Merge pull request #721 from kabir/kabirplay

Initial scripts for QS testing on OpenShift CI

.ci/openshift-ci/build-root/Dockerfile

@@ -0,0 +1,46 @@
+# Use the centos image as the base image
+FROM quay.io/centos/centos:stream8
+
+# Install additional tooling, see https://github.com/openshift/release/blob/master/clusters/app.ci/supplemental-ci-images/ci-tools-build-root.yaml#L338
+RUN INSTALL_PKGS="git java-17-openjdk.x86_64 httpd-tools jq" && \
+    dnf install -y $INSTALL_PKGS && \
+    rpm -V $INSTALL_PKGS && \
+    dnf clean all && \
+    touch /os-build-image
+
+# Downloading and installing Maven
+ARG MAVEN_VERSION=3.8.8
+ARG BASE_URL=https://apache.osuosl.org/maven/maven-3/${MAVEN_VERSION}/binaries
+
+RUN mkdir -p /usr/share/maven /usr/share/maven/ref \
+  && echo "Downlaoding maven" \
+  && curl -fsSL -o /tmp/apache-maven.tar.gz ${BASE_URL}/apache-maven-${MAVEN_VERSION}-bin.tar.gz \
+  \
+  && echo "Unziping maven" \
+  && tar -xzf /tmp/apache-maven.tar.gz -C /usr/share/maven --strip-components=1 \
+  \
+  && echo "Cleaning and setting links" \
+  && rm -f /tmp/apache-maven.tar.gz \
+  && ln -s /usr/share/maven/bin/mvn /usr/bin/mvn
+
+ENV MAVEN_HOME /usr/share/maven
+ENV MAVEN_CONFIG "$USER_HOME_DIR/.m2"
+
+# Env vars to downloading and install the OpenShift + Helm CLIs.
+ENV OC_PKG=https://mirror.openshift.com/pub/openshift-v4/clients/ocp/latest-4.12/openshift-client-linux.tar.gz \
+      OC_HOME=/usr/oc/oc-4.1.2 \
+      HELM_PKG=https://get.helm.sh/helm-v3.12.3-linux-amd64.tar.gz \
+      HELM_HOME=/usr/helm/helm-3.12.3
+
+RUN set -eux; \
+      # Install oc CLI
+      curl -L --output /tmp/oc.tgz "$OC_PKG"; \
+      mkdir -p "$OC_HOME"; \
+      tar --extract --file /tmp/oc.tgz --directory "$OC_HOME"; \
+      ln -s "$OC_HOME"/oc /usr/bin/oc; \
+      curl -L --output /tmp/helm.tgz "$HELM_PKG"; \
+      # Install helm CLI
+      mkdir -p "$HELM_HOME"; \
+      tar --extract --file /tmp/helm.tgz --directory "$HELM_HOME"; \
+      ls -alR "$HELM_HOME"; \
+      ln -s "$HELM_HOME"/linux-amd64/helm /usr/bin/helm;

