Conversation
neha-p6
force-pushed
the
neha-p6/CHEF-17588_kitchen_tests
branch
from
1020afe to
0753276
Compare
neha-p6
force-pushed
the
neha-p6/CHEF-17588_kitchen_tests
branch
from
aadff72 to
4f55611
Compare
neha-p6
changed the title
neha-p6
force-pushed
the
neha-p6/CHEF-17588_kitchen_tests
branch
2 times, most recently
from
a2e83ba to
b923ad8
Compare
neha-p6
changed the title
neha-p6
force-pushed
the
neha-p6/CHEF-17588_kitchen_tests
branch
from
b923ad8 to
269b294
Compare
|
|
Stromweld
left a comment
Stromweld
left a comment
There was a problem hiding this comment.
I don't think we should rename the kitchen.*.yml files in the repo as they are not legacy they'd be the same for both community test-kitchen and test-kitchen-enterprise. Enterprise just adding support for additional config options for licensing.
|
Without app bundler to update code to latest PR committed then we are not testing new code changes before merging. This would break the meaning of doing these tests and thus this shouldn't be merged until that issue is resolved. |
yes appbundle-updater work is in progress and this will not be merged till that is resolved. Agree on it. |
@Stromweld We had reached a conclusion to go this way in internal discussion reason being, with all the changes which we will have to do in future in those configuration yml files (eg, remove the omnitruck installations, other configurations specific omnibus installation path), each of those files are pretty much going to get changed, nothing apart from the VM boxes names is going to get reused. So we decided we will rename those as |
neha-p6
force-pushed
the
neha-p6/CHEF-17588_kitchen_tests
branch
from
269b294 to
a62cd07
Compare
@neha-p6 @tpowell-progress @Stromweld I believe this requires additional discussion. While i agree we may have to run those in parallel however we will have regroup on how this will be from long term perspective. I still think naming can be done differently and exclude legacy to be able to proceed. We will try to have a discussion on this when we regroup on the review. |
|
@rahulgoel1 just for clarity renaming the Github actions jobs is fine and makes sense the actual kitchen.yml files though are simply a configuration file test-kitchen reads in to know what to do. Those wont change from community to enterprise additions of test-kitchen except to add parameter for provisioner to add the license key for chef-client. All the other changes @neha-p6 is talking about would be done in code for the infra-client provisioner. Not in the kitchen.yml file that lives in cookbooks. You also can't remove all of the omnibus stuff or you break functionality for chef-client 18 and older versions of chef-client testing. |
|
@neha-p6 moving to draft because based on several of our understanding, this should be merged to a "feature" branch for the moment ( |
Yes sounds good. I'm going to maintain this branch itself as the feature branch, with any sub-task work being done on branches off of this branch as the base branch. |
@Stromweld None of this is going to be backported to previous chef version branches if that's what we are thinking. Chef18 and previous versions are going to continue to use the community test-kitchen. |
|
@neha-p6 I understand that this is only for 19+ and not for backporting to chef-18. I think our wires are getting crossed here somewhere. I'll schedule a quick meeting for tomorrow to ensure we are all on the same page and understanding each other. |
neha-p6
force-pushed
the
neha-p6/CHEF-17588_kitchen_tests
branch
2 times, most recently
from
7b15a12 to
1f66935
Compare
neha-p6
force-pushed
the
neha-p6/CHEF-17588_kitchen_tests
branch
from
9759482 to
dd81072
Compare
neha-p6
force-pushed
the
neha-p6/CHEF-17588_kitchen_tests
branch
2 times, most recently
from
aaa87cf to
a271aa7
Compare
|
@neha-p6 it looks like both the front of the |
|
OK, so we discussed this at length in the meeting. The right call is most likely: If you use GEM_PATH or PATH, you have to make guesses, which is going to cause real issues. If you use There is one case where this won't work and that is if someone called So basically we're looking at code like: def hab_chef_client_binary
path = File.realpath($PROGRAM_NAME)
bin = File.basename(path)
return path if bin == 'chef-client'
