#!/bin/bash
# Validate the salt-generated nginx configs
[[ $(whoami) == 'root' ]] || { echo 'Please run this script as root'; exit 1; }
source bin/get_colors.sh
reset_nginx() {
rm -rf /etc/nginx
cp -a /etc/nginx_orig /etc/nginx
printf "roles:\n- $role" > /etc/salt/grains
}
reset_ip() {
# Reset the grains-retrieved IPs to 127.0.0.1, as `nginx -t` actually tries
# to bind to any configured listen IP
sed -i -e "s/{{ ip4_.* }}/127.0.0.1/g" pillar/role/$role.sls
}
create_fake_certs() {
# We are replacing both the cert/key pair because:
# - the key is encrypted and the CI worker can't decrypt it
# - the nginx validation command tries to match the pair
PRIVATE_KEYS=( $(grep ssl_certificate_key pillar/role/$role.sls | cut -d':' -f2) )
for key in ${PRIVATE_KEYS[@]}; do
if [[ ${key##*.} != 'key' ]]; then
echo "pillar/role/$role.sls \"ssl_certificate_key: $key\" should have extension .key"
STATUS=1
else
cp test/fixtures/domain.key $key
fi
done
PUBLIC_CERTS=( $(grep "ssl_certificate:" pillar/role/$role.sls | cut -d':' -f2) )
for cert in ${PUBLIC_CERTS[@]}; do
if [[ ${cert##*.} != 'crt' ]]; then
echo "pillar/role/$role.sls \"ssl_certificate: $cert\" should have extension .crt"
STATUS=1
else
cp test/fixtures/domain.crt $cert
fi
done
}
cp -a /etc/nginx /etc/nginx_orig
WEB_ROLES=( $(bin/get_roles.py) )
for role in ${WEB_ROLES[@]}; do
if grep nginx salt/role/$role.sls > /dev/null; then
echo_INFO "Testing role: $role"
reset_nginx
reset_ip
salt-call --local -l quiet state.apply role.$role > /dev/null
create_fake_certs
if $(nginx -tq); then
echo_PASSED
else
echo_FAILED
STATUS=1
fi
echo
fi
done
exit $STATUS