opendev/system-config
Code Issues Proposed changes
a4efec61af
system-config/testinfra/test_mirror.py

95 lines
3.5 KiB
Python
Raw Normal View History

Create opendev mirrors This impelements mirrors to live in the opendev.org namespace. The implementation is Ansible native for deployment on a Bionic node. The hostname prefix remains the same (mirrorXX.region.provider.) but the groups.yaml splits the opendev.org mirrors into a separate group. The matches in the puppet group are also updated so to not run puppet on the hosts. The kerberos and openafs client parts do not need any updating and works on the Bionic host. The hosts are setup to provision certificates for themselves from letsencrypt. Note we've added a new handler for mirror nodes to use that restarts apache on certificate issue/renewal. The new "mirror" role is a port of the existing puppet mirror.pp. It installs apache, sets up some modules, makes some symlinks, sets up a cleanup cron job and installs the apache vhost configuration. The vhost configuration is also ported from the extant puppet. It is simplified somewhat; but the biggest change is that we have extracted the main port 80 configuration into a macro which is applied to both port 80 and 443; i.e. the host will have SSL support. The other ports are left alone for now, but can be updated in due course. Thus we should be able to CNAME the existing mirrors to new nodes, and any existing http access can continue. We can update our mirror setup scripts to point to https resources as appropriate. Change-Id: Iec576d631dd5b02f6b9fb445ee600be060f9cf1e
2019-05-10 17:17:49 +10:00
# Copyright 2019 Red Hat, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
Correct how ansible-galaxy is proxified ansible-galaxy CLI makes multiple calls to the remote server, with various API endpoint, and expects JSON containing fully qualified URI (scheme://host/path), meaning we must inspect the different files and ensure we're rewriting the content so that it points to the proxy all the time. Also, the remote galaxy.ansible.com has some redirects with absolute paths, breaking for some reason the ProxyPassReverse - this is why we get yet a new pair of dedicated ports for this proxy (TLS/non-TLS). Then, there's the protocol issue: since mod_substitute is apparently unable to take httpd variables such as the REQUEST_SCHEME, we have to use some If statement in order to ensure we're passing the correct scheme, being http or https. Note that ansible-galaxy doesn't understand the "//host/path". This patch also adds some more tests in order to ensure the API answers as expected through the proxy. Change-Id: Icf6f5c83554b51854fabde6e4cc2d646d120c0e9
2022-11-30 15:47:43 +01:00
import json
Enable ssl on all mirror vhosts Previously we had enabled SSL on our main vhost for the mirrors. Do similar for all of the proxy cache vhosts for docker and other external resources. As part of this change we improve the testing to ensure that the new vhosts are working as expected. One testing specific change to note is the testinfra node names did not match our existing system-config-run job nodenames. This has been corrected. Additionally RHRegistryMirror and QuayMirror may not be working and fixing those is left as a followup. Change-Id: I9dbbd4080c3a2cce4acc39d63244f7a645503553
2020-05-18 11:44:52 -07:00
testinfra_hosts = ['mirror01.openafs.provider.opendev.org',
'mirror02.openafs.provider.opendev.org']
Create opendev mirrors This impelements mirrors to live in the opendev.org namespace. The implementation is Ansible native for deployment on a Bionic node. The hostname prefix remains the same (mirrorXX.region.provider.) but the groups.yaml splits the opendev.org mirrors into a separate group. The matches in the puppet group are also updated so to not run puppet on the hosts. The kerberos and openafs client parts do not need any updating and works on the Bionic host. The hosts are setup to provision certificates for themselves from letsencrypt. Note we've added a new handler for mirror nodes to use that restarts apache on certificate issue/renewal. The new "mirror" role is a port of the existing puppet mirror.pp. It installs apache, sets up some modules, makes some symlinks, sets up a cleanup cron job and installs the apache vhost configuration. The vhost configuration is also ported from the extant puppet. It is simplified somewhat; but the biggest change is that we have extracted the main port 80 configuration into a macro which is applied to both port 80 and 443; i.e. the host will have SSL support. The other ports are left alone for now, but can be updated in due course. Thus we should be able to CNAME the existing mirrors to new nodes, and any existing http access can continue. We can update our mirror setup scripts to point to https resources as appropriate. Change-Id: Iec576d631dd5b02f6b9fb445ee600be060f9cf1e
2019-05-10 17:17:49 +10:00
def test_apache(host):
apache = host.service('apache2')
assert apache.is_running
