style: use deb822 format and remove deprecated apt_key (resolves #2233 / ND-2723)

0efd38c9 · Jörg Sachse · 50ce976e · 0efd38c9 · 0efd38c9 · 0efd38c9
Commit 0efd38c9 authored 1 year ago by Jörg Sachse
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -12,6 +12,15 @@ default:
    - source /opt/molecule/bin/activate
    - ansible --version
    - molecule --version
+  after_script:
+    - source /opt/molecule/bin/activate
+    - molecule destroy --scenario-name ${SCENARIO}
+variables:
+  SCENARIO: "default"
+  ANSIBLE_VAULT_PASSWORD_FILE: "${CI_PROJECT_DIR}/molecule/${SCENARIO}/../../../lza_backup_proxy.pass"
+  ANSIBLE_FORCE_COLOR: 'true'
+  PY_COLORS: '1'
 test-job:
  stage: test
@@ -19,15 +28,18 @@ test-job:
    - "shell"
  script:
    # make sure that Ansible Vaults are present and can be decrypted
-    - echo "${VAULT_LZA_BACKUP_PROXY}" > ../lza_backup_proxy.pass
+    - echo "${VAULT_LZA_BACKUP_PROXY}" > ${ANSIBLE_VAULT_PASSWORD_FILE}
-    - export ANSIBLE_VAULT_IDENTITY_LIST="../lza_backup_proxy.pass"
+    - export ANSIBLE_VAULT_IDENTITY_LIST="${ANSIBLE_VAULT_PASSWORD_FILE}"
    - rm -rf ../ansible_vaults/
    - git clone https://gitlab+deploy-token-25:${VAULT_ACCESS_TOKEN}@git.slub-dresden.de/slub-referat-2-3/ansible_vaults.git ../ansible_vaults/; \
    # run Molecule tests
-    - molecule syntax --scenario-name default
+    - molecule syntax --scenario-name ${SCENARIO}
-    - molecule lint --scenario-name default
+    # We cannot use `molecule lint` anymore because:
-    - molecule create --scenario-name default
+    # - https://github.com/ansible-community/molecule/pull/3802 "Remove lint command"
-    - molecule converge --scenario-name default
+    # - https://github.com/ansible-community/molecule/discussions/3825#discussioncomment-4908366
-    - molecule idempotence --scenario-name default
+    - yamllint --strict --format colored ./
-    # - molecule verify --scenario-name default
+    - ansible-lint --format full --profile production --strict --force-color ./
-    - molecule destroy --scenario-name default
+    - molecule create --scenario-name ${SCENARIO}
+    - molecule converge --scenario-name ${SCENARIO}
+    - molecule idempotence --scenario-name ${SCENARIO}
+    # - molecule verify --scenario-name ${SCENARIO}
--- a/molecule/resources/playbooks/prepare.yml
+++ b/molecule/resources/playbooks/prepare.yml
 ---
 - name: Prepare
  hosts: "*"
-  tasks:
+  pre_tasks:
-    - name: install GPG
+    - name: configure additional package repositories for Debian
-      ansible.builtin.apt:
+      when: ansible_os_family == "Debian"
-        name: "gnupg"
+      block:
-        state: latest
+        - name: install GPG
-        update_cache: true
+          ansible.builtin.apt:
-      become: true
+            name: "gnupg"
-    - name: add GPG key for SLUB Debian repository
+            state: latest
-      ansible.builtin.apt_key:
+            update_cache: true
-        url: "https://sdvdebianrepo.slub-dresden.de/deb-repository/pub.gpg.key"
+          become: true
-        state: present
+        - name: add GPG key for SLUB Debian repository
+          ansible.builtin.apt_key:
+            url: "{{ item }}"
+            state: absent
+          loop:
+            - "http://bdv141.slub-dresden.de/deb-repository/pub.gpg.key"
+            - "https://sdvdebianrepo.slub-dresden.de/deb-repository/pub.gpg.key"
+        - name: add repo URL to sources.list
+          ansible.builtin.apt_repository:
+            repo: "{{ item }}"
+            state: absent
+          loop:
+            - "deb http://bdv141.slub-dresden.de/deb-repository lza-testing main"
+            - "deb https://sdvdebianrepo.slub-dresden.de/deb-repository bullseye main"
+        - name: modify package repo config
+          ansible.builtin.deb822_repository:
+            architectures: "amd64"
+            components: "{{ item.components | default('main') }}"
+            enabled: "{{ item.enabled | default(true) }}"
+            name: "{{ item.name }}"
+            pdiffs: true
+            signed_by: "{{ item.signed_by }}"
+            suites: "{{ item.suites | default(ansible_lsb.codename) }}"
+            uris: "{{ item.uris }}"
+          loop:
+            # PC @steidl with local Debian repo for SubAp tests
+            # - name: "bdv141"
+            #   signed_by: "http://bdv141.slub-dresden.de/deb-repository/pub.gpg.key"
+            #   suites: "lza-testing"
