Merge pull request #328 from hcherukuri/main

Fix sanity and molecule tests
2026-05-06 21:33:05 +00:00 · 2026-04-24 10:26:26 -04:00
parent 7be872cc48 22f1ce516d
commit 1013a05f8c
12 changed files with 135 additions and 41 deletions
--- a/.github/workflows/cish-keycloak.yml
+++ b/.github/workflows/cish-keycloak.yml
@@ -1,6 +1,7 @@
 ---
 # Vendor of ansible-middleware/github-actions/.github/workflows/cish.yml (sync when CI workflow changes).
-# Podman Molecule jobs are skipped for fork pull requests (no org self-hosted runners / secrets).
+# Podman Molecule jobs: upstream uses self-hosted runners; forks and other repos use ubuntu-22.04 + podman.
+# Cross-repo PRs (fork → upstream) are skipped here so untrusted code does not run on org runners with secrets.
 name: CI
 on:
  workflow_call:
@@ -205,30 +206,54 @@ jobs:
          STAGE_JBOSSNETWORK_API_SECRET: '${{ secrets.STAGE_JBOSSNETWORK_API_SECRET }}'

  molecule_current:
-    if: ${{ github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false }}
-    runs-on: molecule-2.18
+    if: ${{ github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.event.pull_request.base.repo.full_name }}
+    runs-on: ${{ github.repository == 'ansible-middleware/keycloak' && 'molecule-2.18' || 'ubuntu-22.04' }}
    strategy:
      matrix:
        python_version: ["3.12"]
        molecule_test: ${{ fromJSON(inputs.podman_tests_current) }}
      fail-fast: ${{ inputs.fail_fast }}
+    env:
+      PROXY: ${{ github.repository == 'ansible-middleware/keycloak' && '10.88.0.1:3128' || '' }}
+      NO_PROXY: ${{ github.repository == 'ansible-middleware/keycloak' && 'localhost,.redhat.com,.ansible.com' || '' }}
    steps:
      - name: Check out code
        uses: actions/checkout@v4
        with:
          path: ansible_collections/${{ inputs.fqcn }}

+      - name: Set up Python ${{ matrix.python_version }}
+        if: ${{ github.repository != 'ansible-middleware/keycloak' }}
+        uses: actions/setup-python@v5
+        with:
+          python-version: ${{ matrix.python_version }}
+          cache: 'pip'
+          cache-dependency-path: ansible_collections/${{ inputs.fqcn }}/requirements.txt
+
      - name: Ensure podman is available
        run: |
-          if ! command -v podman &> /dev/null; then
-            echo "::warning::podman not found in PATH, attempting to install"
-            dnf install -y podman 2>/dev/null || sudo dnf install -y podman || {
-              echo "::error::Failed to install podman. The self-hosted runner image needs podman pre-installed."
-              exit 1
-            }
+          if command -v podman &> /dev/null; then
+            echo "podman $(podman --version)"
+            exit 0
+          fi
+          echo "::warning::podman not found in PATH, attempting to install"
+          if command -v apt-get &> /dev/null; then
+            sudo apt-get update -y
+            sudo apt-get install -y podman
+          elif command -v dnf &> /dev/null; then
+            sudo dnf install -y podman
+          else
+            echo "::error::Unsupported package manager; install podman on the runner image."
+            exit 1
          fi
          echo "podman $(podman --version)"