Correct (again) how ansible-galaxy proxy is configured The mix of <Location> and ProxyPass [path] <target> lead to some issue. This patch corrects them and makes the config more consistent. Until now, the last URI was actually an error page from the main galaxy website. With this change, we now hit the S3 bucket as we should, allowing ansible-galaxy to download the archive, validate its checksum, and install the intended collection/role. This patch was fully tested locally using the httpd container image, a minimal configuration adding only the needed modules and the ansible-galaxy vhost/proxy, and running ansible-galaxy directly. In addition, this patch also makes a better testing of the proxy, using cURL until we actually download the file. Since ansible galaxy will provide a file under any condition, we also assert the downloaded file is really what it should be - a plain archive. If it's a miss on S3 side, it would be a JSON. And if we get an ansible galaxy answer, that would be an HTML file. The following commands were used: Run the container: podman run --rm --security-opt label=disable \ -v ./httpd.conf:/usr/local/apache2/conf/httpd.conf:ro \ -p 8080:8080 httpd:2.4 Run ansible-galaxy while ensuring we don't rely on its own internal cache: rm -rf operator ~/.ansible/galaxy_cache/api.json ansible-galaxy collection download -vvvvvvv \ -s http://localhost:8080/ -p ./operator tripleo.operator Then, the following URI were shown in the ansible-galaxy log: http://localhost:8080/ http://localhost:8080/api http://localhost:8080/api/v2/collections/tripleo/operator/ http://localhost:8080/api/v2/collections/tripleo/operator/versions/?page_size=100 http://localhost:8080/api/v2/collections/tripleo/operator/versions/0.9.0/ Then, the actual download: http://localhost:8080/download/tripleo-operator-0.9.0.tar.gz Then the checksum validation, and eventually it ended with: Collection 'tripleo.operator:0.9.0' was downloaded successfully Change-Id: Ibfe846b59bf987df3f533802cb329e15ce83500b
2023-01-11 13:35:51 +01:00
def _run_cmd(host, port, scheme='https', url='', curl_opt=''):
mirror: retwork testinfra testing This is rather different to all our existing testing, probably because it was just written earlier. Convert this all to curl calls like everything else. Don't use direct IP addresses, but use the hostnames. Drop the --insecure flags as the certificates cover the hostnames now. Also drop the separate ipv6 testing as some hosts don't have ipv6; what we are really interested in is if the apache config is responding correctly, not the test node networking setup. Change-Id: I489055e89bfd8dd05487985dd408767b870c3980
2022-07-07 10:00:37 +10:00
hostname = host.backend.get_hostname()
Correct (again) how ansible-galaxy proxy is configured The mix of <Location> and ProxyPass [path] <target> lead to some issue. This patch corrects them and makes the config more consistent. Until now, the last URI was actually an error page from the main galaxy website. With this change, we now hit the S3 bucket as we should, allowing ansible-galaxy to download the archive, validate its checksum, and install the intended collection/role. This patch was fully tested locally using the httpd container image, a minimal configuration adding only the needed modules and the ansible-galaxy vhost/proxy, and running ansible-galaxy directly. In addition, this patch also makes a better testing of the proxy, using cURL until we actually download the file. Since ansible galaxy will provide a file under any condition, we also assert the downloaded file is really what it should be - a plain archive. If it's a miss on S3 side, it would be a JSON. And if we get an ansible galaxy answer, that would be an HTML file. The following commands were used: Run the container: podman run --rm --security-opt label=disable \ -v ./httpd.conf:/usr/local/apache2/conf/httpd.conf:ro \ -p 8080:8080 httpd:2.4 Run ansible-galaxy while ensuring we don't rely on its own internal cache: rm -rf operator ~/.ansible/galaxy_cache/api.json ansible-galaxy collection download -vvvvvvv \ -s http://localhost:8080/ -p ./operator tripleo.operator Then, the following URI were shown in the ansible-galaxy log: http://localhost:8080/ http://localhost:8080/api http://localhost:8080/api/v2/collections/tripleo/operator/ http://localhost:8080/api/v2/collections/tripleo/operator/versions/?page_size=100 http://localhost:8080/api/v2/collections/tripleo/operator/versions/0.9.0/ Then, the actual download: http://localhost:8080/download/tripleo-operator-0.9.0.tar.gz Then the checksum validation, and eventually it ended with: Collection 'tripleo.operator:0.9.0' was downloaded successfully Change-Id: Ibfe846b59bf987df3f533802cb329e15ce83500b
2023-01-11 13:35:51 +01:00
return f'curl {curl_opt} --resolve {hostname}:127.0.0.1 {scheme}://{hostname}:{port}{url}'
mirror: retwork testinfra testing This is rather different to all our existing testing, probably because it was just written earlier. Convert this all to curl calls like everything else. Don't use direct IP addresses, but use the hostnames. Drop the --insecure flags as the certificates cover the hostnames now. Also drop the separate ipv6 testing as some hosts don't have ipv6; what we are really interested in is if the apache config is responding correctly, not the test node networking setup. Change-Id: I489055e89bfd8dd05487985dd408767b870c3980
