Run acceptance tests in travis

.sync.yml

@@ -18,5 +18,8 @@ spec/spec_helper.rb:
   - rvm: 2.4.4
     bundler_args: --without system_tests development release
     env: PUPPET_VERSION="~> 5.0" CHECK=build DEPLOY_TO_FORGE=yes
+  - rvm: 2.5.1
+    bundler_args: --without development release
+    env: CHECK=acceptance
 .rubocop.yml:
   unmanaged: true

.travis.yml

@@ -1,12 +1,13 @@
 ---
-sudo: false
 dist: trusty
 language: ruby
 cache: bundler
 before_install:
   - rm -f Gemfile.lock
 script:
   - 'bundle exec rake $CHECK'
+services:
+  - docker
 matrix:
   fast_finish: true
   include:
@@ -22,6 +23,9 @@ matrix:
   - rvm: 2.4.4
     bundler_args: --without system_tests development release
     env: PUPPET_VERSION="~> 5.0" CHECK=build DEPLOY_TO_FORGE=yes
+  - rvm: 2.5.1
+    bundler_args: --without development release
+    env: CHECK=acceptance
 branches:
   only:
   - master

lib/puppet/functions/vault_lookup/lookup.rb

@@ -18,7 +18,8 @@ def lookup(path, vault_url = nil)
     # host is defined.
     raise Puppet::Error, "Unable to parse a hostname from #{vault_url}" unless uri.hostname
 
-    connection = Puppet::Network::HttpPool.http_ssl_instance(uri.host, uri.port)
+    use_ssl = uri.scheme == 'https'
+    connection = Puppet::Network::HttpPool.http_instance(uri.host, uri.port, use_ssl)
 
     token = get_auth_token(connection)
 

spec/acceptance/fixtures/vault_config.hcl

@@ -8,7 +8,8 @@
     "tcp": {
       "address": "0.0.0.0:8200",
       "tls_key_file": "/vault/config/vault.key",
-      "tls_cert_file": "/vault/config/vault.cert"
+      "tls_cert_file": "/vault/config/vault.cert",
+      "tls_client_ca_file": "/vault/config/certbundle.pem"
     }
   }
 }

spec/acceptance/lookup_spec.rb

@@ -15,24 +15,14 @@
     scp_to(vault, 'spec/acceptance/fixtures/unseal.sh', '/root/unseal.sh')
     on(vault, 'su root /root/unseal.sh')
 
-    # Move the PKI infrastructure created on the vault container onto puppetserver
-    tmpdir = Dir.mktmpdir
-    scp_from(vault, '/root/ca/intermediate/private/intermediate.key.pem', tmpdir)
-    scp_from(vault, '/vault/config/crlchain.pem', tmpdir)
-    scp_from(vault, '/vault/config/certbundle.pem', tmpdir)
-    scp_to(master, "#{tmpdir}/crlchain.pem", '/root/crlchain.pem')
-    scp_to(master, "#{tmpdir}/intermediate.key.pem", '/root/intermediate.key.pem')
-    scp_to(master, "#{tmpdir}/certbundle.pem", '/root/certbundle.pem')
-
-    # Something fails here with the find and delete file type, and the ca/infra_serials
-    # is often left behind or instantly regenerated after the delete; sleeping momentarily
-    # and then trying to ensure it is deleted has been successful...
-    on(master, 'find /etc/puppetlabs/puppet/ssl/ -type f -delete')
-    sleep 3
-    on(master, 'rm /etc/puppetlabs/puppet/ssl/ca/infra_serials', acceptable_exit_codes: [0, 1])
-
-    on(master, '/opt/puppetlabs/bin/puppetserver ca import --cert-bundle /root/certbundle.pem --crl-chain /root/crlchain.pem --private-key /root/intermediate.key.pem')
-    on(master, 'service puppetserver reload')
+    step 'ensure the puppetserver is up and available' do
+      opts = { desired_exit_codes: [0], max_retries: 60, retry_interval: 1 }
+      retry_on(
+        master,
+        "/opt/puppetlabs/puppet/bin/curl --insecure --fail \"https://127.0.0.1:8140/production/status/test\" | grep -q '\"is_alive\":true'",
+        opts,
+      )
+    end
   end
 
