a4b0efb278
`tools/provision.sh` is provisioning SUT always in the same way for
both, the Service scenario and the on-premise scenario. While this is
not causing any issues, it does not realistically represent how we
expect osbuild-composer and worker to be used in these scenarios.
The script currently supports the following authentication options:
- `none`
- Intended for the on-premise scenario with Weldr API.
- NO certificates are generated.
- NO osbuild-composer configuration file is created.
- NO osbuild-worker configuration file is created. This means that no
cloud provider credentials are configured directly in the worker.
- Only the local worker is started and used.
- Only the Weldr API socker is started.
- Appropriate repository definitions are copied to
`/etc/osbuild-composer/repositories/`.
- `jwt`
- Intended for the Service scenario with Cloud API.
- Should be the only method supported in the Service scenario in the
future.
- Certificates are generated and copied to `/etc/osbuild-composer`.
- osbuild-composer configuration file is created and configured for
JWT authentication.
- osbuild-worker configuration file is created, configured for JWT
authentication and with appropriate cloud provider credentials.
- Local worker unit is masked. Only the remote worker is used (the
socket is started and one remote-worker instance is created).
- Only the Cloud API socket is started (Weldr API socket is stopped).
- NO repository definitions are copied to
`/etc/osbuild-composer/repositories/`.
- `tls`
- Intended for the Service scenario with Cloud API.
- Should eventually go away.
- Certificates are generated and copied to `/etc/osbuild-composer`.
- osbuild-composer configuration file is created and configured for
TLS client cert authentication.
- osbuild-worker configuration file is created, configured for TLS
authentication and with appropriate cloud provider credentials.
- Services and sockets are started as they used to be originally:
- Both local and remote worker sockets are started.
- Both Weldr and Cloud API sockets are started.
- Only the local worker unit will be started automatically.
- NO repository definitions are copied to
`/etc/osbuild-composer/repositories/`.
210 lines
9.2 KiB
Bash
Executable file
210 lines
9.2 KiB
Bash
Executable file
#!/bin/bash
|
|
set -euxo pipefail
|
|
|
|
source /usr/libexec/osbuild-composer-test/set-env-variables.sh
|
|
|
|
# create artifacts folder
|
|
ARTIFACTS="${ARTIFACTS:=/tmp/artifacts}"
|
|
mkdir -p "${ARTIFACTS}"
|
|
|
|
# determine the authentication method used by composer
|
|
AUTH_METHOD_TLS="tls"
|
|
AUTH_METHOD_JWT="jwt"
|
|
AUTH_METHOD_NONE="none"
|
|
# default to TLS for now
|
|
AUTH_METHOD="${1:-$AUTH_METHOD_TLS}"
|
|
|
|
# koji and ansible are not in RHEL repositories. Depending on them in the spec
|
|
# file breaks RHEL gating (see OSCI-1541). Therefore, we need to enable epel
|
|
# and install koji and ansible here.
|
|
if [[ $ID == rhel || $ID == centos ]] && ! rpm -q epel-release; then
|
|
curl -Ls --retry 5 --output /tmp/epel.rpm \
|
|
https://dl.fedoraproject.org/pub/epel/epel-release-latest-"${VERSION_ID%.*}".noarch.rpm
|
|
sudo rpm -Uvh /tmp/epel.rpm
|
|
fi
|
|
|
|
# RHEL 8.6+ and CentOS 9 require different handling for ansible
|
|
ge86=$(echo "${VERSION_ID}" | awk '{print $1 >= 8.6}') # do a numerical comparison for the version
|
|
echo -n "${ID}=${VERSION_ID} "
|
|
if [[ "${ID}" == "rhel" || "${ID}" == "centos" ]] && (( ge86 )); then
|
|
sudo dnf install -y ansible-core koji
|
|
else
|
|
sudo dnf install -y ansible koji
|
|
fi
|
|
|
|
# workaround for bug https://bugzilla.redhat.com/show_bug.cgi?id=2057769
|
|
if [[ "$VERSION_ID" == "9.0" || "$VERSION_ID" == "9" ]]; then
|
|
if [[ -f "/usr/share/qemu/firmware/50-edk2-ovmf-amdsev.json" ]]; then
|
|
jq '.mapping += {"nvram-template": {"filename": "/usr/share/edk2/ovmf/OVMF_VARS.fd","format": "raw"}}' /usr/share/qemu/firmware/50-edk2-ovmf-amdsev.json | sudo tee /tmp/50-edk2-ovmf-amdsev.json
|
|
sudo mv /tmp/50-edk2-ovmf-amdsev.json /usr/share/qemu/firmware/50-edk2-ovmf-amdsev.json
