particle-os/debian-forge-composer
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

provision.sh: add none authentication method for on-premise scenario

Browse source 
`tools/provision.sh` is provisioning SUT always in the same way for
both, the Service scenario and the on-premise scenario. While this is
not causing any issues, it does not realistically represent how we
expect osbuild-composer and worker to be used in these scenarios.

The script currently supports the following authentication options:
- `none`
  - Intended for the on-premise scenario with Weldr API.
  - NO certificates are generated.
  - NO osbuild-composer configuration file is created.
  - NO osbuild-worker configuration file is created. This means that no
    cloud provider credentials are configured directly in the worker.
  - Only the local worker is started and used.
  - Only the Weldr API socker is started.
  - Appropriate repository definitions are copied to
    `/etc/osbuild-composer/repositories/`.
- `jwt`
  - Intended for the Service scenario with Cloud API.
  - Should be the only method supported in the Service scenario in the
    future.
  - Certificates are generated and copied to `/etc/osbuild-composer`.
  - osbuild-composer configuration file is created and configured for
    JWT authentication.
  - osbuild-worker configuration file is created, configured for JWT
    authentication and with appropriate cloud provider credentials.
  - Local worker unit is masked. Only the remote worker is used (the
    socket is started and one remote-worker instance is created).
  - Only the Cloud API socket is started (Weldr API socket is stopped).
  - NO repository definitions are copied to
    `/etc/osbuild-composer/repositories/`.
- `tls`
  - Intended for the Service scenario with Cloud API.
  - Should eventually go away.
  - Certificates are generated and copied to `/etc/osbuild-composer`.
  - osbuild-composer configuration file is created and configured for
    TLS client cert authentication.
  - osbuild-worker configuration file is created, configured for TLS
    authentication and with appropriate cloud provider credentials.
  - Services and sockets are started as they used to be originally:
    - Both local and remote worker sockets are started.
    - Both Weldr and Cloud API sockets are started.
    - Only the local worker unit will be started automatically.
  - NO repository definitions are copied to
    `/etc/osbuild-composer/repositories/`.
This commit is contained in:
Tomas Hozza 2022-08-03 10:04:10 +02:00 committed by Ondřej Budai
parent 31b1a383f0
commit a4b0efb278
28 changed files with 129 additions and 109 deletions
Download patch file Download diff file Expand all files Collapse all files

184
tools/provision.sh
View file

@ -10,6 +10,7 @@ mkdir -p "${ARTIFACTS}"
# determine the authentication method used by composer
AUTH_METHOD_TLS="tls"
AUTH_METHOD_JWT="jwt"
AUTH_METHOD_NONE="none"
# default to TLS for now
AUTH_METHOD="${1:-$AUTH_METHOD_TLS}"
