2fe5e01d4d
Extend the `api.sh` to allow testing compose requests with distro name which does not use dot-notation (specifically when the dot is removed from the distro name as it used to be in the past). In addition to that, allow also testing the distro alias using distro name without the minor version in compose requests. Enable these two new test variants in the CI. Signed-off-by: Tomáš Hozza <thozza@redhat.com>
261 lines
11 KiB
Bash
Executable file
261 lines
11 KiB
Bash
Executable file
#!/bin/bash
|
|
set -euxo pipefail
|
|
|
|
source /usr/libexec/osbuild-composer-test/set-env-variables.sh
|
|
source /usr/libexec/tests/osbuild-composer/shared_lib.sh
|
|
|
|
# create artifacts folder
|
|
ARTIFACTS="${ARTIFACTS:=/tmp/artifacts}"
|
|
mkdir -p "${ARTIFACTS}"
|
|
|
|
# determine the authentication method used by composer
|
|
AUTH_METHOD_TLS="tls"
|
|
AUTH_METHOD_JWT="jwt"
|
|
AUTH_METHOD_NONE="none"
|
|
# default to TLS for now
|
|
AUTH_METHOD="${1:-$AUTH_METHOD_TLS}"
|
|
|
|
COMPOSER_CONFIG="/etc/osbuild-composer/osbuild-composer.toml"
|
|
|
|
# Path to a file with additional configuration for composer.
|
|
# The content of this file will be appended to the default configuration.
|
|
EXTRA_COMPOSER_CONFIG="${2:-}"
|
|
|
|
if [[ -n "${EXTRA_COMPOSER_CONFIG}" && ! -f "${EXTRA_COMPOSER_CONFIG}" ]]; then
|
|
echo "ERROR: File '${EXTRA_COMPOSER_CONFIG}' with extra configuration for composer does not exist."
|
|
exit 1
|
|
fi
|
|
|
|
# koji and ansible are not in RHEL repositories. Depending on them in the spec
|
|
# file breaks RHEL gating (see OSCI-1541). Therefore, we need to enable epel
|
|
# and install koji and ansible here.
|
|
if [[ $ID == rhel || $ID == centos ]] && ! rpm -q epel-release; then
|
|
curl -Ls --retry 5 --output /tmp/epel.rpm \
|
|
https://dl.fedoraproject.org/pub/epel/epel-release-latest-"${VERSION_ID%.*}".noarch.rpm
|
|
sudo rpm -Uvh /tmp/epel.rpm
|
|
fi
|
|
|
|
# RHEL 8.6+ and CentOS 9 require different handling for ansible
|
|
ge86=$(echo "${VERSION_ID}" | awk '{print $1 >= 8.6}') # do a numerical comparison for the version
|
|
echo -n "${ID}=${VERSION_ID} "
|
|
if [[ "${ID}" == "rhel" || "${ID}" == "centos" ]] && (( ge86 )); then
|
|
sudo dnf install -y ansible-core koji
|
|
else
|
|
sudo dnf install -y ansible koji
|
|
fi
|
|
|
|
# workaround for bug https://bugzilla.redhat.com/show_bug.cgi?id=2162815
|
|
if [[ "${ID}" == "fedora" && "$VERSION_ID" == "37" ]]; then
|
|
sudo dnf install -y nghttp2
|
|
fi
|
|
|
|
# workaround for bug https://bugzilla.redhat.com/show_bug.cgi?id=2057769
|
|
if [[ "$VERSION_ID" == "9.0" || "$VERSION_ID" == "9" ]]; then
|
|
if [[ -f "/usr/share/qemu/firmware/50-edk2-ovmf-amdsev.json" ]]; then
|
|
jq '.mapping += {"nvram-template": {"filename": "/usr/share/edk2/ovmf/OVMF_VARS.fd","format": "raw"}}' /usr/share/qemu/firmware/50-edk2-ovmf-amdsev.json | sudo tee /tmp/50-edk2-ovmf-amdsev.json
|
|
sudo mv /tmp/50-edk2-ovmf-amdsev.json /usr/share/qemu/firmware/50-edk2-ovmf-amdsev.json
