Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CASMNET-2241 - Resolve external DNS test fails with port present in URL #614

Merged
merged 2 commits into from
Oct 30, 2024
Merged

CASMNET-2241 - Resolve external DNS test fails with port present in URL #614

merged 2 commits into from
Oct 30, 2024

Conversation

spillerc-hpe
Copy link
Contributor

Summary and Scope

The Resolve external DNS Goss test fails if LDAP has been configured with a port in the URL as the script doesn't remove the port from the hostname before issuing the DNS query.

FIRST_URL=ldap.example.com:636
host -4 -t A ldap.example.com:636
Host ldap.example.com:636 not found: 3(NXDOMAIN)

This PR changes the test to be able to correctly handle a URL with a port while maintaining backwards compatibility with URLs that do not.

Issues and Related PRs

Testing

List the environments in which these changes were tested.

Tested on:

  • drax

Test description:

URL without port

ncn-m002:~/cspiller # ./check_goss_k8s_resolve_external_dns.sh
SYSTEM_NAME=drax
SITE_DOMAIN=hpc.amslabs.hpecorp.net
SYSTEM_DOMAIN=drax.hpc.amslabs.hpecorp.net
INGRESS=https://auth.cmn.drax.hpc.amslabs.hpecorp.net
FORWARD_ADDR=16.110.135.51
LDAP_PROVIDER={
--snip--
Unbound and LDAP are configured
CONNECTION_URLS=ldaps://dcldap2.hpc.amslabs.hpecorp.net
FIRST_URL=dcldap2.hpc.amslabs.hpecorp.net
Attempting to resolve (A record) dcldap2.hpc.amslabs.hpecorp.net
dcldap2.hpc.amslabs.hpecorp.net has address 10.101.116.10
PASSED
ncn-m002:~/cspiller # ./check_goss_k8s_resolve_external_dns.sh
SYSTEM_NAME=drax
SITE_DOMAIN=hpc.amslabs.hpecorp.net
SYSTEM_DOMAIN=drax.hpc.amslabs.hpecorp.net
INGRESS=https://auth.cmn.drax.hpc.amslabs.hpecorp.net
FORWARD_ADDR=16.110.135.51
LDAP_PROVIDER={
  "id": "23ef31ae-1143-4e94-935d-4abec8b66836",
  "name": "shasta-user-federation-ldap",
  "providerId": "ldap",
  "providerType": "org.keycloak.storage.UserStorageProvider",
  "parentId": "d086f62a-b2a1-481a-88eb-4a2ae272858f",
  "config": {
    "fullSyncPeriod": [
      "-1"
    ],
    "pagination": [
      "true"
    ],
    "startTls": [
      "false"
    ],
    "usersDn": [
      "dc=dcldap,dc=dit"
    ],
    "connectionPooling": [
      "true"
    ],
    "cachePolicy": [
      "DEFAULT"
    ],
    "useKerberosForPasswordAuthentication": [
      "false"
    ],
    "importEnabled": [
      "true"
    ],
    "enabled": [
      "true"
    ],
    "usernameLDAPAttribute": [
      "uid"
    ],
    "changedSyncPeriod": [
      "-1"
    ],
    "lastSync": [
      "1728039651"
    ],
    "vendor": [
      "other"
    ],
    "uuidLDAPAttribute": [
      "uid"
    ],
    "allowKerberosAuthentication": [
      "false"
    ],
    "connectionUrl": [
      "ldaps://dcldap2.hpc.amslabs.hpecorp.net"
    ],
    "syncRegistrations": [
      "false"
    ],
    "authType": [
      "none"
    ],
    "debug": [
      "true"
    ],
    "searchScope": [
      "2"
    ],
    "useTruststoreSpi": [
      "ldapsOnly"
    ],
    "usePasswordModifyExtendedOp": [
      "false"
    ],
    "trustEmail": [
      "false"
    ],
    "priority": [
      "1"
    ],
    "userObjectClasses": [
      "posixAccount"
    ],
    "rdnLDAPAttribute": [
      "uid"
    ],
    "editMode": [
      "READ_ONLY"
    ],
    "validatePasswordPolicy": [
      "false"
    ],
    "batchSizeForSync": [
      "4000"
    ]
  }
}
Unbound and LDAP are configured
CONNECTION_URLS=ldaps://dcldap2.hpc.amslabs.hpecorp.net
FIRST_URL=dcldap2.hpc.amslabs.hpecorp.net
Attempting to resolve (A record) dcldap2.hpc.amslabs.hpecorp.net
dcldap2.hpc.amslabs.hpecorp.net has address 10.101.116.10
PASSED