   it 'retrieves a secret from vault during an agent run' do

spec/acceptance/nodesets/docker/CertsDockerfile

@@ -0,0 +1,67 @@
+FROM alpine:3.8
+
+
+# Install openssl
+RUN apk update && apk add openssl
+
+# Setup cert infrastructure on the machine
+
+RUN mkdir /root/ca
+WORKDIR /root/ca
+COPY spec/acceptance/fixtures/root_ca_openssl.cnf /root/ca/openssl.cnf
+
+RUN mkdir certs crl newcerts private \
+  && touch index.txt \
+  && echo 1000 > serial
+RUN echo 1000 > /root/ca/crlnumber
+
+RUN openssl genrsa -out private/rootca.key.pem 4096
+RUN openssl req -config openssl.cnf \
+  -key private/rootca.key.pem \
+  -new -x509 -days 7300 -sha256 -extensions v3_ca \
+  -subj "/CN=rootca" \
+  -out certs/rootca.cert.pem
+
+RUN mkdir /root/ca/intermediate
+COPY spec/acceptance/fixtures/intermediate_ca_openssl.cnf /root/ca/intermediate/openssl.cnf
+
+WORKDIR /root/ca/intermediate/
+RUN mkdir certs crl csr newcerts private \
+  && touch index.txt \
+  && echo 1000 > serial
+RUN echo 1000 > /root/ca/intermediate/crlnumber
+
+WORKDIR /root/ca
+RUN openssl genrsa -out intermediate/private/intermediate.key.pem 4096
+RUN openssl req -config intermediate/openssl.cnf -new -sha256 \
+      -key intermediate/private/intermediate.key.pem \
+      -subj "/CN=intermediateca" \
+      -out intermediate/csr/intermediate.csr.pem
+
+RUN openssl ca -config openssl.cnf -extensions v3_intermediate_ca \
+      -days 3650 -batch -notext -md sha256 \
+      -in intermediate/csr/intermediate.csr.pem \
+      -out intermediate/certs/intermediate.cert.pem
+
+RUN cat  intermediate/certs/intermediate.cert.pem certs/rootca.cert.pem \
+      > intermediate/certs/ca-bundle.cert.pem
+
+RUN openssl genrsa -out intermediate/private/vault.key.pem 2048
+RUN openssl req -config intermediate/openssl.cnf \
+      -key intermediate/private/vault.key.pem \
+      -subj "/CN=vault.local" \
+      -new -sha256 -out intermediate/csr/vault.csr.pem
+RUN openssl ca -config intermediate/openssl.cnf \
+      -extensions server_cert -days 375 -batch -notext -md sha256 \
+      -in intermediate/csr/vault.csr.pem \
+      -out intermediate/certs/vault.cert.pem
+
+RUN openssl ca -config intermediate/openssl.cnf \
+      -gencrl -out intermediate/crl/intermediate.crl.pem
+
+RUN openssl ca -config openssl.cnf \
+      -gencrl -out crl/rootca.crl.pem
+
+RUN cat intermediate/crl/intermediate.crl.pem crl/rootca.crl.pem > intermediate/crl/crlchain.pem
+
+CMD tail -f /dev/null

spec/acceptance/nodesets/docker/PuppetserverDockerfile

@@ -0,0 +1,12 @@
+FROM certs:latest as certs
+
+FROM puppet/puppetserver-standalone:6.0.1
+
+COPY --from=certs /root/ca/intermediate/private/intermediate.key.pem /root/intermediate.key.pem
+COPY --from=certs /root/ca/intermediate/crl/crlchain.pem /root/crlchain.pem
+COPY --from=certs /root/ca/intermediate/certs/ca-bundle.cert.pem /root/certbundle.pem
+
+RUN /opt/puppetlabs/bin/puppetserver ca import \
+  --cert-bundle /root/certbundle.pem \
+  --crl-chain /root/crlchain.pem \
+  --private-key /root/intermediate.key.pem