@ -42,120 +43,130 @@ fi
sudo mkdir -p /etc/osbuild-composer
sudo mkdir -p /etc/osbuild-worker
# Generate all X.509 certificates for the tests
# The whole generation is done in a $CADIR to better represent how osbuild-ca
# it.
CERTDIR=/etc/osbuild-composer
OPENSSL_CONFIG=/usr/share/tests/osbuild-composer/x509/openssl.cnf
CADIR=/etc/osbuild-composer-test/ca
# osbuild-composer and worker need to be configured in a specific way only when using
# some authentication method (Service scenario). In such case, also credentials for
# interacting with cloud providers are configured directly in the worker. In addition,
# no certificates need to be generated, because they are not used anywhere in this
# scenario.
if [[ "$AUTH_METHOD" != "$AUTH_METHOD_NONE" ]]; then
# Generate all X.509 certificates for the tests
# The whole generation is done in a $CADIR to better represent how osbuild-ca
# it.
CERTDIR=/etc/osbuild-composer
OPENSSL_CONFIG=/usr/share/tests/osbuild-composer/x509/openssl.cnf
CADIR=/etc/osbuild-composer-test/ca
scriptloc=$(dirname "$0")
sudo "${scriptloc}/gen-certs.sh" "${OPENSSL_CONFIG}" "${CERTDIR}" "${CADIR}"
sudo chown _osbuild-composer "${CERTDIR}"/composer-*.pem
scriptloc=$(dirname "$0")
sudo "${scriptloc}/gen-certs.sh" "${OPENSSL_CONFIG}" "${CERTDIR}" "${CADIR}"
sudo chown _osbuild-composer "${CERTDIR}"/composer-*.pem
# Copy the appropriate configuration files
if [[ "$AUTH_METHOD" == "$AUTH_METHOD_JWT" ]]; then
COMPOSER_TEST_CONFIG="/usr/share/tests/osbuild-composer/composer/osbuild-composer-jwt.toml"
WORKER_TEST_CONFIG="/usr/share/tests/osbuild-composer/worker/osbuild-worker-jwt.toml"
# Copy the appropriate configuration files
if [[ "$AUTH_METHOD" == "$AUTH_METHOD_JWT" ]]; then
COMPOSER_TEST_CONFIG="/usr/share/tests/osbuild-composer/composer/osbuild-composer-jwt.toml"
WORKER_TEST_CONFIG="/usr/share/tests/osbuild-composer/worker/osbuild-worker-jwt.toml"
# Default orgID
sudo tee "/etc/osbuild-worker/token" >/dev/null <<EOF
# Default orgID
sudo tee "/etc/osbuild-worker/token" >/dev/null <<EOF
123456789
EOF
/usr/libexec/osbuild-composer-test/run-mock-auth-servers.sh start
/usr/libexec/osbuild-composer-test/run-mock-auth-servers.sh start
elif [[ "$AUTH_METHOD" == "$AUTH_METHOD_TLS" ]]; then
COMPOSER_TEST_CONFIG="/usr/share/tests/osbuild-composer/composer/osbuild-composer-tls.toml"
WORKER_TEST_CONFIG="/usr/share/tests/osbuild-composer/worker/osbuild-worker-tls.toml"
fi
elif [[ "$AUTH_METHOD" == "$AUTH_METHOD_TLS" ]]; then
COMPOSER_TEST_CONFIG="/usr/share/tests/osbuild-composer/composer/osbuild-composer-tls.toml"
WORKER_TEST_CONFIG="/usr/share/tests/osbuild-composer/worker/osbuild-worker-tls.toml"
fi
sudo cp -a "$COMPOSER_TEST_CONFIG" /etc/osbuild-composer/osbuild-composer.toml
sudo cp -a "$WORKER_TEST_CONFIG" /etc/osbuild-worker/osbuild-worker.toml
sudo cp -a "$COMPOSER_TEST_CONFIG" /etc/osbuild-composer/osbuild-composer.toml
sudo cp -a "$WORKER_TEST_CONFIG" /etc/osbuild-worker/osbuild-worker.toml
# if GCP credentials are defined in the ENV, add them to the worker's configuration
GOOGLE_APPLICATION_CREDENTIALS="${GOOGLE_APPLICATION_CREDENTIALS:-}"
if [ -n "$GOOGLE_APPLICATION_CREDENTIALS" ]; then
# The credentials file must be copied to a different location. Jenkins places
# it into /tmp and as a result, the worker would not see it due to using PrivateTmp=true.
GCP_CREDS_WORKER_PATH="/etc/osbuild-worker/gcp-credentials.json"
sudo cp "$GOOGLE_APPLICATION_CREDENTIALS" "$GCP_CREDS_WORKER_PATH"
echo -e "\n[gcp]\ncredentials = \"$GCP_CREDS_WORKER_PATH\"\n" | sudo tee -a /etc/osbuild-worker/osbuild-worker.toml
fi
# if GCP credentials are defined in the ENV, add them to the worker's configuration
GOOGLE_APPLICATION_CREDENTIALS="${GOOGLE_APPLICATION_CREDENTIALS:-}"