+      - name: Use vfs storage for rootless podman (GitHub-hosted)
+        if: ${{ github.repository != 'ansible-middleware/keycloak' }}
+        run: |
+          mkdir -p "${HOME}/.config/containers"
+          printf '%s\n' '[storage]' 'driver = "vfs"' > "${HOME}/.config/containers/storage.conf"
+
      - name: Initialize podman for current user
        run: |
          podman system migrate || true
@@ -242,6 +267,10 @@ jobs:
          max_attempts: 3
          command: |
            python3.12 -m pip install --upgrade pip
+            if [ "${{ github.repository }}" != "ansible-middleware/keycloak" ]; then
+              python3.12 -m pip install --progress-bar off \
+                'molecule>=24.2.0' 'molecule-plugins[podman]>=23.0.0' 'ansible-core~=2.18'
+            fi
            if [ -f ansible_collections/${{ inputs.fqcn }}/requirements.txt ]; then
              echo "=== Installing python deps"
              python3.12 -m pip install --progress-bar off -r ansible_collections/${{ inputs.fqcn }}/requirements.txt
@@ -269,34 +298,56 @@ jobs:
          PROD_JBOSSNETWORK_API_SECRET: '${{ secrets.PROD_JBOSSNETWORK_API_SECRET }}'
          STAGE_JBOSSNETWORK_API_CLIENTID: '${{ secrets.STAGE_JBOSSNETWORK_API_CLIENTID }}'
          STAGE_JBOSSNETWORK_API_SECRET: '${{ secrets.STAGE_JBOSSNETWORK_API_SECRET }}'
-          PROXY: '10.88.0.1:3128'
-          NO_PROXY: 'localhost,.redhat.com,.ansible.com'

  molecule_middle:
-    if: ${{ github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false }}
-    runs-on: molecule-2.19
+    if: ${{ github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.event.pull_request.base.repo.full_name }}
+    runs-on: ${{ github.repository == 'ansible-middleware/keycloak' && 'molecule-2.19' || 'ubuntu-22.04' }}
    strategy:
      matrix:
        python_version: ["3.12"]
        molecule_test: ${{ fromJSON(inputs.podman_tests_middle) }}
      fail-fast: ${{ inputs.fail_fast }}
+    env:
+      PROXY: ${{ github.repository == 'ansible-middleware/keycloak' && '10.88.0.1:3128' || '' }}
+      NO_PROXY: ${{ github.repository == 'ansible-middleware/keycloak' && 'localhost,.redhat.com,.ansible.com' || '' }}
    steps:
      - name: Check out code
        uses: actions/checkout@v4
        with:
          path: ansible_collections/${{ inputs.fqcn }}

+      - name: Set up Python ${{ matrix.python_version }}
+        if: ${{ github.repository != 'ansible-middleware/keycloak' }}
+        uses: actions/setup-python@v5
+        with:
+          python-version: ${{ matrix.python_version }}
+          cache: 'pip'
+          cache-dependency-path: ansible_collections/${{ inputs.fqcn }}/requirements.txt
+
      - name: Ensure podman is available
        run: |
-          if ! command -v podman &> /dev/null; then
-            echo "::warning::podman not found in PATH, attempting to install"
-            dnf install -y podman 2>/dev/null || sudo dnf install -y podman || {
-              echo "::error::Failed to install podman. The self-hosted runner image needs podman pre-installed."
-              exit 1
-            }
+          if command -v podman &> /dev/null; then
+            echo "podman $(podman --version)"
+            exit 0
+          fi
+          echo "::warning::podman not found in PATH, attempting to install"
+          if command -v apt-get &> /dev/null; then
+            sudo apt-get update -y
+            sudo apt-get install -y podman
+          elif command -v dnf &> /dev/null; then
+            sudo dnf install -y podman
+          else
+            echo "::error::Unsupported package manager; install podman on the runner image."
+            exit 1
          fi
          echo "podman $(podman --version)"

