From c703dd60562a502353d756ec0f93035470d3ade2 Mon Sep 17 00:00:00 2001
From: Felix Fontein
Date: Sun, 21 May 2023 12:43:14 +0200
Subject: [PATCH] Rewrite EE test workflows to use ansible-builder 3.0.0; fix EE dependencies (#606)
* Adjust EE tests to ansible-builder 3.0.0.
* Remove other CI workflows.
* Use docker instead of podman...
* Support Rocky Linux 9+.
* Add CentOS Stream 9 to EE tests.
* Fix installation of PyOpenSSL on CentOS/RHEL/Rocky.
* ansible-builder only attempts to install EPEL deps on CentOS.
* Make EPEL also available on Rocky Linux 9, even though ansible-builder will ignore it.
* Make sure cryptography is already installed.
* Try ansible-runner < 2.0.0 for CentOS Stream 8 / RHEL 8.
* Show more info.
* Start restricting transitive dependencies...
* Looks like PyOpenSSL is **broken** on CentOS Stream 9 + EPEL.
* ansible-builder will NOT work with Python 3.6. use Python 3.9 on RHEL8 / CentOS Stream 8. Manually install cryptography and PyOpenSSL for Python 3.9 as well.
* PyOpenSSL isn't available for Python 3.8 or 3.9.
* Revert "Remove other CI workflows." This reverts commit 3a9d125f45900020940c9c207966bd85aef0721d.
* Use podman instead of docker.
* Re-order bindep entries.
* python3-pyOpenSSL does not exist on RHEL/CentOS 6 and 7.
---
.github/workflows/ee.yml | 102 ++++++++++++++++---
changelogs/fragments/606-ee-rocky.yml | 3 +
meta/ee-bindep.txt | 12 ++-
tests/ee/all.yml | 9 ++
tests/ee/roles/openssl_pkcs12/tasks/main.yml | 1 +
5 files changed, 108 insertions(+), 19 deletions(-)
create mode 100644 changelogs/fragments/606-ee-rocky.yml
diff --git a/.github/workflows/ee.yml b/.github/workflows/ee.yml
index 4c275bfc9..edd4d047b 100644
--- a/.github/workflows/ee.yml
+++ b/.github/workflows/ee.yml
@@ -22,14 +22,68 @@ env: jobs: build: - name: Build and test EE (Ⓐ${{ matrix.runner_tag }}) + name: Build and test EE (${{ matrix.name }}) strategy: + fail-fast: false matrix: - runner_tag: - - devel - - stable-2.12-latest - - stable-2.11-latest - - stable-2.9-latest + name: + - '' + ansible_core: + - '' + ansible_runner: + - '' + base_image: + - '' + pre_base: + - '' + extra_vars: + - '' + other_deps: + - '' + exclude: + - ansible_core: '' + include: + - name: ansible-core devel @ RHEL UBI 9 + ansible_core: https://github.com/ansible/ansible/archive/devel.tar.gz + ansible_runner: ansible-runner + base_image: docker.io/redhat/ubi9:latest + pre_base: '"#"' + # For some reason ansible-builder will not install EPEL dependencies on RHEL + extra_vars: -e has_no_pyopenssl=true + - name: ansible-core 2.15 @ Rocky Linux 9 + ansible_core: https://github.com/ansible/ansible/archive/stable-2.15.tar.gz + ansible_runner: ansible-runner + base_image: quay.io/rockylinux/rockylinux:9 + pre_base: RUN dnf install -y epel-release + # For some reason ansible-builder will not install EPEL dependencies on Rocky Linux + extra_vars: -e has_no_pyopenssl=true + - name: ansible-core 2.14 @ CentOS Stream 9 + ansible_core: https://github.com/ansible/ansible/archive/stable-2.14.tar.gz + ansible_runner: ansible-runner + base_image: quay.io/centos/centos:stream9 + pre_base: RUN dnf install -y epel-release epel-next-release + # For some reason, PyOpenSSL is **broken** on CentOS Stream 9 / EPEL + extra_vars: -e has_no_pyopenssl=true + - name: ansible-core 2.13 @ RHEL UBI 8 + ansible_core: https://github.com/ansible/ansible/archive/stable-2.13.tar.gz + ansible_runner: ansible-runner + other_deps: |2 + python_interpreter: + package_system: python39 python39-pip python39-wheel python39-cryptography + base_image: docker.io/redhat/ubi8:latest + pre_base: '"#"' + # We don't have PyOpenSSL for Python 3.9 + extra_vars: -e has_no_pyopenssl=true + - name: ansible-core 2.12 @ CentOS Stream 8 + ansible_core: 
https://github.com/ansible/ansible/archive/stable-2.12.tar.gz + ansible_runner: ansible-runner + other_deps: |2 + python_interpreter: + package_system: python39 python39-pip python39-wheel python39-cryptography + base_image: quay.io/centos/centos:stream8 + pre_base: '"#"' + # We don't have PyOpenSSL for Python 3.9 + extra_vars: -e has_no_pyopenssl=true runs-on: ubuntu-latest steps: - name: Check out code @@ -40,7 +94,7 @@ jobs: - name: Set up Python uses: actions/setup-python@v4 with: - python-version: '3.10' + python-version: '3.11' - name: Install ansible-builder and ansible-navigator run: pip install ansible-builder ansible-navigator @@ -74,11 +128,26 @@ jobs: # EE config cat > execution-environment.yml < requirements.yml < ansible-navigator run --mode stdout + --container-engine podman --pull-policy never --set-environment-variable ANSIBLE_PRIVATE_ROLE_VARS=true --execution-environment-image test-ee:latest -v all.yml + ${{ matrix.extra_vars }} working-directory: ansible_collections/${{ env.NAMESPACE }}/${{ env.COLLECTION_NAME }}/tests/ee diff --git a/changelogs/fragments/606-ee-rocky.yml b/changelogs/fragments/606-ee-rocky.yml new file mode 100644 index 000000000..135159a10 --- /dev/null +++ b/changelogs/fragments/606-ee-rocky.yml @@ -0,0 +1,3 @@ +bugfixes: + - "execution environment definition - fix source of ``python3-pyOpenSSL`` package for Rocky Linux 9+ (https://github.com/ansible-collections/community.crypto/pull/606)." + - "execution environment definition - fix installation of ``python3-pyOpenSSL`` package on CentOS and RHEL (https://github.com/ansible-collections/community.crypto/pull/606)." diff --git a/meta/ee-bindep.txt b/meta/ee-bindep.txt index 17da84da0..b448d5403 100644 --- a/meta/ee-bindep.txt +++ b/meta/ee-bindep.txt 
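Review bot: Every build input in the `include` entries is a moving reference: `docker.io/redhat/ubi9:latest` and `docker.io/redhat/ubi8:latest`, tag-only quay.io images, and the `devel` and `stable-2.15` to `stable-2.12` branch archives for ansible-core, while `pip install ansible-builder ansible-navigator` (a context line of the next hunk) is unversioned although the subject targets ansible-builder 3.0.0. Tracking branches is presumably the intent for a compatibility matrix, but the job then runs whatever those names resolve to on the day, and a red build cannot be attributed to a change in the collection. I would at least bound the tool install, `run: pip install 'ansible-builder>=3.0.0,<4' ansible-navigator`, and state the intent above `include:` with `# Images and ansible-core archives are deliberately unpinned to catch upstream changes early`. The `''` placeholder lists together with `exclude: - ansible_core: ''` also deserve a one-line comment; they appear to exist only to declare the matrix keys.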
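Review bot: `${{ matrix.extra_vars }}` is substituted into the `ansible-navigator run` command before the shell parses it, so the matrix string is interpreted as shell syntax rather than as plain arguments. The values are constants defined in this workflow, so this is a hardening point and not a live bug; routing the value through the step environment, `env:` with `EXTRA_VARS: ${{ matrix.extra_vars }}` and `$EXTRA_VARS` in the command, limits the expansion to word splitting. The heredoc bodies of this hunk are not visible in this view, so I cannot tell whether `matrix.pre_base` and `matrix.other_deps` are expanded the same way there.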
@@ -11,7 +11,11 @@ openssl [platform:rpm] python3-cryptography [platform:dpkg] python3-cryptography [platform:rpm] python3-openssl [platform:dpkg] -# On RHEL 9+ and CentOS Stream 9+, python3-pyOpenSSL is part of EPEL -python3-pyOpenSSL [platform:rpm !platform:rhel !platform:centos] -python3-pyOpenSSL [platform:rhel-6 platform:centos-6 platform:rhel-7 platform:centos-7 platform:rhel-8 platform:centos-8] -python3-pyOpenSSL [platform:rhel platform:centos !platform:rhel-6 !platform:centos-6 !platform:rhel-7 !platform:centos-7 !platform:rhel-8 !platform:centos-8 epel] +# On RHEL 9+, CentOS Stream 9+, and Rocky Linux 9+, python3-pyOpenSSL is part of EPEL +python3-pyOpenSSL [platform:rpm !platform:rhel !platform:centos !platform:rocky] +python3-pyOpenSSL [platform:rhel-8] +python3-pyOpenSSL [platform:rhel !platform:rhel-6 !platform:rhel-7 !platform:rhel-8 epel] +python3-pyOpenSSL [platform:centos-8] +python3-pyOpenSSL [platform:centos !platform:centos-6 !platform:centos-7 !platform:centos-8 epel] +python3-pyOpenSSL [platform:rocky-8] +python3-pyOpenSSL [platform:rocky !platform:rocky-8 epel] diff --git a/tests/ee/all.yml b/tests/ee/all.yml index 1cf316542..28aa0f5e7 100644 --- a/tests/ee/all.yml +++ b/tests/ee/all.yml @@ -5,10 +5,19 @@ - hosts: localhost tasks: + - name: Show Python info + debug: + var: ansible_python + - name: Register cryptography version command: "{{ ansible_python.executable }} -c 'import cryptography; print(cryptography.__version__)'" register: cryptography_version + - name: Register pyOpenSSL version + command: "{{ ansible_python.executable }} -c 'import OpenSSL; print(OpenSSL.__version__)'" + ignore_errors: true + register: pyopenssl_version + - name: Determine output directory set_fact: output_path: "{{ 'output-%0x' % ((2**32) | random) }}" diff --git a/tests/ee/roles/openssl_pkcs12/tasks/main.yml b/tests/ee/roles/openssl_pkcs12/tasks/main.yml index ebd53619d..2fd8edac0 100644 --- a/tests/ee/roles/openssl_pkcs12/tasks/main.yml 
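Review bot: The generic entry `python3-pyOpenSSL [platform:rpm !platform:rhel !platform:centos !platform:rocky]` still applies to every other RPM platform, so a RHEL 9 rebuild that bindep reports under its own name (AlmaLinux, for example; worth confirming) would run into the same missing-package problem this commit fixes for Rocky Linux. The header comment also explains only the 9+/EPEL case, while the new entries silently stop matching releases 6 and 7. A second comment line such as `# python3-pyOpenSSL does not exist on RHEL/CentOS 6 and 7, so no entry matches there` would record that this is intentional.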
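Review bot: `Register pyOpenSSL version` sets `ignore_errors: true` and `pyopenssl_version` is not read anywhere in this hunk (the play continues outside it), so a missing pyOpenSSL only shows up as log output. Since every matrix entry in .github/workflows/ee.yml also passes `has_no_pyopenssl=true`, no EE job currently fails when the package named in the changelog fragment is absent from the image. A check such as `- assert: {that: "(pyopenssl_version is failed) == (has_no_pyopenssl | default(false) | bool)"}` would at least flag a stale skip flag; the CentOS Stream 9 entry, where the package is described as broken rather than missing, may need an exception.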
+++ b/tests/ee/roles/openssl_pkcs12/tasks/main.yml @@ -43,3 +43,4 @@ certificate_path: "{{ output_path }}/pkcs12-cert.pem" state: present select_crypto_backend: pyopenssl + when: not (has_no_pyopenssl | default(false))
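Review bot: `has_no_pyopenssl` is supplied on the command line as `-e has_no_pyopenssl=true`, and Ansible treats `key=value` extra vars as strings, so `not (has_no_pyopenssl | default(false))` should evaluate to false for any non-empty value, including `has_no_pyopenssl=false`. Cast it explicitly: `when: not (has_no_pyopenssl | default(false) | bool)`. The task this condition belongs to starts above the hunk.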