feat: port OTP etcd test cases to Robot Framework

agullon · agullon · commit d38e98d8e874 · 2026-03-27T12:50:47.000+01:00
Port MicroShiftOnly OTP etcd test cases to Robot Framework as part
of USHIFT-6690. Add the following tests to existing suite files:

etcd.robot (standard1):
- Etcd Database Defragment Manually (OCP-71790): run etcdctl defrag
  and verify db size does not grow
- Etcd Runs As Transient Systemd Scope Unit (OCP-62738): verify
  microshift-etcd.scope is running, transient, and has correct
  systemd wiring (BindsTo/Before microshift.service)
- Etcd Scope Follows MicroShift Lifecycle (OCP-60945): verify etcd
  scope stops/starts with MicroShift

validate-certificate-rotation.robot (standard2):
- Manual Rotation Of Etcd Signer Certs (OCP-75224): delete etcd
  signer certs, restart MicroShift, verify all 4 certs are
  regenerated with valid dates and different fingerprints

Also improves Restore System Date to skip when chronyd is already
active, preventing timeout when the etcd cert test runs without the
clock change test.

USHIFT-6745

pre-commit.check-secrets: ENABLED
diff --git a/test/suites/standard1/etcd.robot b/test/suites/standard1/etcd.robot
@@ -10,11 +10,17 @@ Library             Collections
 Suite Setup         Setup
 Suite Teardown      Teardown
 
-Test Tags           configuration    etcd    restart    slow
+Test Tags           etcd
 
 
 *** Variables ***
 ${ETCD_SYSTEMD_UNIT}    microshift-etcd.scope
+${ETCD_CA_CERT}         /var/lib/microshift/certs/etcd-signer/ca.crt
+${ETCD_CLIENT_CERT}     /var/lib/microshift/certs/etcd-signer/apiserver-etcd-client/client.crt
+${ETCD_CLIENT_KEY}      /var/lib/microshift/certs/etcd-signer/apiserver-etcd-client/client.key
+${ETCD_ENDPOINT}        https://localhost:2379
+${ETCDCTL_BIN}          /tmp/etcdctl
+${ETCDCTL_CMD}          ${ETCDCTL_BIN} --cacert=${ETCD_CA_CERT} --cert=${ETCD_CLIENT_CERT} --key=${ETCD_CLIENT_KEY} --endpoints=${ETCD_ENDPOINT}
 ${MEMLIMIT256}          SEPARATOR=\n
 ...                     ---
 ...                     etcd:
@@ -26,17 +32,53 @@ ${MEMLIMIT0}            SEPARATOR=\n
 
 
 *** Test Cases ***
+Etcd Database Defragment Manually
+    [Documentation]    Verify that etcd database can be manually defragmented
+    ...    using etcdctl and the database size does not grow.
+    ${size_before}=    Get Etcd Database Size
+    Command Should Work    ${ETCDCTL_CMD} defrag
+    ${size_after}=    Get Etcd Database Size
+    Should Be True    ${size_after} <= ${size_before}
+    ...    msg=DB size after defrag (${size_after}) should not exceed size before (${size_before})
+    [Teardown]    Command Should Work    ${ETCDCTL_CMD} alarm disarm
+
+Etcd Runs As Transient Systemd Scope Unit
+    [Documentation]    Verify that etcd runs as a transient systemd scope unit
+    ...    managed by MicroShift with the expected systemd wiring.
+    Systemctl Check Service SubState    ${ETCD_SYSTEMD_UNIT}    running
+    ${transient}=    Get Systemd Setting    ${ETCD_SYSTEMD_UNIT}    Transient
+    Should Be Equal As Strings    ${transient}    yes
+    ${pid}=    MicroShift Etcd Process ID
+    Should Not Be Empty    ${pid}
+    ${binds_to}=    Get Systemd Setting    ${ETCD_SYSTEMD_UNIT}    BindsTo
+    Should Contain    ${binds_to}    microshift.service
+    ${before}=    Get Systemd Setting    ${ETCD_SYSTEMD_UNIT}    Before
+    Should Contain    ${before}    microshift.service
+
+Etcd Scope Follows MicroShift Lifecycle
+    [Documentation]    Verify that etcd scope stops with MicroShift and restarts with it.
+    [Tags]    restart    slow
+    Stop MicroShift
+    Wait Until Etcd Scope Is Inactive
+    Start MicroShift
+    Wait For MicroShift
+    Systemctl Check Service SubState    ${ETCD_SYSTEMD_UNIT}    running
+    [Teardown]    Run Keywords    Start MicroShift    AND    Wait For MicroShift
+
 Set MemoryHigh Limit Unlimited
     [Documentation]    The default configuration should not limit RAM
     ...
     ...    Since we cannot assume that the default configuration file is
     ...    being used, the test explicitly configures a '0' limit, which
     ...    is equivalent to not having any configuration at all.
+    [Tags]    configuration    restart    slow
     [Setup]    Setup With Custom Config    ${MEMLIMIT0}
     Expect MemoryHigh    infinity
+    [Teardown]    Restore Default Config
 
