Add molecule tests for enterprise edition (#361)

Author: sschmittsva

README.md

@@ -75,6 +75,10 @@ to load any new configuration deployed.
 
 ## [Role Variables](role_variables.md)
 
+## Misc
+
+### [Vault Release Scheme](vault_releases.md)
+
 ## License
 
 BSD-2-Clause

defaults/main.yml

@@ -6,9 +6,12 @@
 # ---------------------------------------------------------------------------
 
 # Package variables
-vault_version_suffix: "{{ '.hsm' if vault_enterprise_hsm else '' }}"
-vault_version: "{{ lookup('env', 'VAULT_VERSION') | default('1.18.2', true) }}{{ vault_version_suffix }}"
-vault_version_repo_suffix: "{{ '+ent' if vault_enterprise }}-1"
+vault_version: "{{ lookup('env', 'VAULT_VERSION') | default('1.18.2', true) }}"
+
+vault_version_release_site_suffix: "{{ '+ent' if vault_enterprise }}{{ '.hsm' if vault_enterprise_hsm }}"
+vault_version_repo_suffix: "{{ '+ent' if vault_enterprise }}"
+vault_version_debian_repo_suffix: "-1"
+
 vault_architecture_map:
   # this first entry seems... redundant (but it's required for reasons)
   amd64: amd64
@@ -17,10 +20,13 @@ vault_architecture_map:
   aarch64: arm64
 vault_architecture: "{{ vault_architecture_map[ansible_architecture] }}"
 vault_os: "{{ ansible_system | lower }}"
-vault_pkg: "vault_{{ vault_version }}_{{ vault_os }}_{{ vault_architecture }}.zip"
-vault_shasums: "vault_{{ vault_version }}_SHA256SUMS"
-vault_zip_url: "https://releases.hashicorp.com/vault/{{ vault_version }}/vault_{{ vault_version }}_{{ vault_os }}_{{ vault_architecture }}.zip"
-vault_checksum_file_url: "https://releases.hashicorp.com/vault/{{ vault_version }}/vault_{{ vault_version }}_SHA256SUMS"
+
+vault_pkg_stub: "vault_{{ vault_version }}{{ vault_version_release_site_suffix }}"
+vault_pkg: "{{ vault_pkg_stub }}_{{ vault_os }}_{{ vault_architecture }}.zip"
+vault_shasums: "{{ vault_pkg_stub }}_SHA256SUMS"
+vault_url_stub: "https://releases.hashicorp.com/vault/{{ vault_version }}{{ vault_version_release_site_suffix }}"
+vault_zip_url: "{{ vault_url_stub }}/{{ vault_pkg }}"
+vault_checksum_file_url: "{{ vault_url_stub }}/{{ vault_shasums }}"
 vault_repository_url: "{{ _vault_repository_url | default() }}"
 vault_repository_key_url: "{{ _vault_repository_key_url | default() }}"
 vault_rhsm_subscription_name:
@@ -385,8 +391,6 @@ vault_entropy_seal: false
 # ---------------------------------------------------------------------------
 
 vault_enterprise: "{{ lookup('env', 'VAULT_ENTERPRISE') | default(false, true) }}"
-vault_enterprise_pkg: "vault-enterprise_{{ vault_version }}_{{ vault_os }}_{{ vault_architecture }}.zip"
-vault_enterprise_shasums: "vault-enterprise_{{ vault_version }}_SHA256SUMS"
 
 # Manage enterprise license file with this role
 vault_configure_enterprise_license: false

molecule/centos-stream-9-enterprise/molecule.yml

@@ -0,0 +1,32 @@
+---
+platforms:
+  - name: centos-stream-9
+    groups:
+      - vault_raft_servers
+    image: dokken/centos-stream-9
+    pre_build_image: true
+    command: /lib/systemd/systemd
+    privileged: true
+    cgroup_parent: docker.slice
+  - name: centos-stream-9_repo
+    groups:
+      - vault_raft_servers
+    image: dokken/centos-stream-9
+    pre_build_image: true
+    command: /lib/systemd/systemd
+    privileged: true
+    cgroup_parent: docker.slice
+
+provisioner:
+  inventory:
+    host_vars:
+      centos-stream-9:
+        vault_disable_api_health_check: true
+        vault_enterprise: true
+        vault_install_hashi_repo: false
+      centos-stream-9_repo:
+        vault_disable_api_health_check: true
+        vault_enterprise: true
+        vault_install_hashi_repo: true
+        vault_bin_path: /usr/bin
+        vault_group: vault