# this chunk optional...
dir = File.dirname(path)
probably = File.join(dir, 'chef-client')
return probably if File.exist?(probably)
fail "Cannot determine our chef-client binary"
end |
neha-p6
force-pushed
the
neha-p6/CHEF-17588_kitchen_tests
branch
2 times, most recently
from
c810191 to
67ee1f1
Compare
|
@jaymzh @tpowell-progress After rebasing with main, which pulls in #14911, I'm seeing |
|
Well, since this is only happening on the new modified hab-based docker tests in this PR, and everything else works fine, my guess is it's something amis with the hab builds. This feels very Habitat-specific. Paging @mwrock ... |
|
I just submitted #15038 which I think may fix this. |
jaymzh
force-pushed
the
neha-p6/CHEF-17588_kitchen_tests
branch
from
0f09c39 to
91bb688
Compare
|
I merged Matt's PR and rebased this, it should solve that issue. |
|
So I mentioned this to @mwrock in slack, but based on what I'm seeing in the tests, it looks like this PR may be fundamentally flawed. I'm not sure, so if I'm misunderstanding @neha-p6 please clarify. This PR seems to be installing previously-built chef-infra habitat packages. This means that when it is running on a PR it is in fact not testing the code in the PR. The current tests on If I'm correct, that would be a severe regression in the testing, and we should definitely not move in this direction. If the goal is to move kitchen testing to habitat packages, then the testing infra needs to build an adhoc hab package and use it. Doing that on each Linux platform is obviously a bit silly, but would suffice. Better would be to have an earlier workflow build and stash the package, later platforms depend on that, and pull the package. Either way, it doesn't make sense regress the tests in a way that mean the PR the tests are running against not be what we're actually testing. |
@jaymzh It is testing the code in the inside the PR by rebasing the commit on top of previously built habitat package installation using e.g Version installed from test-kitchen-enterprise, which is the last RC release: After updating binstubs and code to the commit SHA using |
|
Ah, I see. Thanks for explaining. Assuming appbundler-updater works properly in habitat packages, that should be fine, but , you'll need to build a new hab package (however that happens), to get a usable hab packages for this PR to work correctly on. |
We have already made |
|
Yes, I understand that. However, you need a version that has Matt's build fixes in it to start from. That's not Ruby code so it won't be affected by appbundler-updater. |
Ah I see. I thought you were referring to incorrect package being testing this PR in general. |
neha-p6
force-pushed
the
neha-p6/CHEF-17588_kitchen_tests
branch
2 times, most recently
from
0129b5c to
d27d952
Compare
neha-p6
force-pushed
the
neha-p6/CHEF-17588_kitchen_tests
branch
4 times, most recently
from
0328ea4 to
8bd710a
Compare
| if os.windows? | ||
| openssl_paths = Dir.glob("C:/hab/pkgs/core/openssl/*/*/bin/openssl.exe").sort | ||
| openssl_bin = openssl_paths.last | ||
| ca_file = "C:\\ssl_test\\my_ca.crt" | ||
| cert_file = "C:\\ssl_test\\my_signed_cert.crt" | ||
|
|
||
| # Currently community test kitchen is still used to run kitchen tests on windows, so we need to use omnibus path there | ||
| # We will to do this until test-kitchen-enterprise supports other platforms and drivers. | ||
| if !openssl_bin || !File.exist?(openssl_bin) | ||
| openssl_bin = "C:\\opscode\\chef\\embedded\\bin\\openssl.exe" | ||
| end | ||
| else | ||
| openssl_paths = Dir.glob("/hab/pkgs/core/openssl/*/*/bin/openssl").sort | ||
| openssl_bin = openssl_paths.last | ||
|
|
||
| ca_file = "/etc/ssl_test/my_ca.crt" | ||
| cert_file = "/etc/ssl_test/my_signed_cert.crt" | ||
|
|
||
| # Currently community test kitchen is still used to run kitchen tests on linux VMs, so we need to use omnibus path there | ||
| # We will to do this until test-kitchen-enterprise supports other platforms and drivers. | ||
| if !openssl_bin || !File.exist?(openssl_bin) | ||
| openssl_bin = "/opt/chef/embedded/bin/openssl" | ||
| end | ||
| end | ||
|
|
||
| cmd = "#{openssl_bin} verify -CAfile #{ca_file} #{cert_file}" | ||
| describe command(cmd) do |
There was a problem hiding this comment.
