From 6762041ac8d98d18d1ae33ef58224b8a17157b30 Mon Sep 17 00:00:00 2001
From: Bertrand Lanson
Date: Fri, 7 Jul 2023 15:58:16 +0200
Subject: [PATCH] added gitea actions, debian 12 support and some linting
---
.gitea/workflows/test.yml | 52 +++++++++
.gitlab-ci.yml | 82 --------------
LICENSE | 2 +-
README.md | 2 +-
meta/main.yml | 1 +
molecule/default/molecule.yml | 2 +-
molecule/default/verify.yml | 138 +++++++++++++++++++++++
molecule/with_custom_config/molecule.yml | 2 +-
molecule/with_custom_config/verify.yml | 138 +++++++++++++++++++++++
9 files changed, 333 insertions(+), 86 deletions(-)
create mode 100644 .gitea/workflows/test.yml
delete mode 100644 .gitlab-ci.yml
create mode 100644 molecule/default/verify.yml
create mode 100644 molecule/with_custom_config/verify.yml
diff --git a/.gitea/workflows/test.yml b/.gitea/workflows/test.yml
new file mode 100644
index 0000000..77b20fa
--- /dev/null
+++ b/.gitea/workflows/test.yml
@@ -0,0 +1,52 @@ +--- +name: test +on: [push] + +jobs: + lint: + name: Linting + runs-on: ubuntu-latest + container: + image: git.ednz.fr/container-factory/ansible-runner:act-latest + credentials: + username: ${{ secrets.ACTIONS_USER }} + password: ${{ secrets.ACTIONS_TOKEN }} + steps: + - name: Checkout + uses: actions/checkout@v3 + + - name: "Ansible lint" + run: ansible-lint --force-color + working-directory: ${{ gitea.workspace }} + + - name: "YAML lint" + run: yamllint . -f colored -c .yamllint + working-directory: ${{ gitea.workspace }} + + molecule-test: + name: Molecule tests + runs-on: ubuntu-latest + needs: lint + container: + image: git.ednz.fr/container-factory/ansible-runner:act-latest + credentials: + username: ${{ secrets.ACTIONS_USER }} + password: ${{ secrets.ACTIONS_TOKEN }} + strategy: + matrix: + test_os: [debian11, debian12, ubuntu2004, ubuntu2204] + scenario: [default, with_custom_config] + env: + ANSIBLE_HOST_KEY_CHECKING: 'false' + ANSIBLE_FORCE_COLOR: 'true' + ANSIBLE_PYTHON_INTERPRETER: /usr/bin/python3 + steps: + - name: Checkout + uses: actions/checkout@v3 + + - name: "Molecule test" + run: molecule test -s ${{ matrix.scenario }} + shell: bash + working-directory: ${{ gitea.workspace }} + env: + MOLECULE_TEST_OS: ${{ matrix.test_os }} diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml deleted file mode 100644 index 468a01d..0000000 --- a/.gitlab-ci.yml +++ /dev/null 
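Review bot: Every external input of the new workflow is fetched by a mutable reference — `uses: actions/checkout@v3` in both jobs and the `ansible-runner:act-latest` container pulled with `ACTIONS_USER`/`ACTIONS_TOKEN` — so whoever can re-tag either the action or the image in the private registry controls code that runs with those registry credentials in scope. Pin the action to a full commit SHA (`uses: actions/checkout@<40-char sha>  # v3`) and the image to a digest, or at least an immutable version tag (`image: git.ednz.fr/container-factory/ansible-runner@sha256:<digest>`). `ANSIBLE_HOST_KEY_CHECKING: 'false'` is defensible for throwaway molecule instances, but say so next to it, e.g. `# host-key checking is off only for ephemeral molecule containers — never reuse against real inventory`, so the line is not copied into a workflow that reaches real hosts.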
@@ -1,82 +0,0 @@ ---- -stages: - - verify - - test-default - - test-with-custom-config - -image: - name: registry.ednz.fr/forge/ansible-runner - -variables: - ANSIBLE_HOST_KEY_CHECKING: 'false' - ANSIBLE_FORCE_COLOR: 'true' - ANSIBLE_PYTHON_INTERPRETER: /usr/bin/python3 - DOCKER_AUTH_CONFIG: $CI_DOCKER_AUTH_CONFIG - -.stage-test-default: - stage: test-default - -.stage-test-with-custom-config: - stage: test-with-custom-config - -.variables-ubuntu-2004: - variables: - MOLECULE_TEST_OS: "ubuntu2004" - -.variables-ubuntu-2204: - variables: - MOLECULE_TEST_OS: "ubuntu2204" - -.variables-debian-11: - variables: - MOLECULE_TEST_OS: "debian11" - -.script-molecule-test-default: - script: - - molecule test - -.script-molecule-test-with-custom-config: - script: - - molecule test -s with_custom_config - -ansible-verify: - stage: verify - script: - - yamllint . -c .yamllint - - ansible-lint - -ansible-test-ubuntu-2004-default: - extends: - - .stage-test-default - - .variables-ubuntu-2004 - - .script-molecule-test-default - -ansible-test-ubuntu-2204-default: - extends: - - .stage-test-default - - .variables-ubuntu-2204 - - .script-molecule-test-default - -ansible-test-debian-11-default: - extends: - - .stage-test-default - - .variables-debian-11 - - .script-molecule-test-default - -ansible-test-ubuntu-2004-with-custom-config: - extends: - - .stage-test-with-custom-config - - .variables-ubuntu-2004 - - .script-molecule-test-with-custom-config - -ansible-test-ubuntu-2204-with-custom-config: - extends: - - .stage-test-with-custom-config - - .variables-ubuntu-2204 - - .script-molecule-test-with-custom-config - -ansible-test-debian-11-with-custom-config: - extends: - - .stage-test-with-custom-config - - .variables-debian-11 - - .script-molecule-test-with-custom-config diff --git a/LICENSE b/LICENSE index 9ef042d..c9a37e5 100644 --- a/LICENSE +++ b/LICENSE 
@@ -1,6 +1,6 @@ The MIT License (MIT) -Copyright (c) 2017 Jeff Geerling +Copyright (c) 2017 Bertrand Lanson Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in diff --git a/README.md b/README.md index 7a8aa10..d516441 100644 --- a/README.md +++ b/README.md @@ -1,4 +1,4 @@ -Renew vault certificates +renew_vault_certificates ========= > This repository is only a mirror. Development and testing is done on a private gitlab server. diff --git a/meta/main.yml b/meta/main.yml index ded7ab5..eb458bc 100644 --- a/meta/main.yml +++ b/meta/main.yml @@ -15,6 +15,7 @@ galaxy_info: - name: Debian versions: - bullseye + - bookworm galaxy_tags: - 'ubuntu' - 'debian' diff --git a/molecule/default/molecule.yml b/molecule/default/molecule.yml index 7a62eb2..49efc7f 100644 --- a/molecule/default/molecule.yml +++ b/molecule/default/molecule.yml @@ -20,7 +20,7 @@ provisioner: defaults: remote_tmp: /tmp/.ansible verifier: - name: testinfra + name: ansible scenario: name: default test_sequence: diff --git a/molecule/default/verify.yml b/molecule/default/verify.yml new file mode 100644 index 0000000..c084dce --- /dev/null +++ b/molecule/default/verify.yml 
@@ -0,0 +1,138 @@ +--- +- name: Verify + hosts: all + gather_facts: false + tasks: + - name: "Test: file /etc/hosts" + block: + - name: "Stat file /etc/hosts" + ansible.builtin.stat: + path: "/etc/hosts" + register: stat_etc_hosts + + - name: "Verify file /etc/hosts" + ansible.builtin.assert: + that: + - stat_etc_hosts.stat.exists + - stat_etc_hosts.stat.isreg + - stat_etc_hosts.stat.pw_name == 'root' + - stat_etc_hosts.stat.gr_name == 'root' + + - name: "Test: directory /etc/consul-template.d/vault" + block: + - name: "Stat directory /etc/consul-template.d/vault" + ansible.builtin.stat: + path: "/etc/consul-template.d/vault" + register: stat_etc_consul_template_d_vault + + - name: "Stat file /etc/consul-template.d/vault/vault_config.hcl" + ansible.builtin.stat: + path: "/etc/consul-template.d/vault/vault_config.hcl" + register: stat_etc_consul_template_d_vault_vault_config_hcl + + - name: "Slurp file /etc/consul-template.d/vault/vault_config.hcl" + ansible.builtin.slurp: + src: "/etc/consul-template.d/vault/vault_config.hcl" + register: slurp_etc_consul_template_d_vault_vault_config_hcl + + - name: "Verify directory /etc/consul-template.d/vault" + ansible.builtin.assert: + that: + - stat_etc_consul_template_d_vault.stat.exists + - stat_etc_consul_template_d_vault.stat.isdir + - stat_etc_consul_template_d_vault.stat.pw_name == 'vault' + - stat_etc_consul_template_d_vault.stat.gr_name == 'vault' + - stat_etc_consul_template_d_vault.stat.mode == '0755' + - stat_etc_consul_template_d_vault_vault_config_hcl.stat.exists + - stat_etc_consul_template_d_vault_vault_config_hcl.stat.isreg + - stat_etc_consul_template_d_vault_vault_config_hcl.stat.pw_name == 'vault' + - stat_etc_consul_template_d_vault_vault_config_hcl.stat.gr_name == 'vault' + - stat_etc_consul_template_d_vault_vault_config_hcl.stat.mode == '0600' + - slurp_etc_consul_template_d_vault_vault_config_hcl.content != '' + + - name: "Test: directory /etc/consul-template.d/vault/templates" + block: + - name: "Stat 
directory /etc/consul-template.d/vault/templates" + ansible.builtin.stat: + path: "/etc/consul-template.d/vault/templates" + register: stat_etc_consul_template_d_vault_templates + + - name: "Find in directory /etc/consul-template.d/vault/templates" + ansible.builtin.find: + paths: "/etc/consul-template.d/vault/templates" + file_type: file + register: find_etc_consul_template_d_vault_templates + + - name: "Stat in directory /etc/consul-template.d/vault/templates" + ansible.builtin.stat: + path: "{{ item.path }}" + loop: "{{ find_etc_consul_template_d_vault_templates.files }}" + register: stat_etc_consul_template_d_vault_templates + + - name: "Slurp in directory /etc/consul-template.d/vault/templates" + ansible.builtin.slurp: + src: "{{ item.path }}" + loop: "{{ find_etc_consul_template_d_vault_templates.files }}" + register: slurp_etc_consul_template_d_vault_templates + + - name: "Verify file /etc/consul-template.d/vault/templates/vault_cert.pem.tpl" + vars: + vault_cert_file: | + {% raw %}{{ with secret "pki/issue/your-issuer" "common_name=vault01.example.com" "ttl=90d" "alt_names=localhost" "ip_sans=127.0.0.1,192.168.1.1" }} + {{ .Data.certificate }} + {{ .Data.issuing_ca }} + {{ end }}{% endraw %} + ansible.builtin.assert: + that: + - item.item.isreg + - item.item.pw_name == 'vault' + - item.item.gr_name == 'vault' + - item.item.mode == '0600' + - "(item.content|b64decode) == vault_cert_file" + loop: "{{ slurp_etc_consul_template_d_vault_templates.results }}" + when: (item.item.path | basename) == 'vault_cert.pem.tpl' + + - name: "Verify file /etc/consul-template.d/vault/templates/vault_key.pem.tpl" + vars: + vault_key_file: | + {% raw %}{{ with secret "pki/issue/your-issuer" "common_name=vault01.example.com" "ttl=90d" "alt_names=localhost" "ip_sans=127.0.0.1,192.168.1.1" }} + {{ .Data.private_key }} + {{ end }}{% endraw %} + ansible.builtin.assert: + that: + - item.item.isreg + - item.item.pw_name == 'vault' + - item.item.gr_name == 'vault' + - item.item.mode == 
'0600' + - "(item.content|b64decode) == vault_key_file" + loop: "{{ slurp_etc_consul_template_d_vault_templates.results }}" + when: (item.item.path | basename) == 'vault_key.pem.tpl' + + - name: "Test: service vault-certs" + block: + - name: "Get service vault-certs" + ansible.builtin.service_facts: + + - name: "Stat file /etc/systemd/system/vault-certs.service" + ansible.builtin.stat: + path: "/etc/systemd/system/vault-certs.service" + register: stat_etc_systemd_system_vault_certs_service + + - name: "Slurp file /etc/systemd/system/vault.service" + ansible.builtin.slurp: + src: "/etc/systemd/system/vault-certs.service" + register: slurp_etc_systemd_system_vault_certs_service + + - name: "Verify service vault" + ansible.builtin.assert: + that: + - stat_etc_systemd_system_vault_certs_service.stat.exists + - stat_etc_systemd_system_vault_certs_service.stat.isreg + - stat_etc_systemd_system_vault_certs_service.stat.pw_name == 'root' + - stat_etc_systemd_system_vault_certs_service.stat.gr_name == 'root' + - stat_etc_systemd_system_vault_certs_service.stat.mode == '0644' + - slurp_etc_systemd_system_vault_certs_service.content != '' + - ansible_facts.services['vault-certs.service'] is defined + - ansible_facts.services['vault-certs.service']['source'] == 'systemd' + - ansible_facts.services['vault-certs.service']['state'] == 'stopped' + - ansible_facts.services['vault-certs.service']['status'] == 'enabled' diff --git a/molecule/with_custom_config/molecule.yml b/molecule/with_custom_config/molecule.yml index 6132acb..4df62e9 100644 --- a/molecule/with_custom_config/molecule.yml +++ b/molecule/with_custom_config/molecule.yml @@ -20,7 +20,7 @@ provisioner: defaults: remote_tmp: /tmp/.ansible verifier: - name: testinfra + name: ansible scenario: name: with_custom_config test_sequence: diff --git a/molecule/with_custom_config/verify.yml b/molecule/with_custom_config/verify.yml new file mode 100644 index 0000000..43586ca --- /dev/null 
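Review bot: The two per-file asserts under `Test: directory /etc/consul-template.d/vault/templates` only run for loop items whose basename matches, so if `vault_cert.pem.tpl` or `vault_key.pem.tpl` is missing or misnamed, `find` yields no matching item, every iteration is skipped via `when`, and the scenario passes green without ever checking the 0600 mode on the private-key template; an explicit presence check before those asserts closes that gap. The `Stat in directory` loop is dead weight: its result is never asserted (and it is registered under the same name as the directory stat above it, overwriting that result), while the asserts already read `isreg`/`pw_name`/`gr_name`/`mode` from the `find` items. Two task names are copy-paste leftovers — `Slurp file /etc/systemd/system/vault.service` reads `vault-certs.service` and `Verify service vault` checks `vault-certs` — which will mislead anyone reading a failed run; rename them to `Slurp file /etc/systemd/system/vault-certs.service` and `Verify service vault-certs`.

```yaml
      - name: "Verify expected templates are present"
        vars:
          template_names: "{{ find_etc_consul_template_d_vault_templates.files | map(attribute='path') | map('basename') | list }}"
        ansible.builtin.assert:
          that:
            - "'vault_cert.pem.tpl' in template_names"
            - "'vault_key.pem.tpl' in template_names"
      # … unchanged: per-file asserts for vault_cert.pem.tpl / vault_key.pem.tpl …
```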
+++ b/molecule/with_custom_config/verify.yml 
@@ -0,0 +1,138 @@ +--- +- name: Verify + hosts: all + gather_facts: false + tasks: + - name: "Test: file /etc/hosts" + block: + - name: "Stat file /etc/hosts" + ansible.builtin.stat: + path: "/etc/hosts" + register: stat_etc_hosts + + - name: "Verify file /etc/hosts" + ansible.builtin.assert: + that: + - stat_etc_hosts.stat.exists + - stat_etc_hosts.stat.isreg + - stat_etc_hosts.stat.pw_name == 'root' + - stat_etc_hosts.stat.gr_name == 'root' + + - name: "Test: directory /etc/consul-template.d/vault" + block: + - name: "Stat directory /etc/consul-template.d/vault" + ansible.builtin.stat: + path: "/etc/consul-template.d/vault" + register: stat_etc_consul_template_d_vault + + - name: "Stat file /etc/consul-template.d/vault/vault_config.hcl" + ansible.builtin.stat: + path: "/etc/consul-template.d/vault/vault_config.hcl" + register: stat_etc_consul_template_d_vault_vault_config_hcl + + - name: "Slurp file /etc/consul-template.d/vault/vault_config.hcl" + ansible.builtin.slurp: + src: "/etc/consul-template.d/vault/vault_config.hcl" + register: slurp_etc_consul_template_d_vault_vault_config_hcl + + - name: "Verify directory /etc/consul-template.d/vault" + ansible.builtin.assert: + that: + - stat_etc_consul_template_d_vault.stat.exists + - stat_etc_consul_template_d_vault.stat.isdir + - stat_etc_consul_template_d_vault.stat.pw_name == 'vault' + - stat_etc_consul_template_d_vault.stat.gr_name == 'vault' + - stat_etc_consul_template_d_vault.stat.mode == '0755' + - stat_etc_consul_template_d_vault_vault_config_hcl.stat.exists + - stat_etc_consul_template_d_vault_vault_config_hcl.stat.isreg + - stat_etc_consul_template_d_vault_vault_config_hcl.stat.pw_name == 'vault' + - stat_etc_consul_template_d_vault_vault_config_hcl.stat.gr_name == 'vault' + - stat_etc_consul_template_d_vault_vault_config_hcl.stat.mode == '0600' + - slurp_etc_consul_template_d_vault_vault_config_hcl.content != '' + + - name: "Test: directory /etc/consul-template.d/vault/templates" + block: + - name: "Stat 
directory /etc/consul-template.d/vault/templates" + ansible.builtin.stat: + path: "/etc/consul-template.d/vault/templates" + register: stat_etc_consul_template_d_vault_templates + + - name: "Find in directory /etc/consul-template.d/vault/templates" + ansible.builtin.find: + paths: "/etc/consul-template.d/vault/templates" + file_type: file + register: find_etc_consul_template_d_vault_templates + + - name: "Stat in directory /etc/consul-template.d/vault/templates" + ansible.builtin.stat: + path: "{{ item.path }}" + loop: "{{ find_etc_consul_template_d_vault_templates.files }}" + register: stat_etc_consul_template_d_vault_templates + + - name: "Slurp in directory /etc/consul-template.d/vault/templates" + ansible.builtin.slurp: + src: "{{ item.path }}" + loop: "{{ find_etc_consul_template_d_vault_templates.files }}" + register: slurp_etc_consul_template_d_vault_templates + + - name: "Verify file /etc/consul-template.d/vault/templates/vault_cert.pem.tpl" + vars: + vault_cert_file: | + {% raw %}{{ with secret "pki/issue/vault-issuer" "common_name=vault01.example.com" "ttl=90d" "alt_names=localhost,vault.service.consul,active.vault.service.consul,standby.vault.service.consul" "ip_sans=127.0.0.1,192.168.1.1" }} + {{ .Data.certificate }} + {{ .Data.issuing_ca }} + {{ end }}{% endraw %} + ansible.builtin.assert: + that: + - item.item.isreg + - item.item.pw_name == 'vault' + - item.item.gr_name == 'vault' + - item.item.mode == '0600' + - "(item.content|b64decode) == vault_cert_file" + loop: "{{ slurp_etc_consul_template_d_vault_templates.results }}" + when: (item.item.path | basename) == 'vault_cert.pem.tpl' + + - name: "Verify file /etc/consul-template.d/vault/templates/vault_key.pem.tpl" + vars: + vault_key_file: | + {% raw %}{{ with secret "pki/issue/vault-issuer" "common_name=vault01.example.com" "ttl=90d" "alt_names=localhost,vault.service.consul,active.vault.service.consul,standby.vault.service.consul" "ip_sans=127.0.0.1,192.168.1.1" }} + {{ .Data.private_key }} + {{ 
end }}{% endraw %} + ansible.builtin.assert: + that: + - item.item.isreg + - item.item.pw_name == 'vault' + - item.item.gr_name == 'vault' + - item.item.mode == '0600' + - "(item.content|b64decode) == vault_key_file" + loop: "{{ slurp_etc_consul_template_d_vault_templates.results }}" + when: (item.item.path | basename) == 'vault_key.pem.tpl' + + - name: "Test: service vault-certs" + block: + - name: "Get service vault-certs" + ansible.builtin.service_facts: + + - name: "Stat file /etc/systemd/system/vault-certs.service" + ansible.builtin.stat: + path: "/etc/systemd/system/vault-certs.service" + register: stat_etc_systemd_system_vault_certs_service + + - name: "Slurp file /etc/systemd/system/vault.service" + ansible.builtin.slurp: + src: "/etc/systemd/system/vault-certs.service" + register: slurp_etc_systemd_system_vault_certs_service + + - name: "Verify service vault" + ansible.builtin.assert: + that: + - stat_etc_systemd_system_vault_certs_service.stat.exists + - stat_etc_systemd_system_vault_certs_service.stat.isreg + - stat_etc_systemd_system_vault_certs_service.stat.pw_name == 'root' + - stat_etc_systemd_system_vault_certs_service.stat.gr_name == 'root' + - stat_etc_systemd_system_vault_certs_service.stat.mode == '0644' + - slurp_etc_systemd_system_vault_certs_service.content != '' + - ansible_facts.services['vault-certs.service'] is defined + - ansible_facts.services['vault-certs.service']['source'] == 'systemd' + - ansible_facts.services['vault-certs.service']['state'] == 'stopped' + - ansible_facts.services['vault-certs.service']['status'] == 'enabled'
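Review bot: `Stat directory /etc/consul-template.d/vault/templates` and `Stat in directory /etc/consul-template.d/vault/templates` both `register: stat_etc_consul_template_d_vault_templates`, so the loop result overwrites the directory result and neither is ever asserted — the templates directory, which holds the private-key template, is the only path in this play whose existence and ownership go unchecked, unlike its parent `/etc/consul-template.d/vault`. The loop stat can simply be dropped, since the later asserts take `isreg`/`pw_name`/`gr_name`/`mode` from the `find` items, and the directory can then be asserted like its parent; I have mirrored the parent's `vault:vault` ownership below on the assumption the role applies the same, and left the mode to whoever knows what the role sets. Note also that the two `when`-guarded asserts pass vacuously if either template file is absent, because an empty `find` result produces no loop iterations.

```yaml
      - name: "Verify directory /etc/consul-template.d/vault/templates"
        ansible.builtin.assert:
          that:
            - stat_etc_consul_template_d_vault_templates.stat.exists
            - stat_etc_consul_template_d_vault_templates.stat.isdir
            - stat_etc_consul_template_d_vault_templates.stat.pw_name == 'vault'
            - stat_etc_consul_template_d_vault_templates.stat.gr_name == 'vault'
            # NOTE(review): add the mode the role applies once confirmed
      # … unchanged: find, slurp and per-file asserts for the .tpl files (stat loop removed) …
```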