|
|
fi
|
|
fi
|
|
|
|
sudo mkdir -p /etc/osbuild-composer
|
|
sudo mkdir -p /etc/osbuild-worker
|
|
|
|
# osbuild-composer and worker need to be configured in a specific way only when using
|
|
# some authentication method (Service scenario). In such case, also credentials for
|
|
# interacting with cloud providers are configured directly in the worker. In addition,
|
|
# no certificates need to be generated, because they are not used anywhere in this
|
|
# scenario.
|
|
if [[ "$AUTH_METHOD" != "$AUTH_METHOD_NONE" ]]; then
|
|
# Generate all X.509 certificates for the tests
|
|
# The whole generation is done in a $CADIR to better represent how osbuild-ca
|
|
# it.
|
|
CERTDIR=/etc/osbuild-composer
|
|
OPENSSL_CONFIG=/usr/share/tests/osbuild-composer/x509/openssl.cnf
|
|
CADIR=/etc/osbuild-composer-test/ca
|
|
|
|
scriptloc=$(dirname "$0")
|
|
sudo "${scriptloc}/gen-certs.sh" "${OPENSSL_CONFIG}" "${CERTDIR}" "${CADIR}"
|
|
sudo chown _osbuild-composer "${CERTDIR}"/composer-*.pem
|
|
|
|
# Copy the appropriate configuration files
|
|
if [[ "$AUTH_METHOD" == "$AUTH_METHOD_JWT" ]]; then
|
|
COMPOSER_TEST_CONFIG="/usr/share/tests/osbuild-composer/composer/osbuild-composer-jwt.toml"
|
|
WORKER_TEST_CONFIG="/usr/share/tests/osbuild-composer/worker/osbuild-worker-jwt.toml"
|
|
|
|
# Default orgID
|
|
sudo tee "/etc/osbuild-worker/token" >/dev/null <<EOF
|
|
123456789
|
|
EOF
|
|
|
|
/usr/libexec/osbuild-composer-test/run-mock-auth-servers.sh start
|
|
|
|
elif [[ "$AUTH_METHOD" == "$AUTH_METHOD_TLS" ]]; then
|
|
COMPOSER_TEST_CONFIG="/usr/share/tests/osbuild-composer/composer/osbuild-composer-tls.toml"
|
|
WORKER_TEST_CONFIG="/usr/share/tests/osbuild-composer/worker/osbuild-worker-tls.toml"
|
|
fi
|
|
|
|
sudo cp -a "$COMPOSER_TEST_CONFIG" "$COMPOSER_CONFIG"
|
|
sudo cp -a "$WORKER_TEST_CONFIG" /etc/osbuild-worker/osbuild-worker.toml
|
|
|
|
# if GCP credentials are defined in the ENV, add them to the worker's configuration
|
|
GOOGLE_APPLICATION_CREDENTIALS="${GOOGLE_APPLICATION_CREDENTIALS:-}"
