[WFLY-18476] helloworld-mutual-ssl Quickstart Common Enhancements CY2023Q3 #727
Conversation
|
Hi @PrarthonaPaul. Thanks for your PR. I'm waiting for a wildfly member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
PrarthonaPaul
force-pushed
the
helloworld-mutual-ssl-enhancement
branch
from
32b3ffd
to
0cea65f
Compare
There was a problem hiding this comment.
Besides changes pointed in PR please change also the following:
- this should use property named "version.bom.ee"
quickstart/helloworld-mutual-ssl/pom.xml
Line 118 in 0cea65f
...-mutual-ssl/src/test/java/org/jboss/as/quickstarts/helloworld_mutual_ssl/BasicRuntimeIT.java
Outdated
Show resolved
Hide resolved
...-mutual-ssl/src/test/java/org/jboss/as/quickstarts/helloworld_mutual_ssl/BasicRuntimeIT.java
Outdated
Show resolved
Hide resolved
| @@ -0,0 +1,15 @@ | |||
| name: WildFly helloworld-mutual-ssl Quickstart CI | |||
There was a problem hiding this comment.
The filename should be "quickstart_helloworld-mutual-ssl_ci.yml" and this Quickstart actually requires additional functionality in the abstract reused quickstart_ci.yml, which I will add later ( https://issues.redhat.com/browse/WFLY-18612 ), for now please use the following code:
name: WildFly helloworld-mutual-ssl Quickstart CI
on:
pull_request:
types: [opened, synchronize, reopened, ready_for_review]
paths:
- helloworld-mutual-ssl/**'
# Only run the latest job
concurrency:
group: '${{ github.workflow }} @ ${{ github.ref || github.run_id }}'
cancel-in-progress: true
jobs:
Test-build-default-matrix:
name: BUILD DEFAULT - JDK${{ matrix.jdk }} - ${{ matrix.os }}
runs-on: ${{ matrix.os }}
strategy:
fail-fast: false
matrix:
jdk: [11, 17]
os: [ubuntu-20.04, windows-latest]
steps:
- uses: actions/checkout@v4
with:
path: quickstarts
- name: Set up JDK ${{ matrix.jdk }}
uses: actions/setup-java@v3
with:
java-version: ${{ matrix.jdk }}
distribution: 'temurin'
cache: 'maven'
- name: Build ${{ inputs.QUICKSTART_PATH }} Quickstart for Release
run: |
cd quickstarts
cd helloworld-mutual-ssl
mvn -U -B -fae clean install -Drelease
shell: bash
- name: Build, run & test helloworld-mutual-ssl Quickstart with provisioned-server profile
run: |
cd quickstarts
cd helloworld-mutual-ssl
echo "Building provisioned server..."
mvn -U -B -fae clean package -Pprovisioned-server
echo "Starting provisioned server..."
mvn -U -B -fae wildfly:start -DjbossHome=target/server -Dstartup-timeout=120
# echo "Testing provisioned server..."
# mvn -U -B -fae verify -Dserver.host=https://localhost:8080 -Pintegration-testing
echo "Shutting down provisioned server..."
