
Commit 7f8b716

committed
(gh-26) Add a GHA workflow to test the configure task
1 parent e439b0c commit 7f8b716


1 file changed

+158
-0
lines changed

Lines changed: 158 additions & 0 deletions
@@ -0,0 +1,158 @@
1+
---
2+
name: 'PR Testing the configure task'
3+
4+
on:
5+
push:
6+
branches:
7+
- main
8+
pull_request:
9+
branches:
10+
- main
11+
12+
env:
13+
# These openvox_bootstrap::configure parameters are used in both
14+
# the agent and server task runs, but puppet_conf will vary.
15+
COMMON_CONFIGURE_PARAMS: |-
16+
"csr_attributes": {
17+
"custom_attributes": {
18+
"1.2.840.113549.1.9.7": "password"
19+
},
20+
"extension_requests": {
21+
"pp_role": "tomato"
22+
}
23+
},
24+
"puppet_service_running": true,
25+
"puppet_service_enabled": false
26+
27+
jobs:
28+
test-configure-task:
29+
strategy:
30+
matrix:
31+
os:
32+
- [almalinux, '9']
33+
- [ubuntu, '24.04']
34+
runs-on: ubuntu-22.04
35+
steps:
36+
- uses: actions/checkout@v4
37+
- id: install-bolt
38+
uses: ./.github/actions/bolt
39+
with:
40+
os-codename: jammy
41+
- id: vm-cluster
42+
uses: jpartlow/nested_vms@v1
43+
with:
44+
os: ${{ matrix.os[0] }}
45+
os-version: ${{ matrix.os[1] }}
46+
os-arch: ${{ matrix.os[2] || 'x86_64' }}
47+
host-root-access: true
48+
ruby-version: '3.3'
49+
install-openvox: false
50+
vms: |-
51+
[
52+
{
53+
"role": "primary",
54+
"cpus": 4,
55+
"mem_mb": 8192,
56+
"cpu_mode": "host-model"
57+
},
58+
{
59+
"role": "agent",
60+
"cpus": 2,
61+
"mem_mb": 4096,
62+
"cpu_mode": "host-model"
63+
}
64+
]
65+
- name: Capture dereferenced inventory for use with openvox_bootstrap
66+
working-directory: kvm_automation_tooling
67+
run: |-
68+
bolt inventory --inventory terraform/instances/inventory.test.yaml show --format json --detail | \
69+
jq '.inventory | with_entries(select(.key == "targets")) | .targets | map(del(.groups))' | \
70+
yq -P > ../inventory.yaml
71+
cat ../inventory.yaml
72+
- name: Install openvox
73+
run: |-
74+
bolt task run openvox_bootstrap::install --inventory inventory.yaml --targets test-primary-1,test-agent-1
75+
- name: Install openvox-server
76+
run: |-
77+
bolt task run openvox_bootstrap::install --inventory inventory.yaml --targets test-primary-1 package=openvox-server
78+
- name: Disable agents to prevent background service runs
79+
run: |-
80+
bolt command run '/opt/puppetlabs/bin/puppet agent --disable "OpenVox PR testing"' --inventory inventory.yaml --targets test-agent-1,test-primary-1
81+
- name: Write server configure params
82+
run: |-
83+
cat > agent-params.yaml <<EOF
84+
{
85+
"puppet_conf": {
86+
"main": {
87+
"server": "test-primary-1.vm"
88+
},
89+
"server": {
90+
"autosign": "/etc/puppetlabs/puppet/sign.sh"
91+
}
92+
},
93+
${COMMON_CONFIGURE_PARAMS}
94+
}
95+
EOF
96+
- name: Run openvox_boostrap::configure task on the primary
97+
run: |-
98+
bolt task run openvox_bootstrap::configure --inventory inventory.yaml --targets test-agent-1 --params @server-params.yaml
99+
- name: Configure openvox-server
100+
env:
101+
PUPPET_CONF: |-
102+
SIGN_SH: |-
103+
run: |-
104+
cat > sign.sh <<'EOF'
105+
#!/bin/bash
106+
csr_pem=$(cat)
107+
csr_text=$(openssl req -text <<<"$csr_pem")
108+
password=$(awk -F: -e '/challengePassword/ { print $2 }' <<<"$csr_text")
109+
[[ "${password}" == 'password' ]]
110+
EOF
111+
bolt file upload sign.sh /etc/puppetlabs/puppet/sign.sh --inventory inventory.yaml --targets test-primary-1
112+
bolt command run --inventory inventory.yaml --targets test-primary-1 --stream <<'EOS'
113+
cat /etc/puppetlabs/puppet/sign.sh
114+
chmod 750 /etc/puppetlabs/puppet/sign.sh
115+
chown puppet:puppet /etc/puppetlabs/puppet/sign.sh
116+
117+
/opt/puppetlabs/server/bin/puppetserver ca setup
118+
systemctl start puppetserver
119+
EOS
120+
- name: Write agent configure params
121+
run: |-
122+
cat > agent-params.yaml <<EOF
123+
{
124+
"puppet_conf": {
125+
"main": {
126+
"server": "test-primary-1.vm"
127+
}
128+
},
129+
${COMMON_CONFIGURE_PARAMS}
130+
}
131+
EOF
132+
- name: Run openvox_bootstrap::configure task on the agent
133+
run: |-
134+
bolt task run openvox_bootstrap::configure --inventory inventory.yaml --targets test-agent-1 --params @agent-params.yaml
135+
- name: Validate agent run on the primary
136+
run: |-
137+
bolt command run '/opt/puppetlabs/bin/puppet agent --agent_disabled_lockfile=/dev/null --test' --inventory inventory.yaml --targets test-primary-1 --stream
138+
- name: Validate agent run on the agent
139+
run: |-
140+
bolt command run '/opt/puppetlabs/bin/puppet agent --agent_disabled_lockfile=/dev/null --test' --inventory inventory.yaml --targets test-agent-1 --stream
141+
- name: Validate certificate extensions
142+
run: |-
143+
cat > check_cert_extensions.pp <<'EOF'
144+
notify { "Trusted Facts"
145+
message => $trusted,
146+
}
147+
if $trusted['extensions']['pp_role'] != 'tomato' {
148+
fail("Certificate extension 'pp_role' should be 'tomato', but is ${$trusted['extensions']['pp_role']}")
149+
}
150+
EOF
151+
bolt apply check_cert_extensions.pp --inventory inventory.yaml --targets test-primary-1,test-agent-1
152+
- name: Validate service state
153+
run: |-
154+
# Use command rather than bolt apply so that we trip if the
155+
# apply produces changes and returns an exitcode of 2.
156+
bolt comamnd run --inventory inventory.yaml --targets test-agent-1 --stream <<'EOS'
157+
/opt/puppetlabs/bin/puppet apply --detailed-exitcodes -e 'service { "puppet": ensure => running, enable => true }' --inventory inventory.yaml --targets test-primary-1,test-agent-1
158+
EOS
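Review bot: The "Write server configure params" step writes `agent-params.yaml`, while the next step reads `@server-params.yaml` and targets `test-agent-1`, so the primary never receives the `autosign` policy path and the challenge-password signing flow is not exercised as the step names suggest; the heredoc should open with `cat > server-params.yaml <<EOF` and the task run should use `--targets test-primary-1 --params @server-params.yaml`. The final step has a typo, `bolt comamnd run`, which should be `bolt command run`, and the `--inventory … --targets …` options at the end of the heredoc line are handed to `puppet apply` on the target rather than to bolt. The `env:` keys `PUPPET_CONF: |-` and `SIGN_SH: |-` in "Configure openvox-server" are empty and appear unused, and the `notify { "Trusted Facts"` title is missing its `:`. On the supply-chain side, `jpartlow/nested_vms@v1` runs with `host-root-access: true` but is pinned to a mutable tag, and the workflow declares no `permissions:`; pinning third-party actions to a full commit SHA and adding a top-level `permissions:` with `contents: read` would limit what a retagged action can do with the job token.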