molecule/debian-11-enterprise/molecule.yml

@@ -0,0 +1,33 @@
+---
+platforms:
+  - name: debian-11
+    groups:
+      - vault_raft_servers
+    image: dokken/debian-11
+    pre_build_image: true
+    command: /lib/systemd/systemd
+    privileged: true
+    cgroup_parent: docker.slice
+  - name: debian-11_repo
+    groups:
+      - vault_raft_servers
+    image: dokken/debian-11
+    pre_build_image: true
+    command: /lib/systemd/systemd
+    privileged: true
+    cgroup_parent: docker.slice
+
+provisioner:
+  inventory:
+    host_vars:
+      debian-11:
+        vault_disable_api_health_check: true
+        vault_enterprise: true
+        vault_install_hashi_repo: false
+      debian-11_repo:
+        vault_disable_api_health_check: true
+        vault_enterprise: true
+        vault_install_hashi_repo: true
+        vault_bin_path: /usr/bin
+        vault_group: vault
+

molecule/verify.yml

@@ -10,46 +10,55 @@
     goss_url: "https://github.com/aelsabbahy/goss/releases/download/{{ goss_version }}/goss-linux-{{ goss_arch }}"
     goss_test_directory: /tmp
     goss_format: tap
+    enterprise: "{{ 'enterprise' in lookup('env', 'MOLECULE_SCENARIO_DIRECTORY') }}"
   tasks:
-    - name: Download and install Goss
-      get_url:
-        url: "{{ goss_url }}"
-        dest: "{{ goss_dst }}"
-        checksum: "sha256:{{ goss_sha256sum }}"
-        mode: 0755
-      register: download_goss
-      until: download_goss is succeeded
-      retries: 3
+    - name: Check if enterprise
+      ansible.builtin.debug:
+        msg: "Verification is skipped because vault enterprise does not start without license"
+      when: enterprise
+    - name: Verify tasks
+      when: not enterprise
+      block:
+      - name: Download and install Goss
+        get_url:
+          url: "{{ goss_url }}"
+          dest: "{{ goss_dst }}"
+          checksum: "sha256:{{ goss_sha256sum }}"
+          mode: 0755
+        register: download_goss
+        until: download_goss is succeeded
+        retries: 3
+  
+      - name: Copy Goss tests to remote
+        template:
+          src: "{{ item }}"
+          dest: "{{ goss_test_directory }}/{{ item | basename | splitext | first }}"
+          mode: 0644
+        with_fileglob:
+          - "{{ lookup('env', 'MOLECULE_PROJECT_DIRECTORY') }}/molecule/_tests/test_*.j2"
+  
+      - name: Register test files
+        shell: "ls {{ goss_test_directory }}/test_*.yml"
+        changed_when: false
+        register: test_files
+  
+      - name: Execute Goss tests
+        environment:
+          # yamllint disable-line rule:line-length
+          PATH: '/opt/rh/rh-git218/root/usr/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin'
+        command: "{{ goss_dst }} -g {{ item }} validate -f {{ goss_format }}"
+        changed_when: false
+        register: test_results
+        with_items: "{{ test_files.stdout_lines }}"
+  
+      - name: Display details about the Goss results
+        debug:
+          msg: "{{ item.stdout_lines }}"
+        with_items: "{{ test_results.results }}"
+  
+      - name: Fail when tests fail
+        fail:
+          msg: "Goss failed to validate"
+        when: item.rc != 0
+        with_items: "{{ test_results.results }}"
 