|
|
fi
|
|
fi
|
|
|
|
sudo mkdir -p /etc/osbuild-composer
|
|
sudo mkdir -p /etc/osbuild-worker
|
|
|
|
# osbuild-composer and worker need to be configured in a specific way only when using
|
|
# some authentication method (Service scenario). In such case, also credentials for
|
|
# interacting with cloud providers are configured directly in the worker. In addition,
|
|
# no certificates need to be generated, because they are not used anywhere in this
|
|
# scenario.
|
|
if [[ "$AUTH_METHOD" != "$AUTH_METHOD_NONE" ]]; then
|
|
# Generate all X.509 certificates for the tests
|
|
# The whole generation is done in a $CADIR to better represent how osbuild-ca
|
|
# it.
|
|
CERTDIR=/etc/osbuild-composer
|
|
OPENSSL_CONFIG=/usr/share/tests/osbuild-composer/x509/openssl.cnf
|
|
CADIR=/etc/osbuild-composer-test/ca
|
|
|
|
scriptloc=$(dirname "$0")
|
|
sudo "${scriptloc}/gen-certs.sh" "${OPENSSL_CONFIG}" "${CERTDIR}" "${CADIR}"
|
|
sudo chown _osbuild-composer "${CERTDIR}"/composer-*.pem
|
|
|
|
# Copy the appropriate configuration files
|
|
if [[ "$AUTH_METHOD" == "$AUTH_METHOD_JWT" ]]; then
|
|
COMPOSER_TEST_CONFIG="/usr/share/tests/osbuild-composer/composer/osbuild-composer-jwt.toml"
|
|
WORKER_TEST_CONFIG="/usr/share/tests/osbuild-composer/worker/osbuild-worker-jwt.toml"
|
|
|
|
# Default orgID
|
|
sudo tee "/etc/osbuild-worker/token" >/dev/null <<EOF
|
|
123456789
|
|
EOF
|
|
|
|
/usr/libexec/osbuild-composer-test/run-mock-auth-servers.sh start
|
|
|
|
elif [[ "$AUTH_METHOD" == "$AUTH_METHOD_TLS" ]]; then
|
|
COMPOSER_TEST_CONFIG="/usr/share/tests/osbuild-composer/composer/osbuild-composer-tls.toml"
|
|
WORKER_TEST_CONFIG="/usr/share/tests/osbuild-composer/worker/osbuild-worker-tls.toml"
|
|
fi
|
|
|
|
sudo cp -a "$COMPOSER_TEST_CONFIG" /etc/osbuild-composer/osbuild-composer.toml
|
|
sudo cp -a "$WORKER_TEST_CONFIG" /etc/osbuild-worker/osbuild-worker.toml
|
|
|
|
# if GCP credentials are defined in the ENV, add them to the worker's configuration
|
|
GOOGLE_APPLICATION_CREDENTIALS="${GOOGLE_APPLICATION_CREDENTIALS:-}"
|
|
if [ -n "$GOOGLE_APPLICATION_CREDENTIALS" ]; then
|
|
# The credentials file must be copied to a different location. Jenkins places
|
|
# it into /tmp and as a result, the worker would not see it due to using PrivateTmp=true.
|
|
GCP_CREDS_WORKER_PATH="/etc/osbuild-worker/gcp-credentials.json"
|
|
sudo cp "$GOOGLE_APPLICATION_CREDENTIALS" "$GCP_CREDS_WORKER_PATH"
|
|
echo -e "\n[gcp]\ncredentials = \"$GCP_CREDS_WORKER_PATH\"\n" | sudo tee -a /etc/osbuild-worker/osbuild-worker.toml
|
|
fi
|
|
|
|
# if Azure credentials are defined in the env, create the credentials file
|
|
V2_AZURE_CLIENT_ID="${V2_AZURE_CLIENT_ID:-}"
|
|
V2_AZURE_CLIENT_SECRET="${V2_AZURE_CLIENT_SECRET:-}"
|
|
if [[ -n "$V2_AZURE_CLIENT_ID" && -n "$V2_AZURE_CLIENT_SECRET" ]]; then
|
|
set +x
|
|
sudo tee /etc/osbuild-worker/azure-credentials.toml > /dev/null << EOF
|
|
client_id = "$V2_AZURE_CLIENT_ID"
|
|
client_secret = "$V2_AZURE_CLIENT_SECRET"
|
|
EOF
|
|
sudo tee -a /etc/osbuild-worker/osbuild-worker.toml > /dev/null << EOF
|
|
|
|
[azure]
|
|
credentials = "/etc/osbuild-worker/azure-credentials.toml"
|
|
EOF
|
|
set -x
|
|
fi
|
|
|
|
# if AWS credentials are defined in the ENV, add them to the worker's configuration
|
|
V2_AWS_ACCESS_KEY_ID="${V2_AWS_ACCESS_KEY_ID:-}"
|
|
V2_AWS_SECRET_ACCESS_KEY="${V2_AWS_SECRET_ACCESS_KEY:-}"
|
|
if [[ -n "$V2_AWS_ACCESS_KEY_ID" && -n "$V2_AWS_SECRET_ACCESS_KEY" ]]; then
|
|
set +x
|
|
sudo tee /etc/osbuild-worker/aws-credentials.toml > /dev/null << EOF
|
|
[default]
|
|
aws_access_key_id = "$V2_AWS_ACCESS_KEY_ID"
|
|
aws_secret_access_key = "$V2_AWS_SECRET_ACCESS_KEY"
|
|
EOF
|
|
sudo tee -a /etc/osbuild-worker/osbuild-worker.toml > /dev/null << EOF
|
|
|
|
[aws]
|
|
credentials = "/etc/osbuild-worker/aws-credentials.toml"
|
|
bucket = "${AWS_BUCKET}"