URL with port

ncn-m002:~/cspiller # ./check_goss_k8s_resolve_external_dns.sh
SYSTEM_NAME=drax
SITE_DOMAIN=hpc.amslabs.hpecorp.net
SYSTEM_DOMAIN=drax.hpc.amslabs.hpecorp.net
INGRESS=https://auth.cmn.drax.hpc.amslabs.hpecorp.net
FORWARD_ADDR=16.110.135.51
LDAP_PROVIDER={
--snip--
Unbound and LDAP are configured
CONNECTION_URLS=ldaps://dcldap2.hpc.amslabs.hpecorp.net:636
FIRST_URL=dcldap2.hpc.amslabs.hpecorp.net
Attempting to resolve (A record) dcldap2.hpc.amslabs.hpecorp.net
dcldap2.hpc.amslabs.hpecorp.net has address 10.101.116.10
PASSED
ncn-m002:~/cspiller # ./check_goss_k8s_resolve_external_dns.sh
SYSTEM_NAME=drax
SITE_DOMAIN=hpc.amslabs.hpecorp.net
SYSTEM_DOMAIN=drax.hpc.amslabs.hpecorp.net
INGRESS=https://auth.cmn.drax.hpc.amslabs.hpecorp.net
FORWARD_ADDR=16.110.135.51
LDAP_PROVIDER={
  "id": "23ef31ae-1143-4e94-935d-4abec8b66836",
  "name": "shasta-user-federation-ldap",
  "providerId": "ldap",
  "providerType": "org.keycloak.storage.UserStorageProvider",
  "parentId": "d086f62a-b2a1-481a-88eb-4a2ae272858f",
  "config": {
    "fullSyncPeriod": [
      "-1"
    ],
    "pagination": [
      "true"
    ],
    "startTls": [
      "false"
    ],
    "usersDn": [
      "dc=dcldap,dc=dit"
    ],
    "connectionPooling": [
      "true"
    ],
    "cachePolicy": [
      "DEFAULT"
    ],
    "useKerberosForPasswordAuthentication": [
      "false"
    ],
    "importEnabled": [
      "true"
    ],
    "enabled": [
      "true"
    ],
    "usernameLDAPAttribute": [
      "uid"
    ],
    "changedSyncPeriod": [
      "-1"
    ],
    "lastSync": [
      "1728039651"
    ],
    "vendor": [
      "other"
    ],
    "uuidLDAPAttribute": [
      "uid"
    ],
    "connectionUrl": [
      "ldaps://dcldap2.hpc.amslabs.hpecorp.net:636"
    ],
    "allowKerberosAuthentication": [
      "false"
    ],
    "syncRegistrations": [
      "false"
    ],
    "authType": [
      "none"
    ],
    "debug": [
      "true"
    ],
    "searchScope": [
      "2"
    ],
    "useTruststoreSpi": [
      "ldapsOnly"
    ],
    "usePasswordModifyExtendedOp": [
      "false"
    ],
    "trustEmail": [
      "false"
    ],
    "priority": [
      "1"
    ],
    "userObjectClasses": [
      "posixAccount"
    ],
    "rdnLDAPAttribute": [
      "uid"
    ],
    "editMode": [
      "READ_ONLY"
    ],
    "validatePasswordPolicy": [
      "false"
    ],
    "batchSizeForSync": [
      "4000"
    ]
  }
}
Unbound and LDAP are configured
CONNECTION_URLS=ldaps://dcldap2.hpc.amslabs.hpecorp.net:636
FIRST_URL=dcldap2.hpc.amslabs.hpecorp.net
Attempting to resolve (A record) dcldap2.hpc.amslabs.hpecorp.net
dcldap2.hpc.amslabs.hpecorp.net has address 10.101.116.10
PASSED