+            #   uris: "http://bdv141.slub-dresden.de/deb-repository"
+            # on-prem Debian Repo
+            - name: "slub"
+              signed_by: "https://sdvdebianrepo.slub-dresden.de/deb-repository/pub.gpg.key"
+              uris: "https://sdvdebianrepo.slub-dresden.de/deb-repository"
+            # add non-free repos to be able to install libmath-random-perl from official Debian public repo
+            - name: "debian"
+              components: ["main", "non-free"]
+              signed_by: "/usr/share/keyrings/debian-archive-keyring.gpg"
+              suites: ["{{ ansible_lsb.codename }}", "{{ ansible_lsb.codename }}-updates"]
+              uris: "http://deb.debian.org/debian"
+          notify: update package cache
+          become: true
+    - name: configure additional package repositories for RedHat
+      when: ansible_os_family == "RedHat"
+      block:
+        - name: add custom repositories
+          ansible.builtin.yum_repository:
+            name: "{{ item.name }}"
+            description: "{{ item.description }}"
+            baseurl: "{{ item.baseurl }}"
+            gpgcheck: "{{ item.gpgcheck | default('true') }}"
+            gpgkey: "{{ item.gpgkey | default(omit) }}"
+          loop:
+            - name: "epel"
+              description: EPEL YUM repo
+              baseurl: "https://download.fedoraproject.org/pub/epel/{{ ansible_distribution_major_version }}/x86_64/"
+              gpgkey: "https://dl.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-{{ ansible_distribution_major_version }}"
+            - name: "slub"
+              description: SLUB YUM repo
+              baseurl: "https://sdvrhelrepo.slub-dresden.de/"
+              gpgcheck: "false"
+          notify: update package cache
+        - name: remove legacy repo configuration to avoid double configuration for SLUB repo
+          ansible.builtin.file:
+            path: "/etc/yum.repos.d/SLUB.repo"
+            state: absent
+          notify: update package cache
+    # Ansible roles can install a multitude of firewall rules, some of which
+    # will lock us out of our Molecule test VM if we don't take precautions.
+    # As Molecule itself uses SSH just like Ansible, we need to open port
+    # tcp/22 to the private /24 subnet that Vagrant uses when provisioning the
+    # VM. As we don't know for sure what the address for this subnet is and it
+    # can change across servers/platforms, we gather this information
+    # dynamically and filter it through `ipaddr` to get the address of the
+    # whole subnet. The rule is inserted right on top of the list to make sure
+    # we always get access.
+    - name: add firewall rule to allow access from Molecule host into testing VM
+      ansible.builtin.iptables:
+        action: insert
+        rule_num: 1
+        chain: INPUT
+        comment: "molecule access"
+        jump: "ACCEPT"
+        protocol: tcp
+        source: "{{ ansible_default_ipv4.address | ansible.utils.ipaddr('network') }}/24"
+        destination_port: "22"
      become: true
-    - name: add repo URL to sources.list
-      ansible.builtin.apt_repository:
+  handlers:
-        repo: "deb https://sdvdebianrepo.slub-dresden.de/deb-repository bullseye main"
+    - name: update package cache
-        state: present
+      ansible.builtin.package:
        update_cache: true
-        mode: "0644"
      become: true
--- a/molecule/virtualbox/molecule.yml
+++ b/molecule/virtualbox/molecule.yml
@@ -13,7 +13,7 @@ platforms:
  # https://github.com/ansible-community/molecule-vagrant#documentation
  # for more platform parameters.
  - name: vm-runner
-    box: debian/bullseye64
+    box: debian/bookworm64
    memory: 1024
    # List of raw Vagrant `config` options.
    # provider_raw_config_args:
@@ -21,7 +21,7 @@ platforms:
    # Dictionary of `config` options.
    config_options:
      ssh.keep_alive: yes
-      ssh.remote_user: "'lza'"
+      ssh.remote_user: "lza"
 provisioner:
  name: ansible
  log: true
@@ -29,7 +29,7 @@ provisioner:
    defaults:
      # https://stackoverflow.com/questions/57435811/ansible-molecule-pass-multiple-vault-ids
      # vault_identity_list: "@$HOME/.ansible/roles/lza_install_common.pass, @$HOME/.ansible/roles/passfile_1.pass"
-      vault_identity_list: "../lza_backup_proxy.pass"
+      vault_identity_list: "../../../lza_backup_proxy.pass"
  vvv: false
  playbooks:
    # create: ../resources/playbooks/create.yml