Rewrite EE test workflows to use ansible-builder 3.0.0; fix EE dependencies (#606)

* Adjust EE tests to ansible-builder 3.0.0. * Remove other CI workflows. * Use docker instead of podman... * Support Rocky Linux 9+. * Add CentOS Stream 9 to EE tests. * Fix installation of PyOpenSSL on CentOS/RHEL/Rocky. * ansible-builder only attempts to install EPEL deps on CentOS. * Make EPEL also available on Rocky Linux 9, even though ansible-builder will ignore it. * Make sure cryptography is already installed. * Try ansible-runner < 2.0.0 for CentOS Stream 8 / RHEL 8. * Show more info. * Start restricting transitive dependencies... * Looks like PyOpenSSL is **broken** on CentOS Stream 9 + EPEL. * ansible-builder will NOT work with Python 3.6. use Python 3.9 on RHEL8 / CentOS Stream 8. Manually install cryptography and PyOpenSSL for Python 3.9 as well. * PyOpenSSL isn't available for Python 3.8 or 3.9. * Revert "Remove other CI workflows." This reverts commit 3a9d125f45. * Use podman instead of docker. * Re-order bindep entries. * python3-pyOpenSSL does not exist on RHEL/CentOS 6 and 7.
2023-05-21 12:43:14 +02:00 · 2023-05-21 12:43:14 +02:00 · c703dd6056
parent 153de3ffef
commit c703dd6056
5 changed files with 108 additions and 19 deletions
--- a/.github/workflows/ee.yml
+++ b/.github/workflows/ee.yml
@ -22,14 +22,68 @@ env:

 jobs:
  build:
-    name: Build and test EE (Ⓐ${{ matrix.runner_tag }})
+    name: Build and test EE (${{ matrix.name }})
    strategy:
+      fail-fast: false
      matrix:
-        runner_tag:
-          - devel
-          - stable-2.12-latest
-          - stable-2.11-latest
-          - stable-2.9-latest
+        name:
+          - ''
+        ansible_core:
+          - ''
+        ansible_runner:
+          - ''
+        base_image:
+          - ''
+        pre_base:
+          - ''
+        extra_vars:
+          - ''
+        other_deps:
+          - ''
+        exclude:
+          - ansible_core: ''
+        include:
+          - name: ansible-core devel @ RHEL UBI 9
+            ansible_core: https://github.com/ansible/ansible/archive/devel.tar.gz
+            ansible_runner: ansible-runner
+            base_image: docker.io/redhat/ubi9:latest
+            pre_base: '"#"'
+            # For some reason ansible-builder will not install EPEL dependencies on RHEL
+            extra_vars: -e has_no_pyopenssl=true
+          - name: ansible-core 2.15 @ Rocky Linux 9
+            ansible_core: https://github.com/ansible/ansible/archive/stable-2.15.tar.gz
+            ansible_runner: ansible-runner
+            base_image: quay.io/rockylinux/rockylinux:9
+            pre_base: RUN dnf install -y epel-release
+            # For some reason ansible-builder will not install EPEL dependencies on Rocky Linux
+            extra_vars: -e has_no_pyopenssl=true
+          - name: ansible-core 2.14 @ CentOS Stream 9
+            ansible_core: https://github.com/ansible/ansible/archive/stable-2.14.tar.gz
+            ansible_runner: ansible-runner
+            base_image: quay.io/centos/centos:stream9
+            pre_base: RUN dnf install -y epel-release epel-next-release
+            # For some reason, PyOpenSSL is **broken** on CentOS Stream 9 / EPEL
+            extra_vars: -e has_no_pyopenssl=true
+          - name: ansible-core 2.13 @ RHEL UBI 8
+            ansible_core: https://github.com/ansible/ansible/archive/stable-2.13.tar.gz
+            ansible_runner: ansible-runner
+            other_deps: |2
+                python_interpreter:
+                  package_system: python39 python39-pip python39-wheel python39-cryptography
+            base_image: docker.io/redhat/ubi8:latest
+            pre_base: '"#"'
+            # We don't have PyOpenSSL for Python 3.9
+            extra_vars: -e has_no_pyopenssl=true
+          - name: ansible-core 2.12 @ CentOS Stream 8
+            ansible_core: https://github.com/ansible/ansible/archive/stable-2.12.tar.gz
+            ansible_runner: ansible-runner
+            other_deps: |2
+                python_interpreter:
+                  package_system: python39 python39-pip python39-wheel python39-cryptography
+            base_image: quay.io/centos/centos:stream8
+            pre_base: '"#"'
+            # We don't have PyOpenSSL for Python 3.9
+            extra_vars: -e has_no_pyopenssl=true
    runs-on: ubuntu-latest
    steps:
      - name: Check out code
@ -40,7 +94,7 @@ jobs:
      - name: Set up Python
        uses: actions/setup-python@v4
        with:
-          python-version: '3.10'
+          python-version: '3.11'