2022-07-07 10:00:37 +10:00
Enable ssl on all mirror vhosts Previously we had enabled SSL on our main vhost for the mirrors. Do similar for all of the proxy cache vhosts for docker and other external resources. As part of this change we improve the testing to ensure that the new vhosts are working as expected. One testing specific change to note is the testinfra node names did not match our existing system-config-run job nodenames. This has been corrected. Additionally RHRegistryMirror and QuayMirror may not be working and fixing those is left as a followup. Change-Id: I9dbbd4080c3a2cce4acc39d63244f7a645503553
2020-05-18 11:44:52 -07:00
def test_base_mirror(host):
mirror: retwork testinfra testing This is rather different to all our existing testing, probably because it was just written earlier. Convert this all to curl calls like everything else. Don't use direct IP addresses, but use the hostnames. Drop the --insecure flags as the certificates cover the hostnames now. Also drop the separate ipv6 testing as some hosts don't have ipv6; what we are really interested in is if the apache config is responding correctly, not the test node networking setup. Change-Id: I489055e89bfd8dd05487985dd408767b870c3980
2022-07-07 10:00:37 +10:00
# base mirror
cmd = host.run(_run_cmd(host, 443))
assert '<a href="debian/">' in cmd.stdout
Create opendev mirrors This impelements mirrors to live in the opendev.org namespace. The implementation is Ansible native for deployment on a Bionic node. The hostname prefix remains the same (mirrorXX.region.provider.) but the groups.yaml splits the opendev.org mirrors into a separate group. The matches in the puppet group are also updated so to not run puppet on the hosts. The kerberos and openafs client parts do not need any updating and works on the Bionic host. The hosts are setup to provision certificates for themselves from letsencrypt. Note we've added a new handler for mirror nodes to use that restarts apache on certificate issue/renewal. The new "mirror" role is a port of the existing puppet mirror.pp. It installs apache, sets up some modules, makes some symlinks, sets up a cleanup cron job and installs the apache vhost configuration. The vhost configuration is also ported from the extant puppet. It is simplified somewhat; but the biggest change is that we have extracted the main port 80 configuration into a macro which is applied to both port 80 and 443; i.e. the host will have SSL support. The other ports are left alone for now, but can be updated in due course. Thus we should be able to CNAME the existing mirrors to new nodes, and any existing http access can continue. We can update our mirror setup scripts to point to https resources as appropriate. Change-Id: Iec576d631dd5b02f6b9fb445ee600be060f9cf1e
2019-05-10 17:17:49 +10:00
mirror: retwork testinfra testing This is rather different to all our existing testing, probably because it was just written earlier. Convert this all to curl calls like everything else. Don't use direct IP addresses, but use the hostnames. Drop the --insecure flags as the certificates cover the hostnames now. Also drop the separate ipv6 testing as some hosts don't have ipv6; what we are really interested in is if the apache config is responding correctly, not the test node networking setup. Change-Id: I489055e89bfd8dd05487985dd408767b870c3980
2022-07-07 10:00:37 +10:00
# mirrors still respond on http
cmd = host.run(_run_cmd(host, 80, scheme='http'))
assert '<a href="debian/">' in cmd.stdout
Create opendev mirrors This impelements mirrors to live in the opendev.org namespace. The implementation is Ansible native for deployment on a Bionic node. The hostname prefix remains the same (mirrorXX.region.provider.) but the groups.yaml splits the opendev.org mirrors into a separate group. The matches in the puppet group are also updated so to not run puppet on the hosts. The kerberos and openafs client parts do not need any updating and works on the Bionic host. The hosts are setup to provision certificates for themselves from letsencrypt. Note we've added a new handler for mirror nodes to use that restarts apache on certificate issue/renewal. The new "mirror" role is a port of the existing puppet mirror.pp. It installs apache, sets up some modules, makes some symlinks, sets up a cleanup cron job and installs the apache vhost configuration. The vhost configuration is also ported from the extant puppet. It is simplified somewhat; but the biggest change is that we have extracted the main port 80 configuration into a macro which is applied to both port 80 and 443; i.e. the host will have SSL support. The other ports are left alone for now, but can be updated in due course. Thus we should be able to CNAME the existing mirrors to new nodes, and any existing http access can continue. We can update our mirror setup scripts to point to https resources as appropriate. Change-Id: Iec576d631dd5b02f6b9fb445ee600be060f9cf1e