mvn -U -B -fae wildfly:shutdown
shell: bash
- name: Build helloworld-mutual-ssl Quickstart with openshift profile
run: |
cd quickstarts
cd helloworld-mutual-ssl
mvn -U -B -fae clean package -Popenshift
shell: bash
- uses: actions/upload-artifact@v3
if: failure()
with:
name: surefire-reports-JDK${{ matrix.jdk }}-${{ matrix.os }}
path: 'quickstarts/helloworld-mutual-ssl/**/surefire-reports/*.txt'
Test-build-with-deps-matrix:
name: BUILD WITH DEPS - JDK${{ matrix.jdk }} - ${{ matrix.os }}
runs-on: ${{ matrix.os }}
strategy:
fail-fast: false
matrix:
jdk: [11, 17]
os: [ubuntu-20.04, windows-latest]
steps:
- uses: actions/checkout@v4
with:
repository: wildfly/wildfly
ref: ${{ github.base_ref }}
path: wildfly
- uses: actions/checkout@v4
with:
path: quickstarts
- name: Set up JDK ${{ matrix.jdk }}
uses: actions/setup-java@v3
with:
java-version: ${{ matrix.jdk }}
distribution: 'temurin'
cache: 'maven'
- name: Build Server
run: |
cd wildfly
mvn -U -B -fae -DskipTests clean install
shell: bash
- name: Get Server Version
run: |
cd wildfly
echo "VERSION_SERVER=$(mvn -N org.apache.maven.plugins:maven-help-plugin:3.2.0:evaluate -Dexpression=project.version -q -DforceStdout)" >> $GITHUB_ENV
shell: bash
- name: Build Quickstart for Release with built Server version
run: |
cd quickstarts
cd helloworld-mutual-ssl
mvn -U -B -fae clean package -Drelease -Dversion.server=${{ env.VERSION_SERVER }}
shell: bash
- name: Build, run & test helloworld-mutual-ssl Quickstart with provisioned-server profile, and built Server version
run: |
cd quickstarts
cd helloworld-mutual-ssl
echo "Building provisioned server..."
mvn -U -B -fae clean package -Pprovisioned-server -Dversion.server=${{ env.VERSION_SERVER }}
echo "Starting provisioned server..."
mvn -U -B -fae wildfly:start -DjbossHome=target/server -Dstartup-timeout=120
# echo "Testing provisioned server..."
# mvn -U -B -fae verify -Dserver.host=http://localhost:8080 -Pintegration-testing
echo "Shutting down provisioned server..."
mvn -U -B -fae wildfly:shutdown
shell: bash
- name: Build helloworld-mutual-ssl Quickstart with openshift profile, and built Server version
run: |
cd quickstarts
cd helloworld-mutual-ssl
mvn -U -B -fae clean package -Popenshift -Dversion.server=${{ env.VERSION_SERVER }}
shell: bash
- uses: actions/upload-artifact@v3
if: failure()
with:
name: surefire-reports-JDK${{ matrix.jdk }}-${{ matrix.os }}
path: 'quickstarts/**/surefire-reports/*.txt'
There was a problem hiding this comment.
all features this QS needs are now available, so please change this file to:
name: WildFly helloworld-mutual-ssl Quickstart CI
on:
pull_request:
types: [opened, synchronize, reopened, ready_for_review]
paths:
- 'helloworld-mutual-ssl/**'
- '.github/workflows/quickstart_ci.yml'
jobs:
call-quickstart_ci:
uses: ./.github/workflows/quickstart_ci.yml
with:
QUICKSTART_PATH: helloworld-mutual-ssl
SERVER_PROVISIONING_SERVER_HOST: https://localhost:8443/
TEST_PROVISIONED_SERVER: true
TEST_OPENSHIFT: false
There was a problem hiding this comment.
for the ci, we may need to add the path to server config directory using the -Djboss.server.config.dir=path/to/standalone/configuration param. Would this be part of this script?
PrarthonaPaul
force-pushed
the
helloworld-mutual-ssl-enhancement
branch
2 times, most recently
from
ffbf7e4
to
9522501
Compare
|
No, in such case you may skip the whole cloud enhancements (helm chart,
openshift maven profile, the readme instructions), and remove the build of
the openshift profile on your CI workflow yml.