 Set MemoryHigh Limit 256MB
     [Documentation]    Set the memory limit for etcd to 256MB and ensure it takes effect
+    [Tags]    configuration    restart    slow
     [Setup]    Setup With Custom Config    ${MEMLIMIT256}
     # Expecting the setting to be 256 * 1024 * 1024
     Expect MemoryHigh    268435456
@@ -49,6 +91,7 @@ Setup
     Check Required Env Variables
     Login MicroShift Host
     Setup Kubeconfig    # for readiness checks
+    Install Etcdctl
 
 Teardown
     [Documentation]    Test suite teardown
@@ -70,7 +113,38 @@ Setup With Custom Config
 Expect MemoryHigh
     [Documentation]    Verify that the MemoryHigh setting for etcd matches the expected value
     [Arguments]    ${expected}
-    ${actual}=    Get Systemd Setting    microshift-etcd.scope    MemoryHigh
+    ${actual}=    Get Systemd Setting    ${ETCD_SYSTEMD_UNIT}    MemoryHigh
     # Using integer comparison is complicated here because sometimes
     # the returned or expected value is 'infinity'.
     Should Be Equal    ${expected}    ${actual}
+
+Etcd Scope Is Inactive
+    [Documentation]    Check that the etcd scope unit is not active.
+    ...    Transient scopes disappear when stopped, so is-active returns
+    ...    "inactive" or an error.
+    ${stdout}    ${rc}=    Execute Command
+    ...    systemctl is-active ${ETCD_SYSTEMD_UNIT}
+    ...    sudo=True    return_rc=True
+    Should Match Regexp    ${stdout.strip()}    ^inactive$
+
+Wait Until Etcd Scope Is Inactive
+    [Documentation]    Wait for the etcd scope to become inactive
+    Wait Until Keyword Succeeds    30x    5s
+    ...    Etcd Scope Is Inactive
+
+Install Etcdctl
+    [Documentation]    Download etcdctl from GitHub to /tmp.
+    ...    Extracts the etcd version from microshift-etcd and downloads the matching release.
+    ${etcd_ver}=    Command Should Work
+    ...    microshift-etcd version 2>&1 | sed -n 's/.*Base etcd Version: //p'
+    ${arch}=    Command Should Work    uname -m
+    ${arch_suffix}=    Set Variable If    '${arch}' == 'aarch64'    arm64    amd64
+    Command Should Work
+    ...    bash -c 'curl -sL https://github.com/etcd-io/etcd/releases/download/v${etcd_ver}/etcd-v${etcd_ver}-linux-${arch_suffix}.tar.gz | tar -xz -C /tmp --strip-components\=1 etcd-v${etcd_ver}-linux-${arch_suffix}/etcdctl'
+
+Get Etcd Database Size
+    [Documentation]    Return the current etcd database size in bytes
+    ${output}=    Command Should Work    ${ETCDCTL_CMD} endpoint status --write-out\=json
+    ${size}=    Command Should Work
+    ...    printf '%s' '${output}' | python3 -c "import sys,json; print(json.load(sys.stdin)[0]['Status']['dbSize'])"
+    RETURN    ${size}
diff --git a/test/suites/standard2/validate-certificate-rotation.robot b/test/suites/standard2/validate-certificate-rotation.robot
@@ -16,13 +16,43 @@ Test Tags           restart
 
 *** Variables ***
 ${KUBE_SCHEDULER_CLIENT_CERT}       /var/lib/microshift/certs/kube-control-plane-signer/kube-scheduler/client.crt
+${ETCD_SIGNER_CA}                   /var/lib/microshift/certs/etcd-signer/ca.crt
+${ETCD_PEER_CERT}                   /var/lib/microshift/certs/etcd-signer/etcd-peer/peer.crt
+${ETCD_SERVING_CERT}                /var/lib/microshift/certs/etcd-signer/etcd-serving/peer.crt
+${ETCD_APISERVER_CLIENT_CERT}       /var/lib/microshift/certs/etcd-signer/apiserver-etcd-client/client.crt
 ${OSSL_CMD}                         openssl x509 -noout -dates -in
 ${OSSL_DATE_FORMAT}                 %b %d %Y
 ${TIMEDATECTL_DATE_FORMAT}          %Y-%m-%d %H:%M:%S
 ${FUTURE_DAYS}                      150
 