This can be simplified to:
| if os.windows? | |
| openssl_paths = Dir.glob("C:/hab/pkgs/core/openssl/*/*/bin/openssl.exe").sort | |
| openssl_bin = openssl_paths.last | |
| ca_file = "C:\\ssl_test\\my_ca.crt" | |
| cert_file = "C:\\ssl_test\\my_signed_cert.crt" | |
| # Currently community test kitchen is still used to run kitchen tests on windows, so we need to use omnibus path there | |
| # We will to do this until test-kitchen-enterprise supports other platforms and drivers. | |
| if !openssl_bin || !File.exist?(openssl_bin) | |
| openssl_bin = "C:\\opscode\\chef\\embedded\\bin\\openssl.exe" | |
| end | |
| else | |
| openssl_paths = Dir.glob("/hab/pkgs/core/openssl/*/*/bin/openssl").sort | |
| openssl_bin = openssl_paths.last | |
| ca_file = "/etc/ssl_test/my_ca.crt" | |
| cert_file = "/etc/ssl_test/my_signed_cert.crt" | |
| # Currently community test kitchen is still used to run kitchen tests on linux VMs, so we need to use omnibus path there | |
| # We will to do this until test-kitchen-enterprise supports other platforms and drivers. | |
| if !openssl_bin || !File.exist?(openssl_bin) | |
| openssl_bin = "/opt/chef/embedded/bin/openssl" | |
| end | |
| end | |
| cmd = "#{openssl_bin} verify -CAfile #{ca_file} #{cert_file}" | |
| describe command(cmd) do | |
| seperator = File::ALT_SEPARATOR || File::SEPARATOR | |
| openssl_path = File.join("#{os.windows? ? 'C:/hab' : '/hab'}", "pkgs", "core", "openssl", "*", "*", "bin", "openssl#{'.exe' if os.windows?}") | |
| openssl_bin = Dir.glob(openssl_path).sort.last.split("/").join(seperator) | |
| ca_file = ["#{os.windows? ? 'C:' : '/etc'}", 'ssl_test', 'my_ca.crt'].join(seperator) | |
| cert_file = ["#{os.windows? ? 'C:' : '/etc'}", 'ssl_test', 'my_signed_cert.crt'].join(seperator) | |
| # Currently community test-kitchen is still used to run kitchen tests on VMs, so we need to use omnibus path there | |
| # We will need to do this until test-kitchen-enterprise supports other platforms and drivers | |
| unless File.exist?(openssl_bin) | |
| openssl_bin = ["#{os.windows? ? 'C:\\opscode' : '/opt'}", 'chef', 'embedded', 'bin', "openssl#{'.exe' if os.windows?}"].join(seperator) | |
| end | |
| describe command("#{openssl_bin} verify -CAfile #{ca_file} #{cert_file}") do |
There was a problem hiding this comment.
I tested this to work on both windows and linux
|
@neha-p6 when troubleshooting that openssl_bin issue I found puts statements don't get printed but if you change it to raise you can get the output in the exception that gets created when testing. The suggested update I have above I did test it to work on both windows and linux VMs. |
neha-p6
force-pushed
the
neha-p6/CHEF-17588_kitchen_tests
branch
from
d257111 to
8043be1
Compare
| uses: actions/checkout@v4 | ||
| - name: Install chef-test-kitchen-enterprise | ||
| env: | ||
| HAB_AUTH_TOKEN: ${{ secrets.HAB_AUTH_TOKEN }} |
There was a problem hiding this comment.
we can't use Github Secrets as this breaks community forks and PR jobs fail for them as they don't have access to our secrets. This is the same reason why we had to hard code a chef-client free license into kitchen.yml files vs using github actions secrets.
