Révision bd5145ab
Add basic configuration validation acceptance test (#38)
- Add basic configuration validation acceptance test
It is not possible to start the nftables service within docker so
the service is altered to only validate the service
configuration resulting from concat constructed files and nft inclusions.
.github/workflows/ci.yml | ||
---|---|---|
45 | 45 |
bundler-cache: true |
46 | 46 |
- name: Run tests |
47 | 47 |
run: bundle exec rake |
48 |
|
|
49 |
acceptance: |
|
50 |
needs: setup_matrix |
|
51 |
runs-on: ubuntu-latest |
|
52 |
env: |
|
53 |
BUNDLE_WITHOUT: development:test:release |
|
54 |
strategy: |
|
55 |
fail-fast: false |
|
56 |
matrix: |
|
57 |
setfile: ${{fromJson(needs.setup_matrix.outputs.beaker_setfiles)}} |
|
58 |
puppet: ${{fromJson(needs.setup_matrix.outputs.puppet_major_versions)}} |
|
59 |
name: ${{ matrix.puppet.name }} - ${{ matrix.setfile.name }} |
|
60 |
steps: |
|
61 |
- name: Enable IPv6 on docker |
|
62 |
run: | |
|
63 |
echo '{"ipv6":true,"fixed-cidr-v6":"2001:db8:1::/64"}' | sudo tee /etc/docker/daemon.json |
|
64 |
sudo service docker restart |
|
65 |
- uses: actions/checkout@v2 |
|
66 |
- name: Setup ruby |
|
67 |
uses: ruby/setup-ruby@v1 |
|
68 |
with: |
|
69 |
ruby-version: '2.7' |
|
70 |
bundler-cache: true |
|
71 |
- name: Run tests |
|
72 |
run: bundle exec rake beaker |
|
73 |
env: |
|
74 |
BEAKER_PUPPET_COLLECTION: ${{ matrix.puppet.collection }} |
|
75 |
BEAKER_setfile: ${{ matrix.setfile.value }} |
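Review bot: The new `acceptance` job references its actions by mutable tags (`actions/checkout@v2`, `ruby/setup-ruby@v1`), so whatever those tags point to at run time executes on the runner next to the `sudo` steps. Pinning each to a full commit SHA, for example `uses: ruby/setup-ruby@<full-commit-sha> # v1`, keeps the job reproducible and limits the impact of a retagged release. No `permissions:` key is visible for this job. If the workflow does not set one at the top, which is outside the lines shown here, a job-level `permissions:` entry with `contents: read` would restrict the job token to what the checkout needs.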
.sync.yml | ||
---|---|---|
1 | 1 |
--- |
2 | 2 |
spec/spec_helper.rb: |
3 | 3 |
mock_with: ':mocha' |
4 |
|
|
5 |
spec/spec_helper_acceptance.rb: |
|
6 |
unmanaged: false |
spec/acceptance/default_spec.rb | ||
---|---|---|
1 |
require 'spec_helper_acceptance' |
|
2 |
|
|
3 |
describe 'nftables class' do |
|
4 |
context 'configure default nftables service' do |
|
5 |
it 'works idempotently with no errors' do |
|
6 |
pp = <<-EOS |
|
7 |
# default mask of firewalld service fails if service is not installed. |
|
8 |
# https://tickets.puppetlabs.com/browse/PUP-10814 |
|
9 |
class { 'nftables': |
|
10 |
firewalld_enable => false, |
|
11 |
} |
|
12 |
# nftables cannot be started in docker so replace service with a validation only. |
|
13 |
systemd::dropin_file{"zzz_docker_nft.conf": |
|
14 |
ensure => present, |
|
15 |
unit => "nftables.service", |
|
16 |
content => [ |
|
17 |
"[Service]", |
|
18 |
"ExecStart=", |
|
19 |
"ExecStart=/sbin/nft -c -I /etc/nftables/puppet -f /etc/sysconfig/nftables.conf", |
|
20 |
"ExecReload=", |
|
21 |
"ExecReload=/sbin/nft -c -I /etc/nftables/puppet -f /etc/sysconfig/nftables.conf", |
|
22 |
"", |
|
23 |
].join("\n"), |
|
24 |
notify => Service["nftables"], |
|
25 |
} |
|
26 |
# Puppet 5 only to ensure ordering. |
|
27 |
Class['systemd::systemctl::daemon_reload'] -> Service['nftables'] |
|
28 |
EOS |
|
29 |
# Run it twice and test for idempotency |
|
30 |
apply_manifest(pp, catch_failures: true) |
|
31 |
apply_manifest(pp, catch_changes: true) |
|
32 |
end |
|
33 |
|
|
34 |
describe package('nftables') do |
|
35 |
it { is_expected.to be_installed } |
|
36 |
end |
|
37 |
|
|
38 |
describe service('nftables') do |
|
39 |
it { is_expected.to be_running } |
|
40 |
it { is_expected.to be_enabled } |
|
41 |
end |
|
42 |
|
|
43 |
describe file('/etc/nftables/puppet.nft') do |
|
44 |
it { is_expected.to be_file } |
|
45 |
end |
|
46 |
|
|
47 |
describe file('/etc/nftables/puppet') do |
|
48 |
it { is_expected.to be_directory } |
|
49 |
end |
|
50 |
end |
|
51 |
end |
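Review bot: The `be_running` and `be_enabled` expectations on `service('nftables')` do not show that a ruleset was loaded, because the drop-in in the manifest replaces `ExecStart` and `ExecReload` with `nft -c`, which only checks the configuration. A comment above that `describe` block would stop a green run from being read as proof of active filtering, for example `# Unit runs 'nft -c' only: this proves the config parses, not that rules are loaded.` The two `file(...)` blocks check type only. Adding `it { is_expected.to be_owned_by 'root' }` to the `/etc/nftables/puppet.nft` and `/etc/nftables/puppet` blocks would catch a permissions regression on the rule files. The owner `root` is assumed here and should match what the module sets.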
spec/spec_helper_acceptance.rb | ||
---|---|---|
1 |
# This file is completely managed via modulesync |
|
2 |
require 'voxpupuli/acceptance/spec_helper_acceptance' |
|
3 |
|
|
4 |
configure_beaker |
|
5 |
|
|
6 |
Dir['./spec/support/acceptance/**/*.rb'].sort.each { |f| require f } |