+      - name: Use vfs storage for rootless podman (GitHub-hosted)
+        if: ${{ github.repository != 'ansible-middleware/keycloak' }}
+        run: |
+          mkdir -p "${HOME}/.config/containers"
+          printf '%s\n' '[storage]' 'driver = "vfs"' > "${HOME}/.config/containers/storage.conf"
+
      - name: Initialize podman for current user
        run: |
          podman system migrate || true
@@ -310,6 +361,10 @@ jobs:
          max_attempts: 3
          command: |
            python3.12 -m pip install --upgrade pip
+            if [ "${{ github.repository }}" != "ansible-middleware/keycloak" ]; then
+              python3.12 -m pip install --progress-bar off \
+                'molecule>=24.2.0' 'molecule-plugins[podman]>=23.0.0' 'ansible-core~=2.19'
+            fi
            if [ -f ansible_collections/${{ inputs.fqcn }}/requirements.txt ]; then
              echo "=== Installing python deps"
              python3.12 -m pip install --progress-bar off -r ansible_collections/${{ inputs.fqcn }}/requirements.txt
@@ -337,34 +392,56 @@ jobs:
          PROD_JBOSSNETWORK_API_SECRET: '${{ secrets.PROD_JBOSSNETWORK_API_SECRET }}'
          STAGE_JBOSSNETWORK_API_CLIENTID: '${{ secrets.STAGE_JBOSSNETWORK_API_CLIENTID }}'
          STAGE_JBOSSNETWORK_API_SECRET: '${{ secrets.STAGE_JBOSSNETWORK_API_SECRET }}'
-          PROXY: '10.88.0.1:3128'
-          NO_PROXY: 'localhost,.redhat.com,.ansible.com'

  molecule_next:
-    if: ${{ github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false }}
-    runs-on: molecule-2.20
+    if: ${{ github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.event.pull_request.base.repo.full_name }}
+    runs-on: ${{ github.repository == 'ansible-middleware/keycloak' && 'molecule-2.20' || 'ubuntu-22.04' }}
    strategy:
      matrix:
        python_version: ["3.12"]
        molecule_test: ${{ fromJSON(inputs.podman_tests_next) }}
      fail-fast: ${{ inputs.fail_fast }}
+    env:
+      PROXY: ${{ github.repository == 'ansible-middleware/keycloak' && '10.88.0.1:3128' || '' }}
+      NO_PROXY: ${{ github.repository == 'ansible-middleware/keycloak' && 'localhost,.redhat.com,.ansible.com' || '' }}
    steps:
      - name: Check out code
        uses: actions/checkout@v4
        with:
          path: ansible_collections/${{ inputs.fqcn }}

+      - name: Set up Python ${{ matrix.python_version }}
+        if: ${{ github.repository != 'ansible-middleware/keycloak' }}
+        uses: actions/setup-python@v5
+        with:
+          python-version: ${{ matrix.python_version }}
+          cache: 'pip'
+          cache-dependency-path: ansible_collections/${{ inputs.fqcn }}/requirements.txt
+
      - name: Ensure podman is available
        run: |
-          if ! command -v podman &> /dev/null; then
-            echo "::warning::podman not found in PATH, attempting to install"
-            dnf install -y podman 2>/dev/null || sudo dnf install -y podman || {
-              echo "::error::Failed to install podman. The self-hosted runner image needs podman pre-installed."
-              exit 1
-            }
+          if command -v podman &> /dev/null; then
+            echo "podman $(podman --version)"
+            exit 0
+          fi
+          echo "::warning::podman not found in PATH, attempting to install"
+          if command -v apt-get &> /dev/null; then
+            sudo apt-get update -y
+            sudo apt-get install -y podman
+          elif command -v dnf &> /dev/null; then
+            sudo dnf install -y podman
+          else
+            echo "::error::Unsupported package manager; install podman on the runner image."
+            exit 1
          fi
          echo "podman $(podman --version)"