2019-05-10 17:17:49 +10:00
Enable ssl on all mirror vhosts Previously we had enabled SSL on our main vhost for the mirrors. Do similar for all of the proxy cache vhosts for docker and other external resources. As part of this change we improve the testing to ensure that the new vhosts are working as expected. One testing specific change to note is the testinfra node names did not match our existing system-config-run job nodenames. This has been corrected. Additionally RHRegistryMirror and QuayMirror may not be working and fixing those is left as a followup. Change-Id: I9dbbd4080c3a2cce4acc39d63244f7a645503553
2020-05-18 11:44:52 -07:00
def test_proxy_mirror(host):
mirror: retwork testinfra testing This is rather different to all our existing testing, probably because it was just written earlier. Convert this all to curl calls like everything else. Don't use direct IP addresses, but use the hostnames. Drop the --insecure flags as the certificates cover the hostnames now. Also drop the separate ipv6 testing as some hosts don't have ipv6; what we are really interested in is if the apache config is responding correctly, not the test node networking setup. Change-Id: I489055e89bfd8dd05487985dd408767b870c3980
2022-07-07 10:00:37 +10:00
# pypi proxy mirror
cmd = host.run(_run_cmd(host, 4443, url='/pypi/simple/setuptools'))
assert 'setuptools' in cmd.stdout
Enable ssl on all mirror vhosts Previously we had enabled SSL on our main vhost for the mirrors. Do similar for all of the proxy cache vhosts for docker and other external resources. As part of this change we improve the testing to ensure that the new vhosts are working as expected. One testing specific change to note is the testinfra node names did not match our existing system-config-run job nodenames. This has been corrected. Additionally RHRegistryMirror and QuayMirror may not be working and fixing those is left as a followup. Change-Id: I9dbbd4080c3a2cce4acc39d63244f7a645503553
2020-05-18 11:44:52 -07:00
mirror: retwork testinfra testing This is rather different to all our existing testing, probably because it was just written earlier. Convert this all to curl calls like everything else. Don't use direct IP addresses, but use the hostnames. Drop the --insecure flags as the certificates cover the hostnames now. Also drop the separate ipv6 testing as some hosts don't have ipv6; what we are really interested in is if the apache config is responding correctly, not the test node networking setup. Change-Id: I489055e89bfd8dd05487985dd408767b870c3980
2022-07-07 10:00:37 +10:00
cmd = host.run(_run_cmd(host, 8080, scheme='http', url='/pypi/simple/setuptools'))
assert 'setuptools' in cmd.stdout
Enable ssl on all mirror vhosts Previously we had enabled SSL on our main vhost for the mirrors. Do similar for all of the proxy cache vhosts for docker and other external resources. As part of this change we improve the testing to ensure that the new vhosts are working as expected. One testing specific change to note is the testinfra node names did not match our existing system-config-run job nodenames. This has been corrected. Additionally RHRegistryMirror and QuayMirror may not be working and fixing those is left as a followup. Change-Id: I9dbbd4080c3a2cce4acc39d63244f7a645503553
2020-05-18 11:44:52 -07:00
mirror: retwork testinfra testing This is rather different to all our existing testing, probably because it was just written earlier. Convert this all to curl calls like everything else. Don't use direct IP addresses, but use the hostnames. Drop the --insecure flags as the certificates cover the hostnames now. Also drop the separate ipv6 testing as some hosts don't have ipv6; what we are really interested in is if the apache config is responding correctly, not the test node networking setup. Change-Id: I489055e89bfd8dd05487985dd408767b870c3980
2022-07-07 10:00:37 +10:00
def test_dockerv2_mirror(host):
# Docker v2 mirror
Enable ssl on all mirror vhosts Previously we had enabled SSL on our main vhost for the mirrors. Do similar for all of the proxy cache vhosts for docker and other external resources. As part of this change we improve the testing to ensure that the new vhosts are working as expected. One testing specific change to note is the testinfra node names did not match our existing system-config-run job nodenames. This has been corrected. Additionally RHRegistryMirror and QuayMirror may not be working and fixing those is left as a followup. Change-Id: I9dbbd4080c3a2cce4acc39d63244f7a645503553
2020-05-18 11:44:52 -07:00
mirror: retwork testinfra testing This is rather different to all our existing testing, probably because it was just written earlier. Convert this all to curl calls like everything else. Don't use direct IP addresses, but use the hostnames. Drop the --insecure flags as the certificates cover the hostnames now. Also drop the separate ipv6 testing as some hosts don't have ipv6; what we are really interested in is if the apache config is responding correctly, not the test node networking setup. Change-Id: I489055e89bfd8dd05487985dd408767b870c3980
