ci: rework molecule conf to disable priv escal on GH Actions
rpelisse committed Jan 30, 2025
1 parent e7b0c2a commit 0c393e0
Showing 23 changed files with 136 additions and 131 deletions.
3 changes: 2 additions & 1 deletion .github/workflows/ci.yml
Expand Up @@ -15,11 +15,12 @@ on:

jobs:
ci:
uses: ansible-middleware/github-actions/.github/workflows/cish.yml@main
uses: ansible-middleware/github-actions/.github/workflows/cish.yml@rootperm
secrets: inherit
with:
fqcn: 'middleware_automation/amq'
debug_verbosity: "${{ github.event.inputs.debug_verbosity }}"
root_permission_varname: activemq_install_requires_become
molecule_tests: >-
[ "static_cluster", "replication", "live_only", "mirroring" ]
podman_tests_current: >-
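Review bot: The reusable workflow is now consumed from a mutable branch, `uses: ansible-middleware/github-actions/.github/workflows/cish.yml@rootperm`, and with `secrets: inherit` on the next line every secret of this repository flows to whatever that branch contains at run time, so anyone who can push to `rootperm` (or to `main`, which it replaced) can read them. Pin the ref to a full commit SHA and keep the human-readable ref in a trailing comment, e.g. `uses: ansible-middleware/github-actions/.github/workflows/cish.yml@<40-char sha>  # rootperm`, and move it off the feature branch once that work is merged. The new `root_permission_varname: activemq_install_requires_become` input also deserves a one-line comment saying what the shared workflow does with it (presumably it sets the variable to false so the CI containers, which already run as root, skip privilege escalation), since nothing in this repository shows that.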
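--- a/molecule/mirroring/prepare.yml
+++ b/molecule/mirroring/prepare.yml
@@ -2,5 +2,9 @@
 - name: Prepare
 hosts: all
 tasks:
+- name: "Display value of activemq_install_requires_become"
+ansible.builtin.debug:
+var: activemq_install_requires_become
+
 - name: "Run preparation common to all scenario"
 ansible.builtin.include_tasks: ../prepare.yml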
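Review bot: The added `Display value of activemq_install_requires_become` task reads as a temporary diagnostic: it runs on every play, and the `static_cluster` prepare play in this same commit gets no equivalent, so the scenarios are already inconsistent. If it is meant to stay, add `verbosity: 1` under `ansible.builtin.debug:` so it only shows in verbose CI runs; otherwise remove it once the `rootperm` workflow is stable. The value is a boolean, so there is no leakage concern in printing it.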
7 changes: 4 additions & 3 deletions molecule/static_cluster/prepare.yml
@@ -1,11 +1,12 @@
---
- name: Prepare
hosts: all
vars:
tasks:
- name: "Run preparation common to all scenario"
ansible.builtin.include_tasks: ../prepare.yml
- name: "Create {{ activemq.service_name }} service user"
become: yes
become: "{{ activemq_install_requires_become | default(true) }}"
ansible.builtin.user:
name: amq-broker
home: /opt/amq/
Expand All @@ -24,10 +25,10 @@
owner: root
group: root
mode: 0444
become: true
become: "{{ activemq_install_requires_become | default(true) }}"
loop:
- "nfs/server-ca.crt"
- name: Run update_ca_trust
ansible.builtin.command: update-ca-trust
changed_when: False
become: true
become: "{{ activemq_install_requires_become | default(true) }}"
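Review bot: The first hunk adds a bare `vars:` to the play with nothing beneath it, which YAML reads as null; it looks like the spot where `activemq_install_requires_become` was meant to be set for this scenario, so either give it a value or drop the key. The three tasks switched to `become: "{{ activemq_install_requires_become | default(true) }}"` all still require root (creating the `amq-broker` user, copying a file owned by `root`/`root`, running `update-ca-trust`), so setting the flag to false only works when the connecting user is already root, as it presumably is in the GH Actions container. A comment on the play, e.g. `# become is switched off in CI only because the runner already executes as root; this is not a rootless install mode`, would stop the flag from being read as support for unprivileged installs.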
2 changes: 1 addition & 1 deletion roles/activemq/handlers/main.yml
Expand Up @@ -15,5 +15,5 @@
owner: "{{ activemq_service_user }}"
group: "{{ activemq_service_group }}"
mode: '0644'
become: true
become: "{{ activemq_install_requires_become | default(true) }}"
listen: "touch broker.xml"
2 changes: 1 addition & 1 deletion roles/activemq/tasks/acceptors.yml
Expand Up @@ -18,7 +18,7 @@
conf: urn:activemq
core: urn:activemq:core
pretty_print: true
become: true
become: "{{ activemq_install_requires_become | default(true) }}"
no_log: true
notify:
- restart amq_broker
6 changes: 3 additions & 3 deletions roles/activemq/tasks/address_settings.yml
@@ -1,7 +1,7 @@
---
- name: Create address settings in broker.xml
when: not activemq_modular_configuration
become: true
become: "{{ activemq_install_requires_become | default(true) }}"
block:
- name: Create address settings configuration string
ansible.builtin.set_fact:
Expand All @@ -21,13 +21,13 @@
conf: urn:activemq
core: urn:activemq:core
pretty_print: true
become: true
become: "{{ activemq_install_requires_become | default(true) }}"
notify:
- restart amq_broker with no config refresh

- name: Create modular address-settings configuration
when: activemq_modular_configuration
become: true
become: "{{ activemq_install_requires_become | default(true) }}"
block:
- name: Remove address-settings element from broker.xml
middleware_automation.common.xml:
6 changes: 3 additions & 3 deletions roles/activemq/tasks/addresses.yml
@@ -1,7 +1,7 @@
---
- name: Create addresses in broker.xml
when: not activemq_modular_configuration
become: true
become: "{{ activemq_install_requires_become | default(true) }}"
block:
- name: Create addresses string
ansible.builtin.set_fact:
Expand All @@ -21,13 +21,13 @@
conf: urn:activemq
core: urn:activemq:core
pretty_print: true
become: true
become: "{{ activemq_install_requires_become | default(true) }}"
notify:
- restart amq_broker with no config refresh

- name: Create modular addresses configuration
when: activemq_modular_configuration
become: true
become: "{{ activemq_install_requires_become | default(true) }}"
block:
- name: Remove addresses element from broker.xml
middleware_automation.common.xml:
4 changes: 2 additions & 2 deletions roles/activemq/tasks/broker_connections.yml
Expand Up @@ -17,7 +17,7 @@
conf: urn:activemq
core: urn:activemq:core
pretty_print: true
become: true
become: "{{ activemq_install_requires_become | default(true) }}"

- name: Create broker connections configuration in broker.xml
middleware_automation.common.xml:
Expand All @@ -29,6 +29,6 @@
conf: urn:activemq
core: urn:activemq:core
pretty_print: true
become: true
become: "{{ activemq_install_requires_become | default(true) }}"
notify:
- restart amq_broker with no config refresh
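--- a/roles/activemq/tasks/configure_broker.yml
+++ b/roles/activemq/tasks/configure_broker.yml
@@ -1,6 +1,7 @@
 ---
 - name: Configure ha policy
 when: activemq_ha_enabled or activemq_cluster_enabled
+become: "{{ activemq_install_requires_become | default(true) }}"
 block:
 - name: "Ensure ha-policy element exists"
 middleware_automation.common.xml:
@@ -12,7 +13,6 @@
 conf: urn:activemq
 core: urn:activemq:core
 pretty_print: true
-become: true
 notify:
 - restart amq_broker
 - name: "Configure ha-policy"
@@ -25,7 +25,6 @@
 conf: urn:activemq
 core: urn:activemq:core
 pretty_print: true
-become: true
 notify:
 - restart amq_broker
 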
10 changes: 5 additions & 5 deletions roles/activemq/tasks/configure_files.yml
@@ -1,6 +1,6 @@
---
- name: "Configure AMQ broker logging"
become: true
become: "{{ activemq_install_requires_become | default(true) }}"
ansible.builtin.template:
src: "{{ activemq_logger_config_template_path }}{{ activemq_logger_config_template }}"
dest: "{{ activemq.instance_home }}/etc/{{ activemq_logger_config_template | basename | regex_replace('[.]j2$', '') }}"
Expand All @@ -11,7 +11,7 @@
- restart amq_broker

- name: "Configure jolokia access"
become: true
become: "{{ activemq_install_requires_become | default(true) }}"
ansible.builtin.template:
src: jolokia-access.xml.j2
dest: "{{ activemq.instance_home }}/etc/jolokia-access.xml"
Expand All @@ -22,7 +22,7 @@
- restart amq_broker

- name: "Configure jaas"
become: true
become: "{{ activemq_install_requires_become | default(true) }}"
ansible.builtin.template:
src: "{{ activemq_auth_template }}"
dest: "{{ activemq.instance_home }}/etc/login.config"
Expand All @@ -33,7 +33,7 @@
- restart amq_broker

- name: "Configure console binding"
become: true
become: "{{ activemq_install_requires_become | default(true) }}"
middleware_automation.common.xml:
path: "{{ activemq.instance_home }}/etc/bootstrap.xml"
xpath: '/b:broker/b:web/b:binding'
Expand All @@ -45,7 +45,7 @@
- restart amq_broker

- name: "Configure using properties file"
become: true
become: "{{ activemq_install_requires_become | default(true) }}"
ansible.builtin.template:
src: "{{ activemq_properties_file }}"
dest: "{{ activemq.instance_home }}/etc/{{ activemq_properties_file | basename }}"
10 changes: 5 additions & 5 deletions roles/activemq/tasks/connectors.yml
Expand Up @@ -23,7 +23,7 @@
conf: urn:activemq
core: urn:activemq:core
pretty_print: true
become: true
become: "{{ activemq_install_requires_become | default(true) }}"

- name: Create connector configuration in broker.xml
middleware_automation.common.xml:
Expand All @@ -35,13 +35,13 @@
conf: urn:activemq
core: urn:activemq:core
pretty_print: true
become: true
become: "{{ activemq_install_requires_become | default(true) }}"
no_log: false
notify:
- restart amq_broker

- name: Configure discovery/broadcast groups
become: true
become: "{{ activemq_install_requires_become | default(true) }}"
when:
- activemq_cluster_discovery == 'static' or activemq_cluster_discovery == 'provided'
block:
Expand All @@ -64,7 +64,7 @@
core: urn:activemq:core

- name: Configure cluster connections
become: true
become: "{{ activemq_install_requires_become | default(true) }}"
when:
- activemq_cluster_discovery == 'static' or activemq_cluster_discovery == 'provided'
- activemq_ha_enabled or activemq_cluster_enabled
Expand All @@ -86,6 +86,6 @@
conf: urn:activemq
core: urn:activemq:core
pretty_print: true
become: true
become: "{{ activemq_install_requires_become | default(true) }}"
notify:
- restart amq_broker
8 changes: 4 additions & 4 deletions roles/activemq/tasks/diverts.yml
@@ -1,7 +1,7 @@
---
- name: Create diverts in broker.xml
when: not activemq_modular_configuration
become: true
become: "{{ activemq_install_requires_become | default(true) }}"
block:
- name: Create diverts configuration string
ansible.builtin.set_fact:
Expand All @@ -21,7 +21,7 @@
conf: urn:activemq
core: urn:activemq:core
pretty_print: true
become: true
become: "{{ activemq_install_requires_become | default(true) }}"

- name: Create diverts configuration in broker.xml
middleware_automation.common.xml:
Expand All @@ -33,13 +33,13 @@
conf: urn:activemq
core: urn:activemq:core
pretty_print: true
become: true
become: "{{ activemq_install_requires_become | default(true) }}"
notify:
- restart amq_broker with no config refresh

- name: Create modular diverts configuration
when: activemq_modular_configuration
become: true
become: "{{ activemq_install_requires_become | default(true) }}"
block:
- name: Remove diverts element from broker.xml
middleware_automation.common.xml:
2 changes: 1 addition & 1 deletion roles/activemq/tasks/fastpackages.yml
Expand Up @@ -10,7 +10,7 @@
packages_to_install: "{{ packages_to_install | default([]) + rpm_info.stdout_lines | map('regex_findall', 'package (.+) is not installed$') | default([]) | flatten }}"

- name: "Install packages: {{ packages_to_install }}"
become: true
become: "{{ activemq_install_requires_become | default(true) }}"
ansible.builtin.dnf:
name: "{{ packages_to_install }}"
state: present
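Review bot: `ansible.builtin.dnf` with `state: present` needs root regardless of the flag, so `become: "{{ activemq_install_requires_become | default(true) }}"` on the install task only succeeds with the flag off when the connecting user is already root; otherwise the failure surfaces late as a dnf permission error. Make that explicit with an `ansible.builtin.assert` placed just before the task, with `that: activemq_install_requires_become | default(true) or ansible_facts.user_uid == 0` and a `fail_msg` naming the flag, assuming fact gathering is enabled for the play (nothing shown here confirms it). The task file starts before this hunk, so the `rpm_info` register that feeds `packages_to_install` is outside the visible lines.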
4 changes: 2 additions & 2 deletions roles/activemq/tasks/federations.yml
Expand Up @@ -17,7 +17,7 @@
conf: urn:activemq
core: urn:activemq:core
pretty_print: true
become: true
become: "{{ activemq_install_requires_become | default(true) }}"

- name: Create federations configuration in broker.xml
middleware_automation.common.xml:
Expand All @@ -29,6 +29,6 @@
conf: urn:activemq
core: urn:activemq:core
pretty_print: true
become: true
become: "{{ activemq_install_requires_become | default(true) }}"
notify:
- restart amq_broker with no config refresh
22 changes: 11 additions & 11 deletions roles/activemq/tasks/install.yml
Expand Up @@ -11,15 +11,15 @@
quiet: true

- name: "Create {{ activemq.service_name }} service group"
become: true
become: "{{ activemq_install_requires_become | default(true) }}"
ansible.builtin.group:
name: "{{ activemq_service_group }}"
system: true

- name: "Create service user"
block:
- name: "Create {{ activemq.service_name }} service user"
become: true
become: "{{ activemq_install_requires_become | default(true) }}"
ansible.builtin.user:
name: "{{ activemq_service_user }}"
group: "{{ activemq_service_group }}"
Expand All @@ -37,13 +37,13 @@
notify: restart amq_broker

- name: "Check {{ activemq.service_name }} install location"
become: true
become: "{{ activemq_install_requires_become | default(true) }}"
ansible.builtin.stat:
path: "{{ activemq_dest }}"
register: install_location

- name: "Create {{ activemq.service_name }} install location"
become: true
become: "{{ activemq_install_requires_become | default(true) }}"
ansible.builtin.file:
dest: "{{ activemq_dest }}"
state: directory
Expand All @@ -58,7 +58,7 @@
chown -R {{ activemq_service_user }}:{{ activemq_service_group }} {{ activemq_dest }}
register: chown_status
changed_when: chown_status.stdout != ""
become: true
become: "{{ activemq_install_requires_become | default(true) }}"
when:
- install_location.stat.exists

Expand All @@ -68,7 +68,7 @@
archive: "{{ activemq_dest }}/{{ activemq.bundle }}"

- name: Check download archive path
become: true
become: "{{ activemq_install_requires_become | default(true) }}"
ansible.builtin.stat:
path: "{{ archive }}"
register: archive_path
Expand Down Expand Up @@ -147,13 +147,13 @@
- not archive_path.stat.exists
- local_archive_path.stat is defined
- local_archive_path.stat.exists
become: true
become: "{{ activemq_install_requires_become | default(true) }}"

- name: "Check target directory: {{ activemq.home }}"
ansible.builtin.stat:
path: "{{ activemq.home }}"
register: path_to_workdir
become: true
become: "{{ activemq_install_requires_become | default(true) }}"

- name: "Extract zipfile"
when:
Expand All @@ -167,7 +167,7 @@
owner: "{{ activemq_service_user }}"
group: "{{ activemq_service_group }}"
list_files: true
become: true
become: "{{ activemq_install_requires_become | default(true) }}"
register: new_version_extracted
when:
- new_version_downloaded.changed or not path_to_workdir.stat.exists
Expand All @@ -178,10 +178,10 @@
ansible.builtin.stat:
path: "{{ activemq.home }}"
register: path_to_workdir_after_extract
become: true
become: "{{ activemq_install_requires_become | default(true) }}"

- name: Link zipfile directory to wanted directory
become: true
become: "{{ activemq_install_requires_become | default(true) }}"
ansible.builtin.file:
state: link
src: "{{ activemq_dest }}/{{ new_version_extracted.files | first }}"
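Review bot: Every task in this file now carries `become: "{{ activemq_install_requires_become | default(true) }}"` — a dozen copies in the visible hunks — and the same line is repeated across the rest of the role, so the effective default lives in dozens of Jinja filters instead of one place. Unless a file outside this view already does it, declare `activemq_install_requires_become: true` in the role's `defaults/main.yml` and write `become: "{{ activemq_install_requires_become }}"` at the task level; a misspelled variable name at any one site then fails with an undefined-variable error instead of silently falling back to privilege escalation, and the flag becomes part of the role's documented interface. The file continues past the last hunk shown here.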