[SECURESIGN-1659] Add AAP testing scenario for collection #119
Changes from 98 commits
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,54 @@ | ||
name: Using Ansible Molecule, test RHTAS collection from a private AAP | ||
|
||
# on: | ||
# schedule: | ||
# - cron: "0 0 * * *" | ||
|
||
on: | ||
pull_request: | ||
|
||
jobs: | ||
test-aap-collection: | ||
runs-on: ubuntu-latest | ||
steps: | ||
- name: Checkout code | ||
uses: actions/checkout@v4 | ||
- name: Install dependencies | ||
run: | | ||
ansible --version | ||
python -m venv venv | ||
source venv/bin/activate | ||
python -m pip install --upgrade pip | ||
pip install -r testing-requirements.txt | ||
ansible-galaxy install -r requirements.yml | ||
ansible-galaxy install -r molecule/requirements.yml | ||
- name: Set up SSH key | ||
run: | | ||
mkdir -p ~/.ssh | ||
echo "${{ secrets.AWS_SSH_KEY }}" > ~/.ssh/id_rsa | ||
chmod 600 ~/.ssh/id_rsa | ||
- name: Run molecule | ||
env: | ||
TAS_SINGLE_NODE_REGISTRY_USERNAME: ${{ secrets.TAS_SINGLE_NODE_REGISTRY_USERNAME }} | ||
TAS_SINGLE_NODE_REGISTRY_PASSWORD: ${{ secrets.TAS_SINGLE_NODE_REGISTRY_PASSWORD }} | ||
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_ACCESS_KEY }} | ||
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} | ||
AWS_DEFAULT_REGION: ${{ secrets.AWS_DEFAULT_REGION }} | ||
GITHUB_RUN_ID: ${{ github.run_id }} | ||
REDHAT_API_TOKEN: ${{ secrets.REDHAT_API_TOKEN }} | ||
run: | | ||
source venv/bin/activate | ||
molecule reset | ||
molecule -v create --scenario-name aap-setup | ||
molecule -v converge --scenario-name aap-setup | ||
molecule -v test --scenario-name aap-collection-test | ||
I think this isn't using Molecule as it was meant to be used. This whole "setup" should be a part of the Furthermore, we shouldn't install the collection from AAP and run it locally, we want AAP to use it. Let me explain in more detail:
Does that make sense? The important point here is that we need to test not only uploading the collection to AAP, but we need to ensure that it executes correctly from AAP. |
||
- name: Destroy molecule infrastructure | ||
env: | ||
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_ACCESS_KEY }} | ||
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} | ||
AWS_DEFAULT_REGION: ${{ secrets.AWS_DEFAULT_REGION }} | ||
if: always() | ||
run: | | ||
source venv/bin/activate | ||
molecule -v destroy --scenario-name aap-setup | ||
molecule -v destroy --scenario-name aap-collection-test |
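Review bot: In the env blocks of both "Run molecule" and "Destroy molecule infrastructure", `AWS_SECRET_ACCESS_KEY` is read from `secrets.AWS_ACCESS_KEY` while the key ID comes from `secrets.AWS_ACCESS_KEY_ID`; please confirm that is the intended secret name, because an unset secret expands to an empty string and the failure would only surface when molecule tries to create the instances. Two further points on this file: the job depends on several repository secrets but triggers on every `pull_request`, and GitHub does not pass repository secrets to pull requests from forks, so those runs cannot succeed; and `GITHUB_RUN_ID` is already a default variable on the runner, so the explicit `GITHUB_RUN_ID: ${{ github.run_id }}` line can be dropped. Since this job handles an SSH key plus AWS and registry credentials, consider pinning `actions/checkout` to a commit SHA rather than the `v4` tag.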
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,39 @@ | ||
--- | ||
- name: Converge | ||
hosts: molecule | ||
gather_facts: true | ||
vars_files: | ||
- vars/vars.yml | ||
- vars/podman.yml | ||
- ../aap-setup/aap_vars.yml | ||
tasks: | ||
- name: Error out if registry username is not set | ||
I think we can have an |
||
ansible.builtin.fail: | ||
msg: "Username for registry.redhat.io is not set, please provide it via TAS_SINGLE_NODE_REGISTRY_USERNAME env variable" | ||
when: tas_single_node_registry_username == "" | ||
|
||
- name: Error out if registry password is not set | ||
ansible.builtin.fail: | ||
msg: "Password for registry.redhat.io is not set, please provide it via TAS_SINGLE_NODE_REGISTRY_PASSWORD env variable" | ||
when: tas_single_node_registry_password == "" | ||
|
||
- name: Install redhat.artifact_signer collection from the private AAP | ||
delegate_to: localhost | ||
ansible.builtin.shell: | ||
cmd: | | ||
ansible-galaxy collection install redhat.artifact_signer -s https://{{ aap_instance_ip }}/pulp_ansible/galaxy/staging/api/ \ | ||
--ignore-certs --token {{ token }} --force | ||
changed_when: false | ||
|
||
- name: Verify redhat.artifact_signer collection is installed | ||
delegate_to: localhost | ||
ansible.builtin.shell: | ||
cmd: | | ||
bash -c 'set -o pipefail && ansible-galaxy collection list | grep redhat.artifact_signer' | ||
register: collection_check | ||
changed_when: false | ||
failed_when: collection_check.rc != 0 | ||
|
||
- name: Apply redhat.artifact_signer.tas_single_node role from the private AAP | ||
ansible.builtin.include_role: | ||
name: redhat.artifact_signer.tas_single_node |
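Review bot: The "Install redhat.artifact_signer collection from the private AAP" task puts the hub token on the command line (`--token {{ token }}`) without `no_log: true`, so the token shows up in the task result when the workflow runs `molecule -v` and in the process list on the runner. Add `no_log: true` to that task, or supply the token through the galaxy server configuration or an environment variable instead of an argument. The same command uses `--ignore-certs`, so the token is sent without verifying the server; if the AAP certificate can be trusted on the runner, drop the flag. The "Verify" task could also set `executable: /bin/bash` on `ansible.builtin.shell` and use `set -o pipefail` directly instead of wrapping the pipeline in `bash -c`.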
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1 @@ | ||
../default/create.yml |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1 @@ | ||
../default/destroy.yml |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1 @@ | ||
../default/molecule.yml |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1 @@ | ||
../default/prepare.yml |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1 @@ | ||
../../default/vars/podman.yml |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,10 @@ | ||
tas_single_node_oidc_issuers: | ||
- issuer: "http://dex-idp:5556/dex" | ||
url: "http://dex-idp:5556/dex" | ||
client_id: example-app | ||
type: email | ||
tas_single_node_base_hostname: myrhtas | ||
tas_single_node_cockpit: | ||
enabled: false | ||
tas_single_node_registry_username: "{{ lookup('env', 'TAS_SINGLE_NODE_REGISTRY_USERNAME') }}" | ||
tas_single_node_registry_password: "{{ lookup('env', 'TAS_SINGLE_NODE_REGISTRY_PASSWORD') }}" |
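Review bot: Both `issuer` and `url` under `tas_single_node_oidc_issuers` are plain `http://dex-idp:5556/dex`; if that is deliberate for the throwaway test instance, a one-line comment saying so would keep the value from being copied into a real deployment. The two `lookup('env', ...)` values yield an empty string when the variable is unset, which is what the `== ""` checks in the Converge play rely on; a short comment noting that coupling would help whoever changes either side.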
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1 @@ | ||
../default/verify.yml |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,122 @@ | ||
--- | ||
- name: Converge | ||
hosts: molecule | ||
gather_facts: true | ||
tags: aap_installation | ||
vars_files: | ||
- vars/vars.yml | ||
- vars/aap_nodes.yml | ||
tasks: | ||
- name: Error out if registry username is not set | ||
We could use
@SequeI, I don't think we can use it, the when condition is based on a different variable here: |
||
ansible.builtin.fail: | ||
msg: "Username for registry.redhat.io is not set, please provide it via TAS_SINGLE_NODE_REGISTRY_USERNAME env variable" | ||
when: aap_setup_prep_inv_secrets.all.registry_username == "" | ||
|
||
- name: Error out if registry password is not set | ||
ansible.builtin.fail: | ||
msg: "Password for registry.redhat.io is not set, please provide it via TAS_SINGLE_NODE_REGISTRY_PASSWORD env variable" | ||
when: aap_setup_prep_inv_secrets.all.registry_password == "" | ||
|
||
- name: Include and execute AAP utility roles for setup | ||
ansible.builtin.include_role: | ||
name: "{{ item }}" | ||
loop: | ||
- infra.aap_utilities.aap_setup_download | ||
- infra.aap_utilities.aap_setup_prepare | ||
|
||
- name: Find the latest AAP setup folder | ||
ansible.builtin.find: | ||
paths: /var/tmp | ||
patterns: ansible-automation-platform-containerized-setup-* | ||
file_type: directory | ||
recurse: false | ||
register: aap_folders | ||
|
||
- name: Set the latest AAP setup path | ||
ansible.builtin.set_fact: | ||
aap_setup_path: >- | ||
{{ | ||
(aap_folders.files | sort(attribute='mtime', reverse=true) | first | default('')).path | ||
if aap_folders.files | length > 0 else '' | ||
}} | ||
|
||
- name: Install AAP | ||
ansible.builtin.shell: | ||
cmd: | | ||
cd {{ aap_setup_path }} | ||
ansible-playbook -i inventory ansible.containerized_installer.install | ||
async: 1800 | ||
poll: 0 | ||
register: aap_install_task | ||
changed_when: false | ||
|
||
- name: Wait for AAP installation to complete | ||
ansible.builtin.async_status: | ||
jid: "{{ aap_install_task.ansible_job_id }}" | ||
register: job_result | ||
until: job_result.finished | ||
retries: 100 | ||
delay: 30 | ||
|
||
- name: Create a new token using username/password | ||
infra.ah_configuration.ah_token: | ||
state: present | ||
ah_host: https://{{ aap_instance_ip }}/ | ||
ah_username: "admin" | ||
ah_password: "password" | ||
validate_certs: false | ||
|
||
- name: Create "redhat" namespace | ||
delegate_to: localhost | ||
infra.ah_configuration.ah_namespace: | ||
name: redhat | ||
description: "Redhat Namespace" | ||
company: "Redhat" | ||
email: "[email protected]" | ||
links: | ||
- name: "homepage" | ||
url: "https://www.redhat.com" | ||
state: present | ||
ah_host: https://{{ aap_instance_ip }}/ | ||
ah_token: "{{ ah_token.token }}" | ||
validate_certs: false | ||
|
||
- name: Build redhat.artifact_signer collection | ||
delegate_to: localhost | ||
infra.ah_configuration.ah_build: | ||
path: ../../. | ||
force: true | ||
output_path: /var/tmp | ||
|
||
- name: Find the collection build path | ||
delegate_to: localhost | ||
ansible.builtin.shell: | ||
cmd: | | ||
bash -c 'set -o pipefail; find /var/tmp -maxdepth 1 -type f \ | ||
-name "redhat-artifact_signer-*.tar.gz" -printf "%T@ %p\n" | sort -n -r | head -n 1 | cut -d" " -f2' | ||
register: collection_build_path | ||
changed_when: false | ||
failed_when: collection_build_path.rc != 0 | ||
|
||
- name: Set the latest collection build path | ||
ansible.builtin.set_fact: | ||
collection_build_path: "{{ collection_build_path.stdout }}" | ||
|
||
- name: Upload redhat.artifact_signer to the private AAP | ||
delegate_to: localhost | ||
retries: 10 | ||
delay: 30 | ||
infra.ah_configuration.ah_collection_upload: | ||
path: "{{ collection_build_path }}" | ||
ah_host: https://{{ aap_instance_ip }}/ | ||
ah_token: "{{ ah_token.token }}" | ||
validate_certs: false | ||
|
||
- name: Export AAP details | ||
delegate_to: localhost | ||
ansible.builtin.copy: | ||
dest: "{{ playbook_dir }}/aap_vars.yml" | ||
mode: "0666" | ||
content: | | ||
aap_instance_ip: "{{ aap_instance_ip }}" | ||
token: "{{ ah_token.token }}" |
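Review bot: The "Export AAP details" task writes the hub token into `aap_vars.yml` with `mode: "0666"`, which leaves a credential world-readable and world-writable in the playbook directory; use `mode: "0600"`, add `no_log: true` to the task, and make sure the file is git-ignored. In "Create a new token using username/password" the credentials are the literals `ah_username: "admin"` and `ah_password: "password"`; take them from variables or the environment so the test instance does not run with a known admin password. Every hub call in this play also sets `validate_certs: false`; if that is needed for the self-signed test instance, say so in a comment. Lastly, "Set the latest AAP setup path" falls back to `''` when no folder is found and "Install AAP" then runs `cd` with an empty path; an `ansible.builtin.assert` on `aap_setup_path` before the install would fail early with a clear message.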
To be uncommented once the PR is reviewed and build log is verified.