
Add molecule tests for enterprise edition (#361)
sschmittsva authored Dec 12, 2024
1 parent aa950f8 commit 381881a
Showing 10 changed files with 225 additions and 147 deletions.
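--- a/README.md
+++ b/README.md
@@ -75,6 +75,10 @@ to load any new configuration deployed.
 
 ## [Role Variables](role_variables.md)
 
+## Misc
+
+### [Vault Release Scheme](vault_releases.md)
+
 ## License
 
 BSD-2-Clause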
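--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -6,9 +6,12 @@
 # ---------------------------------------------------------------------------
 
 # Package variables
-vault_version_suffix: "{{ '.hsm' if vault_enterprise_hsm else '' }}"
-vault_version: "{{ lookup('env', 'VAULT_VERSION') | default('1.18.2', true) }}{{ vault_version_suffix }}"
-vault_version_repo_suffix: "{{ '+ent' if vault_enterprise }}-1"
+vault_version: "{{ lookup('env', 'VAULT_VERSION') | default('1.18.2', true) }}"
+
+vault_version_release_site_suffix: "{{ '+ent' if vault_enterprise }}{{ '.hsm' if vault_enterprise_hsm }}"
+vault_version_repo_suffix: "{{ '+ent' if vault_enterprise }}"
+vault_version_debian_repo_suffix: "-1"
+
 vault_architecture_map:
   # this first entry seems... redundant (but it's required for reasons)
   amd64: amd64
@@ -17,10 +20,13 @@ vault_architecture_map:
   aarch64: arm64
 vault_architecture: "{{ vault_architecture_map[ansible_architecture] }}"
 vault_os: "{{ ansible_system | lower }}"
-vault_pkg: "vault_{{ vault_version }}_{{ vault_os }}_{{ vault_architecture }}.zip"
-vault_shasums: "vault_{{ vault_version }}_SHA256SUMS"
-vault_zip_url: "https://releases.hashicorp.com/vault/{{ vault_version }}/vault_{{ vault_version }}_{{ vault_os }}_{{ vault_architecture }}.zip"
-vault_checksum_file_url: "https://releases.hashicorp.com/vault/{{ vault_version }}/vault_{{ vault_version }}_SHA256SUMS"
+
+vault_pkg_stub: "vault_{{ vault_version }}{{ vault_version_release_site_suffix }}"
+vault_pkg: "{{ vault_pkg_stub }}_{{ vault_os }}_{{ vault_architecture }}.zip"
+vault_shasums: "{{ vault_pkg_stub }}_SHA256SUMS"
+vault_url_stub: "https://releases.hashicorp.com/vault/{{ vault_version }}{{ vault_version_release_site_suffix }}"
+vault_zip_url: "{{ vault_url_stub }}/{{ vault_pkg }}"
+vault_checksum_file_url: "{{ vault_url_stub }}/{{ vault_shasums }}"
 vault_repository_url: "{{ _vault_repository_url | default() }}"
 vault_repository_key_url: "{{ _vault_repository_key_url | default() }}"
 vault_rhsm_subscription_name:
@@ -385,8 +391,6 @@ vault_entropy_seal: false
 # ---------------------------------------------------------------------------
 
 vault_enterprise: "{{ lookup('env', 'VAULT_ENTERPRISE') | default(false, true) }}"
-vault_enterprise_pkg: "vault-enterprise_{{ vault_version }}_{{ vault_os }}_{{ vault_architecture }}.zip"
-vault_enterprise_shasums: "vault-enterprise_{{ vault_version }}_SHA256SUMS"
 
 # Manage enterprise license file with this role
 vault_configure_enterprise_license: false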
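Review bot: `vault_version_release_site_suffix` and `vault_version_repo_suffix` (new lines in the first hunk) test `vault_enterprise` bare, whereas the lines this commit removes in tasks/install_hashi_repo.yml applied `| bool` first. `vault_enterprise` is whatever `lookup('env', 'VAULT_ENTERPRISE')` returns, so a user exporting `VAULT_ENTERPRISE=false` gets the non-empty string `"false"`, which a Jinja inline-if appears to treat as true and would append `+ent` to a community download; the same bare test is in the rewritten `_vault_repo_pkg` lines of tasks/install_hashi_repo.yml and in `installation_required` in tasks/main.yml. Unless Ansible's templating is known to coerce that string to a boolean before the expression sees it, keep the cast: `vault_version_release_site_suffix: "{{ '+ent' if vault_enterprise | bool }}{{ '.hsm' if vault_enterprise_hsm | bool }}"` and `vault_version_repo_suffix: "{{ '+ent' if vault_enterprise | bool }}"`.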
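--- a/molecule/centos-stream-9-enterprise/molecule.yml
+++ b/molecule/centos-stream-9-enterprise/molecule.yml
@@ -0,0 +1,32 @@
+---
+platforms:
+  - name: centos-stream-9
+    groups:
+      - vault_raft_servers
+    image: dokken/centos-stream-9
+    pre_build_image: true
+    command: /lib/systemd/systemd
+    privileged: true
+    cgroup_parent: docker.slice
+  - name: centos-stream-9_repo
+    groups:
+      - vault_raft_servers
+    image: dokken/centos-stream-9
+    pre_build_image: true
+    command: /lib/systemd/systemd
+    privileged: true
+    cgroup_parent: docker.slice
+
+provisioner:
+  inventory:
+    host_vars:
+      centos-stream-9:
+        vault_disable_api_health_check: true
+        vault_enterprise: true
+        vault_install_hashi_repo: false
+      centos-stream-9_repo:
+        vault_disable_api_health_check: true
+        vault_enterprise: true
+        vault_install_hashi_repo: true
+        vault_bin_path: /usr/bin
+        vault_group: vault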
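--- a/molecule/debian-11-enterprise/molecule.yml
+++ b/molecule/debian-11-enterprise/molecule.yml
@@ -0,0 +1,33 @@
+---
+platforms:
+  - name: debian-11
+    groups:
+      - vault_raft_servers
+    image: dokken/debian-11
+    pre_build_image: true
+    command: /lib/systemd/systemd
+    privileged: true
+    cgroup_parent: docker.slice
+  - name: debian-11_repo
+    groups:
+      - vault_raft_servers
+    image: dokken/debian-11
+    pre_build_image: true
+    command: /lib/systemd/systemd
+    privileged: true
+    cgroup_parent: docker.slice
+
+provisioner:
+  inventory:
+    host_vars:
+      debian-11:
+        vault_disable_api_health_check: true
+        vault_enterprise: true
+        vault_install_hashi_repo: false
+      debian-11_repo:
+        vault_disable_api_health_check: true
+        vault_enterprise: true
+        vault_install_hashi_repo: true
+        vault_bin_path: /usr/bin
+        vault_group: vault
+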
91 changes: 50 additions & 41 deletions molecule/verify.yml
Expand Up @@ -10,46 +10,55 @@
goss_url: "https://github.com/aelsabbahy/goss/releases/download/{{ goss_version }}/goss-linux-{{ goss_arch }}"
goss_test_directory: /tmp
goss_format: tap
enterprise: "{{ 'enterprise' in lookup('env', 'MOLECULE_SCENARIO_DIRECTORY') }}"
tasks:
- name: Download and install Goss
get_url:
url: "{{ goss_url }}"
dest: "{{ goss_dst }}"
checksum: "sha256:{{ goss_sha256sum }}"
mode: 0755
register: download_goss
until: download_goss is succeeded
retries: 3
- name: Check if enterprise
ansible.builtin.debug:
msg: "Verification is skipped because vault enterprise does not start without license"
when: enterprise
- name: Verify tasks
when: not enterprise
block:
- name: Download and install Goss
get_url:
url: "{{ goss_url }}"
dest: "{{ goss_dst }}"
checksum: "sha256:{{ goss_sha256sum }}"
mode: 0755
register: download_goss
until: download_goss is succeeded
retries: 3

- name: Copy Goss tests to remote
template:
src: "{{ item }}"
dest: "{{ goss_test_directory }}/{{ item | basename | splitext | first }}"
mode: 0644
with_fileglob:
- "{{ lookup('env', 'MOLECULE_PROJECT_DIRECTORY') }}/molecule/_tests/test_*.j2"

- name: Register test files
shell: "ls {{ goss_test_directory }}/test_*.yml"
changed_when: false
register: test_files

- name: Execute Goss tests
environment:
# yamllint disable-line rule:line-length
PATH: '/opt/rh/rh-git218/root/usr/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin'
command: "{{ goss_dst }} -g {{ item }} validate -f {{ goss_format }}"
changed_when: false
register: test_results
with_items: "{{ test_files.stdout_lines }}"

- name: Display details about the Goss results
debug:
msg: "{{ item.stdout_lines }}"
with_items: "{{ test_results.results }}"

- name: Fail when tests fail
fail:
msg: "Goss failed to validate"
when: item.rc != 0
with_items: "{{ test_results.results }}"

- name: Copy Goss tests to remote
template:
src: "{{ item }}"
dest: "{{ goss_test_directory }}/{{ item | basename | splitext | first }}"
mode: 0644
with_fileglob:
- "{{ lookup('env', 'MOLECULE_PROJECT_DIRECTORY') }}/molecule/_tests/test_*.j2"

- name: Register test files
shell: "ls {{ goss_test_directory }}/test_*.yml"
changed_when: false
register: test_files

- name: Execute Goss tests
environment:
# yamllint disable-line rule:line-length
PATH: '/opt/rh/rh-git218/root/usr/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin'
command: "{{ goss_dst }} -g {{ item }} validate -f {{ goss_format }}"
changed_when: false
register: test_results
with_items: "{{ test_files.stdout_lines }}"

- name: Display details about the Goss results
debug:
msg: "{{ item.stdout_lines }}"
with_items: "{{ test_results.results }}"

- name: Fail when tests fail
fail:
msg: "Goss failed to validate"
when: item.rc != 0
with_items: "{{ test_results.results }}"
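Review bot: The new `enterprise` var turns the whole `Verify tasks` block into a no-op for the enterprise scenarios, so a wrong package name, a missing binary or a failed unzip on those hosts still passes verify, and the install path is the thing the two new scenarios exist to cover. Detection by substring match on `MOLECULE_SCENARIO_DIRECTORY` is fine, but one license-free check would keep some signal: a `command: vault version` task gated by `when: enterprise` whose `failed_when` asserts that `'+ent'` is in the output, assuming `vault version` runs without a license as it appears to. Separately, the moved `mode: 0755` and `mode: 0644` lines are unquoted numbers whose value depends on which YAML version the loader applies (octal under 1.1, decimal under 1.2), while tasks/install.yml in this same commit writes `mode: "0644"`; quote them here for consistency. The play header and the rest of its `vars` are above the hunk.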
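--- a/tasks/install.yml
+++ b/tasks/install.yml
@@ -33,7 +33,8 @@
   get_url:
     url: "{{ vault_zip_url }}"
     dest: "{{ role_path }}/files/{{ vault_pkg }}"
-    checksum: "sha256:{{ (lookup('url', vault_checksum_file_url, wantlist=true) | select('match', '.*' + vault_pkg + '$') | first).split()[0] }}"
+    checksum:
+      "sha256:{{ (lookup('url', vault_checksum_file_url, wantlist=true) | select('match', '.*' + (vault_pkg | regex_escape()) + '$') | first).split()[0] }}"
     timeout: "42"
     mode: "0644"
   become: "{{ vault_privileged_install }}"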
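Review bot: The `checksum:` value (new second line of the hunk) is derived from a SHA256SUMS file fetched from the same origin as the zip itself, so it catches a corrupt or truncated download but says nothing about whether the release was tampered with, since the detached signature HashiCorp publishes alongside the SHA256SUMS is not checked anywhere in this task. A comment would stop readers from taking it for a supply-chain verification step, e.g. `# Integrity only: SHA256SUMS comes from the same origin as the zip; its signature is not verified here`. The `regex_escape` addition is right, as the `+` in `+ent` would otherwise be read as a quantifier and the `match` could silently pick the wrong line. The `get_url` task's `name:` and the rest of its conditions lie outside the hunk.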
82 changes: 0 additions & 82 deletions tasks/install_enterprise.yml

This file was deleted.

8 changes: 4 additions & 4 deletions tasks/install_hashi_repo.yml
Expand Up @@ -71,18 +71,18 @@
state: absent
become: true

- name: Install Vault package
- name: "Install Vault package {{ _vault_repo_pkg }}"
package:
name: "{{ _vault_repo_pkg }}"
state: present
become: true
vars:
_vault_repo_pkg: "{% if (ansible_pkg_mgr in ['yum', 'dnf']) %}\
vault-{{ 'enterprise-' if (vault_enterprise | bool) else '' }}{{ vault_version }}{{ vault_version_repo_suffix }}\
vault{{ '-enterprise' if vault_enterprise }}-{{ vault_version }}{{ vault_version_repo_suffix }}\
{% elif (ansible_pkg_mgr == 'apt') %}\
vault{{ '-enterprise' if (vault_enterprise | bool) else '' }}={{ vault_version }}{{ vault_version_repo_suffix }}\
vault{{ '-enterprise' if vault_enterprise }}={{ vault_version }}{{ vault_version_repo_suffix }}{{ vault_version_debian_repo_suffix }}\
{% else %}\
vault{{ '-enterprise' if (vault_enterprise | bool) else '' }}={{ vault_version }}{{ vault_version_repo_suffix }}\
vault{{ '-enterprise' if vault_enterprise }}={{ vault_version }}{{ vault_version_repo_suffix }}\
{% endif %}"
notify: Restart vault

11 changes: 1 addition & 10 deletions tasks/main.yml
Expand Up @@ -51,20 +51,11 @@

- name: Compute if installation is required
set_fact:
installation_required: "{{ vault_installation is failed or installed_vault_version.stdout != vault_version }}"

- name: Install OS packages and Vault Enterprise via control host
include_tasks: install_enterprise.yml
when:
- vault_enterprise | bool
- not vault_install_remotely | bool
- not vault_install_hashi_repo | bool
- installation_required | bool
installation_required: "{{ vault_installation is failed or installed_vault_version.stdout != vault_version~('+ent' if vault_enterprise) }}"

- name: Install OS packages and Vault via control host
include_tasks: install.yml
when:
- not vault_enterprise | bool
- not vault_install_remotely | bool
- not vault_install_hashi_repo | bool
- installation_required | bool
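Review bot: `installation_required` (the added line) appends only `+ent` to `vault_version` before comparing it with `installed_vault_version.stdout`, while the release artifacts now carry `vault_version_release_site_suffix`, which adds `.hsm` as well; if the installed binary reports that suffix in its version output, an HSM host would never compare equal and would be reinstalled on every run. Worth confirming against real `vault version` output, and if so comparing against `vault_version~vault_version_release_site_suffix` so the suffix logic lives in one place, e.g. `installation_required: "{{ vault_installation is failed or installed_vault_version.stdout != vault_version~vault_version_release_site_suffix }}"`. The task that registers `installed_vault_version` is above the hunk.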