+      - name: Use vfs storage for rootless podman (GitHub-hosted)
+        if: ${{ github.repository != 'ansible-middleware/keycloak' }}
+        run: |
+          mkdir -p "${HOME}/.config/containers"
+          printf '%s\n' '[storage]' 'driver = "vfs"' > "${HOME}/.config/containers/storage.conf"
+
      - name: Initialize podman for current user
        run: |
          podman system migrate || true
@@ -378,6 +455,10 @@ jobs:
          max_attempts: 3
          command: |
            python3.12 -m pip install --upgrade pip
+            if [ "${{ github.repository }}" != "ansible-middleware/keycloak" ]; then
+              python3.12 -m pip install --progress-bar off \
+                'molecule>=24.2.0' 'molecule-plugins[podman]>=23.0.0' 'ansible-core~=2.20'
+            fi
            if [ -f ansible_collections/${{ inputs.fqcn }}/requirements.txt ]; then
              echo "=== Installing python deps"
              python3.12 -m pip install --progress-bar off -r ansible_collections/${{ inputs.fqcn }}/requirements.txt
@@ -405,5 +486,3 @@ jobs:
          PROD_JBOSSNETWORK_API_SECRET: '${{ secrets.PROD_JBOSSNETWORK_API_SECRET }}'
          STAGE_JBOSSNETWORK_API_CLIENTID: '${{ secrets.STAGE_JBOSSNETWORK_API_CLIENTID }}'
          STAGE_JBOSSNETWORK_API_SECRET: '${{ secrets.STAGE_JBOSSNETWORK_API_SECRET }}'
-          PROXY: '10.88.0.1:3128'
-          NO_PROXY: 'localhost,.redhat.com,.ansible.com'
--- a/molecule/https_revproxy/prepare.yml
+++ b/molecule/https_revproxy/prepare.yml
@@ -27,6 +27,8 @@
  pre_tasks:
    - name: Create certificate request
      ansible.builtin.command: openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -sha256 -days 365 -nodes -subj '/CN=proxy'
+      args:
+        chdir: "{{ playbook_dir }}"
      delegate_to: localhost
      changed_when: false
    - name: Make certificate directory
--- a/molecule/quarkus/prepare.yml
+++ b/molecule/quarkus/prepare.yml
@@ -11,6 +11,8 @@

    - name: Create certificate request
      ansible.builtin.command: openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -sha256 -days 365 -nodes -subj '/CN=instance'
+      args:
+        chdir: "{{ playbook_dir }}"
      delegate_to: localhost
      changed_when: false

@@ -31,6 +33,8 @@

    - name: Create vault keystore
      ansible.builtin.command: keytool -importpass -alias TestRealm_testalias -keystore keystore.p12 -storepass keystorepassword
+      args:
+        chdir: "{{ playbook_dir }}"
      delegate_to: localhost
      register: keytool_cmd
      changed_when: False
--- a/molecule/quarkus_ha/molecule.yml
+++ b/molecule/quarkus_ha/molecule.yml
@@ -42,7 +42,7 @@ platforms:
    mounts:
      - type: bind
        target: /etc/postgresql/postgresql.conf
-        source: ${PWD}/molecule/quarkus_ha/postgresql/postgresql.conf
+        source: ${MOLECULE_PROJECT_DIRECTORY}/molecule/quarkus_ha/postgresql/postgresql.conf
    env:
      POSTGRES_USER: keycloak
      POSTGRES_PASSWORD: mysecretpass
--- a/molecule/quarkus_ha/prepare.yml
+++ b/molecule/quarkus_ha/prepare.yml
@@ -11,6 +11,8 @@

    - name: Create certificate request
      ansible.builtin.command: "openssl req -x509 -newkey rsa:4096 -keyout {{ inventory_hostname }}.key -out {{ inventory_hostname }}.pem -sha256 -days 365 -nodes -subj '/CN={{ inventory_hostname }}'"
+      args:
+        chdir: "{{ playbook_dir }}"
      delegate_to: localhost
      changed_when: False

--- a/molecule/quarkus_ha_26.4_below/molecule.yml
+++ b/molecule/quarkus_ha_26.4_below/molecule.yml
@@ -42,7 +42,7 @@ platforms:
    mounts:
      - type: bind
        target: /etc/postgresql/postgresql.conf
-        source: ${PWD}/molecule/quarkus_ha/postgresql/postgresql.conf
+        source: ${MOLECULE_PROJECT_DIRECTORY}/molecule/quarkus_ha/postgresql/postgresql.conf
    env:
      POSTGRES_USER: keycloak
      POSTGRES_PASSWORD: mysecretpass
--- a/molecule/quarkus_ha_26.4_below/prepare.yml
+++ b/molecule/quarkus_ha_26.4_below/prepare.yml
@@ -11,6 +11,8 @@

