From 9048cf27583e3ec170531f8f44dd778150c0cab3 Mon Sep 17 00:00:00 2001
From: Matt Martz
Date: Wed, 4 Jan 2017 23:07:13 -0600
Subject: [PATCH] Changes to the httptester docker image to support new client cert functionality in tests (#19912)

* Fix Dockerfile
* Add changes to docker image to support new client cert functionality
* Update repo:tag for docker
---
 test/utils/docker/httptester/Dockerfile | 5 ++++
 test/utils/docker/httptester/README.rst | 6 ++---
 test/utils/docker/httptester/httptester.yml | 23 +++++++++++++++++--
 test/utils/docker/httptester/nginx.sites.conf | 15 ++++++++++++
 test/utils/docker/httptester/packer.json | 3 ++-
 5 files changed, 46 insertions(+), 6 deletions(-)

diff --git a/test/utils/docker/httptester/Dockerfile b/test/utils/docker/httptester/Dockerfile
index 0bfdbbd399..d9a8e6e76c 100644
--- a/test/utils/docker/httptester/Dockerfile
+++ b/test/utils/docker/httptester/Dockerfile
@@ -17,7 +17,12 @@ RUN set -x && \
     openssl req -new -nodes -out /root/ca/sni2.ansible.http.tests-req.pem -keyout /root/ca/private/sni2.ansible.http.tests-key.pem -config /etc/ssl/openssl.cnf \
         -subj "/C=US/ST=North Carolina/L=Durham/O=Ansible/CN=sni2.ansible.http.tests" && \
     yes | openssl ca -config /etc/ssl/openssl.cnf -out /root/ca/sni2.ansible.http.tests-cert.pem -infiles /root/ca/sni2.ansible.http.tests-req.pem && \
+    openssl req -new -nodes -out /root/ca/client.ansible.http.tests-req.pem -keyout /root/ca/private/client.ansible.http.tests-key.pem -config /etc/ssl/openssl.cnf \
+        -subj "/C=US/ST=North Carolina/L=Durham/O=Ansible/CN=client.ansible.http.tests" && \
+    yes | openssl ca -config /etc/ssl/openssl.cnf -out /root/ca/client.ansible.http.tests-cert.pem -infiles /root/ca/client.ansible.http.tests-req.pem && \
     cp /root/ca/cacert.pem /usr/share/nginx/html/cacert.pem && \
+    cp /root/ca/client.ansible.http.tests-cert.pem /usr/share/nginx/html/client.pem && \
+    cp /root/ca/private/client.ansible.http.tests-key.pem /usr/share/nginx/html/client.key && \
     pip install gunicorn httpbin
 
 ADD services.sh /services.sh
diff --git a/test/utils/docker/httptester/README.rst b/test/utils/docker/httptester/README.rst
index a5e1172c6e..2efa1154b5 100644
--- a/test/utils/docker/httptester/README.rst
+++ b/test/utils/docker/httptester/README.rst
@@ -22,20 +22,20 @@ manually started using::
 
 Such as when starting a docker container::
 
-    docker run -ti --rm -p 80:80 -p 443:443 --name httptester ansible/httptester /services.sh
+    docker run -ti --rm -p 80:80 -p 443:443 --name httptester ansible/ansible:httptester /services.sh
 
 docker build
 ^^^^^^^^^^^^
 
 ::
 
-    docker build -t ansible/httptester .
+    docker build -t ansible/ansible:httptester .
 
 packer
 ^^^^^^
 
 The packer build will use ``ansible-playbook`` to perform the
-configuration, and will tag the image as ``ansible/httptester``
+configuration, and will tag the image as ``ansible/ansible:httptester``
 
 ::
 
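Review bot: The two added `cp` lines publish the client's private key (`client.key`) alongside its certificate under the nginx document root, so anyone who can reach the container on 80/443 can fetch a key the image's own CA trusts; that is evidently deliberate so the test suite can download its fixtures, but nothing in the Dockerfile says so. I would put a comment above the new `cp` lines, for example `# Client cert/key are intentionally served from the docroot so tests can fetch them; this image is test-only and must never be exposed beyond an isolated test network.` It is also worth noting that the client cert is issued by `openssl ca` with the stock `/etc/ssl/openssl.cnf` extensions, so whether it carries a client-auth EKU depends on that config rather than on anything visible here. The enclosing `RUN set -x && \` instruction starts before this hunk.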
diff --git a/test/utils/docker/httptester/httptester.yml b/test/utils/docker/httptester/httptester.yml
index f76f544e99..55a8decc1a 100644
--- a/test/utils/docker/httptester/httptester.yml
+++ b/test/utils/docker/httptester/httptester.yml
@@ -102,10 +102,29 @@
       shell: >
         yes | openssl ca -config /etc/ssl/openssl.cnf -out /root/ca/sni2.ansible.http.tests-cert.pem -infiles /root/ca/sni2.ansible.http.tests-req.pem
 
+    - name: Generate client key
+      command: >
+        openssl req -new -nodes -out /root/ca/client.ansible.http.tests-req.pem -keyout /root/ca/private/client.ansible.http.tests-key.pem -config /etc/ssl/openssl.cnf
+        -subj "/C=US/ST=North Carolina/L=Durham/O=Ansible/CN=client.ansible.http.tests"
+
+    - name: Generate client.ansible.http.tests cert
+      shell: >
+        yes | openssl ca -config /etc/ssl/openssl.cnf -out /root/ca/client.ansible.http.tests-cert.pem -infiles /root/ca/client.ansible.http.tests-req.pem
+
     - name: Copy cacert.pem into nginx doc root for easy retrieval
       copy:
-        src: /root/ca/cacert.pem
-        dest: /usr/share/nginx/html/cacert.pem
+        src: "/root/ca/cacert.pem"
+        dest: "/usr/share/nginx/html/cacert.pem"
+        remote_src: true
+
+    - copy:
+        src: /root/ca/client.ansible.http.tests-cert.pem
+        dest: /usr/share/nginx/html/client.pem
+        remote_src: true
+
+    - copy:
+        src: /root/ca/private/client.ansible.http.tests-key.pem
+        dest: /usr/share/nginx/html/client.key
         remote_src: true
 
     - name: Install gunicorn and httpbin
diff --git a/test/utils/docker/httptester/nginx.sites.conf b/test/utils/docker/httptester/nginx.sites.conf
index 161207fe84..7d33f9b0ac 100644
--- a/test/utils/docker/httptester/nginx.sites.conf
+++ b/test/utils/docker/httptester/nginx.sites.conf
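Review bot: The two new `- copy:` tasks are the only tasks in this hunk without a `name:`, which makes the playbook output unreadable exactly where the most sensitive step happens (the second one copies a private key out of `/root/ca/private` into the public docroot). I would give them names that state the intent, e.g. `- name: Copy client cert into nginx doc root for tests to fetch` and `- name: Copy client key into nginx doc root (test-only image, key is deliberately public)`. The first copy task was also changed to quote `src`/`dest` while the two new ones are unquoted; pick one form. The play this hunk belongs to starts and ends outside the hunk.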
@@ -7,10 +7,25 @@ server {
     ssl_certificate /root/ca/ansible.http.tests-cert.pem;
     ssl_certificate_key /root/ca/private/ansible.http.tests-key.pem;
+    ssl_client_certificate /root/ca/cacert.pem;
+    ssl_verify_client optional;
+
 
     location =/cacert.pem {
         alias /usr/share/nginx/html/cacert.pem;
     }
 
+    location =/client.key {
+        alias /usr/share/nginx/html/client.key;
+    }
+
+    location =/client.pem {
+        alias /usr/share/nginx/html/client.pem;
+    }
+
+    location =/ssl_client_verify {
+        return 200 "ansible.http.tests:$ssl_client_verify";
+    }
+
     location / {
         proxy_pass http://127.0.0.1:8000;
     }
diff --git a/test/utils/docker/httptester/packer.json b/test/utils/docker/httptester/packer.json
index 48e36d1183..bf2a008456 100644
--- a/test/utils/docker/httptester/packer.json
+++ b/test/utils/docker/httptester/packer.json
@@ -37,7 +37,8 @@
     "post-processors": [
         {
             "type": "docker-tag",
-            "repository": "ansible/httptester"
+            "repository": "ansible/ansible",
+            "tag": "httptester"
         }
     ]
 }
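Review bot: With `ssl_verify_client optional;` nginx rejects a presented certificate that does not chain to `ssl_client_certificate` at the TLS/handshake-error stage with a 400, so the new `/ssl_client_verify` location can only ever answer `SUCCESS` or `NONE` and a "bad client cert" test case never reaches the `return 200` line. If the suite needs to observe a failed verification it should use `ssl_verify_client optional_no_ca;`, which lets the request through and sets `$ssl_client_verify` to `FAILED:<reason>`; if only presence/absence is tested, a comment saying so next to the directive would stop the next reader from adding such a case. The `return 200 "..."` response also inherits whatever `default_type` the main config sets, so `default_type text/plain;` inside that location makes the probe self-describing. The `server {` block opens and closes outside this hunk.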