Skip to content

bump

bump #1227

name: CA handler tests - NCLM
on:
push:
pull_request:
branches: [ devel ]
schedule:
# * is a special character in YAML so you have to quote this string
- cron: '0 2 * * 6'
jobs:
nclm_handler_tests:
name: "nclm_handler_tests"
runs-on: ubuntu-latest
strategy:
fail-fast: false
# max-parallel: 1
matrix:
websrv: ['apache2', 'nginx']
dbhandler: ['wsgi', 'django']
steps:
- name: "checkout GIT"
uses: actions/checkout@v4
- name: "Generate UUID"
run: |
echo UUID=$(uuidgen | cut -d "-" -f1) >> $GITHUB_ENV
- run: echo "UUID ${{ env.UUID }}"
- name: "Build container"
uses: ./.github/actions/container_prep
with:
DB_HANDLER: ${{ matrix.dbhandler }}
WEB_SRV: ${{ matrix.websrv }}
- name: "Setup a2c with nclm_ca_handler"
run: |
sudo cp test/ca/certsrv_ca_certs.pem examples/Docker/data/ca_certs.pem
sudo touch examples/Docker/data/acme_srv.cfg
sudo chmod 777 examples/Docker/data/acme_srv.cfg
sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg
sudo echo "handler_file: examples/ca_handler/nclm_ca_handler.py" >> examples/Docker/data/acme_srv.cfg
sudo echo "api_host: $NCLM_API_HOST" >> examples/Docker/data/acme_srv.cfg
sudo echo "api_user: $NCLM_API_USER" >> examples/Docker/data/acme_srv.cfg
sudo echo "api_password: $NCLM_API_PASSWORD" >> examples/Docker/data/acme_srv.cfg
sudo echo "tsg_name: $NCLM_TSG_NAME" >> examples/Docker/data/acme_srv.cfg
sudo echo "ca_name: $NCLM_CA_NAME" >> examples/Docker/data/acme_srv.cfg
sudo echo "ca_id_list: [$NCLM_CA_ID_LIST]" >> examples/Docker/data/acme_srv.cfg
sudo echo "request_timeout: 40" >> examples/Docker/data/acme_srv.cfg
sudo echo "allowed_domainlist: [\"bar.local\", \"*.acme\"]" >> examples/Docker/data/acme_srv.cfg
sudo sed -i "s/revocation_reason_check_disable: False/revocation_reason_check_disable: False\nenrollment_timeout: 40/g" examples/Docker/data/acme_srv.cfg
cd examples/Docker/
docker-compose restart
env:
NCLM_API_HOST: ${{ secrets.NCLM_API_HOST }}
NCLM_API_USER: ${{ secrets.NCLM_API_USER }}
NCLM_API_PASSWORD: ${{ secrets.NCLM_API_PASSWORD }}
NCLM_TSG_NAME: ${{ secrets.NCLM_TSG_NAME }}
NCLM_CA_NAME: ${{ secrets.NCLM_CA_NAME }}
NCLM_CA_ID_LIST: ${{ secrets.NCLM_CA_ID_LIST }}
- name: "Test enrollment"
uses: ./.github/actions/acme_clients
with:
HOSTNAME_SUFFIX: -${{ env.UUID }}
VERIFY_CERT: false
TEST_ADL: "true"
- name: "Verify allowed_domainlist error"
run: |
cd examples/Docker
docker-compose logs | grep "allowed_domainlist" | grep -i "either CN or SANs are not allowed by configuration"
- name: "Generate UUID"
run: |
echo UUID=$(uuidgen | cut -d "-" -f1) >> $GITHUB_ENV
- run: echo "UUID ${{ env.UUID }}"
- name: "Reconfigure nclm handler to test enrollment from MSCA"
run: |
sudo sed -i "s/ca_name: $NCLM_CA_NAME/ca_name: $NCLM_MSCA_NAME/g" examples/Docker/data/acme_srv.cfg
sudo echo "template_name: $NCLM_MSCA_TEMPLATE_NAME" >> examples/Docker/data/acme_srv.cfg
cd examples/Docker/
docker-compose restart
env:
NCLM_MSCA_TEMPLATE_NAME: ${{ secrets.NCLM_MSCA_TEMPLATE_NAME }}
NCLM_MSCA_NAME: ${{ secrets.NCLM_MSCA_NAME }}
NCLM_CA_NAME: ${{ secrets.NCLM_CA_NAME }}
- name: "Test enrollment"
uses: ./.github/actions/acme_clients
with:
USE_RSA: true
HOSTNAME_SUFFIX: -${{ env.UUID }}
- name: "[ * ] collecting test logs"
if: ${{ failure() }}
run: |
mkdir -p ${{ github.workspace }}/artifact/upload
mkdir -p ${{ github.workspace }}/artifact/clients
sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/
