_hosts.exists
+ assert etc_hosts.user == "root"
+ assert etc_hosts.group == "root"
+
+def test_consul_template_config(host):
+ """Validate /etc/consul-template.d/vault/ files."""
+ etc_consul_template_d_vault_config_hcl = host.file("/etc/consul-template.d/vault/vault_config.hcl")
+ assert etc_consul_template_d_vault_config_hcl.exists
+ assert etc_consul_template_d_vault_config_hcl.user == "vault"
+ assert etc_consul_template_d_vault_config_hcl.group == "vault"
+ assert etc_consul_template_d_vault_config_hcl.mode == 0o600
+
+def test_template_files(host):
+ """Validate /etc/consul-template.d/vault/templates/ files."""
+ vault_cert_pem_tpl = host.file("/etc/consul-template.d/vault/templates/vault_cert.pem.tpl")
+ vault_key_pem_tpl = host.file("/etc/consul-template.d/vault/templates/vault_key.pem.tpl")
+ for file in vault_cert_pem_tpl, vault_key_pem_tpl:
+ assert file.exists
+ assert file.user == "vault"
+ assert file.group == "vault"
+ assert file.mode == 0o600
+ assert vault_cert_pem_tpl.content_string == '{{ with secret "pki/issue/vault-issuer" "common_name=vault01.example.com" "ttl=90d" "alt_names=localhost,vault.service.consul,active.vault.service.consul,standby.vault.service.consul" "ip_sans=127.0.0.1" }}\n{{ .Data.certificate }}\n{{ .Data.issuing_ca }}\n{{ end }}\n'
+ assert vault_key_pem_tpl.content_string == '{{ with secret "pki/issue/vault-issuer" "common_name=vault01.example.com" "ttl=90d" "alt_names=localhost,vault.service.consul,active.vault.service.consul,standby.vault.service.consul" "ip_sans=127.0.0.1" }}\n{{ .Data.private_key }}\n{{ end }}\n'
+
+def test_vault_certs_service_file(host):
+ """Validate vault-certs service file."""
+ etc_systemd_system_vault_certs_service = host.file("/etc/systemd/system/vault-certs.service")
+ assert etc_systemd_system_vault_certs_service.exists
+ assert etc_systemd_system_vault_certs_service.user == "root"
+ assert etc_systemd_system_vault_certs_service.group == "root"
+ assert etc_systemd_system_vault_certs_service.mode == 0o644
+ assert etc_systemd_system_vault_certs_service.content_string != ""
+
+def test_vault_certs_service(host):
+ """Validate vault-certs service."""
+ vault_certs_service = host.service("vault-certs.service")
+ assert vault_certs_service.is_enabled
+ assert not vault_certs_service.is_running
+ assert vault_certs_service.systemd_properties["Restart"] == "on-failure"
+ assert vault_certs_service.systemd_properties["User"] == "vault"
+ assert vault_certs_service.systemd_properties["Group"] == "vault"
+ assert vault_certs_service.systemd_properties["FragmentPath"] == "/etc/systemd/system/vault-certs.service"
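Review bot: `test_consul_template_config` checks only that vault_config.hcl exists with owner vault and mode 0o600, so a scenario named with_custom_config never verifies that any custom value other than the issuer path and alt_names reached the rendered configuration; assuming the role renders `renew_vault_certificates_vault_addr` into that file, `assert "https://vault.example.com" in etc_consul_template_d_vault_config_hcl.content_string` would pin it, and the token is worth checking the same way so a regression that omits it or moves it elsewhere is caught. The 0o600 assertion on the file that carries the vault token is the important security check here and should stay as the first thing verified. Style: the top-level test functions are separated by one blank line where PEP 8 expects two, and the two `content_string` equality lines are long enough that a failing assertion is unreadable; assembling the expected template from shorter pieces with `"".join(...)` or a triple-quoted string would keep the comparison exact while making the diff legible.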