Multiple URLs

ncn-m002:~/cspiller # ./check_goss_k8s_resolve_external_dns.sh
SYSTEM_NAME=drax
SITE_DOMAIN=hpc.amslabs.hpecorp.net
SYSTEM_DOMAIN=drax.hpc.amslabs.hpecorp.net
INGRESS=https://auth.cmn.drax.hpc.amslabs.hpecorp.net
FORWARD_ADDR=16.110.135.51
LDAP_PROVIDER={
--snip--
Unbound and LDAP are configured
CONNECTION_URLS=ldaps://dcldap2.hpc.amslabs.hpecorp.net:636 ldaps://dcldap3.hpc.amslabs.hpecorp.net:636
FIRST_URL=dcldap2.hpc.amslabs.hpecorp.net
Attempting to resolve (A record) dcldap2.hpc.amslabs.hpecorp.net
dcldap2.hpc.amslabs.hpecorp.net has address 10.101.116.10
PASSED
ncn-m002:~/cspiller # ./check_goss_k8s_resolve_external_dns.sh
SYSTEM_NAME=drax
SITE_DOMAIN=hpc.amslabs.hpecorp.net
SYSTEM_DOMAIN=drax.hpc.amslabs.hpecorp.net
INGRESS=https://auth.cmn.drax.hpc.amslabs.hpecorp.net
FORWARD_ADDR=16.110.135.51
LDAP_PROVIDER={
  "id": "23ef31ae-1143-4e94-935d-4abec8b66836",
  "name": "shasta-user-federation-ldap",
  "providerId": "ldap",
  "providerType": "org.keycloak.storage.UserStorageProvider",
  "parentId": "d086f62a-b2a1-481a-88eb-4a2ae272858f",
  "config": {
    "fullSyncPeriod": [
      "-1"
    ],
    "pagination": [
      "true"
    ],
    "startTls": [
      "false"
    ],
    "connectionPooling": [
      "true"
    ],
    "usersDn": [
      "dc=dcldap,dc=dit"
    ],
    "cachePolicy": [
      "DEFAULT"
    ],
    "useKerberosForPasswordAuthentication": [
      "false"
    ],
    "importEnabled": [
      "true"
    ],
    "enabled": [
      "true"
    ],
    "changedSyncPeriod": [
      "-1"
    ],
    "usernameLDAPAttribute": [
      "uid"
    ],
    "lastSync": [
      "1728039651"
    ],
    "vendor": [
      "other"
    ],
    "uuidLDAPAttribute": [
      "uid"
    ],
    "connectionUrl": [
      "ldaps://dcldap2.hpc.amslabs.hpecorp.net:636 ldaps://dcldap3.hpc.amslabs.hpecorp.net:636"
    ],
    "allowKerberosAuthentication": [
      "false"
    ],
    "syncRegistrations": [
      "false"
    ],
    "authType": [
      "none"
    ],
    "debug": [
      "true"
    ],
    "searchScope": [
      "2"
    ],
    "useTruststoreSpi": [
      "ldapsOnly"
    ],
    "usePasswordModifyExtendedOp": [
      "false"
    ],
    "trustEmail": [
      "false"
    ],
    "priority": [
      "1"
    ],
    "userObjectClasses": [
      "posixAccount"
    ],
    "rdnLDAPAttribute": [
      "uid"
    ],
    "editMode": [
      "READ_ONLY"
    ],
    "validatePasswordPolicy": [
      "false"
    ],
    "batchSizeForSync": [
      "4000"
    ]
  }
}
Unbound and LDAP are configured
CONNECTION_URLS=ldaps://dcldap2.hpc.amslabs.hpecorp.net:636 ldaps://dcldap3.hpc.amslabs.hpecorp.net:636
FIRST_URL=dcldap2.hpc.amslabs.hpecorp.net
Attempting to resolve (A record) dcldap2.hpc.amslabs.hpecorp.net
dcldap2.hpc.amslabs.hpecorp.net has address 10.101.116.10
PASSED

