Changeset - 6844c0a01173
13 6 1
Branko Majic (branko) - 4 years ago 2020-08-27 15:24:59
branko@majic.rs
MAR-150: Use fixtures for X.509 artefacts in the mail_server role:

- Removed the statically generated artefacts.
- Generate X.509 artefacts for tests using Gimmecert.
- Updated paths to point to generated artefacts.
- Introduced cleanup playbook for removing generated artefacts.
- Increase allocated RAM for the mail server to avoid OOM and
swapping.
20 files changed with 82 insertions and 1053 deletions:
roles/mail_server/molecule/default/cleanup.yml
 
new file 100644
 
---
 

	
 
- name: Clean-up fixtures
 
  hosts: localhost
 
  connection: local
 
  gather_facts: false
 
  tasks:
 

	
 
    - name: Remove X.509 material
 
      file:
 
        path: "{{ item }}"
 
        state: absent
 
      with_items:
 
        - "tests/data/x509"
 
        - "tests/data/.gimmecert"
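Review bot: Both paths in `with_items` are relative, so the clean-up only does the right thing when the play is run from the scenario directory (which molecule does); invoked from anywhere else it silently removes nothing. Since `tests/data/x509` is created by prepare.yml as a symlink to `.gimmecert`, `state: absent` on it drops only the link, and the second item is what actually removes the generated CA and server private keys — a comment would save the next reader that lookup: `# Relative to the scenario directory (molecule's cwd). x509 is a symlink; the keys live under .gimmecert.`. As the previously committed static keys are deleted in this changeset, it is also worth confirming that `tests/data/.gimmecert` and `tests/data/x509` are git-ignored so freshly generated private keys cannot be committed again (not visible here).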
roles/mail_server/molecule/default/group_vars/parameters-mandatory.yml
 
@@ -2,16 +2,16 @@
 

	
 
mail_ldap_base_dn: dc=local
 
mail_ldap_url: ldap://ldap-server/
 
mail_ldap_tls_truststore: "{{ lookup('file', 'tests/data/x509/truststore.pem') }}"
 
mail_ldap_tls_truststore: "{{ lookup('file', 'tests/data/x509/ca/chain-full.cert.pem') }}"
 
mail_ldap_postfix_password: postfixpassword
 
mail_ldap_dovecot_password: dovecotpassword
 

	
 
imap_tls_certificate: "{{ lookup('file', 'tests/data/x509/{{ inventory_hostname }}_imap.cert.pem') }}"
 
imap_tls_key: "{{ lookup('file', 'tests/data/x509/{{ inventory_hostname }}_imap.key.pem') }}"
 
imap_tls_certificate: "{{ lookup('file', 'tests/data/x509/server/{{ inventory_hostname }}_imap.cert.pem') }}"
 
imap_tls_key: "{{ lookup('file', 'tests/data/x509/server/{{ inventory_hostname }}_imap.key.pem') }}"
 

	
 
smtp_tls_certificate: "{{ lookup('file', 'tests/data/x509/{{ inventory_hostname }}_smtp.cert.pem') }}"
 
smtp_tls_key: "{{ lookup('file', 'tests/data/x509/{{ inventory_hostname }}_smtp.key.pem') }}"
 
smtp_tls_certificate: "{{ lookup('file', 'tests/data/x509/server/{{ inventory_hostname }}_smtp.cert.pem') }}"
 
smtp_tls_key: "{{ lookup('file', 'tests/data/x509/server/{{ inventory_hostname }}_smtp.key.pem') }}"
 

	
 
# common
 
ca_certificates:
 
  testca: "{{ lookup('file', 'tests/data/x509/ca.cert.pem') }}"
 
  testca: "{{ lookup('file', 'tests/data/x509/ca/level1.cert.pem') }}"
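Review bot: The rewritten `imap_tls_*` and `smtp_tls_*` lookups still nest a `{{ inventory_hostname }}` moustache inside the outer `{{ lookup(...) }}` expression; nested templating of this kind is flagged by ansible-lint as unreliable and is easier to read as plain Jinja concatenation, e.g. `imap_tls_certificate: "{{ lookup('file', 'tests/data/x509/server/' ~ inventory_hostname ~ '_imap.cert.pem') }}"`. The same form applies to the key line and to the two SMTP lines. This was pre-existing, but every one of these lines is being rewritten here, so it is a cheap moment to fix it.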
roles/mail_server/molecule/default/group_vars/parameters-optional.yml
 
@@ -2,7 +2,7 @@
 

	
 
mail_ldap_base_dn: dc=local
 
mail_ldap_url: ldap://ldap-server/
 
mail_ldap_tls_truststore: "{{ lookup('file', 'tests/data/x509/truststore.pem') }}"
 
mail_ldap_tls_truststore: "{{ lookup('file', 'tests/data/x509/ca/chain-full.cert.pem') }}"
 
mail_ldap_postfix_password: postfixpassword
 
mail_ldap_dovecot_password: dovecotpassword
 
mail_server_tls_protocols:
 
@@ -15,12 +15,12 @@ mail_user: virtmail
 
mail_user_uid: 5000
 
mail_user_gid: 5000
 
imap_max_user_connections_per_ip: 2
 
imap_tls_certificate: "{{ lookup('file', 'tests/data/x509/{{ inventory_hostname }}_imap.cert.pem') }}"
 
imap_tls_key: "{{ lookup('file', 'tests/data/x509/{{ inventory_hostname }}_imap.key.pem') }}"
 
imap_tls_certificate: "{{ lookup('file', 'tests/data/x509/server/{{ inventory_hostname }}_imap.cert.pem') }}"
 
imap_tls_key: "{{ lookup('file', 'tests/data/x509/server/{{ inventory_hostname }}_imap.key.pem') }}"
 
local_mail_aliases:
 
  root: "john.doe@domain1"
 
smtp_tls_certificate: "{{ lookup('file', 'tests/data/x509/{{ inventory_hostname }}_smtp.cert.pem') }}"
 
smtp_tls_key: "{{ lookup('file', 'tests/data/x509/{{ inventory_hostname }}_smtp.key.pem') }}"
 
smtp_tls_certificate: "{{ lookup('file', 'tests/data/x509/server/{{ inventory_hostname }}_smtp.cert.pem') }}"
 
smtp_tls_key: "{{ lookup('file', 'tests/data/x509/server/{{ inventory_hostname }}_smtp.key.pem') }}"
 
imap_folder_separator: "."
 
smtp_rbl:
 
  - bl.spamcop.net
 
@@ -33,7 +33,7 @@ mail_message_size_limit: 20480001
 

	
 
# common
 
ca_certificates:
 
  testca: "{{ lookup('file', 'tests/data/x509/ca.cert.pem') }}"
 
  testca: "{{ lookup('file', 'tests/data/x509/ca/level1.cert.pem') }}"
 

	
 
# backup_client (backup username should end in -s64 for Stretch).
 
enable_backup: true
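Review bot: The `mail_ldap_tls_truststore` and `ca_certificates.testca` values in this file are now byte-identical to those in parameters-mandatory.yml and host_vars/ldap-server.yml, so three copies of the fixture CA paths must be kept in sync by hand — this very commit had to touch all of them. If the scenario has a `group_vars/all.yml` (not visible here), defining the shared `ca_certificates` entry once there would remove the duplication. A short comment above `ca_certificates` would also help, e.g. `# Trust anchor generated by prepare.yml (gimmecert init); must match the truststore used for the LDAP connection above.`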
roles/mail_server/molecule/default/host_vars/ldap-server.yml
 
@@ -14,12 +14,12 @@ ldap_server_domain: "local"
 
ldap_server_groups:
 
  - name: mail
 
ldap_server_organization: "Example"
 
ldap_server_tls_certificate: "{{ lookup('file', 'tests/data/x509/ldap-server_ldap.cert.pem') }}"
 
ldap_server_tls_key: "{{ lookup('file', 'tests/data/x509/ldap-server_ldap.key.pem') }}"
 
ldap_server_tls_certificate: "{{ lookup('file', 'tests/data/x509/server/ldap-server_ldap.cert.pem') }}"
 
ldap_server_tls_key: "{{ lookup('file', 'tests/data/x509/server/ldap-server_ldap.key.pem') }}"
 

	
 
# common
 
ca_certificates:
 
  testca: "{{ lookup('file', 'tests/data/x509/ca.cert.pem') }}"
 
  testca: "{{ lookup('file', 'tests/data/x509/ca/level1.cert.pem') }}"
 

	
 
# ldap_client
 
ldap_client_config:
roles/mail_server/molecule/default/molecule.yml
 
@@ -57,7 +57,7 @@ platforms:
 
      - parameters-mandatory
 
      - stretch
 
    box: debian/contrib-stretch64
 
    memory: 1024
 
    memory: 1536
 
    cpus: 1
 
    interfaces:
 
      - auto_config: true
 
@@ -70,7 +70,7 @@ platforms:
 
      - parameters-optional
 
      - stretch
 
    box: debian/contrib-stretch64
 
    memory: 1024
 
    memory: 1536
 
    cpus: 1
 
    interfaces:
 
      - auto_config: true
 
@@ -80,6 +80,8 @@ platforms:
 

	
 
provisioner:
 
  name: ansible
 
  playbooks:
 
    cleanup: cleanup.yml
 
  config_options:
 
    defaults:
 
      force_valid_group_names: "ignore"
roles/mail_server/molecule/default/prepare.yml
 
---
 

	
 
- name: Set-up fixtures
 
  hosts: localhost
 
  connection: local
 
  gather_facts: false
 
  tasks:
 

	
 
    - name: Initialise CA hierarchy
 
      command: "gimmecert init"
 
      args:
 
        creates: "tests/data/.gimmecert/ca/level1.cert.pem"
 
        chdir: "tests/data/"
 

	
 
    - name: Generate server private keys and certificates
 
      command:
 
      args:
 
        chdir: "tests/data/"
 
        creates: "tests/data/.gimmecert/server/{{ item.name }}.cert.pem"
 
        argv:
 
          - "gimmecert"
 
          - "server"
 
          - "{{ item.name }}"
 
          - "{{ item.fqdn }}"
 
          - "{{ item.fqdn[:item.fqdn.rfind('-')] }}"
 
      with_items:
 
        - name: ldap-server_ldap
 
          fqdn: ldap-server
 
        - name: parameters-mandatory-stretch64_imap
 
          fqdn: parameters-mandatory-stretch64
 
        - name: parameters-mandatory-stretch64_smtp
 
          fqdn: parameters-mandatory-stretch64
 
        - name: parameters-optional-stretch64_imap
 
          fqdn: parameters-optional-stretch64
 
        - name: parameters-optional-stretch64_smtp
 
          fqdn: parameters-optional-stretch64
 

	
 
    - name: Set-up link to generated X.509 material
 
      file:
 
        src: ".gimmecert"
 
        dest: "tests/data/x509"
 
        state: link
 

	
 
- name: Prepare
 
  hosts: all
 
  gather_facts: false
 
@@ -87,7 +128,7 @@
 

	
 
    - name: Deploy CA certificate
 
      copy:
 
        src: tests/data/x509/ca.cert.pem
 
        src: tests/data/x509/ca/level1.cert.pem
 
        dest: /usr/local/share/ca-certificates/testca.crt
 
        owner: root
 
        group: root
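Review bot: The `creates` guards on the `gimmecert init` and `gimmecert server` tasks are probably never satisfied: Ansible's command module changes into `chdir` before it evaluates `creates`, so `tests/data/.gimmecert/ca/level1.cert.pem` is resolved relative to `tests/data/`, i.e. as `tests/data/tests/data/.gimmecert/...`. On a second run of prepare against an existing fixture set both commands execute again, and `gimmecert init` refuses to re-initialise an existing hierarchy, which fails the play; molecule normally runs prepare once per instance creation, which would mask this. Make the paths relative to the working directory: `creates: ".gimmecert/ca/level1.cert.pem"` and `creates: ".gimmecert/server/{{ item.name }}.cert.pem"`. The `Deploy CA certificate` task in the section's second hunk is cut off after `group: root`, so its remaining arguments were not reviewed.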
roles/mail_server/molecule/default/tests/data/x509/ca.cert.pem
 
deleted file
roles/mail_server/molecule/default/tests/data/x509/ca.key.pem
 
deleted file
roles/mail_server/molecule/default/tests/data/x509/ldap-server_ldap.cert.pem
 
deleted file
roles/mail_server/molecule/default/tests/data/x509/ldap-server_ldap.key.pem
 
deleted file
roles/mail_server/molecule/default/tests/data/x509/parameters-mandatory-stretch64_imap.cert.pem
 
deleted file
roles/mail_server/molecule/default/tests/data/x509/parameters-mandatory-stretch64_imap.key.pem
 
deleted file
roles/mail_server/molecule/default/tests/data/x509/parameters-mandatory-stretch64_smtp.cert.pem
 
deleted file
roles/mail_server/molecule/default/tests/data/x509/parameters-mandatory-stretch64_smtp.key.pem
 
deleted file
roles/mail_server/molecule/default/tests/data/x509/parameters-optional-stretch64_imap.cert.pem
 
deleted file
roles/mail_server/molecule/default/tests/data/x509/parameters-optional-stretch64_imap.key.pem
 
deleted file
roles/mail_server/molecule/default/tests/data/x509/parameters-optional-stretch64_smtp.cert.pem
 
deleted file
roles/mail_server/molecule/default/tests/data/x509/parameters-optional-stretch64_smtp.key.pem
 
deleted file
roles/mail_server/molecule/default/tests/data/x509/truststore.pem
 
deleted file
roles/mail_server/molecule/default/tests/test_default.py
 
@@ -113,14 +113,14 @@ def test_ldap_tls_truststore_file(host):
 
    assert tls_file.user == 'root'
 
    assert tls_file.group == 'root'
 
    assert tls_file.mode == 0o644
 
    assert tls_file.content_string == open("tests/data/x509/ca.cert.pem", "r").read().rstrip()
 
    assert tls_file.content_string == open("tests/data/x509/ca/chain-full.cert.pem", "r").read().rstrip()
 

	
 
    tls_file = host.file('/var/spool/postfix/etc/ssl/certs/mail_ldap_tls_truststore.pem')
 
    assert tls_file.is_file
 
    assert tls_file.user == 'root'
 
    assert tls_file.group == 'root'
 
    assert tls_file.mode == 0o644
 
    assert tls_file.content_string == open("tests/data/x509/ca.cert.pem", "r").read().rstrip()
 
    assert tls_file.content_string == open("tests/data/x509/ca/chain-full.cert.pem", "r").read().rstrip()
 

	
 

	
 
def test_mailname_file(host):
 
@@ -425,25 +425,25 @@ def test_imap_and_smtp_tls_files(host):
 
        assert tls_file.user == 'root'
 
        assert tls_file.group == 'root'
 
        assert tls_file.mode == 0o640
 
        assert tls_file.content_string == open("tests/data/x509/%s_smtp.key.pem" % hostname, "r").read().rstrip()
 
        assert tls_file.content_string == open("tests/data/x509/server/%s_smtp.key.pem" % hostname, "r").read().rstrip()
 

	
 
        tls_file = host.file('/etc/ssl/certs/%s_smtp.pem' % hostname)
 
        assert tls_file.is_file
 
        assert tls_file.user == 'root'
 
        assert tls_file.group == 'root'
 
        assert tls_file.mode == 0o644
 
        assert tls_file.content_string == open("tests/data/x509/%s_smtp.cert.pem" % hostname, "r").read().rstrip()
 
        assert tls_file.content_string == open("tests/data/x509/server/%s_smtp.cert.pem" % hostname, "r").read().rstrip()
 

	
 
        tls_file = host.file('/etc/ssl/private/%s_imap.key' % hostname)
 
        assert tls_file.is_file
 
        assert tls_file.user == 'root'
 
        assert tls_file.group == 'root'
 
        assert tls_file.mode == 0o640
 
        assert tls_file.content_string == open("tests/data/x509/%s_imap.key.pem" % hostname, "r").read().rstrip()
 
        assert tls_file.content_string == open("tests/data/x509/server/%s_imap.key.pem" % hostname, "r").read().rstrip()
 

	
 
        tls_file = host.file('/etc/ssl/certs/%s_imap.pem' % hostname)
 
        assert tls_file.is_file
 
        assert tls_file.user == 'root'
 
        assert tls_file.group == 'root'
 
        assert tls_file.mode == 0o644
 
        assert tls_file.content_string == open("tests/data/x509/%s_imap.cert.pem" % hostname, "r").read().rstrip()
 
        assert tls_file.content_string == open("tests/data/x509/server/%s_imap.cert.pem" % hostname, "r").read().rstrip()
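Review bot: The rewritten fixture comparisons still call `open(...).read()` without ever closing the handle, which relies on CPython refcounting and raises ResourceWarning when pytest runs with `-W error`. `pathlib.Path("tests/data/x509/ca/chain-full.cert.pem").read_text().rstrip()` does the same in one call and closes the file; the four `%s_smtp`/`%s_imap` lines in the second hunk can use the same form with `"tests/data/x509/server/%s_smtp.key.pem" % hostname`. This needs `import pathlib` at the top of the module, which is outside the hunks. Both enclosing functions, `test_ldap_tls_truststore_file` and `test_imap_and_smtp_tls_files`, begin before their hunks.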