chore: adding sanity testing to CI + resolving error checks

.github/workflows/ansible-test.yml

@@ -0,0 +1,16 @@
+name: Run ansible-test
+on:
+  push:
+  pull_request:
+
+jobs:
+  sanity-test:
+    runs-on: ubuntu-latest
+    steps:
+        - name: Perform testing
+          uses: ansible-community/ansible-test-gh-action@release/v1
+          with:
+            testing-type: sanity
+            python-version: 3.11
+            ansible-core-version: stable-2.14
+

README.md

@@ -157,9 +157,11 @@ If the signature verification did not result in an error, the deployment of RHTA
 
 ## Contributing
 
-### Linting
+### Testing locally
 
-This repository contains GitHub actions that will test PRs that come in with `ansible-lint`. To run `ansible-lint` locally:
+This repository contains GitHub actions that will test PRs that come in with `ansible-lint` and `sanity-test` to enforce good code quality and practices. 
+
+To run `ansible-lint` locally:
 
 ```shell
 python3 -m venv venv
@@ -168,6 +170,23 @@ pip install -r requirements-testing.txt
 ansible-lint
 ```
 
+To run `sanity-test` locally:
+
+The `ansible-test` command relies on a specific directory structure for collections to function correctly. This structure follows the format:
+
+`{...}/ansible_collections/{namespace}/{collection}/`
+
+To enable testing, make sure your local machine adheres to this format, which you can achieve by copying, symlinking, moving or cloning a repo into this structure.
+`namespace` and `collection` names are not critical, as long as the overall format is kept, and no illegal characters are used such as `-`.
+The `collection` refers to the current repository `artifact-signer-ansible`, while the namespace can be anything you want.
+
+A valid path for our collection would be:
+`{...}/ansible_collections/redhat/artifact_signer_ansible/`
+
+When this is achieved, you can run sanity checks by executing
+
+`ansible-test sanity`
+
 ### Testing Deployment on a VM
 
 The [vm-testing/README.md](vm-testing/README.md) file contains instructions on testing the deployment on a VM. Right now, only OpenStack is supported as testing VM provisioner.

roles/tas_single_node/templates/manifests/ctlog/ctlog.yaml

@@ -20,7 +20,7 @@ spec:
     spec:
       containers:
         - name: ctlog
-          image: {{ tas_single_node_ct_server_image }}
+          image: "{{ tas_single_node_ct_server_image }}"
           imagePullPolicy: IfNotPresent
           livelinessProbe:
             failureThreshold: 3

roles/tas_single_node/templates/manifests/fulcio/fulcio-server.yaml

@@ -33,12 +33,12 @@ spec:
             - --fileca-cert
             - /var/run/fulcio-secrets/cert.pem
             - --fileca-key-passwd
-            - {{ tas_single_node_fulcio_ca_passphrase  }}
-            - --ct-log-url=http://ctlog-pod:6962/{{ tas_single_node_ct_logprefix }}
+            - "{{ tas_single_node_fulcio_ca_passphrase }}"
+            - --ct-log-url="http://ctlog-pod:6962/{{ tas_single_node_ct_logprefix }}"
           env:
             - name: SSL_CERT_DIR
               value: /certs
-          image: {{ tas_single_node_fulcio_server_image }}
+          image: "{{ tas_single_node_fulcio_server_image }}"
           imagePullPolicy: IfNotPresent
           ports:
             - containerPort: 5555

roles/tas_single_node/templates/manifests/nginx/nginx.yaml

@@ -18,7 +18,7 @@ spec:
       containers:
         - name: nginx
           # 1.20
-          image: {{ tas_single_node_nginx_image }}
+          image: "{{ tas_single_node_nginx_image }}"
           args:
             - nginx
             - -g
@@ -48,4 +48,4 @@ spec:
         - name: nginx-config
           configMap:
             defaultMode: 420
-            name: nginx-config
+            name: nginx-config

roles/tas_single_node/templates/manifests/rekor/redis-server.yaml

@@ -32,7 +32,7 @@ spec:
             - 0.0.0.0
             - --appendonly
             - "yes"
-          image: {{ tas_single_node_redis_image }}
+          image: "{{ tas_single_node_redis_image }}"
           imagePullPolicy: IfNotPresent
           ports:
             - containerPort: 6379

roles/tas_single_node/templates/manifests/rekor/rekor-server.yaml

@@ -48,7 +48,7 @@ spec:
             - --trillian_log_server.tlog_id={{ trillian_tree_id }}
             - --enable_attestation_storage
             - --attestation_storage_bucket=file:///var/run/attestations
-          image: {{ tas_single_node_rekor_image }}
+          image: "{{ tas_single_node_rekor_image }}"
           imagePullPolicy: IfNotPresent
           ports:
             - containerPort: 3000
@@ -72,4 +72,3 @@ spec:
         - name: storage
           persistentVolumeClaim:
             claimName: rekor-server
-