    - name: Create certificate request
      ansible.builtin.command: "openssl req -x509 -newkey rsa:4096 -keyout {{ inventory_hostname }}.key -out {{ inventory_hostname }}.pem -sha256 -days 365 -nodes -subj '/CN={{ inventory_hostname }}'"
+      args:
+        chdir: "{{ playbook_dir }}"
      delegate_to: localhost
      changed_when: False

--- a/molecule/quarkus_ha_remote/molecule.yml
+++ b/molecule/quarkus_ha_remote/molecule.yml
@@ -40,7 +40,7 @@ platforms:
    mounts:
      - type: bind
        target: /etc/postgresql/postgresql.conf
-        source: ${PWD}/molecule/quarkus_ha/postgresql/postgresql.conf
+        source: ${MOLECULE_PROJECT_DIRECTORY}/molecule/quarkus_ha/postgresql/postgresql.conf
    env:
      POSTGRES_USER: keycloak
      POSTGRES_PASSWORD: mysecretpass
--- a/molecule/quarkus_ha_remote/prepare.yml
+++ b/molecule/quarkus_ha_remote/prepare.yml
@@ -11,6 +11,8 @@

    - name: Create certificate request
      ansible.builtin.command: "openssl req -x509 -newkey rsa:4096 -keyout {{ inventory_hostname }}.key -out {{ inventory_hostname }}.pem -sha256 -days 365 -nodes -subj '/CN={{ inventory_hostname }}'"
+      args:
+        chdir: "{{ playbook_dir }}"
      delegate_to: localhost
      changed_when: False

@@ -31,6 +33,8 @@

    - name: Create vault keystore
      ansible.builtin.command: keytool -importpass -alias TestRealm_testalias -keystore keystore.p12 -storepass keystorepassword
+      args:
+        chdir: "{{ playbook_dir }}"
      delegate_to: localhost
      register: keytool_cmd
      changed_when: False
--- a/molecule/quarkus_upgrade/prepare.yml
+++ b/molecule/quarkus_upgrade/prepare.yml
@@ -43,6 +43,8 @@

    - name: Create certificate request
      ansible.builtin.command: openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -sha256 -days 365 -nodes -subj '/CN=instance'
+      args:
+        chdir: "{{ playbook_dir }}"
      delegate_to: localhost
      changed_when: false
  roles:
--- a/molecule/quarkus_upgrade/verify.yml
+++ b/molecule/quarkus_upgrade/verify.yml
@@ -14,10 +14,9 @@
          - ansible_facts.services["keycloak.service"]["state"] == "running"
          - ansible_facts.services["keycloak.service"]["status"] == "enabled"

-    - name: Verify we are running on requested jvm
-      ansible.builtin.shell: |
-        set -eo pipefail
-        ps -ef | grep 'etc/alternatives/.*21' | grep -v grep
+    - name: Verify Java 21 runtime is installed (UBI/RHEL)
+      ansible.builtin.command:
+        cmd: rpm -q java-21-openjdk-headless
      changed_when: false

    - name: Verify token api call
@@ -28,5 +27,5 @@
        validate_certs: no
      register: keycloak_auth_response
      until: keycloak_auth_response.status == 200
-      retries: 2
-      delay: 2
+      retries: 45
+      delay: 5
--- a/plugins/modules/keycloak_client_scope.py
+++ b/plugins/modules/keycloak_client_scope.py
@@ -49,6 +49,7 @@ options:

    description:
        type: str
+        default: ''
        description:
            - Description of the client scope.

@@ -179,7 +180,6 @@ end_state:
 from ansible_collections.middleware_automation.keycloak.plugins.module_utils.identity.keycloak.keycloak import KeycloakAPI, \
    keycloak_argument_spec, get_token, KeycloakError
 from ansible.module_utils.basic import AnsibleModule
-import copy


 def main():