Add beaker tests for openstack_project::server

The openstack_project::server class is the most important piece of
puppet configuration we have, so add tests for it so that we can be
confident about upgrading it.

Unlike the other puppet modules, this module is a subdirectory of the
main repository, so all the tests and Gemfile need to be there. We
symlink back to the main Gemfile in the root of the repository (which is
used by the puppet-syntax check) and update it to be Zuul-compatible
like the Gemfiles in the other modules.

The spec helper depends on having a metadata.json file so it can read
the module name, so add that.

Add in-repo zuul jobs that inherit from the main jobs defined in
openstack-zuul-jobs. We're defining them in-repo instead of just adding
system-config to the list of repositories using these jobs because we
need to override the project_src_dir variable.

Depends-On: https://review.openstack.org/581308
Depends-On: https://review.openstack.org/581004
Depends-On: https://review.openstack.org/581448

Change-Id: Ic56d258573aa2a18d7ca27ea7fe1c2f121cd268f

.zuul.yaml

@@ -0,0 +1,37 @@
+- job:
+    name: puppet-beaker-rspec-infra-system-config
+    parent: puppet-beaker-rspec-infra
+    vars:
+      project_src_dir: "{{ zuul.project.src_dir }}/modules/openstack_project"
+
+- job:
+    name: puppet-beaker-rspec-infra-centos-7-system-config
+    parent: puppet-beaker-rspec-centos-7-infra
+    vars:
+      project_src_dir: "{{ zuul.project.src_dir }}/modules/openstack_project"
+
+- job:
+    name: puppet-beaker-rspec-puppet-4-infra-system-config
+    parent: puppet-beaker-rspec-puppet-4-infra
+    vars:
+      project_src_dir: "{{ zuul.project.src_dir }}/modules/openstack_project"
+
+- job:
+    name: puppet-beaker-rspec-puppet-4-centos-7-infra-system-config
+    parent: puppet-beaker-rspec-puppet-4-infra
+    vars:
+      project_src_dir: "{{ zuul.project.src_dir }}/modules/openstack_project"
+
+- project:
+    check:
+      jobs:
+        - puppet-beaker-rspec-infra-system-config
+        - puppet-beaker-rspec-infra-centos-7-system-config
+        - puppet-beaker-rspec-puppet-4-infra-system-config:
+            voting: false
+        - puppet-beaker-rspec-puppet-4-centos-7-infra-system-config:
+            voting: false
+    gate:
+      jobs:
+        - puppet-beaker-rspec-infra-system-config
+        - puppet-beaker-rspec-infra-centos-7-system-config

Gemfile

@@ -1,9 +1,15 @@
 source 'https://rubygems.org'
 
+if File.exists?('/home/zuul/src/git.openstack.org/openstack-infra/puppet-openstack_infra_spec_helper')
+  gem_checkout_method = {:path => '/home/zuul/src/git.openstack.org/openstack-infra/puppet-openstack_infra_spec_helper'}
+else
+  gem_checkout_method = {:git => 'https://git.openstack.org/openstack-infra/puppet-openstack_infra_spec_helper'}
+end
+gem_checkout_method[:require] = false
+
 group :development, :test, :system_tests do
   gem 'puppet-openstack_infra_spec_helper',
-      :git     => 'https://git.openstack.org/openstack-infra/puppet-openstack_infra_spec_helper',
-      :require => false
+      gem_checkout_method
 end
 
 # vim:ft=ruby

modules/openstack_project/Gemfile

@@ -0,0 +1 @@
+../../Gemfile

modules/openstack_project/metadata.json

@@ -0,0 +1,11 @@
+{
+  "name": "openstackinfra-openstack_project",
+  "version": "0.0.1",
+  "author": "Openstack CI",
+  "summary": "Puppet module for openstack_project",
+  "license": "Apache 2.0",
+  "source": "git://git.openstack.org/openstack-infra/system-config.git",
+  "project_page": "http://docs.openstack.org/infra/system-config/",
+  "issues_url": "https://storyboard.openstack.org/#!/project/778",
+  "dependencies": []
+}

modules/openstack_project/spec/acceptance/basic_spec.rb

@@ -0,0 +1,90 @@
+require 'puppet-openstack_infra_spec_helper/spec_helper_acceptance'
+
+describe 'openstack_project::server' do
+
+  def pp_path
+    base_path = File.dirname(__FILE__)
+    File.join(base_path, 'fixtures')
+  end
+
+  def puppet_manifest
+    manifest_path = File.join(pp_path, 'default.pp')
+    File.read(manifest_path)
+  end
+
+  def postconditions_puppet_manifest
+    manifest_path = File.join(pp_path, 'postconditions.pp')
+    File.read(manifest_path)
+  end
+
+  before(:all) do
+    # The ssh_authorized_key resource uses the key comment as a universal
+    # identifier, so if a user's key is already in root's authorized keys, it
+    # conflicts with adding the key for the user itself. Move root's key list
+    # aside temporarily.
+    shell('mv /root/.ssh/authorized_keys /root/.ssh/authorized_keys.bak')
+    # epel is needed to install exim
+    if os[:family] == 'redhat'
+      shell('yum-config-manager --enable epel')
+    end
+  end
+
+  it 'should work with no errors' do
+    apply_manifest(puppet_manifest, catch_failures: true)
+  end
+
+  it 'should be idempotent' do
+    apply_manifest(puppet_manifest, catch_changes: true)
+  end
+
+  it 'should turn root ssh back on' do
+    apply_manifest(postconditions_puppet_manifest, catch_failures: true)
+    shell('mv /root/.ssh/authorized_keys.bak /root/.ssh/authorized_keys')
+  end
+
+  ['mordred',
+   'corvus',
+   'clarkb',
+   'fungi',
+   'jhesketh',
+   'yolanda',
+   'pabelanger',
+   'rcarrillocruz',
+   'ianw',
+   'shrews',
+   'dmsimard',
+   'frickler'].each do |user|
+    describe user(user) do
+      it { should exist }
+    end
+  end
+
+  ['slukjanov', 'elizabeth', 'nibz'].each do |user|
+    describe user(user) do
+      it { should_not exist }
+    end
+  end
+
+  exim = os[:family] == 'ubuntu' ? 'exim4' : 'exim'
+  ntp = os[:family] == 'ubuntu' ? 'ntp' : 'ntpd'
+  services = ['rsyslog', 'unbound', exim, 'snmpd', ntp]
+  if os[:family] == 'ubuntu'
+    services.push('openafs-client')
+  end
+  services.each do |service|
+    describe service(service) do
+      it { should be_running }
+    end
+  end
+
+  describe command('iptables -S') do
+    its(:stdout) { should contain('-A openstack-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT') }
+    its(:stdout) { should contain('-A openstack-INPUT -s 172.99.116.215/32 -p udp -m udp --dport 161 -j ACCEPT') }
+    its(:stdout) { should contain('-A openstack-INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT') }
+    its(:stdout) { should contain('-A openstack-INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT') }
+    its(:stdout) { should contain('-A openstack-INPUT -p tcp -m state --state NEW -m tcp --dport 29418 -j ACCEPT') }
+    its(:stdout) { should contain('-A openstack-INPUT -p tcp -m tcp --dport 29418 --tcp-flags FIN,SYN,RST,ACK SYN -m connlimit --connlimit-above 100 --connlimit-mask 32 --connlimit-saddr -j REJECT --reject-with icmp-port-unreachable') }
+    its(:stdout) { should contain('-A openstack-INPUT -j REJECT --reject-with icmp-host-prohibited') }
+  end
+
+end

modules/openstack_project/spec/acceptance/fixtures/default.pp

@@ -0,0 +1,12 @@
+$iptables_rules = ['-p tcp --syn --dport 29418 -m connlimit --connlimit-above 100 -j REJECT']
+$manage_afs = $::operatingsystem ? {
+  'CentOS' => false,
+  default  => true
+}
+
+class { 'openstack_project::server':
+  iptables_public_tcp_ports => [80, 443, 29418],
+  iptables_rules6           => $iptables_rules,
+  iptables_rules4           => $iptables_rules,
+  afs                       => $manage_afs,
+}

modules/openstack_project/spec/acceptance/fixtures/postconditions.pp

@@ -0,0 +1,6 @@
+# Turn root ssh back on, otherwise we can't post logs
+class { 'ssh':
+  trusted_ssh_type   => 'address',
+  trusted_ssh_source => '23.253.245.198,2001:4800:7818:101:3c21:a454:23ed:4072',
+  permit_root_login  => 'yes',
+}

modules/openstack_project/spec/acceptance/nodesets/default.yml

@@ -0,0 +1,11 @@
+HOSTS:
+  ubuntu-server-1404-x64:
+    roles:
+      - master
+    platform: ubuntu-14.04-amd64
+    box: puppetlabs/ubuntu-14.04-64-nocm
+    box_url: https://vagrantcloud.com/puppetlabs/ubuntu-14.04-64-nocm
+    hypervisor: vagrant
+CONFIG:
+  log_level: debug
+  type: git

modules/openstack_project/spec/acceptance/nodesets/nodepool-centos7.yml

@@ -0,0 +1,10 @@
+HOSTS:
+  centos-70-x64:
+    roles:
+      - master
+    platform: el-7-x86_64
+    hypervisor: none
+    ip: 127.0.0.1
+CONFIG:
+  type: foss
+  set_env: false

modules/openstack_project/spec/acceptance/nodesets/nodepool-trusty.yml

@@ -0,0 +1,10 @@
+HOSTS:
+  ubuntu-14.04-amd64:
+    roles:
+      - master
+    platform: ubuntu-14.04-amd64
+    hypervisor: none
+    ip: 127.0.0.1
+CONFIG:
+  type: foss
+  set_env: false

modules/openstack_project/spec/acceptance/nodesets/nodepool-xenial.yml

@@ -0,0 +1,10 @@
+HOSTS:
+  ubuntu-16.04-amd64:
+    roles:
+      - master
+    platform: ubuntu-16.04-amd64
+    hypervisor: none
+    ip: 127.0.0.1
+CONFIG:
+  type: foss
+  set_env: false