|
|
if [ -n "$GOOGLE_APPLICATION_CREDENTIALS" ]; then
|
|
# The credentials file must be copied to a different location. Jenkins places
|
|
# it into /tmp and as a result, the worker would not see it due to using PrivateTmp=true.
|
|
GCP_CREDS_WORKER_PATH="/etc/osbuild-worker/gcp-credentials.json"
|
|
sudo cp "$GOOGLE_APPLICATION_CREDENTIALS" "$GCP_CREDS_WORKER_PATH"
|
|
sudo tee -a /etc/osbuild-worker/osbuild-worker.toml > /dev/null << EOF
|
|
|
|
[gcp]
|
|
credentials = "$GCP_CREDS_WORKER_PATH"
|
|
bucket = "$GCP_BUCKET"
|
|
EOF
|
|
fi
|
|
|
|
# if Azure credentials are defined in the env, create the credentials file
|
|
V2_AZURE_CLIENT_ID="${V2_AZURE_CLIENT_ID:-}"
|
|
V2_AZURE_CLIENT_SECRET="${V2_AZURE_CLIENT_SECRET:-}"
|
|
if [[ -n "$V2_AZURE_CLIENT_ID" && -n "$V2_AZURE_CLIENT_SECRET" ]]; then
|
|
set +x
|
|
sudo tee /etc/osbuild-worker/azure-credentials.toml > /dev/null << EOF
|
|
client_id = "$V2_AZURE_CLIENT_ID"
|
|
client_secret = "$V2_AZURE_CLIENT_SECRET"
|
|
EOF
|
|
sudo tee -a /etc/osbuild-worker/osbuild-worker.toml > /dev/null << EOF
|
|
|
|
[azure]
|
|
credentials = "/etc/osbuild-worker/azure-credentials.toml"
|
|
EOF
|
|
set -x
|
|
fi
|
|
|
|
# if AWS credentials are defined in the ENV, add them to the worker's configuration
|
|
V2_AWS_ACCESS_KEY_ID="${V2_AWS_ACCESS_KEY_ID:-}"
|
|
V2_AWS_SECRET_ACCESS_KEY="${V2_AWS_SECRET_ACCESS_KEY:-}"
|
|
if [[ -n "$V2_AWS_ACCESS_KEY_ID" && -n "$V2_AWS_SECRET_ACCESS_KEY" ]]; then
|
|
set +x
|
|
sudo tee /etc/osbuild-worker/aws-credentials.toml > /dev/null << EOF
|
|
[default]
|
|
aws_access_key_id = "$V2_AWS_ACCESS_KEY_ID"
|
|
aws_secret_access_key = "$V2_AWS_SECRET_ACCESS_KEY"
|
|
EOF
|
|
sudo tee -a /etc/osbuild-worker/osbuild-worker.toml > /dev/null << EOF
|
|
|
|
[aws]
|
|
credentials = "/etc/osbuild-worker/aws-credentials.toml"
|
|
bucket = "${AWS_BUCKET}"
|
|
EOF
|
|
set -x
|
|
fi
|
|
|
|
# if OCI credentials are defined in the ENV, add them to the worker's configuration
|
|
OCI_SECRETS="${OCI_SECRETS:-}"
|
|
OCI_PRIVATE_KEY="${OCI_PRIVATE_KEY:-}"
|
|
if [[ -n "$OCI_SECRETS" && -n "$OCI_PRIVATE_KEY" ]]; then
|
|
set +x
|
|
OCI_USER=$(jq -r '.user' "$OCI_SECRETS")
|
|
OCI_TENANCY=$(jq -r '.tenancy' "$OCI_SECRETS")
|
|
OCI_REGION=$(jq -r '.region' "$OCI_SECRETS")
|
|
OCI_FINGERPRINT=$(jq -r '.fingerprint' "$OCI_SECRETS")
|
|
OCI_BUCKET_NAME=$(jq -r '.bucket' "$OCI_SECRETS")
|
|
OCI_NAMESPACE=$(jq -r '.namespace' "$OCI_SECRETS")
|
|
OCI_COMPARTMENT=$(jq -r '.compartment' "$OCI_SECRETS")
|
|
OCI_PRIV_KEY=$(cat "$OCI_PRIVATE_KEY")
|
|
|
|
sudo tee /etc/osbuild-worker/oci-credentials.toml > /dev/null << EOF
|
|
user = "$OCI_USER"
|
|
tenancy = "$OCI_TENANCY"
|
|
region = "$OCI_REGION"
|
|
fingerprint = "$OCI_FINGERPRINT"
|
|
namespace = "$OCI_NAMESPACE"
|
|
bucket = "$OCI_BUCKET_NAME"
|
|
private_key = """
|
|
$OCI_PRIV_KEY
|
|
"""
|
|
compartment = "$OCI_COMPARTMENT"
|
|
EOF
|
|
sudo tee -a /etc/osbuild-worker/osbuild-worker.toml > /dev/null << EOF
|
|
[oci]
|
|
credentials = "/etc/osbuild-worker/oci-credentials.toml"