There was a problem hiding this comment.
You can sometimes, fwiw. LIke this will work:
name: DCO Check
steps:
- name: Get PR Commits
uses: tim-actions/get-pr-commits@master
id: 'get-pr-commits'
with:
token: ${{ secrets.GITHUB_TOKEN }}
I'm a bit unclear when it does and does not work though.
There was a problem hiding this comment.
GITHUB_TOKEN only works as that's autogenerated for the specific GHA workflow action that is running and has limited access. Custom secrets such as this one needed to connect to public habitat builder to download the chef-test-kitchen-enterprise habitat package doesn't work with forks as that'd be a security issue for the secret.
There was a problem hiding this comment.
Ah indeed. Yeah, that's right - static secrets vs session secrets.
Windows, Mac and linux on vagrant will be tested using legacy test-kitchen(license validation will be skipped) whereas linux docker containers will be tested using test-kitchen-enterprise (license will be validated) 1. Rename kitchen-fips workflow as wndows-fips as it is not a test-kitchen in reality 2. Install chef/chef-cli from unstable channel as there's none in stable, pin to version 6.1.6 as latest version has ruby package 404 error 3. Install specific version of gcc and use that to fix bundle install issues at run time 4. Modify OpenSSL integration test being run using test-kitchen so that it picks up habitat openSSL binary on docker images and falls back to omnibus binary path of openssl to support community test-kitchen runs in pipelines on mac, windows and linux VMs (until test-kitchen-enterprise starts supporting those plaforms) 5. Fix unit tests to correctly use habitat binary path of Infra client instead of omnibus path, update specs to stub the method calls 6. Temporarily update linux recipes being tested in test-kitchen pipeline which test resources that have `chef_binary_path` property. Since the default value is now habitat path for infra client binary, vagrant boxes on which these recipes are run will fail since they use omnibus package with community test-kitchen * Fetching binary path to Infra client's habitat installation: 1.Add a new constant in chef-utils to signify hab package name 2.Create a new path helper which will traverse through the directories to fetch the executable path 3. Use the path in resources to set the `chef_binary_path` property's default value Signed-off-by: Neha Pansare <neha.pansare@progress.com> Try diff trial license key Signed-off-by: Neha Pansare <neha.pansare@progress.com>
neha-p6
force-pushed
the
neha-p6/CHEF-17588_kitchen_tests
branch
from
87432fe to
3758f26
Compare
|
|
@neha-p6 closing as assuming this is superseded by recent work |
8 participants
Description
Chef-19 has introduced licensing so kitchen tests need some changes. This is phase 1 of those changes.
There is a forked version of test-kitchen now available
chef-test-kitchen-enterprisewhich is a habitat package that can handle licensing. But the RC1 release of it currently supportskitchen-dokkendriver on Linux x86_64 platforms only. So we will use it only for docker testing on linux machines under Github Actions (GHA)To continue doing end-to-end recipe testing of Chef, for now on rest of the platforms kitchen testing will be done using legacy
test-kitchen(corresponding jobs are named aslegacyto signify the same) so that the code under a PR continues to get recipe tested.In future when
chef-test-kitchen-enterprisewill add support for new drivers and platforms, things will be modified under GHA to incorporate them.Renamed
kitchen-fipsworkflow aswindows-fipsas it does not use test-kitchen in any form but is only to test FIPS enablement on windows. The name causes confusion about its function.There are few resources with a property's default value pointing to binary path of Infra client's executable. Since Chef 19 is now habitat executable instead of omnibus, all those properties and also rspec tests are now fixed here to point to habitat binary path of Infra Client.
Related Issue
Types of changes
Checklist:
Gemfile.lockhas changed, I have used--conservativeto do it and included the full output in the Description above.