2022-07-07 10:00:37 +10:00
# NOTE(ianw) 2022-07 : this gets back a 401 .json; maybe something
# better we could do?
cmd = host.run(_run_cmd(host, 4445, url='/v2/'))
assert 'UNAUTHORIZED' in cmd.stdout
Open mirror ssl ports externally This was missed in an earlier change where we enabled these vhosts. Testing worked because testing was communicating to localhost and not the public ip address. This has been addressed as well. Change-Id: I2d91aea466f1b587780a452cfe8e1396515930ed
2020-05-19 15:32:10 -07:00
mirror: retwork testinfra testing This is rather different to all our existing testing, probably because it was just written earlier. Convert this all to curl calls like everything else. Don't use direct IP addresses, but use the hostnames. Drop the --insecure flags as the certificates cover the hostnames now. Also drop the separate ipv6 testing as some hosts don't have ipv6; what we are really interested in is if the apache config is responding correctly, not the test node networking setup. Change-Id: I489055e89bfd8dd05487985dd408767b870c3980
2022-07-07 10:00:37 +10:00
cmd = host.run(_run_cmd(host, 8082, scheme='http', url='/v2/'))
assert 'UNAUTHORIZED' in cmd.stdout
Enable ssl on all mirror vhosts Previously we had enabled SSL on our main vhost for the mirrors. Do similar for all of the proxy cache vhosts for docker and other external resources. As part of this change we improve the testing to ensure that the new vhosts are working as expected. One testing specific change to note is the testinfra node names did not match our existing system-config-run job nodenames. This has been corrected. Additionally RHRegistryMirror and QuayMirror may not be working and fixing those is left as a followup. Change-Id: I9dbbd4080c3a2cce4acc39d63244f7a645503553
2020-05-18 11:44:52 -07:00
Listen on Quay Registry Mirror Ports We need to tell apache to listen on the ports used by the Quay Registry Mirror. Without this we aren't actually able to provide connections to this vhost. Add testing to ensure this is working in a simple manner. Change-Id: I28bdb7aeb9c3252c6319658acaa530a7d7c25a72
2020-05-19 09:05:36 -07:00
def test_quay_mirror(host):
# QuayRegistryMirror
mirror: retwork testinfra testing This is rather different to all our existing testing, probably because it was just written earlier. Convert this all to curl calls like everything else. Don't use direct IP addresses, but use the hostnames. Drop the --insecure flags as the certificates cover the hostnames now. Also drop the separate ipv6 testing as some hosts don't have ipv6; what we are really interested in is if the apache config is responding correctly, not the test node networking setup. Change-Id: I489055e89bfd8dd05487985dd408767b870c3980
2022-07-07 10:00:37 +10:00
cmd = host.run(_run_cmd(host, 4447, url='/'))
assert 'Quay' in cmd.stdout
Listen on Quay Registry Mirror Ports We need to tell apache to listen on the ports used by the Quay Registry Mirror. Without this we aren't actually able to provide connections to this vhost. Add testing to ensure this is working in a simple manner. Change-Id: I28bdb7aeb9c3252c6319658acaa530a7d7c25a72
2020-05-19 09:05:36 -07:00
mirror: retwork testinfra testing This is rather different to all our existing testing, probably because it was just written earlier. Convert this all to curl calls like everything else. Don't use direct IP addresses, but use the hostnames. Drop the --insecure flags as the certificates cover the hostnames now. Also drop the separate ipv6 testing as some hosts don't have ipv6; what we are really interested in is if the apache config is responding correctly, not the test node networking setup. Change-Id: I489055e89bfd8dd05487985dd408767b870c3980
2022-07-07 10:00:37 +10:00
cmd = host.run(_run_cmd(host, 8084, scheme='http', url='/'))
assert 'Quay' in cmd.stdout
Listen on Quay Registry Mirror Ports We need to tell apache to listen on the ports used by the Quay Registry Mirror. Without this we aren't actually able to provide connections to this vhost. Add testing to ensure this is working in a simple manner. Change-Id: I28bdb7aeb9c3252c6319658acaa530a7d7c25a72
