THREESCALE 12122: Fix tests suite with SSL #576
Conversation
jlledom
force-pushed
the
THREESCALE-12122-test-ssl
branch
from
644af9b to
43544ee
Compare
jlledom
force-pushed
the
THREESCALE-12122-test-ssl
branch
from
3e96487 to
2b3ef8e
Compare
| [allowlist] | ||
| description = "Global Allowlist" | ||
|
|
||
| # Ignore based on any subset of the file path | ||
| paths = [ | ||
| # Ignore all fake private keys for CircleCI, they are for tests | ||
| '''.circleci\/.+\.(pem|key)$''' | ||
| ] |
There was a problem hiding this comment.
This is to bypass our secret leak detector. The certificates I pushed here are fake.
| @@ -1,4 +1,77 @@ | |||
| version: 2.1 | |||
|
|
|||
| commands: | |||
There was a problem hiding this comment.
Both jobs run the same tests, this is to reuse them
| commands: | ||
| bundle_install: | ||
| parameters: | ||
| run_in_zync: |
There was a problem hiding this comment.
When true, we run the command inside zync container, required for SSL
| postgresql_image: | ||
| type: string | ||
| machine: | ||
| image: ubuntu-2204:current |
There was a problem hiding this comment.
The docker executor doesn't accept mounting volumes to the postgres container, I faced the same issue when I added SSL pipelines to apisonator. We must use the mahine executor and launch the containers manually.
| cp /tmp/server.crt /server.crt | ||
| cp /tmp/server.key /server.key | ||
| cp /tmp/ca.crt /ca.crt | ||
| chown postgres:postgres /server.crt /server.key /ca.crt | ||
| chmod 600 /server.key | ||
| exec docker-entrypoint.sh postgres -c ssl=on -c ssl_cert_file=/server.crt -c ssl_key_file=/server.key -c ssl_ca_file=/ca.crt |
There was a problem hiding this comment.
All this is because postgres doesn't accept a cert key which is not owned by itself and with 0600 permissions
| - store_test_results: | ||
| path: test/reports | ||
|
|
||
| chmod 600 $(pwd)/.circleci/circleci.key && \ |
There was a problem hiding this comment.
postgres doesn't accept the client not owning the client key neither, and permissions must be 0600 as well
| run_in_zync: true | ||
| - boot_zync: | ||
| run_in_zync: true | ||
| - save_cache: |
There was a problem hiding this comment.
save cache should be directly under bundle install maybe 🤔
| <<# parameters.run_in_zync >> | ||
| circleci tests glob "test/**/*_test.rb" | circleci tests run --command="xargs docker exec zync bundle exec rake test TESTOPTS='-v'" --verbose --split-by=timings | ||
| <</ parameters.run_in_zync >> | ||
| <<^ parameters.run_in_zync >> |
There was a problem hiding this comment.
can you explain a little the parameters syntax and choices?
There was a problem hiding this comment.
idk when certs will expire but would be nicer if we have a script instead that will generate the certificates on the fly with openssl
2 participants
This is kinda part of https://issues.redhat.com/browse/THREESCALE-12122
Que was not supporting SSL protected DBs at all, and then I opened #573 to fix it. I tested and everything works fine now, and Que can work with a SSL DB properly. However, I found out during the Rails 8 upgrade that the test suite is also broken when using a SSL DB, so this PR is to fix that.
You can find more context in this discussion: #560 (comment)
Now we have a PR only for this, I think it the time to edit the pipeline and add a job to test SSL DBs as well.