if [ -n "$GOOGLE_APPLICATION_CREDENTIALS" ]; then
# The credentials file must be copied to a different location. Jenkins places
# it into /tmp and as a result, the worker would not see it due to using PrivateTmp=true.
GCP_CREDS_WORKER_PATH="/etc/osbuild-worker/gcp-credentials.json"
sudo cp "$GOOGLE_APPLICATION_CREDENTIALS" "$GCP_CREDS_WORKER_PATH"
echo -e "\n[gcp]\ncredentials = \"$GCP_CREDS_WORKER_PATH\"\n" | sudo tee -a /etc/osbuild-worker/osbuild-worker.toml
fi
# if Azure credentials are defined in the env, create the credentials file
V2_AZURE_CLIENT_ID="${V2_AZURE_CLIENT_ID:-}"
V2_AZURE_CLIENT_SECRET="${V2_AZURE_CLIENT_SECRET:-}"
if [[ -n "$V2_AZURE_CLIENT_ID" && -n "$V2_AZURE_CLIENT_SECRET" ]]; then
set +x
sudo tee /etc/osbuild-worker/azure-credentials.toml > /dev/null << EOF
# if Azure credentials are defined in the env, create the credentials file
V2_AZURE_CLIENT_ID="${V2_AZURE_CLIENT_ID:-}"
V2_AZURE_CLIENT_SECRET="${V2_AZURE_CLIENT_SECRET:-}"
if [[ -n "$V2_AZURE_CLIENT_ID" && -n "$V2_AZURE_CLIENT_SECRET" ]]; then
set +x
sudo tee /etc/osbuild-worker/azure-credentials.toml > /dev/null << EOF
client_id = "$V2_AZURE_CLIENT_ID"
client_secret = "$V2_AZURE_CLIENT_SECRET"
EOF
sudo tee -a /etc/osbuild-worker/osbuild-worker.toml > /dev/null << EOF
sudo tee -a /etc/osbuild-worker/osbuild-worker.toml > /dev/null << EOF
[azure]
credentials = "/etc/osbuild-worker/azure-credentials.toml"
EOF
set -x
fi
set -x
fi
# if AWS credentials are defined in the ENV, add them to the worker's configuration
V2_AWS_ACCESS_KEY_ID="${V2_AWS_ACCESS_KEY_ID:-}"
V2_AWS_SECRET_ACCESS_KEY="${V2_AWS_SECRET_ACCESS_KEY:-}"
if [[ -n "$V2_AWS_ACCESS_KEY_ID" && -n "$V2_AWS_SECRET_ACCESS_KEY" ]]; then
set +x
# if AWS credentials are defined in the ENV, add them to the worker's configuration
V2_AWS_ACCESS_KEY_ID="${V2_AWS_ACCESS_KEY_ID:-}"
V2_AWS_SECRET_ACCESS_KEY="${V2_AWS_SECRET_ACCESS_KEY:-}"
if [[ -n "$V2_AWS_ACCESS_KEY_ID" && -n "$V2_AWS_SECRET_ACCESS_KEY" ]]; then
set +x
sudo tee /etc/osbuild-worker/aws-credentials.toml > /dev/null << EOF
[default]
aws_access_key_id = "$V2_AWS_ACCESS_KEY_ID"
aws_secret_access_key = "$V2_AWS_SECRET_ACCESS_KEY"
EOF
sudo tee -a /etc/osbuild-worker/osbuild-worker.toml > /dev/null << EOF
sudo tee -a /etc/osbuild-worker/osbuild-worker.toml > /dev/null << EOF
[aws]
credentials = "/etc/osbuild-worker/aws-credentials.toml"
bucket = "${AWS_BUCKET}"
EOF
set -x
fi
set -x
fi
# Copy rpmrepo snapshots for use in weldr tests
REPODIR=/etc/osbuild-composer/repositories
sudo mkdir -p $REPODIR
# Copy all fedora repo overrides
sudo cp -a /usr/share/tests/osbuild-composer/repositories/{fedora,centos}-*.json "$REPODIR"
# Copy RHEL point release repos
sudo cp /usr/share/tests/osbuild-composer/repositories/rhel-85.json "$REPODIR"
sudo cp /usr/share/tests/osbuild-composer/repositories/rhel-86.json "$REPODIR"
sudo cp /usr/share/tests/osbuild-composer/repositories/rhel-87.json "$REPODIR"
sudo cp /usr/share/tests/osbuild-composer/repositories/rhel-90.json "$REPODIR"
sudo cp /usr/share/tests/osbuild-composer/repositories/rhel-91.json "$REPODIR"
