open-craft · smarnach · Nov 5, 2016 · Nov 4, 2016 · Nov 5, 2016 · bdero
diff --git a/README.md b/README.md
@@ -62,3 +62,22 @@ To add a new backend, perform the following steps:
    fragment again, use
 
         haproxy-config remove <fragment_name>
+
+Running the integration test playbook
+-------------------------------------
+
+You can run the integration test playbook in `tests/integration.yml` against a
+server with a vanilla Ubuntu 16.04 image.  You need at least one DNS name
+pointing at the server, and DNS changes should already have propagated.
+
+1. Create a Python virtualenv and activate it.
+
+2. Change to the `tests/` directory and run `pip install -r requirements.txt` to
+   install Ansible and further required packages.
+
+3. Run the playbook using
+
+        ansible-playbook -vvv -i test.server.domain, integration.yml
+
+   Replace test.server.domain by the DNS name of your test server, but make sure
+   to keep the trailing comma.
diff --git a/defaults/main.yml b/defaults/main.yml
@@ -1,11 +1,14 @@
 LOAD_BALANCER_SERVER_IP: "{{ lookup('dig', ansible_host) }}"
 
+LOAD_BALANCER_OPS_EMAIL: [email protected]
+
 LOAD_BALANCER_APT_PACKAGES:
   - haproxy
   - letsencrypt
   - inotify-tools
   - python3-openssl
   - socat
+  - ssl-cert
 
 LOAD_BALANCER_CERTS_DIR: /etc/haproxy/certs
 LOAD_BALANCER_CONF_DIR: /etc/haproxy/conf.d

diff --git a/templates/haproxy-config-watcher b/templates/haproxy-config-watcher
@@ -27,14 +27,18 @@ update_cert()
 # It is important to note that haproxy.conf and backend.map are not contained
 # in any of the watched directories, since these files are regenerated upon
 # restart.  Otherwise each restart immediately triggers another restart.
-inotifywait -e close_write -e moved_to -m -q -r \
+inotifywait -e close_write -e moved_to -e delete -m -q -r \
             {{ LOAD_BALANCER_CERTS_DIR }} {{ LOAD_BALANCER_CONF_DIR }} \
             {{ LOAD_BALANCER_BACKENDS_DIR }} {{ LETSENCRYPT_ARCHIVE_DIR }} |
     while read path event file; do
         case "$path" in
             {{ LETSENCRYPT_ARCHIVE_DIR }}/*)
-                update_cert "$path" "$file";;
+                if [ "$event" != "delete" ]; then
+                    update_cert "$path" "$file"
+                fi
+                ;;
             {{ LOAD_BALANCER_CERTS_DIR }}/*|{{ LOAD_BALANCER_CONF_DIR }}/*|{{ LOAD_BALANCER_BACKENDS_DIR }}/*)
-                touch {{ LOAD_BALANCER_RELOAD_FILE }};;
+                touch {{ LOAD_BALANCER_RELOAD_FILE }}
+                ;;
         esac
     done
diff --git a/templates/manage_certs.conf b/templates/manage_certs.conf
@@ -1,7 +1,7 @@
 --server-ip {{ LOAD_BALANCER_SERVER_IP }}
 --haproxy-backend-map {{ LOAD_BALANCER_BACKEND_MAP }}
 --haproxy-certs-dir {{ LOAD_BALANCER_CERTS_DIR }}
---contact-email {{ OPS_EMAIL }}
+--contact-email {{ LOAD_BALANCER_OPS_EMAIL }}
 --log-level {{ LOAD_BALANCER_MANAGE_CERTS_LOG_LEVEL }}
 --keep-certificate {{ LOAD_BALANCER_SNAKE_OIL_CERT }}
 {% if LETSENCRYPT_USE_STAGING %}

diff --git a/tests/.gitignore b/tests/.gitignore
@@ -0,0 +1 @@
+*.retry
diff --git a/tests/integration.yml b/tests/integration.yml
@@ -0,0 +1,63 @@
+---
+
+- name: Install Python 2
+  hosts: all
+  gather_facts: false
+  tasks:
+    - raw: "[ -e /usr/bin/pyton ] || sudo apt-get update -qq && sudo apt-get install -qq python"
+
+- name: Integration test for the load-balancer role
+  hosts: all
+  become: true
+  vars:
+    TEST_DOMAIN: "{{ inventory_hostname }}"
+    LETSENCRYPT_USE_STAGING: true
+    LOAD_BALANCER_MANAGE_CERTS_LOG_LEVEL: debug
+
+  pre_tasks:
+    - assert:
+        that: "lookup('dig', ansible_host) == lookup('dig', TEST_DOMAIN)"
+        msg: "The DNS entry for {{ TEST_DOMAIN }} must point to the test server."
+
+  roles:
+    - load-balancer
+
+  tasks:
+    - name: copy load-balancer configuration fragment to the server
+      copy:
+        content: |
+          backend be-load-balancer-test
+              server srv-pydoc 127.0.0.1:5000
+        dest: /tmp/config-fragment
+    - name: copy load-balancer backend map fragment to the server
+      copy:
+        content: "{{ TEST_DOMAIN }} be-load-balancer-test\n"
+        dest: /tmp/backend-map-fragment
+    - name: apply the new configuration
+      command: haproxy-config apply test /tmp/config-fragment /tmp/backend-map-fragment
+    - name: wait for the certificate to be available
+      wait_for:
+        path: "{{ LOAD_BALANCER_CERTS_DIR }}/{{ TEST_DOMAIN }}.pem"
+        timeout: 360
+    - name: wait for haproxy to be restarted
+      wait_for:
+        path: "{{ LOAD_BALANCER_RELOAD_FILE }}"
+        timeout: 100
+        state: absent
+    - name: start pydoc as test backend on the server
+      become: False
+      command: nohup pydoc -p 5000
+      async: 45
+      poll: 0
+    - name: verify that the backend is accessible via HTTPS
+      become: False
+      local_action: >
+        command wget -O- --ca-certificate=../files/lets-encrypt-fake-cert.crt \
+              "https://{{ TEST_DOMAIN }}/"
+    - name: Remove configuration fragments again
+      command: haproxy-config remove test
+    - name: Wait for the certificate to be deleted again
+      wait_for:
+        path: "{{ LOAD_BALANCER_CERTS_DIR }}/{{ TEST_DOMAIN }}.pem"
+        timeout: 360
+        state: absent
diff --git a/tests/requirements.txt b/tests/requirements.txt
@@ -0,0 +1,2 @@
+ansible==2.0.1
+dnspython==1.15.0
diff --git a/tests/roles/load-balancer b/tests/roles/load-balancer
@@ -0,0 +1 @@
+../..