CI: Use Fedora 36, RHEL-8.6 and the latest osbuild and composer

Use latest osbuild and osbuild-composer releases. This is important to be later able to test direct uploading to the cloud for Koji composes. Also the mock openid server had to be enhanced to be usable for testing `koji-osbuild`. Modify used osbuild-worker configuration to use JWT for authentication with composer. Update configurations of both, composer and worker to handle multi-tenancy. Do not start any services in `schutzbot/deploy.sh`, because at that point, none of the configuration files are in place. Ensure that the correct units are started and masked by `test/integration.sh` to simulate the Service scenario more closely. This means that the local worker is masked and only remote worker is started. Co-authored-by: Jakub Rusz <jrusz@redhat.com>
2022-07-29 22:43:29 +02:00 · 2022-07-29 22:43:29 +02:00 · 85d7120d9f
commit 85d7120d9f
parent faa40f1060
9 changed files with 45 additions and 30 deletions
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@ -26,10 +26,10 @@ RPM:
  parallel:
    matrix:
      - RUNNER:
-          - aws/fedora-34-x86_64
-          - aws/fedora-34-aarch64
-          - aws/rhel-8.5-ga-x86_64
-          - aws/rhel-8.5-ga-aarch64
+          - aws/fedora-36-x86_64
+          - aws/fedora-36-aarch64
+          - aws/rhel-8.6-ga-x86_64
+          - aws/rhel-8.6-ga-aarch64

 Testing:
  stage: test
@ -45,10 +45,10 @@ Testing:
      - RUNNER:
          # https://quay.io/repository/osbuild/postgres available only for x86_64
          # - aws/fedora-33-aarch64
-          - aws/fedora-34-x86_64
+          - aws/fedora-36-x86_64
          # - aws/fedora-34-aarch64
      - RUNNER:
-          - aws/rhel-8.5-ga-x86_64
+          - aws/rhel-8.6-ga-x86_64
          # - aws/rhel-8.4-ga-aarch64
        INTERNAL_NETWORK: ["true"]

--- a/schutzbot/deploy.sh
+++ b/schutzbot/deploy.sh
@ -20,8 +20,8 @@ function retry {

 # Variables for where to find osbuild-composer RPMs to test against
 DNF_REPO_BASEURL=http://osbuild-composer-repos.s3-website.us-east-2.amazonaws.com
-OSBUILD_COMMIT=bb30ffa0629e16ecff103aaaeb7e931f3f8ff79e             # release 46
-OSBUILD_COMPOSER_COMMIT=346486cd3f06856efee5e982553e28fb387558e6    # commit that contains repo package sets
+OSBUILD_COMMIT=376cbffd136bc4ba86fc7c63697fa5b88fe3acef             # release 62
+OSBUILD_COMPOSER_COMMIT=2d13050ba84a2bb30d9dd980639ee78354fe90f3    # release 59-dev (includes mock openid server fix)

 # Get OS details.
 source /etc/os-release
@ -93,6 +93,3 @@ fi

 # Installing koji-osbuild-tests package
 retry sudo dnf -y install koji-osbuild-tests
-
-# Start services.
-sudo systemctl enable --now osbuild-composer-api.socket
--- a/schutzbot/terraform
+++ b/schutzbot/terraform
@ -1 +1 @@
-fdfd0f7f4cf26907e15d35757f8f61f318db626c
+2227384b389f78fcd024a721cbf18371b8ec4a03
--- a/test/copy-creds.sh
+++ b/test/copy-creds.sh
@ -31,6 +31,8 @@ mkdir -p /etc/osbuild-worker
 cp ${TEST_DATA}/osbuild-worker.toml \
   /etc/osbuild-worker/

+echo "koji" > /etc/osbuild-worker/oauth-secret
+
 echo "Copying system kerberos configuration"
 cp ${TEST_DATA}/krb5.local.conf \
   /etc/krb5.conf.d/local
--- a/test/data/osbuild-composer.toml
+++ b/test/data/osbuild-composer.toml
@ -3,14 +3,20 @@ ca = "/etc/osbuild-composer/ca-crt.pem"
 enable_tls = true
 enable_mtls = false
 enable_jwt = true
-jwt_keys_url = "https://localhost:8081/certs"
+jwt_keys_urls = ["https://localhost:8081/certs"]
 jwt_ca_file = "/etc/osbuild-composer/ca-crt.pem"
 jwt_acl_file = ""
+jwt_tenant_provider_fields = ["rh-org-id"]