…On Tue, 10 Oct 2023 at 20:00, Prarthona Paul ***@***.***> wrote:
***@***.**** commented on this pull request.
------------------------------
In
helloworld-mutual-ssl/src/test/java/org/jboss/as/quickstarts/helloworld_mutual_ssl/BasicRuntimeIT.java
<#727 (comment)>:
> + */
+public class BasicRuntimeIT {
+
+ private static final String DEFAULT_SERVER_HOST = "http://localhost:8080";
+
+ @test
+ public void testHTTPEndpointIsAvailable() throws IOException, InterruptedException, URISyntaxException {
+ String serverHost = System.getenv("SERVER_HOST");
+ if (serverHost == null) {
+ serverHost = System.getProperty("server.host");
+ }
+ if (serverHost == null) {
+ serverHost = DEFAULT_SERVER_HOST;
+ }
+ final HttpRequest request = HttpRequest.newBuilder()
+ .uri(new URI(serverHost+"/"))
I have tested it with both .uri(new URI(serverHost+"/")) and .uri(new
URI(serverHost+"/HelloWorld")) and the former seems to pass the tests
while the latter gives the following errors:
[ERROR] Tests run: 1, Failures: 1, Errors: 0, Skipped: 0, Time elapsed: 0.217 s <<< FAILURE! - in org.jboss.as.quickstarts.helloworld_mutual_ssl.BasicRuntimeIT
[ERROR] testHTTPEndpointIsAvailable(org.jboss.as.quickstarts.helloworld_mutual_ssl.BasicRuntimeIT) Time elapsed: 0.196 s <<< FAILURE!
java.lang.AssertionError: expected:<200> but was:<500>
at org.jboss.as.quickstarts.helloworld_mutual_ssl.BasicRuntimeIT.testHTTPEndpointIsAvailable(BasicRuntimeIT.java:57)
When I ran the quickstart following the README file, I saw that
https://localhost:8443/helloworld-mutual-ssl redirects to
https://localhost:8443/helloworld-mutual-ssl/HelloWorld, so I am not sure
why the tests are giving 500 error.
If you have any suggestions, please feel free to let me know.
Or if leaving it at .uri(new URI(serverHost+"/")) works, then I can
change it to that too.
Thank you for reviewing the PR :)
—
Reply to this email directly, view it on GitHub
<#727 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAEDY6ARDQPWRGQLAWPKVATX6WLOFAVCNFSM6AAAAAA5WAIKHOVHI2DSMVQWIX3LMV43YUDVNRWFEZLROVSXG5CSMV3GSZLXHMYTMNRYGY3TANZWGA>
.
You are receiving this because you were mentioned.Message ID:
***@***.***>
|
|
I will have a look at it tomorrow morning (in around 10h).
…On Tue, 10 Oct 2023 at 21:21, Eduardo Martins ***@***.***> wrote:
No, in such case you may skip the whole cloud enhancements (helm chart,
openshift maven profile, the readme instructions), and remove the build of
the openshift profile on your CI workflow yml.
On Tue, 10 Oct 2023 at 20:00, Prarthona Paul ***@***.***>
wrote:
> ***@***.**** commented on this pull request.
> ------------------------------
>
> In
> helloworld-mutual-ssl/src/test/java/org/jboss/as/quickstarts/helloworld_mutual_ssl/BasicRuntimeIT.java
> <#727 (comment)>:
>
> > + */
> +public class BasicRuntimeIT {
> +
> + private static final String DEFAULT_SERVER_HOST = "http://localhost:8080";
> +
> + @test
> + public void testHTTPEndpointIsAvailable() throws IOException, InterruptedException, URISyntaxException {
> + String serverHost = System.getenv("SERVER_HOST");
> + if (serverHost == null) {
> + serverHost = System.getProperty("server.host");
> + }
> + if (serverHost == null) {
> + serverHost = DEFAULT_SERVER_HOST;
> + }
> + final HttpRequest request = HttpRequest.newBuilder()
> + .uri(new URI(serverHost+"/"))
>
> I have tested it with both .uri(new URI(serverHost+"/")) and .uri(new
> URI(serverHost+"/HelloWorld")) and the former seems to pass the tests
> while the latter gives the following errors:
>
> [ERROR] Tests run: 1, Failures: 1, Errors: 0, Skipped: 0, Time elapsed: 0.217 s <<< FAILURE! - in org.jboss.as.quickstarts.helloworld_mutual_ssl.BasicRuntimeIT
> [ERROR] testHTTPEndpointIsAvailable(org.jboss.as.quickstarts.helloworld_mutual_ssl.BasicRuntimeIT) Time elapsed: 0.196 s <<< FAILURE!
