Skip to content

Bug2246422-(refinement of)ServerSideKeygen static SKID #4647

Bug2246422-(refinement of)ServerSideKeygen static SKID

Bug2246422-(refinement of)ServerSideKeygen static SKID #4647

Workflow file for this run

name: IPA Tests
on: [push, pull_request]
jobs:
init:
name: Initialization
uses: ./.github/workflows/init.yml
secrets: inherit
build:
name: Waiting for build
needs: init
runs-on: ubuntu-latest
steps:
- name: Wait for build
uses: lewagon/[email protected]
with:
ref: ${{ github.ref }}
check-name: 'Building PKI'
repo-token: ${{ secrets.GITHUB_TOKEN }}
wait-interval: 30
if: github.event_name == 'push'
- name: Wait for build
uses: lewagon/[email protected]
with:
ref: ${{ github.event.pull_request.head.sha }}
check-name: 'Building PKI'
repo-token: ${{ secrets.GITHUB_TOKEN }}
wait-interval: 30
if: github.event_name == 'pull_request'
ipa-test:
name: Testing IPA
needs: [init, build]
runs-on: ubuntu-latest
env:
PKIDIR: /tmp/workdir/pki
steps:
- name: Clone repository
uses: actions/checkout@v3
- name: Retrieve pki-runner image
uses: actions/cache@v3
with:
key: pki-runner-${{ github.sha }}
path: pki-runner.tar
- name: Load runner image
run: docker load --input pki-runner.tar
- name: Create network
run: docker network create example
- name: Run IPA container
run: |
IMAGE=pki-runner \
NAME=ipa \
HOSTNAME=ipa.example.com \
tests/bin/runner-init.sh
- name: Connect IPA container to network
run: docker network connect example ipa --alias ipa.example.com --alias ipa-ca.example.com
- name: Install IPA packages in IPA container
run: |
docker exec ipa dnf install -y freeipa-server freeipa-server-dns \
python3-ipatests freeipa-healthcheck
- name: Install IPA server in IPA container
run: |
docker exec ipa sysctl net.ipv6.conf.lo.disable_ipv6=0
docker exec ipa ipa-server-install \
-U \
--domain example.com \
-r EXAMPLE.COM \
-p Secret.123 \
-a Secret.123 \
--setup-kra \
--no-host-dns \
--no-ntp
docker exec ipa bash -c "echo Secret.123 | kinit admin"
docker exec ipa ipa ping
- name: Verify CA admin in IPA container
run: |
docker exec ipa pki-server cert-export ca_signing --cert-file ca_signing.crt
docker exec ipa pki client-cert-import ca_signing --ca-cert ca_signing.crt
docker exec ipa pki client-cert-import \
--pkcs12 /root/ca-agent.p12 \
--pkcs12-password Secret.123
docker exec ipa pki -n ipa-ca-agent ca-user-show admin
- name: Enable ACME in IPA container
run: |
docker exec ipa ipa-acme-manage enable
docker exec ipa ipa-acme-manage status
echo "Available" > expected
docker exec ipa bash -c "pki acme-info | sed -n 's/\s*Status:\s\+\(\S\+\).*/\1/p' > ${PKIDIR}/actual"
diff expected actual
- name: Run client container
run: |
docker run \
--detach \
--name=client \
--hostname=client.example.com \
--privileged \
--tmpfs /tmp \
--tmpfs /run \
pki-runner \
/usr/sbin/init
- name: Connect client container to network
run: docker network connect example client --alias client.example.com
- name: Install dependencies in client container
run: |
docker exec client dnf install -y freeipa-client certbot
- name: Install IPA client in client container
run: |
docker exec client sysctl net.ipv6.conf.lo.disable_ipv6=0
docker exec client ipa-client-install \
-U \
--server=ipa.example.com \
--domain=example.com \
--realm=EXAMPLE.COM \
-p admin \
-w Secret.123 \
--no-ntp
docker exec client bash -c "echo Secret.123 | kinit admin"
docker exec client klist
- name: Verify certbot in client container
run: |
docker exec client certbot register \
--server https://ipa-ca.example.com/acme/directory \
--email [email protected] \
--agree-tos \
--non-interactive
docker exec client certbot certonly \
--server https://ipa-ca.example.com/acme/directory \
-d client.example.com \
--standalone \
--non-interactive
docker exec client certbot renew \
--server https://ipa-ca.example.com/acme/directory \
--cert-name client.example.com \
--force-renewal \
--non-interactive
docker exec client certbot revoke \
--server https://ipa-ca.example.com/acme/directory \
--cert-name client.example.com \
--non-interactive
docker exec client certbot update_account \
--server https://ipa-ca.example.com/acme/directory \
--email [email protected] \
--non-interactive
docker exec client certbot unregister \
--server https://ipa-ca.example.com/acme/directory \
