
Commit b338b34

committed
feat: add test for OpenBao high availability
1 parent e31772e commit b338b34


3 files changed

+165
-0
lines changed


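--- a/.github/workflows/pull_request.yml
+++ b/.github/workflows/pull_request.yml
@@ -24,6 +24,7 @@ jobs:
 ansible_version: "2.18"
 type:
 - openbao
+- openbao_ha
 - vault
 steps:
 - name: Github Checkout 🛎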

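--- a/tests/inventory
+++ b/tests/inventory
@@ -3,3 +3,8 @@ localhost ansible_connection=local
 
 [openbao]
 localhost ansible_connection=local
+
+[openbao_ha]
+raft_01 ansible_connection=local openbao_bind_addr=127.0.0.1
+raft_02 ansible_connection=local openbao_bind_addr=127.0.0.2
+raft_03 ansible_connection=local openbao_bind_addr=127.0.0.3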

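--- /dev/null
+++ b/tests/test_openbao_ha.yml
@@ -0,0 +1,159 @@
+---
+- name: Prepare for openbao role
+gather_facts: true
+hosts: openbao_ha
+vars:
+openbao_config_dir: "/etc/openbao"
+openbao_log_keys: true
+openbao_api_addr: "{{ 'http' ~ '://' ~ openbao_bind_addr ~ ':8200' }}"
+openbao_set_keys_fact: true
+openbao_write_keys_file: true
+tasks:
+- name: Debug
+ansible.builtin.debug:
+var: openbao_api_addr
+
+- name: Ensure /etc/openbao exists
+ansible.builtin.file:
+path: /etc/openbao
+state: directory
+mode: "0700"
+become: true
+
+- name: Include openbao role
+ansible.builtin.include_role:
+name: openbao
+
+- name: Include openbao role (idemoptence test)
+ansible.builtin.include_role:
+name: openbao
+
+# As this test is evaluating OpenBao configured for high availability backed
+# by `Raft` we must first ensure that the primary or leader instance is unsealed
+# before attempting to unseal the other members.
+- name: Unseal vault
+ansible.builtin.include_role:
+name: vault_unseal
+vars:
+vault_api_addr: "{{ openbao_api_addr }}"
+vault_unseal_keys: "{{ openbao_keys.keys_base64 }}"
+run_once: true
+
+# As the first instance is now unsealed the other instances will now need some
+# time to connect before we can proceed.
+- name: Wait for OpenBao Raft peers to connect
+ansible.builtin.wait_for:
+timeout: 30
+delegate_to: localhost
+
+# Raft peers take few seconds before they report an unsealed state therefore
+# we must wait.
+- name: Unseal vault
+ansible.builtin.include_role:
+name: vault_unseal
+vars:
+vault_api_addr: "{{ openbao_api_addr }}"
+vault_unseal_keys: "{{ openbao_keys.keys_base64 }}"
+vault_unseal_timeout: 10
+
+- name: Configure PKI - create root/intermediate and generate certificates
+vars:
+vault_pki_certificate_subject:
+- role: 'ServerCert'
+common_name: "OS-CERT-TEST"
+extra_params:
+ttl: "8760h"
+ip_sans: "127.0.0.1"
+alt_names: "example.com"
+exclude_cn_from_sans: true
+vault_pki_certificates_directory: "/tmp/"
+vault_pki_generate_certificates: true
+vault_pki_intermediate_ca_name: "OS-TLS-INT"
+vault_pki_intermediate_create: true
+vault_pki_intermediate_roles:
+- name: "ServerCert"
+config:
+max_ttl: 8760h
+ttl: 8760h
+allow_any_name: true
+allow_ip_sans: true
+require_cn: false
+server_flag: true
+key_type: rsa
+key_bits: 4096
+country: ["UK"]
+locality: ["Bristol"]
+organization: ["StackHPC"]
+ou: ["HPC"]
+vault_pki_root_ca_name: "OS-TLS-ROOT"
+vault_pki_root_create: true
+vault_pki_write_certificate_files: true
+vault_pki_write_int_ca_to_file: true
+vault_pki_write_pem_bundle: false
+vault_pki_write_root_ca_to_file: true
+vault_api_addr: "{{ openbao_api_addr }}"
+vault_token: "{{ openbao_keys.root_token }}"
+block:
+- name: Configure PKI - create root/intermediate and generate certificates
+ansible.builtin.include_role:
+name: vault_pki
+
+- name: Configure PKI - create root/intermediate and generate certificates (idempotence test)
+ansible.builtin.include_role:
+name: vault_pki
+
+- name: Configure PKI - generate certificate pem bundle
+vars:
+vault_pki_certificate_subject:
+- role: 'ServerCert'
+common_name: "OS-CERT-TEST2"
+extra_params:
+ttl: "8760h"
+ip_sans: "192.168.38.72"
+exclude_cn_from_sans: true
+vault_pki_certificates_directory: "/tmp/"
+vault_pki_generate_certificates: true
+vault_pki_intermediate_ca_name: "OS-TLS-INT"
+vault_pki_intermediate_create: false
+vault_pki_root_ca_name: "OS-TLS-ROOT"
+vault_pki_root_create: false
+vault_pki_write_certificate_files: true
+vault_pki_write_pem_bundle: true
+vault_api_addr: "{{ openbao_api_addr }}"
+vault_token: "{{ openbao_keys.root_token }}"
+block:
+- name: Configure PKI - generate certificate pem bundle
+ansible.builtin.include_role:
+name: vault_pki
+
+- name: Configure PKI - generate certificate pem bundle (idempotence test)
+ansible.builtin.include_role:
+name: vault_pki
+
+- name: Validate if certificates exist
+ansible.builtin.stat:
+path: "/tmp/{{ item }}"
+register: stat_result
+failed_when: not stat_result.stat.exists
+loop:
+- OS-CERT-TEST.crt
+- OS-CERT-TEST2.pem
+
+- name: Concatenate CAs
+ansible.builtin.shell: |
+cat /tmp/OS-TLS-ROOT.pem /tmp/OS-TLS-INT.crt > /tmp/CA-CHAIN.pem
+args:
+executable: /bin/bash
+become: true
+changed_when: true
+
+- name: Verify certificate chain
+ansible.builtin.command: |
+openssl verify -CAfile /tmp/CA-CHAIN.pem
+/tmp/{{ item }}
+register: verify_result
+failed_when: verify_result.rc != 0
+loop:
+- OS-CERT-TEST.crt
+- OS-CERT-TEST2.pem
+changed_when: false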
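Review bot: The `Wait for OpenBao Raft peers to connect` task at new lines 44-47 is a `wait_for` with only `timeout: 30` and no host or port, so it is a fixed sleep rather than a readiness check: the play is slow when peers join quickly and flaky when they join slowly, and polling each instance's health endpoint with `ansible.builtin.uri` under `until`/`retries`/`delay` would turn it into a real condition. The second `Unseal vault` task at line 51 runs on every host and reads `openbao_keys.keys_base64`, while the initialising unseal at line 34 is `run_once`; whether that fact is set on the follower hosts depends on how the `openbao` role populates it, and if it exists only on the initialised node the vars should reference `hostvars[groups['openbao_ha'][0]].openbao_keys` instead. Two wording fixes in the new file: the task name at line 27 should read `Include openbao role (idempotence test)`, and the comment at lines 49-50 should read `# Raft peers take a few seconds before they report an unsealed state, so we must wait.`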