|
|
EOF
|
|
set -x
|
|
fi
|
|
|
|
else # AUTH_METHOD_NONE
|
|
# Repositories in /etc/osbuild-composer/repositories are used only in the
|
|
# on-premise scenario (Weldr).
|
|
# Copy rpmrepo snapshots for use in weldr tests
|
|
REPODIR=/etc/osbuild-composer/repositories
|
|
sudo mkdir -p $REPODIR
|
|
# Copy all fedora repo overrides
|
|
sudo cp -a /usr/share/tests/osbuild-composer/repositories/{fedora,centos}-*.json "$REPODIR"
|
|
# Copy RHEL point release repos
|
|
sudo cp -a /usr/share/tests/osbuild-composer/repositories/rhel-*.json "$REPODIR"
|
|
|
|
# override source repositories to consume content from the nightly compose
|
|
if [ "${NIGHTLY:=false}" == "true" ]; then
|
|
source /usr/libexec/osbuild-composer-test/define-compose-url.sh
|
|
|
|
# TODO: remove once the osbuild-composer v100 is in RHEL
|
|
if ! nvrGreaterOrEqual "osbuild-composer" "100"; then
|
|
VERSION_SUFFIX=$(echo "${VERSION_ID}" | tr -d ".")
|
|
# remove dots from the repo overrides filename, because the installed version of composer can't handle it
|
|
for REPO_FILE in "${REPODIR}"/*.json; do
|
|
REPO_FILE_NO_DOTS="$(basename "${REPO_FILE}" ".json" | tr -d ".").json"
|
|
if [[ "${REPO_FILE}" != "${REPODIR}/${REPO_FILE_NO_DOTS}" ]]; then
|
|
sudo mv "${REPO_FILE}" "${REPODIR}/${REPO_FILE_NO_DOTS}"
|
|
fi
|
|
done
|
|
else
|
|
VERSION_SUFFIX=${VERSION_ID}
|
|
fi
|
|
|
|
for ARCH in aarch64 ppc64le s390x x86_64; do
|
|
for REPO_NAME in BaseOS AppStream RT; do
|
|
REPO_NAME_LOWERCASE=$(echo "$REPO_NAME" | tr "[:upper:]" "[:lower:]")
|
|
# will replace only the lines which match
|
|
sudo sed -i "s|https://rpmrepo.osbuild.org/v2/mirror/rhvpn/el.*${ARCH}-${REPO_NAME_LOWERCASE}-.*|${COMPOSE_URL}/compose/${REPO_NAME}/${ARCH}/os/\",|" "${REPODIR}/rhel-${VERSION_SUFFIX}.json"
|
|
done
|
|
done
|
|
fi
|
|
fi
|
|
|
|
# Append the extra configuration to the default configuration
|
|
if [[ -n "${EXTRA_COMPOSER_CONFIG}" ]]; then
|
|
echo "INFO: Appending extra composer configuration from '${EXTRA_COMPOSER_CONFIG}'"
|
|
cat "${EXTRA_COMPOSER_CONFIG}" | sudo tee -a "${COMPOSER_CONFIG}"
|
|
fi
|
|
|
|
# start appropriate units
|
|
case "${AUTH_METHOD}" in
|
|
"${AUTH_METHOD_JWT}" | "${AUTH_METHOD_TLS}")
|
|
# JWT / TLS are used only in the "Service" scenario. This means that:
|
|
# - only remote workers will be used (no local worker)
|
|
# - only Cloud API socket will be started (no Weldr API)
|
|
sudo systemctl stop 'osbuild*'
|
|
# make sure that the local worker is not running
|
|
sudo systemctl mask osbuild-worker@1.service
|
|
# enable remote worker API
|
|
sudo systemctl start osbuild-remote-worker.socket
|
|
# enable Cloud API
|
|
sudo systemctl start osbuild-composer-api.socket
|
|
# start a remote worker
|
|
sudo systemctl start osbuild-remote-worker@localhost:8700.service
|
|
;;
|
|
|
|
"${AUTH_METHOD_NONE}")
|
|
# No authentication method is used on-premise with Weldr. This means that:
|
|
# - only local worker will be used (started automatically)
|
|
# - only Weldr API socket will be started
|
|
sudo systemctl stop 'osbuild*'
|
|
# enable Weldr API
|
|
sudo systemctl start osbuild-composer.socket
|
|
|
|
# Print debugging info about content sources
|
|
sudo composer-cli status show
|
|
sudo composer-cli sources list
|
|
for SOURCE in $(sudo composer-cli sources list); do
|
|
sudo composer-cli sources info "$SOURCE"
|
|
done
|
|
;;
|
|
esac
|