docker_swarm: more integration tests (#53035)

* Add more tests.

* Added tests for CA options.

* Don't run in docker-in-docker situations where docker daemon becoming instable is really dangerous. Also, restart docker daemon after tests.

* Only run CA tests when openssl_certificate can be run (which is not the case for RHEL7, see #34054).

* Add comment on why docker-based CI runs are skipped.

test/integration/targets/docker_swarm/aliases

@@ -3,3 +3,9 @@ skip/osx
 skip/freebsd
 destructive
 skip/rhel8.0
+skip/docker  # The tests sometimes make docker daemon unstable; hence,
+             # we skip all docker-based CI runs to avoid disrupting
+             # the whole CI system. On VMs, we restart docker daemon
+             # after finishing the tests to minimize potential effects
+             # on other tests.
+needs/root

test/integration/targets/docker_swarm/meta/main.yml

@@ -1,3 +1,4 @@
 ---
 dependencies:
   - setup_docker
+  - setup_openssl

test/integration/targets/docker_swarm/tasks/main.yml

@@ -6,6 +6,21 @@
     - "tests/*.yml"
 
   always:
+  - name: Cleanup (trying)
+    docker_swarm:
+      state: absent
+      force: true
+    diff: no
+    ignore_errors: yes
+
+  - name: Restart docker daemon
+    service:
+      name: docker
+      state: restarted
+    become: yes
+  - name: Wait for docker daemon to be fully restarted
+    command: docker ps
+
   - name: Cleanup
     docker_swarm:
       state: absent

test/integration/targets/docker_swarm/tasks/tests/options-ca.yml

@@ -0,0 +1,141 @@
+---
+- block:
+  - name: Generate privatekey
+    openssl_privatekey:
+      path: "{{ output_dir }}/ansible_{{ key }}.key"
+      size: 2048
+      mode: "0666"
+    loop:
+    - key1
+    - key2
+    loop_control:
+      loop_var: key
+
+  - name: Generate CSR
+    openssl_csr:
+      path: "{{ output_dir }}/ansible_{{ key }}.csr"
+      privatekey_path: "{{ output_dir }}/ansible_{{ key }}.key"
+      basic_constraints:
+      - "CA:TRUE"
+      key_usage:
+      - keyCertSign
+    loop:
+    - key1
+    - key2
+    loop_control:
+      loop_var: key
+
+  - name: Generate self-signed certificate
+    openssl_certificate:
+      path: "{{ output_dir }}/ansible_{{ key }}.pem"
+      privatekey_path: "{{ output_dir }}/ansible_{{ key }}.key"
+      csr_path: "{{ output_dir }}/ansible_{{ key }}.csr"
+      provider: selfsigned
+    loop:
+    - key1
+    - key2
+    loop_control:
+      loop_var: key
+
+  ###################################################################
+  ## signing_ca_cert and signing_ca_key #############################
+  ###################################################################
+  - name: signing_ca_cert and signing_ca_key (check mode)
+    docker_swarm:
+      advertise_addr: "{{ansible_default_ipv4.address | default('127.0.0.1')}}"
+      state: present
+      signing_ca_cert: "{{ lookup('file', role_path ~ '/' ~ output_dir ~ '/ansible_key1.pem') }}"
+      signing_ca_key: "{{ lookup('file', role_path ~ '/' ~ output_dir ~ '/ansible_key1.key') }}"
+      timeout: 120
+    check_mode: yes
+    diff: yes
+    register: output_1
+
+  - name: signing_ca_cert and signing_ca_key
+    docker_swarm:
+      advertise_addr: "{{ansible_default_ipv4.address | default('127.0.0.1')}}"
+      state: present
+      signing_ca_cert: "{{ lookup('file', role_path ~ '/' ~ output_dir ~ '/ansible_key1.pem') }}"
+      signing_ca_key: "{{ lookup('file', role_path ~ '/' ~ output_dir ~ '/ansible_key1.key') }}"
+      timeout: 120
+    diff: yes
+    register: output_2
+
+  - name: Private key
+    debug: msg="{{ lookup('file', role_path ~ '/' ~ output_dir ~ '/ansible_key1.key') }}"
+  - name: Cert
+    debug: msg="{{ lookup('file', role_path ~ '/' ~ output_dir ~ '/ansible_key1.pem') }}"
+  - docker_swarm_facts:
+    register: output
+  - debug: var=output
+
+  # Idempotence for CA cert and key don't work yet! FIXME
+
+  #- name: signing_ca_cert and signing_ca_key (idempotent)
+  #  docker_swarm:
+  #    state: present
+  #    signing_ca_cert: "{{ lookup('file', role_path ~ '/' ~ output_dir ~ '/ansible_key1.pem') }}"
+  #    signing_ca_key: "{{ lookup('file', role_path ~ '/' ~ output_dir ~ '/ansible_key1.key') }}"
+  #    timeout: 120
+  #  diff: yes
+  #  register: output_3
+
+  #- name: signing_ca_cert and signing_ca_key (idempotent, check mode)
+  #  docker_swarm:
+  #    state: present
+  #    signing_ca_cert: "{{ lookup('file', role_path ~ '/' ~ output_dir ~ '/ansible_key1.pem') }}"
+  #    signing_ca_key: "{{ lookup('file', role_path ~ '/' ~ output_dir ~ '/ansible_key1.key') }}"
+  #    timeout: 120
+  #  check_mode: yes
+  #  diff: yes
+  #  register: output_4
+
+  - name: signing_ca_cert and signing_ca_key (change, check mode)
+    docker_swarm:
+      state: present
+      signing_ca_cert: "{{ lookup('file', role_path ~ '/' ~ output_dir ~ '/ansible_key2.pem') }}"
+      signing_ca_key: "{{ lookup('file', role_path ~ '/' ~ output_dir ~ '/ansible_key2.key') }}"
+      timeout: 120
+    check_mode: yes
+    diff: yes
+    register: output_5
+
+  - name: signing_ca_cert and signing_ca_key (change)
+    docker_swarm:
+      state: present
+      signing_ca_cert: "{{ lookup('file', role_path ~ '/' ~ output_dir ~ '/ansible_key2.pem') }}"
+      signing_ca_key: "{{ lookup('file', role_path ~ '/' ~ output_dir ~ '/ansible_key2.key') }}"
+      timeout: 120
+    diff: yes
+    register: output_6
+
+  - name: assert signing_ca_cert and signing_ca_key
+    assert:
+      that:
+         - 'output_1 is changed'
+         - 'output_1.actions[0] | regex_search("New Swarm cluster created: ")'
+         - 'output_1.diff.before is defined'
+         - 'output_1.diff.after is defined'
+         - 'output_2 is changed'
+         - 'output_2.actions[0] | regex_search("New Swarm cluster created: ")'
+         - 'output_2.diff.before is defined'
+         - 'output_2.diff.after is defined'
+         #- 'output_3 is not changed'
+         #- 'output_3.actions[0] == "No modification"'
+         #- 'output_3.diff.before is defined'
+         #- 'output_3.diff.after is defined'
+         #- 'output_4 is not changed'
+         #- 'output_4.actions[0] == "No modification"'
+         #- 'output_4.diff.before is defined'
+         #- 'output_4.diff.after is defined'
+         - 'output_5 is changed'
+         - 'output_5.actions[0] == "Swarm cluster updated"'
+         - 'output_5.diff.before is defined'
+         - 'output_5.diff.after is defined'
+         - 'output_6 is changed'
+         - 'output_6.actions[0] == "Swarm cluster updated"'
+         - 'output_6.diff.before is defined'
+         - 'output_6.diff.after is defined'
+
+  # https://github.com/ansible/ansible/issues/34054: openssl_certificate unusable on RHEL 7
+  when: pyopenssl_version.stdout is version('0.15', '>=')