
Commit b7ee45a

committed
mgr/cephadm: adding UT for new mgmt-gateway functionality
Signed-off-by: Redouane Kachach <[email protected]>
1 parent 06fccea commit b7ee45a


1 file changed

+72
-12
lines changed


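--- a/src/pybind/mgr/cephadm/tests/test_services.py
+++ b/src/pybind/mgr/cephadm/tests/test_services.py
@@ -3769,14 +3769,19 @@ def test_deploy_smb_join_dns(
 class TestMgmtGateway:
 @patch("cephadm.serve.CephadmServe._run_cephadm")
 @patch("cephadm.services.mgmt_gateway.MgmtGatewayService.get_service_endpoints")
+@patch("cephadm.services.mgmt_gateway.MgmtGatewayService.get_service_discovery_endpoints")
 @patch("cephadm.services.mgmt_gateway.MgmtGatewayService.get_external_certificates",
 lambda instance, svc_spec, dspec: (ceph_generated_cert, ceph_generated_key))
 @patch("cephadm.services.mgmt_gateway.MgmtGatewayService.get_internal_certificates",
-lambda instance, dspec: (ceph_generated_cert, ceph_generated_key))
+lambda instance, svc_spec, dspec: (ceph_generated_cert, ceph_generated_key))
 @patch("cephadm.module.CephadmOrchestrator.get_mgr_ip", lambda _: '::1')
 @patch('cephadm.cert_mgr.CertMgr.get_root_ca', lambda instance: cephadm_root_ca)
 @patch("cephadm.services.mgmt_gateway.get_dashboard_endpoints", lambda _: (["ceph-node-2:8443", "ceph-node-2:8443"], "https"))
-def test_mgmt_gw_config_no_auth(self, get_service_endpoints_mock: List[str], _run_cephadm, cephadm_module: CephadmOrchestrator):
+def test_mgmt_gateway_config_no_auth(self,
+get_service_discovery_endpoints_mock: List[str],
+get_service_endpoints_mock: List[str],
+_run_cephadm,
+cephadm_module: CephadmOrchestrator):
 
 def get_services_endpoints(name):
 if name == 'prometheus':
@@ -3789,6 +3794,7 @@ def get_services_endpoints(name):
 
 _run_cephadm.side_effect = async_side_effect(('{}', '', 0))
 get_service_endpoints_mock.side_effect = get_services_endpoints
+get_service_discovery_endpoints_mock.side_effect = lambda: ["ceph-node-0:8765", "ceph-node-2:8765"]
 
 server_port = 5555
 spec = MgmtGatewaySpec(port=server_port,
@@ -3823,6 +3829,7 @@ def get_services_endpoints(name):
 
 http {
 
+#access_log /dev/stdout;
 client_header_buffer_size 32K;
 large_client_header_buffers 4 32k;
 proxy_busy_buffers_size 512k;
@@ -3831,6 +3838,12 @@ def get_services_endpoints(name):
 proxy_headers_hash_max_size 1024;
 proxy_headers_hash_bucket_size 128;
 
+
+upstream service_discovery_servers {
+server ceph-node-0:8765;
+server ceph-node-2:8765;
+}
+
 upstream dashboard_servers {
 server ceph-node-2:8443;
 server ceph-node-2:8443;
@@ -3938,6 +3951,12 @@ def get_services_endpoints(name):
 ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
 ssl_prefer_server_ciphers on;
 
+location /internal/sd {
+rewrite ^/internal/(.*) /$1 break;
+proxy_pass https://service_discovery_servers;
+proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
+}
+
 location /internal/dashboard {
 rewrite ^/internal/dashboard/(.*) /$1 break;
 proxy_pass https://dashboard_servers;
@@ -3993,15 +4012,19 @@ def get_services_endpoints(name):
 
 @patch("cephadm.serve.CephadmServe._run_cephadm")
 @patch("cephadm.services.mgmt_gateway.MgmtGatewayService.get_service_endpoints")
+@patch("cephadm.services.mgmt_gateway.MgmtGatewayService.get_service_discovery_endpoints")
 @patch("cephadm.services.mgmt_gateway.MgmtGatewayService.get_external_certificates",
 lambda instance, svc_spec, dspec: (ceph_generated_cert, ceph_generated_key))
 @patch("cephadm.services.mgmt_gateway.MgmtGatewayService.get_internal_certificates",
-lambda instance, dspec: (ceph_generated_cert, ceph_generated_key))
+lambda instance, svc_spec, dspec: (ceph_generated_cert, ceph_generated_key))
 @patch("cephadm.module.CephadmOrchestrator.get_mgr_ip", lambda _: '::1')
 @patch('cephadm.cert_mgr.CertMgr.get_root_ca', lambda instance: cephadm_root_ca)
 @patch("cephadm.services.mgmt_gateway.get_dashboard_endpoints", lambda _: (["ceph-node-2:8443", "ceph-node-2:8443"], "https"))
-@patch("cephadm.services.mgmt_gateway.MgmtGatewayService.get_oauth2_service_url", lambda _: "https://192.168.100.102:4180")
-def test_mgmt_gw_config_with_auth(self, get_service_endpoints_mock: List[str], _run_cephadm, cephadm_module: CephadmOrchestrator):
+def test_mgmt_gateway_config_with_auth(self,
+get_service_discovery_endpoints_mock: List[str],
+get_service_endpoints_mock: List[str],
+_run_cephadm,
+cephadm_module: CephadmOrchestrator):
 
 def get_services_endpoints(name):
 if name == 'prometheus':
@@ -4010,10 +4033,13 @@ def get_services_endpoints(name):
 return ["ceph-node-2:3000", "ceph-node-2:3000"]
 elif name == 'alertmanager':
 return ["192.168.100.100:9093", "192.168.100.102:9093"]
+elif name == 'oauth2-proxy':
+return ["192.168.100.101:4180", "192.168.100.102:4180"]
 return []
 
 _run_cephadm.side_effect = async_side_effect(('{}', '', 0))
 get_service_endpoints_mock.side_effect = get_services_endpoints
+get_service_discovery_endpoints_mock.side_effect = lambda: ["ceph-node-0:8765", "ceph-node-2:8765"]
 
 server_port = 5555
 spec = MgmtGatewaySpec(port=server_port,
@@ -4049,6 +4075,7 @@ def get_services_endpoints(name):
 
 http {
 
+#access_log /dev/stdout;
 client_header_buffer_size 32K;
 large_client_header_buffers 4 32k;
 proxy_busy_buffers_size 512k;
@@ -4057,6 +4084,16 @@ def get_services_endpoints(name):
 proxy_headers_hash_max_size 1024;
 proxy_headers_hash_bucket_size 128;
 
+upstream oauth2_proxy_servers {
+server 192.168.100.101:4180;
+server 192.168.100.102:4180;
+}
+
+upstream service_discovery_servers {
+server ceph-node-0:8765;
+server ceph-node-2:8765;
+}
+
 upstream dashboard_servers {
 server ceph-node-2:8443;
 server ceph-node-2:8443;
@@ -4117,7 +4154,7 @@ def get_services_endpoints(name):
 # add_header Content-Security-Policy "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'; require-trusted-types-for 'script'; frame-ancestors 'self';";
 
 location /oauth2/ {
-proxy_pass https://192.168.100.102:4180;
+proxy_pass https://oauth2_proxy_servers;
 proxy_set_header Host $host;
 proxy_set_header X-Real-IP $remote_addr;
 proxy_set_header X-Scheme $scheme;
@@ -4127,7 +4164,7 @@ def get_services_endpoints(name):
 
 location = /oauth2/auth {
 internal;
-proxy_pass https://192.168.100.102:4180;
+proxy_pass https://oauth2_proxy_servers;
 proxy_set_header Host $host;
 proxy_set_header X-Real-IP $remote_addr;
 proxy_set_header X-Scheme $scheme;
@@ -4255,6 +4292,12 @@ def get_services_endpoints(name):
 ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
 ssl_prefer_server_ciphers on;
 
+location /internal/sd {
+rewrite ^/internal/(.*) /$1 break;
+proxy_pass https://service_discovery_servers;
+proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
+}
+
 location /internal/dashboard {
 rewrite ^/internal/dashboard/(.*) /$1 break;
 proxy_pass https://dashboard_servers;
@@ -4313,12 +4356,26 @@ def get_services_endpoints(name):
 @patch("cephadm.services.mgmt_gateway.MgmtGatewayService.get_external_certificates",
 lambda instance, svc_spec, dspec: (ceph_generated_cert, ceph_generated_key))
 @patch("cephadm.services.mgmt_gateway.MgmtGatewayService.get_internal_certificates",
-lambda instance, dspec: (ceph_generated_cert, ceph_generated_key))
+lambda instance, svc_spec, dspec: (ceph_generated_cert, ceph_generated_key))
 @patch("cephadm.module.CephadmOrchestrator.get_mgr_ip", lambda _: '::1')
 @patch('cephadm.cert_mgr.CertMgr.get_root_ca', lambda instance: cephadm_root_ca)
 @patch("cephadm.services.mgmt_gateway.get_dashboard_endpoints", lambda _: (["ceph-node-2:8443", "ceph-node-2:8443"], "https"))
-def test_oauth2_proxy_service(self, get_service_endpoints_mock: List[str], _run_cephadm, cephadm_module: CephadmOrchestrator):
+def test_oauth2_proxy_service(self, get_service_endpoints_mock, _run_cephadm, cephadm_module):
+self.oauth2_proxy_service_common(get_service_endpoints_mock, _run_cephadm, cephadm_module, virtual_ip=None)
 
+@patch("cephadm.serve.CephadmServe._run_cephadm")
+@patch("cephadm.services.mgmt_gateway.MgmtGatewayService.get_service_endpoints")
+@patch("cephadm.services.mgmt_gateway.MgmtGatewayService.get_external_certificates",
+lambda instance, svc_spec, dspec: (ceph_generated_cert, ceph_generated_key))
+@patch("cephadm.services.mgmt_gateway.MgmtGatewayService.get_internal_certificates",
+lambda instance, svc_spec, dspec: (ceph_generated_cert, ceph_generated_key))
+@patch("cephadm.module.CephadmOrchestrator.get_mgr_ip", lambda _: '::1')
+@patch('cephadm.cert_mgr.CertMgr.get_root_ca', lambda instance: cephadm_root_ca)
+@patch("cephadm.services.mgmt_gateway.get_dashboard_endpoints", lambda _: (["ceph-node-2:8443", "ceph-node-2:8443"], "https"))
+def test_oauth2_proxy_service_with_ha(self, get_service_endpoints_mock, _run_cephadm, cephadm_module):
+self.oauth2_proxy_service_common(get_service_endpoints_mock, _run_cephadm, cephadm_module, virtual_ip="192.168.100.200")
+
+def oauth2_proxy_service_common(self, get_service_endpoints_mock, _run_cephadm, cephadm_module: CephadmOrchestrator, virtual_ip=None):
 def get_services_endpoints(name):
 if name == 'prometheus':
 return ["192.168.100.100:9095", "192.168.100.101:9095"]
@@ -4335,7 +4392,8 @@ def get_services_endpoints(name):
 mgmt_gw_spec = MgmtGatewaySpec(port=server_port,
 ssl_certificate=ceph_generated_cert,
 ssl_certificate_key=ceph_generated_key,
-enable_auth=True)
+enable_auth=True,
+virtual_ip=virtual_ip)
 
 oauth2_spec = OAuth2ProxySpec(provider_display_name='my_idp_provider',
 client_id='my_client_id',
@@ -4344,6 +4402,8 @@ def get_services_endpoints(name):
 cookie_secret='kbAEM9opAmuHskQvt0AW8oeJRaOM2BYy5Loba0kZ0SQ=',
 ssl_certificate=ceph_generated_cert,
 ssl_certificate_key=ceph_generated_key)
+
+redirect_url = f"https://{virtual_ip if virtual_ip else 'host_fqdn'}:5555/oauth2/callback"
 expected = {
 "fsid": "fsid",
 "name": "oauth2-proxy.ceph-node",
@@ -4362,7 +4422,7 @@ def get_services_endpoints(name):
 },
 "config_blobs": {
 "files": {
-"oauth2-proxy.conf": dedent("""
+"oauth2-proxy.conf": dedent(f"""
 # Listen on port 4180 for incoming HTTP traffic.
 https_address= "0.0.0.0:4180"
 
@@ -4375,7 +4435,7 @@ def get_services_endpoints(name):
 client_id= "my_client_id"
 client_secret= "my_client_secret"
 oidc_issuer_url= "http://192.168.10.10:8888/dex"
-redirect_url= "https://host_fqdn:5555/oauth2/callback"
+redirect_url= "{redirect_url}"
 
 ssl_insecure_skip_verify=true
 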
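Review bot: The expected `redirect_url` added in `oauth2_proxy_service_common` hard-codes port 5555, although the helper already passes `server_port` to `MgmtGatewaySpec(port=server_port, ...)` a few lines earlier, so the two values can drift apart; `redirect_url = f"https://{virtual_ip or 'host_fqdn'}:{server_port}/oauth2/callback"` keeps them tied together. The HA test only passes an IPv4 `virtual_ip` ("192.168.100.200"); an IPv6 literal would have to be bracketed in the URL, and because an identity provider typically compares the redirect URL exactly, a case pinning that form would be worth adding if IPv6 virtual IPs are supported. Switching the config literal to `dedent(f"""` also means any literal `{` or `}` later added to the expected oauth2-proxy.conf must be doubled, which deserves a one-line comment next to the f-string. The helper's body continues outside the visible hunks, so the assignment of `server_port` is assumed rather than seen here.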
