chore: deprecate RHEL 7 and add Molecule/Gitlab-CI compatibility for Rocky 8

afb08d0c · Jörg Sachse · 79861b67 · afb08d0c · afb08d0c · afb08d0c
Commit afb08d0c authored 10 months ago by Jörg Sachse
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -12,6 +12,13 @@ default:
    - source /opt/molecule/bin/activate
    - ansible --version
    - molecule --version
+    - echo "CURRENT PATH= '$(pwd)'"
+    # make sure that Ansible Vaults are present and can be decrypted
+    - echo "${VAULT_SERVER_HARDENING}" > ${ANSIBLE_VAULT_PASSWORD_FILE}
+    - export ANSIBLE_VAULT_PASSWORD_FILE="../../${ANSIBLE_VAULT_PASSWORD_FILE}"
+    - tree
+    - rm -rf ../ansible_vaults/
+    - git clone https://gitlab+deploy-token-25:${VAULT_ACCESS_TOKEN}@git.slub-dresden.de/slub-referat-2-3/ansible_vaults.git ../ansible_vaults/;
 variables:
  SCENARIO: "default"
  # ANSIBLE_VAULT_PASSWORD_FILE: "molecule/lza_server_hardening.pass"
@@ -19,18 +26,33 @@ variables:
  ANSIBLE_FORCE_COLOR: 'true'
  PY_COLORS: '1'
-test-job:
+test-job-debian:
  stage: test
  tags:
    - "shell"
+  variables:
+    SCENARIO: "default"
+  script:
+    # run Molecule tests
+    - molecule syntax --scenario-name ${SCENARIO}
+    # We cannot use `molecule lint` anymore because:
+    # - https://github.com/ansible-community/molecule/pull/3802 "Remove lint command"
+    # - https://github.com/ansible-community/molecule/discussions/3825#discussioncomment-4908366
+    - yamllint --strict --format colored ./
+    - ansible-lint --format full --profile production --strict --force-color ./
+    - molecule create --scenario-name ${SCENARIO}
+    - molecule converge --scenario-name ${SCENARIO}
+    - molecule idempotence --scenario-name ${SCENARIO}
+    # - molecule verify --scenario-name ${SCENARIO}
+    - molecule destroy --scenario-name ${SCENARIO}
+test-job-rhel:
+  stage: test
+  tags:
+    - "shell"
+  variables:
+    SCENARIO: "virtualbox_rocky8"
  script:
-    - echo "CURRENT PATH= '$(pwd)'" 
-    # make sure that Ansible Vaults are present and can be decrypted
-    - echo "${VAULT_SERVER_HARDENING}" > ${ANSIBLE_VAULT_PASSWORD_FILE}
-    - export ANSIBLE_VAULT_PASSWORD_FILE="../../${ANSIBLE_VAULT_PASSWORD_FILE}"
-    - tree
-    - rm -rf ../ansible_vaults/
-    - git clone https://gitlab+deploy-token-25:${VAULT_ACCESS_TOKEN}@git.slub-dresden.de/slub-referat-2-3/ansible_vaults.git ../ansible_vaults/; \
    # run Molecule tests
    - molecule syntax --scenario-name ${SCENARIO}
    # We cannot use `molecule lint` anymore because:

--- a/molecule/resources/playbooks/converge.yml
+++ b/molecule/resources/playbooks/converge.yml
@@ -9,7 +9,7 @@
      become: true
      when: ansible_os_family == "Debian"
    - name: update yum cache
-      ansible.builtin.yum:
+      ansible.builtin.dnf:
        update_cache: true
      become: true
      when: ansible_os_family == "RedHat"

