New minimal test setup

local/Jenkinsfile

@@ -0,0 +1,88 @@
+properties([
+    buildDiscarder(logRotator(artifactDaysToKeepStr: '90', artifactNumToKeepStr: '7', daysToKeepStr: '', numToKeepStr: '')),
+    disableConcurrentBuilds(),
+    disableResume(),
+    parameters([
+        text(defaultValue: '''# will be appended to terraform.tfvars
+# can be used to override openvpn/ovpn-dco source branches
+# e.g.
+# openvpn_branch=release/2.6''', name: 'TERRAFORM_VARIABLES'),
+        string(description: 'Set arguments for all iperf servers',
+               name: 'IPERF_GLOBAL_SERVER_ARGS', trim: true),
+        string(defaultValue: '-t10',
+               description: 'Set arguments for all iperf clients',
+               name: 'IPERF_GLOBAL_CLIENT_ARGS', trim: true),
+    ]),
+    pipelineTriggers([[$class: 'PeriodicFolderTrigger', interval: '30m']])
+])
+
+def terraform_config() {
+    sh(label: 'terraform.tfvars', script: '''
+SANE_NAME=$(perl -wE 'my $n=lc($ARGV[0]);$n=~s/^.*%2f//;$n=substr($n,-30);$n=~s/[^a-z0-9-]/-/g;$n=~s/^-*//;print($n)' "${JOB_BASE_NAME}")
+cat <<EOF | tee terraform.tfvars
+region="eu-west-1"
+owner="$JENKINS_URL"
+email="[email protected]"
+dns_zone_name="${AWS_TEST_DNS_ZONE_NAME}"
+dns_host_name="${SANE_NAME}-${BUILD_NUMBER}"
+cluster_name="${SANE_NAME}-${BUILD_NUMBER}"
+ssh_pub_key="${AWS_TEST_SSH_PUBKEY}"
+assume_role="arn:aws:iam::${AWS_TEST_ACCOUNT}:role/${AWS_TEST_ROLE}"
+test_branch="${CHANGE_BRANCH:-${BRANCH_NAME}}"
+${TERRAFORM_VARIABLES}
+EOF
+''')
+}
+
+def terraform_apply() {
+    timeout(10) {
+        sh(label: 'terraform apply', script: '''
+#export TF_LOG=trace
+terraform init -no-color -lockfile=readonly
+terraform apply -auto-approve -no-color
+''')
+    }
+}
+
+def terraform_destroy() {
+    retry(2) {
+        sh(label: 'terraform destroy', script: '''
+terraform destroy -auto-approve -no-color
+''')
+    }
+}
+
+def git_checkout() {
+    stage("Git checkout") {
+        cleanWs()
+        checkout scm
+    }
+}
+
+node(env.AWS_TEST_TERRAFORM_NODE) {
+    git_checkout()
+    stage('Terraform Prepare') {
+        try {
+            dir('terraform/openvpn-server') {
+                terraform_config()
+                terraform_apply()
+            }
+            sshagent([env.AWS_TEST_SSH_SECRET]) {
+                stage('Run Tests') {
+                    dir('local') {
+                        sh(label: 'Run Tests',
+                           script: './local_test.sh')
+                    }
+                }
+            }
+        }
+        finally {
+            stage("Cleanup") {
+                archiveArtifacts(artifacts: 'local/testlogs-*/**', allowEmptyArchive: true)
+                dir('terraform/openvpn-server') {
+                    terraform_destroy()
+                }
+            }
+        }
+    }
+}

local/README.md

@@ -0,0 +1,5 @@
+Local Tests
+===========
+
+This is intended to be run between the server and
+local client as set up by terraform.

local/client/client.conf

@@ -0,0 +1,10 @@
+port 51199
+client
+nobind
+dev tun
+ca /root/openvpn-test-server/keys/ca.crt
+cert /root/openvpn-test-server/keys/client.crt
+key /root/openvpn-test-server/keys/client.key
+remote-cert-tls server
+writepid openvpn.pid
+verb 4

