Revise cert tests to use principal names

In wallaby, we move certificate generation from puppet-certmonger
to linux-system-roles, and lost the ability to specify the certmonger
cert request ID.  So the tests that check for the existence of certs
using this ID now fail.  We need to look for certs using principal
name instead.

Change-Id: I23df0b30baf67341cec87017ac00a049ad313064

novajoin_tempest_plugin/config.py

@@ -68,5 +68,11 @@ NovajoinGroup = [
                default=("sudo podman ps |"
                         "grep galera-bundle-podman|"
                         "awk '{print \$NF}'"),
-               help='mysql container find command')
+               help='mysql container find command'),
+    cfg.BoolOpt('check_certs_by_principal',
+                default='False',
+                help='Check certmonger certs using principal'),
+    cfg.StrOpt('tripleo_exclude_pnames',
+               default=[],
+               help='array of principal names to exclude from tests'),
 ]

novajoin_tempest_plugin/tests/scenario/novajoin_manager.py

@@ -169,6 +169,11 @@ class NovajoinScenarioTest(manager.ScenarioTest):
         result = self.execute_on_controller(user, hostip, cmd)
         self.assertTrue('track: yes' in result)
 
+    def verify_overcloud_cert_tracked_by_pname(self, hostip, user, pname):
+        cmd = "sudo getcert list -t |grep 'principal name'|grep " + pname
+        result = self.execute_on_controller(user, hostip, cmd)
+        self.assertTrue(pname in result)
+
     @retry_with_timeout
     def verify_cert_revoked(self, serial):
         # verify that the given certificate has been revoked

novajoin_tempest_plugin/tests/scenario/test_tripleo_deployment.py

@@ -40,6 +40,35 @@ COMPUTE_CERT_TAGS = [
     'libvirt-server-cert'
 ]
 
+CONTROLLER_PRINCIPAL_NAMES = [
+    'HTTP/<host>.ctlplane.<domain>@<realm>',
+    'HTTP/<host>.storage.<domain>@<realm>',
+    'HTTP/<host>.storagemgmt.<domain>@<realm>',
+    'HTTP/<host>.internalapi.<domain>@<realm>',
+    'HTTP/<host>.external.<domain>@<realm>',
+    'haproxy/overcloud.<domain>@<realm>',
+    'haproxy/<host>.ctlplane.<domain>@<realm>',
+    'haproxy/<host>.storage.<domain>@<realm>',
+    'haproxy/<host>.storagemgmt.<domain>@<realm>',
+    'haproxy/<host>.internalapi.<domain>@<realm>',
+    'mysql/<host>.internalapi.<domain>@<realm>',
+    'neutron_ovn/<host>.internalapi.<domain>@<realm>',
+    'libvirt-vnc/<host>.internalapi.<domain>@<realm>',
+    'novnc-proxy/<host>.internalapi.<domain>@<realm>',
+    'ovn_dbs/<host>.internalapi.<domain>@<realm>',
+    'ovn_controller/<host>.internalapi.<domain>@<realm>',
+    'rabbitmq/<host>.internalapi.<domain>@<realm>'
+]
+
+COMPUTE_PRINCIPAL_NAMES = [
+    'libvirt/<host>.internalapi.<domain>@<realm>',
+    'libvirt/<host>.internalapi.<domain>@<realm>',
+    'qemu/<host>.internalapi.<domain>@<realm>',
+    'qemu/<host>.internalapi.<domain>@<realm>',
+    'ovn_controller/<host>.internalapi.<domain>@<realm>',
+    'ovn_metadata/<host>.internalapi.<domain>@<realm>'
+]
+
 
 class TripleOTest(novajoin_manager.NovajoinScenarioTest):
 
@@ -136,6 +165,8 @@ class TripleOTest(novajoin_manager.NovajoinScenarioTest):
                 verify_certs=True)
 
     def test_verify_controller_certs_are_tracked(self):
+        if CONF.novajoin.check_certs_by_principal:
+            self.skipTest('check_certs_by_principal set, skip requestid')
         for host in CONF.novajoin.tripleo_controllers:
             server_ip = self.get_overcloud_server_ip(host)
             for tag in CONTROLLER_CERT_TAGS:
@@ -147,6 +178,8 @@ class TripleOTest(novajoin_manager.NovajoinScenarioTest):
                     )
 
     def test_verify_compute_certs_are_tracked(self):
+        if CONF.novajoin.check_certs_by_principal:
+            self.skipTest('check_certs_by_principal set, skip requestid')
         for host in CONF.novajoin.tripleo_computes:
             server_ip = self.get_overcloud_server_ip(host)
             for tag in COMPUTE_CERT_TAGS:
@@ -156,6 +189,38 @@ class TripleOTest(novajoin_manager.NovajoinScenarioTest):
                     tag
                 )
 
+    def test_verify_controller_certs_are_tracked_by_principal_name(self):
+        if not CONF.novajoin.check_certs_by_principal:
+            self.skipTest('check_certs_by_principal not set')
+        for host in CONF.novajoin.tripleo_controllers:
+            server_ip = self.get_overcloud_server_ip(host)
+            for pn in CONTROLLER_PRINCIPAL_NAMES:
+                pname = (pn.replace('<host>', host)
+                         .replace('<domain>', self.ipa_client.domain)
+                         .replace('<realm>', self.ipa_client.realm))
+                if pname not in CONF.novajoin.tripleo_exclude_pnames:
+                    self.verify_overcloud_cert_tracked_by_pname(
+                        server_ip,
+                        self.get_ssh_user(),
+                        pname
+                    )
+
+    def test_verify_compute_certs_are_tracked_by_principal_name(self):
+        if not CONF.novajoin.check_certs_by_principal:
+            self.skipTest('check_certs_by_principal not set')
+        for host in CONF.novajoin.tripleo_computes:
+            server_ip = self.get_overcloud_server_ip(host)
+            for pn in COMPUTE_PRINCIPAL_NAMES:
+                pname = (pn.replace('<host>', host)
+                         .replace('<domain>', self.ipa_client.domain)
+                         .replace('<realm>', self.ipa_client.realm))
+                if pname not in CONF.novajoin.tripleo_exclude_pnames:
+                    self.verify_overcloud_cert_tracked_by_pname(
+                        server_ip,
+                        self.get_ssh_user(),
+                        pname
+                    )
+
     def test_overcloud_hosts_are_ipaclients(self):
         hosts = list(CONF.novajoin.tripleo_controllers)
         hosts.extend(CONF.novajoin.tripleo_computes)