@blizzz (Member) commented Apr 5, 2023

Resolves #688 and should make it easier to maintain

Far from ready, contains temporary code (e.g. concurring drone.yml and MSGH Action)

TODOs in the commit message while in draft

@blizzz blizzz force-pushed the tebt/noid/split-ci branch 22 times, most recently from 1e70ec0 to c99f80d (April 13, 2023 18:18)
@blizzz blizzz force-pushed the tebt/noid/split-ci branch 5 times, most recently from de2b031 to c902aea (April 21, 2023 17:30)
@blizzz (Member, Author) commented Apr 21, 2023

Progress! Env tests passing!

@blizzz blizzz self-assigned this May 15, 2023
@blizzz blizzz force-pushed the tebt/noid/split-ci branch 3 times, most recently from 974dc76 to 6da38f8 (September 11, 2023 16:34)
@SystemKeeper commented
Posting here, but some of this info is also related to nextcloud/docker-ci#535

  • Host is wrong in attribute-filter.xml, should be <PolicyRequirementRule xsi:type="Requester" value="http://localhost:8080/index.php/apps/user_saml/saml/metadata" /> (port is missing)
  • Comment out all imports in /opt/shibboleth-idp/conf/attributes/default-rules.xml, otherwise we will see duplicated attributes (which is a result of using v3 files in v4, see https://shibboleth.atlassian.net/wiki/spaces/IDP4/pages/1265631499/ReleaseNotes#Attribute-Related-Changes for details). Alternatively, look at how the new AttributeRegistry works...
  • In nextcloud.xml we are also missing the port in <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:8080/index.php/apps/user_saml/saml/acs" index="1"/>
  • /opt/shibboleth-idp/conf/oidc-credentials.xml needs to exist and should look like:
```xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans" xmlns:context="http://www.springframework.org/schema/context" xmlns:util="http://www.springframework.org/schema/util" xmlns:p="http://www.springframework.org/schema/p" xmlns:c="http://www.springframework.org/schema/c" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd" default-init-method="initialize" default-destroy-method="destroy">
  <!-- This file contains default oidc signing credentials. This file should be imported to credentials.xml -->
  <!-- The list of ALL of your OP's ID Token / UserInfo response signing credentials for the default security configuration.
        If you define additional signing credentials, for example for new supported signing algorithms, make sure to include them
        within this list. -->
  <bean class="net.shibboleth.idp.profile.spring.factory.BasicX509CredentialFactoryBean" id="shibboleth.oidc.PEMSigningCredential" p:certificateResource="%{idp.signing.cert}" p:entityId-ref="issuer" p:keyNames="Signing" p:privateKeyResource="%{idp.signing.key}"/>
  <bean class="net.shibboleth.idp.profile.spring.factory.BasicX509CredentialFactoryBean" id="shibboleth.oidc.PEMEncryptionCredential" p:certificateResource="%{idp.encryption.cert}" p:entityId-ref="issuer" p:keyNames="Encryption" p:privateKeyResource="%{idp.encryption.key}"/>
  <util:list id="shibboleth.oidc.SigningCredentials">
    <ref bean="shibboleth.oidc.PEMSigningCredential"/>
  </util:list>
  <!-- The list of ALL of your OP's Request Object decryption credentials for the default security configuration. If you
        define additional decryption credentials, for example to support new algorithm, make sure to include them within
        this list. -->
  <util:list id="shibboleth.oidc.EncryptionCredentials">
    <ref bean="shibboleth.oidc.PEMEncryptionCredential"/>
  </util:list>
  <!-- If you need to publish key set different from shibboleth.oidc.EncryptionCredentials, define a list named as shibboleth.oidc.EncryptionCredentialsToPublish -->
  <alias name="shibboleth.oidc.EncryptionCredentials" alias="shibboleth.oidc.EncryptionCredentialsToPublish"/>
  <!--
    Example of case having two active encryption credentials but then stop publishing the second before removing it from active configuration.
    <util:list id="shibboleth.oidc.EncryptionCredentialsToPublish">
        <ref bean="shibboleth.oidc.OnlyNewDefaultRSAEncryptionCredential" />
    </util:list>
    -->
  <!-- If you need to publish key set different from shibboleth.oidc.SigningCredentials, define a list named as shibboleth.oidc.SigningCredentialsToPublish -->
  <alias name="shibboleth.oidc.SigningCredentials" alias="shibboleth.oidc.SigningCredentialsToPublish"/>
  <!--
    Example of case publishing signing credential before taking it to active configuration:

    <util:list id="shibboleth.oidc.SigningCredentialsToPublish">
        <ref bean="shibboleth.oidc.DefaultRSSigningCredential" />
        <ref bean="shibboleth.oidc.DefaultESSigningCredential" />
        <ref bean="shibboleth.oidc.UpcomingDefaultRSSigningCredential" />
    </util:list>
    -->
</beans>
```

(from https://github.com/CSCfi/shibboleth-idp-dockerized/blob/master/opt/shibboleth-idp/conf/credentials-oidc.xml; haven't compared, but it should be the same, I guess. Note the order: the file in the container is called credentials-oidc.xml, but we need oidc-credentials.xml! See the import in credentials.xml.)

After that:

8 scenarios (8 passed)
119 steps (119 passed)
0m27.67s (10.09Mb)

😎
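The first and third bullets above both come down to one property of SAML trust: the IdP matches the Requester rule in attribute-filter.xml and the AssertionConsumerService Location in the SP metadata by exact string comparison, so a URL that merely lacks the port fails silently (no attributes released, or the assertion POSTed to a Location the SP never registered). The following check is an added example, not code from this PR, from user_saml or from Shibboleth: it parses a constructed copy of both files and flags the port mismatch described in the comment. The sample XML, the `sp_base_url` parameter and all function names are this example's own assumptions.

```python
"""Added example: consistency check between SAML SP metadata and a Shibboleth
IdP attribute-filter.xml.  Both XML documents below are constructed sample
data modelled on the thread, not files from the project."""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
AFP = "urn:mace:shibboleth:2.0:afp"
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"


def sp_metadata(acs_host: str) -> str:
    """Constructed SP metadata (the nextcloud.xml registered at the IdP).
    Passing 'localhost' reproduces the missing-port ACS Location from the thread."""
    return f"""<md:EntityDescriptor xmlns:md="{MD}"
    entityID="http://localhost:8080/index.php/apps/user_saml/saml/metadata">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://{acs_host}/index.php/apps/user_saml/saml/acs" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def attribute_filter(requester_host: str) -> str:
    """Constructed attribute-filter.xml policy for the same SP."""
    return f"""<AttributeFilterPolicyGroup id="ShibbolethFilterPolicy" xmlns="{AFP}"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <AttributeFilterPolicy id="nextcloud">
    <PolicyRequirementRule xsi:type="Requester"
        value="http://{requester_host}/index.php/apps/user_saml/saml/metadata"/>
    <AttributeRule attributeID="uid"><PermitValueRule xsi:type="ANY"/></AttributeRule>
  </AttributeFilterPolicy>
</AttributeFilterPolicyGroup>"""


def sp_identity(metadata_xml: str):
    """Return (entityID, list of AssertionConsumerService Locations)."""
    root = ET.fromstring(metadata_xml)
    acs = [e.get("Location") for e in root.iter(f"{{{MD}}}AssertionConsumerService")]
    return root.get("entityID"), acs


def requester_rules(filter_xml: str):
    """Return the value of every xsi:type="Requester" PolicyRequirementRule."""
    root = ET.fromstring(filter_xml)
    return [e.get("value") for e in root.iter(f"{{{AFP}}}PolicyRequirementRule")
            if e.get(XSI_TYPE) == "Requester"]


def check(metadata_xml: str, filter_xml: str, sp_base_url: str):
    """sp_base_url is the scheme://host[:port] the SP is actually reachable at
    (http://localhost:8080 in the CI job).  Returns a list of problems; empty means OK."""
    problems = []
    entity_id, acs_locations = sp_identity(metadata_xml)
    base = urlsplit(sp_base_url)
    for loc in acs_locations:
        u = urlsplit(loc)
        # Scheme and host:port must match exactly; the IdP will not POST anywhere else.
        if (u.scheme, u.netloc) != (base.scheme, base.netloc):
            problems.append(f"ACS Location {loc} is not under {sp_base_url}")
    rules = requester_rules(filter_xml)
    if not rules:
        problems.append("no Requester rule: the IdP will release no attributes to this SP")
    for value in rules:
        # Requester is compared as a plain string against the SP's entityID.
        if value != entity_id:
            problems.append(f"Requester {value!r} != entityID {entity_id!r} (exact match required)")
    return problems


if __name__ == "__main__":
    for label, host in (("broken", "localhost"), ("fixed", "localhost:8080")):
        result = check(sp_metadata(host), attribute_filter(host), "http://localhost:8080")
        print(label, result or "OK")
```

The ACS check ties the Location to one base URL because the CI setup serves metadata and ACS from the same host; in a deployment where the SP legitimately answers on a different hostname, compare against the SP's real external base URL instead. The Requester check is general: Shibboleth never normalises that value, so a trailing slash or missing port is a different SP as far as attribute release is concerned.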

@blizzz (Member, Author) commented Oct 2, 2023

@SystemKeeper many thanks! Some changes I already had locally like that, but you also saved me some more digging ❤️

@blizzz (Member, Author) commented Oct 10, 2023

[Screenshot_20231010_121007]

happy

blizzz and others added 4 commits October 10, 2023 12:22
- adds integration.yml for integration tests
- …where 389ds is added as service container and initialized in a later
  step after checkout
- …and where a shibboleth server is also added service container

TODOS:
- [ ] double check integration tests config/paths/etc (was copy paste)

Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
Signed-off-by: Julius Härtl <jus@bitgrid.net>
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
@blizzz blizzz force-pushed the tebt/noid/split-ci branch from 024b0d7 to 91254f1 (October 10, 2023 10:22)
@blizzz blizzz marked this pull request as ready for review October 10, 2023 10:22
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
@blizzz blizzz force-pushed the tebt/noid/split-ci branch from 91254f1 to 27e75f9 (October 10, 2023 10:38)
@blizzz (Member, Author) commented Oct 10, 2023

will remove require on drone once it's merged – there are no tests for drone anymore and the file was removed.

@juliusknorr (Member) left a comment

Changes look good 👍

Long way but nice work 🥳

- garm runners often run into host system issues and render the test
  unreliable
  (Error response from daemon: symlink /proc/mounts/var/lib/docker/fuse-overlayfs/$hash-init/merged/etc/mtab: file exists)

Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
@blizzz blizzz merged commit 69d1ece into master Oct 10, 2023
@blizzz blizzz deleted the tebt/noid/split-ci branch October 10, 2023 18:43
@blizzz (Member, Author) commented Oct 11, 2023

/backport to stable-5.2

@backportbot-nextcloud commented

The backport to stable-5.2 failed. Please do this backport manually.

```bash
# Switch to the target branch and update it
git checkout stable-5.2
git pull origin stable-5.2

# Create the new backport branch
git checkout -b fix/foo-stable-5.2

# Cherry pick the change from the commit sha1 of the change against the default branch
# This might cause conflicts. Resolve them.
git cherry-pick abc123

# Push the cherry pick commit to the remote repository and open a pull request
git push origin fix/foo-stable-5.2
```

More info at https://docs.nextcloud.com/server/latest/developer_manual/getting_started/development_process.html#manual-backport

@blizzz blizzz changed the title Splitting CI images into seperate ones Splitting CI images into separate ones Oct 11, 2023
Successfully merging this pull request may close these issues:

  • Update CI continuous-integration-user_saml_shibboleth-php8.0 image for master

5 participants