CSM health validation using old script

Using CONNECTION_URLS=ldaps://dcldap2.hpc.amslabs.hpecorp.net:636 ldaps://dcldap3.hpc.amslabs.hpecorp.net:636

ncn-m001:~ # /opt/cray/tests/install/ncn/automated/ncn-k8s-combined-healthcheck
NCN and Kubernetes Checks
------------------------------

DEBUG: cmsdev_test_list='bos cfs conman ims tftp vcs'
Writing full output to /opt/cray/tests/install/logs/print_goss_json_results/20241029_112901.152373-935911-MV3uMl4m/out

Running tests

Checking test results
Only errors will be printed to the screen

Result: FAIL
Source: http://ncn-m001.hmn:8998/ncn-healthcheck-master-single
Test Name: Resolve external DNS
Description: Validates that an external DNS name resolves.

The test passes if LDAP is not configured or if LDAP is configured and the first configured LDAP server hostname can be resolved.
The test fails in any of the following cases:

* Unbound is not configured
* The LDAP 'providerId' is configured but the LDAP 'connectionURL' is not.
* The LDAP server hostname fails to resolve.

In the case of failure, manually run /opt/cray/tests/install/ncn/scripts/check_goss_k8s_resolve_external_dns.sh on a Kubernetes NCN to see why the test failed.
Refer to 'operations/network/dns/Troubleshoot_Common_DNS_Issues.md' in the CSM documentation to troubleshoot external DNS issues.

Test Summary: Command: resolve_external_dns: exit-status:
Expected
    <int>: 1
to equal
    <int>: 0
Execution Time: 0.000020930 seconds
Node: ncn-m001



GRAND TOTAL: 647 passed, 1 failed
ERROR: There was at least one test failure

FAILED

CSM health validation using new script

Using CONNECTION_URLS=ldaps://dcldap2.hpc.amslabs.hpecorp.net:636 ldaps://dcldap3.hpc.amslabs.hpecorp.net:636

ncn-m001:~ # /opt/cray/tests/install/ncn/automated/ncn-k8s-combined-healthcheck
NCN and Kubernetes Checks
------------------------------

DEBUG: cmsdev_test_list='bos cfs conman ims tftp vcs'
Writing full output to /opt/cray/tests/install/logs/print_goss_json_results/20241029_113238.851943-960144-SAcnEddu/out

Running tests

Checking test results
Only errors will be printed to the screen

GRAND TOTAL: 648 passed, 0 failed

PASSED

Risks and Mitigations

Pull Request Checklist

  • Version number(s) incremented, if applicable
  • Copyrights updated
  • License file intact
  • Target branch correct
  • CHANGELOG.md updated
  • Testing is appropriate and complete, if applicable
  • HPC Product Announcement prepared, if applicable

@spillerc-hpe spillerc-hpe requested a review from a team as a code owner October 29, 2024 11:42
@spillerc-hpe spillerc-hpe merged commit baf7b52 into release/1.6 Oct 30, 2024
3 checks passed
@spillerc-hpe spillerc-hpe deleted the CASMNET-2241 branch October 30, 2024 09:53
@spillerc-hpe
Copy link
Contributor Author

/backport release/1.5

@github-actions GitHub Actions
Copy link
Contributor

Backporting into branch release/1.5 was successful. New PR: #616

@github-actions github-actions bot mentioned this pull request Oct 30, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jacobsalmela jacobsalmela jacobsalmela approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@spillerc-hpe @jacobsalmela