(SIMP-10175) simplib Add Puppet 7 acceptance test (#259)

* (SIMP-10175) simplib Add Puppet 7 acceptance test

* Add a Puppet 7 acceptance test
* Fixe ipa_fact test suite
* Reinstate GitLab test jobs for caller_function, ipa_fact, and prelink_fact suites
* Split default nodeset for ipa_fact suite into nodesets for CentOS and Oracle
  boxes and then added corresponding *el8 nodes to them
* Fail acceptance tests if no examples are executed.

[SIMP-9666] #comment pupmod-simp-simplib acceptance tests configured
SIMP-10175 #close
SIMP-10303 #close
SIMP-10243 #close

Co-authored-by: lnemsick-simp <lnemsick.simp@gmail.com>
Co-authored-by: lnemsick-simp <lnemsick-simp@users.noreply.github.com>

Author: trevor-vaughan

.fixtures.yml

@@ -1,8 +1,10 @@
 ---
 fixtures:
   repositories:
+    haveged: https://github.com/simp/pupmod-simp-haveged.git
     simpkv: https://github.com/simp/pupmod-simp-simpkv.git
     stdlib: https://github.com/simp/puppetlabs-stdlib.git
+    systemd: https://github.com/simp/puppet-systemd.git
 
     # This needs to be in place for the rspec-puppet Hiera 5 hook to work
     # No idea why, it may be because Puppet sees a custom backend and loads all

.gitlab-ci.yml

@@ -356,8 +356,47 @@ pup6.pe-oel:
   script:
     - 'bundle exec rake beaker:suites[default,oel]'
 
-pup6.pe-win:
+pup6.pe-caller_function:
+  <<: *acceptance_base
+  <<: *pup_6_pe
+  script:
+    - 'bundle exec rake beaker:suites[caller_function,default]'
+
+pup6.pe-ipa_fact:
+  <<: *acceptance_base
+  <<: *pup_6_pe
+  script:
+    - 'bundle exec rake beaker:suites[ipa_fact,default]'
+
+pup6.pe-ipa_fact-oel:
+  <<: *acceptance_base
+  <<: *pup_6_pe
+  <<: *with_SIMP_ACCEPTANCE_MATRIX_LEVEL_3
+  script:
+    - 'bundle exec rake beaker:suites[ipa_fact,oel]'
+
+pup6.pe-prelink_fact:
+  <<: *acceptance_base
+  <<: *pup_6_pe
+  script:
+    - 'bundle exec rake beaker:suites[prelink_fact,default]'
+
+pup6.pe-windows:
   <<: *acceptance_base
   <<: *pup_6_pe
   script:
     - 'bundle exec rake beaker:suites[windows,default]'
+
+pup7.x:
+  <<: *pup_7_x
+  <<: *acceptance_base
+  script:
+    - 'bundle exec rake beaker:suites[default,default]'
+
+# caller_function exercises code that depends upon Puppet-internals, so make
+# sure it is run for the latest version of Puppet
+pup7.pe-caller_function:
+  <<: *acceptance_base
+  <<: *pup_7_x
+  script:
+    - 'bundle exec rake beaker:suites[caller_function,default]'

CHANGELOG

@@ -1,7 +1,9 @@
-* Tue Jun 22 2021 Trevor Vaughan <tvaughan@onyxpoint.com> - 4.9.0
-- Add a `simplib::cron::to_systemd` function to provide 'best-effort'
+* Tue Jul 06 2021 Trevor Vaughan <tvaughan@onyxpoint.com> - 4.9.0
+- Added a `simplib::cron::to_systemd` function to provide 'best-effort'
   conversions of cron resource parameters to a systemd timespec
-- Fix the simplib__networkmanager fact
+- Fixed the simplib__networkmanager fact
+- Fixed a bug where the ipa fact did not detect when an EL8 client was
+  joined to an IPA domain
 
 * Wed Jun 16 2021 Chris Tessmer <chris.tessmer@onyxpoint.com> - 4.9.0
 - Removed support for Puppet 5

lib/facter/ipa.rb

@@ -23,9 +23,21 @@
   kinit = Facter::Core::Execution.which('kinit')
   confine { kinit }
 
+  klist = Facter::Core::Execution.which('klist')
+  confine { klist }
+
   ipa = Facter::Core::Execution.which('ipa')
   confine { ipa }
 
+  truecmd = Facter::Core::Execution.which('true')
+  confine { truecmd }
+
+  # In EL8 the ipa command needs LC_ALL set to UTF-8 and this is the only
+  # workaround at this time
+  locale = ENV.fetch('LANG', 'en_US.UTF-8')
+  locale = 'en_US.UTF-8' unless locale.match?(/UTF-?8/i)
+  ipacmd = "#{truecmd} && LC_ALL=#{locale} #{ipa}"
+
   # This file is only present if the host has, at some time,
   # been joined to an IPA domain.
   confine { File.exist?('/etc/ipa/default.conf') }
@@ -57,19 +69,19 @@
     # We won't know if we are connected to a server until later
     defaults['connected'] = false
 
