Move multiva to config/ (#4808)

test/config/va-remote-a.json

@@ -0,0 +1,46 @@
+{
+  "va": {
+    "CAASERVFAILExceptions": "test/caa-servfail-exceptions.txt",
+    "userAgent": "boulder-remote-a",
+    "debugAddr": ":8011",
+    "portConfig": {
+      "httpPort": 5002,
+      "httpsPort": 5001,
+      "tlsPort": 5001
+    },
+    "dnsTries": 3,
+    "dnsResolvers": [
+      "127.0.0.1:8053",
+      "127.0.0.1:8054"
+    ],
+    "issuerDomain": "happy-hacker-ca.invalid",
+    "tls": {
+      "caCertfile": "test/grpc-creds/minica.pem",
+      "certFile": "test/grpc-creds/va.boulder/cert.pem",
+      "keyFile": "test/grpc-creds/va.boulder/key.pem"
+    },
+    "grpc": {
+      "address": ":9097",
+      "clientNames": [
+        "va.boulder"
+      ]
+    },
+    "features": {
+      "CAAValidationMethods": true,
+      "CAAAccountURI": true
+    },
+    "accountURIPrefixes": [
+      "http://boulder:4000/acme/reg/"
+    ]
+  },
+
+  "syslog": {
+    "stdoutlevel": 6,
+    "sysloglevel": 4
+  },
+
+  "common": {
+    "dnsTimeout": "1s",
+    "dnsAllowLoopbackAddresses": true
+  }
+}

test/config/va-remote-b.json

@@ -0,0 +1,46 @@
+{
+  "va": {
+    "CAASERVFAILExceptions": "test/caa-servfail-exceptions.txt",
+    "userAgent": "boulder-remote-b",
+    "debugAddr": ":8012",
+    "portConfig": {
+      "httpPort": 5002,
+      "httpsPort": 5001,
+      "tlsPort": 5001
+    },
+    "dnsTries": 3,
+    "dnsResolvers": [
+      "127.0.0.1:8053",
+      "127.0.0.1:8054"
+    ],
+    "issuerDomain": "happy-hacker-ca.invalid",
+    "tls": {
+      "caCertfile": "test/grpc-creds/minica.pem",
+      "certFile": "test/grpc-creds/va.boulder/cert.pem",
+      "keyFile": "test/grpc-creds/va.boulder/key.pem"
+    },
+    "grpc": {
+      "address": ":9098",
+      "clientNames": [
+        "va.boulder"
+      ]
+    },
+    "features": {
+      "CAAValidationMethods": true,
+      "CAAAccountURI": true
+    },
+    "accountURIPrefixes": [
+      "http://boulder:4000/acme/reg/"
+    ]
+  },
+
+  "syslog": {
+    "stdoutlevel": 6,
+    "sysloglevel": 4
+  },
+
+  "common": {
+    "dnsTimeout": "1s",
+    "dnsAllowLoopbackAddresses": true
+  }
+}

test/config/va.json

@@ -26,7 +26,21 @@
       ]
     },
     "features": {
+      "EnforceMultiVA": true,
+      "MultiVAFullResults": true
     },
+    "remoteVAs": [
+      {
+        "serverAddress": "va1.boulder:9097",
+        "timeout": "15s"
+      },
+      {
+        "serverAddress": "va1.boulder:9098",
+        "timeout": "15s"
+      }
+    ],
+    "maxRemoteValidationFailures": 1,
+    "multiVAPolicyFile": "test/example-multiva-policy.yaml",
     "accountURIPrefixes": [
       "http://boulder:4000/acme/reg/",
       "http://boulder:4001/acme/acct/"

test/startservers.py

@@ -59,13 +59,12 @@ def start(race_detection, fakeclock):
     # killed in reverse order.
     progs = []
     if CONFIG_NEXT:
-        # Run the two 'remote' VAs
         progs.extend([
-            [8011, './bin/boulder-remoteva --config %s' % os.path.join(config_dir, "va-remote-a.json")],
-            [8012, './bin/boulder-remoteva --config %s' % os.path.join(config_dir, "va-remote-b.json")],
             [8020, './bin/bad-key-revoker --config %s' % os.path.join(config_dir, "bad-key-revoker.json")],
         ])
     progs.extend([
+        [8011, './bin/boulder-remoteva --config %s' % os.path.join(config_dir, "va-remote-a.json")],
+        [8012, './bin/boulder-remoteva --config %s' % os.path.join(config_dir, "va-remote-b.json")],
         [53, './bin/sd-test-srv --listen :53'], # Service discovery DNS server
         [8003, './bin/boulder-sa --config %s --addr sa1.boulder:9095 --debug-addr :8003' % os.path.join(config_dir, "sa.json")],
         [8103, './bin/boulder-sa --config %s --addr sa2.boulder:9095 --debug-addr :8103' % os.path.join(config_dir, "sa.json")],

test/v2_integration.py

@@ -916,11 +916,6 @@ def multiva_setup(client, guestlist, domain=None):
     return hostname, cleanup
 
 def test_http_multiva_threshold_pass():
-    # Only config-next has remote VAs configured and is appropriate for this
-    # integration test.
-    if not CONFIG_NEXT:
-        return
-
     client = chisel2.make_client()
 
     # Configure a guestlist that will pass the multiVA threshold test by
@@ -937,11 +932,6 @@ def test_http_multiva_threshold_pass():
         cleanup()
 
 def test_http_multiva_primary_fail_remote_pass():
-    # Only config-next has remote VAs configured and is appropriate for this
-    # integration test.
-    if not CONFIG_NEXT:
-        return
-
     client = chisel2.make_client()
 
     # Configure a guestlist that will fail the primary VA check but allow the
@@ -978,11 +968,6 @@ def test_http_multiva_primary_fail_remote_pass():
             raise(Exception("Overall validation did not fail"))
 
 def test_http_multiva_threshold_fail():
-    # Only config-next has remote VAs configured and is appropriate for this
-    # integration test.
-    if not CONFIG_NEXT:
-        return
-
     client = chisel2.make_client()
 
     # Configure a guestlist that will fail the multiVA threshold test by
@@ -1016,11 +1001,6 @@ def test_http_multiva_threshold_fail():
         raise(Exception("expected 'During secondary validation' problem detail, found {0}".format(httpChall.error.detail)))
 
 def test_http_multiva_threshold_fail_domain_disabled():
-    # Only the config-next config dir has remote VAs and a multi VA policy file
-    # configured at the time of writing.
-    if not CONFIG_NEXT:
-        return
-
     client = chisel2.make_client()
 
     # Configure a guestlist that will fail the multiVA threshold test by
@@ -1042,11 +1022,6 @@ def test_http_multiva_threshold_fail_domain_disabled():
         cleanup()
 
 def test_http_multiva_threshold_fail_account_disabled():
-    # Only the config-next config dir has remote VAs and a multi VA policy file
-    # configured at the time of writing.
-    if not CONFIG_NEXT:
-        return
-
     # Create an ACME account
     client = chisel2.make_client()