2020-05-19 09:05:36 -07:00
# TODO test RHRegistryMirror
Cache Ansible Galaxy on CI mirror servers Ansible Galaxy indexes tarballs of Ansible roles and collections at a central site, which in turn points to a dedicated Amazon S3 subdomain. The tools which consume it support overriding the default Galaxy URL with any arbitrary one, so should be able to take advantage of this in CI jobs. Change-Id: Ib5664e5588f7237a19a2cdb6eec3109452e8a107
2021-11-22 15:21:48 +00:00
def test_galaxy_mirror(host):
Correct how ansible-galaxy is proxified ansible-galaxy CLI makes multiple calls to the remote server, with various API endpoint, and expects JSON containing fully qualified URI (scheme://host/path), meaning we must inspect the different files and ensure we're rewriting the content so that it points to the proxy all the time. Also, the remote galaxy.ansible.com has some redirects with absolute paths, breaking for some reason the ProxyPassReverse - this is why we get yet a new pair of dedicated ports for this proxy (TLS/non-TLS). Then, there's the protocol issue: since mod_substitute is apparently unable to take httpd variables such as the REQUEST_SCHEME, we have to use some If statement in order to ensure we're passing the correct scheme, being http or https. Note that ansible-galaxy doesn't understand the "//host/path". This patch also adds some more tests in order to ensure the API answers as expected through the proxy. Change-Id: Icf6f5c83554b51854fabde6e4cc2d646d120c0e9
2022-11-30 15:47:43 +01:00
cmd = host.run(_run_cmd(host, 4448, url='/'))
mirror: retwork testinfra testing This is rather different to all our existing testing, probably because it was just written earlier. Convert this all to curl calls like everything else. Don't use direct IP addresses, but use the hostnames. Drop the --insecure flags as the certificates cover the hostnames now. Also drop the separate ipv6 testing as some hosts don't have ipv6; what we are really interested in is if the apache config is responding correctly, not the test node networking setup. Change-Id: I489055e89bfd8dd05487985dd408767b870c3980
2022-07-07 10:00:37 +10:00
assert 'Ansible Galaxy' in cmd.stdout
Correct how ansible-galaxy is proxified ansible-galaxy CLI makes multiple calls to the remote server, with various API endpoint, and expects JSON containing fully qualified URI (scheme://host/path), meaning we must inspect the different files and ensure we're rewriting the content so that it points to the proxy all the time. Also, the remote galaxy.ansible.com has some redirects with absolute paths, breaking for some reason the ProxyPassReverse - this is why we get yet a new pair of dedicated ports for this proxy (TLS/non-TLS). Then, there's the protocol issue: since mod_substitute is apparently unable to take httpd variables such as the REQUEST_SCHEME, we have to use some If statement in order to ensure we're passing the correct scheme, being http or https. Note that ansible-galaxy doesn't understand the "//host/path". This patch also adds some more tests in order to ensure the API answers as expected through the proxy. Change-Id: Icf6f5c83554b51854fabde6e4cc2d646d120c0e9
2022-11-30 15:47:43 +01:00
cmd = host.run(_run_cmd(host, 8085, scheme='http', url='/'))
mirror: retwork testinfra testing This is rather different to all our existing testing, probably because it was just written earlier. Convert this all to curl calls like everything else. Don't use direct IP addresses, but use the hostnames. Drop the --insecure flags as the certificates cover the hostnames now. Also drop the separate ipv6 testing as some hosts don't have ipv6; what we are really interested in is if the apache config is responding correctly, not the test node networking setup. Change-Id: I489055e89bfd8dd05487985dd408767b870c3980
2022-07-07 10:00:37 +10:00
assert 'Ansible Galaxy' in cmd.stdout
