Drop the package sets, I'm not sure they exist anymore in that form, it
breaks depsolving.
Also pirnt the journal logs during the test to make it easier to debug
failures.
Previously it the `repo` schema didn't mark the `baseurl` property as
required, although Cloud API "technically" requires it and the builder
code also made assumptions about it being always provided.
Note on Cloud API:
Cloud API requires that at least one of `baseurl`, `metalink` or
`mirrorlist` is specified for a repo. Since the plugin schema specifies
only `baseurl` as a property, it is as a result mandatory in order for
the Cloud API request to be valid and succeed.
Mark `baseurl` property as required in the `repo` schema and add unit
test for it.
Signed-off-by: Tomáš Hozza <thozza@redhat.com>
Reformat the code to be easier to read.
An empty dict was sometimes passed to `osbuildImage()` as the `priority`
argument, because `opts` were already part of `args`. Fix it.
Restructure `test_input_validation()` test to allow multiple test cases.
Signed-off-by: Tomáš Hozza <thozza@redhat.com>
CGImport seems to be slow in certain cases. Let's increase the timeout,
otherwise CGImport for the 10 GiB RAW AMI might exceed it.
Fun fact: Fedora's Koji has the timeout configured to 10800 seconds. 🤯
The support for specifying multiple `image_types` for a single compose
has been removed by [1]. This turned out to be problematic, because e.g.
Pungi uses the array type when triggering image builds via osbuild.
Bring back the support for specifying the `image_type` as an array, but
restrict it to a single item. This will cover the Pungi use-case, since
it is always passing a single `image_type` in the array. The array is
then converted to a string in the Hub plugin and passed as such to the
Builder plugin.
Extend unit tests covering the introduced compatibility layer.
[1] c725265081
Extend the integration test with a new case, testing that direct upload
to the cloud works for Koji composes. Test this using a single cloud
provider, specifically AWS.
The test case submits a new osbuild-image build using Koji CLI,
determines the image information once the build finishes and then checks
that such image exists in AWS. The image is then deleted as part of the
test case tear-down.
The AWS credentials are now configured in the worker's configuration, if
the appropriate environment variables are set.
Update the SPEC file with a new test dependency and update the required
osbuild-composer version.
The upload options are expected to be provided as a JSON file. The same
options will be used for all image type and architecture combinations,
similarly as it is done for ostree options.
Extend unit tests to cover the newly added functionality.
While it is technically possible to build more than one image type
as part of a Koji compose in osbuild-composer, this option is not used
in reality and it also makes very little sense. If the user wants to
build more than one image type, they should submit multiple Koji builds.
Adjust affected unit tests.
Refactor the test case implementation to make it easier to reuse
existing code when adding a new testing scenario.
The common pieces were moved under a new `SutInfo` class, which provides
information and convenience methods related to the system on which the
test is running.
This change will make it easier to later add a new scenario testing
upload to the cloud.
Use latest osbuild and osbuild-composer releases. This is important to
be later able to test direct uploading to the cloud for Koji composes.
Also the mock openid server had to be enhanced to be usable for testing
`koji-osbuild`.
Modify used osbuild-worker configuration to use JWT for authentication
with composer. Update configurations of both, composer and worker to
handle multi-tenancy.
Do not start any services in `schutzbot/deploy.sh`, because at that
point, none of the configuration files are in place.
Ensure that the correct units are started and masked by
`test/integration.sh` to simulate the Service scenario more closely.
This means that the local worker is masked and only remote worker is
started.
Co-authored-by: Jakub Rusz <jrusz@redhat.com>
The status calls are sometimes failing on:
upstream connect error or disconnect/reset before headers. reset reason:
connection termination
Since all requests are going through the company proxy, I think that the
networking isn't working 100% reliably. This commit adds a retry mechanism
provided by the urllib3 library. It will retry on all networking issues and
also on some 5xx errors that makes sense to retry (like gateway failures).
A test is added that runs the compose waiting code against a mock server
that fails every second request. This is imho sufficient to mimick a flaky
networking.
RHEL is now shipping podman 4 that encodes the networks differently, let's
implement a small dirty hack to fix it on RHEL before
https://github.com/osbuild/koji-osbuild/pull/100 can land and fix it properly.
The release number in the RPMland canonically starts at 1, not at 0. I think
it technically doesn't cause any harm but let's stick to what all other packages
do.
The Cloud API supports passing in a variety of image customizations,
like e.g. extra packages or pre-defining users.
Add a new command line option to the client `--customizations` which
takes a path to a JSON file which contains the customziations; they
will be passed via the existing `opts` argument to the hub.
Add support for `customizations` to the `opts`/`options` arguments
to the hub plugin. No validation to the object is done. Instead we
rely in Composer for the validation of the content.
Add support for `customizations` the image `ComposeRequest` in the
builder plugin. All specified values are just passed through to
composer as-is.
Add tests for the respective plugins.
We need koji-osbuild-builder to be able to connect to composer via a proxy
because koji builders in our internal deployment cannot reach
api.openshift.com directly. This commit adds a new option `proxy` to the
builder plugin config that controls whether a proxy is used to route all
requests to composer.
configparser treats quotes literally:
client_id = "koji"
translates to the following python string:
'"koji"'
This doesn't matter in the test because the oauth mock from osbuild-composer
actually ignores the credentials and return the token in every case.
