CI: Use Fedora 36, RHEL-8.6 and the latest osbuild and composer

Use latest osbuild and osbuild-composer releases. This is important to
be later able to test direct uploading to the cloud for Koji composes.
Also the mock openid server had to be enhanced to be usable for testing
`koji-osbuild`.

Modify the osbuild-worker configuration in use so that it authenticates
with composer using JWT. Update the configurations of both composer and
worker to handle multi-tenancy.

Do not start any services in `schutzbot/deploy.sh`, because at that
point, none of the configuration files are in place.

Ensure that the correct units are started and masked by
`test/integration.sh` to simulate the Service scenario more closely.
This means that the local worker is masked and only remote worker is
started.

Co-authored-by: Jakub Rusz <jrusz@redhat.com>
Tomas Hozza 2022-07-29 22:43:29 +02:00 committed by Jakub Rusz
parent faa40f1060
commit 85d7120d9f
9 changed files with 45 additions and 30 deletions


@ -26,10 +26,10 @@ RPM:
parallel: parallel:
matrix: matrix:
- RUNNER: - RUNNER:
- aws/fedora-34-x86_64 - aws/fedora-36-x86_64
- aws/fedora-34-aarch64 - aws/fedora-36-aarch64
- aws/rhel-8.5-ga-x86_64 - aws/rhel-8.6-ga-x86_64
- aws/rhel-8.5-ga-aarch64 - aws/rhel-8.6-ga-aarch64
Testing: Testing:
stage: test stage: test
@ -45,10 +45,10 @@ Testing:
- RUNNER: - RUNNER:
# https://quay.io/repository/osbuild/postgres available only for x86_64 # https://quay.io/repository/osbuild/postgres available only for x86_64
# - aws/fedora-33-aarch64 # - aws/fedora-33-aarch64
- aws/fedora-34-x86_64 - aws/fedora-36-x86_64
# - aws/fedora-34-aarch64 # - aws/fedora-34-aarch64
- RUNNER: - RUNNER:
- aws/rhel-8.5-ga-x86_64 - aws/rhel-8.6-ga-x86_64
# - aws/rhel-8.4-ga-aarch64 # - aws/rhel-8.4-ga-aarch64
INTERNAL_NETWORK: ["true"] INTERNAL_NETWORK: ["true"]


@ -20,8 +20,8 @@ function retry {
# Variables for where to find osbuild-composer RPMs to test against # Variables for where to find osbuild-composer RPMs to test against
DNF_REPO_BASEURL=http://osbuild-composer-repos.s3-website.us-east-2.amazonaws.com DNF_REPO_BASEURL=http://osbuild-composer-repos.s3-website.us-east-2.amazonaws.com
OSBUILD_COMMIT=bb30ffa0629e16ecff103aaaeb7e931f3f8ff79e # release 46 OSBUILD_COMMIT=376cbffd136bc4ba86fc7c63697fa5b88fe3acef # release 62
OSBUILD_COMPOSER_COMMIT=346486cd3f06856efee5e982553e28fb387558e6 # commit that contains repo package sets OSBUILD_COMPOSER_COMMIT=2d13050ba84a2bb30d9dd980639ee78354fe90f3 # release 59-dev (includes mock openid server fix)
# Get OS details. # Get OS details.
source /etc/os-release source /etc/os-release
@ -93,6 +93,3 @@ fi
# Installing koji-osbuild-tests package # Installing koji-osbuild-tests package
retry sudo dnf -y install koji-osbuild-tests retry sudo dnf -y install koji-osbuild-tests
# Start services.
sudo systemctl enable --now osbuild-composer-api.socket


@ -1 +1 @@
fdfd0f7f4cf26907e15d35757f8f61f318db626c 2227384b389f78fcd024a721cbf18371b8ec4a03


@ -31,6 +31,8 @@ mkdir -p /etc/osbuild-worker
cp ${TEST_DATA}/osbuild-worker.toml \ cp ${TEST_DATA}/osbuild-worker.toml \
/etc/osbuild-worker/ /etc/osbuild-worker/
echo "koji" > /etc/osbuild-worker/oauth-secret
echo "Copying system kerberos configuration" echo "Copying system kerberos configuration"
cp ${TEST_DATA}/krb5.local.conf \ cp ${TEST_DATA}/krb5.local.conf \
/etc/krb5.conf.d/local /etc/krb5.conf.d/local
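Review bot: The added `echo "koji" > /etc/osbuild-worker/oauth-secret` creates the OAuth client secret under whatever umask the script runs with, so the file will normally be world-readable. Even for a fixed test value it is worth writing it the way a real deployment would, for example `(umask 077; echo "koji" > /etc/osbuild-worker/oauth-secret)`. If the worker runs as a non-root user the file also needs that owner; the hunk does not show which user reads it.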


@ -3,14 +3,20 @@ ca = "/etc/osbuild-composer/ca-crt.pem"
enable_tls = true enable_tls = true
enable_mtls = false enable_mtls = false
enable_jwt = true enable_jwt = true
jwt_keys_url = "https://localhost:8081/certs" jwt_keys_urls = ["https://localhost:8081/certs"]
jwt_ca_file = "/etc/osbuild-composer/ca-crt.pem" jwt_ca_file = "/etc/osbuild-composer/ca-crt.pem"
jwt_acl_file = "" jwt_acl_file = ""
jwt_tenant_provider_fields = ["rh-org-id"]
[koji.servers.localhost.kerberos] [koji.servers.localhost.kerberos]
principal = "osbuild-krb@LOCAL" principal = "osbuild-krb@LOCAL"
keytab = "/etc/osbuild-composer/client.keytab" keytab = "/etc/osbuild-composer/client.keytab"
[worker] [worker]
allowed_domains = ["localhost", "client.osbuild.local"] enable_artifacts = false
ca = "/etc/osbuild-composer/ca-crt.pem" enable_tls = true
enable_mtls = false
enable_jwt = true
jwt_keys_urls = ["https://localhost:8081/certs"]
jwt_ca_file = "/etc/osbuild-composer/ca-crt.pem"
jwt_tenant_provider_fields = ["rh-org-id"]
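Review bot: The new `[worker]` block switches the worker API to JWT but sets no `jwt_acl_file`, and the block above it keeps `jwt_acl_file = ""`. As far as this file shows, any token signed by a key published at `https://localhost:8081/certs` is therefore accepted on both APIs, presumably as long as it carries the `rh-org-id` field. That is reasonable against the local mock OpenID server, but nothing in the file marks it as a test-only policy. A comment above the block, such as `# test fixture: tokens come from the local mock OpenID server, no ACL is applied`, would keep it from being copied into a real deployment unchanged. The header of the first section lies outside the hunk.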


@ -1,3 +1,8 @@
[authentication]
oauth_url = "https://localhost:8081/token"
client_id = "koji"
client_secret = "/etc/osbuild-worker/oauth-secret"
[koji.localhost.kerberos] [koji.localhost.kerberos]
principal = "osbuild-krb@LOCAL" principal = "osbuild-krb@LOCAL"
keytab = "/etc/osbuild-worker/client.keytab" keytab = "/etc/osbuild-worker/client.keytab"


@ -26,12 +26,6 @@ sudo dnf -y \
greenprint "Creating composer SSL certificates" greenprint "Creating composer SSL certificates"
sudo /usr/libexec/koji-osbuild-tests/make-certs.sh /usr/share/koji-osbuild-tests sudo /usr/libexec/koji-osbuild-tests/make-certs.sh /usr/share/koji-osbuild-tests
greenprint "Starting osbuild-composer's socket"
sudo systemctl enable --now osbuild-composer-api.socket
greenprint "Starting mock OpenID server"
sudo /usr/libexec/koji-osbuild-tests/run-openid.sh start
greenprint "Building containers" greenprint "Building containers"
sudo /usr/libexec/koji-osbuild-tests/build-container.sh /usr/share/koji-osbuild-tests sudo /usr/libexec/koji-osbuild-tests/build-container.sh /usr/share/koji-osbuild-tests
@ -41,12 +35,27 @@ sudo /usr/libexec/koji-osbuild-tests/run-koji-container.sh start
greenprint "Print logs" greenprint "Print logs"
sudo podman logs org.osbuild.koji.koji sudo podman logs org.osbuild.koji.koji
greenprint "Copying credentials and certificates"
sudo /usr/libexec/koji-osbuild-tests/copy-creds.sh /usr/share/koji-osbuild-tests
greenprint "Testing Koji hub API access" greenprint "Testing Koji hub API access"
koji --server=http://localhost:8080/kojihub --user=osbuild --password=osbuildpass --authtype=password hello koji --server=http://localhost:8080/kojihub --user=osbuild --password=osbuildpass --authtype=password hello
greenprint "Copying credentials, certificates and configuration files"
sudo /usr/libexec/koji-osbuild-tests/copy-creds.sh /usr/share/koji-osbuild-tests
greenprint "Starting mock OpenID server"
sudo /usr/libexec/koji-osbuild-tests/run-openid.sh start
greenprint "Starting osbuild-composer's Cloud API socket and a remote worker"
# Start services.
sudo systemctl stop 'osbuild*'
# make sure that the local worker is not running
sudo systemctl mask osbuild-worker@1.service
# enable remote worker API
sudo systemctl start osbuild-remote-worker.socket
# enable Cloud API
sudo systemctl start osbuild-composer-api.socket
# start a remote worker
sudo systemctl start osbuild-remote-worker@localhost:8700.service
greenprint "Starting koji builder" greenprint "Starting koji builder"
sudo /usr/libexec/koji-osbuild-tests/run-builder.sh start /usr/share/koji-osbuild-tests sudo /usr/libexec/koji-osbuild-tests/run-builder.sh start /usr/share/koji-osbuild-tests
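Review bot: In the block added under "Starting osbuild-composer's Cloud API socket and a remote worker", `sudo systemctl mask osbuild-worker@1.service` is persistent, while every command after it is a plain `start`. The comments `# enable remote worker API` and `# enable Cloud API` also say "enable" for commands that enable nothing. On a host that outlives the test run the local worker would stay masked afterwards. Consider `sudo systemctl mask --runtime osbuild-worker@1.service` and rewording the comments to `# start remote worker API socket` and `# start Cloud API socket`.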


@ -23,11 +23,7 @@ fi
builder_start() { builder_start() {
source /etc/os-release source /etc/os-release
if [[ $ID == rhel ]]; then
GATEWAY_IP=$(${CONTAINER_RUNTIME} network inspect org.osbuild.koji | jq -r ".[0].subnets[0].gateway") GATEWAY_IP=$(${CONTAINER_RUNTIME} network inspect org.osbuild.koji | jq -r ".[0].subnets[0].gateway")
else
GATEWAY_IP=$(${CONTAINER_RUNTIME} network inspect org.osbuild.koji | jq -r ".[0].plugins[0].ipam.ranges[0][0].gateway")
fi
echo "Gateway IP is $GATEWAY_IP" echo "Gateway IP is $GATEWAY_IP"
# maybe copy the 'builder' plugin to the share dir # maybe copy the 'builder' plugin to the share dir
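Review bot: With the distribution check gone, `GATEWAY_IP` is always read from `.[0].subnets[0].gateway`, and `jq -r` prints the string `null` when that path is absent. A runner whose `network inspect` output uses the other layout would therefore carry on with `GATEWAY_IP=null`, visible only in the `echo`. A guard right after the assignment would fail fast: `[[ -n "$GATEWAY_IP" && "$GATEWAY_IP" != "null" ]] || { echo "cannot determine gateway IP" >&2; exit 1; }`. How `GATEWAY_IP` is used afterwards is not visible, because `builder_start` continues past the end of the hunk.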


@ -15,7 +15,7 @@ server_start() {
-a ":${SERVER_PORT}" \ -a ":${SERVER_PORT}" \
-expires 10 & -expires 10 &
until curl --output /dev/null --silent --fail "https://localhost:${SERVER_PORT}/token"; do until curl --data "grant_type=refresh_token" --output /dev/null --silent --fail "https://localhost:${SERVER_PORT}/token"; do
sleep 0.5 sleep 0.5
done done
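Review bot: The readiness probe changed here is still an unbounded `until` loop, and it now depends on the mock server answering a POST with `grant_type=refresh_token` and no refresh token with a success status. If the server fails to start, or a later build rejects that request, `--fail` keeps the loop spinning until the CI job times out. Bounding it keeps the failure visible: set `tries=0` before the loop and add `tries=$((tries + 1)); [ "$tries" -lt 60 ] || { echo "mock OpenID server not ready" >&2; return 1; }` inside it. Adding `--show-error` next to `--silent` would also surface curl's reason when diagnosing a hang. `server_start` begins before the hunk.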