      - name: Install ansible-builder and ansible-navigator
        run: pip install ansible-builder ansible-navigator
@ -74,11 +128,26 @@ jobs:
          # EE config
          cat > execution-environment.yml <<EOF
          ---
-          version: 1
-          build_arg_defaults:
-            EE_BASE_IMAGE: 'quay.io/ansible/ansible-runner:${{ matrix.runner_tag }}'
+          version: 3
          dependencies:
+            ansible_core:
+              package_pip: ${{ matrix.ansible_core }}
+            ansible_runner:
+              package_pip: ${{ matrix.ansible_runner }}
            galaxy: requirements.yml
+          ${{ matrix.other_deps }}
+
+          images:
+            base_image:
+              name: ${{ matrix.base_image }}
+
+          additional_build_files:
+            - src: ${COLLECTION_FILENAME}
+              dest: src
+
+          additional_build_steps:
+            prepend_base:
+              - ${{ matrix.pre_base }}
          EOF
          echo "::group::execution-environment.yml"
          cat execution-environment.yml
@ -88,26 +157,29 @@ jobs:
          cat > requirements.yml <<EOF
          ---
          collections:
-            - name: ${COLLECTION_FILENAME}
+            - name: src/${COLLECTION_FILENAME}
              type: file
          EOF
          echo "::group::requirements.yml"
          cat requirements.yml
          echo "::endgroup::"

-      - name: Build image based on ${{ matrix.runner_tag }}
+      - name: Build image based on ${{ matrix.base_image }}
        run: |
-          mkdir -p context/_build/
-          cp "${{ env.NAMESPACE }}-${{ env.COLLECTION_NAME }}"-*.tar.gz context/_build/
-          ansible-builder build -v 3 -t test-ee:latest --container-runtime=podman
+          ansible-builder build --verbosity 3 --tag test-ee:latest --container-runtime podman
+
+      - name: Show images
+        run: podman image ls

      - name: Run basic tests
        run: >
          ansible-navigator run
          --mode stdout
+          --container-engine podman
          --pull-policy never
          --set-environment-variable ANSIBLE_PRIVATE_ROLE_VARS=true
          --execution-environment-image test-ee:latest
          -v
          all.yml
+          ${{ matrix.extra_vars }}
        working-directory: ansible_collections/${{ env.NAMESPACE }}/${{ env.COLLECTION_NAME }}/tests/ee
--- a/changelogs/fragments/606-ee-rocky.yml
+++ b/changelogs/fragments/606-ee-rocky.yml
@ -0,0 +1,3 @@
+bugfixes:
+  - "execution environment definition - fix source of ``python3-pyOpenSSL`` package for Rocky Linux 9+ (https://github.com/ansible-collections/community.crypto/pull/606)."
+  - "execution environment definition - fix installation of ``python3-pyOpenSSL`` package on CentOS and RHEL (https://github.com/ansible-collections/community.crypto/pull/606)."
--- a/meta/ee-bindep.txt
+++ b/meta/ee-bindep.txt
@ -11,7 +11,11 @@ openssl [platform:rpm]
 python3-cryptography [platform:dpkg]
 python3-cryptography [platform:rpm]
 python3-openssl [platform:dpkg]
-# On RHEL 9+ and CentOS Stream 9+, python3-pyOpenSSL is part of EPEL
-python3-pyOpenSSL [platform:rpm !platform:rhel !platform:centos]
-python3-pyOpenSSL [platform:rhel-6 platform:centos-6 platform:rhel-7 platform:centos-7 platform:rhel-8 platform:centos-8]
-python3-pyOpenSSL [platform:rhel platform:centos !platform:rhel-6 !platform:centos-6 !platform:rhel-7 !platform:centos-7 !platform:rhel-8 !platform:centos-8 epel]
+# On RHEL 9+, CentOS Stream 9+, and Rocky Linux 9+, python3-pyOpenSSL is part of EPEL
+python3-pyOpenSSL [platform:rpm !platform:rhel !platform:centos !platform:rocky]
+python3-pyOpenSSL [platform:rhel-8]
+python3-pyOpenSSL [platform:rhel !platform:rhel-6 !platform:rhel-7 !platform:rhel-8 epel]
+python3-pyOpenSSL [platform:centos-8]
+python3-pyOpenSSL [platform:centos !platform:centos-6 !platform:centos-7 !platform:centos-8 epel]
+python3-pyOpenSSL [platform:rocky-8]
+python3-pyOpenSSL [platform:rocky !platform:rocky-8 epel]
--- a/tests/ee/all.yml
+++ b/tests/ee/all.yml
@ -5,10 +5,19 @@

 - hosts: localhost
  tasks:
+    - name: Show Python info
+      debug:
+        var: ansible_python
+
    - name: Register cryptography version
      command: "{{ ansible_python.executable }} -c 'import cryptography; print(cryptography.__version__)'"
      register: cryptography_version

+    - name: Register pyOpenSSL version
+      command: "{{ ansible_python.executable }} -c 'import OpenSSL; print(OpenSSL.__version__)'"
+      ignore_errors: true
+      register: pyopenssl_version
+
    - name: Determine output directory
      set_fact:
        output_path: "{{ 'output-%0x' % ((2**32) | random) }}"
--- a/tests/ee/roles/openssl_pkcs12/tasks/main.yml
+++ b/tests/ee/roles/openssl_pkcs12/tasks/main.yml
@ -43,3 +43,4 @@
    certificate_path: "{{ output_path }}/pkcs12-cert.pem"
    state: present
    select_crypto_backend: pyopenssl
+  when: not (has_no_pyopenssl | default(false))