From fc0c6b44a807eb4e2cee1a6f68ba9e283372ec88 Mon Sep 17 00:00:00 2001
From: Stanislav Levin <slev@altlinux.org>
Date: May 25 2021 07:45:49 +0000
Subject: azure: Run Base and XMLRPC tests is isolated network


The tests in these envs make DNS requests to wild(internet) NSs,
though usually tests assume the opposite making requests to
`test.` zone. This makes CI unstable and dependent on wild
resolvers and logically wrong.

In future there can be tests which may want to check BIND as
resolver(cache) for external networks. In this case such tests
should be placed on not isolated mode.

By default, a test env is not isolated from internet(as it was
before), but it may be a good idea to change this default in
future.

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>

---

diff --git a/ipatests/azure/Dockerfiles/docker-compose.yml b/ipatests/azure/Dockerfiles/docker-compose.yml
index 3bfd1a1..a6fc4e1 100644
--- a/ipatests/azure/Dockerfiles/docker-compose.yml
+++ b/ipatests/azure/Dockerfiles/docker-compose.yml
@@ -56,3 +56,4 @@ networks:
       driver: default
       config:
       - subnet: ${IPA_IPV6_SUBNET}
+    internal: ${IPA_NETWORK_INTERNAL}
diff --git a/ipatests/azure/azure_definitions/base-fedora.yml b/ipatests/azure/azure_definitions/base-fedora.yml
index f9cc3b9..a5ae194 100644
--- a/ipatests/azure/azure_definitions/base-fedora.yml
+++ b/ipatests/azure/azure_definitions/base-fedora.yml
@@ -13,6 +13,7 @@ vms:
     - test_xmlrpc/test_dns_plugin.py
     args: "-k 'not test_dns_soa'"
     type: base
+    isolated: "true"
 
   - container_job: xmlrpc
     tests:
@@ -20,3 +21,4 @@ vms:
     ignore:
     - test_xmlrpc/test_dns_plugin.py
     type: base
+    isolated: "true"
diff --git a/ipatests/azure/scripts/azure-run-base-tests.sh b/ipatests/azure/scripts/azure-run-base-tests.sh
index ee2b36c..fce1b7a 100755
--- a/ipatests/azure/scripts/azure-run-base-tests.sh
+++ b/ipatests/azure/scripts/azure-run-base-tests.sh
@@ -28,13 +28,29 @@ server_password=Secret123
 
 echo "Installing FreeIPA master for the domain ${IPA_TESTS_DOMAIN} and realm ${IPA_TESTS_REALM}"
 
+case "$IPA_NETWORK_INTERNAL" in
+    true )
+    AUTO_FORWARDERS='--no-forwarders'
+    ;;
+
+    false )
+    AUTO_FORWARDERS='--auto-forwarders'
+    ;;
+
+    * )
+    echo "Unsupported value for IPA_NETWORK_INTERNAL: '$IPA_NETWORK_INTERNAL'"
+    exit 1
+    ;;
+esac
+
 install_result=1
 { ipa-server-install -U \
     --domain "$IPA_TESTS_DOMAIN" \
     --realm "$IPA_TESTS_REALM" \
     -p "$server_password" -a "$server_password" \
-    --setup-dns --setup-kra --auto-forwarders && install_result=0 ; } || \
-    install_result=$?
+    --setup-dns --setup-kra \
+    $AUTO_FORWARDERS \
+    && install_result=0 ; } || install_result=$?
 
 rm -rf "$IPA_TESTS_LOGSDIR"
 mkdir "$IPA_TESTS_LOGSDIR"
diff --git a/ipatests/azure/scripts/azure-run-tests.sh b/ipatests/azure/scripts/azure-run-tests.sh
index 47fc066..661185a 100755
--- a/ipatests/azure/scripts/azure-run-tests.sh
+++ b/ipatests/azure/scripts/azure-run-tests.sh
@@ -44,6 +44,9 @@ IPA_TESTS_REPLICAS="${!IPA_TESTS_REPLICAS_VARNAME:-0}"
 IPA_TESTS_CONTROLLER="${PROJECT_ID}_master_1"
 IPA_TESTS_LOGSDIR="${IPA_TESTS_REPO_PATH}/ipa_envs/${IPA_TESTS_ENV_NAME}/${CI_RUNNER_LOGS_DIR}"
 
+IPA_TESTS_NETWORK_INTERNAL_VARNAME="IPA_TESTS_NETWORK_INTERNAL_${PROJECT_ID}"
+IPA_NETWORK_INTERNAL="${!IPA_TESTS_NETWORK_INTERNAL_VARNAME:-false}"
+
 IPA_TESTS_DOMAIN="${IPA_TESTS_DOMAIN:-ipa.test}"
 # bash4
 IPA_TESTS_REALM="${IPA_TESTS_DOMAIN^^}"
@@ -102,6 +105,7 @@ pushd "$project_dir"
 BUILD_REPOSITORY_LOCALPATH="$BUILD_REPOSITORY_LOCALPATH" \
 IPA_DOCKER_IMAGE="${IPA_DOCKER_IMAGE:-freeipa-azure-builder}" \
 IPA_NETWORK="${IPA_NETWORK:-ipanet}" \
+IPA_NETWORK_INTERNAL="$IPA_NETWORK_INTERNAL" \
 IPA_IPV6_SUBNET="2001:db8:1:${PROJECT_ID}::/64" \
 docker-compose -p "$PROJECT_ID" up \
     --scale replica="$IPA_TESTS_REPLICAS" \
@@ -141,6 +145,7 @@ tests_result=1
     --env IPA_TESTS_TO_RUN="$IPA_TESTS_TO_RUN" \
     --env IPA_TESTS_TO_IGNORE="$IPA_TESTS_TO_IGNORE" \
     --env IPA_TESTS_ARGS="$IPA_TESTS_ARGS" \
+    --env IPA_NETWORK_INTERNAL="$IPA_NETWORK_INTERNAL" \
     "$IPA_TESTS_CONTROLLER" \
     $BASH_CMD \
     -eux "$tests_runner" && tests_result=0 ; } || tests_result=$?
@@ -176,6 +181,7 @@ pushd "$project_dir"
 BUILD_REPOSITORY_LOCALPATH="$BUILD_REPOSITORY_LOCALPATH" \
 IPA_DOCKER_IMAGE="${IPA_DOCKER_IMAGE:-freeipa-azure-builder}" \
 IPA_NETWORK="${IPA_NETWORK:-ipanet}" \
+IPA_NETWORK_INTERNAL="$IPA_NETWORK_INTERNAL" \
 IPA_IPV6_SUBNET="2001:db8:1:${PROJECT_ID}::/64" \
 docker-compose -p "$PROJECT_ID" down
 popd
diff --git a/ipatests/azure/scripts/generate-matrix.py b/ipatests/azure/scripts/generate-matrix.py
index 56a8af9..03d97aa 100644
--- a/ipatests/azure/scripts/generate-matrix.py
+++ b/ipatests/azure/scripts/generate-matrix.py
@@ -28,6 +28,9 @@ with open(args.azure_template) as f:
             jobs[f'ipa_tests_type_{job_id}'] = vm_job.get(
                 'type', 'integration')
             jobs[f'ipa_tests_args_{job_id}'] = vm_job.get('args', '')
+            jobs[f'ipa_tests_network_internal_{job_id}'] = vm_job.get(
+                'isolated', 'false'
+            )
 
             containers = vm_job.get('containers')
             replicas = 0