From 4e810d58000344a788477194fcf43b0d99b6b7f6 Mon Sep 17 00:00:00 2001 From: Enol Fernandez Date: Mon, 17 Jun 2024 11:08:49 +0100 Subject: [PATCH 01/46] Remove sites: 100IT and UPV-GRyCAP --- sites/100IT.yaml | 16 ---------------- sites/UPV-GRyCAP.yaml | 16 ---------------- 2 files changed, 32 deletions(-) delete mode 100644 sites/100IT.yaml delete mode 100644 sites/UPV-GRyCAP.yaml diff --git a/sites/100IT.yaml b/sites/100IT.yaml deleted file mode 100644 index 6c5804ec..00000000 --- a/sites/100IT.yaml +++ /dev/null @@ -1,16 +0,0 @@ ---- -gocdb: 100IT -endpoint: https://cloud-egi.100percentit.com:5000/v3/ -vos: -- name: dteam - auth: - project_id: 0785b78c70ce4e9f91bf851a4fd156b2 -- name: fedcloud.egi.eu - auth: - project_id: 7cfb9087632a4df5b738fbd0b795f2ad -- name: ops - auth: - project_id: 24426f375b494df5b47f1efebc272e5c -- name: vo.digitbrain.eu - auth: - project_id: 3d181dc16e654078a9cbbe1a9df6228f diff --git a/sites/UPV-GRyCAP.yaml b/sites/UPV-GRyCAP.yaml deleted file mode 100644 index f9688baf..00000000 --- a/sites/UPV-GRyCAP.yaml +++ /dev/null @@ -1,16 +0,0 @@ ---- -gocdb: UPV-GRyCAP -endpoint: https://menoscloud.i3m.upv.es:5000/v3 -vos: -- name: eosc-synergy.eu - auth: - project_id: 6f84e31391024330b16d29d6ccd26932 -- name: fedcloud.egi.eu - auth: - project_id: db929e9034f04d1698c1a0d58283366e -- name: ops - auth: - project_id: 292568ead7454709a17f19189d5a840a -- name: saps-vo.i3m.upv.es - auth: - project_id: e7608e969cfd4f49907cff17d1774898 From 2b793e82f6f67150b434bcd8ffd2614c5bbd356d Mon Sep 17 00:00:00 2001 From: Enol Fernandez Date: Mon, 17 Jun 2024 11:22:39 +0100 Subject: [PATCH 02/46] Remove gone VO --- vo-mappings.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/vo-mappings.yaml b/vo-mappings.yaml index 8f702d69..adc1e84f 100644 --- a/vo-mappings.yaml +++ b/vo-mappings.yaml 
@@ -6,7 +6,6 @@ vos: bioisi: "urn:mace:egi.eu:group:bioisi:role=vm_operator#aai.egi.eu" biomed: "urn:mace:egi.eu:group:biomed:role=vm_operator#aai.egi.eu" /biomed/vip: "urn:mace:egi.eu:group:biomed:role=vm_operator#aai.egi.eu" - cesga: "urn:mace:egi.eu:group:cesga:role=vm_operator#aai.egi.eu" cesga.es: "urn:mace:egi.eu:group:cesga.es:role=vm_operator#aai.egi.eu" cloud.egi.eu: "urn:mace:egi.eu:group:cloud.egi.eu:role=vm_operator#aai.egi.eu" cms: "urn:mace:egi.eu:group:cms:role=vm_operator#aai.egi.eu" From 1701020b1c033824d84725344aa7522bd8f1d76b Mon Sep 17 00:00:00 2001 
From: Enol Fernandez Date: Mon, 17 Jun 2024 11:45:53 +0100 Subject: [PATCH 03/46] Bring ansible role It was at https://github.com/EGI-Federation/ansible-role-fedcloud-ops and it's not meant be something of general use so makes little sense to keep it separated --- deploy/deploy.sh | 2 - deploy/playbook.yaml | 2 +- deploy/roles/catchall/defaults/main.yaml | 30 ++++++++++ .../catchall/molecule/default/converge.yml | 28 +++++++++ .../catchall/molecule/default/molecule.yml | 14 +++++ .../molecule/default/tests/test_default.py | 31 ++++++++++ .../catchall/molecule/default/verify.yml | 10 ++++ deploy/roles/catchall/requirements.txt | 4 ++ deploy/roles/catchall/tasks/cloud-info.yml | 26 ++++++++ deploy/roles/catchall/tasks/docker.yml | 59 +++++++++++++++++++ deploy/roles/catchall/tasks/main.yml | 49 +++++++++++++++ deploy/roles/catchall/tasks/vo-config.yml | 27 +++++++++ .../catchall/templates/cloud-info.env.j2 | 14 +++++ .../catchall/templates/site-info.yaml.j2 | 11 ++++ deploy/roles/catchall/vars/main.yml | 1 + 15 files changed, 305 insertions(+), 3 deletions(-) create mode 100644 deploy/roles/catchall/defaults/main.yaml create mode 100644 deploy/roles/catchall/molecule/default/converge.yml create mode 100644 deploy/roles/catchall/molecule/default/molecule.yml create mode 100644 deploy/roles/catchall/molecule/default/tests/test_default.py create mode 100644 deploy/roles/catchall/molecule/default/verify.yml create mode 100644 deploy/roles/catchall/requirements.txt create mode 100644 deploy/roles/catchall/tasks/cloud-info.yml create mode 100644 deploy/roles/catchall/tasks/docker.yml create mode 100644 deploy/roles/catchall/tasks/main.yml create mode 100644 deploy/roles/catchall/tasks/vo-config.yml create mode 100644 deploy/roles/catchall/templates/cloud-info.env.j2 create mode 100644 deploy/roles/catchall/templates/site-info.yaml.j2 create mode 100644 deploy/roles/catchall/vars/main.yml diff --git a/deploy/deploy.sh b/deploy/deploy.sh index 252235fb..9c4b3333 100755 
--- a/deploy/deploy.sh +++ b/deploy/deploy.sh @@ -9,8 +9,6 @@ COMMIT_SHA="$2" SHORT_SHA="$3" SLACK_WEBHOOK_URL="$4" -ansible-galaxy install git+https://github.com/EGI-Federation/ansible-role-fedcloud-ops.git - echo "cloud_info_image: \"ghcr.io/egi-federation/fedcloud-cloud-info:sha-$SHORT_SHA\"" >>extra-vars.yaml # Configure! diff --git a/deploy/playbook.yaml b/deploy/playbook.yaml index 7d9ab46f..61f35053 100644 --- a/deploy/playbook.yaml +++ b/deploy/playbook.yaml @@ -2,7 +2,7 @@ - hosts: all become: true roles: - - role: ansible-role-fedcloud-ops + - role: catchall tags: ["all", "docker"] vars: site_config_dir: ../sites/ diff --git a/deploy/roles/catchall/defaults/main.yaml b/deploy/roles/catchall/defaults/main.yaml new file mode 100644 index 00000000..a3b7d9fc --- /dev/null +++ b/deploy/roles/catchall/defaults/main.yaml @@ -0,0 +1,30 @@ +# VOs +vos: + sample_vo: + auth: + client_secret: foo + client_id: bar + refresh_token: baz + +# AMS details +ams_project: egi_cloud_info +ams_host: msg.argo.grnet.gr +ams_token: secret + +# check-in endpoint +checkin_token_endpoint: "https://aai.egi.eu/oidc/token" + +# docker image for the cloud info provider +cloud_info_image: egifedcloud/ops-cloud-info:latest + +# site configuration location +site_config_dir: sites + +# No site information as default +sites: [] + +cloud_info_cron: + minute: "4,34" + hour: "*" + weekday: "*" + timeout: "600" diff --git a/deploy/roles/catchall/molecule/default/converge.yml b/deploy/roles/catchall/molecule/default/converge.yml new file mode 100644 index 00000000..06768203 --- /dev/null +++ b/deploy/roles/catchall/molecule/default/converge.yml 
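Review bot: `checkin_token_endpoint` defaults to `https://aai.egi.eu/oidc/token`, while the deploy workflow later in this series obtains tokens from `https://aai.egi.eu/auth/realms/egi/protocol/openid-connect/token`; if the latter is the live endpoint, this role default is stale and should be aligned or marked with a comment as intentionally overridden by extra-vars. `ams_token: secret` and the `sample_vo` `client_id`/`client_secret`/`refresh_token` values are literal placeholders that a deployment which forgets to override them will use silently; leaving them undefined so the role fails early, or a comment `# test-only placeholder, must be overridden` above each, would make the failure mode explicit. `cloud_info_image` also defaults to the mutable `:latest` tag, whereas deploy.sh pins the image by commit SHA, so the default is worth a comment saying it is not what production runs.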
@@ -0,0 +1,28 @@ +--- +- name: Converge + hosts: all + tasks: + - name: "Include ansible-role-fedcloud-ops" + ansible.builtin.include_role: + name: "ansible-role-fedcloud-ops" + vars: + sites: + - endpoint: https://example.com:5000/v3/ + gocdb: foo.bar + vos: + - auth: + project_id: a123456 + name: sample_vo + - auth: + project_id: b987659 + name: vo.example.com + - endpoint: https://site.org:5000/v3/ + gocdb: bar.foo + region: region1 + vos: + - auth: + project_id: a123456 + name: sample_vo + - auth: + project_id: b987659 + name: vo.example.com diff --git a/deploy/roles/catchall/molecule/default/molecule.yml b/deploy/roles/catchall/molecule/default/molecule.yml new file mode 100644 index 00000000..164381a4 --- /dev/null +++ b/deploy/roles/catchall/molecule/default/molecule.yml @@ -0,0 +1,14 @@ +--- +dependency: + name: galaxy +driver: + name: docker +platforms: + - name: instance + image: pycontribs/ubuntu:latest + pre_build_image: true +lint: ansible-lint --exclude .github/ +provisioner: + name: ansible +verifier: + name: testinfra diff --git a/deploy/roles/catchall/molecule/default/tests/test_default.py b/deploy/roles/catchall/molecule/default/tests/test_default.py new file mode 100644 index 00000000..f70c1802 --- /dev/null +++ b/deploy/roles/catchall/molecule/default/tests/test_default.py 
@@ -0,0 +1,31 @@ +import hashlib +import os + +import testinfra.utils.ansible_runner + +testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner( + os.environ["MOLECULE_INVENTORY_FILE"] +).get_hosts("all") + + + +def test_site_files(host): + endpoint_hash = hashlib.md5(b"https://example.com:5000/v3/").hexdigest() + filename = "foo-bar-%s" % endpoint_hash + assert host.file("/etc/egi/cloud-info/").is_directory + assert host.file("/etc/egi/cloud-info/%s.yaml" % filename).exists + assert not host.file("/etc/egi/cloud-info/%s.env" % filename).contains("OS_REGION") + assert host.file("/etc/egi/cloud-info/%s.env" % filename).exists + assert host.file("/etc/cron.d/cloud-info-%s" % filename).exists + + +def test_site_files_region(host): + endpoint_hash = hashlib.md5(b"https://site.org:5000/v3/").hexdigest() + filename = "bar-foo-%s" % endpoint_hash + assert host.file("/etc/egi/cloud-info/").is_directory + assert host.file("/etc/egi/cloud-info/%s.yaml" % filename).exists + assert host.file("/etc/egi/cloud-info/%s.env" % filename).exists + assert host.file("/etc/egi/cloud-info/%s.env" % filename).contains( + "OS_REGION=region1" + ) + assert host.file("/etc/cron.d/cloud-info-%s" % filename).exists diff --git a/deploy/roles/catchall/molecule/default/verify.yml b/deploy/roles/catchall/molecule/default/verify.yml new file mode 100644 index 00000000..a5cfa75e --- /dev/null +++ b/deploy/roles/catchall/molecule/default/verify.yml @@ -0,0 +1,10 @@ +--- +# This is an example playbook to execute Ansible tests. + +- name: Verify + hosts: all + gather_facts: false + tasks: + - name: Example assertion + ansible.builtin.assert: + that: true diff --git a/deploy/roles/catchall/requirements.txt b/deploy/roles/catchall/requirements.txt new file mode 100644 index 00000000..c745c484 --- /dev/null +++ b/deploy/roles/catchall/requirements.txt @@ -0,0 +1,4 @@ +molecule +molecule-plugins[docker] +pytest-testinfra +ansible-lint 
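Review bot: test_site_files and test_site_files_region only assert that the rendered `.yaml`, `.env` and cron files exist; the `.env` file carries `AMS_TOKEN` and the role writes it with `mode: "600"`, and nothing here pins that, so a regression to a world-readable file would pass. Adding `assert host.file("/etc/egi/cloud-info/%s.env" % filename).mode == 0o600` (and the same for the `.yaml`) to both tests covers it. In the first test the negative `contains("OS_REGION")` check runs before the `.exists` assertion on the same file; swapping those two lines gives a clearer failure when the file is missing.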
diff --git a/deploy/roles/catchall/tasks/cloud-info.yml b/deploy/roles/catchall/tasks/cloud-info.yml new file mode 100644 index 00000000..a3019ca4 --- /dev/null +++ b/deploy/roles/catchall/tasks/cloud-info.yml @@ -0,0 +1,26 @@ +--- +- name: Cloud-info config directory + ansible.builtin.template: + src: site-info.yaml.j2 + dest: /etc/egi/cloud-info/{{ filename }}.yaml + mode: "600" + +- name: Cloud info env + ansible.builtin.template: + src: cloud-info.env.j2 + dest: /etc/egi/cloud-info/{{ filename }}.env + mode: "600" + +- name: Cloud info cron + ansible.builtin.cron: + name: cloud-info-provider {{ site.gocdb }} + weekday: "{{ cloud_info_cron.weekday }}" + minute: "{{ cloud_info_cron.minute }}" + hour: "{{ cloud_info_cron.hour }}" + user: root + job: > + flock -n -w {{ cloud_info_cron.timeout }} /var/lock/cloud-info/{{ filename }} + docker run --rm -v /etc/egi:/etc/egi:ro + --env-file /etc/egi/cloud-info/{{ filename }}.env + {{ cloud_info_image }} >> /var/log/cloud-info/{{ filename }}.log 2>&1 + cron_file: "cloud-info-{{ filename }}" diff --git a/deploy/roles/catchall/tasks/docker.yml b/deploy/roles/catchall/tasks/docker.yml new file mode 100644 index 00000000..15405be8 --- /dev/null +++ b/deploy/roles/catchall/tasks/docker.yml 
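Review bot: Both template tasks set `mode: "600"` but no `owner`/`group`, so the rendered files are root-owned, while main.yml creates `/etc/egi/cloud-info` with `owner: 1999`/`group: 1999`, presumably for a non-root container user; if the container opens `CLOUD_INFO_CONFIG` as uid 1999 it cannot read a root-owned 600 file, so either add `owner: 1999` to the templates or document why root ownership is intended. The cron job combines `flock -n` with `-w {{ cloud_info_cron.timeout }}`; as far as util-linux flock is concerned the non-blocking flag makes the wait timeout irrelevant, so one of the two should go and the intended behaviour (skip the run or wait up to the timeout) stated in a comment. Passing the token-bearing `.env` via `--env-file` rather than `-e` on the command line is the right choice and deserves a one-line comment so nobody "simplifies" it later.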
@@ -0,0 +1,59 @@ +--- +- name: Install dependencies + ansible.builtin.apt: + name: + - apt-transport-https + - ca-certificates + - curl + - gnupg-agent + - software-properties-common + state: present + update_cache: true + +- name: Docker repo key + ansible.builtin.apt_key: + id: 9DC858229FC7DD38854AE2D88D81803C0EBFCD88 + url: https://download.docker.com/linux/ubuntu/gpg + state: present + +- name: Add docker repo + ansible.builtin.apt_repository: + repo: "deb [arch=amd64] https://download.docker.com/linux/ubuntu {{ ansible_distribution_release }} stable" + state: present + +- name: Install docker + ansible.builtin.apt: + name: + - docker-ce + - docker-ce-cli + - containerd.io + state: present + update_cache: true + +- name: Ensure docker config dir is present + ansible.builtin.file: + path: /etc/docker + state: directory + mode: "775" + +- name: Configure docker + ansible.builtin.copy: + # this is very CESNET-MCC specific, may be better to move as configurable + content: | + { + "mtu": 1442, + "exec-opts": ["native.cgroupdriver=systemd"], + "log-driver": "json-file", + "log-opts": { + "max-size": "100m" + }, + "storage-driver": "overlay2" + } + dest: /etc/docker/daemon.json + mode: "660" + +- name: Restart docker + ansible.builtin.systemd: + name: docker + state: restarted + daemon_reload: true diff --git a/deploy/roles/catchall/tasks/main.yml b/deploy/roles/catchall/tasks/main.yml new file mode 100644 index 00000000..176fa430 --- /dev/null +++ b/deploy/roles/catchall/tasks/main.yml 
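Review bot: The `Restart docker` task runs unconditionally on every play, so each deployment bounces the daemon and every container it runs even when neither the packages nor daemon.json changed; the usual shape is `notify: Restart docker` on the `Install docker` and `Configure docker` tasks with the restart moved to a handler. `apt-key`, which `ansible.builtin.apt_key` wraps, is deprecated on current Debian/Ubuntu; placing the key under `/etc/apt/keyrings` and referencing it with `signed-by=` in the `apt_repository` line also stops the key from being trusted for every repository on the host. `/etc/docker` at `"775"` and daemon.json at `"660"` are group-writable with no owner/group set; nothing here needs group write, so `"755"`/`"644"` match the files' purpose.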
@@ -0,0 +1,49 @@ +--- +- name: Ensure cron is available + ansible.builtin.apt: + name: cron + state: present + update_cache: true + +- name: Install docker + ansible.builtin.include_tasks: docker.yml + # this is only executed if explicity requested + tags: ['never', 'docker'] + +- name: Load site configuration + ansible.builtin.include_vars: + file: "{{ item }}" + name: "{{ 'site_incl_vars_' ~ item | basename | splitext | first }}" + with_fileglob: + - "{{ site_config_dir }}/*.yaml" + +- name: Set site configuration variable + ansible.builtin.set_fact: + sites: "{{ sites | default([]) + [lookup('vars', item)] }}" + loop: "{{ query('varnames', '^site_incl_vars_(.*)$') }}" + +- name: EGI configuration + block: + - name: Create directories + ansible.builtin.file: + path: "{{ item }}" + state: directory + mode: "755" + owner: 1999 + group: 1999 + loop: + - /etc/egi + - /etc/egi/vos + - /etc/egi/cloud-info + - /var/lock/cloud-info + - /var/log/cloud-info + state: directory + mode: "755" + - name: Site specific config + ansible.builtin.include_tasks: cloud-info.yml + vars: + site: "{{ item }}" + filename: "{{ item.gocdb | replace('.', '-') }}-{{ item.endpoint | hash('md5') }}" + with_items: + - "{{ sites }}" + when: sites is iterable diff --git a/deploy/roles/catchall/tasks/vo-config.yml b/deploy/roles/catchall/tasks/vo-config.yml new file mode 100644 index 00000000..3fa93cdf --- /dev/null +++ b/deploy/roles/catchall/tasks/vo-config.yml 
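Review bot: `owner: 1999`/`group: 1999` in `Create directories` is a magic number with no comment, and it matters because cloud-info.yml writes root-owned 600 files into these directories; a reader cannot tell which process is expected to run as that uid. A comment above the task such as `# 1999: uid/gid the cloud-info container runs as — keep in sync with the image` (adjusted to whatever is actually the case) would fix that. The stray `state: directory` / `mode: "755"` keys under `loop:` are removed by a later patch in this series.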
@@ -0,0 +1,27 @@ +--- +- name: VO directory + ansible.builtin.file: + path: "/etc/egi/vos/{{ item.key }}" + state: directory + mode: "700" + +- name: "VO auth: client id" + ansible.builtin.copy: + content: "{{ item.value.auth.client_id }}" + dest: "/etc/egi/vos/{{ item.key }}/client_id" + mode: "600" + when: item.value.auth is defined + +- name: "VO auth: client secret" + ansible.builtin.copy: + content: "{{ item.value.auth.client_secret }}" + dest: "/etc/egi/vos/{{ item.key }}/client_secret" + mode: "600" + when: item.value.auth is defined + +- name: "VO auth: refresh token" + ansible.builtin.copy: + content: "{{ item.value.auth.refresh_token }}" + dest: "/etc/egi/vos/{{ item.key }}/refresh_token" + mode: "600" + when: item.value.auth is defined diff --git a/deploy/roles/catchall/templates/cloud-info.env.j2 b/deploy/roles/catchall/templates/cloud-info.env.j2 new file mode 100644 index 00000000..9c7c6e2a --- /dev/null +++ b/deploy/roles/catchall/templates/cloud-info.env.j2 @@ -0,0 +1,14 @@ +AMS_HOST={{ ams_host }} +AMS_PROJECT={{ ams_project }} +AMS_TOKEN={{ ams_token }} +CHECKIN_OIDC_TOKEN={{ checkin_token_endpoint }} +CHECKIN_SECRETS_PATH=/etc/egi/vos/ +CLOUD_INFO_CONFIG=/etc/egi/cloud-info/{{ filename }}.yaml +OS_AUTH_TYPE=v3oidcaccesstoken +OS_AUTH_URL={{ site.endpoint }} +OS_IDENTITY_PROVIDER=egi.eu +OS_PROTOCOL={{ site.protocol | default('openid') }} +{% if "region" in site %} +OS_REGION={{ site.region }} +{% endif %} +SITE_NAME={{ site.gocdb }} diff --git a/deploy/roles/catchall/templates/site-info.yaml.j2 b/deploy/roles/catchall/templates/site-info.yaml.j2 new file mode 100644 index 00000000..8f0f8ff6 --- /dev/null +++ b/deploy/roles/catchall/templates/site-info.yaml.j2 @@ -0,0 +1,11 @@ +site: + name: {{ site.gocdb }} + +compute: + shares: +{% for vo in site.vos %} +{% if vo.name in vos %} + {{ vo.name }}: + {{ vo | default({}) | to_nice_yaml(indent=2) | indent(6) }} +{% endif %} +{% endfor %} 
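Review bot: In site-info.yaml.j2, `name: {{ site.gocdb }}` and the `{{ vo.name }}:` share key are emitted as plain scalars, so a site or VO name that YAML types implicitly (one that looks like a number, boolean or date) would be retyped when the provider loads the file; `name: "{{ site.gocdb }}"` and `"{{ vo.name }}":` are safer. The `to_nice_yaml` line dumps the whole `vo` mapping, including `name` and `auth.project_id`, under the share; if only `auth` is meant to be published there, filter it here or add a comment saying the full mapping is intentional.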
diff --git a/deploy/roles/catchall/vars/main.yml b/deploy/roles/catchall/vars/main.yml new file mode 100644 index 00000000..44b09048 --- /dev/null +++ b/deploy/roles/catchall/vars/main.yml @@ -0,0 +1 @@ +# Role variables From e6c389f9d4c5da93b05c91ee444a0d69d98b2644 Mon Sep 17 00:00:00 2001 From: Enol Fernandez Date: Mon, 17 Jun 2024 11:47:26 +0100 Subject: [PATCH 04/46] Not used anymore --- deploy/roles/catchall/tasks/vo-config.yml | 27 ----------------------- 1 file changed, 27 deletions(-) delete mode 100644 deploy/roles/catchall/tasks/vo-config.yml diff --git a/deploy/roles/catchall/tasks/vo-config.yml b/deploy/roles/catchall/tasks/vo-config.yml deleted file mode 100644 index 3fa93cdf..00000000 --- a/deploy/roles/catchall/tasks/vo-config.yml +++ /dev/null @@ -1,27 +0,0 @@ ---- -- name: VO directory - ansible.builtin.file: - path: "/etc/egi/vos/{{ item.key }}" - state: directory - mode: "700" - -- name: "VO auth: client id" - ansible.builtin.copy: - content: "{{ item.value.auth.client_id }}" - dest: "/etc/egi/vos/{{ item.key }}/client_id" - mode: "600" - when: item.value.auth is defined - -- name: "VO auth: client secret" - ansible.builtin.copy: - content: "{{ item.value.auth.client_secret }}" - dest: "/etc/egi/vos/{{ item.key }}/client_secret" - mode: "600" - when: item.value.auth is defined - -- name: "VO auth: refresh token" - ansible.builtin.copy: - content: "{{ item.value.auth.refresh_token }}" - dest: "/etc/egi/vos/{{ item.key }}/refresh_token" - mode: "600" - when: item.value.auth is defined From 3f11fe2c67ca3c9d38c8615d8fdbf6edecccbd44 Mon Sep 17 00:00:00 2001 From: Enol Fernandez Date: Mon, 17 Jun 2024 15:19:35 +0100 Subject: [PATCH 05/46] Move towards better secret management --- .github/workflows/deploy.yml | 27 +++++++++++++++------------ deploy/cloud-init.yaml | 4 ++-- deploy/deploy.sh | 2 ++ 3 files changed, 19 insertions(+), 14 deletions(-) diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml index e6f6a9ec..91df8a23 100644 
--- a/.github/workflows/deploy.yml +++ b/.github/workflows/deploy.yml @@ -25,17 +25,16 @@ jobs: curl -L https://github.com/stedolan/jq/releases/download/jq-1.6/jq-linux64 > jq chmod +x jq pip install yq git+https://github.com/tdviet/fedcloudclient.git - curl -L https://github.com/oidc-mytoken/client/releases/download/v0.3.0/mytoken_0.3.0_Linux_x86_64.tar.gz \ - | tar -xzf - - mkdir ~/.mytoken - curl https://raw.githubusercontent.com/oidc-mytoken/client/master/config/example-config.yaml > ~/.mytoken/config.yaml - name: Configure providers access env: - MYTOKEN: ${{ secrets.MYTOKEN }} REFRESH_TOKEN: ${{ secrets.REFRESH_TOKEN }} + ANSIBLE_SECRETS: ${{ secrets.ANSIBLE_SECRETS }} run: | + # using parametric scopes to only have access to cloud.egi.eu VO + SCOPE="openid%20email%20profile%20voperson_id%20eduperson_entitlement" + SCOPE="$SCOPE:eduperson_entitlement:urn:mace:egi.eu:group:cloud.egi.eu:role=vm_operator#aai.egi.eu" OIDC_TOKEN=$(curl -X POST "https://aai.egi.eu/auth/realms/egi/protocol/openid-connect/token" \ - -d "grant_type=refresh_token&refresh_token=$REFRESH_TOKEN&client_id=token-portal&scope=openid%20email%20profile%20voperson_id%20eduperson_entitlement" \ + -d "grant_type=refresh_token&refresh_token=$REFRESH_TOKEN&client_id=token-portal&scope=$SCOPE" \ | jq -r ".access_token") echo "::add-mask::$OIDC_TOKEN" cd deploy @@ -54,6 +53,11 @@ jobs: sed -i -e "s/deploy_secret/$DEPLOY_OS_TOKEN/" clouds.yaml mkdir -p ~/.config/openstack touch ~/.config/openstack/secure.yaml + FEDCLOUD_LOCKER_TOKEN="$(fedcloud secret locker --oidc-access-token "$OIDC_TOKEN" \ + create --ttl 1h --num-uses 2)" + fedcloud secret put deploy "data=$ANSIBLE_SECRETS" + echo "::add-mask::$FEDCLOUD_LOCKER_TOKEN" + echo "FEDCLOUD_LOCKER_TOKEN=$FEDCLOUD_LOCKER_TOKEN" >> "$GITHUB_ENV" - name: Setup Terraform uses: hashicorp/setup-terraform@v3 with: 
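Review bot: In the second hunk `FEDCLOUD_LOCKER_TOKEN` is assigned as a plain shell variable and never exported before `fedcloud secret put deploy "data=$ANSIBLE_SECRETS"` runs, so unless fedcloud obtains the locker some other way the put cannot see the locker token in its environment and the secret would not land where the VM later reads it; `export FEDCLOUD_LOCKER_TOKEN` (or the CLI's explicit locker-token option) fixes that, and the `::add-mask::` line should move directly after the assignment so the value is masked before any further command can print it. Passing the whole `ANSIBLE_SECRETS` blob as a command-line argument also exposes it to anything on the runner that can read process arguments, and to shell tracing; if the CLI accepts the data from a file or stdin, that is preferable. `--ttl 1h --num-uses 2` deserves a comment (one use for this put, one for the VM's read is the apparent intent), because the VM-side script is installed under `per-boot` and would not be able to read the secret again after a reboot or a failed first attempt.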
@@ -71,16 +75,13 @@ jobs: - name: Adjust cloud-init file env: SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} - ANSIBLE_SECRETS: ${{ secrets.ANSIBLE_SECRETS }} run: | cd deploy sed -i -e "s/%TOKEN%/${{ secrets.GITHUB_TOKEN }}/" cloud-init.yaml sed -i -e "s/%REF%/${{ github.sha }}/" cloud-init.yaml sed -i -e "s/%SHORT_REF%/$(git rev-parse --short HEAD)/" cloud-init.yaml sed -i -e "s#%SLACK_WEBHOOK_URL%#$SLACK_WEBHOOK_URL#" cloud-init.yaml - ANSIBLE_ENCODED_SECRETS="$(echo "$ANSIBLE_SECRETS" | base64 -w 0)" - echo "::add-mask::$ANSIBLE_ENCODED_SECRETS" - sed -i -e "s/%ANSIBLE_SECRETS%/$ANSIBLE_ENCODED_SECRETS/" cloud-init.yaml + sed -i -e "s/%FEDCLOUD_LOCKER_TOKEN%/$FEDCLOUD_LOCKER_TOKEN/" cloud-init.yaml sed -i -e "s/%CLOUDS_YAML%/$(base64 -w 0 < clouds.yaml)/" cloud-init.yaml - name: terraform plan id: plan @@ -132,11 +133,13 @@ jobs: terraform output -raw instance-id - name: Re-configure providers access env: - MYTOKEN: ${{ secrets.MYTOKEN }} REFRESH_TOKEN: ${{ secrets.REFRESH_TOKEN }} run: | + # using parametric scopes to only have access to cloud.egi.eu VO + SCOPE="openid%20email%20profile%20voperson_id%20eduperson_entitlement" + SCOPE="$SCOPE:eduperson_entitlement:urn:mace:egi.eu:group:cloud.egi.eu:role=vm_operator#aai.egi.eu" OIDC_TOKEN=$(curl -X POST "https://aai.egi.eu/auth/realms/egi/protocol/openid-connect/token" \ - -d "grant_type=refresh_token&refresh_token=$REFRESH_TOKEN&client_id=token-portal&scope=openid%20email%20profile%20voperson_id%20eduperson_entitlement" \ + -d "grant_type=refresh_token&refresh_token=$REFRESH_TOKEN&client_id=token-portal&scope=$SCOPE" \ | jq -r ".access_token") echo "::add-mask::$OIDC_TOKEN" cd deploy diff --git a/deploy/cloud-init.yaml b/deploy/cloud-init.yaml index 06864b62..f51f8fb5 100644 --- a/deploy/cloud-init.yaml +++ b/deploy/cloud-init.yaml 
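Review bot: `sed -i -e "s/%FEDCLOUD_LOCKER_TOKEN%/$FEDCLOUD_LOCKER_TOKEN/" cloud-init.yaml` uses `/` as the delimiter, so a locker token that contains `/` (depending on how the token is encoded) would break the substitution or silently truncate the value; the `SLACK_WEBHOOK_URL` line just above already uses `#` for this reason, so `s#%FEDCLOUD_LOCKER_TOKEN%#$FEDCLOUD_LOCKER_TOKEN#` keeps the step consistent. The token is now interpolated into cloud-init user data, which is readable on the instance itself; that is an improvement over embedding the base64 secrets blob, but it only holds while the locker is genuinely limited in uses and TTL, which is worth stating in a comment next to this line.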
@@ -40,14 +40,14 @@ write_files: SLACK_WEBHOOK_URL="%SLACK_WEBHOOK_URL%" COMMIT_SHA="%REF%" SHORT_COMMIT_SHA="%SHORT_REF%" + FEDCLOUD_LOCKER_TOKEN="%FEDCLOUD_LOCKER_TOKEN%" # get the repo code and untar at cwd curl -L -H "Accept: application/vnd.github.v3+raw" \ "https://api.github.com/repos/EGI-Federation/fedcloud-catchall-operations/tarball/$COMMIT_SHA" | \ tar xz --strip=1 cd deploy - echo "%ANSIBLE_SECRETS%" | base64 -d > ./secrets.yaml - ./deploy.sh "$OAUTH_TOKEN" "$COMMIT_SHA" \ + ./deploy.sh "$OAUTH_TOKEN" "$COMMIT_SHA" "$FEDCLOUD_LOCKER_TOKEN" \ "$SHORT_COMMIT_SHA" "$SLACK_WEBHOOK_URL" path: /var/lib/cloud/scripts/per-boot/deploy.sh permissions: '0755' diff --git a/deploy/deploy.sh b/deploy/deploy.sh index 9c4b3333..a8fabfb2 100755 --- a/deploy/deploy.sh +++ b/deploy/deploy.sh @@ -25,6 +25,8 @@ else header="Failed deployment :boom:" fi + + # This is a temporary way to get the auto discovery working while we transition for all sites # copy the secrets to the /etc/egi/vos dir which is readable from the containers cp secrets.yaml /etc/egi/vos/secrets.yaml From be47af9a6e483d2477797dc84dd477a29b246f68 Mon Sep 17 00:00:00 2001 From: Enol Fernandez Date: Mon, 17 Jun 2024 15:20:09 +0100 Subject: [PATCH 06/46] Test the ansible --- .github/workflows/molecule.yml | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) create mode 100644 .github/workflows/molecule.yml diff --git a/.github/workflows/molecule.yml b/.github/workflows/molecule.yml new file mode 100644 index 00000000..999b5771 --- /dev/null +++ b/.github/workflows/molecule.yml 
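Review bot: The call becomes `./deploy.sh "$OAUTH_TOKEN" "$COMMIT_SHA" "$FEDCLOUD_LOCKER_TOKEN" "$SHORT_COMMIT_SHA" "$SLACK_WEBHOOK_URL"`, but the only change this commit makes to deploy/deploy.sh is two blank lines, and deploy.sh as shown earlier in the series still reads `COMMIT_SHA="$2"`, `SHORT_SHA="$3"`, `SLACK_WEBHOOK_URL="$4"`; with the new order `SHORT_SHA` receives the locker token (and ends up in the `cloud_info_image` tag written to extra-vars.yaml), the webhook variable receives the short SHA, and the real webhook URL is dropped. Either append the locker token as the fifth argument or update the positional parsing in deploy.sh in the same commit. The line that created `./secrets.yaml` is removed here while deploy.sh's `cp secrets.yaml /etc/egi/vos/secrets.yaml` remains, so unless deploy.sh is taught to fetch the secret from the locker the copy now fails.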
@@ -0,0 +1,25 @@ +--- +name: Test role + +on: [push, pull_request] + +jobs: + molecule: + name: Runs molecule for the ansible role + runs-on: ubuntu-latest + + steps: + - name: Checkout code + uses: actions/checkout@v4 + with: + path: "${{ github.repository }}" + + - name: Fake the ansible role is at the top dir + run: | + mv deploy/roles/catchall/* . + + - name: Test + uses: robertdebock/molecule-action@6.0.0 + with: + image: "ubuntu" + tag: "latest" From 11d7c041a6612786c76526dee60b97bd381a60d1 Mon Sep 17 00:00:00 2001 From: Enol Fernandez Date: Mon, 17 Jun 2024 15:24:15 +0100 Subject: [PATCH 07/46] Testing --- .github/workflows/molecule.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/molecule.yml b/.github/workflows/molecule.yml index 999b5771..b04718ac 100644 --- a/.github/workflows/molecule.yml +++ b/.github/workflows/molecule.yml @@ -16,6 +16,7 @@ jobs: - name: Fake the ansible role is at the top dir run: | + ls -ltra mv deploy/roles/catchall/* . - name: Test From 0aa2c332577f012454c1a133dd969720caa8e6e8 Mon Sep 17 00:00:00 2001 From: Enol Fernandez Date: Mon, 17 Jun 2024 15:25:22 +0100 Subject: [PATCH 08/46] Debug --- .github/workflows/deploy.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml index 91df8a23..c9ef611c 100644 --- a/.github/workflows/deploy.yml +++ b/.github/workflows/deploy.yml @@ -30,6 +30,7 @@ jobs: REFRESH_TOKEN: ${{ secrets.REFRESH_TOKEN }} ANSIBLE_SECRETS: ${{ secrets.ANSIBLE_SECRETS }} run: | + set -x # using parametric scopes to only have access to cloud.egi.eu VO SCOPE="openid%20email%20profile%20voperson_id%20eduperson_entitlement" SCOPE="$SCOPE:eduperson_entitlement:urn:mace:egi.eu:group:cloud.egi.eu:role=vm_operator#aai.egi.eu" From 29b95c381b785ba172e0b187e5e57bb40eeee52d Mon Sep 17 00:00:00 2001 
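Review bot: `robertdebock/molecule-action@6.0.0` and `actions/checkout@v4` are pinned to mutable tags; for a workflow triggered on `pull_request`, pinning third-party actions to a full commit SHA (with the version in a trailing comment) removes the risk of a retagged release running different code in this repository's CI. The workflow also declares no `permissions:` block, so the job token gets the repository default; a top-level `permissions: contents: read` is all checkout plus a molecule run needs. Note that `mv deploy/roles/catchall/* .` skips dotfiles in that directory under default globbing, which may or may not matter for the role layout.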
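Review bot: `set -x` is enabled in the step that holds `REFRESH_TOKEN` and `ANSIBLE_SECRETS` and that runs `echo "::add-mask::$OIDC_TOKEN"`; with tracing on, the shell prints that echo line to the job log before the runner has processed the mask, so the freshly minted access token may appear in plain text (the traced `curl -d` line carries the refresh token too, though that one is covered by GitHub's secret masking, whereas the access token is not until the mask command runs). A later patch in this series removes the line again; if tracing is needed for debugging, enable it only around the non-secret commands, with `set +x` before the token request and `::add-mask::` lines.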
From: Enol Fernandez Date: Mon, 17 Jun 2024 15:27:57 +0100 Subject: [PATCH 09/46] Black python --- deploy/roles/catchall/molecule/default/tests/test_default.py | 1 - 1 file changed, 1 deletion(-) diff --git a/deploy/roles/catchall/molecule/default/tests/test_default.py b/deploy/roles/catchall/molecule/default/tests/test_default.py index f70c1802..5fb4704b 100644 --- a/deploy/roles/catchall/molecule/default/tests/test_default.py +++ b/deploy/roles/catchall/molecule/default/tests/test_default.py @@ -8,7 +8,6 @@ ).get_hosts("all") - def test_site_files(host): endpoint_hash = hashlib.md5(b"https://example.com:5000/v3/").hexdigest() filename = "foo-bar-%s" % endpoint_hash From 7d30bf40b23231ad30aba502c76d23c3a504b5b5 Mon Sep 17 00:00:00 2001 From: Enol Fernandez Date: Mon, 17 Jun 2024 15:28:34 +0100 Subject: [PATCH 10/46] Linting --- deploy/deploy.sh | 2 -- 1 file changed, 2 deletions(-) diff --git a/deploy/deploy.sh b/deploy/deploy.sh index a8fabfb2..9c4b3333 100755 --- a/deploy/deploy.sh +++ b/deploy/deploy.sh @@ -25,8 +25,6 @@ else header="Failed deployment :boom:" fi - - # This is a temporary way to get the auto discovery working while we transition for all sites # copy the secrets to the /etc/egi/vos dir which is readable from the containers cp secrets.yaml /etc/egi/vos/secrets.yaml From 16924f0dc7b9ff3b2bf1cccf925c38f5d84f49e5 Mon Sep 17 00:00:00 2001 From: Enol Fernandez Date: Mon, 17 Jun 2024 15:30:12 +0100 Subject: [PATCH 11/46] Fix role --- deploy/roles/catchall/tasks/main.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/deploy/roles/catchall/tasks/main.yml b/deploy/roles/catchall/tasks/main.yml index 176fa430..09157e11 100644 --- a/deploy/roles/catchall/tasks/main.yml +++ b/deploy/roles/catchall/tasks/main.yml @@ -37,8 +37,6 @@ - /etc/egi/cloud-info - /var/lock/cloud-info - /var/log/cloud-info - state: directory - mode: "755" - name: Site specific config ansible.builtin.include_tasks: cloud-info.yml vars: 
From 785de346b789af8e76285340d73a97399a747228 Mon Sep 17 00:00:00 2001 From: Enol Fernandez Date: Mon, 17 Jun 2024 15:32:32 +0100 Subject: [PATCH 12/46] Do not set path for checkout --- .github/workflows/molecule.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/.github/workflows/molecule.yml b/.github/workflows/molecule.yml index b04718ac..6ef6129e 100644 --- a/.github/workflows/molecule.yml +++ b/.github/workflows/molecule.yml @@ -11,8 +11,6 @@ jobs: steps: - name: Checkout code uses: actions/checkout@v4 - with: - path: "${{ github.repository }}" - name: Fake the ansible role is at the top dir run: | From 4fd06a2f88811db5c8d67042683877953ed3f16b Mon Sep 17 00:00:00 2001 From: Enol Fernandez Date: Mon, 17 Jun 2024 15:34:04 +0100 Subject: [PATCH 13/46] Debug --- .github/workflows/deploy.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml index c9ef611c..e26f13a1 100644 --- a/.github/workflows/deploy.yml +++ b/.github/workflows/deploy.yml @@ -35,7 +35,7 @@ jobs: SCOPE="openid%20email%20profile%20voperson_id%20eduperson_entitlement" SCOPE="$SCOPE:eduperson_entitlement:urn:mace:egi.eu:group:cloud.egi.eu:role=vm_operator#aai.egi.eu" OIDC_TOKEN=$(curl -X POST "https://aai.egi.eu/auth/realms/egi/protocol/openid-connect/token" \ - -d "grant_type=refresh_token&refresh_token=$REFRESH_TOKEN&client_id=token-portal&scope=$SCOPE" \ + -d "grant_type=refresh_token&client_id=token-portal&scope=$SCOPE&refresh_token=$REFRESH_TOKEN" | jq -r ".access_token") echo "::add-mask::$OIDC_TOKEN" cd deploy From c2f8af8c34055cb21d63330668ac7d64ea972410 Mon Sep 17 00:00:00 2001 From: Enol Fernandez Date: Mon, 17 Jun 2024 15:37:46 +0100 Subject: [PATCH 14/46] Path fixing --- .github/workflows/molecule.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/molecule.yml b/.github/workflows/molecule.yml index 6ef6129e..3be7672c 100644 --- a/.github/workflows/molecule.yml 
+++ b/.github/workflows/molecule.yml @@ -15,7 +15,8 @@ jobs: - name: Fake the ansible role is at the top dir run: | ls -ltra - mv deploy/roles/catchall/* . + mkdir -p "${{ github.repository }}" + mv /deploy/roles/catchall/* "${{ github.repository }}" - name: Test uses: robertdebock/molecule-action@6.0.0 From 293279ce99b390136c64b2934a19293f6daeecc7 Mon Sep 17 00:00:00 2001 From: Enol Fernandez Date: Mon, 17 Jun 2024 15:51:44 +0100 Subject: [PATCH 15/46] Fix path --- .github/workflows/molecule.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/molecule.yml b/.github/workflows/molecule.yml index 3be7672c..a0394eb9 100644 --- a/.github/workflows/molecule.yml +++ b/.github/workflows/molecule.yml @@ -16,7 +16,7 @@ jobs: run: | ls -ltra mkdir -p "${{ github.repository }}" - mv /deploy/roles/catchall/* "${{ github.repository }}" + mv deploy/roles/catchall/* "${{ github.repository }}" - name: Test uses: robertdebock/molecule-action@6.0.0 From eebb16a6c1d24223719b8a469efce7d08c62f1a0 Mon Sep 17 00:00:00 2001 From: Enol Fernandez Date: Mon, 17 Jun 2024 15:54:21 +0100 Subject: [PATCH 16/46] Fix command line --- .github/workflows/deploy.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml index e26f13a1..0154878f 100644 --- a/.github/workflows/deploy.yml +++ b/.github/workflows/deploy.yml @@ -35,7 +35,7 @@ jobs: SCOPE="openid%20email%20profile%20voperson_id%20eduperson_entitlement" SCOPE="$SCOPE:eduperson_entitlement:urn:mace:egi.eu:group:cloud.egi.eu:role=vm_operator#aai.egi.eu" OIDC_TOKEN=$(curl -X POST "https://aai.egi.eu/auth/realms/egi/protocol/openid-connect/token" \ - -d "grant_type=refresh_token&client_id=token-portal&scope=$SCOPE&refresh_token=$REFRESH_TOKEN" + -d "grant_type=refresh_token&client_id=token-portal&scope=$SCOPE&refresh_token=$REFRESH_TOKEN" \ | jq -r ".access_token") echo "::add-mask::$OIDC_TOKEN" cd deploy 
From 9c473eab87e955f640ce826887d8d303cb15fd60 Mon Sep 17 00:00:00 2001 From: Enol Fernandez Date: Tue, 18 Jun 2024 08:26:40 +0100 Subject: [PATCH 17/46] Fix role name --- deploy/roles/catchall/molecule/default/converge.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/deploy/roles/catchall/molecule/default/converge.yml b/deploy/roles/catchall/molecule/default/converge.yml index 06768203..2f4ad264 100644 --- a/deploy/roles/catchall/molecule/default/converge.yml +++ b/deploy/roles/catchall/molecule/default/converge.yml @@ -2,9 +2,9 @@ - name: Converge hosts: all tasks: - - name: "Include ansible-role-fedcloud-ops" + - name: "Include catchall role" ansible.builtin.include_role: - name: "ansible-role-fedcloud-ops" + name: "catchall" vars: sites: - endpoint: https://example.com:5000/v3/ From 3881e15104ee4bc470d2602fc22dc27270661c9f Mon Sep 17 00:00:00 2001 From: Enol Fernandez Date: Tue, 18 Jun 2024 15:08:19 +0100 Subject: [PATCH 18/46] Debug --- .github/workflows/molecule.yml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/.github/workflows/molecule.yml b/.github/workflows/molecule.yml index a0394eb9..67953794 100644 --- a/.github/workflows/molecule.yml +++ b/.github/workflows/molecule.yml @@ -17,6 +17,14 @@ jobs: ls -ltra mkdir -p "${{ github.repository }}" mv deploy/roles/catchall/* "${{ github.repository }}" + ls -l /github/workspace/EGI-Federation/fedcloud-catchall-operations/molecule/default/roles || echo "NOP" + ls -l /github/home/.cache/molecule/fedcloud-catchall-operations/default/roles || echo "NOP" + ls -l /github/workspace/EGI-Federation || echo "NOP" + ls -l /github/home/.ansible/roles || echo "NOP" + ls -l /usr/share/ansible/roles || echo "NOP" + ls -l /etc/ansible/roles || echo "NOP" + ls -l /github/workspace/EGI-Federation || echo "NOP" + ls -l /github/workspace/EGI-Federation/fedcloud-catchall-operations/molecule/default || echo "NOP" - name: Test uses: robertdebock/molecule-action@6.0.0 
From f9bdc4d4e79f03c219476a6bf4a0ae030af8dfba Mon Sep 17 00:00:00 2001 From: Enol Fernandez Date: Tue, 18 Jun 2024 15:14:49 +0100 Subject: [PATCH 19/46] More debug --- .github/workflows/molecule.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/molecule.yml b/.github/workflows/molecule.yml index 67953794..a45cf1fb 100644 --- a/.github/workflows/molecule.yml +++ b/.github/workflows/molecule.yml @@ -16,7 +16,9 @@ jobs: run: | ls -ltra mkdir -p "${{ github.repository }}" + pwd mv deploy/roles/catchall/* "${{ github.repository }}" + ls "${{ github.repository }}" ls -l /github/workspace/EGI-Federation/fedcloud-catchall-operations/molecule/default/roles || echo "NOP" ls -l /github/home/.cache/molecule/fedcloud-catchall-operations/default/roles || echo "NOP" ls -l /github/workspace/EGI-Federation || echo "NOP" From d86e4bb17ec8ba71c8b440d7c5f68fd470bb59bd Mon Sep 17 00:00:00 2001 From: Enol Fernandez Date: Tue, 18 Jun 2024 15:37:05 +0100 Subject: [PATCH 20/46] Do not restrict the token --- .github/workflows/deploy.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml index 0154878f..0ecb092a 100644 --- a/.github/workflows/deploy.yml +++ b/.github/workflows/deploy.yml @@ -33,7 +33,7 @@ jobs: set -x # using parametric scopes to only have access to cloud.egi.eu VO SCOPE="openid%20email%20profile%20voperson_id%20eduperson_entitlement" - SCOPE="$SCOPE:eduperson_entitlement:urn:mace:egi.eu:group:cloud.egi.eu:role=vm_operator#aai.egi.eu" + #SCOPE="$SCOPE:eduperson_entitlement:urn:mace:egi.eu:group:cloud.egi.eu:role=vm_operator#aai.egi.eu" OIDC_TOKEN=$(curl -X POST "https://aai.egi.eu/auth/realms/egi/protocol/openid-connect/token" \ -d "grant_type=refresh_token&client_id=token-portal&scope=$SCOPE&refresh_token=$REFRESH_TOKEN" \ | jq -r ".access_token") From e995130a528d90fa9265e1e79f0367da9edd41af Mon Sep 17 00:00:00 2001 
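Review bot: Commenting out the entitlement line removes the VO restriction, so the access token minted by the `curl` call below carries every entitlement the refresh token's owner holds, while the comment above still says the token is limited to cloud.egi.eu; the `set -x` shown as context will also echo the expanded `OIDC_TOKEN=` assignment into the log before it is masked. If the restricted request was being rejected, a likely cause is the separator on the removed line, which glues a second `eduperson_entitlement:` scope onto the previous one with `:` instead of an encoded space — inferred from the scope syntax, confirm against the AAI documentation. Either fix the separator or make the comment truthful, e.g. `# NOTE: VO-restricting scope temporarily disabled; the token carries the owner's full entitlements`.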
From: Enol Fernandez Date: Thu, 20 Jun 2024 14:32:56 +0100 Subject: [PATCH 21/46] Fix the scope --- .github/workflows/deploy.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml index 0ecb092a..720bb3d8 100644 --- a/.github/workflows/deploy.yml +++ b/.github/workflows/deploy.yml @@ -32,8 +32,9 @@ jobs: run: | set -x # using parametric scopes to only have access to cloud.egi.eu VO - SCOPE="openid%20email%20profile%20voperson_id%20eduperson_entitlement" - #SCOPE="$SCOPE:eduperson_entitlement:urn:mace:egi.eu:group:cloud.egi.eu:role=vm_operator#aai.egi.eu" + SCOPE="openid%20email%20profile%20voperson_id" + SCOPE="$SCOPE%20eduperson_entitlement:urn:mace:egi.eu:group:cloud.egi.eu:role=vm_operator#aai.egi.eu" + SCOPE="$SCOPE%20eduperson_entitlement:urn:mace:egi.eu:group:cloud.egi.eu:role=member#aai.egi.eu" OIDC_TOKEN=$(curl -X POST "https://aai.egi.eu/auth/realms/egi/protocol/openid-connect/token" \ -d "grant_type=refresh_token&client_id=token-portal&scope=$SCOPE&refresh_token=$REFRESH_TOKEN" \ | jq -r ".access_token") From 3261850c4f0b2e7bd5e904dc4039e653156d211a Mon Sep 17 00:00:00 2001 From: Enol Fernandez Date: Thu, 20 Jun 2024 15:51:07 +0100 Subject: [PATCH 22/46] Fix fedcloud cli invocation --- .github/workflows/deploy.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml index 720bb3d8..2a73a6a7 100644 --- a/.github/workflows/deploy.yml +++ b/.github/workflows/deploy.yml @@ -30,7 +30,6 @@ jobs: REFRESH_TOKEN: ${{ secrets.REFRESH_TOKEN }} ANSIBLE_SECRETS: ${{ secrets.ANSIBLE_SECRETS }} run: | - set -x # using parametric scopes to only have access to cloud.egi.eu VO SCOPE="openid%20email%20profile%20voperson_id" SCOPE="$SCOPE%20eduperson_entitlement:urn:mace:egi.eu:group:cloud.egi.eu:role=vm_operator#aai.egi.eu" 
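Review bot: The comment above the new lines still describes the scope as limiting access to the VO, but the third line now also requests the `role=member` entitlement; update it so the next reader knows both are intentional, e.g. `# parametric scopes: request only the cloud.egi.eu vm_operator and member entitlements so the token cannot act in other VOs`. The `#`, `:` and `=` inside the scope values are sent raw in the form body on the `-d` line below; most token endpoints tolerate that, but if the issuer ever rejects the request, percent-encoding the entitlement values (`%23` for `#`) is the first thing to try — hedged, not verified here. The run step begins above the hunk.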
@@ -55,8 +54,9 @@ jobs: sed -i -e "s/deploy_secret/$DEPLOY_OS_TOKEN/" clouds.yaml mkdir -p ~/.config/openstack touch ~/.config/openstack/secure.yaml - FEDCLOUD_LOCKER_TOKEN="$(fedcloud secret locker --oidc-access-token "$OIDC_TOKEN" \ - create --ttl 1h --num-uses 2)" + FEDCLOUD_LOCKER_TOKEN="$(fedcloud secret locker create \ + --oidc-access-token "$OIDC_TOKEN" \ + --ttl 1h --num-uses 2)" fedcloud secret put deploy "data=$ANSIBLE_SECRETS" echo "::add-mask::$FEDCLOUD_LOCKER_TOKEN" echo "FEDCLOUD_LOCKER_TOKEN=$FEDCLOUD_LOCKER_TOKEN" >> "$GITHUB_ENV" From c8ee54623054e45b0c7aeabb20faf65ca65568ae Mon Sep 17 00:00:00 2001 From: Enol Fernandez Date: Thu, 20 Jun 2024 16:08:10 +0100 Subject: [PATCH 23/46] Debug --- .github/workflows/deploy.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml index 2a73a6a7..813fe0eb 100644 --- a/.github/workflows/deploy.yml +++ b/.github/workflows/deploy.yml @@ -30,6 +30,7 @@ jobs: REFRESH_TOKEN: ${{ secrets.REFRESH_TOKEN }} ANSIBLE_SECRETS: ${{ secrets.ANSIBLE_SECRETS }} run: | + set -x # using parametric scopes to only have access to cloud.egi.eu VO SCOPE="openid%20email%20profile%20voperson_id" SCOPE="$SCOPE%20eduperson_entitlement:urn:mace:egi.eu:group:cloud.egi.eu:role=vm_operator#aai.egi.eu" From 151e4e23dfb54e94ef457c47c15e7c1745979e52 Mon Sep 17 00:00:00 2001 From: Enol Fernandez Date: Thu, 20 Jun 2024 16:16:39 +0100 Subject: [PATCH 24/46] Fix cli --- .github/workflows/deploy.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml index 813fe0eb..e67ef2cc 100644 --- a/.github/workflows/deploy.yml +++ b/.github/workflows/deploy.yml 
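Review bot: Re-enabling `set -x` in this step makes bash trace every expanded assignment, so `OIDC_TOKEN=<value>` and, further down the same step, `FEDCLOUD_LOCKER_TOKEN=<value>` are printed to the job log before the `::add-mask::` lines that are meant to hide them; only `REFRESH_TOKEN` is masked automatically because it comes from `secrets`. If tracing is needed to debug the scope logic, limit it to the non-sensitive part: keep `set -x` before the SCOPE lines and add `set +x` immediately before the `OIDC_TOKEN=$(curl …` line. The rest of the step lies outside this hunk.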
@@ -30,7 +30,6 @@ jobs: REFRESH_TOKEN: ${{ secrets.REFRESH_TOKEN }} ANSIBLE_SECRETS: ${{ secrets.ANSIBLE_SECRETS }} run: | - set -x # using parametric scopes to only have access to cloud.egi.eu VO SCOPE="openid%20email%20profile%20voperson_id" SCOPE="$SCOPE%20eduperson_entitlement:urn:mace:egi.eu:group:cloud.egi.eu:role=vm_operator#aai.egi.eu" @@ -58,7 +57,7 @@ jobs: FEDCLOUD_LOCKER_TOKEN="$(fedcloud secret locker create \ --oidc-access-token "$OIDC_TOKEN" \ --ttl 1h --num-uses 2)" - fedcloud secret put deploy "data=$ANSIBLE_SECRETS" + fedcloud secret put --locker-token "$FEDCLOUD_LOCKER_TOKEN" deploy "data=$ANSIBLE_SECRETS" echo "::add-mask::$FEDCLOUD_LOCKER_TOKEN" echo "FEDCLOUD_LOCKER_TOKEN=$FEDCLOUD_LOCKER_TOKEN" >> "$GITHUB_ENV" - name: Setup Terraform From 79f691a322590158b73dc4acb5c4e23460efd60c Mon Sep 17 00:00:00 2001 From: Enol Fernandez Date: Thu, 20 Jun 2024 16:18:44 +0100 Subject: [PATCH 25/46] Mask secret --- .github/workflows/deploy.yml | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml index e67ef2cc..d6bebdbc 100644 --- a/.github/workflows/deploy.yml +++ b/.github/workflows/deploy.yml @@ -57,8 +57,8 @@ jobs: FEDCLOUD_LOCKER_TOKEN="$(fedcloud secret locker create \ --oidc-access-token "$OIDC_TOKEN" \ --ttl 1h --num-uses 2)" - fedcloud secret put --locker-token "$FEDCLOUD_LOCKER_TOKEN" deploy "data=$ANSIBLE_SECRETS" echo "::add-mask::$FEDCLOUD_LOCKER_TOKEN" + fedcloud secret put --locker-token "$FEDCLOUD_LOCKER_TOKEN" deploy "data=$ANSIBLE_SECRETS" echo "FEDCLOUD_LOCKER_TOKEN=$FEDCLOUD_LOCKER_TOKEN" >> "$GITHUB_ENV" - name: Setup Terraform uses: hashicorp/setup-terraform@v3 
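Review bot: Masking the locker token before its first use is the right order, but the line after it still exports `FEDCLOUD_LOCKER_TOKEN` job-wide through `$GITHUB_ENV`, so every later step, including the third-party `hashicorp/setup-terraform@v3` step shown as context, receives the token in its environment. If only one later step consumes it (not visible from here), scope it to that step with `env:` rather than the job environment. Note also that the locker is created with `--num-uses 2` and one use is spent by the `fedcloud secret put` in this hunk, leaving exactly one `get`, so a retried consumer will fail; record that with `# locker allows 2 uses: one put here, one get on the VM`.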
@@ -138,8 +138,9 @@ jobs: REFRESH_TOKEN: ${{ secrets.REFRESH_TOKEN }} run: | # using parametric scopes to only have access to cloud.egi.eu VO - SCOPE="openid%20email%20profile%20voperson_id%20eduperson_entitlement" - SCOPE="$SCOPE:eduperson_entitlement:urn:mace:egi.eu:group:cloud.egi.eu:role=vm_operator#aai.egi.eu" + SCOPE="openid%20email%20profile%20voperson_id" + SCOPE="$SCOPE%20eduperson_entitlement:urn:mace:egi.eu:group:cloud.egi.eu:role=vm_operator#aai.egi.eu" + SCOPE="$SCOPE%20eduperson_entitlement:urn:mace:egi.eu:group:cloud.egi.eu:role=member#aai.egi.eu" OIDC_TOKEN=$(curl -X POST "https://aai.egi.eu/auth/realms/egi/protocol/openid-connect/token" \ -d "grant_type=refresh_token&refresh_token=$REFRESH_TOKEN&client_id=token-portal&scope=$SCOPE" \ | jq -r ".access_token") From c889e9723b63f404142b7e1cca7d5190ff1ce9b8 Mon Sep 17 00:00:00 2001 From: Enol Fernandez Date: Thu, 20 Jun 2024 16:20:48 +0100 Subject: [PATCH 26/46] Let's break things --- .github/workflows/deploy.yml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml index d6bebdbc..76123db3 100644 --- a/.github/workflows/deploy.yml +++ b/.github/workflows/deploy.yml @@ -87,14 +87,14 @@ jobs: sed -i -e "s/%CLOUDS_YAML%/$(base64 -w 0 < clouds.yaml)/" cloud-init.yaml - name: terraform plan id: plan - if: github.event_name == 'pull_request' + #if: github.event_name == 'pull_request' run: | cd deploy terraform plan -no-color -var-file="$EGI_SITE.tfvars" continue-on-error: true - name: Update Pull Request uses: actions/github-script@v7 - if: github.event_name == 'pull_request' + #if: github.event_name == 'pull_request' env: PLAN: "terraform\n${{ steps.plan.outputs.stdout }}" with: 
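Review bot: Commenting out the `if:` guards removes the only condition that kept `terraform apply -auto-approve` and the swift status steps to pushes on main; together with the hunks at `@@ -123,13 +123,13 @@`, `@@ -155,7 +155,7 @@` and `@@ -167,7 +167,7 @@` of this commit, a pull_request event can now apply changes to whatever the tfvars target with the deploy credentials, and the plan/PR-comment steps run on events where `steps.plan.outputs.stdout` may be empty. For a one-off manual test, add a `workflow_dispatch` trigger and extend the guards with `|| github.event_name == 'workflow_dispatch'` instead of disabling them, and leave a comment saying when they are to be restored. The guards are restored in PATCH 33/46.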
@@ -123,13 +123,13 @@ jobs: run: exit 1 - name: Terraform Apply id: terraform-apply - if: github.ref == 'refs/heads/main' && github.event_name == 'push' + #if: github.ref == 'refs/heads/main' && github.event_name == 'push' run: | cd deploy terraform apply -auto-approve -var-file="$EGI_SITE.tfvars" - name: Get VM ID id: terraform-vm-id - if: github.ref == 'refs/heads/main' && github.event_name == 'push' + #if: github.ref == 'refs/heads/main' && github.event_name == 'push' run: | cd deploy terraform output -raw instance-id @@ -155,7 +155,7 @@ jobs: mkdir -p ~/.config/openstack touch ~/.config/openstack/secure.yaml - name: Get the status file from swift - if: github.ref == 'refs/heads/main' && github.event_name == 'push' + #if: github.ref == 'refs/heads/main' && github.event_name == 'push' uses: nick-fields/retry@v3 with: timeout_minutes: 10 @@ -167,7 +167,7 @@ jobs: openstack --os-cloud backend object save fedcloud-catchall "${{ steps.terraform-vm-id.outputs.stdout }}" && openstack --os-cloud backend object delete fedcloud-catchall "${{ steps.terraform-vm-id.outputs.stdout }}" - name: Look for errors - if: github.ref == 'refs/heads/main' && github.event_name == 'push' + #if: github.ref == 'refs/heads/main' && github.event_name == 'push' run: | cd deploy # show the status in the build log From 8e27e2ca247c6bf6e3c61bb42c9a451a8f904517 Mon Sep 17 00:00:00 2001 From: Enol Fernandez Date: Fri, 21 Jun 2024 09:14:44 +0100 Subject: [PATCH 27/46] Fix the deployment --- deploy/cloud-init.yaml | 2 ++ deploy/deploy.sh | 20 ++++++++++++++++---- 2 files changed, 18 insertions(+), 4 deletions(-) diff --git a/deploy/cloud-init.yaml b/deploy/cloud-init.yaml index f51f8fb5..50b49fc5 100644 --- a/deploy/cloud-init.yaml +++ b/deploy/cloud-init.yaml @@ -23,6 +23,8 @@ packages: - ansible - jq - python3-openstackclient + - python3-pip + - python3.10-venv - retry write_files: diff --git a/deploy/deploy.sh b/deploy/deploy.sh index 9c4b3333..1fec37b5 100755 --- a/deploy/deploy.sh 
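Review bot: `python3.10-venv` in the cloud-init package list hard-codes the interpreter minor version of one Ubuntu release, so the deployment breaks as soon as the VM image moves to a release that ships another Python; the unversioned `python3-venv` package tracks the default interpreter. Unless deploy.sh needs 3.10 specifically (nothing in the diff suggests it), change the line to `- python3-venv`. The packages list begins above the hunk.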
+++ b/deploy/deploy.sh @@ -1,13 +1,25 @@ #!/bin/sh # Configure current host with ansible -# Expects as arguments the OAUTH_TOKEN, the COMMIT_SHA and the SLACK_WEBHOOK_URL - +# Expects as arguments: +# - a GitHub OAUTH_TOKEN to update the PR +# - the COMMIT_SHA +# - a locker for fedcloud secret to obtain the secrets +# - the SHORT_SHA used for pulling the docker image to use +# - a SLACK_WEBHOOK_URL to report on the status set -e OAUTH_TOKEN="$1" COMMIT_SHA="$2" -SHORT_SHA="$3" -SLACK_WEBHOOK_URL="$4" +FEDCLOUD_SECRET_LOCKER="$3" +SHORT_SHA="$4" +SLACK_WEBHOOK_URL="$5" + +# create a virtual env for fedcloudclient +python3 -m venv $PWD/.venv +$PWD/.venv/bin/pip install fedcloudclient + +$PWD/.venv/bin/fedcloud secret get --locker-token $FEDCLOUD_SECRET_LOCKER \ + deploy data > secrets.yaml echo "cloud_info_image: \"ghcr.io/egi-federation/fedcloud-cloud-info:sha-$SHORT_SHA\"" >>extra-vars.yaml From a61b7fd6465a10df45ac3aba0a6ca5b595f3dc04 Mon Sep 17 00:00:00 2001 From: Enol Fernandez Date: Fri, 21 Jun 2024 09:54:12 +0100 Subject: [PATCH 28/46] We are not using VO-specific auth now --- deploy/roles/catchall/defaults/main.yaml | 8 -------- deploy/roles/catchall/templates/site-info.yaml.j2 | 2 -- 2 files changed, 10 deletions(-) diff --git a/deploy/roles/catchall/defaults/main.yaml b/deploy/roles/catchall/defaults/main.yaml index a3b7d9fc..5f6605cc 100644 --- a/deploy/roles/catchall/defaults/main.yaml +++ b/deploy/roles/catchall/defaults/main.yaml @@ -1,11 +1,3 @@ -# VOs -vos: - sample_vo: - auth: - client_secret: foo - client_id: bar - refresh_token: baz - # AMS details ams_project: egi_cloud_info ams_host: msg.argo.grnet.gr diff --git a/deploy/roles/catchall/templates/site-info.yaml.j2 b/deploy/roles/catchall/templates/site-info.yaml.j2 index 8f0f8ff6..293e3ccf 100644 --- a/deploy/roles/catchall/templates/site-info.yaml.j2 +++ b/deploy/roles/catchall/templates/site-info.yaml.j2 
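Review bot: `secrets.yaml` is created by plain redirection, so it gets the default umask (typically 0644) and the retrieved Ansible secrets are readable by every local account on the VM; add `umask 077` before the `fedcloud secret get` line, or create the file first with `install -m 600 /dev/null secrets.yaml`. The `pip install fedcloudclient` runs unpinned from PyPI on every deployment, so the code that handles the locker token can change under you; pin it, e.g. `"$PWD/.venv/bin/pip" install "fedcloudclient==<PINNED_VERSION>"` (placeholder), ideally with `--require-hashes`. `$FEDCLOUD_SECRET_LOCKER` is also expanded unquoted on the new line (addressed in PATCH 29/46).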
@@ -4,8 +4,6 @@ site: compute: shares: {% for vo in site.vos %} -{% if vo.name in vos %} {{ vo.name }}: {{ vo | default({}) | to_nice_yaml(indent=2) | indent(6) }} -{% endif %} {% endfor %} From 1c447938e42ea28f6977022c858fa85028a43c51 Mon Sep 17 00:00:00 2001 From: Enol Fernandez Date: Fri, 21 Jun 2024 09:54:59 +0100 Subject: [PATCH 29/46] Linting --- deploy/deploy.sh | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/deploy/deploy.sh b/deploy/deploy.sh index 1fec37b5..159be470 100755 --- a/deploy/deploy.sh +++ b/deploy/deploy.sh @@ -15,11 +15,11 @@ SHORT_SHA="$4" SLACK_WEBHOOK_URL="$5" # create a virtual env for fedcloudclient -python3 -m venv $PWD/.venv -$PWD/.venv/bin/pip install fedcloudclient +python3 -m venv "$PWD/.venv" +"$PWD/.venv/bin/pip" install fedcloudclient -$PWD/.venv/bin/fedcloud secret get --locker-token $FEDCLOUD_SECRET_LOCKER \ - deploy data > secrets.yaml +"$PWD/.venv/bin/fedcloud" secret get --locker-token "$FEDCLOUD_SECRET_LOCKER" \ + deploy data >secrets.yaml echo "cloud_info_image: \"ghcr.io/egi-federation/fedcloud-cloud-info:sha-$SHORT_SHA\"" >>extra-vars.yaml From 0da295f5c494af70a261689a9b857179161d3fa0 Mon Sep 17 00:00:00 2001 From: Enol Fernandez Date: Fri, 21 Jun 2024 11:03:23 +0100 Subject: [PATCH 30/46] More debug --- .github/workflows/deploy.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml index 76123db3..8e776f93 100644 --- a/.github/workflows/deploy.yml +++ b/.github/workflows/deploy.yml @@ -164,6 +164,7 @@ jobs: command: > set -x && pushd deploy && + cat clouds.yaml && openstack --os-cloud backend object save fedcloud-catchall "${{ steps.terraform-vm-id.outputs.stdout }}" && openstack --os-cloud backend object delete fedcloud-catchall "${{ steps.terraform-vm-id.outputs.stdout }}" - name: Look for errors From bf7b93018216bd8dca6e741d8c5462d88aa2b880 Mon Sep 17 00:00:00 2001 
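Review bot: `cat clouds.yaml &&` prints the cloud configuration into the job log, and by that point in the job `clouds.yaml` has had `backend_secret` replaced by the real Keystone token (the `sed -i -e "s/backend_secret/$BACKEND_OS_TOKEN/" clouds.yaml` line is visible as context in the hunks of PATCH 32/46 and 34/46); `::add-mask::` is best effort and does not survive reformatting, so a credential file should never be echoed. Remove the line, or if the file's structure is what needs checking, print it with the secret field deleted via `yq`, hedged because the token's key name is not visible here. The retry `command:` block begins above the hunk.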
From: Enol Fernandez Date: Fri, 21 Jun 2024 11:45:08 +0100 Subject: [PATCH 31/46] More debug --- .github/workflows/deploy.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml index 8e776f93..eb45a235 100644 --- a/.github/workflows/deploy.yml +++ b/.github/workflows/deploy.yml @@ -165,8 +165,8 @@ jobs: set -x && pushd deploy && cat clouds.yaml && - openstack --os-cloud backend object save fedcloud-catchall "${{ steps.terraform-vm-id.outputs.stdout }}" && - openstack --os-cloud backend object delete fedcloud-catchall "${{ steps.terraform-vm-id.outputs.stdout }}" + openstack --debug --os-cloud backend object save fedcloud-catchall "${{ steps.terraform-vm-id.outputs.stdout }}" && + openstack --debug --os-cloud backend object delete fedcloud-catchall "${{ steps.terraform-vm-id.outputs.stdout }}" - name: Look for errors #if: github.ref == 'refs/heads/main' && github.event_name == 'push' run: | From 17ef5ea3f568b1db9d967cffa1d579fd0f800f05 Mon Sep 17 00:00:00 2001 From: Enol Fernandez Date: Fri, 21 Jun 2024 11:56:41 +0100 Subject: [PATCH 32/46] Recover the backend config --- .github/workflows/deploy.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml index eb45a235..751853d3 100644 --- a/.github/workflows/deploy.yml +++ b/.github/workflows/deploy.yml @@ -146,6 +146,7 @@ jobs: | jq -r ".access_token") echo "::add-mask::$OIDC_TOKEN" cd deploy + git checkout -- clouds.yaml BACKEND_SITE="$(yq -r .clouds.backend.site clouds.yaml)" BACKEND_VO="$(yq -r .clouds.backend.vo clouds.yaml)" BACKEND_OS_TOKEN="$(fedcloud openstack token issue --oidc-access-token "$OIDC_TOKEN" \ From efb753f50d82317ad4268ec3c64ad16317bf76df Mon Sep 17 00:00:00 2001 
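Review bot: `openstack --debug` writes the full HTTP trace of every request, headers and bodies included, into the job log of the retry step; recent keystoneauth releases replace the `X-Auth-Token` value with a hash in that trace, but that depends on the client version installed on the runner and nothing in the workflow checks it, so treat the flag as debugging to be reverted before merge. The `git checkout -- clouds.yaml` added in PATCH 32/46 deserves a comment saying why the committed copy must be restored, presumably because an earlier step rewrote the file in place, e.g. `# an earlier step rewrote clouds.yaml in place; start again from the committed copy`, otherwise the next reader will delete it. Both hunks lie inside run/command blocks that begin above them.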
From: Enol Fernandez Date: Fri, 21 Jun 2024 12:08:28 +0100 Subject: [PATCH 33/46] Do not rebuild every time --- .github/workflows/deploy.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml index 751853d3..c2d006e5 100644 --- a/.github/workflows/deploy.yml +++ b/.github/workflows/deploy.yml @@ -87,14 +87,14 @@ jobs: sed -i -e "s/%CLOUDS_YAML%/$(base64 -w 0 < clouds.yaml)/" cloud-init.yaml - name: terraform plan id: plan - #if: github.event_name == 'pull_request' + if: github.event_name == 'pull_request' run: | cd deploy terraform plan -no-color -var-file="$EGI_SITE.tfvars" continue-on-error: true - name: Update Pull Request uses: actions/github-script@v7 - #if: github.event_name == 'pull_request' + if: github.event_name == 'pull_request' env: PLAN: "terraform\n${{ steps.plan.outputs.stdout }}" with: @@ -123,13 +123,13 @@ jobs: run: exit 1 - name: Terraform Apply id: terraform-apply - #if: github.ref == 'refs/heads/main' && github.event_name == 'push' + if: github.ref == 'refs/heads/main' && github.event_name == 'push' run: | cd deploy terraform apply -auto-approve -var-file="$EGI_SITE.tfvars" - name: Get VM ID id: terraform-vm-id - #if: github.ref == 'refs/heads/main' && github.event_name == 'push' + if: github.ref == 'refs/heads/main' && github.event_name == 'push' run: | cd deploy terraform output -raw instance-id @@ -169,7 +169,7 @@ jobs: openstack --debug --os-cloud backend object save fedcloud-catchall "${{ steps.terraform-vm-id.outputs.stdout }}" && openstack --debug --os-cloud backend object delete fedcloud-catchall "${{ steps.terraform-vm-id.outputs.stdout }}" - name: Look for errors - #if: github.ref == 'refs/heads/main' && github.event_name == 'push' + if: github.ref == 'refs/heads/main' && github.event_name == 'push' run: | cd deploy # show the status in the build log From b367024aa7faa0670aa0981d20e96638abf1e50c Mon Sep 17 00:00:00 2001 
From: Enol Fernandez Date: Fri, 21 Jun 2024 12:14:33 +0100 Subject: [PATCH 34/46] debug --- .github/workflows/deploy.yml | 1 - .github/workflows/molecule.yml | 3 +++ 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml index c2d006e5..4dc533cc 100644 --- a/.github/workflows/deploy.yml +++ b/.github/workflows/deploy.yml @@ -151,7 +151,6 @@ jobs: BACKEND_VO="$(yq -r .clouds.backend.vo clouds.yaml)" BACKEND_OS_TOKEN="$(fedcloud openstack token issue --oidc-access-token "$OIDC_TOKEN" \ --site "$BACKEND_SITE" --vo "$BACKEND_VO" -j | jq -r '.[0].Result.id')" - echo "::add-mask::$BACKEND_OS_TOKEN" sed -i -e "s/backend_secret/$BACKEND_OS_TOKEN/" clouds.yaml mkdir -p ~/.config/openstack touch ~/.config/openstack/secure.yaml diff --git a/.github/workflows/molecule.yml b/.github/workflows/molecule.yml index a45cf1fb..af622f43 100644 --- a/.github/workflows/molecule.yml +++ b/.github/workflows/molecule.yml @@ -19,6 +19,9 @@ jobs: pwd mv deploy/roles/catchall/* "${{ github.repository }}" ls "${{ github.repository }}" + echo "THIS" + ls -l /home/runner/work/fedcloud-catchall-operations/fedcloud-catchall-operations/EGI-Federation + echo "THAT" ls -l /github/workspace/EGI-Federation/fedcloud-catchall-operations/molecule/default/roles || echo "NOP" ls -l /github/home/.cache/molecule/fedcloud-catchall-operations/default/roles || echo "NOP" ls -l /github/workspace/EGI-Federation || echo "NOP" From 97a4f95077db88a2958fce09c5b04dfb2e33f0ce Mon Sep 17 00:00:00 2001 From: Enol Fernandez Date: Fri, 21 Jun 2024 12:54:49 +0100 Subject: [PATCH 35/46] Try it another time --- .github/workflows/deploy.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml index 4dc533cc..5b7678c8 100644 --- a/.github/workflows/deploy.yml +++ b/.github/workflows/deploy.yml 
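Review bot: Deleting `echo "::add-mask::$BACKEND_OS_TOKEN"` leaves the Keystone token unmasked while it is still written into `clouds.yaml` by the `sed` line below, and that file is dumped by the `cat clouds.yaml &&` and `openstack --debug` lines of the retry step (context in the hunks of PATCH 33/46 and 35/46), so the token will appear in clear in the job log. Keep the mask line immediately after the assignment; if it was removed because an empty value produced a runner warning, guard it instead: `[ -n "$BACKEND_OS_TOKEN" ] && echo "::add-mask::$BACKEND_OS_TOKEN"`. The molecule.yml hunk of this commit adds two more path probes of the kind already noted on PATCH 18/46.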
@@ -151,6 +151,8 @@ jobs: BACKEND_VO="$(yq -r .clouds.backend.vo clouds.yaml)" BACKEND_OS_TOKEN="$(fedcloud openstack token issue --oidc-access-token "$OIDC_TOKEN" \ --site "$BACKEND_SITE" --vo "$BACKEND_VO" -j | jq -r '.[0].Result.id')" + echo "::add-mask::$BACKEND_TOKEN" + echo "BACKEND_TOKEN=$BACKEND_TOKEN" >> "$GITHUB_ENV" sed -i -e "s/backend_secret/$BACKEND_OS_TOKEN/" clouds.yaml mkdir -p ~/.config/openstack touch ~/.config/openstack/secure.yaml @@ -162,11 +164,9 @@ jobs: max_attempts: 20 retry_wait_seconds: 40 command: > - set -x && pushd deploy && - cat clouds.yaml && - openstack --debug --os-cloud backend object save fedcloud-catchall "${{ steps.terraform-vm-id.outputs.stdout }}" && - openstack --debug --os-cloud backend object delete fedcloud-catchall "${{ steps.terraform-vm-id.outputs.stdout }}" + openstack --os-cloud backend --os-token "$BACKEND_TOKEN" object save fedcloud-catchall "${{ steps.terraform-vm-id.outputs.stdout }}" && + openstack --os-cloud backend --os-token "$BACKEND_TOKEN" object delete fedcloud-catchall "${{ steps.terraform-vm-id.outputs.stdout }}" - name: Look for errors if: github.ref == 'refs/heads/main' && github.event_name == 'push' run: | From b0261eca5a5d531104b2bb902f19c39d85302696 Mon Sep 17 00:00:00 2001 From: Enol Fernandez Date: Fri, 21 Jun 2024 12:57:34 +0100 Subject: [PATCH 36/46] Fix variable name --- .github/workflows/deploy.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml index 5b7678c8..a3fc45c4 100644 --- a/.github/workflows/deploy.yml +++ b/.github/workflows/deploy.yml 
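Review bot: The two added lines read `$BACKEND_TOKEN`, but the variable assigned two lines above is `BACKEND_OS_TOKEN`, so `::add-mask::` is given an empty string (masks nothing, and the runner warns) and the retry step's `--os-token "$BACKEND_TOKEN"` passes an empty token. Use `echo "::add-mask::$BACKEND_OS_TOKEN"`, `echo "BACKEND_OS_TOKEN=$BACKEND_OS_TOKEN" >> "$GITHUB_ENV"` and the same name on the two `openstack` lines. Passing the token with `--os-token` also places it in the process argument list, and since `clouds.yaml` already receives it via `sed`, one of the two channels is redundant. The run block begins above the first hunk.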
@@ -151,8 +151,8 @@ jobs: BACKEND_VO="$(yq -r .clouds.backend.vo clouds.yaml)" BACKEND_OS_TOKEN="$(fedcloud openstack token issue --oidc-access-token "$OIDC_TOKEN" \ --site "$BACKEND_SITE" --vo "$BACKEND_VO" -j | jq -r '.[0].Result.id')" - echo "::add-mask::$BACKEND_TOKEN" - echo "BACKEND_TOKEN=$BACKEND_TOKEN" >> "$GITHUB_ENV" + echo "::add-mask::$BACKEND_OS_TOKEN" + echo "BACKEND_OS_TOKEN=$BACKEND_OS_TOKEN" >> "$GITHUB_ENV" sed -i -e "s/backend_secret/$BACKEND_OS_TOKEN/" clouds.yaml mkdir -p ~/.config/openstack touch ~/.config/openstack/secure.yaml @@ -165,8 +165,8 @@ jobs: retry_wait_seconds: 40 command: > pushd deploy && - openstack --os-cloud backend --os-token "$BACKEND_TOKEN" object save fedcloud-catchall "${{ steps.terraform-vm-id.outputs.stdout }}" && - openstack --os-cloud backend --os-token "$BACKEND_TOKEN" object delete fedcloud-catchall "${{ steps.terraform-vm-id.outputs.stdout }}" + openstack --os-cloud backend --os-token "$BACKEND_OS_TOKEN" object save fedcloud-catchall "${{ steps.terraform-vm-id.outputs.stdout }}" && + openstack --os-cloud backend --os-token "$BACKEND_OS_TOKEN" object delete fedcloud-catchall "${{ steps.terraform-vm-id.outputs.stdout }}" - name: Look for errors if: github.ref == 'refs/heads/main' && github.event_name == 'push' run: | From e248ba3bef0d805cf17a8c2fcfb7cb2a1903e45b Mon Sep 17 00:00:00 2001 From: Enol Fernandez Date: Fri, 21 Jun 2024 13:05:04 +0100 Subject: [PATCH 37/46] Debug molecule --- .github/workflows/molecule.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/molecule.yml b/.github/workflows/molecule.yml index af622f43..0c9d407e 100644 --- a/.github/workflows/molecule.yml +++ b/.github/workflows/molecule.yml 
@@ -17,10 +17,10 @@ jobs:
 ls -ltra
 mkdir -p "${{ github.repository }}"
 pwd
- mv deploy/roles/catchall/* "${{ github.repository }}"
+ #mv deploy/roles/catchall/* "${{ github.repository }}"
 ls "${{ github.repository }}"
 echo "THIS"
- ls -l /home/runner/work/fedcloud-catchall-operations/fedcloud-catchall-operations/EGI-Federation
+ #ls -l /home/runner/work/fedcloud-catchall-operations/fedcloud-catchall-operations/EGI-Federation
 echo "THAT"
 ls -l /github/workspace/EGI-Federation/fedcloud-catchall-operations/molecule/default/roles || echo "NOP"
 ls -l /github/home/.cache/molecule/fedcloud-catchall-operations/default/roles || echo "NOP"
From e3d548002003b0efece2151222ea68c05b1e7244 Mon Sep 17 00:00:00 2001
From: Enol Fernandez
Date: Fri, 21 Jun 2024 13:25:49 +0100
Subject: [PATCH 38/46] Revert debugging
---
 .github/workflows/deploy.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index a3fc45c4..58c205e5 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -157,7 +157,7 @@ jobs:
 mkdir -p ~/.config/openstack
 touch ~/.config/openstack/secure.yaml
 - name: Get the status file from swift
- #if: github.ref == 'refs/heads/main' && github.event_name == 'push'
+ if: github.ref == 'refs/heads/main' && github.event_name == 'push'
 uses: nick-fields/retry@v3
 with:
 timeout_minutes: 10
From 116c82d7af5029ba1815b6090d29010b7751f393 Mon Sep 17 00:00:00 2001
From: Enol Fernandez
Date: Fri, 21 Jun 2024 13:37:06 +0100
Subject: [PATCH 39/46] Move to another molecule action
---
 .github/workflows/molecule.yml | 29 ++++++----------------------
 1 file changed, 6 insertions(+), 23 deletions(-)
diff --git a/.github/workflows/molecule.yml b/.github/workflows/molecule.yml
index 0c9d407e..a930e834 100644
--- a/.github/workflows/molecule.yml
+++ b/.github/workflows/molecule.yml
@@ -12,27 +12,10 @@ jobs: - name: Checkout code uses: actions/checkout@v4 - - name: Fake the ansible role is at the top dir - run: | - ls -ltra - mkdir -p "${{ github.repository }}" - pwd - #mv deploy/roles/catchall/* "${{ github.repository }}" - ls "${{ github.repository }}" - echo "THIS" - #ls -l /home/runner/work/fedcloud-catchall-operations/fedcloud-catchall-operations/EGI-Federation - echo "THAT" - ls -l /github/workspace/EGI-Federation/fedcloud-catchall-operations/molecule/default/roles || echo "NOP" - ls -l /github/home/.cache/molecule/fedcloud-catchall-operations/default/roles || echo "NOP" - ls -l /github/workspace/EGI-Federation || echo "NOP" - ls -l /github/home/.ansible/roles || echo "NOP" - ls -l /usr/share/ansible/roles || echo "NOP" - ls -l /etc/ansible/roles || echo "NOP" - ls -l /github/workspace/EGI-Federation || echo "NOP" - ls -l /github/workspace/EGI-Federation/fedcloud-catchall-operations/molecule/default || echo "NOP" - - - name: Test - uses: robertdebock/molecule-action@6.0.0 + - name: Test the role + uses: gofrolist/molecule-action@v2 with: - image: "ubuntu" - tag: "latest" + molecule_command: test + molecule_working_dir: "${{ github.repository }}/deploy" + env: + ANSIBLE_FORCE_COLOR: '1' From 8ec5b1c18ee48e6efd0a5d26e667f7edc92032da Mon Sep 17 00:00:00 2001 From: Enol Fernandez Date: Fri, 21 Jun 2024 13:41:02 +0100 Subject: [PATCH 40/46] Fix path --- .github/workflows/molecule.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/molecule.yml b/.github/workflows/molecule.yml index a930e834..f849f462 100644 --- a/.github/workflows/molecule.yml +++ b/.github/workflows/molecule.yml @@ -16,6 +16,6 @@ jobs: uses: gofrolist/molecule-action@v2 with: molecule_command: test - molecule_working_dir: "${{ github.repository }}/deploy" + molecule_working_dir: "deploy/roles" env: ANSIBLE_FORCE_COLOR: '1' From 0ce727ffc9350f604a645b9f0dcbda03595be16e Mon Sep 17 00:00:00 2001 
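Review bot: `gofrolist/molecule-action@v2` is a third-party action referenced by a mutable tag, so whoever controls that tag can change the code that runs with checkout access to this repository; pin it to a full commit SHA and keep the version in a trailing comment, e.g. `uses: gofrolist/molecule-action@<COMMIT_SHA>  # v2` (placeholder — take the SHA from the action's release), and consider the same for `actions/checkout@v4`. `molecule_working_dir: "${{ github.repository }}/deploy"` presumably resolves to an `EGI-Federation/…` path that a plain checkout does not create; PATCH 40/46 and 41/46 already correct the value.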
From: Enol Fernandez
Date: Fri, 21 Jun 2024 13:52:10 +0100
Subject: [PATCH 41/46] More debug
---
 .github/workflows/molecule.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/molecule.yml b/.github/workflows/molecule.yml
index f849f462..911a488a 100644
--- a/.github/workflows/molecule.yml
+++ b/.github/workflows/molecule.yml
@@ -16,6 +16,6 @@ jobs:
 uses: gofrolist/molecule-action@v2
 with:
 molecule_command: test
- molecule_working_dir: "deploy/roles"
+ molecule_working_dir: "deploy/roles/catchall"
 env:
 ANSIBLE_FORCE_COLOR: '1'
From a5ab8f6bafbf3c97f46292a9e345f6dc6d2dfe6d Mon Sep 17 00:00:00 2001
From: Enol Fernandez
Date: Fri, 21 Jun 2024 14:20:08 +0100
Subject: [PATCH 42/46] Remove example file
---
 deploy/roles/catchall/molecule/default/verify.yml | 10 ----------
 1 file changed, 10 deletions(-)
 delete mode 100644 deploy/roles/catchall/molecule/default/verify.yml
diff --git a/deploy/roles/catchall/molecule/default/verify.yml b/deploy/roles/catchall/molecule/default/verify.yml
deleted file mode 100644
index a5cfa75e..00000000
--- a/deploy/roles/catchall/molecule/default/verify.yml
+++ /dev/null
@@ -1,10 +0,0 @@
----
-# This is an example playbook to execute Ansible tests.
-
-- name: Verify
- hosts: all
- gather_facts: false
- tasks:
- - name: Example assertion
- ansible.builtin.assert:
- that: true
From 5c379c7c5e9fabb47cf5c7a77da80d0e28ec44c0 Mon Sep 17 00:00:00 2001
From: Enol Fernandez
Date: Fri, 21 Jun 2024 14:31:07 +0100
Subject: [PATCH 43/46] Tired of testing already :(
---
 .github/workflows/molecule.yml | 19 ++++++++++++-------
 1 file changed, 12 insertions(+), 7 deletions(-)
diff --git a/.github/workflows/molecule.yml b/.github/workflows/molecule.yml
index 911a488a..95147963 100644
--- a/.github/workflows/molecule.yml
+++ b/.github/workflows/molecule.yml
@@ -11,11 +11,16 @@ jobs: steps: - name: Checkout code uses: actions/checkout@v4 - - - name: Test the role - uses: gofrolist/molecule-action@v2 - with: - molecule_command: test - molecule_working_dir: "deploy/roles/catchall" + - name: Set up Python + uses: actions/setup-python@v2 + with: + python-version: '3.x' + - name: Install dependencies + run: | + pip install molecule molecule-plugins[docker] pytest pytest-testinfra + - name: Test Ansible Bootstrap + run: | + cd deploy/roles/catchall + molecule test env: - ANSIBLE_FORCE_COLOR: '1' + PY_COLORS: 1 From 4da7d6a1d4f29adecedc56c62278e37c2256396e Mon Sep 17 00:00:00 2001 From: Enol Fernandez Date: Fri, 21 Jun 2024 14:35:31 +0100 Subject: [PATCH 44/46] Fix file --- .github/workflows/molecule.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/molecule.yml b/.github/workflows/molecule.yml index 95147963..62869861 100644 --- a/.github/workflows/molecule.yml +++ b/.github/workflows/molecule.yml @@ -13,8 +13,8 @@ jobs: uses: actions/checkout@v4 - name: Set up Python uses: actions/setup-python@v2 - with: - python-version: '3.x' + with: + python-version: '3.x' - name: Install dependencies run: | pip install molecule molecule-plugins[docker] pytest pytest-testinfra From cd59c85429e1796a2d14fb62b5012dd766131928 Mon Sep 17 00:00:00 2001 From: Enol Fernandez Date: Fri, 21 Jun 2024 14:42:09 +0100 Subject: [PATCH 45/46] Update python --- .github/workflows/molecule.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/molecule.yml b/.github/workflows/molecule.yml index 62869861..45453d56 100644 --- a/.github/workflows/molecule.yml +++ b/.github/workflows/molecule.yml 
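Review bot: `pip install molecule molecule-plugins[docker] pytest pytest-testinfra` installs whatever PyPI serves on the day, so the test job is neither reproducible nor protected against a bad release; put pinned versions in a requirements file and install with `pip install -r molecule-requirements.txt` (constructed name), ideally hash-pinned. The context line `env:` kept its old indentation, so it presumably now attaches to the new `Test Ansible Bootstrap` run step — with the indentation flattened in this view that is worth checking — and the value should be quoted as `PY_COLORS: '1'` for consistency with the `ANSIBLE_FORCE_COLOR: '1'` it replaces. The step name `Test Ansible Bootstrap` does not describe the catchall role being tested; `Run molecule for the catchall role` would.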
@@ -12,9 +12,9 @@ jobs:
 - name: Checkout code
 uses: actions/checkout@v4
 - name: Set up Python
- uses: actions/setup-python@v2
+ uses: actions/setup-python@v5
 with:
- python-version: '3.x'
+ python-version: '>=3.9'
 - name: Install dependencies
 run: |
 pip install molecule molecule-plugins[docker] pytest pytest-testinfra
From a708ad80ddb08e4571ce3e5d9428f77a61438c07 Mon Sep 17 00:00:00 2001
From: Enol Fernandez
Date: Fri, 21 Jun 2024 14:53:14 +0100
Subject: [PATCH 46/46] Update image
---
 deploy/roles/catchall/molecule/default/molecule.yml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/deploy/roles/catchall/molecule/default/molecule.yml b/deploy/roles/catchall/molecule/default/molecule.yml
index 164381a4..fcdd0e07 100644
--- a/deploy/roles/catchall/molecule/default/molecule.yml
+++ b/deploy/roles/catchall/molecule/default/molecule.yml
@@ -5,8 +5,7 @@ driver:
 name: docker
 platforms:
 - name: instance
- image: pycontribs/ubuntu:latest
- pre_build_image: true
+ image: ubuntu:latest
 lint: ansible-lint --exclude .github/
 provisioner:
 name: ansible
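Review bot: `image: ubuntu:latest` moves the molecule platform to a floating tag, so the role is tested against whatever release the tag points to on the day and results differ between runs; pin to the release the deployment targets, e.g. `image: ubuntu:22.04` (the `python3.10-venv` package added to cloud-init in PATCH 27/46 suggests 22.04), or to a digest. Dropping `pre_build_image: true` presumably means molecule now builds its own image on top of this base for every run (inferred from the driver's usual behaviour, not shown here), which costs time but gives the container an ansible-capable Python; a one-line comment recording that trade-off would help the next maintainer. The platforms mapping begins above the hunk.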