QA: Allow usage of specific RAPI certificates and files

In some situations, we want to make sure the QA runs with a certain set
of certificates, secrets, users, and the like. This patch allows the QA
to look for a directory on the master node where all of these can be
found, and transplant them into the right place. This allow cluster
creation, renew-crypto, or any other cert-affecting operation to be
tested while preserving RAPI access.

Signed-off-by: Hrvoje Ribicic <riba@google.com>
Reviewed-by: Lisa Velden <velden@google.com>

diff --git a/lib/pathutils.py b/lib/pathutils.py
index be6c432..6796da7 100644 (file)
--- a/lib/pathutils.py
+++ b/lib/pathutils.py
@@ -110,7 +110,8 @@ SPICE_CERT_FILE = DATA_DIR + "/spice.pem"
 SPICE_CACERT_FILE = DATA_DIR + "/spice-ca.pem"
 CLUSTER_DOMAIN_SECRET_FILE = DATA_DIR + "/cluster-domain-secret"
 SSH_KNOWN_HOSTS_FILE = DATA_DIR + "/known_hosts"
-RAPI_USERS_FILE = DATA_DIR + "/rapi/users"
+RAPI_DATA_DIR = DATA_DIR + "/rapi"
+RAPI_USERS_FILE = RAPI_DATA_DIR + "/users"
 QUEUE_DIR = DATA_DIR + "/queue"
 INTENT_TO_UPGRADE = DATA_DIR + "/intent-to-upgrade"
 CONF_DIR = SYSCONFDIR + "/ganeti"

diff --git a/qa/qa_rapi.py b/qa/qa_rapi.py
index 955d62a..1c43e7a 100644 (file)
--- a/qa/qa_rapi.py
+++ b/qa/qa_rapi.py
@@ -75,11 +75,51 @@ _rapi_client = None
 _rapi_username = None
 _rapi_password = None
 
+# The files to copy if the RAPI files QA config value is set
+_FILES_TO_COPY = [
+  pathutils.CLUSTER_DOMAIN_SECRET_FILE,
+  pathutils.RAPI_CERT_FILE,
+  pathutils.RAPI_USERS_FILE,
+]
 
-def ReloadCertificates():
+
+def _EnsureRapiFilesPresence():
+  """Ensures that the specified RAPI files are present on the cluster, if any.
+
+  """
+  rapi_files_location = qa_config.get("rapi-files-location", None)
+  if rapi_files_location is None:
+    # No files to be had
+    return
+
+  print qa_logging.FormatWarning("Replacing the certificate and users file on"
+                                 " the node with the ones provided in %s"
+                                 % rapi_files_location)
+
+  # The RAPI files
+  AssertCommand(["mkdir", "-p", pathutils.RAPI_DATA_DIR])
+
+  for filename in _FILES_TO_COPY:
+    basename = os.path.split(filename)[-1]
+    AssertCommand(["cp", os.path.join(rapi_files_location, basename),
+                   filename])
+    AssertCommand(["gnt-cluster", "copyfile", filename])
+
+  # The certificates have to be reloaded now
+  AssertCommand(["service", "ganeti", "restart"])
+
+
+def ReloadCertificates(ensure_presence=True):
   """Reloads the client RAPI certificate with the one present on the node.
 
+  If the QA is set up to use a specific certificate using the
+  "rapi-files-location" parameter, it will be put in place prior to retrieving
+  it.
+
   """
+  if ensure_presence:
+    _EnsureRapiFilesPresence()
+
   if _rapi_username is None or _rapi_password is None:
     raise qa_error.Error("RAPI username and password have to be set before"
                          " attempting to reload a certificate.")
@@ -233,15 +273,18 @@ def SetupRapi():
 
   _rapi_username = qa_config.get("rapi-user", "ganeti-qa")
 
-  if qa_config.TestEnabled("create-cluster"):
-    # For a new cluster, we have to invent a secret and a user
+  if qa_config.TestEnabled("create-cluster") and \
+     qa_config.get("rapi-files-location") is None:
+    # For a new cluster, we have to invent a secret and a user, unless it has
+    # been provided separately
     _rapi_password = _CreateRapiUser(_rapi_username)
   else:
+    _EnsureRapiFilesPresence()
     _rapi_password = _GetRapiSecret(_rapi_username)
 
   # Once a username and password have been set, we can fetch the certs and
   # get all we need for a working RAPI client.
-  ReloadCertificates()
+  ReloadCertificates(ensure_presence=False)
 
 
 INSTANCE_FIELDS = ("name", "os", "pnode", "snodes",