|
|
EOF
|
|
set -x
|
|
fi
|
|
|
|
else # AUTH_METHOD_NONE
|
|
# Repositories in /etc/osbuild-composer/repositories are used only in the
|
|
# on-premise scenario (Weldr).
|
|
# Copy rpmrepo snapshots for use in weldr tests
|
|
REPODIR=/etc/osbuild-composer/repositories
|
|
sudo mkdir -p $REPODIR
|
|
# Copy all fedora repo overrides
|
|
sudo cp -a /usr/share/tests/osbuild-composer/repositories/{fedora,centos}-*.json "$REPODIR"
|
|
# Copy RHEL point release repos
|
|
sudo cp /usr/share/tests/osbuild-composer/repositories/rhel-85.json "$REPODIR"
|
|
sudo cp /usr/share/tests/osbuild-composer/repositories/rhel-86.json "$REPODIR"
|
|
sudo cp /usr/share/tests/osbuild-composer/repositories/rhel-87.json "$REPODIR"
|
|
sudo cp /usr/share/tests/osbuild-composer/repositories/rhel-90.json "$REPODIR"
|
|
sudo cp /usr/share/tests/osbuild-composer/repositories/rhel-91.json "$REPODIR"
|
|
|
|
# RHEL nightly repos need to be overridden
|
|
case "${ID}-${VERSION_ID}" in
|
|
"rhel-8.6")
|
|
# Override old rhel-8.json and rhel-8-beta.json because RHEL 8.6 test needs nightly repos
|
|
sudo cp /usr/share/tests/osbuild-composer/repositories/rhel-86.json "$REPODIR/rhel-8.json"
|
|
# If multiple tests are run and call provision.sh the symlink will need to be overridden with -f
|
|
sudo ln -sf /etc/osbuild-composer/repositories/rhel-8.json "$REPODIR/rhel-8-beta.json"
|
|
;;
|
|
"rhel-9.0")
|
|
# Override old rhel-90.json and rhel-90-beta.json because RHEL 9.0 test needs nightly repos
|
|
sudo cp /usr/share/tests/osbuild-composer/repositories/rhel-90.json "$REPODIR/rhel-90.json"
|
|
# If multiple tests are run and call provision.sh the symlink will need to be overridden with -f
|
|
sudo ln -sf /etc/osbuild-composer/repositories/rhel-90.json "$REPODIR/rhel-90-beta.json"
|
|
;;
|
|
*) ;;
|
|
esac
|
|
|
|
# overrides for RHEL nightly builds testing
|
|
VERSION_SUFFIX=$(echo "${VERSION_ID}" | tr -d ".")
|
|
if [ -f "rhel-${VERSION_ID%.*}.json" ]; then
|
|
sudo cp rhel-"${VERSION_ID%.*}".json "$REPODIR/rhel-${VERSION_SUFFIX}.json"
|
|
fi
|
|
|
|
if [ -f "rhel-${VERSION_ID%.*}-beta.json" ]; then
|
|
sudo cp rhel-"${VERSION_ID%.*}"-beta.json "$REPODIR/rhel-${VERSION_SUFFIX}-beta.json"
|
|
fi
|
|
fi
|
|
|
|
# start appropriate units
|
|
case "${AUTH_METHOD}" in
|
|
"${AUTH_METHOD_JWT}")
|
|
# JWT is used only in the "Service" scenario. This means that:
|
|
# - only remote workers will be used (no local worker)
|
|
# - only Cloud API socket will be started (no Weldr API)
|
|
sudo systemctl stop 'osbuild*'
|
|
# make sure that the local worker is not running
|
|
sudo systemctl mask osbuild-worker@1.service
|
|
# enable remote worker API
|
|
sudo systemctl start osbuild-remote-worker.socket
|
|
# enable Cloud API
|
|
sudo systemctl start osbuild-composer-api.socket
|
|
# start a remote worker
|
|
sudo systemctl start osbuild-remote-worker@localhost:8700.service
|
|
;;
|
|
|
|
"${AUTH_METHOD_NONE}")
|
|
# No authentication method is used on-premise with Weldr. This means that:
|
|
# - only local worker will be used (started automatically)
|
|
# - only Weldr API socket will be started
|
|
sudo systemctl stop 'osbuild*'
|
|
# enable Weldr API
|
|
sudo systemctl start osbuild-composer.socket
|
|
;;
|
|
|
|
*)
|
|
# the default setup used previously for all tests
|
|
sudo systemctl start osbuild-remote-worker.socket
|
|
sudo systemctl start osbuild-composer.socket
|
|
sudo systemctl start osbuild-composer-api.socket
|
|
|
|
# The keys were regenerated but osbuild-composer might be already running.
|
|
# Let's try to restart it. In ideal world, this shouldn't be needed as every
|
|
# test case is supposed to run on a pristine machine. However, this is
|
|
# currently not true on Schutzbot
|
|
sudo systemctl try-restart osbuild-composer
|
|
;;
|
|
esac
|