kolla-ansible/tests/run-hashi-vault.yml
Maksim Malchuk 5fd8117098 Fix passwords.yml permissions
The kolla-genpwd, kolla-mergepwd, kolla-readpwd and kolla-writepwd
commands now create or update passwords.yml with correct
permissions. They also display a warning message about incorrect
permissions.

Closes-Bug: #2018338
Change-Id: I4b50053ced9150499d1d09fd4a0ec2e243cf938b
Signed-off-by: Maksim Malchuk <maksim.malchuk@gmail.com>
2023-05-31 14:22:34 +03:00


---
# Play 1: runs on every host and only publishes shared facts.
- hosts: all
  any_errors_fatal: true
  tasks:
    # NOTE(yoctozepto): setting vars as facts for all to have them around in
    # all the plays
    - name: set facts for commonly used variables
      set_fact:
        # Source checkout of kolla-ansible, built from the working directory
        # and the Zuul project's canonical hostname.
        kolla_ansible_src_dir: "{{ ansible_env.PWD }}/src/{{ zuul.project.canonical_hostname }}/openstack/kolla-ansible"
        # Constraints file from the openstack/requirements checkout under
        # the user's home directory.
        upper_constraints_file: "{{ ansible_env.HOME }}/src/opendev.org/openstack/requirements/upper-constraints.txt"
        # Environment mapping that puts ~/.local/bin ahead of the existing
        # PATH; the "primary" play passes it as its play-level environment.
        pip_user_path_env:
          PATH: "{{ ansible_env.HOME + '/.local/bin:' + ansible_env.PATH }}"
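# Play 2: on the primary node, install kolla-ansible, generate passwords.yml,
# run the Hashicorp Vault test script and compare the resulting key sets.
- hosts: primary
  any_errors_fatal: true
  # PATH with ~/.local/bin first, so tools installed with "pip --user" below
  # are found by later tasks.
  environment: "{{ pip_user_path_env }}"
  tasks:
    # NOTE(review): 0777 leaves /etc/kolla world-writable with no sticky bit,
    # so any local account on the node can rename or replace passwords.yml
    # regardless of the 0640 mode set on the file itself. The tasks below
    # write here without become, which is presumably why the mode is this
    # open; tolerable on a disposable CI node only.
    - name: ensure /etc/kolla exists
      file:
        path: "/etc/kolla"
        state: "directory"
        # Quoted so the mode reaches Ansible as a string, matching the
        # "0640" used for passwords.yml further down.
        mode: "0777"
      become: true

    - name: ensure python3-pip exists
      package:
        name: python3-pip
      become: true

    # NOTE(mgoddard): We need a recent pip to install the latest cryptography
    # library. See https://github.com/pyca/cryptography/issues/5753
    - name: install pip 19.1.1+
      pip:
        name: "pip>=19.1.1"
        executable: "pip3"
        extra_args: "--user"

    # Installs from the local source checkout; "-c" applies the
    # upper-constraints file to the versions pip resolves.
    - name: install kolla-ansible and dependencies
      pip:
        name:
          - "{{ kolla_ansible_src_dir }}"
        executable: "pip3"
        extra_args: "-c {{ upper_constraints_file }} --user"

    # Copies the template within the remote host (remote_src) and sets
    # 0640: owner read/write, group read, no access for others.
    - name: copy passwords.yml file
      copy:
        src: "{{ kolla_ansible_src_dir }}/etc/kolla/passwords.yml"
        dest: /etc/kolla/passwords.yml
        mode: "0640"
        remote_src: true

    - name: generate passwords
      command: kolla-genpwd

    # At this point we have generated all necessary configuration, and are
    # ready to test Hashicorp Vault.
    - name: Run test-hashicorp-vault-passwords.sh script
      script:
        cmd: test-hashicorp-vault-passwords.sh
        executable: /bin/bash
        chdir: "{{ kolla_ansible_src_dir }}"
      environment:
        BASE_DISTRO: "{{ base_distro }}"

    - name: Read template file
      slurp:
        src: "/etc/kolla/passwords.yml"
      register: template_file

    # NOTE(review): presumably written by the script above (not visible
    # here). It is compared key-for-key with passwords.yml, so confirm the
    # script creates it with a restrictive mode rather than relying on the
    # umask in /tmp.
    - name: Read generated file
      slurp:
        src: "/tmp/passwords-hashicorp-vault.yml"
      register: generated_file

    # This test will load in the original input file and the one that was
    # generated by Vault and ensure that the keys are the same in both files.
    # This ensures that we are not missing any passwords.
    # Sorting the parsed mapping yields its key names, so secret values are
    # not compared.
    - name: Check passwords that were written to Vault are as expected
      vars:
        input_passwords: "{{ template_file['content'] | b64decode | from_yaml | sort }}"
        output_passwords: "{{ generated_file['content'] | b64decode | from_yaml | sort }}"
      assert:
        that: "input_passwords == output_passwords"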