nixpkgs/nixos/tests/keystone.nix
Antoine Eiche a932f68d9c nixos/keystone: secrets can be read from files
A secret can be stored in a file. It is written at runtime in the
configuration file.
Note it is also possible to write them in the nix store for dev
purposes.
2016-12-16 20:53:32 +01:00

80 lines
2.6 KiB
Nix

{ system ? builtins.currentSystem }:
with import ../lib/testing.nix { inherit system; };
with pkgs.lib;
let
keystoneMysqlPassword = "keystoneMysqlPassword";
keystoneMysqlPasswordFile = "/var/run/keystoneMysqlPassword";
keystoneAdminPassword = "keystoneAdminPassword";
createKeystoneDb = pkgs.writeText "create-keystone-db.sql" ''
create database keystone;
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY '${keystoneMysqlPassword}';
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY '${keystoneMysqlPassword}';
'';
# The admin keystone account
adminOpenstackCmd = "OS_TENANT_NAME=admin OS_USERNAME=admin OS_PASSWORD=${keystoneAdminPassword} OS_AUTH_URL=http://localhost:5000/v3 OS_IDENTITY_API_VERSION=3 openstack";
# The created demo keystone account
demoOpenstackCmd = "OS_TENANT_NAME=demo OS_USERNAME=demo OS_PASSWORD=demo OS_AUTH_URL=http://localhost:5000/v3 OS_IDENTITY_API_VERSION=3 openstack";
in makeTest {
machine =
{ config, pkgs, ... }:
{
# This is to simulate nixops deployment process.
# https://nixos.org/nixops/manual/#opt-deployment.keys
boot.postBootCommands = "echo ${keystoneMysqlPassword} > ${keystoneMysqlPasswordFile}";
services.mysql.enable = true;
services.mysql.initialScript = createKeystoneDb;
virtualisation = {
openstack.keystone = {
enable = true;
# Check if we can get the secret from a file
database.password = {
value = keystoneMysqlPasswordFile;
storage = "fromFile";
};
adminToken = {
value = "adminToken";
storage = "fromNixStore";
};
bootstrap.enable = true;
# Check if we can get the secret from the store
bootstrap.adminPassword = {
value = keystoneAdminPassword;
storage = "fromNixStore";
};
};
memorySize = 2096;
diskSize = 4 * 1024;
};
environment.systemPackages = with pkgs.pythonPackages; with pkgs; [
openstackclient
];
};
testScript =
''
$machine->waitForUnit("keystone-all.service");
# Verify that admin ccount is working
$machine->succeed("${adminOpenstackCmd} token issue");
# Try to create a new user
$machine->succeed("${adminOpenstackCmd} project create --domain default --description 'Demo Project' demo");
$machine->succeed("${adminOpenstackCmd} user create --domain default --password demo demo");
$machine->succeed("${adminOpenstackCmd} role create user");
$machine->succeed("${adminOpenstackCmd} role add --project demo --user demo user");
# Verify this new account is working
$machine->succeed("${demoOpenstackCmd} token issue");
'';
}