
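# End-to-end tests of the PKI server running under FreeIPA (single server, and
# a primary/replica pair).  Everything in these jobs is throw-away fixture
# material: the example.com realm, the CA and KRA key material created by
# ipa-server-install, and the `Secret.123` passwords.  They live only for the
# duration of the job and are echoed into the job log, so they must never be
# reused for anything outside this workflow.
#
# NOTE(review): the third-party actions below are referenced by tag (`@v3`,
# `@v1.x`), not by full commit SHA.  Tags are mutable, so a compromised release
# could be swapped in silently; pinning each `uses:` to a 40-character SHA with
# the version in a trailing comment is the recommended hardening.  No SHAs are
# introduced here because none are visible in this file — do it in a follow-up
# from the upstream release pages.
name: IPA Tests

on: [push, pull_request]  # yamllint disable-line rule:truthy

jobs:
  init:
    name: Initialization
    uses: ./.github/workflows/init.yml
    # `inherit` hands the reusable workflow the caller's entire secret set.
    # That is acceptable only because init.yml is a local path in this
    # repository; never switch this to a remote `owner/repo/...@ref` without
    # replacing `inherit` by an explicit secret list.  Permissions for this job
    # are left at the repository default because init.yml is not visible here.
    secrets: inherit

  build:
    name: Waiting for build
    needs: init
    runs-on: ubuntu-latest
    # Least privilege: the only thing this job does with GITHUB_TOKEN is poll
    # the checks API.  `checks: read` is what wait-on-check-action needs for
    # that — re-confirm against the action's README if it is ever upgraded.
    permissions:
      checks: read
      contents: read
    steps:
      # The 'Building PKI' check must be looked up on the right ref: the pushed
      # ref on `push`, but the PR head SHA on `pull_request` (github.ref would
      # name the synthetic merge ref there, which carries no check runs).
      - name: Wait for build
        if: github.event_name == 'push'
        # NOTE(review): the action ref is rendered as "[email protected]" in
        # this view (an extraction artifact, not a real ref); the checked-in
        # value should be `lewagon/wait-on-check-action@<full commit SHA>`.
        uses: lewagon/[email protected]
        with:
          ref: ${{ github.ref }}
          check-name: 'Building PKI'
          repo-token: ${{ secrets.GITHUB_TOKEN }}
          wait-interval: 30

      - name: Wait for build
        if: github.event_name == 'pull_request'
        # NOTE(review): same mangled ref as above — pin to a full commit SHA.
        uses: lewagon/[email protected]
        with:
          ref: ${{ github.event.pull_request.head.sha }}
          check-name: 'Building PKI'
          repo-token: ${{ secrets.GITHUB_TOKEN }}
          wait-interval: 30

  ipa-test:
    name: Testing IPA
    needs: [init, build]
    runs-on: ubuntu-latest
    # Nothing here needs GITHUB_TOKEN beyond the checkout (actions/cache and
    # actions/upload-artifact use the runtime token, not GITHUB_TOKEN), so
    # read-only repository contents is sufficient.
    permissions:
      contents: read
    env:
      # Path of the checkout as seen *inside* the containers.  Several steps
      # write a file through `docker exec` under ${PKIDIR} and then read it on
      # the host (`diff expected actual` below), which only works if
      # tests/bin/runner-init.sh bind-mounts the workspace at this path —
      # that script is not shown here; verify it before moving this directory.
      PKIDIR: /tmp/workdir/pki
    steps:
      - name: Clone repository
        uses: actions/checkout@v3

      # The image is produced by the 'Building PKI' check this job waited on.
      # Keying the cache on the exact commit guarantees a stale image from a
      # previous commit is never restored; on a miss, `docker load` fails.
      - name: Retrieve pki-runner image
        uses: actions/cache@v3
        with:
          key: pki-runner-${{ github.sha }}
          path: pki-runner.tar

      - name: Load runner image
        run: docker load --input pki-runner.tar

      # A private bridge network so the containers resolve each other by the
      # example.com aliases attached below.
      - name: Create network
        run: docker network create example

      - name: Run IPA container
        run: |
          IMAGE=pki-runner \
          NAME=ipa \
          HOSTNAME=ipa.example.com \
          tests/bin/runner-init.sh

      # ipa-ca.example.com is the name the ACME client is pointed at further
      # down, so both aliases are attached up front.
      - name: Connect IPA container to network
        run: docker network connect example ipa --alias ipa.example.com --alias ipa-ca.example.com

      - name: Install IPA packages in IPA container
        run: |
          docker exec ipa dnf install -y freeipa-server freeipa-server-dns \
              python3-ipatests freeipa-healthcheck

      # Unattended install with fixture passwords (-p: Directory Manager,
      # -a: IPA admin).  --no-host-dns skips the forward/reverse DNS check the
      # docker network cannot satisfy; --no-ntp because the container cannot
      # own the clock.  The sysctl re-enables IPv6 on loopback first — the
      # installer presumably refuses to run without ::1 available.
      - name: Install IPA server in IPA container
        run: |
          docker exec ipa sysctl net.ipv6.conf.lo.disable_ipv6=0
          docker exec ipa ipa-server-install \
              -U \
              --domain example.com \
              -r EXAMPLE.COM \
              -p Secret.123 \
              -a Secret.123 \
              --setup-kra \
              --no-host-dns \
              --no-ntp
          docker exec ipa bash -c "echo Secret.123 | kinit admin"
          docker exec ipa ipa ping

      # Sanity-check the CA through the PKI CLI: trust the CA signing cert,
      # import the agent PKCS#12 that the install apparently leaves in /root
      # (protected with the same fixture password), and look up the admin
      # user as that agent.
      - name: Verify CA admin in IPA container
        run: |
          docker exec ipa pki-server cert-export ca_signing --cert-file ca_signing.crt
          docker exec ipa pki client-cert-import ca_signing --ca-cert ca_signing.crt
          docker exec ipa pki client-cert-import \
              --pkcs12 /root/ca-agent.p12 \
              --pkcs12-password Secret.123
          docker exec ipa pki -n ipa-ca-agent ca-user-show admin

      # `pki acme-info` prints a "Status: <word>" line; the sed keeps only that
      # word.  It is written to ${PKIDIR}/actual inside the container and read
      # back as `actual` in the host workspace (see the PKIDIR note above).
      - name: Enable ACME in IPA container
        run: |
          docker exec ipa ipa-acme-manage enable
          docker exec ipa ipa-acme-manage status
          echo "Available" > expected
          docker exec ipa bash -c "pki acme-info | sed -n 's/\s*Status:\s\+\(\S\+\).*/\1/p' > ${PKIDIR}/actual"
          diff expected actual

      # --privileged is needed to boot systemd (/usr/sbin/init) as PID 1 in
      # the container; it grants the container the host's capabilities, which
      # is tolerable only because the runner VM itself is ephemeral.  Keep the
      # two tmpfs mounts: systemd expects /run and /tmp to be writable.
      - name: Run client container
        run: |
          docker run \
              --detach \
              --name=client \
              --hostname=client.example.com \
              --privileged \
              --tmpfs /tmp \
              --tmpfs /run \
              pki-runner \
              /usr/sbin/init

      - name: Connect client container to network
        run: docker network connect example client --alias client.example.com

      - name: Install dependencies in client container
        run: |
          docker exec client dnf install -y freeipa-client certbot

      # Enrol the client against the freshly built server using the admin
      # principal; `klist` confirms a ticket was obtained.
      - name: Install IPA client in client container
        run: |
          docker exec client sysctl net.ipv6.conf.lo.disable_ipv6=0
          docker exec client ipa-client-install \
              -U \
              --server=ipa.example.com \
              --domain=example.com \
              --realm=EXAMPLE.COM \
              -p admin \
              -w Secret.123 \
              --no-ntp
          docker exec client bash -c "echo Secret.123 | kinit admin"
          docker exec client klist

      # Drive the whole ACME account/order lifecycle against the IPA CA:
      # register, issue, forced renew, revoke, account update, deregister.
      # Each call is --non-interactive so a prompt fails the step instead of
      # hanging.  NOTE(review): the --email values below are rendered as
      # "[email protected]" in this view (extraction artifact); the checked-in
      # file should carry a real fixture address such as one in example.com.
      - name: Verify certbot in client container
        run: |
          docker exec client certbot register \
              --server https://ipa-ca.example.com/acme/directory \
              --email [email protected] \
              --agree-tos \
              --non-interactive
          docker exec client certbot certonly \
              --server https://ipa-ca.example.com/acme/directory \
              -d client.example.com \
              --standalone \
              --non-interactive
          docker exec client certbot renew \
              --server https://ipa-ca.example.com/acme/directory \
              --cert-name client.example.com \
              --force-renewal \
              --non-interactive
          docker exec client certbot revoke \
              --server https://ipa-ca.example.com/acme/directory \
              --cert-name client.example.com \
              --non-interactive
          docker exec client certbot update_account \
              --server https://ipa-ca.example.com/acme/directory \
              --email [email protected] \
              --non-interactive
          docker exec client certbot unregister \
              --server https://ipa-ca.example.com/acme/directory \
              --non-interactive

      # Mirror of the enable check: after disabling, acme-info must report
      # "Unavailable".
      - name: Disable ACME in IPA container
        run: |
          docker exec ipa ipa-acme-manage disable
          docker exec ipa ipa-acme-manage status
          echo "Unavailable" > expected
          docker exec ipa bash -c "pki acme-info | sed -n 's/\s*Status:\s\+\(\S\+\).*/\1/p' > ${PKIDIR}/actual"
          diff expected actual

      # ${PKIDIR} is expanded on the host but names the in-container path of
      # the checkout (see the PKIDIR note above).
      - name: Run IPA tests in IPA container
        run: docker exec ipa ${PKIDIR}/tests/bin/ipa-test.sh

      # Collected on failure too, so a broken run can be diagnosed.  These
      # dumps may include the test CA's directory/NSS databases and the agent
      # PKCS#12 whose password is written in this file; they are downloadable
      # by anyone who can read the run, which is acceptable only because all of
      # it is fixture material.
      - name: Gather artifacts from IPA container
        if: always()
        run: |
          tests/bin/ds-artifacts-save.sh ipa EXAMPLE-COM
          tests/bin/pki-artifacts-save.sh ipa
          tests/bin/ipa-artifacts-save.sh ipa

      # Also exercises the uninstall path.  Deliberately not `always()`: after a
      # failed install the artifacts above are what matters, and a second
      # failure here would only obscure the first.
      - name: Remove IPA server from IPA container
        run: docker exec ipa ipa-server-install --uninstall -U

      - name: Upload artifacts from IPA container
        if: always()
        uses: actions/upload-artifact@v3
        with:
          name: ipa
          path: |
            /tmp/artifacts/ipa

  ipa-clone-test:
    name: Testing IPA clone
    needs: [init, build]
    runs-on: ubuntu-latest
    # Same reasoning as ipa-test: only the checkout touches GITHUB_TOKEN.
    permissions:
      contents: read
    env:
      # In-container path of the checkout; this job additionally relies on it
      # being a mount shared by *both* containers, because the primary copies
      # its agent PKCS#12 there for the secondary to import (see "Verify CA
      # admin" below).  runner-init.sh is not shown here — verify the mount.
      PKIDIR: /tmp/workdir/pki
    steps:
      - name: Clone repository
        uses: actions/checkout@v3

      - name: Retrieve pki-runner image
        uses: actions/cache@v3
        with:
          key: pki-runner-${{ github.sha }}
          path: pki-runner.tar

      - name: Load runner image
        run: docker load --input pki-runner.tar

      - name: Create network
        run: docker network create example

      - name: Run primary container
        run: |
          IMAGE=pki-runner \
          NAME=primary \
          HOSTNAME=primary.example.com \
          tests/bin/runner-init.sh

      - name: Connect primary container to network
        run: docker network connect example primary --alias primary.example.com

      - name: Install IPA packages in primary container
        run: |
          docker exec primary dnf install -y freeipa-server freeipa-server-dns

      # Same unattended install as ipa-test (fixture passwords, no host DNS or
      # NTP, IPv6 loopback re-enabled first); this one becomes the replication
      # source.
      - name: Install IPA server in primary container
        run: |
          docker exec primary sysctl net.ipv6.conf.lo.disable_ipv6=0
          docker exec primary ipa-server-install \
              -U \
              --domain example.com \
              -r EXAMPLE.COM \
              -p Secret.123 \
              -a Secret.123 \
              --setup-kra \
              --no-host-dns \
              --no-ntp
          docker exec primary bash -c "echo Secret.123 | kinit admin"
          docker exec primary klist

      - name: Run secondary container
        run: |
          IMAGE=pki-runner \
          NAME=secondary \
          HOSTNAME=secondary.example.com \
          tests/bin/runner-init.sh

      - name: Connect secondary container to network
        run: docker network connect example secondary --alias secondary.example.com

      # The server packages are installed now so the client can later be
      # promoted in place with ipa-replica-install.
      - name: Install IPA packages in secondary container
        run: |
          docker exec secondary dnf install -y freeipa-server freeipa-server-dns

      - name: Install IPA client in secondary container
        run: |
          docker exec secondary sysctl net.ipv6.conf.lo.disable_ipv6=0
          docker exec secondary ipa-client-install \
              -U \
              --server=primary.example.com \
              --domain=example.com \
              --realm=EXAMPLE.COM \
              -p admin \
              -w Secret.123 \
              --no-ntp
          docker exec secondary bash -c "echo Secret.123 | kinit admin"
          docker exec secondary klist

      # Promotion authenticates with the admin ticket obtained above; the
      # replica gets its own CA and KRA clones.
      - name: Promote IPA client into IPA replica in secondary container
        run: |
          docker exec secondary ipa-replica-install \
              --no-host-dns \
              --setup-ca \
              --setup-kra

      # Prove the replica's CA trusts the same agent identity as the primary:
      # the agent PKCS#12 is copied from the primary through the shared
      # ${PKIDIR} mount, imported on the secondary, and used to query the
      # admin user.  ${PKIDIR} is expanded on the host; the path must exist
      # identically in both containers.
      - name: Verify CA admin
        run: |
          docker exec primary cp /root/ca-agent.p12 ${PKIDIR}/ca-agent.p12
          docker exec secondary pki-server cert-export ca_signing --cert-file ca_signing.crt
          docker exec secondary pki client-cert-import ca_signing --ca-cert ca_signing.crt
          docker exec secondary pki client-cert-import --pkcs12 ${PKIDIR}/ca-agent.p12 --pkcs12-password Secret.123
          docker exec secondary pki -n ipa-ca-agent ca-user-show admin

      # Artifact dumps from both containers, on failure too; as in ipa-test
      # they may carry fixture key material and are visible to anyone who can
      # read the run.
      - name: Gather artifacts from primary container
        if: always()
        run: |
          tests/bin/ds-artifacts-save.sh primary EXAMPLE-COM
          tests/bin/pki-artifacts-save.sh primary
          tests/bin/ipa-artifacts-save.sh primary

      - name: Gather artifacts from secondary container
        if: always()
        run: |
          tests/bin/ds-artifacts-save.sh secondary EXAMPLE-COM
          tests/bin/pki-artifacts-save.sh secondary
          tests/bin/ipa-artifacts-save.sh secondary

      # Tear-down of the network only runs on success; the runner VM is
      # discarded afterwards regardless.
      - name: Disconnect secondary container from network
        run: docker network disconnect example secondary

      - name: Disconnect primary container from network
        run: docker network disconnect example primary

      - name: Remove network
        run: docker network rm example

      - name: Upload artifacts from primary container
        if: always()
        uses: actions/upload-artifact@v3
        with:
          name: ipa-clone-primary
          path: |
            /tmp/artifacts/primary

      - name: Upload artifacts from secondary container
        if: always()
        uses: actions/upload-artifact@v3
        with:
          name: ipa-clone-secondary
          path: |
            /tmp/artifacts/secondary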