--- a/molecule/resources/playbooks/prepare.yml
+++ b/molecule/resources/playbooks/prepare.yml
@@ -24,9 +24,47 @@
        notify: update package cache
        become: true
+    - name: inform users about supported RHEL versions
+      ansible.builtin.debug:
+        msg: >
+          "RHEL 7 and older versions are EOL and are no longer supported by
+           this Ansible role. This is also true for RHEL compatible Linux
+           distributions like CentOS 7. Please upgrade your systems and try
+           again."
+      when:
+        - ansible_os_family == "RedHat"
+        - "ansible_distribution_major_version is version('8', '<')"
+      failed_when: true    # Always exit on unsupported targets.
    - name: configure additional package repositories for RedHat
-      when: ansible_os_family == "RedHat"
+      when:
+        - ansible_os_family == "RedHat"
+        - "ansible_distribution_major_version is version('8', '>=')"
      block:
+      # https://docs.fedoraproject.org/en-US/epel/getting-started/#_other_rhel_8_compatible_distributions
+      - name: enable powertools repository on RHEL 8 in order to use EPEL
+        community.general.dnf_config_manager:
+          name: "powertools"
+          state: enabled
+        when: "ansible_distribution_major_version is version('8', '==')"
+        become: true
+        notify: update package cache
+      - name: enable crb repository on RHEL 9 in order to use EPEL
+        community.general.dnf_config_manager:
+          name: "crb"
+          state: enabled
+        when: "ansible_distribution_major_version is version('9', '==')"
+        become: true
+        notify: update package cache
+      - name: >
+          flush handlers to immediately update package cache for installing
+          EPEL repo package
+        ansible.builtin.meta: flush_handlers
+      - name: install EPEL package
+        ansible.builtin.dnf:
+          name: "https://dl.fedoraproject.org/pub/epel/epel-release-latest-{{ ansible_distribution_major_version }}.noarch.rpm"
+          disable_gpg_check: true
+        become: true
      - name: add custom repositories
        ansible.builtin.yum_repository:
          name: "{{ item.name }}"
@@ -35,10 +73,6 @@
          gpgcheck: "{{ item.gpgcheck | default('true') }}"
          gpgkey: "{{ item.gpgkey | default(omit) }}"
        loop:
-          - name: "epel"
-            description: EPEL YUM repo
-            baseurl: "https://download.fedoraproject.org/pub/epel/{{ ansible_distribution_major_version }}/x86_64/"
-            gpgkey: "https://dl.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-{{ ansible_distribution_major_version }}"
          - name: "slub"
            description: SLUB YUM repo
            baseurl: "https://sdvrhelrepo.slub-dresden.de/"

--- a/molecule/centos7/molecule.yml
+++ b/molecule/centos7/molecule.yml
@@ -4,33 +4,29 @@ dependency:
  enabled: false
 driver:
  name: vagrant
-lint: |
-  set -e
-  yamllint .
-  ansible-lint -x no-loop-var-prefix,command-instead-of-module,package-latest
 platforms:
  # Check out the documentation at
  # https://github.com/ansible-community/molecule-vagrant#documentation
  # for more platform parameters.
-  - name: vm-runner
+  - name: vm-harden-mol
-    box: centos/7
+    box: rockylinux/8
    memory: 1024
    # List of raw Vagrant `config` options.
    # provider_raw_config_args:
    #   - "customize [ 'modifyvm', :id, '--natdnshostresolver1', 'on' ]"
    # Dictionary of `config` options.
    config_options:
-      ssh.keep_alive: yes
+      ssh.keep_alive: true
      ssh.remote_user: "lza"
+      disksize.size: '20GB'
 provisioner:
  name: ansible
  log: true
  config_options:
    defaults:
      # https://stackoverflow.com/questions/57435811/ansible-molecule-pass-multiple-vault-ids
-      #vault_identity_list: "@$HOME/.ansible/roles/lza_install_common.pass, @$HOME/.ansible/roles/passfile_1.pass"
+      # vault_identity_list: "@$HOME/.ansible/roles/lza_install_common.pass, @$HOME/.ansible/roles/passfile_1.pass"
-      #vault_identity_list: "${MOLECULE_PROJECT_DIRECTORY}/../../lza_server_hardening.pass"
+      vault_identity_list: "../../../lza_server_hardening.pass"
-      vault_identity_list: "../lza_server_hardening.pass, ../../../lza_server_hardening.pass"
  vvv: false
  playbooks:
    # create: ../resources/playbooks/create.yml