-    # Grab the necessary information from 'ipa env'
-    ipa_response = Facter::Core::Execution.execute("#{ipa} env #{needed_keys.join(' ')}", options = {:timeout => ipa_timeout})
-
-    if ipa_response.strip.empty?
+    Facter::Core::Execution.execute(klist)
+    unless $?.success?
       # Obtain host Kerberos token so we can use IPA API
       kinit_msg = Facter::Core::Execution.execute("#{kinit} -k 2>&1", options = {:timeout => kinit_timeout})
-      ipa_response = Facter::Core::Execution.execute("#{ipa} env #{needed_keys.join(' ')}", options = {:timeout => ipa_timeout})
     end
 
+    # Grab the necessary information from 'ipa env'
+    ipa_response = Facter::Core::Execution.execute("#{ipacmd} env #{needed_keys.join(' ')}", options = {:timeout => ipa_timeout})
+
     if ipa_response.strip.empty?
       ipa_response = {}
     else
-      ipa_server_response = Facter::Core::Execution.execute("#{ipa} env --server host", options = {:timeout => ipa_timeout})
+      ipa_server_response = Facter::Core::Execution.execute("#{ipacmd} env --server host", options = {:timeout => ipa_timeout})
 
       defaults['connected'] = !ipa_server_response.strip.empty?
 

spec/acceptance/nodesets/default.yml

@@ -9,7 +9,6 @@ HOSTS:
   el7:
     roles:
       - client
-      # roles migrated from now-removed el6 node(s):
       - default
       - master
       - prelink
@@ -21,7 +20,7 @@ HOSTS:
     roles:
       - client
     platform: el-8-x86_64
-    box: centos/8
+    box: generic/centos8
     hypervisor: <%= hypervisor %>
 
 CONFIG:

spec/acceptance/nodesets/oel.yml

@@ -9,7 +9,6 @@ HOSTS:
   oel7:
     roles:
       - client
-      # roles migrated from now-removed el6 node(s):
       - default
       - master
       - prelink

spec/acceptance/suites/ipa_fact/ipa_fact_spec.rb

@@ -23,38 +23,24 @@ def skip_fips(host)
   ipa_realm = ipa_domain.upcase
 
   hosts.each do |host|
-    it 'should be running haveged for entropy' do
-      if skip_fips(host)
-        pending("#{host} does not work in FIPS mode")
-        expect(false).to eq true
-
-        next
-      else
-        # IPA requires entropy, so use haveged service
-        on(host, 'puppet resource package epel-release ensure=present')
-        on(host, 'puppet resource package haveged ensure=present')
-        on(host, 'puppet resource service haveged ensure=running enable=true')
-
-        # Install the IPA client on all hosts
-        on(host, 'puppet resource package ipa-client ensure=present')
-
-        # Admintools for EL6
-        on(host, 'puppet resource package ipa-admintools ensure=present', :accept_all_exit_codes => true)
-
-        # Ensure that the hostname is set to the FQDN
-        hostname = fact_on(host, 'fqdn')
-        if host.host_hash['platform'] =~ /el-7/
-          on(host, "hostnamectl set-hostname #{hostname}")
-        else
-          on(host, "hostname #{hostname}")
-          create_remote_file(host, '/etc/hostname', "#{hostname}\n")
-          on(host, "sed -i '/HOSTNAME/d' /etc/sysconfig/network")
-          on(host, "echo HOSTNAME=#{hostname} >> /etc/sysconfig/network")
-        end
+    next if skip_fips(host)
 
-        # DBus may need to be restarted after updating, and a reboot is the only way
-        host.reboot
-      end
+    # IPA requires entropy!
+    it 'should be running haveged or rngd for entropy' do
+      apply_manifest_on(host, 'include haveged', :accept_all_exit_codes => true)
+      apply_manifest_on(host, 'include haveged')
+    end
+
+    it 'should install IPA client package' do
+      on(host, 'puppet resource package ipa-client ensure=present')
+    end
+
+    it 'should ensure hostname is set to the FQDN' do
+      hostname = pfact_on(host, 'fqdn')
+      on(host, "hostnamectl set-hostname #{hostname}")
+
+      # DBus may need to be restarted after updating, and a reboot is the only way
+      host.reboot
     end
   end
 
@@ -66,9 +52,7 @@ def skip_fips(host)
         results = apply_manifest_on(server, manifest)
         expect(results.output).to match(/Notice: Type => NilClass Content => null/)
 
-        results = JSON.load(on(server, 'puppet facts').output)
-
-        expect(results['values']['ipa']).to be_nil
+        expect(pfact_on(server, 'ipa')).to be_empty
       end
     end
 
@@ -81,9 +65,7 @@ def skip_fips(host)
         results = apply_manifest_on(server, manifest)
         expect(results.output).to match(/Notice: Type => NilClass Content => null/)
 