roles/tas_single_node/templates/manifests/trillian/trillian-logserver.yaml

@@ -23,7 +23,7 @@ spec:
     spec:
       containers:
         - name: trillian-trillian-logserver
-          image: {{ tas_single_node_trillian_log_server_image }}
+          image: "{{ tas_single_node_trillian_log_server_image }}"
           imagePullPolicy: IfNotPresent
           args:
             - --storage_system=mysql
@@ -49,9 +49,9 @@ spec:
                   key: mysql-database
                   name: trillian-mysql
             - name: MYSQL_HOSTNAME
-              value: {{ tas_single_node_trillian.mysql.host }}
+              value: "{{ tas_single_node_trillian.mysql.host }}"
             - name: MYSQL_PORT
-              value: "{{ tas_single_node_trillian.mysql.port | quote }})"
+              value: "{{ tas_single_node_trillian.mysql.port | quote }}"
           ports:
             - containerPort: 8091
               protocol: TCP
@@ -62,7 +62,7 @@ spec:
           terminationMessagePolicy: File
       initContainers:
         - name: wait-for-trillian-db
-          image: {{ tas_single_node_netcat_image }}
+          image: "{{ tas_single_node_netcat_image }}"
           imagePullPolicy: IfNotPresent
           command: ["sh", "-c", "until nc -z -w 10 trillian-mysql-pod 3306; do echo waiting for trillian-mysql; sleep 5; done;"]
           resources: {}

roles/tas_single_node/templates/manifests/trillian/trillian-logsigner.yaml

@@ -26,15 +26,15 @@ spec:
     spec:
       initContainers:
         - name: wait-for-trillian-db
-          image: {{ tas_single_node_netcat_image}}
+          image: "{{ tas_single_node_netcat_image}}"
           imagePullPolicy: IfNotPresent
           command: ["sh", "-c", "until nc -z -w 10 trillian-mysql-pod 3306; do echo waiting for trillian-mysql-pod; sleep 5; done;"]
           resources: {}
           terminationMessagePath: /dev/termination-log
           terminationMessagePolicy: File
       containers:
         - name: trillian-trillian-logsigner
-          image: {{ tas_single_node_trillian_logsigner_image }}
+          image: "{{ tas_single_node_trillian_logsigner_image }}"
           imagePullPolicy: IfNotPresent
           ports:
             - containerPort: 8191
@@ -64,7 +64,7 @@ spec:
                   key: mysql-database
                   name: trillian-mysql
             - name: MYSQL_HOSTNAME
-              value: {{ tas_single_node_trillian.mysql.host }}
+              value: "{{ tas_single_node_trillian.mysql.host }}"
             - name: MYSQL_PORT
               value: "{{ tas_single_node_trillian.mysql.port | quote }})"
           resources: {}

roles/tas_single_node/templates/manifests/trillian/trillian-mysql.yaml

@@ -26,7 +26,7 @@ spec:
     spec:
       containers:
         - name: trillian-mysql
-          image: {{ tas_single_node_trillian_db_image }}
+          image: "{{ tas_single_node_trillian_db_image }}"
           imagePullPolicy: IfNotPresent
           ports:
             - containerPort: 3306

roles/tas_single_node/templates/manifests/tuf/tuf.yaml

@@ -26,7 +26,7 @@ spec:
     spec:
       containers:
         - name: tuf
-          image: {{ tas_single_node_tuf_image }}
+          image: "{{ tas_single_node_tuf_image }}"
           imagePullPolicy: IfNotPresent
           ports:
             - containerPort: 8082

vm-testing/destroy.sh

@@ -1,11 +1,11 @@
-#!/bin/bash
+#!/usr/bin/env bash
 
 if [ -z "$1" ]; then
   echo "Please provide a cloud provider to use - currently only openstack is available"
   exit 1
 fi
 
-cd $1
+cd "$1"
 tofu destroy -var-file=terraform.tfvars
 
 cat << EOF

vm-testing/provision.sh

@@ -1,24 +1,23 @@
-#!/bin/bash
+#!/usr/bin/env bash
 
 if [ -z "$1" ]; then
   echo "Please provide a cloud provider to use - currently only openstack is available"
   exit 1
 fi
 
-cd $1
+cd "$1"
 tofu init
 tofu apply -var-file=terraform.tfvars
 
 if [ "$1" == "openstack" ]; then
-  ip_address=$(tofu state show openstack_compute_instance_v2.ansible-test[0] | grep access_ip_v4 | awk '{print $3}' | tr -d '"')
+  ip_address="$(tofu state show openstack_compute_instance_v2.ansible-test[0] | grep access_ip_v4 | awk '{print $3}' | tr -d '"')"
   vm_username=cloud-user
 else
   echo "Only openstack provider is currently supported"
   exit 1
 fi
 
