diff --git a/roles/ceems_lb/defaults/main.yml b/roles/ceems_lb/defaults/main.yml
index 4912005..323da27 100644
--- a/roles/ceems_lb/defaults/main.yml
+++ b/roles/ceems_lb/defaults/main.yml
@@ -1,5 +1,5 @@
 ---
-ceems_lb_version: "0.1.0-rc.4"
+ceems_lb_version: "0.1.0-rc.5"
 ceems_lb_binary_local_dir: ""
 ceems_lb_binary_url: https://github.com/{{ _ceems_lb_repo }}/releases/download/v{{ ceems_lb_version }}/ceems-{{ ceems_lb_version }}.linux-{{ go_arch }}.tar.gz
 ceems_lb_checksums_url: https://github.com/{{ _ceems_lb_repo }}/releases/download/v{{ ceems_lb_version }}/sha256sums.txt
@@ -17,5 +17,5 @@ ceems_lb_db_path: ""
 ceems_lb_cli_args: []
 ceems_lb_env_vars: {}
 ceems_lb_binary_install_dir: /usr/local/bin
-ceems_lb_system_group: ceemslb
+ceems_lb_system_group: ceems
 ceems_lb_system_user: "{{ ceems_lb_system_group }}"
diff --git a/roles/ceems_lb/meta/argument_specs.yml b/roles/ceems_lb/meta/argument_specs.yml
index 25fa478..bf7322b 100644
--- a/roles/ceems_lb/meta/argument_specs.yml
+++ b/roles/ceems_lb/meta/argument_specs.yml
@@ -35,6 +35,7 @@ argument_specs:
 - Each element is a dict with url and skip_tls_verify keys.
 type: list
 elements: dict
+ required: true
 ceems_lb_strategy:
 description:
 - Load Balancer strategy.
@@ -67,7 +68,7 @@ argument_specs:
 ceems_lb_system_group:
 description:
 - I(Advanced)
- - System group for batch job stats server
+ - System group for CEEMS load balancer
 default: ceemslb
 ceems_lb_system_user:
 description:
diff --git a/roles/ceems_lb/molecule/alternative/molecule.yml b/roles/ceems_lb/molecule/alternative/molecule.yml
index 3a15474..dc34e38 100644
--- a/roles/ceems_lb/molecule/alternative/molecule.yml
+++ b/roles/ceems_lb/molecule/alternative/molecule.yml
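Review bot: `required: true` on `ceems_lb_backends` checks only that the list is present; with `elements: dict` and no `options` block in the visible lines, an entry that omits `url` or misspells `skip_tls_verify` still passes argument validation. Declaring the two keys under `options` lets validation reject such entries and type-checks the TLS flag as a boolean instead of accepting any string. The spec for `ceems_lb_backends` starts above the hunk, so if an `options` block already exists there this is moot.

```yaml
# … unchanged: ceems_lb_backends description …
elements: dict
required: true
options:
  url:
    description: Backend URL.
    type: str
    required: true
  skip_tls_verify:
    description: Skip TLS certificate verification for this backend.
    type: bool
```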
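Review bot: The `default: ceemslb` line directly under the reworded description is now stale, because this commit changes `ceems_lb_system_group` in `defaults/main.yml` to `ceems`. It should read `default: ceems`. The `ceems_lb_system_user` entry continues below the hunk and may carry the same leftover. An operator who sets file ownership or access rules from the documented name would otherwise grant them to an account the role no longer creates.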
@@ -3,21 +3,19 @@ provisioner:
 inventory:
 group_vars:
 all:
- ceems_api_server_web_listen_address: 127.0.0.1:8080
-
- ceems_api_server_tls_server_config:
- cert_file: /etc/ceems_api_server/tls.cert
- key_file: /etc/ceems_api_server/tls.key
- ceems_api_server_http_server_config:
+ ceems_lb_web_listen_address: 127.0.0.1:8080
+ ceems_lb_backends:
+ - url: http://localhost:9090
+ skip_tls_verify: true
+ ceems_lb_tls_server_config:
+ cert_file: /etc/ceems_lb/tls.cert
+ key_file: /etc/ceems_lb/tls.key
+ ceems_lb_http_server_config:
 http2: true
- ceems_api_server_basic_auth_users:
+ ceems_lb_basic_auth_users:
 randomuser: examplepassword
 go_arch: amd64
- ceems_api_server_data_backup_path: /tmp/ceems_api_server
- ceems_api_server_admin_users:
- - adm1
- - adm2
- ceems_api_server_cli_args:
- - --web.max.query.period=30d
- ceems_api_server_env_vars:
+ ceems_lb_cli_args:
+ - --log.level=debug
+ ceems_lb_env_vars:
 foo: bar
diff --git a/roles/ceems_lb/molecule/alternative/prepare.yml b/roles/ceems_lb/molecule/alternative/prepare.yml
index d37d730..4e065cf 100644
--- a/roles/ceems_lb/molecule/alternative/prepare.yml
+++ b/roles/ceems_lb/molecule/alternative/prepare.yml
@@ -27,9 +27,9 @@
 hosts: all
 any_errors_fatal: true
 tasks:
- - name: Create ceems_api_server cert dir
+ - name: Create ceems_lb cert dir
 ansible.builtin.file:
- path: "{{ ceems_api_server_tls_server_config.cert_file | dirname }}"
+ path: "{{ ceems_lb_tls_server_config.cert_file | dirname }}"
 state: directory
 owner: root
 group: root
@@ -42,6 +42,6 @@
 mode: "{{ item.mode | default('0644') }}"
 loop:
 - src: /tmp/tls.cert
- dest: "{{ ceems_api_server_tls_server_config.cert_file }}"
+ dest: "{{ ceems_lb_tls_server_config.cert_file }}"
 - src: /tmp/tls.key
- dest: "{{ ceems_api_server_tls_server_config.key_file }}"
+ dest: "{{ ceems_lb_tls_server_config.key_file }}"
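Review bot: `skip_tls_verify: true` is set on a backend whose URL is plain `http://localhost:9090`, where there is no certificate to verify, so the flag presumably has no effect and the scenario never exercises the verifying path. The same two lines are added in `molecule/default/molecule.yml` and `molecule/latest/molecule.yml`. Test inventories tend to be copied into real ones, so I would write `skip_tls_verify: false` in all three and keep the safe value as the one that gets copied.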
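Review bot: The `/tmp/tls.key` loop item carries no `mode`, so the `default('0644')` on the line above `loop:` leaves the private key world-readable at `ceems_lb_tls_server_config.key_file`. Give that item its own mode, for example `mode: "0640"`, with ownership that lets the service account read it; the task's owner and group are set above the hunk and are not visible here. This is only the molecule prepare step, but as written the role is never tested against a key file with restrictive permissions.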
diff --git a/roles/ceems_lb/molecule/alternative/tests/test_alternative.py b/roles/ceems_lb/molecule/alternative/tests/test_alternative.py
index 7eaf7d0..bc23e0f 100644
--- a/roles/ceems_lb/molecule/alternative/tests/test_alternative.py
+++ b/roles/ceems_lb/molecule/alternative/tests/test_alternative.py
@@ -10,8 +10,7 @@
 
 
 @pytest.mark.parametrize("dir", [
- "/var/lib/ceems_lb",
- "/tmp/ceems_lb"
+ "/etc/ceems_lb",
 ])
 def test_directories(host, dir):
 d = host.file(dir)
@@ -22,6 +21,7 @@ def test_directories(host, dir):
 @pytest.mark.parametrize("file", [
 "/etc/systemd/system/ceems_lb.service",
 "/etc/ceems_lb/config.yaml",
+ "/etc/ceems_lb/web-config.yaml",
 "/usr/local/bin/ceems_lb"
 ])
 def test_files(host, file):
@@ -45,10 +45,10 @@ def test_permissions_didnt_change(host, file):
 
 
 def test_user(host):
- assert host.group("ceemslb").exists
- assert "ceemslb" in host.user("ceemslb").groups
- assert host.user("ceemslb").shell == "/usr/sbin/nologin"
- assert host.user("ceemslb").home == "/"
+ assert host.group("ceems").exists
+ assert "ceems" in host.user("ceems").groups
+ assert host.user("ceems").shell == "/usr/sbin/nologin"
+ assert host.user("ceems").home == "/"
 
 
 def test_service(host):
@@ -72,7 +72,7 @@ def test_systemd_properties(host):
 
 
 @pytest.mark.parametrize("socket", [
- "tcp://127.0.0.1:9030",
+ "tcp://127.0.0.1:8080",
 ])
 def test_socket(host, socket):
 s = host.socket(socket)
diff --git a/roles/ceems_lb/molecule/default/molecule.yml b/roles/ceems_lb/molecule/default/molecule.yml
index e019629..1098d28 100644
--- a/roles/ceems_lb/molecule/default/molecule.yml
+++ b/roles/ceems_lb/molecule/default/molecule.yml
@@ -3,4 +3,7 @@ provisioner:
 inventory:
 group_vars:
 all:
- ceems_api_server_web_listen_address: 127.0.0.1:9020
+ ceems_lb_web_listen_address: 127.0.0.1:9030
+ ceems_lb_backends:
+ - url: http://localhost:9090
+ skip_tls_verify: true
diff --git a/roles/ceems_lb/molecule/default/tests/test_default.py b/roles/ceems_lb/molecule/default/tests/test_default.py
index ac9039d..f724dfd 100644
--- a/roles/ceems_lb/molecule/default/tests/test_default.py
+++ b/roles/ceems_lb/molecule/default/tests/test_default.py
@@ -10,7 +10,7 @@
 
 
 @pytest.mark.parametrize("dir", [
- "/var/lib/ceems_lb",
+ "/etc/ceems_lb",
 ])
 def test_directories(host, dir):
 d = host.file(dir)
@@ -44,10 +44,10 @@ def test_permissions_didnt_change(host, file):
 
 
 def test_user(host):
- assert host.group("ceemslb").exists
- assert "ceemslb" in host.user("ceemslb").groups
- assert host.user("ceemslb").shell == "/usr/sbin/nologin"
- assert host.user("ceemslb").home == "/"
+ assert host.group("ceems").exists
+ assert "ceems" in host.user("ceems").groups
+ assert host.user("ceems").shell == "/usr/sbin/nologin"
+ assert host.user("ceems").home == "/"
 
 
 def test_service(host):
diff --git a/roles/ceems_lb/molecule/latest/molecule.yml b/roles/ceems_lb/molecule/latest/molecule.yml
index 797c126..7f13112 100644
--- a/roles/ceems_lb/molecule/latest/molecule.yml
+++ b/roles/ceems_lb/molecule/latest/molecule.yml
@@ -3,4 +3,7 @@ provisioner:
 inventory:
 group_vars:
 all:
- ceems_api_server_version: latest
+ ceems_lb_version: latest
+ ceems_lb_backends:
+ - url: http://localhost:9090
+ skip_tls_verify: true
diff --git a/roles/ceems_lb/molecule/latest/tests/test_latest.py b/roles/ceems_lb/molecule/latest/tests/test_latest.py
index dc2c81a..f724dfd 100644
--- a/roles/ceems_lb/molecule/latest/tests/test_latest.py
+++ b/roles/ceems_lb/molecule/latest/tests/test_latest.py
@@ -10,7 +10,7 @@
 
 
 @pytest.mark.parametrize("dir", [
- "/var/lib/ceems_lb",
+ "/etc/ceems_lb",
 ])
 def test_directories(host, dir):
 d = host.file(dir)
@@ -29,14 +29,14 @@ def test_files(host, file):
 assert f.is_file
 
 
-@pytest.mark.parametrize("dir", [
+@pytest.mark.parametrize("file", [
 "/etc",
 "/root",
 "/usr",
 "/var"
 ])
-def test_permissions_didnt_change(host, dir):
- f = host.file(dir)
+def test_permissions_didnt_change(host, file):
+ f = host.file(file)
 assert f.exists
 assert f.is_directory
 assert f.user == "root"
@@ -44,10 +44,10 @@ def test_permissions_didnt_change(host, dir):
 
 
 def test_user(host):
- assert host.group("ceemslb").exists
- assert "ceemslb" in host.user("ceemslb").groups
- assert host.user("ceemslb").shell == "/usr/sbin/nologin"
- assert host.user("ceemslb").home == "/"
+ assert host.group("ceems").exists
+ assert "ceems" in host.user("ceems").groups
+ assert host.user("ceems").shell == "/usr/sbin/nologin"
+ assert host.user("ceems").home == "/"
 
 
 def test_service(host):
@@ -70,7 +70,7 @@ def test_protecthome_property(host):
 
 
 @pytest.mark.parametrize("socket", [
- "tcp://127.0.0.1:9030",
+ "tcp://127.0.0.1:9030"
 ])
 def test_socket(host, socket):
 s = host.socket(socket)
diff --git a/roles/ceems_lb/templates/ceems_lb.service.j2 b/roles/ceems_lb/templates/ceems_lb.service.j2
index 4427439..7da7ab7 100644
--- a/roles/ceems_lb/templates/ceems_lb.service.j2
+++ b/roles/ceems_lb/templates/ceems_lb.service.j2
@@ -23,20 +23,13 @@ Restart=always RestartSec=1 StartLimitInterval=0 -{% set ns = namespace(protect_home = 'yes', caps = ['CAP_SETUID', 'CAP_SETGID']) %} +{% set ns = namespace(protect_home = 'yes') %} {% for m in ansible_mounts if m.mount.startswith('/home') %} {% set ns.protect_home = 'read-only' %} {% endfor %} ProtectHome={{ ns.protect_home }} -ReadWritePaths={{ ceems_lb_data_path }} {{ ceems_lb_data_backup_path }} -WorkingDirectory={{ ceems_lb_data_path }} -{% if ns.caps %} -AmbientCapabilities={{ ns.caps | unique | join(' ') }} -CapabilityBoundingSet={{ ns.caps | unique | join(' ') }} -{% else %} NoNewPrivileges=yes -{% endif %} {% if ceems_lb_env_vars | length > 0 %} {% for k, v in ceems_lb_env_vars.items() %}
diff --git a/tests/integration/targets/molecule-ceems_lb-alternative/runme.sh b/tests/integration/targets/molecule-ceems_lb-alternative/runme.sh
new file mode 100755
index 0000000..d094c3e
--- /dev/null
+++ b/tests/integration/targets/molecule-ceems_lb-alternative/runme.sh
@@ -0,0 +1,4 @@
+#!/usr/bin/env bash
+
+collection_root=$(pwd | grep -oP ".+\/ansible_collections\/\w+?\/\w+")
+source "$collection_root/tests/integration/molecule.sh"
diff --git a/tests/integration/targets/molecule-ceems_lb-default/runme.sh b/tests/integration/targets/molecule-ceems_lb-default/runme.sh
new file mode 100755
index 0000000..d094c3e
--- /dev/null
+++ b/tests/integration/targets/molecule-ceems_lb-default/runme.sh
@@ -0,0 +1,4 @@
+#!/usr/bin/env bash
+
+collection_root=$(pwd | grep -oP ".+\/ansible_collections\/\w+?\/\w+")
+source "$collection_root/tests/integration/molecule.sh"
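Review bot: With the `{% if ns.caps %}` block removed, the visible part of the unit no longer sets `CapabilityBoundingSet` or `AmbientCapabilities` at all, so the bounding set falls back to systemd's default of every capability rather than to none. Making `NoNewPrivileges=yes` unconditional is the right direction, and since the service evidently no longer needs `CAP_SETUID`/`CAP_SETGID` I would say so explicitly next to it with `CapabilityBoundingSet=` and `AmbientCapabilities=` (an empty value clears the set). The unit starts above the hunk, so `User=` and any `ProtectSystem=` line are not visible here. Dropping `ReadWritePaths=` is only safe if the load balancer writes nothing under a path those settings protect.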
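Review bot: Nothing checks that `grep -oP` matched: run from a directory outside `ansible_collections/<namespace>/<name>`, `collection_root` is empty and `source` resolves to `/tests/integration/molecule.sh` at the filesystem root. Add `set -euo pipefail` after the shebang, or guard the path with `[[ -n "$collection_root" ]] || { echo "not inside ansible_collections" >&2; exit 1; }` before the `source` line. The identical `molecule-ceems_lb-default/runme.sh` added in the next file needs the same change.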