.ci/openshift-ci/build-root/e2e-test.sh

@@ -0,0 +1,90 @@
+#!/bin/bash
+
+#!/usr/bin/env bash
+# exit immediately when a command fails
+set -e
+# avoid exiting with non-zero if any of the pipeline commands fail because we need retries for oc login
+#set -o pipefail
+# error on unset variables
+set -u
+# print each command before executing it
+set -x
+
+whoami
+printenv KUBECONFIG
+printenv KUBEADMIN_PASSWORD_FILE
+
+oc get node
+oc config view
+
+export TEST_CLUSTER_URL=$(oc whoami --show-server)
+
+export SYSADMIN_USERNAME=kubeadmin
+export SYSADMIN_PASSWORD=$(cat "${KUBEADMIN_PASSWORD_FILE}")
+
+# note that for some reason it takes a few minutes for this to be loaded by OCP and authentication start working
+export TEST_ADMIN_USERNAME=tadmin
+export TEST_ADMIN_PASSWORD=adminpwd
+export TEST_USER_USERNAME=tuser
+export TEST_USER_PASSWORD=userpwd
+export HTPASSWD_FILE=users.htpasswd
+
+htpasswd -c -B -b $HTPASSWD_FILE $TEST_ADMIN_USERNAME $TEST_ADMIN_PASSWORD
+htpasswd -b $HTPASSWD_FILE $TEST_USER_USERNAME $TEST_USER_PASSWORD
+
+cat $HTPASSWD_FILE
+
+oc create secret generic htpass-secret --from-file=htpasswd=$HTPASSWD_FILE -n openshift-config
+oc patch OAuth cluster -p '{"spec": {"identityProviders": [{"htpasswd": {"fileData": {"name": "htpass-secret"}},"mappingMethod": "claim","name": "my_htpasswd_provider","type": "HTPasswd"}]}}' --type=merge
+
+# wait until authentication operator updates auth
+sleep 45 # wait until operator notices changes
+counter=0
+while [ "$(oc get clusteroperator authentication -o custom-columns=STATUS:.status.conditions[1].status | tail -1)" == "True" ]; do
+  sleep 5
+  echo Waiting for authentication operator to finish processing
+  ((counter=counter+1))
+  if [ "$counter" == "200" ]; then
+    echo "Timeout waiting for authentication operator."
+    exit 1
+  fi
+done
+
+counter=0
+until [[ "$(oc login --insecure-skip-tls-verify ${TEST_CLUSTER_URL} -u ${TEST_ADMIN_USERNAME} -p ${TEST_ADMIN_PASSWORD})" =~ "Login successful" ]] || [[ counter++ -ge 80 ]]
+do
+  sleep 5
+done
+export ADMIN_TOKEN=$(oc whoami -t)
+
+counter=0
+until [[ "$(oc login --insecure-skip-tls-verify ${TEST_CLUSTER_URL} -u ${TEST_USER_USERNAME} -p ${TEST_USER_PASSWORD})" =~ "Login successful" ]] || [[ counter++ -ge 80 ]]
+do
+  sleep 5
+done
+export USER_TOKEN=$(oc whoami -t)
+
+oc login --insecure-skip-tls-verify "${TEST_CLUSTER_URL}" -u ${SYSADMIN_USERNAME} -p "${SYSADMIN_PASSWORD}"
+oc adm policy add-cluster-role-to-user cluster-admin ${TEST_ADMIN_USERNAME}
+# We need to do this since InfinispanOperatorProvisionerTest would fail unless the master account is made
+# cluster-admin as well, see https://github.com/Intersmash/intersmash/issues/48
+oc adm policy add-cluster-role-to-user cluster-admin ${TEST_USER_USERNAME}
+
+export TEST_NAMESPACE=quickstart-com
+
+mkdir .local-maven-repository
+export QS_MAVEN_REPOSITORY="-Dmaven.repo.local=$(pwd)/.local-maven-repository"
+export QS_UNSIGNED_SERVER_CERT="1"
+# export QS_HELM_INSTALL_TIMEOUT="20m0s"
+
+helm repo add wildfly https://docs.wildfly.org/wildfly-charts/
+helm repo update
+
+echo "===== Environment:"
+env
+echo "=================="
+
+echo "Calling script runner....."
+
+# Script path is relative to checkout folder
+.ci/openshift-ci/build-root/scripts/openshift-test-runner.sh

.ci/openshift-ci/build-root/scripts/InstallCert/InstallCert.java

@@ -0,0 +1,252 @@
+/*
+ * Copyright 2006 Sun Microsystems, Inc.  All Rights Reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ *   - Redistributions of source code must retain the above copyright
+ *     notice, this list of conditions and the following disclaimer.
+ *
+ *   - Redistributions in binary form must reproduce the above copyright
+ *     notice, this list of conditions and the following disclaimer in the
+ *     documentation and/or other materials provided with the distribution.
+ *
+ *   - Neither the name of Sun Microsystems nor the names of its
+ *     contributors may be used to endorse or promote products derived
+ *     from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
+ * IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
+ * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR
+ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+ * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+ * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+/**
+ * Originally from:
+ * http://blogs.sun.com/andreas/resource/InstallCert.java
+ * Use:
+ * java InstallCert hostname
+ * Example:
+ *% java InstallCert ecc.fedora.redhat.com
+ */
+
+import java.net.Proxy;
+import java.net.Socket;
+import java.net.InetSocketAddress;
+import javax.net.ssl.*;
+import java.io.*;
+import java.security.KeyStore;
+import java.security.MessageDigest;
+import java.security.cert.CertificateException;
+import java.security.cert.X509Certificate;
+
+/**
+ * Class used to add the server's certificate to the KeyStore
+ * with your trusted certificates.
+ */
+public class InstallCert {
+
+    public static void main(String[] args) throws Exception {
+
+        String host       = null;
+        int    port       = -1;
+        char[] passphrase = null;
+
+        // proxy
+        boolean           useProxy   = false;
+        String            proxyHost  = null;
+        int               proxyPort  = -1;
+        InetSocketAddress proxyAddr  = null;
+        Socket            underlying = null;
+
+        int numArg = 0;
+        int nbArgs = args.length;
+        boolean invalidArgs = false;
+        boolean isQuiet = false;
+        while (numArg < nbArgs) {
+            String arg = args[numArg++];
+            if (arg.startsWith("--proxy=")) {
+                String proxy = arg.substring("--proxy=".length());
+                useProxy = true;
+                String[] c = proxy.split(":");
+                proxyHost = c[0];
+                proxyPort = Integer.parseInt(c[1]);  // proxy port is mandatory (we don't default to 8080)
+            }
+            else if (arg.startsWith("--quiet")) {
+                isQuiet = true;
+            }
+            else if (host == null) {  // 1st argument is the "host:port"
+                String[] c = arg.split(":");
+                host = c[0];
+                port = (c.length == 1) ? 443 : Integer.parseInt(c[1]);
+            }
+            else if (passphrase == null) {  //  2nd argument is the keystore passphrase
+                passphrase = arg.toCharArray();
+            }
+            else {
+                invalidArgs = true;  // too many args
+            }
+        }
+
+        if (host == null) {
+            invalidArgs = true;
+        }
+
+        if (invalidArgs) {
+            System.out.println("Usage: java InstallCert [--proxy=proxyHost:proxyPort] host[:port] [passphrase] [--quiet]");
+            return;
+        }
+
+        // default values
+        if (port       == -1  ) { port       = 443; }
+        if (passphrase == null) { passphrase = "changeit".toCharArray(); }
+
+        File file = new File("jssecacerts");
+        if (file.isFile() == false) {
+            char SEP = File.separatorChar;
+            File dir = new File(System.getProperty("java.home") + SEP + "lib" + SEP + "security");
+            file = new File(dir, "jssecacerts");
+            if (file.isFile() == false) {
+                file = new File(dir, "cacerts");
+            }
+        }
+        System.out.println("Loading KeyStore " + file + "...");
+        InputStream in = new FileInputStream(file);
+        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
+        ks.load(in, passphrase);
+        in.close();
+
+        if (useProxy) {
+            proxyAddr = new InetSocketAddress(proxyHost, proxyPort);
+            underlying = new Socket(new Proxy(Proxy.Type.HTTP, proxyAddr));
+        }
+
+        SSLContext context = SSLContext.getInstance("TLS");
+        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
+        tmf.init(ks);