# sudo cp *.pem ${{ github.workspace }}/artifact/data/
sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/clients/acme-sh/
sudo cp -rp certbot/ ${{ github.workspace }}/artifact/clients/certbot/
sudo cp -rp lego/ ${{ github.workspace }}/artifact/clients/lego/
cd examples/Docker
docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log
sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data clients
- name: "[ * ] uploading artificates"
uses: actions/upload-artifact@v4
if: ${{ failure() }}
with:
name: nclm_handler_tests-${{ matrix.websrv }}-${{ matrix.dbhandler }}.tar.gz
path: ${{ github.workspace }}/artifact/upload/
nclm_handler_tests_rpm:
name: "nclm_handler_tests_rpm"
runs-on: ubuntu-latest
strategy:
fail-fast: false
# max-parallel: 1
matrix:
rhversion: [8, 9]
execscript: ['rpm_tester.sh', 'django_tester.sh']
steps:
- name: "checkout GIT"
uses: actions/checkout@v4
- name: "Generate UUID"
run: |
echo UUID=$(uuidgen | cut -d "-" -f1) >> $GITHUB_ENV
- run: echo "UUID ${{ env.UUID }}"
- name: "Prepare Alma environment"
uses: ./.github/actions/rpm_prep
with:
GH_SBOM_USER: ${{ secrets.GH_SBOM_USER }}
GH_SBOM_TOKEN: ${{ secrets.GH_SBOM_TOKEN }}
RH_VERSION: ${{ matrix.rhversion }}
- name: "Setup a2c with with nclm_ca_handler"
if: matrix.execscript == 'rpm_tester.sh'
run: |
mkdir -p data/acme_ca
sudo cp test/ca/certsrv_ca_certs.pem data/acme_ca/ca_certs.pem
sudo touch data/acme_srv.cfg
sudo chmod 777 data/acme_srv.cfg
sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > data/acme_srv.cfg
sudo echo "handler_file: examples/ca_handler/nclm_ca_handler.py" >> data/acme_srv.cfg
sudo echo "api_host: $NCLM_API_HOST" >> data/acme_srv.cfg
sudo echo "api_user: $NCLM_API_USER" >> data/acme_srv.cfg
sudo echo "api_password: $NCLM_API_PASSWORD" >> data/acme_srv.cfg
sudo echo "tsg_name: $NCLM_TSG_NAME" >> data/acme_srv.cfg
sudo echo "ca_name: $NCLM_CA_NAME" >> data/acme_srv.cfg
sudo echo "ca_id_list: [$NCLM_CA_ID_LIST]" >> data/acme_srv.cfg
sudo echo "request_timeout: 40" >> data/acme_srv.cfg
sudo echo "allowed_domainlist: [\"bar.local\", \"*.acme\"]" >> data/acme_srv.cfg
sudo sed -i "s/revocation_reason_check_disable: False/revocation_reason_check_disable: False\nenrollment_timeout: 60/g" data/acme_srv.cfg
env:
NCLM_API_HOST: ${{ secrets.NCLM_API_HOST }}
NCLM_API_USER: ${{ secrets.NCLM_API_USER }}
NCLM_API_PASSWORD: ${{ secrets.NCLM_API_PASSWORD }}
NCLM_TSG_NAME: ${{ secrets.NCLM_TSG_NAME }}
NCLM_CA_NAME: ${{ secrets.NCLM_CA_NAME }}
NCLM_CA_ID_LIST: ${{ secrets.NCLM_CA_ID_LIST }}
- name: "Setup a2c with with nclm_ca_handler for django"
if: matrix.execscript == 'django_tester.sh'
run: |
sudo mkdir -p data/volume/acme_ca/certs
sudo cp test/ca/certsrv_ca_certs.pem data/volume/acme_ca/ca_certs.pem
sudo touch data/volume/acme_srv.cfg
sudo chmod 777 data/volume/acme_srv.cfg
sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > data/volume/acme_srv.cfg
sudo echo "handler_file: examples/ca_handler/nclm_ca_handler.py" >> data/volume/acme_srv.cfg
sudo echo "api_host: $NCLM_API_HOST" >> data/volume/acme_srv.cfg
sudo echo "api_user: $NCLM_API_USER" >> data/volume/acme_srv.cfg
sudo echo "api_password: $NCLM_API_PASSWORD" >> data/volume/acme_srv.cfg
sudo echo "tsg_name: $NCLM_TSG_NAME" >> data/volume/acme_srv.cfg
sudo echo "ca_name: $NCLM_CA_NAME" >> data/volume/acme_srv.cfg
sudo echo "ca_id_list: [$NCLM_CA_ID_LIST]" >> data/volume/acme_srv.cfg
sudo echo "request_timeout: 40" >> data/volume/acme_srv.cfg
