diff --git a/roles/rsyslog/tasks/set_certs.yml b/roles/rsyslog/tasks/set_certs.yml index da28febf..b80ecd3d 100644 --- a/roles/rsyslog/tasks/set_certs.yml +++ b/roles/rsyslog/tasks/set_certs.yml @@ -51,8 +51,8 @@ when: item.tls is defined | ternary(item.tls, item.use_cert | d(true)) - name: Check certs - key/certs data are provided, but tls is false - fail: - msg: "Error: you specified tls: false and also specified one or + debug: + msg: "WARNING: you specified tls: false and also specified one or more cert/key files in the configuration named {{ item.name }}" with_items: - '{{ __rsyslog_cert_subject }}' diff --git a/tests/tests_files_elasticsearch.yml b/tests/tests_files_elasticsearch.yml index 86b21363..88cc0083 100644 --- a/tests/tests_files_elasticsearch.yml +++ b/tests/tests_files_elasticsearch.yml @@ -19,9 +19,6 @@ specify all 3 of ca_cert, cert, private_key, or all 3 of ca_cert_src, cert_src, private_key_src, or set tls: false in the configuration named elasticsearch_output" - __expected_err2: "Error: you specified tls: false and also - specified one or more cert/key files in the configuration - named elasticsearch_output" tasks: - name: "local certs are copied to the target host with @@ -91,17 +88,13 @@ stat: path: "{{ __test_outputfiles_conf }}" - - name: Check if the copied ca cert file exists + - name: Check if the copied key/certs files exist stat: - path: "/etc/rsyslog.d/{{ __test_ca_cert | basename }}" - - - name: Check if the copied cert file exists - stat: - path: "/etc/rsyslog.d/{{ __test_cert | basename }}" - - - name: Check if the copied key file exists - stat: - path: "/etc/rsyslog.d/{{ __test_key | basename }}" + path: "{{ item }}" + loop: + - "/etc/rsyslog.d/{{ __test_ca_cert | basename }}" + - "/etc/rsyslog.d/{{ __test_cert | basename }}" + - "/etc/rsyslog.d/{{ __test_key | basename }}" - name: Check certs in {{ __test_outputfiles_conf }} command: >- @@ -223,29 +216,17 @@ - rsyslog-elasticsearch include_tasks: tasks/check_packages.yml - - name: Ensure installed packages - vars: - __expected: - - rsyslog - - ca-certificates - - rsyslog-elasticsearch - include_tasks: tasks/check_packages.yml - - name: Check if the output files config exists stat: path: "{{ __test_outputfiles_conf }}" - - name: Check if the copied ca cert file exists - stat: - path: "{{ __test_ca_cert_target }}" - - - name: Check if the copied cert file exists - stat: - path: "{{ __test_cert_target }}" - - - name: Check if the copied key file exists + - name: Check if the copied key/certs files exist stat: - path: "{{ __test_key_target }}" + path: "{{ item }}" + loop: + - "{{ __test_ca_cert_target }}" + - "{{ __test_cert_target }}" + - "{{ __test_key_target }}" - name: Check key/certs in {{ __test_outputfiles_conf }} command: >- @@ -297,44 +278,81 @@ - "{{ __test_key_target }}" # TEST CASE 2 - - block: - - name: "TEST CASE 2; Error case for Elasticsearch config - - cert and ca_cert_src are missing" - vars: - logging_outputs: - - name: elasticsearch_output - type: elasticsearch - server_host: logging-es - server_port: 9200 - index_prefix: project. - input_type: ovirt - retryfailures: false - ca_cert: /etc/rsyslog.d/ca_cert.crt - private_key: /etc/rsyslog.d/key.pem - cert_src: "{{ __test_cert }}" - private_key_src: "{{ __test_key }}" - logging_inputs: - - name: files_input - type: files - input_log_path: "{{ __test_inputfiles_dir }}/*.log" - logging_flows: - - name: flow_0 - inputs: [files_input] - outputs: [elasticsearch_output, elasticsearch_output_ops] - include_role: - name: linux-system-roles.logging + - name: "TEST CASE 2; Elasticsearch config - + local certs are not copied to the target host as tls is false" + vars: + logging_outputs: + - name: elasticsearch_output + type: elasticsearch + server_host: logging-es + server_port: 9200 + index_prefix: project. + input_type: ovirt + retryfailures: false + tls: false + ca_cert_src: "{{ __test_ca_cert }}" + cert_src: "{{ __test_cert }}" + private_key_src: "{{ __test_key }}" + logging_inputs: + - name: files_input + type: files + input_log_path: "{{ __test_inputfiles_dir }}/*.log" + logging_flows: + - name: flow_0 + inputs: [files_input] + outputs: [elasticsearch_output] + include_role: + name: linux-system-roles.logging - - name: unreachable task - fail: - msg: UNREACH + # notify restart rsyslogd is executed at the end of this test task. + # thus we have to force to invoke handlers + - name: "Force all notified handlers to run at this point, + not waiting for normal sync points" + meta: flush_handlers - rescue: - - debug: - msg: "Caught an expected error - - {{ ansible_failed_result.results }}" - - name: assert... - assert: - that: ansible_failed_result.results.0.msg is match(__expected_err1) + - name: Ensure config file size and counts + vars: + __conf_count: 9 + __conf_size: less + __conf_files: + - "{{ __test_inputfiles_conf }}" + - "{{ __test_outputfiles_conf }}" + __check_systemctl_status: true + include_tasks: tasks/check_daemon_config_files.yml + + - name: Ensure installed packages + vars: + __expected: + - rsyslog + - ca-certificates + - rsyslog-elasticsearch + include_tasks: tasks/check_packages.yml + + - name: Check if the output files config exists + stat: + path: "{{ __test_outputfiles_conf }}" + + - name: Check if the copied key/certs files do not exist + stat: + path: "{{ item }}" + register: __result + failed_when: __result.stat.exists + loop: + - "{{ __test_ca_cert_target }}" + - "{{ __test_cert_target }}" + - "{{ __test_key_target }}" + + - name: Check key/certs not in {{ __test_outputfiles_conf }} + command: >- + /bin/grep 'tls.{{ item.key }}="{{ item.value }}"' + {{ __test_outputfiles_conf }} + with_dict: + - cacert: "{{ __test_ca_cert_target }}" + - mycert: "{{ __test_cert_target }}" + - myprivkey: "{{ __test_key_target }}" + register: __result + changed_when: false + failed_when: __result.rc != 1 - name: END TEST CASE 2; Clean up the deployed config vars: @@ -348,6 +366,9 @@ input_type: ovirt retryfailures: false tls: false + ca_cert_src: "{{ __test_ca_cert }}" + cert_src: "{{ __test_cert }}" + private_key_src: "{{ __test_key }}" state: absent logging_inputs: - name: files_input @@ -363,16 +384,10 @@ not waiting for normal sync points" meta: flush_handlers - - name: clean up fake pki files - file: path="{{ item }}" state=absent - loop: - - /etc/rsyslog.d/es-cert.pem - - /etc/rsyslog.d/key.pem - # TEST CASE 3 - block: - name: "TEST CASE 3; Error case for Elasticsearch config - - although cert paths are specified, tls is false" + cert and ca_cert_src are missing" vars: logging_outputs: - name: elasticsearch_output @@ -382,11 +397,8 @@ index_prefix: project. input_type: ovirt retryfailures: false - tls: false ca_cert: /etc/rsyslog.d/ca_cert.crt - cert: /etc/rsyslog.d/cert.pem private_key: /etc/rsyslog.d/key.pem - ca_cert_src: "{{ __test_ca_cert }}" cert_src: "{{ __test_cert }}" private_key_src: "{{ __test_key }}" logging_inputs: @@ -410,7 +422,7 @@ {{ ansible_failed_result.results }}" - name: assert... assert: - that: ansible_failed_result.results.0.msg is match(__expected_err2) + that: ansible_failed_result.results.0.msg is match(__expected_err1) - name: END TEST CASE 3; Clean up the deployed config vars: @@ -423,13 +435,7 @@ index_prefix: project. input_type: ovirt retryfailures: false - tls: true - ca_cert: /etc/rsyslog.d/ca_cert.crt - cert: /etc/rsyslog.d/cert.pem - private_key: /etc/rsyslog.d/key.pem - ca_cert_src: "{{ __test_ca_cert }}" - cert_src: "{{ __test_cert }}" - private_key_src: "{{ __test_key }}" + tls: false state: absent logging_inputs: - name: files_input @@ -449,7 +455,6 @@ file: path="{{ item }}" state=absent loop: - /etc/rsyslog.d/ca_cert.crt - - /etc/rsyslog.d/cert.pem - /etc/rsyslog.d/key.pem # TEST CASE 4