 
 *** Test Cases ***
+Manual Rotation Of Etcd Signer Certs
+    [Documentation]    Verify that deleting etcd signer certificates and restarting
+    ...    MicroShift causes them to be regenerated.
+    [Tags]    etcd
+    # Capture the original cert fingerprint before deletion
+    ${original_fp}=    Get Cert Fingerprint    ${ETCD_SIGNER_CA}
+    Command Should Work    bash -c 'rm -rf /var/lib/microshift/certs/etcd-signer/*'
+    Restart MicroShift
+
+    VAR    @{cert_files}=
+    ...    ${ETCD_SIGNER_CA}
+    ...    ${ETCD_PEER_CERT}
+    ...    ${ETCD_SERVING_CERT}
+    ...    ${ETCD_APISERVER_CLIENT_CERT}
+    FOR    ${cert_file}    IN    @{cert_files}
+        Verify Remote File Exists With Sudo    ${cert_file}
+        Certificate Should Be Valid For Current Time    ${cert_file}
+    END
+
+    # Expiry comparison won't work: alignValidity() anchors all same-day
+    # certs to the same notAfter (tomorrow_midnight + validity). Use
+    # fingerprint instead — it covers key, serial, and all cert fields.
+    ${new_fp}=    Get Cert Fingerprint    ${ETCD_SIGNER_CA}
+    Should Not Be Equal As Strings    ${original_fp}    ${new_fp}
+    ...    msg=CA cert fingerprint should differ after regeneration
+
 Certificate Rotation
     [Documentation]    Performs Certificate Expiration Rotation test
     # Certificates expire at midnight of (tomorrow + validity). For short-lived certs,
@@ -53,7 +83,12 @@ Teardown
     Logout MicroShift Host
 
 Restore System Date
-    [Documentation]    Reset Microshift date to current date
+    [Documentation]    Reset MicroShift date to current date.
+    ...    Skips if chronyd is already active (date was never changed).
+    ${stdout}    ${rc}=    Execute Command
+    ...    systemctl is-active chronyd
+    ...    sudo=True    return_rc=True
+    IF    '${stdout.strip()}' == 'active'    RETURN
     ${ushift_pid}=    MicroShift Process ID
     Systemctl    start    chronyd
     Wait Until MicroShift Process ID Changes    ${ushift_pid}
@@ -79,7 +114,7 @@ Compute Date After Days
     RETURN    ${future_date}
 
 Certs Should Expire On
-    [Documentation]    verify if the ceritifate expires at given date.
+    [Documentation]    verify if the certificate expires at given date.
     [Arguments]    ${cert_file}    ${cert_expected_date}
     ${expiration_date}=    Command Should Work
     ...    ${OSSL_CMD} ${cert_file} | grep notAfter | cut -f2 -d'=' | awk '{printf ("%s %02d %d",$1,$2,$4)}'
@@ -109,6 +144,17 @@ Certificate Should Be Valid For Current Time
 
     ${cert_not_before}=    Command Should Work
     ...    ${OSSL_CMD} ${cert_file} | grep notBefore | cut -f2 -d'=' | xargs -I {} date -d "{}" +%s
+    ${cert_not_after}=    Command Should Work
+    ...    ${OSSL_CMD} ${cert_file} | grep notAfter | cut -f2 -d'=' | xargs -I {} date -d "{}" +%s
     ${current_time}=    Command Should Work    date +%s
     Should Be True    ${cert_not_before} <= ${current_time}
     ...    msg=Certificate NotBefore (${cert_not_before}) is after current time (${current_time})
+    Should Be True    ${current_time} <= ${cert_not_after}
+    ...    msg=Certificate NotAfter (${cert_not_after}) is before current time (${current_time})
+
+Get Cert Fingerprint
+    [Documentation]    Return the SHA256 fingerprint of a certificate
+    [Arguments]    ${cert_file}
+    ${fingerprint}=    Command Should Work
+    ...    openssl x509 -noout -fingerprint -sha256 -in ${cert_file}
+    RETURN    ${fingerprint}