spec/acceptance/nodesets/docker/VaultDockerfile

@@ -1,70 +1,12 @@
+FROM certs:latest as certs
 FROM vault:0.11.0
 
 COPY spec/acceptance/fixtures/vault_config.hcl /vault/config/vault_config.hcl
 
-# Install openssl
-RUN apk update && apk add openssl
 
-# Setup cert infrastructure on the machine
+COPY --from=certs /root/ca/intermediate/crl/crlchain.pem /vault/config/crlchain.pem
+COPY --from=certs /root/ca/intermediate/private/vault.key.pem /vault/config/vault.key
+COPY --from=certs /root/ca/intermediate/certs/vault.cert.pem /vault/config/vault.cert
+COPY --from=certs /root/ca/intermediate/certs/ca-bundle.cert.pem /vault/config/certbundle.pem
 
-RUN mkdir /root/ca
-WORKDIR /root/ca
-COPY spec/acceptance/fixtures/root_ca_openssl.cnf /root/ca/openssl.cnf
-
-RUN mkdir certs crl newcerts private \
-  && touch index.txt \
-  && echo 1000 > serial
-RUN echo 1000 > /root/ca/crlnumber
-
-RUN openssl genrsa -out private/rootca.key.pem 4096
-RUN openssl req -config openssl.cnf \
-  -key private/rootca.key.pem \
-  -new -x509 -days 7300 -sha256 -extensions v3_ca \
-  -subj "/CN=rootca" \
-  -out certs/rootca.cert.pem
-
-RUN mkdir /root/ca/intermediate
-COPY spec/acceptance/fixtures/intermediate_ca_openssl.cnf /root/ca/intermediate/openssl.cnf
-
-WORKDIR /root/ca/intermediate/
-RUN mkdir certs crl csr newcerts private \
-  && touch index.txt \
-  && echo 1000 > serial
-RUN echo 1000 > /root/ca/intermediate/crlnumber
-
-WORKDIR /root/ca
-RUN openssl genrsa -out intermediate/private/intermediate.key.pem 4096
-RUN openssl req -config intermediate/openssl.cnf -new -sha256 \
-      -key intermediate/private/intermediate.key.pem \
-      -subj "/CN=intermediateca" \
-      -out intermediate/csr/intermediate.csr.pem
-
-RUN openssl ca -config openssl.cnf -extensions v3_intermediate_ca \
-      -days 3650 -batch -notext -md sha256 \
-      -in intermediate/csr/intermediate.csr.pem \
-      -out intermediate/certs/intermediate.cert.pem
-
-RUN cat  intermediate/certs/intermediate.cert.pem certs/rootca.cert.pem \
-      > intermediate/certs/ca-bundle.cert.pem
-
-RUN openssl genrsa -out intermediate/private/vault.key.pem 2048
-RUN openssl req -config intermediate/openssl.cnf \
-      -key intermediate/private/vault.key.pem \
-      -subj "/CN=vault.local" \
-      -new -sha256 -out intermediate/csr/vault.csr.pem
-RUN openssl ca -config intermediate/openssl.cnf \
-      -extensions server_cert -days 375 -batch -notext -md sha256 \
-      -in intermediate/csr/vault.csr.pem \
-      -out intermediate/certs/vault.cert.pem
-
-RUN openssl ca -config intermediate/openssl.cnf \
-      -gencrl -out intermediate/crl/intermediate.crl.pem
-
-RUN openssl ca -config openssl.cnf \
-      -gencrl -out crl/rootca.crl.pem
-
-RUN cat intermediate/crl/intermediate.crl.pem crl/rootca.crl.pem > /vault/config/crlchain.pem
-RUN cp /root/ca/intermediate/private/vault.key.pem /vault/config/vault.key
-RUN cp /root/ca/intermediate/certs/vault.cert.pem /vault/config/vault.cert
-RUN cp /root/ca/intermediate/certs/ca-bundle.cert.pem /vault/config/certbundle.pem
 CMD ["server"]