local/local_test.sh

@@ -0,0 +1,97 @@
+#!/bin/bash
+
+set -eux
+
+pushd ../terraform/openvpn-server
+CLIENT=$(terraform output -raw cn_client)
+SERVER=$(terraform output -raw cn_server)
+popd
+
+OPENVPN_TESTS_PATH=/root/openvpn-test-server/openvpn-tests/local
+SSH="ssh -o UserKnownHostsFile=known_hosts"
+
+$SSH -o StrictHostKeyChecking=no "ubuntu@$SERVER" true
+$SSH -o StrictHostKeyChecking=no "ubuntu@$CLIENT" true
+$SSH "ubuntu@$SERVER" cloud-init status --wait
+$SSH "ubuntu@$CLIENT" cloud-init status --wait
+
+: ${IPERF_GLOBAL_SERVER_ARGS:=}
+: ${IPERF_GLOBAL_CLIENT_ARGS:=-t10}
+: ${RUN_NODCO:=true}
+: ${RUN_DCO:=true}
+
+LOG_DIR="testlogs-$(hostname)-$(date +%Y%m%d-%H%M%S)"
+mkdir "$LOG_DIR"
+
+TEST_COUNT=1
+
+start_server() {
+    TEST_NAME="$TEST_COUNT:$1"
+    OVPN_ARGS="$2"
+    $SSH "ubuntu@$SERVER" sudo $OPENVPN_TESTS_PATH/openvpn --cd $OPENVPN_TESTS_PATH/server \
+        --config server.conf $OVPN_ARGS >"$LOG_DIR"/$TEST_NAME.ovpn_server.log 2>&1 &
+    ovpn_server_ssh_pid=$!
+    sleep 1
+    $SSH "ubuntu@$SERVER" sudo iperf $IPERF_GLOBAL_SERVER_ARGS -s >"$LOG_DIR"/$TEST_NAME.iperf_server_tcp.log 2>&1 &
+    $SSH "ubuntu@$SERVER" sudo iperf $IPERF_GLOBAL_SERVER_ARGS -u -s >"$LOG_DIR"/$TEST_NAME.iperf_server_udp.log 2>&1 &
+}
+
+start_client() {
+    TEST_NAME="$TEST_COUNT:$1"
+    OVPN_ARGS="$2"
+    $SSH "ubuntu@$CLIENT" sudo $OPENVPN_TESTS_PATH/openvpn --cd $OPENVPN_TESTS_PATH/client \
+        --config client.conf $OVPN_ARGS --remote "$SERVER" \
+        >"$LOG_DIR"/$TEST_NAME.ovpn_client.log 2>&1 &
+    ovpn_client_ssh_pid=$!
+    sleep 5
+    $SSH "ubuntu@$CLIENT" sudo iperf $IPERF_GLOBAL_CLIENT_ARGS -c 10.199.2.1 >"$LOG_DIR"/$TEST_NAME.iperf_client_tcp.log 2>&1
+    $SSH "ubuntu@$CLIENT" sudo iperf $IPERF_GLOBAL_CLIENT_ARGS -u -c 10.199.2.1 >"$LOG_DIR"/$TEST_NAME.iperf_client_udp.log 2>&1
+    $SSH "ubuntu@$CLIENT" sudo iperf $IPERF_GLOBAL_CLIENT_ARGS -c "$SERVER" >"$LOG_DIR"/$TEST_NAME.iperf_client_novpn_tcp.log 2>&1
+    $SSH "ubuntu@$CLIENT" sudo iperf $IPERF_GLOBAL_CLIENT_ARGS -u -c "$SERVER" >"$LOG_DIR"/$TEST_NAME.iperf_client_novpn_udp.log 2>&1
+}
+
+deep_cleanup() {
+    $SSH "ubuntu@$SERVER" sudo killall $OPENVPN_TESTS_PATH/openvpn || true
+    $SSH "ubuntu@$SERVER" sudo killall iperf || true
+    $SSH "ubuntu@$CLIENT" sudo killall $OPENVPN_TESTS_PATH/openvpn || true
+    $SSH "ubuntu@$CLIENT" sudo killall iperf || true
+    sleep 5
+}
+
+post_test_handler() {
+    deep_cleanup
+    echo "Test $TEST_COUNT COMPLETED"
+    TEST_COUNT=$(( TEST_COUNT + 1 ))
+}
+
+retrieve_logs() {
+    for log in syslog cloud-init-output.log; do
+        scp -o UserKnownHostsFile=known_hosts "ubuntu@$SERVER":/var/log/$log "$LOG_DIR"/server.$log
+        scp -o UserKnownHostsFile=known_hosts "ubuntu@$CLIENT":/var/log/$log "$LOG_DIR"/client.$log
+    done
+}
+trap retrieve_logs EXIT
+
+deep_cleanup
+
+if $RUN_NODCO; then
+    start_server nodco_udp "--disable-dco --proto udp6"
+    start_client nodco_udp "--disable-dco --proto udp6"
+    post_test_handler
+
+    start_server nodco_tcp "--disable-dco --proto tcp6"
+    start_client nodco_tcp "--disable-dco --proto tcp6"
+    post_test_handler
+fi
+
+if $RUN_DCO; then
+    start_server dco_udp "--proto udp6"
+    start_client dco_udp "--proto udp6"
+    post_test_handler
+
+    start_server dco_tcp "--proto tcp6"
+    start_client dco_tcp "--proto tcp6"
+    post_test_handler
+fi
+
+deep_cleanup

local/server/server.conf

@@ -0,0 +1,15 @@
+port 51199
+dev tun
+ca /root/openvpn-test-server/keys/ca.crt
+cert /root/openvpn-test-server/keys/server.crt
+key /root/openvpn-test-server/keys/server.key
+dh /root/openvpn-test-server/keys/dh.pem
+server 10.199.2.0 255.255.255.0
+server-ipv6 fd00:abcd:199:2::/64
+topology subnet
+ifconfig-pool-persist ipp.txt 60
+writepid openvpn.pid
+keepalive 10 30
+persist-key
+status openvpn-status.log
+verb 4

terraform/openvpn-server/main.tf

@@ -33,14 +33,21 @@ provider "aws" {
       created-by  = "Terraform/OpenVPN/openvpn-tests/terraform/openvpn-server"
     }
   }
+  dynamic "assume_role" {
+    for_each = var.assume_role != "" ? toset([var.assume_role]) : []
+    content {
+      role_arn     = assume_role.value
+      session_name = var.cluster_name
+    }
+  }
 }
 
 data "aws_caller_identity" "current" {}
 
 module "pki" {
   source = "../openvpn-test-pki/"
 
-  cn       = local.cn
+  cn       = local.cn_server
   locality = var.cluster_name
   province = var.region
 }
@@ -55,5 +62,6 @@ module "vpc" {
 
 locals {
   aws_account_id = data.aws_caller_identity.current.account_id
-  cn             = "${var.dns_host_name}.${var.dns_zone_name}"
+  cn_server      = "${var.dns_host_name}-server.${var.dns_zone_name}"
+  cn_client      = "${var.dns_host_name}-client.${var.dns_zone_name}"
 }

terraform/openvpn-server/outputs.tf

@@ -9,6 +9,9 @@ output "clients" {
   value = module.pki.clients
   sensitive = true
 }
-output "cn" {
-  value = local.cn
+output "cn_server" {
+  value = local.cn_server
+}
+output "cn_client" {
+  value = local.cn_client
 }