-cd ..
-sed -e "s/REMOTE_IP_ADDRESS/$ip_address/" -e "s/ANSIBLE_USER/$vm_username/" inventory-sample > inventory
+(sed -e "s/REMOTE_IP_ADDRESS/$ip_address/" -e "s/ANSIBLE_USER/$vm_username/" inventory-sample > inventory)
 
 cat << EOF
 Please add the following lines to your /etc/hosts:

vm-testing/test.sh

@@ -1,4 +1,5 @@
-#!/bin/bash -e
+#!/usr/bin/env bash
+set -e
 
 podman build test/ -f test/Containerfile -t fedora-cosign:latest
 
@@ -19,19 +20,19 @@ password=${password}
 
 EOF
 
-if  [ -z "${base_hostname}" -o -z "${ip_address}" -o -z "${oidc_url}" -o -z "${username}" -o -z "${password}" ]; then
+if  [ -z "${base_hostname}" ] || [ -z "${ip_address}" ] || [ -z "${oidc_url}" ] || [ -z "${username}" ] || [ -z "${password}" ]; then
   echo "Couldn't extract some testing parameters, see above and fix."
   exit 1
 fi
 
 podman run \
-  -v $(pwd)/test:/mnt:z \
+  -v "$(pwd)"/test:/mnt:z \
   -ti --rm \
-  --add-host fulcio.${base_hostname}:${ip_address} \
-  --add-host rekor.${base_hostname}:${ip_address} \
-  --add-host tuf.${base_hostname}:${ip_address} \
-  -e BASE_HOSTNAME=${base_hostname} \
-  -e USERNAME=${username} \
-  -e PASSWORD=${password} \
-  -e KEYCLOAK_URL=${oidc_url} \
+  --add-host fulcio."${base_hostname}":"${ip_address}" \
+  --add-host rekor."${base_hostname}":"${ip_address}" \
+  --add-host tuf."${base_hostname}":"${ip_address}" \
+  -e BASE_HOSTNAME="${base_hostname}" \
+  -e USERNAME="${username}" \
+  -e PASSWORD="${password}" \
+  -e KEYCLOAK_URL="${oidc_url}" \
   fedora-cosign:latest /bin/bash /mnt/test-sign-blob.sh

vm-testing/test/test-sign-blob.sh

@@ -1,13 +1,15 @@
-#!/bin/bash -ex
+#!/usr/bin/env bash
+set -ex
+
 # NOTE: this script requires BASE_HOSTNAME and KEYCLOAK_URL to be set
 
 # extract the root certificate and make it trusted
-openssl s_client -showcerts -connect rekor.${BASE_HOSTNAME}:443 < /dev/null | awk '/BEGIN CERTIFICATE/,/END CERTIFICATE/{ if(/BEGIN CERTIFICATE/){a++}; out="cert"a".pem"; print >out}'
+openssl s_client -showcerts -connect rekor."${BASE_HOSTNAME}":443 < /dev/null | awk '/BEGIN CERTIFICATE/,/END CERTIFICATE/{ if(/BEGIN CERTIFICATE/){a++}; out="cert"a".pem"; print >out}'
 for cert in *.pem; do
-  newname=$(openssl x509 -noout -subject -in $cert | sed -nE 's/.*CN ?= ?(.*)/\1/; s/[ ,.*]/_/g; s/__/_/g; s/_-_/-/; s/^_//g;p' | tr '[:upper:]' '[:lower:]').pem
+  newname="$(openssl x509 -noout -subject -in "$cert" | sed -nE 's/.*CN ?= ?(.*)/\1/; s/[ ,.*]/_/g; s/__/_/g; s/_-_/-/; s/^_//g;p' | tr '[:upper:]' '[:lower:]')".pem
   echo "${newname}"; mv "${cert}" "${newname}" 
 done
-cp ${BASE_HOSTNAME}.pem /etc/pki/ca-trust/source/anchors/
+cp "${BASE_HOSTNAME}".pem /etc/pki/ca-trust/source/anchors/
 update-ca-trust
 
 # set up cosign env
@@ -27,12 +29,13 @@ export SIGSTORE_OIDC_ISSUER=$COSIGN_OIDC_ISSUER
 export SIGSTORE_REKOR_URL=$COSIGN_REKOR_URL
 export REKOR_REKOR_SERVER=$COSIGN_REKOR_URL
 
-export TOKEN=$(curl -X POST -H "Content-Type: application/x-www-form-urlencoded" -d "username=${USERNAME}" -d "password=${PASSWORD}" -d "grant_type=password" -d "scope=openid" -d "client_id=${KEYCLOAK_REALM}" ${OIDC_ISSUER_URL}/protocol/openid-connect/token |  sed -E 's/.*"access_token":"([^"]*).*/\1/')
+TOKEN="$(curl -X POST -H "Content-Type: application/x-www-form-urlencoded" -d "username=${USERNAME}" -d "password=${PASSWORD}" -d "grant_type=password" -d "scope=openid" -d "client_id=${KEYCLOAK_REALM}" "${OIDC_ISSUER_URL}"/protocol/openid-connect/token |  sed -E 's/.*"access_token":"([^"]*).*/\1/')"
+export TOKEN
 
 env
 cosign initialize
 
 echo "testing" > to-sign
 
-cosign --verbose sign-blob to-sign --bundle signed.bundle --identity-token=${TOKEN}
-cosign verify-blob --certificate-identity=${USERNAME}@redhat.com --bundle signed.bundle to-sign
+cosign --verbose sign-blob to-sign --bundle signed.bundle --identity-token="${TOKEN}"
+cosign verify-blob --certificate-identity="${USERNAME}"@redhat.com --bundle signed.bundle to-sign