Correct how ansible-galaxy is proxified ansible-galaxy CLI makes multiple calls to the remote server, with various API endpoint, and expects JSON containing fully qualified URI (scheme://host/path), meaning we must inspect the different files and ensure we're rewriting the content so that it points to the proxy all the time. Also, the remote galaxy.ansible.com has some redirects with absolute paths, breaking for some reason the ProxyPassReverse - this is why we get yet a new pair of dedicated ports for this proxy (TLS/non-TLS). Then, there's the protocol issue: since mod_substitute is apparently unable to take httpd variables such as the REQUEST_SCHEME, we have to use some If statement in order to ensure we're passing the correct scheme, being http or https. Note that ansible-galaxy doesn't understand the "//host/path". This patch also adds some more tests in order to ensure the API answers as expected through the proxy. Change-Id: Icf6f5c83554b51854fabde6e4cc2d646d120c0e9
2022-11-30 15:47:43 +01:00
hostname = host.backend.get_hostname()
# Ensure API properly answers
cmd = host.run(_run_cmd(host, 4448, url='/api/'))
assert 'GALAXY REST API' in cmd.stdout
# Ensure we get data out of a specific collection
cmd = host.run(_run_cmd(host, 4448, url='/api/v2/collections/community/general/'))
assert 'https://{}:4448/api/'.format(hostname) in cmd.stdout
answer = json.loads(cmd.stdout)
version_uri = answer['latest_version']['href'].replace('https://{}:4448'.format(hostname), '')
# Ensure we get a correct download URI
cmd = host.run(_run_cmd(host, 4448, url=version_uri))
assert 'https://{}:4448/api/'.format(hostname) in cmd.stdout
answer = json.loads(cmd.stdout)
download_uri = answer['download_url']
assert download_uri.startswith('https://{}:4448/download/community-general'.format(hostname))
Correct (again) how ansible-galaxy proxy is configured The mix of <Location> and ProxyPass [path] <target> lead to some issue. This patch corrects them and makes the config more consistent. Until now, the last URI was actually an error page from the main galaxy website. With this change, we now hit the S3 bucket as we should, allowing ansible-galaxy to download the archive, validate its checksum, and install the intended collection/role. This patch was fully tested locally using the httpd container image, a minimal configuration adding only the needed modules and the ansible-galaxy vhost/proxy, and running ansible-galaxy directly. In addition, this patch also makes a better testing of the proxy, using cURL until we actually download the file. Since ansible galaxy will provide a file under any condition, we also assert the downloaded file is really what it should be - a plain archive. If it's a miss on S3 side, it would be a JSON. And if we get an ansible galaxy answer, that would be an HTML file. The following commands were used: Run the container: podman run --rm --security-opt label=disable \ -v ./httpd.conf:/usr/local/apache2/conf/httpd.conf:ro \ -p 8080:8080 httpd:2.4 Run ansible-galaxy while ensuring we don't rely on its own internal cache: rm -rf operator ~/.ansible/galaxy_cache/api.json ansible-galaxy collection download -vvvvvvv \ -s http://localhost:8080/ -p ./operator tripleo.operator Then, the following URI were shown in the ansible-galaxy log: http://localhost:8080/ http://localhost:8080/api http://localhost:8080/api/v2/collections/tripleo/operator/ http://localhost:8080/api/v2/collections/tripleo/operator/versions/?page_size=100 http://localhost:8080/api/v2/collections/tripleo/operator/versions/0.9.0/ Then, the actual download: http://localhost:8080/download/tripleo-operator-0.9.0.tar.gz Then the checksum validation, and eventually it ended with: Collection 'tripleo.operator:0.9.0' was downloaded successfully Change-Id: Ibfe846b59bf987df3f533802cb329e15ce83500b
2023-01-11 13:35:51 +01:00
# Download a file and check we get an actual archive
download_uri = download_uri.replace('https://{}:4448'.format(hostname), '')
host.run(_run_cmd(host, 4448, url=download_uri, curl_opt='-sL --output /tmp/output.tar.gz'))
check_file = host.run('file /tmp/output.tar.gz')
assert 'gzip compressed data' in check_file.stdout
Copy Permalink