From c73091967d8db449cd5f0fea4472d6a8e1b2ab22 Mon Sep 17 00:00:00 2001
From: Jonathan Rosser
Date: Mon, 17 Dec 2018 12:43:14 +0000
Subject: [PATCH] Add http proxy test scenario

This patch adds a test scenario which deploys a squid proxy on the AIO host and uses deployment_environment_variables to direct all http and https traffic through that proxy. In order to make the test reasonably realistic eth0 is removed from all containers which means they have no default route and must retrieve all external dependencies via the proxy. As eth0 is removed we can no longer use it to NAT the traffic to the neutron public ip address range during tempest tests. Instead we add static routes to those address ranges to eth1 in the containers and expect the host to forward via br-mgmt.

Depends-On: https://review.openstack.org/625312
Depends-On: https://review.openstack.org/625670
Change-Id: I554cfd149374f0863ac058f26862b5439c5d53d8
---
 .../openstack_user_config.yml.aio.j2 | 10 +++++++
 tests/roles/bootstrap-host/files/squid.conf | 20 +++++++++++++
 tests/roles/bootstrap-host/handlers/main.yml | 19 +++++++++++++
 tests/roles/bootstrap-host/tasks/main.yml | 7 +++++
 .../bootstrap-host/tasks/prepare_squid.yml | 28 +++++++++++++++++++
 .../templates/user_variables.aio.yml.j2 | 14 ++++++++++
 tests/roles/bootstrap-host/vars/main.yml | 2 +-
 zuul.d/jobs.yaml | 8 ++++++
 zuul.d/project-templates.yaml | 9 ++++++
 zuul.d/project.yaml | 1 +
 10 files changed, 117 insertions(+), 1 deletion(-)
 create mode 100644 tests/roles/bootstrap-host/files/squid.conf
 create mode 100644 tests/roles/bootstrap-host/handlers/main.yml
 create mode 100644 tests/roles/bootstrap-host/tasks/prepare_squid.yml
diff --git a/etc/openstack_deploy/openstack_user_config.yml.aio.j2 b/etc/openstack_deploy/openstack_user_config.yml.aio.j2
index ba1f093c40..c557808134 100644
--- a/etc/openstack_deploy/openstack_user_config.yml.aio.j2
+++ b/etc/openstack_deploy/openstack_user_config.yml.aio.j2
@@ -45,6 +45,16 @@ global_overrides:
 - all_containers
 - hosts
 is_container_address: true
+ # define static routes to the neutron public IP ranges via br-mgmt
+ # this is AIO specific and relies on the host forwarding to reach instance
+ # floating ips using the br-mgmt interface as a gateway
+ static_routes:
+ # neutron public addresses, LXC
+ - cidr: 172.29.248.0/22
+ gateway: 172.29.236.100
+ # neutron public networks, nspawn
+ - cidr: 172.29.240.0/22
+ gateway: 172.29.236.100
 - network:
 container_bridge: "br-vxlan"
 container_type: "veth"
diff --git a/tests/roles/bootstrap-host/files/squid.conf b/tests/roles/bootstrap-host/files/squid.conf
new file mode 100644
index 0000000000..d7845d2b3e
--- /dev/null
+++ b/tests/roles/bootstrap-host/files/squid.conf
@@ -0,0 +1,20 @@
+acl SSL_ports port 443
+acl CONNECT method CONNECT
+acl lan src 172.29.236.0/22
+
+http_access deny CONNECT !SSL_ports
+http_access allow localhost manager
+http_access allow lan
+http_access deny manager
+http_access allow localhost
+http_access deny all
+
+http_port 3128
+
+coredump_dir /var/spool/squid
+
+refresh_pattern ^ftp: 1440 20% 10080
+refresh_pattern ^gopher: 1440 0% 1440
+refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
+refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880
+refresh_pattern . 0 20% 4320
diff --git a/tests/roles/bootstrap-host/handlers/main.yml b/tests/roles/bootstrap-host/handlers/main.yml
new file mode 100644
index 0000000000..c5634d4e93
--- /dev/null
+++ b/tests/roles/bootstrap-host/handlers/main.yml
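Review bot: The `static_routes` entries are added with no scenario condition visible in this hunk, so every AIO deployment rendered from this template would get routes to the neutron public ranges via 172.29.236.100, not only the proxy scenario the commit message describes. If that is intended, the comment should say so, e.g. `# applied to all AIO scenarios, not only the proxy one`; otherwise the block needs the same scenario guard the other files in this patch use, assuming the scenario variable is available when this template is rendered. The gateway address is repeated literally in both entries and again in the proxy settings, so a single template variable would keep them in step. The enclosing network definition starts above the hunk.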
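Review bot: `http_access allow lan` is evaluated before `http_access deny manager`, so any client in 172.29.236.0/22 is allowed to query the cache manager, not just localhost. Move the deny up so the order reads `http_access allow localhost manager`, `http_access deny manager`, `http_access allow lan`. `http_port 3128` also listens on every address of the host; `http_port 172.29.236.100:3128` would keep the proxy off the host's public interface. The file also drops the `Safe_ports` ACL and its `http_access deny !Safe_ports` rule that the stock squid.conf carries, so plain HTTP requests from the lan range are not restricted by destination port.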
@@ -0,0 +1,19 @@
+---
+# Copyright 2018, BBC.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: Restart squid
+ service:
+ name: squid
+ state: restarted
diff --git a/tests/roles/bootstrap-host/tasks/main.yml b/tests/roles/bootstrap-host/tasks/main.yml
index 1c209ae92e..20dfaf7433 100644
--- a/tests/roles/bootstrap-host/tasks/main.yml
+++ b/tests/roles/bootstrap-host/tasks/main.yml
@@ -134,6 +134,13 @@
 tags:
 - prepare-ssh-keys
+# Prepare local squid proxy
+- include: prepare_squid.yml
+ when:
+ - "bootstrap_host_scenario is search('proxy')"
+ tags:
+ - prepare-squid
+
 # Put the OpenStack-Ansible configuration for an All-In-One on the host
 - include: prepare_aio_config.yml
 when:
diff --git a/tests/roles/bootstrap-host/tasks/prepare_squid.yml b/tests/roles/bootstrap-host/tasks/prepare_squid.yml
new file mode 100644
index 0000000000..27a148d8f4
--- /dev/null
+++ b/tests/roles/bootstrap-host/tasks/prepare_squid.yml
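Review bot: The condition `bootstrap_host_scenario is search('proxy')` in the tasks/main.yml hunk is a substring match, so any scenario name that merely contains "proxy" (a hypothetical `aio_haproxy`, for example) would also install squid; the same test guards the block added to user_variables.aio.yml.j2. vars/main.yml already splits the scenario name on `_`, and an exact token test such as `'proxy' in bootstrap_host_scenario.split('_')` would match that handling. The task list continues outside the hunk.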
@@ -0,0 +1,28 @@
+---
+# Copyright 2018, BBC.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: Install squid packages
+ package:
+ name: squid
+ state: present
+ update_cache: "{{ (ansible_pkg_mgr in ['apt', 'zypper']) | ternary('yes', omit) }}"
+ notify: Restart squid
+ tags:
+ - install-packages
+
+- name: Install squid config
+ copy:
+ src: "squid.conf"
+ dest: "/etc/squid/squid.conf"
diff --git a/tests/roles/bootstrap-host/templates/user_variables.aio.yml.j2 b/tests/roles/bootstrap-host/templates/user_variables.aio.yml.j2
index e32e6f8667..07de159482 100644
--- a/tests/roles/bootstrap-host/templates/user_variables.aio.yml.j2
+++ b/tests/roles/bootstrap-host/templates/user_variables.aio.yml.j2
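Review bot: The `Install squid config` task does not notify the handler, so squid is restarted only when the package task reports a change; on a host where squid is already installed the new squid.conf would be copied but never loaded. Add `notify: Restart squid` to the copy task, and set `mode: "0644"` explicitly rather than relying on the umask. A `validate: "squid -k parse -f %s"` argument would also stop a broken config from being installed, assuming the squid binary is on the path at that point.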
@@ -206,3 +206,17 @@ openstack_user_kernel_options:
 neutron_lbaas_octavia: True
 octavia_management_net_subnet_cidr: "{{ (bootstrap_host_container_tech == 'nspawn') | ternary('172.29.240.0/22', '172.29.252.0/22') }}"
 {% endif %}
+
+{% if bootstrap_host_scenario is search('proxy') %}
+# For testing with the 'proxy' scenario configure deployment environment
+# to point to the local squid
+# Playbooks will set a runtime proxy to the AIO host squid
+deployment_environment_variables:
+ http_proxy: http://172.29.236.100:3128/
+ https_proxy: http://172.29.236.100:3128/
+ no_proxy: "localhost,127.0.0.1,172.29.236.100,{{ bootstrap_host_public_address | default(ansible_default_ipv4.address) }}"
+
+# Remove eth0 from all container so there is no default route and everything
+# must go via the http proxy
+lxc_container_networks: {}
+{% endif %}
diff --git a/tests/roles/bootstrap-host/vars/main.yml b/tests/roles/bootstrap-host/vars/main.yml
index 8769e0f6d3..7ffdcd64eb 100644
--- a/tests/roles/bootstrap-host/vars/main.yml
+++ b/tests/roles/bootstrap-host/vars/main.yml
@@ -16,7 +16,7 @@
 bootstrap_host_services: >-
 {%- set scenario_list = (bootstrap_host_scenario.split('_') | reject('equalto', '')) | list %}
 {%- set service_list = ['keystone'] %}
- {%- set service_list_extra = scenario_list | difference(['aio', 'distro', 'lxc', 'nspawn', 'metal', 'source', 'translations']) %}
+ {%- set service_list_extra = scenario_list | difference(['aio', 'distro', 'lxc', 'nspawn', 'metal', 'source', 'translations', 'proxy']) %}
 {%- if 'metal' not in scenario_list %}
 {%- set _ = service_list.append('haproxy') %}
 {%- endif %}
diff --git a/zuul.d/jobs.yaml b/zuul.d/jobs.yaml
index 191d0e9f5d..641a992f9d 100644
--- a/zuul.d/jobs.yaml
+++ b/zuul.d/jobs.yaml
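Review bot: `no_proxy` lists only localhost, 172.29.236.100 and the public address, and most HTTP clients match `no_proxy` entries literally rather than as CIDR ranges, so any HTTP request a container makes to another 172.29.236.x address would presumably be sent through squid and back. That works because the `lan` ACL admits the whole range, but it deserves a comment above `deployment_environment_variables`, e.g. `# internal endpoints other than the VIP are also proxied; extend no_proxy if a service is addressed directly`. The two proxy URLs are plain scalars; quoting them like the `no_proxy` value would be consistent.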
@@ -94,6 +94,14 @@
 action: deploy
 scenario: aio_ceph
+- job:
+ name: openstack-ansible-deploy-aio_proxy-ubuntu-bionic
+ parent: openstack-ansible-deploy-aio
+ nodeset: ubuntu-bionic
+ vars:
+ action: deploy
+ scenario: aio_proxy
+
 - job:
 name: openstack-ansible-deploy-aio_distro_ceph-ubuntu-bionic
 parent: openstack-ansible-deploy-aio
diff --git a/zuul.d/project-templates.yaml b/zuul.d/project-templates.yaml
index c7b87881c5..341dac7081 100644
--- a/zuul.d/project-templates.yaml
+++ b/zuul.d/project-templates.yaml
@@ -114,6 +114,15 @@
 - openstack-ansible-deploy-aio_ceph-ubuntu-bionic
 - openstack-ansible-upgrade-aio_ceph-ubuntu-bionic
+- project-template:
+ name: openstack-ansible-deploy-proxy-jobs
+ check:
+ jobs:
+ - openstack-ansible-deploy-aio_proxy-ubuntu-bionic
+ gate:
+ jobs:
+ - openstack-ansible-deploy-aio_proxy-ubuntu-bionic
+
 - project-template:
 name: openstack-ansible-deploy-distro_ceph-jobs
 check:
diff --git a/zuul.d/project.yaml b/zuul.d/project.yaml
index be0e9ce071..3d37c832ce 100644
--- a/zuul.d/project.yaml
+++ b/zuul.d/project.yaml
@@ -20,5 +20,6 @@
 - openstack-ansible-deploy-aio_distro_lxc-jobs
 - openstack-ansible-deploy-aio_metal-jobs
 - openstack-ansible-deploy-ceph-jobs
+ - openstack-ansible-deploy-proxy-jobs
 - openstack-ansible-deploy-distro_ceph-jobs
 - publish-openstack-docs-pti