diff --git a/pbm-functional/pytest/Dockerfile b/pbm-functional/pytest/Dockerfile index b70fdfe1..35f09865 100644 --- a/pbm-functional/pytest/Dockerfile +++ b/pbm-functional/pytest/Dockerfile @@ -1,27 +1,7 @@ ARG PSMDB=percona/percona-server-mongodb ARG GO_VER=bullseye -FROM alpine AS x509 -USER root -ENV EASYRSA_DN=org -ENV EASYRSA_REQ_COUNTRY=US -ENV EASYRSA_REQ_PROVINCE=California -ENV EASYRSA_REQ_CITY=SanFrancisco -ENV EASYRSA_REQ_ORG=Percona -ENV EASYRSA_REQ_EMAIL=pbm@percona.com -RUN apk add --no-cache bash git openssl && cd ~ && \ - git clone https://github.com/OpenVPN/easy-rsa.git && \ - cd easy-rsa/easyrsa3/ && \ - ./easyrsa init-pki && \ - ./easyrsa --req-cn=Percona --batch build-ca nopass && \ - ./easyrsa --req-ou=server --subject-alt-name=DNS:localhost,DNS:rscfg01,DNS:rs101,IP:127.0.0.1 --batch build-server-full psmdb nopass && \ - ./easyrsa --req-ou=client --batch build-client-full pbm nopass && \ - mkdir -p /etc/x509 && \ - cp pki/ca.crt /etc/x509/ca.crt && \ - cat pki/issued/psmdb.crt pki/private/psmdb.key > /etc/x509/psmdb.pem && \ - cat pki/issued/pbm.crt pki/private/pbm.key > /etc/x509/pbm.pem - -FROM pykmip/local AS pykmip +FROM easyrsa/local AS easyrsa FROM golang:$GO_VER AS builder ARG PBM_BRANCH=dev 
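Review bot: The new `FROM easyrsa/local AS easyrsa` line pulls an untagged, locally built image, so the reference resolves to `:latest` and the build fails with a pull error if `Dockerfile-easyrsa` has not been built first, and nothing in this file says where the image comes from. Since the removed inline `x509` stage regenerated a fresh CA on every build, a reader will also not expect that the key material is now shared with the pykmip and nginx images. I would put a comment above the line, e.g. `# Test-only PKI: easyrsa/local is built from Dockerfile-easyrsa (compose service "easyrsa") and must exist before this image is built; every service in the fixture trusts the single CA it issues.`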
@@ -52,11 +32,13 @@ RUN yum install https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noar mkdir -p /opt/mongodb && tar -C /opt/mongodb --transform='s,^/*[^/]*,,S' -xzvf mongo-ce.tgz || true && rm -rf mongo-ce.tgz || true COPY --from=builder /pbm-new/ /pbm-new/ COPY --from=builder /pbm-old/ /pbm-old/ -COPY --from=pykmip /etc/mongod.pem /etc/pykmip/mongod.pem -COPY --from=pykmip /root/easy-rsa/easyrsa3/pki/ca.crt /etc/pykmip/ca.crt -COPY --from=x509 /etc/x509/ /etc/x509/ +COPY --from=easyrsa /etc/pykmip/mongod.pem /etc/pykmip/mongod.pem +COPY --from=easyrsa /etc/x509/ca.crt /etc/pykmip/ca.crt +COPY --from=easyrsa /etc/x509/ /etc/x509/ +COPY --from=easyrsa /etc/nginx-minio/ca.crt /etc/nginx-minio/ca.crt COPY conf/supervisord.d/ /etc/supervisord.d/ COPY conf/pbm/minio.yaml /etc/pbm.conf +COPY conf/pbm/pbm-1525.yaml /etc/pbm-1525.conf COPY conf/pbm/pbm-1043.yaml /etc/pbm-1043.conf COPY conf/pbm/pbm-1211.yaml /etc/pbm-1211.conf COPY conf/pbm/filesystem-profile.yaml /etc/pbm-fs-profile.conf @@ -71,6 +53,7 @@ RUN echo -e 'vaulttoken' > /etc/vault/token && \ chown -R mongodb /etc/pykmip && chmod 400 /etc/pykmip/mongod.pem && \ chown -R mongodb /etc/vault && chmod 400 /etc/vault/token && \ chown -R mongodb /etc/x509 && chmod 400 /etc/x509/* && \ + chown -R mongodb /etc/nginx-minio && \ if [ -f "/usr/bin/mongosh" ] ; then \ ln -s /usr/bin/mongosh /usr/bin/mongo ; \ fi && \ diff --git a/pbm-functional/pytest/Dockerfile-easyrsa b/pbm-functional/pytest/Dockerfile-easyrsa new file mode 100644 index 00000000..e9e35283 --- /dev/null +++ b/pbm-functional/pytest/Dockerfile-easyrsa 
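Review bot: The three `COPY --from=easyrsa` lines install the same CA certificate as `/etc/pykmip/ca.crt`, `/etc/x509/ca.crt` and `/etc/nginx-minio/ca.crt`, but the pykmip copy is taken from `/etc/x509/ca.crt` even though the easyrsa image also publishes it as `/etc/pykmip/ca.crt`; reading from the matching directory keeps source and destination consistent: `COPY --from=easyrsa /etc/pykmip/ca.crt /etc/pykmip/ca.crt`. Copying only `ca.crt` out of `/etc/nginx-minio/` is the right call, because in the easyrsa image that directory also holds `nginx-minio.key`, which this image must not carry. A short comment, e.g. `# only the CA cert: the nginx-minio server key must stay out of this image`, would stop a later edit from widening it to the whole directory.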
@@ -0,0 +1,35 @@ +FROM alpine +USER root +ENV EASYRSA_DN=org +ENV EASYRSA_REQ_COUNTRY=US +ENV EASYRSA_REQ_PROVINCE=California +ENV EASYRSA_REQ_CITY=SanFrancisco +ENV EASYRSA_REQ_ORG=Percona +ENV EASYRSA_REQ_EMAIL=pbm@percona.com +RUN apk add --no-cache bash git openssl && cd ~ && \ + git clone https://github.com/OpenVPN/easy-rsa.git && \ + cd easy-rsa/easyrsa3/ && \ + ./easyrsa init-pki && \ + ./easyrsa --req-cn=Percona --batch build-ca nopass +WORKDIR /root/easy-rsa/easyrsa3 +#For X509 authorization +RUN ./easyrsa --req-ou=server --subject-alt-name=DNS:localhost,DNS:rscfg01,DNS:rs101,IP:127.0.0.1 --batch build-server-full psmdb nopass && \ + ./easyrsa --req-ou=client --batch build-client-full pbm nopass && \ + mkdir -p /etc/x509 && \ + cp pki/ca.crt /etc/x509/ && \ + cat pki/issued/psmdb.crt pki/private/psmdb.key > /etc/x509/psmdb.pem && \ + cat pki/issued/pbm.crt pki/private/pbm.key > /etc/x509/pbm.pem +#For pykmip server +RUN ./easyrsa --batch build-server-full pykmip nopass && \ + ./easyrsa --batch build-client-full mongod nopass && \ + mkdir -p /etc/pykmip && \ + cp pki/ca.crt /etc/pykmip/ && \ + cat pki/issued/mongod.crt pki/private/mongod.key > /etc/pykmip/mongod.pem && \ + cp pki/issued/pykmip.crt /etc/pykmip/ && \ + cp pki/private/pykmip.key /etc/pykmip/ +#For nginx proxy to minio +RUN ./easyrsa --req-ou=server --subject-alt-name=DNS:nginx-minio --batch build-server-full nginx-minio nopass && \ + mkdir -p /etc/nginx-minio && \ + cp pki/ca.crt /etc/nginx-minio/ && \ + cp pki/issued/nginx-minio.crt /etc/nginx-minio/ && \ + cp pki/private/nginx-minio.key /etc/nginx-minio/ diff --git a/pbm-functional/pytest/Dockerfile-nginx b/pbm-functional/pytest/Dockerfile-nginx index 7aab0e59..1cda1ebe 100644 --- a/pbm-functional/pytest/Dockerfile-nginx +++ b/pbm-functional/pytest/Dockerfile-nginx 
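Review bot: `git clone https://github.com/OpenVPN/easy-rsa.git` in the first `RUN` fetches the tip of the upstream default branch at build time, and `FROM alpine` is untagged, so the image that now issues every certificate in the fixture is not reproducible and its toolchain can change underneath the test suite. Pinning both is cheap: `FROM alpine:3` and `git clone --depth 1 --branch <release tag> https://github.com/OpenVPN/easy-rsa.git`. Separately, the CA private key and every issued key stay in `/root/easy-rsa/easyrsa3/pki/` of this image, which the other Dockerfiles consume via `COPY --from`; that is acceptable for a throwaway test CA but should be stated at the top of the file, e.g. `# Throwaway test PKI: one nopass CA issuing the x509, KMIP and nginx-minio certs. The CA key lives in this image; never publish it.` The `USER root` line is redundant, since the alpine base already runs as root.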
@@ -1,3 +1,6 @@ +FROM easyrsa/local AS easyrsa + FROM nginx:stable-alpine COPY conf/nginx.conf /etc/nginx/nginx.conf -EXPOSE 21114 12111 12112 +COPY --from=easyrsa /etc/nginx-minio/ /etc/nginx-minio/ +EXPOSE 21114 12111 12112 15250 diff --git a/pbm-functional/pytest/Dockerfile-pykmip b/pbm-functional/pytest/Dockerfile-pykmip index 2aa8a4cd..b4721346 100644 --- a/pbm-functional/pytest/Dockerfile-pykmip +++ b/pbm-functional/pytest/Dockerfile-pykmip @@ -1,13 +1,8 @@ +FROM easyrsa/local AS easyrsa + FROM python:3.11-alpine USER root RUN apk add --no-cache libffi-dev build-base bash git openssl && cd ~ && \ - git clone https://github.com/OpenVPN/easy-rsa.git && \ - cd easy-rsa/easyrsa3/ && \ - ./easyrsa init-pki && \ - ./easyrsa --req-cn=Percona --batch build-ca nopass && \ - ./easyrsa --batch build-server-full pykmip nopass && \ - ./easyrsa --batch build-client-full mongod nopass && \ - cat pki/issued/mongod.crt pki/private/mongod.key > /etc/mongod.pem && \ pip install --upgrade --no-cache-dir --break-system-packages pip && \ pip install --upgrade --no-cache-dir --break-system-packages setuptools && \ pip install --no-cache-dir --break-system-packages pykmip && cd ~ && \ @@ -20,9 +15,9 @@ RUN apk add --no-cache libffi-dev build-base bash git openssl && cd ~ && \ database_path=/etc/pykmip/pykmip.database\n\ hostname=pykmip\n\ port=5696\n\ - certificate_path=/root/easy-rsa/easyrsa3/pki/issued/pykmip.crt\n\ - key_path=/root/easy-rsa/easyrsa3/pki/private/pykmip.key\n\ - ca_path=/root/easy-rsa/easyrsa3/pki/ca.crt\n\ + certificate_path=/etc/pykmip/pykmip.crt\n\ + key_path=/etc/pykmip/pykmip.key\n\ + ca_path=/etc/pykmip/ca.crt\n\ auth_suite=TLS1.2\n\ policy_path=/root/PyKMIP/examples/\n\ enable_tls_client_auth=True\n\ @@ -30,5 +25,7 @@ RUN apk add --no-cache libffi-dev build-base bash git openssl && cd ~ && \ logging_level=DEBUG\n\ ' > /etc/pykmip/server.conf +COPY --from=easyrsa /etc/pykmip/ /etc/pykmip/ + EXPOSE 5696 CMD /root/PyKMIP/bin/run_server.py 
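Review bot: `COPY --from=easyrsa /etc/nginx-minio/ /etc/nginx-minio/` copies the whole directory, but the server block added to `conf/nginx.conf` in this change references only `nginx-minio.crt` and `nginx-minio.key` and configures no client-certificate verification, so `ca.crt` is dead weight here. Copying the two files explicitly documents what the proxy actually needs: `COPY --from=easyrsa /etc/nginx-minio/nginx-minio.crt /etc/nginx-minio/nginx-minio.key /etc/nginx-minio/`. The private key keeps whatever ownership and mode the easyrsa image produced; the nginx master process runs as root by default in `nginx:stable-alpine`, so it can read the key, but a `--chmod=400` on the COPY (BuildKit) would make the intent explicit.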
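Review bot: With `ca_path=/etc/pykmip/ca.crt` now pointing at the fixture-wide CA while `enable_tls_client_auth=True` stays as is, the KMIP server's TLS layer will accept any client certificate that CA has issued, which after this change includes the x509 `pbm`/`psmdb` certs and the `nginx-minio` cert, whereas the removed inline easy-rsa setup gave pykmip a CA of its own that had signed only `mongod`. That is fine for an e2e fixture, and PyKMIP's operation policy presumably still decides per identity, but it is a real widening of who can complete the handshake and should be recorded next to the path, e.g. `# ca_path is the fixture-wide CA (see Dockerfile-easyrsa); any cert it issued passes TLS client auth here` above the `echo` that writes `server.conf`. The `RUN` that writes this file begins before the hunk.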
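Review bot: `COPY --from=easyrsa /etc/pykmip/ /etc/pykmip/` also brings `mongod.pem`, the KMIP client's certificate plus private key, into the KMIP server image, although `server.conf` only needs `pykmip.crt`, `pykmip.key` and `ca.crt`. Listing the three files keeps the client key out of this image: `COPY --from=easyrsa /etc/pykmip/pykmip.crt /etc/pykmip/pykmip.key /etc/pykmip/ca.crt /etc/pykmip/`. The pre-existing shell-form `CMD /root/PyKMIP/bin/run_server.py` is unchanged here, but exec form, `CMD ["/root/PyKMIP/bin/run_server.py"]`, would let the server receive SIGTERM directly from `docker stop`.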
diff --git a/pbm-functional/pytest/cluster.py b/pbm-functional/pytest/cluster.py index 1f7c45fe..fb1efaf3 100644 --- a/pbm-functional/pytest/cluster.py +++ b/pbm-functional/pytest/cluster.py @@ -373,10 +373,10 @@ def create(self): Cluster.log("The cluster was prepared in {} seconds".format(duration)) # setups pbm from default config-file, minio as storage - def setup_pbm(self): + def setup_pbm(self,file="/etc/pbm.conf"): host = self.pbm_cli n = testinfra.get_host("docker://" + host) - result = n.check_output('pbm config --file=/etc/pbm.conf --out=json') + result = n.check_output('pbm config --file=' + file + ' --out=json') Cluster.log("Setup PBM:\n" + result) time.sleep(5) @@ -460,7 +460,7 @@ def make_restore(self, name, **kwargs): time.sleep(1) Cluster.log("Restore started") timeout=kwargs.get('timeout', 240) - result = n.run('timeout ' + str(timeout) + ' pbm restore ' + name + ' --wait') + result = n.run('SSL_CERT_FILE=/etc/nginx-minio/ca.crt timeout ' + str(timeout) + ' pbm restore ' + name + ' --wait') if result.rc == 0 and "Error" not in result.stdout: Cluster.log(result.stdout) diff --git a/pbm-functional/pytest/conf/nginx.conf b/pbm-functional/pytest/conf/nginx.conf index 4056021b..299f9414 100644 --- a/pbm-functional/pytest/conf/nginx.conf +++ b/pbm-functional/pytest/conf/nginx.conf 
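Review bot: The new `file` parameter of `setup_pbm` is spliced unquoted into a shell command (`'pbm config --file=' + file + ' --out=json'`), so a path containing spaces or shell metacharacters would be mis-parsed or partly executed; the callers in this change pass literal paths, so it works today, but `shlex.quote(file)` would make the helper safe for arbitrary paths (that needs an `import shlex` in the module header, which is outside the hunk). `file` also shadows a Python 2 builtin name; `config_file` reads better. The comment above still says "from default config-file" — it should say the path defaults to `/etc/pbm.conf` and may be overridden, and the method deserves a docstring saying the same.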
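Review bot: The restore command in `make_restore` now hard-codes `SSL_CERT_FILE=/etc/nginx-minio/ca.crt` for every test in the suite, not just PBM-1525, and the line gives no hint why. Go's crypto/x509 uses `SSL_CERT_FILE`, when set, in place of the default system CA bundle file, so a restore that had to reach a publicly trusted HTTPS endpoint would now rely on that single fixture CA plus whatever the default cert directories still provide — worth confirming against the storage endpoints the other tests use. I would at least annotate it, `# trust the fixture CA behind the nginx-minio TLS proxy (see Dockerfile-easyrsa); pbm is a Go binary and honours SSL_CERT_FILE`, and consider making the environment prefix a keyword argument so only the TLS test opts in. The enclosing `make_restore` starts before and continues after the hunk.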
@@ -117,4 +117,32 @@ http { proxy_pass http://minio:9000$request_uri; } } + + server { + listen 15250 ssl; + server_name nginx-minio; + + ssl_certificate /etc/nginx-minio/nginx-minio.crt; + ssl_certificate_key /etc/nginx-minio/nginx-minio.key; + + ignore_invalid_headers off; + client_max_body_size 0; + proxy_buffering off; + proxy_request_buffering off; + + location / { + proxy_set_header Host $http_host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + + proxy_connect_timeout 300; + proxy_http_version 1.1; + proxy_set_header Connection ""; + chunked_transfer_encoding off; + + proxy_pass http://minio:9000/; + } + } + } diff --git a/pbm-functional/pytest/conf/pbm/pbm-1525.yaml b/pbm-functional/pytest/conf/pbm/pbm-1525.yaml new file mode 100644 index 00000000..d95213a4 --- /dev/null +++ b/pbm-functional/pytest/conf/pbm/pbm-1525.yaml @@ -0,0 +1,9 @@ +storage: + type: s3 + s3: + endpointUrl: https://nginx-minio:15250 + bucket: bcp + prefix: pbme2etest + credentials: + access-key-id: "minio1234" + secret-access-key: "minio1234" diff --git a/pbm-functional/pytest/conf/supervisord.d/pbm-agent.ini b/pbm-functional/pytest/conf/supervisord.d/pbm-agent.ini index 5b94cdb3..ef8391b6 100644 --- a/pbm-functional/pytest/conf/supervisord.d/pbm-agent.ini +++ b/pbm-functional/pytest/conf/supervisord.d/pbm-agent.ini @@ -1,5 +1,6 @@ [program:pbm-agent] command=/usr/bin/pbm-agent --mongodb-uri "%(ENV_PBM_MONGODB_URI)s" +environment=SSL_CERT_FILE="/etc/nginx-minio/ca.crt" autorestart=false stdout_logfile=/dev/stdout stdout_logfile_maxbytes=0 diff --git a/pbm-functional/pytest/docker-compose.yaml b/pbm-functional/pytest/docker-compose.yaml index 2a8e5644..2cb663b6 100644 --- a/pbm-functional/pytest/docker-compose.yaml +++ b/pbm-functional/pytest/docker-compose.yaml @@ -53,6 +53,7 @@ services: - test depends_on: - minio + - easyrsa createbucket: container_name: createbucket 
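Review bot: The new `listen 15250 ssl` server proxies with `proxy_pass http://minio:9000/;`, while the existing plain-HTTP server block above it (visible as context) uses `proxy_pass http://minio:9000$request_uri;`. With a URI part in `proxy_pass`, nginx substitutes the normalised, re-encoded request URI, so S3 object keys containing percent-encoded or special characters can reach MinIO in a different form from the one the client signed and fail signature verification; `$request_uri` forwards the raw URI unchanged. I would use `proxy_pass http://minio:9000$request_uri;` here for consistency with the other block. No `ssl_protocols` directive is set, so the nginx default applies; `ssl_protocols TLSv1.2 TLSv1.3;` would make the test's TLS floor explicit.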
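Review bot: `pbm-1525.yaml` points PBM at `https://nginx-minio:15250`, but nothing in the file says where trust for that endpoint's certificate comes from, which is the whole point of the fixture; the CA is injected out of band through `SSL_CERT_FILE` in `pbm-agent.ini` and in `make_restore`. A header comment would save the next reader a search, e.g. `# PBM-1525: S3 storage behind the TLS proxy in conf/nginx.conf (cert issued by the fixture CA in Dockerfile-easyrsa). Trust for that CA comes from SSL_CERT_FILE, not from this file.` The `minio1234` access and secret keys are fixture credentials that presumably mirror the MinIO service's; a one-line note saying so would make that explicit.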
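Review bot: `environment=SSL_CERT_FILE="/etc/nginx-minio/ca.crt"` applies to pbm-agent in every test run, not only PBM-1525, and the ini gives no reason for it. For a Go binary `SSL_CERT_FILE` replaces the default CA bundle file, so if any test backs up to an endpoint with a publicly trusted certificate it now depends on the default cert directories still being scanned — worth confirming. A comment above the line, `; trust the fixture CA that signed the nginx-minio TLS proxy (PBM-1525); pbm-agent is a Go binary and reads SSL_CERT_FILE`, records the intent.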
@@ -73,6 +74,8 @@ services: hostname: pykmip networks: - test + depends_on: + - easyrsa vault: image: hashicorp/vault @@ -129,7 +132,14 @@ services: - "PERCONA_TELEMETRY_URL=https://check-dev.percona.com/v1/telemetry/GenericReport" command: /bin/bash depends_on: - - pykmip + - easyrsa + + easyrsa: + image: easyrsa/local + build: + dockerfile: ./Dockerfile-easyrsa + context: . + command: /bin/bash golang_reports: image: golang:bullseye @@ -144,9 +154,9 @@ networks: name: test volumes: - backups: + backups: name: backups - fs: + fs: name: fs keytabs: name: keytabs diff --git a/pbm-functional/pytest/test_PBM-1525.py b/pbm-functional/pytest/test_PBM-1525.py new file mode 100644 index 00000000..66e7a12a --- /dev/null +++ b/pbm-functional/pytest/test_PBM-1525.py @@ -0,0 +1,32 @@ +import pytest +import time + +from cluster import Cluster + +@pytest.fixture(scope="package") +def config(): + return {"_id": "rs1", "members": [{"host": "rs101"}]} + +@pytest.fixture(scope="package") +def cluster(config): + return Cluster(config) + +@pytest.fixture(scope="function") +def start_cluster(cluster, request): + try: + cluster.destroy() + cluster.create() + cluster.setup_pbm('/etc/pbm-1525.conf') + yield True + finally: + if request.config.getoption("--verbose"): + cluster.get_logs() + cluster.destroy() + +@pytest.mark.parametrize('backup_type',['logical','physical']) +def test_s3_custom_ssl_PBM_T296(start_cluster, cluster, backup_type): + cluster.check_pbm_status() + backup=cluster.make_backup(backup_type) + cluster.make_restore(backup,restart_cluster=True, check_pbm_status=True) + Cluster.log('Finished succesfully') +
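Review bot: The new `easyrsa` service is build-only — its `command: /bin/bash` exits immediately without a TTY — yet the consumers of `easyrsa/local` express the relationship only through runtime `depends_on` entries, and as far as I know `depends_on` orders container start-up, not image builds, so a parallel `docker compose build` or `up --build` may try to build the pbm, pykmip and nginx images before `easyrsa/local` exists and fail on their `FROM`. If the CI script builds `easyrsa` first that is fine, but it should be stated here, e.g. `# build-only: Dockerfile, Dockerfile-pykmip and Dockerfile-nginx use FROM easyrsa/local; build this service first` above `easyrsa:`. Because every private key for the fixture lives in this image, the same comment is the place to say it must never be pushed.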
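Review bot: `Cluster.log('Finished succesfully')` misspells the log message; use `'Finished successfully'`. The test also never checks that the TLS path is what actually got exercised: it only asserts that backup and restore succeed, so if `setup_pbm('/etc/pbm-1525.conf')` were ignored and the default storage applied, the test would still pass. Asserting on the storage reported by `pbm config --out=json` after setup (e.g. that the endpoint is `https://nginx-minio:15250`) would tie the pass to the custom-CA endpoint; `setup_pbm` currently logs that output but does not return it, so exposing it is a small change in `cluster.py`.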