 [koji.servers.localhost.kerberos]
 principal = "osbuild-krb@LOCAL"
 keytab = "/etc/osbuild-composer/client.keytab"

 [worker]
-allowed_domains = ["localhost", "client.osbuild.local"]
-ca = "/etc/osbuild-composer/ca-crt.pem"
+enable_artifacts = false
+enable_tls = true
+enable_mtls = false
+enable_jwt = true
+jwt_keys_urls = ["https://localhost:8081/certs"]
+jwt_ca_file = "/etc/osbuild-composer/ca-crt.pem"
+jwt_tenant_provider_fields = ["rh-org-id"]
--- a/test/data/osbuild-worker.toml
+++ b/test/data/osbuild-worker.toml
@ -1,3 +1,8 @@
+[authentication]
+oauth_url = "https://localhost:8081/token"
+client_id = "koji"
+client_secret = "/etc/osbuild-worker/oauth-secret"
+
 [koji.localhost.kerberos]
 principal = "osbuild-krb@LOCAL"
 keytab = "/etc/osbuild-worker/client.keytab"
--- a/test/integration.sh
+++ b/test/integration.sh
@ -26,12 +26,6 @@ sudo dnf -y \
 greenprint "Creating composer SSL certificates"
 sudo /usr/libexec/koji-osbuild-tests/make-certs.sh /usr/share/koji-osbuild-tests

-greenprint "Starting osbuild-composer's socket"
-sudo systemctl enable --now osbuild-composer-api.socket
-
-greenprint "Starting mock OpenID server"
-sudo /usr/libexec/koji-osbuild-tests/run-openid.sh start
-
 greenprint "Building containers"
 sudo /usr/libexec/koji-osbuild-tests/build-container.sh /usr/share/koji-osbuild-tests

@ -41,12 +35,27 @@ sudo /usr/libexec/koji-osbuild-tests/run-koji-container.sh start
 greenprint "Print logs"
 sudo podman logs org.osbuild.koji.koji

-greenprint "Copying credentials and certificates"
-sudo /usr/libexec/koji-osbuild-tests/copy-creds.sh /usr/share/koji-osbuild-tests
-
 greenprint "Testing Koji hub API access"
 koji --server=http://localhost:8080/kojihub --user=osbuild --password=osbuildpass --authtype=password hello

+greenprint "Copying credentials, certificates and configuration files"
+sudo /usr/libexec/koji-osbuild-tests/copy-creds.sh /usr/share/koji-osbuild-tests
+
+greenprint "Starting mock OpenID server"
+sudo /usr/libexec/koji-osbuild-tests/run-openid.sh start
+
+greenprint "Starting osbuild-composer's Cloud API socket and a remote worker"
+# Start services.
+sudo systemctl stop 'osbuild*'
+# make sure that the local worker is not running
+sudo systemctl mask osbuild-worker@1.service
+# enable remote worker API
+sudo systemctl start osbuild-remote-worker.socket
+# enable Cloud API
+sudo systemctl start osbuild-composer-api.socket
+# start a remote worker
+sudo systemctl start osbuild-remote-worker@localhost:8700.service
+
 greenprint "Starting koji builder"
 sudo /usr/libexec/koji-osbuild-tests/run-builder.sh start /usr/share/koji-osbuild-tests

--- a/test/run-builder.sh
+++ b/test/run-builder.sh
@ -23,11 +23,7 @@ fi

 builder_start() {
  source /etc/os-release
-  if [[ $ID == rhel ]]; then
-    GATEWAY_IP=$(${CONTAINER_RUNTIME} network inspect org.osbuild.koji | jq -r ".[0].subnets[0].gateway")
-  else
-    GATEWAY_IP=$(${CONTAINER_RUNTIME} network inspect org.osbuild.koji | jq -r ".[0].plugins[0].ipam.ranges[0][0].gateway")
-  fi
+  GATEWAY_IP=$(${CONTAINER_RUNTIME} network inspect org.osbuild.koji | jq -r ".[0].subnets[0].gateway")
  echo "Gateway IP is $GATEWAY_IP"

  # maybe copy the 'builder' plugin to the share dir
--- a/test/run-openid.sh
+++ b/test/run-openid.sh
@ -15,7 +15,7 @@ server_start() {
  -a ":${SERVER_PORT}" \
  -expires 10 &

-  until curl --output /dev/null --silent --fail "https://localhost:${SERVER_PORT}/token"; do
+  until curl --data "grant_type=refresh_token" --output /dev/null --silent --fail "https://localhost:${SERVER_PORT}/token"; do
    sleep 0.5
  done