spec/acceptance/nodesets/docker/docker.yml

@@ -1,18 +1,22 @@
 ---
 HOSTS:
-  puppetserver.local:
-    platform: ubuntu-1604-x86_64 
+  certs.local:
+    platform: alpine-3.8-x86_64
     hypervisor: docker
-    image: puppet/puppetserver-standalone:6.0.1
-    roles:
-      - master
-    use_image_entry_point: true
+    dockerfile: spec/acceptance/nodesets/docker/CertsDockerfile
+    tag: certs
   vault.local:
     platform: alpine-3.8-x86_64
     hypervisor: docker
     dockerfile: spec/acceptance/nodesets/docker/VaultDockerfile
     roles:
       - vault
+  puppetserver.local:
+    platform: ubuntu-1604-x86_64 
+    hypervisor: docker
+    dockerfile: spec/acceptance/nodesets/docker/PuppetserverDockerfile
+    roles:
+      - master
 CONFIG:
   nfs_server: none
   consoleport: 443

spec/functions/lookup_spec.rb

@@ -66,7 +66,7 @@
 
   it 'raises a Puppet error when auth fails' do
     connection = instance_double('Puppet::Network::HTTP::Connection', address: 'vault.doesnotexist')
-    expect(Puppet::Network::HttpPool).to receive(:http_ssl_instance).with('vault.doesnotexist', 8200).and_return(connection)
+    expect(Puppet::Network::HttpPool).to receive(:http_instance).and_return(connection)
 
     response = Net::HTTPForbidden.new('1.1', 403, auth_failure_data)
     allow(response).to receive(:body).and_return(auth_failure_data)
@@ -79,7 +79,7 @@
 
   it 'raises a Puppet error when data lookup fails' do
     connection = instance_double('Puppet::Network::HTTP::Connection', address: 'vault.doesnotexist')
-    expect(Puppet::Network::HttpPool).to receive(:http_ssl_instance).with('vault.doesnotexist', 8200).and_return(connection)
+    expect(Puppet::Network::HttpPool).to receive(:http_instance).and_return(connection)
 
     auth_response = Net::HTTPOK.new('1.1', 200, '')
     expect(auth_response).to receive(:body).and_return(auth_success_data)
@@ -99,7 +99,7 @@
 
   it 'logs on, requests a secret using a token, and returns the data wrapped in the Sensitive type' do
     connection = instance_double('Puppet::Network::HTTP::Connection', address: 'vault.doesnotexist')
-    expect(Puppet::Network::HttpPool).to receive(:http_ssl_instance).with('vault.doesnotexist', 8200).and_return(connection)
+    expect(Puppet::Network::HttpPool).to receive(:http_instance).and_return(connection)
 
     auth_response = Net::HTTPOK.new('1.1', 200, '')
     expect(auth_response).to receive(:body).and_return(auth_success_data)
@@ -121,7 +121,7 @@
     stub_const('ENV', ENV.to_hash.merge('VAULT_ADDR' => 'https://vaultenv.doesnotexist:8200'))
 
     connection = instance_double('Puppet::Network::HTTP::Connection', address: 'vaultenv.doesnotexist:8200')
-    expect(Puppet::Network::HttpPool).to receive(:http_ssl_instance).with('vaultenv.doesnotexist', 8200).and_return(connection)
+    expect(Puppet::Network::HttpPool).to receive(:http_instance).with('vaultenv.doesnotexist', 8200, true).and_return(connection)
 
     auth_response = Net::HTTPOK.new('1.1', 200, '')
     expect(auth_response).to receive(:body).and_return(auth_success_data)