From 22f1ce516d530b88c7e1159d77bf8b0f341a923c Mon Sep 17 00:00:00 2001 From: Harsha Cherukuri Date: Fri, 24 Apr 2026 08:53:26 -0400 Subject: [PATCH] Fix sanity and molecule tests --- .github/workflows/cish-keycloak.yml | 141 +++++++++++++++----- molecule/https_revproxy/prepare.yml | 2 + molecule/quarkus/prepare.yml | 4 + molecule/quarkus_ha/molecule.yml | 2 +- molecule/quarkus_ha/prepare.yml | 2 + molecule/quarkus_ha_26.4_below/molecule.yml | 2 +- molecule/quarkus_ha_26.4_below/prepare.yml | 2 + molecule/quarkus_ha_remote/molecule.yml | 2 +- molecule/quarkus_ha_remote/prepare.yml | 4 + molecule/quarkus_upgrade/prepare.yml | 2 + molecule/quarkus_upgrade/verify.yml | 11 +- plugins/modules/keycloak_client_scope.py | 2 +- 12 files changed, 135 insertions(+), 41 deletions(-) diff --git a/.github/workflows/cish-keycloak.yml b/.github/workflows/cish-keycloak.yml index 2d1cb56..c53180f 100644 --- a/.github/workflows/cish-keycloak.yml +++ b/.github/workflows/cish-keycloak.yml @@ -1,6 +1,7 @@ --- # Vendor of ansible-middleware/github-actions/.github/workflows/cish.yml (sync when CI workflow changes). -# Podman Molecule jobs are skipped for fork pull requests (no org self-hosted runners / secrets). +# Podman Molecule jobs: upstream uses self-hosted runners; forks and other repos use ubuntu-22.04 + podman. +# Cross-repo PRs (fork → upstream) are skipped here so untrusted code does not run on org runners with secrets. name: CI on: workflow_call: 
@@ -205,30 +206,54 @@ jobs: STAGE_JBOSSNETWORK_API_SECRET: '${{ secrets.STAGE_JBOSSNETWORK_API_SECRET }}' molecule_current: - if: ${{ github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false }} - runs-on: molecule-2.18 + if: ${{ github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.event.pull_request.base.repo.full_name }} + runs-on: ${{ github.repository == 'ansible-middleware/keycloak' && 'molecule-2.18' || 'ubuntu-22.04' }} strategy: matrix: python_version: ["3.12"] molecule_test: ${{ fromJSON(inputs.podman_tests_current) }} fail-fast: ${{ inputs.fail_fast }} + env: + PROXY: ${{ github.repository == 'ansible-middleware/keycloak' && '10.88.0.1:3128' || '' }} + NO_PROXY: ${{ github.repository == 'ansible-middleware/keycloak' && 'localhost,.redhat.com,.ansible.com' || '' }} steps: - name: Check out code uses: actions/checkout@v4 with: path: ansible_collections/${{ inputs.fqcn }} + - name: Set up Python ${{ matrix.python_version }} + if: ${{ github.repository != 'ansible-middleware/keycloak' }} + uses: actions/setup-python@v5 + with: + python-version: ${{ matrix.python_version }} + cache: 'pip' + cache-dependency-path: ansible_collections/${{ inputs.fqcn }}/requirements.txt + - name: Ensure podman is available run: | - if ! command -v podman &> /dev/null; then - echo "::warning::podman not found in PATH, attempting to install" - dnf install -y podman 2>/dev/null || sudo dnf install -y podman || { - echo "::error::Failed to install podman. The self-hosted runner image needs podman pre-installed." 
- exit 1 - } + if command -v podman &> /dev/null; then + echo "podman $(podman --version)" + exit 0 + fi + echo "::warning::podman not found in PATH, attempting to install" + if command -v apt-get &> /dev/null; then + sudo apt-get update -y + sudo apt-get install -y podman + elif command -v dnf &> /dev/null; then + sudo dnf install -y podman + else + echo "::error::Unsupported package manager; install podman on the runner image." + exit 1 fi echo "podman $(podman --version)" + - name: Use vfs storage for rootless podman (GitHub-hosted) + if: ${{ github.repository != 'ansible-middleware/keycloak' }} + run: | + mkdir -p "${HOME}/.config/containers" + printf '%s\n' '[storage]' 'driver = "vfs"' > "${HOME}/.config/containers/storage.conf" + - name: Initialize podman for current user run: | podman system migrate || true @@ -242,6 +267,10 @@ jobs: max_attempts: 3 command: | python3.12 -m pip install --upgrade pip + if [ "${{ github.repository }}" != "ansible-middleware/keycloak" ]; then + python3.12 -m pip install --progress-bar off \ + 'molecule>=24.2.0' 'molecule-plugins[podman]>=23.0.0' 'ansible-core~=2.18' + fi if [ -f ansible_collections/${{ inputs.fqcn }}/requirements.txt ]; then echo "=== Installing python deps" python3.12 -m pip install --progress-bar off -r ansible_collections/${{ inputs.fqcn }}/requirements.txt 
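Review bot: The new job-level `if:` on `molecule_current` only gates `pull_request` events, so whether fork code can reach the self-hosted `molecule-2.18` runner (with the JBOSSNETWORK secrets in its env) depends entirely on the calling workflow never invoking this reusable workflow from `pull_request_target` — with that event `github.event_name != 'pull_request'` is true and the job runs the fork head regardless of the `full_name` comparison, contrary to what the new header comment promises. Either widen the guard, e.g. `if: ${{ (github.event_name != 'pull_request' && github.event_name != 'pull_request_target') || github.event.pull_request.head.repo.full_name == github.event.pull_request.base.repo.full_name }}`, or put the caller-side assumption in a comment directly above the `if:`. As a point of style, the `if:`/`runs-on:`/`env:` selectors and the three new steps are now copied verbatim into `molecule_middle` and `molecule_next` (same defect there), which a composite action or a `matrix.ansible_version` dimension would avoid. The `molecule_current` job starts before this hunk and its step list continues past it.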
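Review bot: The GitHub-hosted branch installs `'molecule>=24.2.0' 'molecule-plugins[podman]>=23.0.0' 'ansible-core~=2.18'` with lower bounds only, so every run resolves whatever is newest on PyPI and the results on forks/other repos are neither reproducible nor comparable with the upstream path, which skips this install (presumably because the self-hosted image ships these tools). Pin exact versions, or point at a hash-checked constraints file kept next to `requirements.txt`, and bump deliberately; the `molecule_middle` (2.19) and `molecule_next` (2.20) hunks carry the same unpinned install. The surrounding `command:` block starts and ends outside the hunk.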
@@ -269,34 +298,56 @@ jobs: PROD_JBOSSNETWORK_API_SECRET: '${{ secrets.PROD_JBOSSNETWORK_API_SECRET }}' STAGE_JBOSSNETWORK_API_CLIENTID: '${{ secrets.STAGE_JBOSSNETWORK_API_CLIENTID }}' STAGE_JBOSSNETWORK_API_SECRET: '${{ secrets.STAGE_JBOSSNETWORK_API_SECRET }}' - PROXY: '10.88.0.1:3128' - NO_PROXY: 'localhost,.redhat.com,.ansible.com' molecule_middle: - if: ${{ github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false }} - runs-on: molecule-2.19 + if: ${{ github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.event.pull_request.base.repo.full_name }} + runs-on: ${{ github.repository == 'ansible-middleware/keycloak' && 'molecule-2.19' || 'ubuntu-22.04' }} strategy: matrix: python_version: ["3.12"] molecule_test: ${{ fromJSON(inputs.podman_tests_middle) }} fail-fast: ${{ inputs.fail_fast }} + env: + PROXY: ${{ github.repository == 'ansible-middleware/keycloak' && '10.88.0.1:3128' || '' }} + NO_PROXY: ${{ github.repository == 'ansible-middleware/keycloak' && 'localhost,.redhat.com,.ansible.com' || '' }} steps: - name: Check out code uses: actions/checkout@v4 with: path: ansible_collections/${{ inputs.fqcn }} + - name: Set up Python ${{ matrix.python_version }} + if: ${{ github.repository != 'ansible-middleware/keycloak' }} + uses: actions/setup-python@v5 + with: + python-version: ${{ matrix.python_version }} + cache: 'pip' + cache-dependency-path: ansible_collections/${{ inputs.fqcn }}/requirements.txt + - name: Ensure podman is available run: | - if ! command -v podman &> /dev/null; then - echo "::warning::podman not found in PATH, attempting to install" - dnf install -y podman 2>/dev/null || sudo dnf install -y podman || { - echo "::error::Failed to install podman. The self-hosted runner image needs podman pre-installed." 
- exit 1 - } + if command -v podman &> /dev/null; then + echo "podman $(podman --version)" + exit 0 + fi + echo "::warning::podman not found in PATH, attempting to install" + if command -v apt-get &> /dev/null; then + sudo apt-get update -y + sudo apt-get install -y podman + elif command -v dnf &> /dev/null; then + sudo dnf install -y podman + else + echo "::error::Unsupported package manager; install podman on the runner image." + exit 1 fi echo "podman $(podman --version)" + - name: Use vfs storage for rootless podman (GitHub-hosted) + if: ${{ github.repository != 'ansible-middleware/keycloak' }} + run: | + mkdir -p "${HOME}/.config/containers" + printf '%s\n' '[storage]' 'driver = "vfs"' > "${HOME}/.config/containers/storage.conf" + - name: Initialize podman for current user run: | podman system migrate || true @@ -310,6 +361,10 @@ jobs: max_attempts: 3 command: | python3.12 -m pip install --upgrade pip + if [ "${{ github.repository }}" != "ansible-middleware/keycloak" ]; then + python3.12 -m pip install --progress-bar off \ + 'molecule>=24.2.0' 'molecule-plugins[podman]>=23.0.0' 'ansible-core~=2.19' + fi if [ -f ansible_collections/${{ inputs.fqcn }}/requirements.txt ]; then echo "=== Installing python deps" python3.12 -m pip install --progress-bar off -r ansible_collections/${{ inputs.fqcn }}/requirements.txt 
@@ -337,34 +392,56 @@ jobs: PROD_JBOSSNETWORK_API_SECRET: '${{ secrets.PROD_JBOSSNETWORK_API_SECRET }}' STAGE_JBOSSNETWORK_API_CLIENTID: '${{ secrets.STAGE_JBOSSNETWORK_API_CLIENTID }}' STAGE_JBOSSNETWORK_API_SECRET: '${{ secrets.STAGE_JBOSSNETWORK_API_SECRET }}' - PROXY: '10.88.0.1:3128' - NO_PROXY: 'localhost,.redhat.com,.ansible.com' molecule_next: - if: ${{ github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false }} - runs-on: molecule-2.20 + if: ${{ github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.event.pull_request.base.repo.full_name }} + runs-on: ${{ github.repository == 'ansible-middleware/keycloak' && 'molecule-2.20' || 'ubuntu-22.04' }} strategy: matrix: python_version: ["3.12"] molecule_test: ${{ fromJSON(inputs.podman_tests_next) }} fail-fast: ${{ inputs.fail_fast }} + env: + PROXY: ${{ github.repository == 'ansible-middleware/keycloak' && '10.88.0.1:3128' || '' }} + NO_PROXY: ${{ github.repository == 'ansible-middleware/keycloak' && 'localhost,.redhat.com,.ansible.com' || '' }} steps: - name: Check out code uses: actions/checkout@v4 with: path: ansible_collections/${{ inputs.fqcn }} + - name: Set up Python ${{ matrix.python_version }} + if: ${{ github.repository != 'ansible-middleware/keycloak' }} + uses: actions/setup-python@v5 + with: + python-version: ${{ matrix.python_version }} + cache: 'pip' + cache-dependency-path: ansible_collections/${{ inputs.fqcn }}/requirements.txt + - name: Ensure podman is available run: | - if ! command -v podman &> /dev/null; then - echo "::warning::podman not found in PATH, attempting to install" - dnf install -y podman 2>/dev/null || sudo dnf install -y podman || { - echo "::error::Failed to install podman. The self-hosted runner image needs podman pre-installed." 
- exit 1 - } + if command -v podman &> /dev/null; then + echo "podman $(podman --version)" + exit 0 + fi + echo "::warning::podman not found in PATH, attempting to install" + if command -v apt-get &> /dev/null; then + sudo apt-get update -y + sudo apt-get install -y podman + elif command -v dnf &> /dev/null; then + sudo dnf install -y podman + else + echo "::error::Unsupported package manager; install podman on the runner image." + exit 1 fi echo "podman $(podman --version)" + - name: Use vfs storage for rootless podman (GitHub-hosted) + if: ${{ github.repository != 'ansible-middleware/keycloak' }} + run: | + mkdir -p "${HOME}/.config/containers" + printf '%s\n' '[storage]' 'driver = "vfs"' > "${HOME}/.config/containers/storage.conf" + - name: Initialize podman for current user run: | podman system migrate || true @@ -378,6 +455,10 @@ jobs: max_attempts: 3 command: | python3.12 -m pip install --upgrade pip + if [ "${{ github.repository }}" != "ansible-middleware/keycloak" ]; then + python3.12 -m pip install --progress-bar off \ + 'molecule>=24.2.0' 'molecule-plugins[podman]>=23.0.0' 'ansible-core~=2.20' + fi if [ -f ansible_collections/${{ inputs.fqcn }}/requirements.txt ]; then echo "=== Installing python deps" python3.12 -m pip install --progress-bar off -r ansible_collections/${{ inputs.fqcn }}/requirements.txt @@ -405,5 +486,3 @@ jobs: PROD_JBOSSNETWORK_API_SECRET: '${{ secrets.PROD_JBOSSNETWORK_API_SECRET }}' STAGE_JBOSSNETWORK_API_CLIENTID: '${{ secrets.STAGE_JBOSSNETWORK_API_CLIENTID }}' STAGE_JBOSSNETWORK_API_SECRET: '${{ secrets.STAGE_JBOSSNETWORK_API_SECRET }}' - PROXY: '10.88.0.1:3128' - NO_PROXY: 'localhost,.redhat.com,.ansible.com' diff --git a/molecule/https_revproxy/prepare.yml b/molecule/https_revproxy/prepare.yml index 44018be..0ef0595 100644 --- a/molecule/https_revproxy/prepare.yml +++ b/molecule/https_revproxy/prepare.yml 
@@ -27,6 +27,8 @@ pre_tasks: - name: Create certificate request ansible.builtin.command: openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -sha256 -days 365 -nodes -subj '/CN=proxy' + args: + chdir: "{{ playbook_dir }}" delegate_to: localhost changed_when: false - name: Make certificate directory diff --git a/molecule/quarkus/prepare.yml b/molecule/quarkus/prepare.yml index abe2518..cf33427 100644 --- a/molecule/quarkus/prepare.yml +++ b/molecule/quarkus/prepare.yml @@ -11,6 +11,8 @@ - name: Create certificate request ansible.builtin.command: openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -sha256 -days 365 -nodes -subj '/CN=instance' + args: + chdir: "{{ playbook_dir }}" delegate_to: localhost changed_when: false @@ -31,6 +33,8 @@ - name: Create vault keystore ansible.builtin.command: keytool -importpass -alias TestRealm_testalias -keystore keystore.p12 -storepass keystorepassword + args: + chdir: "{{ playbook_dir }}" delegate_to: localhost register: keytool_cmd changed_when: False diff --git a/molecule/quarkus_ha/molecule.yml b/molecule/quarkus_ha/molecule.yml index ed09971..54dd70a 100644 --- a/molecule/quarkus_ha/molecule.yml +++ b/molecule/quarkus_ha/molecule.yml @@ -42,7 +42,7 @@ platforms: mounts: - type: bind target: /etc/postgresql/postgresql.conf - source: ${PWD}/molecule/quarkus_ha/postgresql/postgresql.conf + source: ${MOLECULE_PROJECT_DIRECTORY}/molecule/quarkus_ha/postgresql/postgresql.conf env: POSTGRES_USER: keycloak POSTGRES_PASSWORD: mysecretpass diff --git a/molecule/quarkus_ha/prepare.yml b/molecule/quarkus_ha/prepare.yml index dff1821..a8ff317 100644 --- a/molecule/quarkus_ha/prepare.yml +++ b/molecule/quarkus_ha/prepare.yml 
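Review bot: With `chdir: "{{ playbook_dir }}"` the openssl task now writes `key.pem`/`cert.pem` into the scenario directory of the checked-out repository on the controller, and `-nodes` plus `changed_when: false` means an unencrypted private key is silently regenerated on every run and nothing in this hunk removes it. They are throwaway test keys, but confirm the generated files are excluded from VCS and removed in the scenario's cleanup, and consider adding `creates: key.pem` under the new `args:` so a rerun does not replace a key that later tasks may already have copied onto the instance. The same applies to the `quarkus`, `quarkus_ha`, `quarkus_ha_26.4_below`, `quarkus_ha_remote` and `quarkus_upgrade` prepare.yml hunks; the enclosing `pre_tasks` list continues outside the hunk.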
@@ -11,6 +11,8 @@ - name: Create certificate request ansible.builtin.command: "openssl req -x509 -newkey rsa:4096 -keyout {{ inventory_hostname }}.key -out {{ inventory_hostname }}.pem -sha256 -days 365 -nodes -subj '/CN={{ inventory_hostname }}'" + args: + chdir: "{{ playbook_dir }}" delegate_to: localhost changed_when: False diff --git a/molecule/quarkus_ha_26.4_below/molecule.yml b/molecule/quarkus_ha_26.4_below/molecule.yml index ed09971..54dd70a 100644 --- a/molecule/quarkus_ha_26.4_below/molecule.yml +++ b/molecule/quarkus_ha_26.4_below/molecule.yml @@ -42,7 +42,7 @@ platforms: mounts: - type: bind target: /etc/postgresql/postgresql.conf - source: ${PWD}/molecule/quarkus_ha/postgresql/postgresql.conf + source: ${MOLECULE_PROJECT_DIRECTORY}/molecule/quarkus_ha/postgresql/postgresql.conf env: POSTGRES_USER: keycloak POSTGRES_PASSWORD: mysecretpass diff --git a/molecule/quarkus_ha_26.4_below/prepare.yml b/molecule/quarkus_ha_26.4_below/prepare.yml index dff1821..a8ff317 100644 --- a/molecule/quarkus_ha_26.4_below/prepare.yml +++ b/molecule/quarkus_ha_26.4_below/prepare.yml @@ -11,6 +11,8 @@ - name: Create certificate request ansible.builtin.command: "openssl req -x509 -newkey rsa:4096 -keyout {{ inventory_hostname }}.key -out {{ inventory_hostname }}.pem -sha256 -days 365 -nodes -subj '/CN={{ inventory_hostname }}'" + args: + chdir: "{{ playbook_dir }}" delegate_to: localhost changed_when: False diff --git a/molecule/quarkus_ha_remote/molecule.yml b/molecule/quarkus_ha_remote/molecule.yml index 23d8db6..9765cce 100644 --- a/molecule/quarkus_ha_remote/molecule.yml +++ b/molecule/quarkus_ha_remote/molecule.yml @@ -40,7 +40,7 @@ platforms: mounts: - type: bind target: /etc/postgresql/postgresql.conf - source: ${PWD}/molecule/quarkus_ha/postgresql/postgresql.conf + source: ${MOLECULE_PROJECT_DIRECTORY}/molecule/quarkus_ha/postgresql/postgresql.conf env: POSTGRES_USER: keycloak POSTGRES_PASSWORD: mysecretpass 
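Review bot: In `quarkus_ha_26.4_below/molecule.yml` the bind-mount `source` still points into the sibling scenario, `molecule/quarkus_ha/postgresql/postgresql.conf`, not this scenario's own directory; switching the prefix to `${MOLECULE_PROJECT_DIRECTORY}` is correct, but the cross-scenario dependency stays invisible to anyone editing or renaming `quarkus_ha`. If sharing is intended, add a comment above the line, e.g. `# shared with the quarkus_ha scenario; keep both in sync`, or move the file to a common location under `molecule/` and reference it from all three. The `quarkus_ha_remote/molecule.yml` hunk has the same cross-reference; the `platforms` entry continues outside both hunks.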
diff --git a/molecule/quarkus_ha_remote/prepare.yml b/molecule/quarkus_ha_remote/prepare.yml index 16ae9b9..dbbfb38 100644 --- a/molecule/quarkus_ha_remote/prepare.yml +++ b/molecule/quarkus_ha_remote/prepare.yml @@ -11,6 +11,8 @@ - name: Create certificate request ansible.builtin.command: "openssl req -x509 -newkey rsa:4096 -keyout {{ inventory_hostname }}.key -out {{ inventory_hostname }}.pem -sha256 -days 365 -nodes -subj '/CN={{ inventory_hostname }}'" + args: + chdir: "{{ playbook_dir }}" delegate_to: localhost changed_when: False @@ -31,6 +33,8 @@ - name: Create vault keystore ansible.builtin.command: keytool -importpass -alias TestRealm_testalias -keystore keystore.p12 -storepass keystorepassword + args: + chdir: "{{ playbook_dir }}" delegate_to: localhost register: keytool_cmd changed_when: False diff --git a/molecule/quarkus_upgrade/prepare.yml b/molecule/quarkus_upgrade/prepare.yml index 1be16d6..87de97e 100644 --- a/molecule/quarkus_upgrade/prepare.yml +++ b/molecule/quarkus_upgrade/prepare.yml @@ -43,6 +43,8 @@ - name: Create certificate request ansible.builtin.command: openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -sha256 -days 365 -nodes -subj '/CN=instance' + args: + chdir: "{{ playbook_dir }}" delegate_to: localhost changed_when: false roles: diff --git a/molecule/quarkus_upgrade/verify.yml b/molecule/quarkus_upgrade/verify.yml index 1c4a0ba..da7a316 100644 --- a/molecule/quarkus_upgrade/verify.yml +++ b/molecule/quarkus_upgrade/verify.yml @@ -14,10 +14,9 @@ - ansible_facts.services["keycloak.service"]["state"] == "running" - ansible_facts.services["keycloak.service"]["status"] == "enabled" - - name: Verify we are running on requested jvm - ansible.builtin.shell: | - set -eo pipefail - ps -ef | grep 'etc/alternatives/.*21' | grep -v grep + - name: Verify Java 21 runtime is installed (UBI/RHEL) + ansible.builtin.command: + cmd: rpm -q java-21-openjdk-headless changed_when: false - name: Verify token api call 
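Review bot: `rpm -q java-21-openjdk-headless` in `quarkus_upgrade/verify.yml` only proves the package is installed, not that `keycloak.service` is running on that JVM, which is what the removed `ps` check asserted and what an upgrade scenario most needs to catch (the service still bound to an older Java). Keep the package query if a RHEL-only guard is wanted, but add a process-level check alongside it, e.g. `ansible.builtin.shell: set -o pipefail; readlink -f /proc/$(systemctl show -p MainPID --value keycloak)/exe | grep -q 'java-21'` with `args: {executable: /bin/bash}` (assuming the unit is named `keycloak`, as the facts check above suggests). Note also that the new task fails rather than skips on images without rpm; the verify task list continues past the hunk.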
@@ -28,5 +27,5 @@ validate_certs: no register: keycloak_auth_response until: keycloak_auth_response.status == 200 - retries: 2 - delay: 2 + retries: 45 + delay: 5 diff --git a/plugins/modules/keycloak_client_scope.py b/plugins/modules/keycloak_client_scope.py index cf5f6ab..1649f31 100644 --- a/plugins/modules/keycloak_client_scope.py +++ b/plugins/modules/keycloak_client_scope.py @@ -49,6 +49,7 @@ options: description: type: str + default: '' description: - Description of the client scope. @@ -179,7 +180,6 @@ end_state: from ansible_collections.middleware_automation.keycloak.plugins.module_utils.identity.keycloak.keycloak import KeycloakAPI, \ keycloak_argument_spec, get_token, KeycloakError from ansible.module_utils.basic import AnsibleModule -import copy def main():
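Review bot: `retries: 45` with `delay: 5` is a roughly four-minute wait with no explanation, and the next person tuning CI time will be tempted to cut it back toward the old `2`/`2`. Add a comment above `retries:` stating the reason, e.g. `# first start after an upgrade rebuilds the server; allow ~4 min for the token endpoint` (adjust to the actual cause observed). The `uri` task this belongs to starts outside the hunk.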
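Review bot: Declaring `default: ''` for the `description` option in DOCUMENTATION only resolves the sanity failure if the `argument_spec` in `main()` (outside this hunk) declares the same default — confirm that rather than documenting a default the code does not apply. More importantly, a default of `''` means a play that omits `description` is now asking for an empty description; if the module's desired-versus-current comparison treats `''` as a value rather than "unset", an existing description on the client scope will be cleared on every such run, which is a user-visible behavior change that needs a changelog fragment. If leaving the field untouched is the intent, the default should remain absent (`None`) and the docs should not claim `''`. The `import copy` removal in the following hunk looks like plain cleanup.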