But if you want to take this config as an example, you will probably put the
credentials automatically inside the quotes which will not work because a real
oauth server will refuse the client ID surrounded by quotes.
Note that .conf works different than .toml:
TOML requires to have strings in quotes. Yeah, consistency. 🤷
Use the `self.secret` and not `self.id` for the secret. Doh. Mea culpa.
Fix the corresponding test as well, which also checked for the wrong
thing.
Reported-By: Ondřej Budai <ondrej@budai.cz>
This adds support for specifing the package sets for repositories;
on the command line this can be done via `--repo-package-set` with
and argument of `;` separated package set names. This will result
in repo information being transported via dict instead of plain
strings. Thus the hub plugin's schema was modified accordingly.
Last but not least, the builder plugin now can decode these dicts
and setup the repos accordingly.
Test were added for plugins as well as the integration test changed
to use this new feature.
The first upstream commit that supports this feature is pinned.
When we are on an RHEL 8.x host we need to supply `rhel-8x` as
target distro. The previous code just used the major version so
we always built `rhel-8`, i.e. RHEL 8.3.
OStree compose requests need special options, like the `ref` the
`parent` and the `url`. Add support for those options to all three
plugins:
The command line plugin now takes `--ostree-{parent,ref,url}`
and passes it to koji via the existing options dictionary.
The JSON schemata in the hub plugin was adjusted to allow these
new options.
Finally the builder plugin will look for the new `ostree` dict
inside the options, create an `OSTreeOptions` object from it,
and attach it to each image request.
NB: since the ostree options are per image request and are thus
architecture dependent we support a "$arch" substition in the
`parent` and `ref` options that will be resolved by the plugin;
this allows to builds arch specific commits for with a single
compose request.
Add the respective unit tests.
Map the image types used by the koji API to the image types used
by the cloud api. This should allow for a smooth transition when
the plugin is upgraded, i.e. the pungi configuration can be used
unmodified. After all the plugins are upgraded the pungi config
should be changed to use the native image types and then this
mapping could be removed again.
Take the current list of valid image types currently supported by
the cloud api and validdate it during the compose request. Also
allow a test "image_type" image type which is used all over the
place in the testing code.
Composer now[1] has integrated the koji API into the "cloud API"
and thus we can use this more general purpose and powerful API
instead of using the specialized koji API endpoint.
Adapt the request and response structures as well as the unit
tests to use that.
[1] PR #2214, commit 11e2ae45284bfb0d89ef1c1e0d2aa4ae230ea573
Switch the authentication method that the koji builder plugin
uses from mTLS to SSO. Since we are using the mock openid
server from the `osbuild-composer-tests` package. Make this
package a dependency of `koji-osbuild-tests`.
Implement support for authentication via OAuth2 using the client
credentials "Client Credentials Grant" flow (4.4 of RFC 6749).
For this a new configuration section is added to the config file,
where the client_id, client_secret and token_url have to be
specified.
The impelmention does currently not support "refresh tokens", but
does support refreshing the token if an `expires_in` is present
in the token itself.
Corresponding unit tests have been added.
[1] https://datatracker.ietf.org/doc/html/rfc6749#section-4.4
Change the integration test so that it adapts to the host, i.e. it
will take the name, version and architecture for the tags and urls
for the repos from the host it is running on. This should make it
more future proof since we now have a central place where this is
configured: the ci configuration, i.e. `.gitlab-ci.yml`.
When the builder is used as an command line binary: have `repo`
be a proper command line argument. It was currently specified
before arch which can be passed multiple times, but so does
repo; hence one of them needs to be optional.
when building the containers the initial `dnf upgrade` will download
content from the latest nightly trees which turns the container into a
Beta system and subsequent `dnf isntall` gets confused!
Podman 2.2.0 doesn't create a gateway by default. See:
https://github.com/containers/podman/issues/8748
This commits introduces a workaround: specifying the gateway manually.
Note that the gateway is used in test/run-builder.sh
If called from within the source directory, i.e. the local plugin
exists, copy those to the share directory so they can be picked
up by the entry point scripts, in case the rpms are not found.
In case `TEST_PATH` was not specified as command line argument,
it was falling back to `test`. Make the latter an absolute path,
by pre-pending `PWD`, otherwise podman complains about the name
of the volume.
Instead of just using the "latest" container everywhere, which will
change every time a new release is made, add a build argument to
specify the version and then match that version to the host in all
the build scripts. This will make it possible to use the tests for
gating, and ensure that we test the plugins on the OS version that
is targeted.
Instead of building on the existing quay.io/osbuild/koji:v1, and
then replacing a lot of it (entry point), move the packages and
the dnf.conf change over from the former base and then directly
depend on Fedora. This gives us more control, especially over
what Fedora version is being used.
This is similar to how other osbuild packages are testing: everything
that's needed for testing is included in the tests package or a
dependency of it. The test runner then runs every executable in
/usr/libexec/tests/<packagename>. This gives a simple test API to
projects depending on this package (notably osbuild-composer).
The local development workflow described in HACKING.md is meant to
continue to work. To ensure this, all relevant scripts gained a
TEST_DATA variable, which defaults to `./test`, but is set from $1 to
the installed path from integration.sh.
