
Commit 9604fef

committed
(gh-26) Add a GHA workflow to test the configure task
1 parent 4bb43a1 commit 9604fef


1 file changed

+160
-0
lines changed

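--- a/WORKFLOW_PATH_NOT_SHOWN.yaml
+++ b/WORKFLOW_PATH_NOT_SHOWN.yaml
@@ -0,0 +1,160 @@
+---
+name: 'PR Testing the configure task'
+
+on:
+push:
+branches:
+- main
+pull_request:
+branches:
+- main
+
+env:
+# These openvox_bootstrap::configure parameters are used in both
+# the agent and server task runs, but puppet_conf will vary.
+COMMON_CONFIGURE_PARAMS: |-
+"csr_attributes": {
+"custom_attributes": {
+"1.2.840.113549.1.9.7": "password"
+},
+"extension_requests": {
+"pp_role": "tomato"
+}
+},
+"puppet_service_running": true,
+"puppet_service_enabled": false
+
+jobs:
+test-configure-task:
+strategy:
+matrix:
+os:
+- [almalinux, '9']
+- [ubuntu, '24.04']
+runs-on: ubuntu-22.04
+steps:
+- uses: actions/checkout@v4
+- id: install-bolt
+uses: ./.github/actions/bolt
+with:
+os-codename: jammy
+- id: vm-cluster
+uses: jpartlow/nested_vms@v1
+with:
+os: ${{ matrix.os[0] }}
+os-version: ${{ matrix.os[1] }}
+os-arch: ${{ matrix.os[2] || 'x86_64' }}
+host-root-access: true
+ruby-version: '3.3'
+install-openvox: false
+vms: |-
+[
+{
+"role": "primary",
+"cpus": 4,
+"mem_mb": 8192,
+"cpu_mode": "host-model"
+},
+{
+"role": "agent",
+"cpus": 2,
+"mem_mb": 4096,
+"cpu_mode": "host-model"
+}
+]
+- name: Capture dereferenced inventory for use with openvox_bootstrap
+working-directory: kvm_automation_tooling
+run: |-
+bolt inventory --inventory terraform/instances/inventory.test.yaml show --format json --detail | \
+jq '.inventory | with_entries(select(.key == "targets")) | del(.targets[].groups)' | \
+yq -P > ../inventory.yaml
+cat ../inventory.yaml
+- name: Install openvox
+run: |-
+bolt task run openvox_bootstrap::install --inventory inventory.yaml --targets test-primary-1,test-agent-1
+- name: Install openvox-server
+run: |-
+bolt task run openvox_bootstrap::install --inventory inventory.yaml --targets test-primary-1 package=openvox-server
+- name: Disable agents to prevent background service runs
+run: |-
+bolt command run '/opt/puppetlabs/bin/puppet agent --disable "OpenVox PR testing"' --inventory inventory.yaml --targets test-agent-1,test-primary-1
+- name: Write server configure params
+run: |-
+cat > server-params.yaml <<EOF
+{
+"puppet_conf": {
+"main": {
+"server": "test-primary-1.vm"
+},
+"server": {
+"autosign": "/etc/puppetlabs/puppet/sign.sh"
+}
+},
+${COMMON_CONFIGURE_PARAMS}
+}
+EOF
+cat server-params.yaml
+- name: Run openvox_boostrap::configure task on the primary
+run: |-
+bolt task run openvox_bootstrap::configure --inventory inventory.yaml --targets test-agent-1 --params @server-params.yaml
+- name: Configure openvox-server
+env:
+PUPPET_CONF: |-
+SIGN_SH: |-
+run: |-
+cat > sign.sh <<'EOF'
+#!/bin/bash
+csr_pem=$(cat)
+csr_text=$(openssl req -text <<<"$csr_pem")
+password=$(awk -F: -e '/challengePassword/ { print $2 }' <<<"$csr_text")
+[[ "${password}" == 'password' ]]
+EOF
+bolt file upload sign.sh /etc/puppetlabs/puppet/sign.sh --inventory inventory.yaml --targets test-primary-1
+bolt command run --inventory inventory.yaml --targets test-primary-1 --stream <<'EOS'
+cat /etc/puppetlabs/puppet/sign.sh
+chmod 750 /etc/puppetlabs/puppet/sign.sh
+chown puppet:puppet /etc/puppetlabs/puppet/sign.sh
+
+/opt/puppetlabs/server/bin/puppetserver ca setup
+systemctl start puppetserver
+EOS
+- name: Write agent configure params
+run: |-
+cat > agent-params.yaml <<EOF
+{
+"puppet_conf": {
+"main": {
+"server": "test-primary-1.vm"
+}
+},
+${COMMON_CONFIGURE_PARAMS}
+}
+EOF
+cat agent-params.yaml
+- name: Run openvox_bootstrap::configure task on the agent
+run: |-
+bolt task run openvox_bootstrap::configure --inventory inventory.yaml --targets test-agent-1 --params @agent-params.yaml
+- name: Validate agent run on the primary
+run: |-
+bolt command run '/opt/puppetlabs/bin/puppet agent --agent_disabled_lockfile=/dev/null --test' --inventory inventory.yaml --targets test-primary-1 --stream
+- name: Validate agent run on the agent
+run: |-
+bolt command run '/opt/puppetlabs/bin/puppet agent --agent_disabled_lockfile=/dev/null --test' --inventory inventory.yaml --targets test-agent-1 --stream
+- name: Validate certificate extensions
+run: |-
+cat > check_cert_extensions.pp <<'EOF'
+notify { "Trusted Facts"
+message => $trusted,
+}
+if $trusted['extensions']['pp_role'] != 'tomato' {
+fail("Certificate extension 'pp_role' should be 'tomato', but is ${$trusted['extensions']['pp_role']}")
+}
+EOF
+bolt apply check_cert_extensions.pp --inventory inventory.yaml --targets test-primary-1,test-agent-1
+- name: Validate service state
+run: |-
+# Use command rather than bolt apply so that we trip if the
+# apply produces changes and returns an exitcode of 2.
+bolt comamnd run --inventory inventory.yaml --targets test-agent-1 --stream <<'EOS'
+/opt/puppetlabs/bin/puppet apply --detailed-exitcodes -e 'service { "puppet": ensure => running, enable => true }' --inventory inventory.yaml --targets test-primary-1,test-agent-1
+EOS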
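Review bot: The step named `Run openvox_boostrap::configure task on the primary` passes `--targets test-agent-1` together with `server-params.yaml`, so the primary does not appear to receive the `autosign` setting that points at `sign.sh`; it presumably should read `--targets test-primary-1` (and `boostrap` in the step name is a typo). In the final step `bolt comamnd run` should be `bolt command run`, the `puppet apply` line inside the heredoc carries `--inventory inventory.yaml --targets ...`, which are bolt options rather than puppet ones, and the resource asserts `enable => true` while `COMMON_CONFIGURE_PARAMS` sets `"puppet_service_enabled": false`. The `notify { "Trusted Facts"` title in `check_cert_extensions.pp` is missing its trailing `:`, and the `PUPPET_CONF` and `SIGN_SH` env entries in `Configure openvox-server` are empty and never referenced. Separately, `jpartlow/nested_vms@v1` is a third-party action referenced by a mutable tag and given `host-root-access: true`; pinning it and `actions/checkout` to full commit SHAs and adding a top-level `permissions:` block with `contents: read` would limit what a retagged action can reach on `push` runs.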