> java.lang.AssertionError: expected:<200> but was:<500>
> at org.jboss.as.quickstarts.helloworld_mutual_ssl.BasicRuntimeIT.testHTTPEndpointIsAvailable(BasicRuntimeIT.java:57)
>
> When I ran the quickstart following the README file, I saw that
> https://localhost:8443/helloworld-mutual-ssl redirects to
> https://localhost:8443/helloworld-mutual-ssl/HelloWorld, so I am not
> sure why the tests are giving 500 error.
> If you have any suggestions, please feel free to let me know.
> Or if leaving it at .uri(new URI(serverHost+"/")) works, then I can
> change it to that too.
> Thank you for reviewing the PR :)
>
> —
> Reply to this email directly, view it on GitHub
> <#727 (comment)>,
> or unsubscribe
> <https://github.com/notifications/unsubscribe-auth/AAEDY6ARDQPWRGQLAWPKVATX6WLOFAVCNFSM6AAAAAA5WAIKHOVHI2DSMVQWIX3LMV43YUDVNRWFEZLROVSXG5CSMV3GSZLXHMYTMNRYGY3TANZWGA>
> .
> You are receiving this because you were mentioned.Message ID:
> ***@***.***>
>
|
PrarthonaPaul
force-pushed
the
helloworld-mutual-ssl-enhancement
branch
3 times, most recently
from
f70a7ee
to
c035ee5
Compare
There was a problem hiding this comment.
Besides the pointed issues, the QS is not working for me, even with standard dist. Anyway I think we all (including @fjuma) agreed that we should truly rework this one, for it to demo usage of the self signed and generated certificate, instead of repeating what we do on the "secured" version of the QS.
| private static final String DEFAULT_SERVER_HOST = "https://localhost:8443/helloworld-mutual-ssl"; | ||
|
|
||
| @Test | ||
| public void testHTTPEndpointIsAvailable() throws IOException, InterruptedException, URISyntaxException { |
There was a problem hiding this comment.
Don't we need certificates on this one too?
There was a problem hiding this comment.
Added the same test.
For now it is the same thing as helloworld-mutual-ssl-secured except the URL.
This QS uses https://localhost:8443/helloworld-mutual-ssl/HelloWorld
@emmartins or @fjuma please let me know how you would like this one to be different than the other QS.
Thanks!
PrarthonaPaul
force-pushed
the
helloworld-mutual-ssl-enhancement
branch
4 times, most recently
from
ef578e2
to
134947c
Compare
helloworld-mutual-ssl/pom.xml
Outdated
| <properties> | ||
| <!-- the version for the Server --> | ||
| <version.server>30.0.0.Beta1</version.server> | ||
| <!-- The versions for BOMs, Packs and Plugins --> |
There was a problem hiding this comment.
The indentation in this block looks off.
| @@ -0,0 +1,18 @@ | |||
| #configure a key-store in the Elytron subsystem. The path to the keystore file doesn’t actually have to exist yet. | |||
There was a problem hiding this comment.
I think the same comments I mentioned in the helloworld-mutual-ssl-secured quickstart apply here as well.
| # Export the certificate to a file called clientCert.crt | ||
| /subsystem=elytron/key-store=clientKS:export-certificate(alias=quickstartUser, path=clientCert.crt, relative-to=jboss.server.config.dir, pem=true) | ||
|
|
||
| # Create a the server's truststore |
| # Create a the server's truststore | ||
| /subsystem=elytron/key-store=serverTS:add(path=server.truststore, relative-to=jboss.server.config.dir, credential-reference={clear-text=secret}, type=PKCS12) | ||
|
|
||
| # Import a certificate into the server's truststore |
There was a problem hiding this comment.
