
Commit ab01009

committed
(gh-26) Add a GHA workflow to test the configure task
1 parent 2ab58b6 commit ab01009


1 file changed

+171
-0
lines changed

Lines changed: 171 additions & 0 deletions
@@ -0,0 +1,171 @@
1+
---
2+
name: 'PR Testing the configure task'
3+
4+
on:
5+
push:
6+
branches:
7+
- main
8+
pull_request:
9+
branches:
10+
- main
11+
12+
env:
13+
# These openvox_bootstrap::configure parameters are used in both
14+
# the agent and server task runs, but puppet_conf will vary.
15+
COMMON_CONFIGURE_PARAMS: |-
16+
"csr_attributes": {
17+
"custom_attributes": {
18+
"1.2.840.113549.1.9.7": "password"
19+
},
20+
"extension_requests": {
21+
"pp_role": "tomato"
22+
}
23+
},
24+
"puppet_service_running": true,
25+
"puppet_service_enabled": false
26+
27+
jobs:
28+
test-configure-task:
29+
strategy:
30+
matrix:
31+
os:
32+
- [almalinux, '9']
33+
- [ubuntu, '24.04']
34+
runs-on: ubuntu-22.04
35+
steps:
36+
- uses: actions/checkout@v4
37+
- id: install-bolt
38+
uses: ./.github/actions/bolt
39+
with:
40+
os-codename: jammy
41+
- id: vm-cluster
42+
uses: jpartlow/nested_vms@v1
43+
with:
44+
os: ${{ matrix.os[0] }}
45+
os-version: ${{ matrix.os[1] }}
46+
os-arch: ${{ matrix.os[2] || 'x86_64' }}
47+
host-root-access: true
48+
ruby-version: '3.3'
49+
install-openvox: false
50+
vms: |-
51+
[
52+
{
53+
"role": "primary",
54+
"cpus": 4,
55+
"mem_mb": 8192,
56+
"cpu_mode": "host-model"
57+
},
58+
{
59+
"role": "agent",
60+
"cpus": 2,
61+
"mem_mb": 4096,
62+
"cpu_mode": "host-model"
63+
}
64+
]
65+
- name: Capture dereferenced inventory for use with openvox_bootstrap
66+
working-directory: kvm_automation_tooling
67+
run: |-
68+
bolt inventory --inventory terraform/instances/inventory.test.yaml show --format json --detail | \
69+
jq '.inventory | with_entries(select(.key == "targets")) | del(.targets[].groups)' | \
70+
yq -P > ../inventory.yaml
71+
cat ../inventory.yaml
72+
- name: Install openvox
73+
run: |-
74+
bolt task run openvox_bootstrap::install --inventory inventory.yaml --targets test-primary-1,test-agent-1
75+
- name: Install openvox-server
76+
run: |-
77+
bolt task run openvox_bootstrap::install --inventory inventory.yaml --targets test-primary-1 package=openvox-server
78+
- name: Disable agents to prevent background service runs
79+
run: |-
80+
bolt command run '/opt/puppetlabs/bin/puppet agent --disable "OpenVox PR testing"' --inventory inventory.yaml --targets test-agent-1,test-primary-1
81+
- name: Write server configure params
82+
run: |-
83+
cat > server-params.yaml <<EOF
84+
{
85+
"puppet_conf": {
86+
"main": {
87+
"server": "test-primary-1.vm"
88+
},
89+
"server": {
90+
"autosign": "/etc/puppetlabs/puppet/sign.sh"
91+
}
92+
},
93+
${COMMON_CONFIGURE_PARAMS}
94+
}
95+
EOF
96+
cat server-params.yaml
97+
- name: Run openvox_boostrap::configure task on the primary
98+
run: |-
99+
bolt task run openvox_bootstrap::configure --inventory inventory.yaml --targets test-primary-1 --params @server-params.yaml
100+
- name: Configure openvox-server
101+
env:
102+
PUPPET_CONF: |-
103+
SIGN_SH: |-
104+
run: |-
105+
cat > sign.sh <<'EOF'
106+
#!/bin/bash
107+
set -e
108+
csr_pem=$(cat)
109+
csr_text=$(openssl req -text <<<"$csr_pem")
110+
password=$(awk -F: -e '/challengePassword/ { print $2 }' <<<"$csr_text")
111+
[[ "${password}" == 'password' ]]
112+
EOF
113+
bolt file upload sign.sh /etc/puppetlabs/puppet/sign.sh --inventory inventory.yaml --targets test-primary-1
114+
115+
cat > standup.sh <<'EOF'
116+
#! /bin/bash
117+
set -e
118+
set -x
119+
120+
chmod 750 /etc/puppetlabs/puppet/sign.sh
121+
chown puppet:puppet /etc/puppetlabs/puppet/sign.sh
122+
123+
/opt/puppetlabs/server/bin/puppetserver ca setup
124+
systemctl start puppetserver
125+
EOF
126+
bolt script run standup.sh --inventory inventory.yaml --targets test-primary-1 --stream
127+
- name: Write agent configure params
128+
run: |-
129+
cat > agent-params.yaml <<EOF
130+
{
131+
"puppet_conf": {
132+
"main": {
133+
"server": "test-primary-1.vm"
134+
}
135+
},
136+
${COMMON_CONFIGURE_PARAMS}
137+
}
138+
EOF
139+
cat agent-params.yaml
140+
- name: Run openvox_bootstrap::configure task on the agent
141+
run: |-
142+
bolt task run openvox_bootstrap::configure --inventory inventory.yaml --targets test-agent-1 --params @agent-params.yaml
143+
- name: Validate agent run on the primary
144+
run: |-
145+
bolt command run '/opt/puppetlabs/bin/puppet agent --agent_disabled_lockfile=/tmp/not_locked.lock --test' --inventory inventory.yaml --targets test-primary-1 --stream
146+
- name: Validate agent run on the agent
147+
run: |-
148+
bolt command run '/opt/puppetlabs/bin/puppet agent --agent_disabled_lockfile=/tmp/not_locked.lock --test' --inventory inventory.yaml --targets test-agent-1 --stream
149+
- name: Validate certificate extensions
150+
run: |-
151+
cat > site.pp <<'EOF'
152+
node default {
153+
notify { "Trusted Facts":
154+
message => $trusted,
155+
}
156+
if $trusted.dig('extensions', 'pp_role') != 'tomato' {
157+
fail("Certificate extension 'pp_role' should be 'tomato'. trusted['extensions'] = ${trusted['extensions']}")
158+
}
159+
}
160+
EOF
161+
bolt file upload site.pp /etc/puppetlabs/code/environments/production/manifests/site.pp --inventory inventory.yaml --targets test-primary-1
162+
bolt command run '/opt/puppetlabs/bin/puppet agent --agent_disabled_lockfile=/tmp/not_locked.lock --onetime --verbose --no-daemonize' --inventory inventory.yaml --targets test-primary-1,test-agent-1 --stream
163+
- name: Validate service state
164+
run: |-
165+
cat > apply.sh <<'EOF'
166+
set -e
167+
/opt/puppetlabs/bin/puppet apply --test -e 'service { "puppet": ensure => running, enable => false }'
168+
EOF
169+
# Use script rather than bolt apply so that we trip if the
170+
# apply produces changes and returns an exitcode of 2.
171+
bolt script run apply.sh --inventory inventory.yaml --targets test-agent-1,test-primary-1 --stream
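Review bot: The `vm-cluster` step runs the third-party action `jpartlow/nested_vms@v1` with `host-root-access: true`, and `@v1` is a mutable tag, so whatever that tag points to later would run on the runner with whatever elevated access that input grants (its exact effect is not visible on this page). Pin it to a reviewed commit, e.g. `uses: jpartlow/nested_vms@<full-commit-sha>  # v1`, and consider doing the same for `actions/checkout@v4`. The workflow also declares no `permissions:`, so the job token gets the repository default; since the steps only check out and test, a top-level `permissions:` with `contents: read` would make least privilege explicit. Separately, the "Configure openvox-server" step appears to set `PUPPET_CONF` and `SIGN_SH` to empty block scalars that its script never reads, and the step name `openvox_boostrap::configure` is misspelled.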
