Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #1 from RedHatProductSecurity/OSIDB-3712
OSIDB-3712: Create container image
Showing 14 changed files with 191 additions and 26 deletions.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -4,6 +4,9 @@ on: | |
push: | ||
branches: | ||
- main | ||
pull_request: | ||
branches: | ||
- main | ||
|
||
jobs: | ||
type-check: | ||
|
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -6,3 +6,4 @@ node_modules/ | |
/playwright/.auth/ | ||
.vscode | ||
.env | ||
*.keytab |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,12 @@ | ||
.gitignore | ||
*.md | ||
.git | ||
.vscode | ||
.github | ||
.husky | ||
test-results | ||
playwright-report | ||
user.json | ||
Dockerfile | ||
node_modules | ||
.env |
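Review bot: the `Dockerfile` and `*.md` entries are matched relative to the root of the build context, so they do not cover files in subdirectories. The build command in this commit uses `-f docker/Dockerfile`, which means the Dockerfile under `docker/` (and any Markdown file outside the root) still enters the context and is picked up by `COPY --chown=1001 . /app`. Use `**/Dockerfile` and `**/*.md` if the intent is to keep them out of the image everywhere.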
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,48 @@ | ||
FROM registry.redhat.io/ubi9/ubi:9.5 as base | ||
|
||
ENV LANG=C.UTF-8 | ||
ENV LC_ALL=C.UTF-8 | ||
ENV KRB5CCNAME=/tmp/cache | ||
|
||
COPY docker/krb5.conf /etc/krb5.conf | ||
COPY docker/install-certs.sh /install-certs.sh | ||
COPY docker/auth.sh /auth.sh | ||
|
||
RUN ./install-certs.sh $RH_CERT_URL \ | ||
&& yum update -y \ | ||
&& yum install -y wget git krb5-workstation \ | ||
# Playwright dependencies | ||
libxcb libXdamage libXcursor libXext libXcomposite libXrandr \ | ||
libXi pango cairo cairo-gobject libXrender gtk3 atk gdk-pixbuf2 \ | ||
# NodeJS | ||
&& yum module install -y nodejs:20/common \ | ||
&& yum clean all \ | ||
&& npm install -g yarn \ | ||
&& mkdir -p /krb5 \ | ||
&& chmod 755 /krb5 \ | ||
&& mkdir -p /var/lib/sss/pubconf/krb5.include.d \ | ||
&& chmod 755 /etc/krb5.conf.d \ | ||
&& chown -R 1001:0 /etc/krb5.conf.d \ | ||
&& chown 1001:0 /etc/krb5.conf \ | ||
&& chown -R 1001:0 /krb5 | ||
|
||
FROM base as build | ||
|
||
WORKDIR /app | ||
ENV PLAYWRIGHT_BROWSERS_PATH=0 | ||
|
||
COPY --chown=1001 package.json /app/package.json | ||
COPY --chown=1001 yarn.lock /app/yarn.lock | ||
COPY --chown=1001 playwright.config.ts /app/playwright.config.ts | ||
COPY --chown=1001 tsconfig.json /app/tsconfig.json | ||
COPY --chown=1001 docker/krb5.conf.d /etc/krb5.conf.d | ||
COPY --chown=1001 docker/krb5.keytab /krb5/krb5.keytab | ||
|
||
RUN yarn install --frozen-lockfile \ | ||
&& yarn playwright install chromium firefox | ||
|
||
COPY --chown=1001 . /app | ||
|
||
USER 1001 | ||
|
||
CMD ["/bin/sh"] |
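Review bot: `COPY --chown=1001 docker/krb5.keytab /krb5/krb5.keytab` in the build stage bakes a long-term Kerberos key into an image layer, so anyone who can pull or export the image can authenticate as that principal. Prefer dropping this COPY and mounting the keytab read-only when the container is started. The later `COPY --chown=1001 . /app` also places a second copy of `docker/krb5.keytab` under `/app/docker/`, because the ignore file added in this commit does not exclude it. Separately, `$RH_CERT_URL` in the first RUN has no `ARG` or `ENV` declaration in this file, so the build depends on the value being injected from outside; declaring it here would make that dependency explicit.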
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,62 @@ | ||
# OSIM UI + Kerberos Tests Container | ||
|
||
This is the container that is used to run the tests on the CI/CD pipeline. It is based on redhat's ubi9 image and has the necessary dependencies to run the tests. | ||
|
||
## Building the container | ||
Before building the container, you need to prepare some files. | ||
|
||
1. Create a `krb5.keytab` file in the `docker` directory. This file is used to authenticate with kerberos. | ||
```bash | ||
$ ktutil | ||
ktutil: addent -password -p <principal> -k 1 -e aes256-cts-hmac-sha1-96 -f | ||
ktutil: wkt krb5.keytab | ||
ktutil: quit | ||
``` | ||
2. Create a `crypto-policies` file in the `krb5.conf.d` directory. You should have this file in `/etc/krb5.conf.d/` or `/usr/bin/krb5-conf/` on your machine. | ||
|
||
|
||
3. Provide the correct realm configuration in a file inside the `krb5.conf.d` directory. You should have this file in `/etc/krb5.conf` on your machine. | ||
|
||
|
||
That should look like this: | ||
```bash | ||
|-- docker | ||
| |-- krb5.conf.d | ||
| | |-- crypto-policies | ||
| | |-- realm # name of the file is not important | ||
| |-- krb5.keytab | ||
| |-- krb5.conf | ||
| |-- Dockerfile | ||
``` | ||
|
||
After preparing the files, you can build the container using the following command: | ||
|
||
> [!IMPORTANT] | ||
> Make sure to run the command from the root of the project. | ||
> (outside of the docker folder) | ||
```bash | ||
podman build -t osim-ui-tests -f docker/Dockerfile --ignorefile docker/.dockerignore . | ||
# to install RH certificates add --env RH_CERT_URL=<url> to the command | ||
``` | ||
|
||
## Running the container | ||
Make sure to provide the required [environment variables](/README.md#required-environment-variables) when running the container: | ||
|
||
```bash | ||
podman run --rm -it --env-file .env osim-ui-tests | ||
``` | ||
|
||
## Running the tests | ||
|
||
You need to authenticate with kerberos before running the tests. You can do this by running the script **inside the container**: | ||
|
||
```bash | ||
sh /auth.sh | ||
``` | ||
|
||
After authenticating, you can run the tests using the following command: | ||
|
||
```bash | ||
yarn test | ||
``` |
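Review bot: the "Building the container" section has the reader generate `krb5.keytab` and build it into the image, but nothing states that the resulting image then contains that credential. Add a line saying the image must stay out of shared registries and that the keytab file should be readable only by its owner. The directory tree also omits `auth.sh` and `install-certs.sh`, which the Dockerfile copies from `docker/`, so a reader following the tree literally will get a failing build.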
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,6 @@ | ||
#!/bin/sh | ||
|
||
principal="$( klist -kt /krb5/krb5.keytab | grep -Eo -m1 '\w+@[A-Z.]+' )" | ||
|
||
kinit -k -t /krb5/krb5.keytab $principal | ||
klist -c /tmp/cache |
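Review bot: the pattern in `grep -Eo -m1 '\w+@[A-Z.]+'` truncates or misses principals whose name contains `/`, `-` or `.`, and realms that contain digits, and an empty result is passed straight to `kinit`. Add `set -eu`, exit with a message when `principal` is empty, quote `"$principal"` on the `kinit` line, and widen the pattern to something like `[^[:space:]]+@[^[:space:]]+` or take the principal from an environment variable instead of parsing `klist` output.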
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,10 @@ | ||
#!/bin/sh | ||
|
||
if [[ -z "${1}" ]]; then | ||
echo -e "\e[1;33mWARNING: RH_CERT_URL environment variable not set, internal RH resources won't be accessible\e[0m" | ||
else | ||
curl "${1}/certs/Current-IT-Root-CAs.pem" -o /etc/pki/ca-trust/source/anchors/Current-IT-Root-CAs.pem | ||
mkdir -p /etc/ipa | ||
curl "${1}/chains/ipa-ca-chain-2015.crt" -o /etc/ipa/ipa.crt | ||
update-ca-trust | ||
fi |
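Review bot: both `curl` calls in the `else` branch save whatever the server returns, with no failure or integrity check, and the first file goes directly into `/etc/pki/ca-trust/source/anchors/` before `update-ca-trust` runs. Use `curl -fsSL` with `set -e` so an HTTP error aborts the build, require an `https://` URL, and compare the downloads against a pinned SHA-256 before installing them. The script also declares `#!/bin/sh` while using `[[ ... ]]` and `echo -e`, which are bash features; switch the shebang to bash or use `[ -z "$1" ]` and `printf`.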
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,31 @@ | ||
# To opt out of the system crypto-policies configuration of krb5, remove the | ||
# symlink at /etc/krb5.conf.d/crypto-policies which will not be recreated. | ||
includedir /etc/krb5.conf.d/ | ||
|
||
[logging] | ||
default = FILE:/var/log/krb5libs.log | ||
kdc = FILE:/var/log/krb5kdc.log | ||
admin_server = FILE:/var/log/kadmind.log | ||
|
||
[libdefaults] | ||
dns_lookup_realm = false | ||
ticket_lifetime = 24h | ||
renew_lifetime = 7d | ||
forwardable = true | ||
rdns = false | ||
pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt | ||
spake_preauth_groups = edwards25519 | ||
dns_canonicalize_hostname = fallback | ||
qualify_shortname = "" | ||
# default_realm = EXAMPLE.COM | ||
default_ccache_name = KEYRING:persistent:%{uid} | ||
|
||
[realms] | ||
# EXAMPLE.COM = { | ||
# kdc = kerberos.example.com | ||
# admin_server = kerberos.example.com | ||
# } | ||
|
||
[domain_realm] | ||
# .example.com = EXAMPLE.COM | ||
# example.com = EXAMPLE.COM |
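Review bot: `default_ccache_name = KEYRING:persistent:%{uid}` under `[libdefaults]` disagrees with `ENV KRB5CCNAME=/tmp/cache` in the Dockerfile and with `klist -c /tmp/cache` in `auth.sh`. The environment variable takes precedence, so this setting only takes effect if the variable is ever unset, and kernel keyring caches are commonly unavailable inside containers. Set it to `FILE:/tmp/cache` or remove it so the config matches what the image uses. The `kdc` and `admin_server` entries under `[logging]` apply to server daemons that this client image does not run and can be dropped.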
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,2 @@ | ||
* | ||
!.gitignore |