--non-interactive
- name: Disable ACME in IPA container
run: |
docker exec ipa ipa-acme-manage disable
docker exec ipa ipa-acme-manage status
echo "Unavailable" > expected
docker exec ipa bash -c "pki acme-info | sed -n 's/\s*Status:\s\+\(\S\+\).*/\1/p' > ${PKIDIR}/actual"
diff expected actual
- name: Run IPA tests in IPA container
run: docker exec ipa ${PKIDIR}/tests/bin/ipa-test.sh
- name: Gather artifacts from IPA container
if: always()
run: |
tests/bin/ds-artifacts-save.sh ipa EXAMPLE-COM
tests/bin/pki-artifacts-save.sh ipa
tests/bin/ipa-artifacts-save.sh ipa
- name: Remove IPA server from IPA container
run: docker exec ipa ipa-server-install --uninstall -U
- name: Upload artifacts from IPA container
if: always()
uses: actions/upload-artifact@v3
with:
name: ipa
path: |
/tmp/artifacts/ipa
ipa-clone-test:
name: Testing IPA clone
needs: [init, build]
runs-on: ubuntu-latest
env:
PKIDIR: /tmp/workdir/pki
steps:
- name: Clone repository
uses: actions/checkout@v3
- name: Retrieve pki-runner image
uses: actions/cache@v3
with:
key: pki-runner-${{ github.sha }}
path: pki-runner.tar
- name: Load runner image
run: docker load --input pki-runner.tar
- name: Create network
run: docker network create example
- name: Run primary container
run: |
IMAGE=pki-runner \
NAME=primary \
HOSTNAME=primary.example.com \
tests/bin/runner-init.sh
- name: Connect primary container to network
run: docker network connect example primary --alias primary.example.com
- name: Install IPA packages in primary container
run: |
docker exec primary dnf install -y freeipa-server freeipa-server-dns
- name: Install IPA server in primary container
run: |
docker exec primary sysctl net.ipv6.conf.lo.disable_ipv6=0
docker exec primary ipa-server-install \
-U \
--domain example.com \
-r EXAMPLE.COM \
-p Secret.123 \
-a Secret.123 \
--setup-kra \
--no-host-dns \
--no-ntp
docker exec primary bash -c "echo Secret.123 | kinit admin"
docker exec primary klist
- name: Run secondary container
run: |
IMAGE=pki-runner \
NAME=secondary \
HOSTNAME=secondary.example.com \
tests/bin/runner-init.sh
- name: Connect secondary container to network
run: docker network connect example secondary --alias secondary.example.com
- name: Install IPA packages in secondary container
run: |
docker exec secondary dnf install -y freeipa-server freeipa-server-dns
- name: Install IPA client in secondary container
run: |
docker exec secondary sysctl net.ipv6.conf.lo.disable_ipv6=0
docker exec secondary ipa-client-install \
-U \
--server=primary.example.com \
--domain=example.com \
--realm=EXAMPLE.COM \
-p admin \
-w Secret.123 \
--no-ntp
docker exec secondary bash -c "echo Secret.123 | kinit admin"
docker exec secondary klist
- name: Promote IPA client into IPA replica in secondary container
run: |
docker exec secondary ipa-replica-install \
--no-host-dns \
--setup-ca \
--setup-kra
- name: Verify CA admin
run: |
docker exec primary cp /root/ca-agent.p12 ${PKIDIR}/ca-agent.p12
docker exec secondary pki-server cert-export ca_signing --cert-file ca_signing.crt
docker exec secondary pki client-cert-import ca_signing --ca-cert ca_signing.crt
docker exec secondary pki client-cert-import --pkcs12 ${PKIDIR}/ca-agent.p12 --pkcs12-password Secret.123
docker exec secondary pki -n ipa-ca-agent ca-user-show admin
- name: Gather artifacts from primary container
if: always()
run: |
tests/bin/ds-artifacts-save.sh primary EXAMPLE-COM
tests/bin/pki-artifacts-save.sh primary
tests/bin/ipa-artifacts-save.sh primary
- name: Gather artifacts from secondary container
if: always()
run: |
tests/bin/ds-artifacts-save.sh secondary EXAMPLE-COM
tests/bin/pki-artifacts-save.sh secondary
tests/bin/ipa-artifacts-save.sh secondary
- name: Disconnect secondary container from network
run: docker network disconnect example secondary
- name: Disconnect primary container from network
run: docker network disconnect example primary
- name: Remove network
run: docker network rm example
- name: Upload artifacts from primary container
if: always()
uses: actions/upload-artifact@v3
with:
name: ipa-clone-primary
path: |
/tmp/artifacts/primary
- name: Upload artifacts from secondary container
if: always()
uses: actions/upload-artifact@v3
with:
name: ipa-clone-secondary
path: |
/tmp/artifacts/secondary