sudo echo "allowed_domainlist: [\"bar.local\", \"*.acme\"]" >> data/volume/acme_srv.cfg
sudo sed -i "s/revocation_reason_check_disable: False/revocation_reason_check_disable: False\nenrollment_timeout: 60/g" data/volume/acme_srv.cfg
env:
NCLM_API_HOST: ${{ secrets.NCLM_API_HOST }}
NCLM_API_USER: ${{ secrets.NCLM_API_USER }}
NCLM_API_PASSWORD: ${{ secrets.NCLM_API_PASSWORD }}
NCLM_TSG_NAME: ${{ secrets.NCLM_TSG_NAME }}
NCLM_CA_NAME: ${{ secrets.NCLM_CA_NAME }}
NCLM_CA_ID_LIST: ${{ secrets.NCLM_CA_ID_LIST }}
- name: "Execute install scipt"
run: |
docker exec acme-srv sh /tmp/acme2certifier/$EXEC_SCRIPT
env:
EXEC_SCRIPT: ${{ matrix.execscript }}
- name: "Test enrollment"
uses: ./.github/actions/acme_clients
with:
HOSTNAME_SUFFIX: -${{ env.UUID }}
VERIFY_CERT: false
TEST_ADL: "true"
- name: "Verify allowed_domainlist error"
run: |
docker exec acme-srv grep -i "either CN or SANs are not allowed by configuration" /var/log/messages
- name: "Generate UUID"
run: |
echo UUID=$(uuidgen | cut -d "-" -f1) >> $GITHUB_ENV
- run: echo "UUID ${{ env.UUID }}"
- name: "Reconfigure nclm handler to test enrollment from MSCA"
if: matrix.execscript == 'rpm_tester.sh'
run: |
sudo sed -i "s/ca_name: $NCLM_CA_NAME/ca_name: $NCLM_MSCA_NAME/g" data/acme_srv.cfg
sudo echo "template_name: $NCLM_MSCA_TEMPLATE_NAME" >> data/acme_srv.cfg
env:
NCLM_MSCA_TEMPLATE_NAME: ${{ secrets.NCLM_MSCA_TEMPLATE_NAME }}
NCLM_MSCA_NAME: ${{ secrets.NCLM_MSCA_NAME }}
NCLM_CA_NAME: ${{ secrets.NCLM_CA_NAME }}
- name: "Reconfigure nclm handler to test enrollment from MSCA"
if: matrix.execscript == 'django_tester.sh'
run: |
sudo sed -i "s/ca_name: $NCLM_CA_NAME/ca_name: $NCLM_MSCA_NAME/g" data/volume/acme_srv.cfg
sudo echo "template_name: $NCLM_MSCA_TEMPLATE_NAME" >> data/volume/acme_srv.cfg
env:
NCLM_MSCA_TEMPLATE_NAME: ${{ secrets.NCLM_MSCA_TEMPLATE_NAME }}
NCLM_MSCA_NAME: ${{ secrets.NCLM_MSCA_NAME }}
NCLM_CA_NAME: ${{ secrets.NCLM_CA_NAME }}
- name: "Execute install scipt"
run: |
docker exec acme-srv sh /tmp/acme2certifier/$EXEC_SCRIPT restart
env:
EXEC_SCRIPT: ${{ matrix.execscript }}
- name: "Test enrollment"
uses: ./.github/actions/acme_clients
with:
USE_RSA: true
HOSTNAME_SUFFIX: -${{ env.UUID }}
- name: "[ * ] collecting test logs"
if: ${{ failure() }}
continue-on-error: true
run: |
mkdir -p ${{ github.workspace }}/artifact/upload
mkdir -p ${{ github.workspace }}/artifact/clients
docker exec acme-srv tar cvfz /tmp/acme2certifier/a2c.tgz /opt/acme2certifier
sudo cp -rp data/ ${{ github.workspace }}/artifact/data/
# sudo cp *.pem ${{ github.workspace }}/artifact/data/
sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/clients/acme-sh/
sudo cp -rp certbot/ ${{ github.workspace }}/artifact/clients/certbot/
sudo cp -rp lego/ ${{ github.workspace }}/artifact/clients/lego/
sudo rm ${{ github.workspace }}/artifact/data/*.rpm
docker exec acme-srv cat /etc/nginx/nginx.conf.orig > ${{ github.workspace }}/artifact/data/nginx.conf.orig
docker exec acme-srv cat /etc/nginx/nginx.conf > ${{ github.workspace }}/artifact/data/nginx.conf
docker exec acme-srv cat /var/log/messages > ${{ github.workspace }}/artifact/acme-srv.log
sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz data clients acme-srv.log
- name: "[ * ] uploading artificates"
uses: actions/upload-artifact@v4
if: ${{ failure() }}
with:
name: nclm_ca_handler_rpm-rh${{ matrix.rhversion }}-${{ matrix.execscript}}.tar.gz
path: ${{ github.workspace }}/artifact/upload/