else # AUTH_METHOD_NONE
# Repositories in /etc/osbuild-composer/repositories are used only in the
# on-premise scenario (Weldr).
# Copy rpmrepo snapshots for use in weldr tests
REPODIR=/etc/osbuild-composer/repositories
sudo mkdir -p $REPODIR
# Copy all fedora repo overrides
sudo cp -a /usr/share/tests/osbuild-composer/repositories/{fedora,centos}-*.json "$REPODIR"
# Copy RHEL point release repos
sudo cp /usr/share/tests/osbuild-composer/repositories/rhel-85.json "$REPODIR"
sudo cp /usr/share/tests/osbuild-composer/repositories/rhel-86.json "$REPODIR"
sudo cp /usr/share/tests/osbuild-composer/repositories/rhel-87.json "$REPODIR"
sudo cp /usr/share/tests/osbuild-composer/repositories/rhel-90.json "$REPODIR"
sudo cp /usr/share/tests/osbuild-composer/repositories/rhel-91.json "$REPODIR"
# RHEL nightly repos need to be overridden
case "${ID}-${VERSION_ID}" in
"rhel-8.6")
# Override old rhel-8.json and rhel-8-beta.json because RHEL 8.6 test needs nightly repos
sudo cp /usr/share/tests/osbuild-composer/repositories/rhel-86.json "$REPODIR/rhel-8.json"
# If multiple tests are run and call provision.sh the symlink will need to be overridden with -f
sudo ln -sf /etc/osbuild-composer/repositories/rhel-8.json "$REPODIR/rhel-8-beta.json"
;;
"rhel-9.0")
# Override old rhel-90.json and rhel-90-beta.json because RHEL 9.0 test needs nightly repos
sudo cp /usr/share/tests/osbuild-composer/repositories/rhel-90.json "$REPODIR/rhel-90.json"
# If multiple tests are run and call provision.sh the symlink will need to be overridden with -f
sudo ln -sf /etc/osbuild-composer/repositories/rhel-90.json "$REPODIR/rhel-90-beta.json"
;;
*) ;;
esac
# RHEL nightly repos need to be overridden
case "${ID}-${VERSION_ID}" in
"rhel-8.6")
# Override old rhel-8.json and rhel-8-beta.json because RHEL 8.6 test needs nightly repos
sudo cp /usr/share/tests/osbuild-composer/repositories/rhel-86.json "$REPODIR/rhel-8.json"
# If multiple tests are run and call provision.sh the symlink will need to be overridden with -f
sudo ln -sf /etc/osbuild-composer/repositories/rhel-8.json "$REPODIR/rhel-8-beta.json"
;;
"rhel-9.0")
# Override old rhel-90.json and rhel-90-beta.json because RHEL 9.0 test needs nightly repos
sudo cp /usr/share/tests/osbuild-composer/repositories/rhel-90.json "$REPODIR/rhel-90.json"
# If multiple tests are run and call provision.sh the symlink will need to be overridden with -f
sudo ln -sf /etc/osbuild-composer/repositories/rhel-90.json "$REPODIR/rhel-90-beta.json"
;;
*) ;;
esac
# overrides for RHEL nightly builds testing
VERSION_SUFFIX=$(echo "${VERSION_ID}" | tr -d ".")
if [ -f "rhel-${VERSION_ID%.*}.json" ]; then
sudo cp rhel-"${VERSION_ID%.*}".json "$REPODIR/rhel-${VERSION_SUFFIX}.json"
fi
# overrides for RHEL nightly builds testing
VERSION_SUFFIX=$(echo "${VERSION_ID}" | tr -d ".")
if [ -f "rhel-${VERSION_ID%.*}.json" ]; then
sudo cp rhel-"${VERSION_ID%.*}".json "$REPODIR/rhel-${VERSION_SUFFIX}.json"
fi
if [ -f "rhel-${VERSION_ID%.*}-beta.json" ]; then
sudo cp rhel-"${VERSION_ID%.*}"-beta.json "$REPODIR/rhel-${VERSION_SUFFIX}-beta.json"
if [ -f "rhel-${VERSION_ID%.*}-beta.json" ]; then
sudo cp rhel-"${VERSION_ID%.*}"-beta.json "$REPODIR/rhel-${VERSION_SUFFIX}-beta.json"
fi
fi
# start appropriate units
@ -175,6 +186,15 @@ case "${AUTH_METHOD}" in
sudo systemctl start osbuild-remote-worker@localhost:8700.service
;;
"${AUTH_METHOD_NONE}")
# No authentication method is used on-premise with Weldr. This means that:
# - only local worker will be used (started automatically)
# - only Weldr API socket will be started
sudo systemctl stop 'osbuild*'
# enable Weldr API
sudo systemctl start osbuild-composer.socket
;;
*)
# the default setup used previously for all tests
sudo systemctl start osbuild-remote-worker.socket