-        results = JSON.load(on(server, 'puppet facts').output)
-
-        expect(results['values']['ipa']).to be_nil
+        expect(pfact_on(server, 'ipa')).to be_empty
       end
     end
 
@@ -92,7 +74,7 @@ def skip_fips(host)
       it 'ipa fact should contain domain and IPA server' do
         # ipa-server-install installs both the IPA server and client.
         # The fact uses the client env.
-        fqdn = fact_on(server, 'fqdn')
+        fqdn = pfact_on(server, 'fqdn')
 
         cmd = [
           'umask 0022 &&',
@@ -112,23 +94,23 @@ def skip_fips(host)
         # We only care about this data
         expect(apply_manifest_on(server, manifest).output).to match(/Hash Content => {"/)
 
-        results = JSON.load(on(server, 'puppet facts').output)
+        results = pfact_on(server, 'ipa')
 
-        expect(results['values']['ipa']).to_not be_nil
-        expect(results['values']['ipa']['connected']).to eq true
-        expect(results['values']['ipa']['server']).to eq fqdn
-        expect(results['values']['ipa']['domain']).to eq ipa_domain
-        expect(results['values']['ipa']['realm']).to eq ipa_realm
+        expect(results).to_not be_empty
+        expect(results['connected']).to eq true
+        expect(results['server']).to eq fqdn
+        expect(results['domain']).to eq ipa_domain
+        expect(results['realm']).to eq ipa_realm
       end
 
       it 'ipa fact should have unknown status when connection to IPA server is down' do
         # stop IPA server
         on(server, 'ipactl stop')
 
-        results = JSON.load(on(server, 'puppet facts').output)
+        results = pfact_on(server, 'ipa')
 
-        expect(results['values']['ipa']).to_not be_nil
-        expect(results['values']['ipa']['connected']).to eq false
+        expect(results).to_not be_empty
+        expect(results['connected']).to eq false
       end
 
       it 'should restart the IPA server for further tests' do
@@ -144,15 +126,13 @@ def skip_fips(host)
 
       context 'prior to registration' do
         it 'should not have an IPA fact' do
-          results = JSON.load(on(client, 'puppet facts').output)
-
-          expect(results['values']['ipa']).to be_nil
+          expect(pfact_on(client, 'ipa')).to be_empty
         end
       end
 
       context 'after registration' do
         let(:ipa_server) {
-          fact_on(hosts_with_role(hosts, 'server').first, 'fqdn')
+          pfact_on(hosts_with_role(hosts, 'server').first, 'fqdn')
         }
 
         it 'should register with the IPA server' do
@@ -171,21 +151,19 @@ def skip_fips(host)
             '--principal=admin',
             # Admin password
             "--password='#{admin_password}'",
-            # Don't update using authconfig
-            '--noac'
           ].join(' ')
 
           on(client, ipa_command)
         end
 
         it 'should have the IPA fact populated' do
-          results = JSON.load(on(client, 'puppet facts').output)
+          results = pfact_on(client, 'ipa')
 
-          expect(results['values']['ipa']).to_not be_nil
-          expect(results['values']['ipa']['connected']).to eq true
-          expect(results['values']['ipa']['server']).to eq ipa_server
-          expect(results['values']['ipa']['domain']).to eq ipa_domain
-          expect(results['values']['ipa']['realm']).to eq ipa_realm
+          expect(results).to_not be_empty
+          expect(results['connected']).to eq true
+          expect(results['server']).to eq ipa_server
+          expect(results['domain']).to eq ipa_domain
+          expect(results['realm']).to eq ipa_realm
         end
 
         it 'ipa fact should have unknown status when connection to IPA server is down' do
@@ -194,10 +172,10 @@ def skip_fips(host)
             on(server, 'ipactl stop')
           end
 
-          results = JSON.load(on(client, 'puppet facts').output)
+          results = pfact_on(client, 'ipa')
 
-          expect(results['values']['ipa']).to_not be_nil
-          expect(results['values']['ipa']['connected']).to eq false
+          expect(results).to_not be_empty
+          expect(results['connected']).to eq false
         end
 
         it 'should restart the IPA server for further tests' do

spec/acceptance/suites/ipa_fact/nodesets/default.yml

@@ -9,8 +9,7 @@ HOSTS:
   server-el7:
     roles:
       - default
-      # roles migrated from now-removed el6 node(s):
-      - no
+      - no_fips
       - server
     masterless: true
     platform: el-7-x86_64
@@ -19,20 +18,20 @@ HOSTS:
     vagrant_memsize: 2048
     vagrant_cpus: 2
 
-  client-el7:
+  client-el8:
     roles:
       - client
     masterless: true
-    platform: el-7-x86_64
-    box: centos/7
+    platform: el-8-x86_64
+    box: generic/centos8
     hypervisor: <%= hypervisor %>
 
-  client-oel7:
+  client-el7:
     roles:
       - client
     masterless: true
     platform:   el-7-x86_64
-    box:        onyxpoint/oel-7-x86_64
+    box:        centos/7
     hypervisor: <%= hypervisor %>
 
 CONFIG: