docker_swarm: more integration tests (#53035)

* Add more tests.

* Added tests for CA options.

* Don't run in docker-in-docker situations where docker daemon becoming instable is really dangerous. Also, restart docker daemon after tests.

* Only run CA tests when openssl_certificate can be run (which is not the case for RHEL7, see #34054).

* Add comment on why docker-based CI runs are skipped.

(cherry picked from commit 04bfec9dfe)
pull/53192/head
Felix Fontein 6 years ago committed by Toshio Kuratomi
parent 05f7fbc93a
commit 25ca40de88

@ -2,3 +2,9 @@ shippable/posix/group2
skip/osx
skip/freebsd
destructive
skip/docker # The tests sometimes make docker daemon unstable; hence,
# we skip all docker-based CI runs to avoid disrupting
# the whole CI system. On VMs, we restart docker daemon
# after finishing the tests to minimize potential effects
# on other tests.
needs/root

@ -1,3 +1,4 @@
---
dependencies:
- setup_docker
- setup_openssl

@ -6,6 +6,21 @@
- "tests/*.yml"
always:
- name: Cleanup (trying)
docker_swarm:
state: absent
force: true
diff: no
ignore_errors: yes
- name: Restart docker daemon
service:
name: docker
state: restarted
become: yes
- name: Wait for docker daemon to be fully restarted
command: docker ps
- name: Cleanup
docker_swarm:
state: absent

@ -0,0 +1,138 @@
---
- block:
- name: Generate privatekey
openssl_privatekey:
path: "{{ output_dir }}/ansible_{{ key }}.key"
size: 2048
mode: "0666"
loop:
- key1
- key2
loop_control:
loop_var: key
- name: Generate CSR
openssl_csr:
path: "{{ output_dir }}/ansible_{{ key }}.csr"
privatekey_path: "{{ output_dir }}/ansible_{{ key }}.key"
basic_constraints:
- "CA:TRUE"
key_usage:
- keyCertSign
loop:
- key1
- key2
loop_control:
loop_var: key
- name: Generate self-signed certificate
openssl_certificate:
path: "{{ output_dir }}/ansible_{{ key }}.pem"
privatekey_path: "{{ output_dir }}/ansible_{{ key }}.key"
csr_path: "{{ output_dir }}/ansible_{{ key }}.csr"
provider: selfsigned
loop:
- key1
- key2
loop_control:
loop_var: key
###################################################################
## signing_ca_cert and signing_ca_key #############################
###################################################################
- name: signing_ca_cert and signing_ca_key (check mode)
docker_swarm:
advertise_addr: "{{ansible_default_ipv4.address | default('127.0.0.1')}}"
state: present
signing_ca_cert: "{{ lookup('file', role_path ~ '/' ~ output_dir ~ '/ansible_key1.pem') }}"
signing_ca_key: "{{ lookup('file', role_path ~ '/' ~ output_dir ~ '/ansible_key1.key') }}"
timeout: 120
check_mode: yes
diff: yes
register: output_1
- name: signing_ca_cert and signing_ca_key
docker_swarm:
advertise_addr: "{{ansible_default_ipv4.address | default('127.0.0.1')}}"
state: present
signing_ca_cert: "{{ lookup('file', role_path ~ '/' ~ output_dir ~ '/ansible_key1.pem') }}"
signing_ca_key: "{{ lookup('file', role_path ~ '/' ~ output_dir ~ '/ansible_key1.key') }}"
timeout: 120
diff: yes
register: output_2
- name: Private key
debug: msg="{{ lookup('file', role_path ~ '/' ~ output_dir ~ '/ansible_key1.key') }}"
- name: Cert
debug: msg="{{ lookup('file', role_path ~ '/' ~ output_dir ~ '/ansible_key1.pem') }}"
# Idempotence for CA cert and key don't work yet! FIXME
#- name: signing_ca_cert and signing_ca_key (idempotent)
# docker_swarm:
# state: present
# signing_ca_cert: "{{ lookup('file', role_path ~ '/' ~ output_dir ~ '/ansible_key1.pem') }}"
# signing_ca_key: "{{ lookup('file', role_path ~ '/' ~ output_dir ~ '/ansible_key1.key') }}"
# timeout: 120
# diff: yes
# register: output_3
#- name: signing_ca_cert and signing_ca_key (idempotent, check mode)
# docker_swarm:
# state: present
# signing_ca_cert: "{{ lookup('file', role_path ~ '/' ~ output_dir ~ '/ansible_key1.pem') }}"
# signing_ca_key: "{{ lookup('file', role_path ~ '/' ~ output_dir ~ '/ansible_key1.key') }}"
# timeout: 120
# check_mode: yes
# diff: yes
# register: output_4
- name: signing_ca_cert and signing_ca_key (change, check mode)
docker_swarm:
state: present
signing_ca_cert: "{{ lookup('file', role_path ~ '/' ~ output_dir ~ '/ansible_key2.pem') }}"
signing_ca_key: "{{ lookup('file', role_path ~ '/' ~ output_dir ~ '/ansible_key2.key') }}"
timeout: 120
check_mode: yes
diff: yes
register: output_5
- name: signing_ca_cert and signing_ca_key (change)
docker_swarm:
state: present
signing_ca_cert: "{{ lookup('file', role_path ~ '/' ~ output_dir ~ '/ansible_key2.pem') }}"
signing_ca_key: "{{ lookup('file', role_path ~ '/' ~ output_dir ~ '/ansible_key2.key') }}"
timeout: 120
diff: yes
register: output_6
- name: assert signing_ca_cert and signing_ca_key
assert:
that:
- 'output_1 is changed'
- 'output_1.actions[0] | regex_search("New Swarm cluster created: ")'
- 'output_1.diff.before is defined'
- 'output_1.diff.after is defined'
- 'output_2 is changed'
- 'output_2.actions[0] | regex_search("New Swarm cluster created: ")'
- 'output_2.diff.before is defined'
- 'output_2.diff.after is defined'
#- 'output_3 is not changed'
#- 'output_3.actions[0] == "No modification"'
#- 'output_3.diff.before is defined'
#- 'output_3.diff.after is defined'
#- 'output_4 is not changed'
#- 'output_4.actions[0] == "No modification"'
#- 'output_4.diff.before is defined'
#- 'output_4.diff.after is defined'
- 'output_5 is changed'
- 'output_5.actions[0] == "Swarm cluster updated"'
- 'output_5.diff.before is defined'
- 'output_5.diff.after is defined'
- 'output_6 is changed'
- 'output_6.actions[0] == "Swarm cluster updated"'
- 'output_6.diff.before is defined'
- 'output_6.diff.after is defined'
# https://github.com/ansible/ansible/issues/34054: openssl_certificate unusable on RHEL 7
when: pyopenssl_version.stdout is version('0.15', '>=')
Loading…
Cancel
Save