+        X509TrustManager defaultTrustManager = (X509TrustManager) tmf.getTrustManagers()[0];
+        SavingTrustManager tm = new SavingTrustManager(defaultTrustManager);
+        context.init(null, new TrustManager[]{tm}, null);
+        SSLSocketFactory factory = context.getSocketFactory();
+
+        System.out.println("Opening connection to " + host + ":" + port + (useProxy ? (" via proxy "+proxyHost+":"+proxyPort) : "") + " ...");
+        SSLSocket socket;
+        if (useProxy) {
+            underlying.connect(new InetSocketAddress(host, port));
+            socket = (SSLSocket) factory.createSocket(underlying, host, port, true);
+        } else {
+            socket = (SSLSocket) factory.createSocket(host, port);
+        }
+        socket.setSoTimeout(10000);
+        try {
+            System.out.println("Starting SSL handshake...");
+            socket.startHandshake();
+            socket.close();
+            System.out.println();
+            System.out.println("No errors, certificate is already trusted");
+        } catch (SSLException e) {
+            System.out.println();
+            e.printStackTrace(System.out);
+        }
+
+        X509Certificate[] chain = tm.chain;
+        if (chain == null) {
+            System.out.println("Could not obtain server certificate chain");
+            return;
+        }
+
+        BufferedReader reader = new BufferedReader(new InputStreamReader(System.in));
+
+        System.out.println();
+        System.out.println("Server sent " + chain.length + " certificate(s):");
+        System.out.println();
+        MessageDigest sha1 = MessageDigest.getInstance("SHA1");
+        MessageDigest md5 = MessageDigest.getInstance("MD5");
+        for (int i = 0; i < chain.length; i++) {
+            X509Certificate cert = chain[i];
+            System.out.println(" " + (i + 1) + " Subject " + cert.getSubjectDN());
+            System.out.println("   Issuer  " + cert.getIssuerDN());
+            sha1.update(cert.getEncoded());
+            System.out.println("   sha1    " + toHexString(sha1.digest()));
+            md5.update(cert.getEncoded());
+            System.out.println("   md5     " + toHexString(md5.digest()));
+            System.out.println();
+        }
+
+        int k;
+        if (isQuiet) {
+            System.out.println("Adding first certificate to trusted keystore");
+            k = 0;
+        }
+        else {
+            System.out.println("Enter certificate to add to trusted keystore or 'q' to quit: [1]");
+            String line = reader.readLine().trim();
+            try {
+                k = (line.length() == 0) ? 0 : Integer.parseInt(line) - 1;
+            } catch (NumberFormatException e) {
+                System.out.println("KeyStore not changed");
+                return;
+            }
+        }
+
+        X509Certificate cert = chain[k];
+        String alias = host + "-" + (k + 1);
+        ks.setCertificateEntry(alias, cert);
+
+        OutputStream out = new FileOutputStream("jssecacerts");
+        ks.store(out, passphrase);
+        out.close();
+
+        System.out.println();
+        System.out.println(cert);
+        System.out.println();
+        System.out.println("Added certificate to keystore 'jssecacerts' using alias '" + alias + "'");
+    }
+
+    private static final char[] HEXDIGITS = "0123456789abcdef".toCharArray();
+
+    private static String toHexString(byte[] bytes) {
+        StringBuilder sb = new StringBuilder(bytes.length * 3);
+        for (int b : bytes) {
+            b &= 0xff;
+            sb.append(HEXDIGITS[b >> 4]);
+            sb.append(HEXDIGITS[b & 15]);
+            sb.append(' ');
+        }
+        return sb.toString();
+    }
+
+    private static class SavingTrustManager implements X509TrustManager {
+
+        private final X509TrustManager tm;
+        private X509Certificate[] chain;
+
+        SavingTrustManager(X509TrustManager tm) {
+            this.tm = tm;
+        }
+
+        public X509Certificate[] getAcceptedIssuers() {
+            // This change has been done due to the following resolution advised for Java 1.7+
+            // http://infposs.blogspot.kr/2013/06/installcert-and-java-7.html
+            return new X509Certificate[0];
+            //throw new UnsupportedOperationException();
+        }
+
+        public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
+            throw new UnsupportedOperationException();
+        }
+
+        public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
+            this.chain = chain;
+            tm.checkServerTrusted(chain, authType);
+        }
+    }
+
+}