s/a certificate/the client's certificate
| /subsystem=elytron/trust-manager=qsTrustManager:add(key-store=qsTrustStore) | ||
|
|
||
| # Update the default server-ssl-context to reference the new trust-manager and require client auth | ||
| /subsystem=elytron/server-ssl-context=applicationSSC:write-attribute(name=trust-manager, value=qsTrustManager) | ||
| /subsystem=elytron/server-ssl-context=applicationSSC:write-attribute(name=need-client-auth, value=true) | ||
|
|
||
| #generate the key pair that the server would use for its keystore |
There was a problem hiding this comment.
The comments in this file should be updated too.
There was a problem hiding this comment.
fixed!
Thanks for reviewing!
PrarthonaPaul
force-pushed
the
helloworld-mutual-ssl-enhancement
branch
from
134947c
to
fe3de9c
Compare
| @@ -0,0 +1,18 @@ | |||
| # Configure a key-store in the Elytron subsystem. The path to the keystore file doesn’t actually have to exist yet. | |||
There was a problem hiding this comment.
Just to make it more clear that this is just for the client's cert, maybe can reword to:
Configure the client's keystore. This will be used to generate the client's certificate. The path to the keystore file doesn’t actually have to exist yet
| # Generate a new key pair for the client. We'll use an RSA key of size 2048 and we'll use CN=quickstartUser | ||
| /subsystem=elytron/key-store=clientKS:generate-key-pair(alias=quickstartUser, algorithm=RSA, key-size=2048, validity=365, credential-reference={clear-text=secret}, distinguished-name="cn=quickstartUser") | ||
|
|
||
| # Export the certificate to a file called clientCert.crt |
There was a problem hiding this comment.
s/the certificate/the client's certificate
| @@ -0,0 +1,18 @@ | |||
| # Configure a key-store in the Elytron subsystem. The path to the keystore file doesn’t actually have to exist yet. | |||
There was a problem hiding this comment.
Just minor, but configure-client-certs.cli could be renamed to just configure-client-cert.cli.
There was a problem hiding this comment.
FIxed!
Thank you!
PrarthonaPaul
force-pushed
the
helloworld-mutual-ssl-enhancement
branch
2 times, most recently
from
71e7166
to
83d5ac2
Compare
|
WFLY 31.0.0.Beta1 has been released, please rebase this PR with upstream/main branch, and update:
|
PrarthonaPaul
force-pushed
the
helloworld-mutual-ssl-enhancement
branch
from
743c174
to
29d854f
Compare
|
Hi @emmartins |
… use a CLI script instead of keytool
PrarthonaPaul
force-pushed
the
helloworld-mutual-ssl-enhancement
branch
from
29d854f
to
6b83c27
Compare
| ---- | ||
| $ cd __{jbossHomeName}__/standalone/configuration/ | ||
| ---- | ||
| == Set Up the Client Keystore |
There was a problem hiding this comment.
this section should be moved to after server is started
| if (serverHost == null) { | ||
| serverHost = DEFAULT_SERVER_HOST; | ||
| } | ||
| String serverDir = System.getenv("SERVER_HOME"); |
There was a problem hiding this comment.
The need for this extra property is not documented in the README, and IMHO it's a bit confusing, I think jbossHome property (matching what is used by the wildfly plugin when starting the server) would be an improvement but if possible wouldn't be simpler to generate the client.keystore.P12 in the user dir, and have the test assume it's at user.dir... if not possible perhaps an extra step to copy client.keystore.P12 to the user.dir?
| <dependency> | ||
| <groupId>org.apache.httpcomponents</groupId> | ||
| <artifactId>httpclient</artifactId> | ||
| <version>4.5.13</version> |
There was a problem hiding this comment.
Please remove version, it's managed by our BOM, and add test scope.
There was a problem hiding this comment.
It looks like these changes have been addressed already.
Thanks @emmartins !
https://issues.redhat.com/browse/WFLY-18476