From 85d7120d9fe2b3e0513ba3c14d27594014751d59 Mon Sep 17 00:00:00 2001
From: Tomas Hozza
Date: Fri, 29 Jul 2022 22:43:29 +0200
Subject: [PATCH] CI: Use Fedora 36, RHEL-8.6 and the latest osbuild and composer

Use latest osbuild and osbuild-composer releases. This is important to be later able to test direct uploading to the cloud for Koji composes. Also the mock openid server had to be enhanced to be usable for testing `koji-osbuild`. Modify used osbuild-worker configuration to use JWT for authentication with composer. Update configurations of both, composer and worker to handle multi-tenancy. Do not start any services in `schutzbot/deploy.sh`, because at that point, none of the configuration files are in place. Ensure that the correct units are started and masked by `test/integration.sh` to simulate the Service scenario more closely. This means that the local worker is masked and only remote worker is started.

Co-authored-by: Jakub Rusz
---
 .gitlab-ci.yml | 12 ++++++------
 schutzbot/deploy.sh | 7 ++-----
 schutzbot/terraform | 2 +-
 test/copy-creds.sh | 2 ++
 test/data/osbuild-composer.toml | 12 +++++++++---
 test/data/osbuild-worker.toml | 5 +++++
 test/integration.sh | 27 ++++++++++++++++++---------
 test/run-builder.sh | 6 +-----
 test/run-openid.sh | 2 +-
 9 files changed, 45 insertions(+), 30 deletions(-)

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index d5d79f0..8159921 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -26,10 +26,10 @@ RPM:
 parallel:
 matrix:
 - RUNNER:
- - aws/fedora-34-x86_64
- - aws/fedora-34-aarch64
- - aws/rhel-8.5-ga-x86_64
- - aws/rhel-8.5-ga-aarch64
+ - aws/fedora-36-x86_64
+ - aws/fedora-36-aarch64
+ - aws/rhel-8.6-ga-x86_64
+ - aws/rhel-8.6-ga-aarch64
 Testing:
 stage: test
@@ -45,10 +45,10 @@ Testing:
 - RUNNER:
 # https://quay.io/repository/osbuild/postgres available only for x86_64
 # - aws/fedora-33-aarch64
- - aws/fedora-34-x86_64
+ - aws/fedora-36-x86_64
 # - aws/fedora-34-aarch64
 - RUNNER:
- - aws/rhel-8.5-ga-x86_64
+ - aws/rhel-8.6-ga-x86_64
 # - aws/rhel-8.4-ga-aarch64
 INTERNAL_NETWORK: ["true"]
diff --git a/schutzbot/deploy.sh b/schutzbot/deploy.sh
index 4beb040..88b7b25 100755
--- a/schutzbot/deploy.sh
+++ b/schutzbot/deploy.sh
@@ -20,8 +20,8 @@ function retry {
 # Variables for where to find osbuild-composer RPMs to test against
 DNF_REPO_BASEURL=http://osbuild-composer-repos.s3-website.us-east-2.amazonaws.com
-OSBUILD_COMMIT=bb30ffa0629e16ecff103aaaeb7e931f3f8ff79e # release 46
-OSBUILD_COMPOSER_COMMIT=346486cd3f06856efee5e982553e28fb387558e6 # commit that contains repo package sets
+OSBUILD_COMMIT=376cbffd136bc4ba86fc7c63697fa5b88fe3acef # release 62
+OSBUILD_COMPOSER_COMMIT=2d13050ba84a2bb30d9dd980639ee78354fe90f3 # release 59-dev (includes mock openid server fix)
 # Get OS details.
 source /etc/os-release
@@ -93,6 +93,3 @@ fi
 # Installing koji-osbuild-tests package
 retry sudo dnf -y install koji-osbuild-tests
-
-# Start services.
-sudo systemctl enable --now osbuild-composer-api.socket
diff --git a/schutzbot/terraform b/schutzbot/terraform
index 04c2b61..ed0d14f 100644
--- a/schutzbot/terraform
+++ b/schutzbot/terraform
@@ -1 +1 @@
-fdfd0f7f4cf26907e15d35757f8f61f318db626c
+2227384b389f78fcd024a721cbf18371b8ec4a03
diff --git a/test/copy-creds.sh b/test/copy-creds.sh
index c6fe85b..592d431 100755
--- a/test/copy-creds.sh
+++ b/test/copy-creds.sh
@@ -31,6 +31,8 @@ mkdir -p /etc/osbuild-worker
 cp ${TEST_DATA}/osbuild-worker.toml \
 /etc/osbuild-worker/
+echo "koji" > /etc/osbuild-worker/oauth-secret
+
 echo "Copying system kerberos configuration"
 cp ${TEST_DATA}/krb5.local.conf \
 /etc/krb5.conf.d/local
diff --git a/test/data/osbuild-composer.toml b/test/data/osbuild-composer.toml
index c2acf9d..3293991 100644
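Review bot: The added `echo "koji" > /etc/osbuild-worker/oauth-secret` in test/copy-creds.sh writes the OAuth client secret with whatever mode the current umask gives, which is normally world-readable, and it appends a trailing newline. The value is a fixed test credential, but the file should still be restricted right after it is written, for example `chmod 0600 /etc/osbuild-worker/oauth-secret`, with ownership adjusted if the worker does not run as root (the hunk does not show which account reads it). Writing it with `printf '%s' "koji" > /etc/osbuild-worker/oauth-secret` avoids depending on whether the worker trims the newline when it reads the path given as `client_secret` in test/data/osbuild-worker.toml. A one-line comment saying that `koji` is the mock OpenID server's CI-only credential would keep it from being copied elsewhere.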
--- a/test/data/osbuild-composer.toml
+++ b/test/data/osbuild-composer.toml
@@ -3,14 +3,20 @@ ca = "/etc/osbuild-composer/ca-crt.pem"
 enable_tls = true
 enable_mtls = false
 enable_jwt = true
-jwt_keys_url = "https://localhost:8081/certs"
+jwt_keys_urls = ["https://localhost:8081/certs"]
 jwt_ca_file = "/etc/osbuild-composer/ca-crt.pem"
 jwt_acl_file = ""
+jwt_tenant_provider_fields = ["rh-org-id"]
 [koji.servers.localhost.kerberos]
 principal = "osbuild-krb@LOCAL"
 keytab = "/etc/osbuild-composer/client.keytab"
 [worker]
-allowed_domains = ["localhost", "client.osbuild.local"]
-ca = "/etc/osbuild-composer/ca-crt.pem"
+enable_artifacts = false
+enable_tls = true
+enable_mtls = false
+enable_jwt = true
+jwt_keys_urls = ["https://localhost:8081/certs"]
+jwt_ca_file = "/etc/osbuild-composer/ca-crt.pem"
+jwt_tenant_provider_fields = ["rh-org-id"]
diff --git a/test/data/osbuild-worker.toml b/test/data/osbuild-worker.toml
index cd5224c..5fd3c2b 100644
--- a/test/data/osbuild-worker.toml
+++ b/test/data/osbuild-worker.toml
@@ -1,3 +1,8 @@
+[authentication]
+oauth_url = "https://localhost:8081/token"
+client_id = "koji"
+client_secret = "/etc/osbuild-worker/oauth-secret"
+
 [koji.localhost.kerberos]
 principal = "osbuild-krb@LOCAL"
 keytab = "/etc/osbuild-worker/client.keytab"
diff --git a/test/integration.sh b/test/integration.sh
index ec8f4e2..1a7b939 100755
--- a/test/integration.sh
+++ b/test/integration.sh
@@ -26,12 +26,6 @@ sudo dnf -y \
 greenprint "Creating composer SSL certificates"
 sudo /usr/libexec/koji-osbuild-tests/make-certs.sh /usr/share/koji-osbuild-tests
-greenprint "Starting osbuild-composer's socket"
-sudo systemctl enable --now osbuild-composer-api.socket
-
-greenprint "Starting mock OpenID server"
-sudo /usr/libexec/koji-osbuild-tests/run-openid.sh start
-
 greenprint "Building containers"
 sudo /usr/libexec/koji-osbuild-tests/build-container.sh /usr/share/koji-osbuild-tests
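Review bot: The new `[worker]` block in test/data/osbuild-composer.toml carries no comment saying that this trust setup is for CI only. It sets `enable_mtls = false` and trusts the same `jwt_keys_urls` issuer and `jwt_tenant_provider_fields` as the block above it, where `jwt_acl_file = ""` stays empty, and the worker block has no ACL key at all. As far as this file shows, any token signed by the mock server at `https://localhost:8081` and carrying an `rh-org-id` claim would be accepted on both APIs. A comment above each block would make the intent explicit, for example `# Test-only: tokens come from the mock OpenID server; no ACL, mTLS off. Do not copy to production.`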
@@ -41,12 +35,27 @@ sudo /usr/libexec/koji-osbuild-tests/run-koji-container.sh start
 greenprint "Print logs"
 sudo podman logs org.osbuild.koji.koji
-greenprint "Copying credentials and certificates"
-sudo /usr/libexec/koji-osbuild-tests/copy-creds.sh /usr/share/koji-osbuild-tests
-
 greenprint "Testing Koji hub API access"
 koji --server=http://localhost:8080/kojihub --user=osbuild --password=osbuildpass --authtype=password hello
+greenprint "Copying credentials, certificates and configuration files"
+sudo /usr/libexec/koji-osbuild-tests/copy-creds.sh /usr/share/koji-osbuild-tests
+
+greenprint "Starting mock OpenID server"
+sudo /usr/libexec/koji-osbuild-tests/run-openid.sh start
+
+greenprint "Starting osbuild-composer's Cloud API socket and a remote worker"
+# Start services.
+sudo systemctl stop 'osbuild*'
+# make sure that the local worker is not running
+sudo systemctl mask osbuild-worker@1.service
+# enable remote worker API
+sudo systemctl start osbuild-remote-worker.socket
+# enable Cloud API
+sudo systemctl start osbuild-composer-api.socket
+# start a remote worker
+sudo systemctl start osbuild-remote-worker@localhost:8700.service
+
 greenprint "Starting koji builder"
 sudo /usr/libexec/koji-osbuild-tests/run-builder.sh start /usr/share/koji-osbuild-tests
diff --git a/test/run-builder.sh b/test/run-builder.sh
index e8c35bd..d38b825 100755
--- a/test/run-builder.sh
+++ b/test/run-builder.sh
@@ -23,11 +23,7 @@ fi
 builder_start() {
 source /etc/os-release
- if [[ $ID == rhel ]]; then
- GATEWAY_IP=$(${CONTAINER_RUNTIME} network inspect org.osbuild.koji | jq -r ".[0].subnets[0].gateway")
- else
- GATEWAY_IP=$(${CONTAINER_RUNTIME} network inspect org.osbuild.koji | jq -r ".[0].plugins[0].ipam.ranges[0][0].gateway")
- fi
+ GATEWAY_IP=$(${CONTAINER_RUNTIME} network inspect org.osbuild.koji | jq -r ".[0].subnets[0].gateway")
 echo "Gateway IP is $GATEWAY_IP"
 # maybe copy the 'builder' plugin to the share dir
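Review bot: Nothing after the last `systemctl start` in test/integration.sh checks that `osbuild-remote-worker@localhost:8700.service` stayed up, so a worker that fails its new OAuth token request would most likely surface only as a later build timeout. A check such as `sudo systemctl is-active --quiet osbuild-remote-worker@localhost:8700.service || exit 1` before "Starting koji builder" would fail fast, ideally after printing the unit's journal. The `# Start services.` comment also sits directly above `systemctl stop 'osbuild*'`; `# Stop anything already running so only the units below are active` would describe that line. Whether the script runs under `set -e` is not visible in this hunk.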
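Review bot: With the distribution branch removed in test/run-builder.sh, `GATEWAY_IP` depends on a single JSON path, and `jq -r` prints the literal string `null` when `.[0].subnets[0].gateway` is absent, so the function would carry on with `GATEWAY_IP=null`. A guard right after the assignment would catch that: `[[ -n "$GATEWAY_IP" && "$GATEWAY_IP" != null ]] || { echo "cannot determine gateway IP" >&2; exit 1; }`. `source /etc/os-release` also looks unused now that `$ID` is no longer tested, though `builder_start` continues past the end of the hunk and may still read it.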
diff --git a/test/run-openid.sh b/test/run-openid.sh
index 3a63c39..a22079a 100755
--- a/test/run-openid.sh
+++ b/test/run-openid.sh
@@ -15,7 +15,7 @@ server_start() {
 -a ":${SERVER_PORT}" \
 -expires 10 &
- until curl --output /dev/null --silent --fail "https://localhost:${SERVER_PORT}/token"; do
+ until curl --data "grant_type=refresh_token" --output /dev/null --silent --fail "https://localhost:${SERVER_PORT}/token"; do
 sleep 0.5
 done
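Review bot: The readiness loop in `server_start` (test/run-openid.sh) has no upper bound, so if the mock OpenID server never answers the `grant_type=refresh_token` probe, for example because the server or its certificate is misconfigured, the job spins until the CI timeout while `--silent` hides the reason. A bounded wait that gives up with a message on stderr would fail fast and leave a diagnosable log; the loop below shows one way to do it. The function starts before the hunk and continues after it.

```shell
  # … unchanged: mock server started in the background …
  attempts=0
  until curl --data "grant_type=refresh_token" --output /dev/null --silent --fail "https://localhost:${SERVER_PORT}/token"; do
    attempts=$((attempts + 1))
    if [ "$attempts" -ge 60 ]; then
      echo "mock OpenID server not ready after 30s" >&2
      return 1
    fi
    sleep 0.5
  done
```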