Bug2246422-(refinement of)ServerSideKeygen static SKID #4647
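# Integration tests of the pki-runner image against FreeIPA: one job installs a
# single IPA server (CA + KRA) and exercises ACME with certbot from a client
# container; a second job installs a primary and promotes a client into a
# replica (clone) with its own CA and KRA.
#
# Security notes for reviewers:
#   * Every password in this file (Secret.123) belongs to throw-away containers
#     that exist only for the duration of the job. It is a fixture, not a
#     secret; do not copy this pattern to anything that outlives the run.
#   * Each job below declares the least GITHUB_TOKEN permissions it needs.
#     The `init` job calls a reusable workflow with `secrets: inherit`, which
#     forwards every repository secret; narrow that to named secrets once the
#     needs of init.yml are known (init.yml is not visible from this file).
#   * Artifacts are uploaded with `if: always()` from containers that hold a
#     freshly generated CA, KRA and Kerberos realm, so they may include key
#     material and keytabs of that test realm. That is acceptable only because
#     the realm is disposable and its password is public.
name: IPA Tests

on: [push, pull_request]

jobs:
  init:
    name: Initialization
    uses: ./.github/workflows/init.yml
    # NOTE(review): `inherit` hands all repository secrets to init.yml;
    # prefer listing only the secrets that workflow actually consumes.
    secrets: inherit

  build:
    name: Waiting for build
    needs: init
    runs-on: ubuntu-latest
    # The wait action only polls check-run status with repo-token; it needs
    # no write access to the repository. Adjust if the action reports 403.
    permissions:
      checks: read
      contents: read
    steps:
      # NOTE(review): the action reference below does not look like a valid
      # `owner/repo@ref` in this copy of the file; verify it, and pin it to a
      # full commit SHA rather than a mutable tag: a tag can be re-pointed to
      # different code at any time, and this step is handed GITHUB_TOKEN.
      - name: Wait for build
        if: github.event_name == 'push'
        uses: lewagon/[email protected]
        with:
          ref: ${{ github.ref }}
          check-name: 'Building PKI'
          repo-token: ${{ secrets.GITHUB_TOKEN }}
          wait-interval: 30
      - name: Wait for build
        if: github.event_name == 'pull_request'
        uses: lewagon/[email protected]
        with:
          # For pull requests wait on the head commit, not the merge ref.
          ref: ${{ github.event.pull_request.head.sha }}
          check-name: 'Building PKI'
          repo-token: ${{ secrets.GITHUB_TOKEN }}
          wait-interval: 30

  ipa-test:
    name: Testing IPA
    needs: [init, build]
    runs-on: ubuntu-latest
    # Only the checkout uses GITHUB_TOKEN; cache and artifact steps use the
    # runner's own runtime token.
    permissions:
      contents: read
    env:
      # Path at which tests/bin/runner-init.sh presumably mounts the checkout
      # inside the containers; the host-side steps assume the same directory is
      # the working directory (see the `diff expected actual` steps) — confirm
      # against runner-init.sh.
      PKIDIR: /tmp/workdir/pki
    steps:
      - name: Clone repository
        uses: actions/checkout@v3
      # The image is produced by the "Building PKI" check this job waited for
      # and handed over through the cache. The key is the exact commit and no
      # restore-keys fallback is given, so a stale image from another commit is
      # never loaded; a cache miss surfaces as a failure of `docker load`.
      - name: Retrieve pki-runner image
        uses: actions/cache@v3
        with:
          key: pki-runner-${{ github.sha }}
          path: pki-runner.tar
      - name: Load runner image
        run: docker load --input pki-runner.tar
      - name: Create network
        run: docker network create example
      - name: Run IPA container
        run: |
          IMAGE=pki-runner \
          NAME=ipa \
          HOSTNAME=ipa.example.com \
          tests/bin/runner-init.sh
      # ipa-ca.example.com is an alias of the same container so that the ACME
      # directory URL used by certbot below resolves.
      - name: Connect IPA container to network
        run: docker network connect example ipa --alias ipa.example.com --alias ipa-ca.example.com
      - name: Install IPA packages in IPA container
        run: |
          docker exec ipa dnf install -y freeipa-server freeipa-server-dns \
              python3-ipatests freeipa-healthcheck
      # Directory Manager (-p) and admin (-a) passwords are passed on the
      # command line and are visible in the container's process list; that is
      # tolerable only because the realm is disposable.
      - name: Install IPA server in IPA container
        run: |
          docker exec ipa sysctl net.ipv6.conf.lo.disable_ipv6=0
          docker exec ipa ipa-server-install \
              -U \
              --domain example.com \
              -r EXAMPLE.COM \
              -p Secret.123 \
              -a Secret.123 \
              --setup-kra \
              --no-host-dns \
              --no-ntp
          docker exec ipa bash -c "echo Secret.123 | kinit admin"
          docker exec ipa ipa ping
      # Imports the CA signing cert and the agent credential (assumed to be
      # written to /root/ca-agent.p12 by the server install) into the pki
      # client NSS database, then checks the agent can query the CA.
      - name: Verify CA admin in IPA container
        run: |
          docker exec ipa pki-server cert-export ca_signing --cert-file ca_signing.crt
          docker exec ipa pki client-cert-import ca_signing --ca-cert ca_signing.crt
          docker exec ipa pki client-cert-import \
              --pkcs12 /root/ca-agent.p12 \
              --pkcs12-password Secret.123
          docker exec ipa pki -n ipa-ca-agent ca-user-show admin
      # `actual` is written inside the container under PKIDIR and read on the
      # host from the working directory; both must point at the same mount.
      - name: Enable ACME in IPA container
        run: |
          docker exec ipa ipa-acme-manage enable
          docker exec ipa ipa-acme-manage status
          echo "Available" > expected
          docker exec ipa bash -c "pki acme-info | sed -n 's/\s*Status:\s\+\(\S\+\).*/\1/p' > ${PKIDIR}/actual"
          diff expected actual
      # --privileged is needed to boot systemd in the container; the runner VM
      # is discarded after the job, so nothing outlives it.
      - name: Run client container
        run: |
          docker run \
              --detach \
              --name=client \
              --hostname=client.example.com \
              --privileged \
              --tmpfs /tmp \
              --tmpfs /run \
              pki-runner \
              /usr/sbin/init
      - name: Connect client container to network
        run: docker network connect example client --alias client.example.com
      - name: Install dependencies in client container
        run: |
          docker exec client dnf install -y freeipa-client certbot
      - name: Install IPA client in client container
        run: |
          docker exec client sysctl net.ipv6.conf.lo.disable_ipv6=0
          docker exec client ipa-client-install \
              -U \
              --server=ipa.example.com \
              --domain=example.com \
              --realm=EXAMPLE.COM \
              -p admin \
              -w Secret.123 \
              --no-ntp
          docker exec client bash -c "echo Secret.123 | kinit admin"
          docker exec client klist
      # Full ACME account lifecycle against the IPA CA: register, issue,
      # renew, revoke, update account, unregister.
      - name: Verify certbot in client container
        run: |
          docker exec client certbot register \
              --server https://ipa-ca.example.com/acme/directory \
              --email [email protected] \
              --agree-tos \
              --non-interactive
          docker exec client certbot certonly \
              --server https://ipa-ca.example.com/acme/directory \
              -d client.example.com \
              --standalone \
              --non-interactive
          docker exec client certbot renew \
              --server https://ipa-ca.example.com/acme/directory \
              --cert-name client.example.com \
              --force-renewal \
              --non-interactive
          docker exec client certbot revoke \
              --server https://ipa-ca.example.com/acme/directory \
              --cert-name client.example.com \
              --non-interactive
          docker exec client certbot update_account \
              --server https://ipa-ca.example.com/acme/directory \
              --email [email protected] \
              --non-interactive
          docker exec client certbot unregister \
              --server https://ipa-ca.example.com/acme/directory \
              --non-interactive
      - name: Disable ACME in IPA container
        run: |
          docker exec ipa ipa-acme-manage disable
          docker exec ipa ipa-acme-manage status
          echo "Unavailable" > expected
          docker exec ipa bash -c "pki acme-info | sed -n 's/\s*Status:\s\+\(\S\+\).*/\1/p' > ${PKIDIR}/actual"
          diff expected actual
      - name: Run IPA tests in IPA container
        run: docker exec ipa ${PKIDIR}/tests/bin/ipa-test.sh
      # Collected on failure too; see the header note about what these
      # directories may contain.
      - name: Gather artifacts from IPA container
        if: always()
        run: |
          tests/bin/ds-artifacts-save.sh ipa EXAMPLE-COM
          tests/bin/pki-artifacts-save.sh ipa
          tests/bin/ipa-artifacts-save.sh ipa
      - name: Remove IPA server from IPA container
        run: docker exec ipa ipa-server-install --uninstall -U
      - name: Upload artifacts from IPA container
        if: always()
        uses: actions/upload-artifact@v3
        with:
          name: ipa
          path: |
            /tmp/artifacts/ipa

  ipa-clone-test:
    name: Testing IPA clone
    needs: [init, build]
    runs-on: ubuntu-latest
    # Only the checkout uses GITHUB_TOKEN; cache and artifact steps use the
    # runner's own runtime token.
    permissions:
      contents: read
    env:
      # Shared working directory, presumably mounted into both containers by
      # tests/bin/runner-init.sh; used below to pass the agent credential from
      # primary to secondary — confirm against runner-init.sh.
      PKIDIR: /tmp/workdir/pki
    steps:
      - name: Clone repository
        uses: actions/checkout@v3
      # Same hand-over as in ipa-test: exact-commit key, no fallback.
      - name: Retrieve pki-runner image
        uses: actions/cache@v3
        with:
          key: pki-runner-${{ github.sha }}
          path: pki-runner.tar
      - name: Load runner image
        run: docker load --input pki-runner.tar
      - name: Create network
        run: docker network create example
      - name: Run primary container
        run: |
          IMAGE=pki-runner \
          NAME=primary \
          HOSTNAME=primary.example.com \
          tests/bin/runner-init.sh
      - name: Connect primary container to network
        run: docker network connect example primary --alias primary.example.com
      - name: Install IPA packages in primary container
        run: |
          docker exec primary dnf install -y freeipa-server freeipa-server-dns
      # Passwords on the command line: tolerable only for this disposable realm.
      - name: Install IPA server in primary container
        run: |
          docker exec primary sysctl net.ipv6.conf.lo.disable_ipv6=0
          docker exec primary ipa-server-install \
              -U \
              --domain example.com \
              -r EXAMPLE.COM \
              -p Secret.123 \
              -a Secret.123 \
              --setup-kra \
              --no-host-dns \
              --no-ntp
          docker exec primary bash -c "echo Secret.123 | kinit admin"
          docker exec primary klist
      - name: Run secondary container
        run: |
          IMAGE=pki-runner \
          NAME=secondary \
          HOSTNAME=secondary.example.com \
          tests/bin/runner-init.sh
      - name: Connect secondary container to network
        run: docker network connect example secondary --alias secondary.example.com
      - name: Install IPA packages in secondary container
        run: |
          docker exec secondary dnf install -y freeipa-server freeipa-server-dns
      - name: Install IPA client in secondary container
        run: |
          docker exec secondary sysctl net.ipv6.conf.lo.disable_ipv6=0
          docker exec secondary ipa-client-install \
              -U \
              --server=primary.example.com \
              --domain=example.com \
              --realm=EXAMPLE.COM \
              -p admin \
              -w Secret.123 \
              --no-ntp
          docker exec secondary bash -c "echo Secret.123 | kinit admin"
          docker exec secondary klist
      # Relies on the admin ticket obtained in the previous step.
      - name: Promote IPA client into IPA replica in secondary container
        run: |
          docker exec secondary ipa-replica-install \
              --no-host-dns \
              --setup-ca \
              --setup-kra
      # The agent PKCS#12 is copied from the primary into the shared PKIDIR so
      # the secondary can import it. It lands in a host-visible directory as
      # well; it is protected only by the public test password, so keep it out
      # of any cache or artifact path (neither includes PKIDIR here).
      - name: Verify CA admin
        run: |
          docker exec primary cp /root/ca-agent.p12 ${PKIDIR}/ca-agent.p12
          docker exec secondary pki-server cert-export ca_signing --cert-file ca_signing.crt
          docker exec secondary pki client-cert-import ca_signing --ca-cert ca_signing.crt
          docker exec secondary pki client-cert-import --pkcs12 ${PKIDIR}/ca-agent.p12 --pkcs12-password Secret.123
          docker exec secondary pki -n ipa-ca-agent ca-user-show admin
      - name: Gather artifacts from primary container
        if: always()
        run: |
          tests/bin/ds-artifacts-save.sh primary EXAMPLE-COM
          tests/bin/pki-artifacts-save.sh primary
          tests/bin/ipa-artifacts-save.sh primary
      - name: Gather artifacts from secondary container
        if: always()
        run: |
          tests/bin/ds-artifacts-save.sh secondary EXAMPLE-COM
          tests/bin/pki-artifacts-save.sh secondary
          tests/bin/ipa-artifacts-save.sh secondary
      # Best-effort teardown; skipped on failure, which is harmless because the
      # runner VM is discarded after the job.
      - name: Disconnect secondary container from network
        run: docker network disconnect example secondary
      - name: Disconnect primary container from network
        run: docker network disconnect example primary
      - name: Remove network
        run: docker network rm example
      - name: Upload artifacts from primary container
        if: always()
        uses: actions/upload-artifact@v3
        with:
          name: ipa-clone-primary
          path: |
            /tmp/artifacts/primary
      - name: Upload artifacts from secondary container
        if: always()
        uses: actions/upload-artifact@v3
        with:
          name: ipa-clone-secondary
          path: |
            /tmp/artifacts/secondary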