-    - name: Copy Goss tests to remote
-      template:
-        src: "{{ item }}"
-        dest: "{{ goss_test_directory }}/{{ item | basename | splitext | first }}"
-        mode: 0644
-      with_fileglob:
-        - "{{ lookup('env', 'MOLECULE_PROJECT_DIRECTORY') }}/molecule/_tests/test_*.j2"
-
-    - name: Register test files
-      shell: "ls {{ goss_test_directory }}/test_*.yml"
-      changed_when: false
-      register: test_files
-
-    - name: Execute Goss tests
-      environment:
-        # yamllint disable-line rule:line-length
-        PATH: '/opt/rh/rh-git218/root/usr/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin'
-      command: "{{ goss_dst }} -g {{ item }} validate -f {{ goss_format }}"
-      changed_when: false
-      register: test_results
-      with_items: "{{ test_files.stdout_lines }}"
-
-    - name: Display details about the Goss results
-      debug:
-        msg: "{{ item.stdout_lines }}"
-      with_items: "{{ test_results.results }}"
-
-    - name: Fail when tests fail
-      fail:
-        msg: "Goss failed to validate"
-      when: item.rc != 0
-      with_items: "{{ test_results.results }}"

tasks/install.yml

@@ -33,7 +33,8 @@
   get_url:
     url: "{{ vault_zip_url }}"
     dest: "{{ role_path }}/files/{{ vault_pkg }}"
-    checksum: "sha256:{{ (lookup('url', vault_checksum_file_url, wantlist=true) | select('match', '.*' + vault_pkg + '$') | first).split()[0] }}"
+    checksum:
+      "sha256:{{ (lookup('url', vault_checksum_file_url, wantlist=true) | select('match', '.*' + (vault_pkg | regex_escape()) + '$') | first).split()[0] }}"
     timeout: "42"
     mode: "0644"
   become: "{{ vault_privileged_install }}"

tasks/install_enterprise.yml

@@ -71,18 +71,18 @@
     state: absent
   become: true
 
-- name: Install Vault package
+- name: "Install Vault package {{ _vault_repo_pkg }}"
   package:
     name: "{{ _vault_repo_pkg }}"
     state: present
   become: true
   vars:
     _vault_repo_pkg: "{% if (ansible_pkg_mgr in ['yum', 'dnf']) %}\
-                  vault-{{ 'enterprise-' if (vault_enterprise | bool) else '' }}{{ vault_version }}{{ vault_version_repo_suffix }}\
+                  vault{{ '-enterprise' if vault_enterprise }}-{{ vault_version }}{{ vault_version_repo_suffix }}\
                 {% elif (ansible_pkg_mgr == 'apt') %}\
-                  vault{{ '-enterprise' if (vault_enterprise | bool) else '' }}={{ vault_version }}{{ vault_version_repo_suffix }}\
+                  vault{{ '-enterprise' if vault_enterprise }}={{ vault_version }}{{ vault_version_repo_suffix }}{{ vault_version_debian_repo_suffix }}\
                 {% else %}\
-                  vault{{ '-enterprise' if (vault_enterprise | bool) else '' }}={{ vault_version }}{{ vault_version_repo_suffix }}\
+                  vault{{ '-enterprise' if vault_enterprise }}={{ vault_version }}{{ vault_version_repo_suffix }}\
                 {% endif %}"
   notify: Restart vault
 

tasks/install_hashi_repo.yml

@@ -51,20 +51,11 @@
 
 - name: Compute if installation is required
   set_fact:
-    installation_required: "{{ vault_installation is failed or installed_vault_version.stdout != vault_version }}"
-
-- name: Install OS packages and Vault Enterprise via control host
-  include_tasks: install_enterprise.yml
-  when:
-    - vault_enterprise | bool
-    - not vault_install_remotely | bool
-    - not vault_install_hashi_repo | bool
-    - installation_required | bool
+    installation_required: "{{ vault_installation is failed or installed_vault_version.stdout != vault_version~('+ent' if vault_enterprise) }}"
 
 - name: Install OS packages and Vault via control host
   include_tasks: install.yml
   when:
-    - not vault_enterprise | bool
     - not vault_install_remotely | bool
     - not vault_install_hashi_repo | bool
     - installation_required | bool