feat(fips): update packaging tests

newrelic · Jan 6, 2025 · ef9463a · ef9463a
1 parent 7f36493
commit ef9463a
Show file tree

Hide file tree

Showing 6 changed files with 142 additions and 104 deletions.
diff --git a/test/packaging/ansible/README.md b/test/packaging/ansible/README.md
@@ -9,7 +9,8 @@ localhost ansible_connection=local
 
 [testing_hosts]
 amd64:debian-buster ansible_host=192.168.1.12 ansible_user=admin ansible_python_interpreter=/usr/bin/python3 
-amd64:centos7 ansible_host=192.168.1.13 ansible_user=centos ansible_python_interpreter=/usr/bin/python 
+amd64:centos7 ansible_host=192.168.1.13 ansible_user=centos ansible_python_interpreter=/usr/bin/python
+amd64:al-2023-fips ansible_host=192.168.1.14 ansible_user=ec2-user ansible_python_interpreter=/usr/bin/python3 ansible_ssh_common_args='-o Ciphers=aes256-ctr,aes192-ctr,aes128-ctr -o KexAlgorithms=ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521 -o MACs=hmac-sha2-256,hmac-sha2-512'
 ```
 
 ## Playbooks

diff --git a/test/packaging/ansible/installation-privileged.yml b/test/packaging/ansible/installation-privileged.yml
@@ -1,13 +1,12 @@
 ---
-
-- name: installation-privileged
+- name: Installation-privileged
   hosts: testing_hosts_linux
   become: true
-  gather_facts: yes
+  gather_facts: true
 
   pre_tasks:
     - name: Initial cleanup
-      include_role:
+      ansible.builtin.include_role:
         name: caos.ansible_roles.infra_agent
       vars:
         uninstall: true
@@ -21,30 +20,38 @@
           NRIA_MODE: PRIVILEGED
 
       block:
+        - name: Install agent
+          when: "'-fips' not in inventory_hostname"
+          ansible.builtin.include_role:
+            name: caos.ansible_roles.infra_agent
+          vars:
+            repo_endpoint: "http://nr-downloads-ohai-staging.s3-website-us-east-1.amazonaws.com/infrastructure_agent"
 
-      - name: install agent
-        include_role:
-          name: caos.ansible_roles.infra_agent
-        vars:
-          repo_endpoint: "http://nr-downloads-ohai-staging.s3-website-us-east-1.amazonaws.com/infrastructure_agent"
+        - name: Install agent - FIPS
+          when: "'-fips' in inventory_hostname"
+          ansible.builtin.include_role:
+            name: caos.ansible_roles.infra_agent
+          vars:
+            repo_endpoint: "http://nr-downloads-ohai-staging.s3-website-us-east-1.amazonaws.com/infrastructure_agent"
+            fips_enabled: true
 
-      - name: assert privileged caps
-        include_role:
-          name: caos.ansible_roles.assert_privileged_caps
-        vars:
-          executable: "/usr/bin/newrelic-infra"
-          caps:
-            - cap_dac_read_search
-            - cap_sys_ptrace.ep
+        - name: Assert privileged caps
+          ansible.builtin.include_role:
+            name: caos.ansible_roles.assert_privileged_caps
+          vars:
+            executable: "/usr/bin/newrelic-infra"
+            caps:
+              - cap_dac_read_search
+              - cap_sys_ptrace.ep
 
-      - name: Assert rootless
-        include_role:
-          name: caos.ansible_roles.assert_files
-        vars:
-          processes:
-            - name: newrelic-infra-service
-              owner: "{{ agent_user }}"
-          files:
-            - name: /usr/bin/newrelic-infra
-              permissions: "{{ bin_mode }}"
+        - name: Assert rootless
+          ansible.builtin.include_role:
+            name: caos.ansible_roles.assert_files
+          vars:
+            processes:
+              - name: newrelic-infra-service
+                owner: "{{ agent_user }}"
+            files:
+              - name: /usr/bin/newrelic-infra
+                permissions: "{{ bin_mode }}"
 ...
diff --git a/test/packaging/ansible/installation-root.yml b/test/packaging/ansible/installation-root.yml
@@ -1,13 +1,13 @@
 ---
 
-- name: installation-root
+- name: Installation-root
   hosts: testing_hosts_linux
   become: true
-  gather_facts: yes
+  gather_facts: true
 
   pre_tasks:
     - name: Initial cleanup
-      include_role:
+      ansible.builtin.include_role:
         name: caos.ansible_roles.infra_agent
       vars:
         uninstall: true
@@ -20,14 +20,23 @@
 
       block:
 
-        - name: install agent
-          include_role:
+        - name: Install agent
+          when: "'-fips' not in inventory_hostname"
+          ansible.builtin.include_role:
             name: caos.ansible_roles.infra_agent
           vars:
             repo_endpoint: "http://nr-downloads-ohai-staging.s3-website-us-east-1.amazonaws.com/infrastructure_agent"
 
+        - name: Install agent - FIPS
+          when: "'-fips' in inventory_hostname"
+          ansible.builtin.include_role:
+            name: caos.ansible_roles.infra_agent
+          vars:
+            repo_endpoint: "http://nr-downloads-ohai-staging.s3-website-us-east-1.amazonaws.com/infrastructure_agent"
+            fips_enabled: true
+
         - name: Assert root
-          include_role:
+          ansible.builtin.include_role:
             name: caos.ansible_roles.assert_files
           vars:
             processes:

diff --git a/test/packaging/ansible/installation-unprivileged.yml b/test/packaging/ansible/installation-unprivileged.yml
@@ -1,13 +1,12 @@
 ---
-
-- name: installation-unprivileged
+- name: Installation-unprivileged
   hosts: testing_hosts_linux
   become: true
-  gather_facts: yes
+  gather_facts: true
 
   pre_tasks:
     - name: Initial cleanup
-      include_role:
+      ansible.builtin.include_role:
         name: caos.ansible_roles.infra_agent
       vars:
         uninstall: true
@@ -21,28 +20,36 @@
           NRIA_MODE: UNPRIVILEGED
 
       block:
+        - name: Install agent
+          when: "'-fips' not in inventory_hostname"
+          ansible.builtin.include_role:
+            name: caos.ansible_roles.infra_agent
+          vars:
+            repo_endpoint: "http://nr-downloads-ohai-staging.s3-website-us-east-1.amazonaws.com/infrastructure_agent"
 
-      - name: install agent
-        include_role:
-          name: caos.ansible_roles.infra_agent
-        vars:
-          repo_endpoint: "http://nr-downloads-ohai-staging.s3-website-us-east-1.amazonaws.com/infrastructure_agent"
+        - name: Install agent - FIPS
+          when: "'-fips' in inventory_hostname"
+          ansible.builtin.include_role:
+            name: caos.ansible_roles.infra_agent
+          vars:
+            repo_endpoint: "http://nr-downloads-ohai-staging.s3-website-us-east-1.amazonaws.com/infrastructure_agent"
+            fips_enabled: true
 
-      - name: assert no privileged caps
-        include_role:
-          name: caos.ansible_roles.assert_privileged_caps
-        vars:
-          executable: "/usr/bin/newrelic-infra"
-          caps: []
+        - name: Assert no privileged caps
+          ansible.builtin.include_role:
+            name: caos.ansible_roles.assert_privileged_caps
+          vars:
+            executable: "/usr/bin/newrelic-infra"
+            caps: []
 
-      - name: Assert rootless
-        include_role:
-          name: caos.ansible_roles.assert_files
-        vars:
-          processes:
-            - name: newrelic-infra-service
-              owner: "{{ agent_user }}"
-          files:
-            - name: /usr/bin/newrelic-infra
-              permissions: "{{ bin_mode }}"
+        - name: Assert rootless
+          ansible.builtin.include_role:
+            name: caos.ansible_roles.assert_files
+          vars:
+            processes:
+              - name: newrelic-infra-service
+                owner: "{{ agent_user }}"
+            files:
+              - name: /usr/bin/newrelic-infra
+                permissions: "{{ bin_mode }}"
 ...
diff --git a/test/packaging/ansible/shutdown-and-terminate.yml b/test/packaging/ansible/shutdown-and-terminate.yml
@@ -1,47 +1,57 @@
 ---
 
-- name: install agent linux (HNR)
+- name: Install agent linux (HNR)
   hosts: testing_hosts_linux
-  gather_facts: yes
+  gather_facts: true
   become: true
   vars:
     agent_user: root
 
   pre_tasks:
     - name: Initial cleanup
-      include_role:
+      ansible.builtin.include_role:
         name: caos.ansible_roles.infra_agent
       vars:
         uninstall: true
 
   tasks:
-    - name: install agent
-      include_role:
+    - name: Install agent
+      when: "'-fips' not in inventory_hostname"
+      ansible.builtin.include_role:
         name: caos.ansible_roles.infra_agent
       vars:
         display_name: "{{ iid }}:{{ inventory_hostname }}"
         repo_endpoint: "http://nr-downloads-ohai-staging.s3-website-us-east-1.amazonaws.com/infrastructure_agent"
 
-- name: install agent windows  (HNR)
+    - name: Install agent - FIPS
+      when: "'-fips' in inventory_hostname"
+      ansible.builtin.include_role:
+        name: caos.ansible_roles.infra_agent
+      vars:
+        display_name: "{{ iid }}:{{ inventory_hostname }}"
+        repo_endpoint: "http://nr-downloads-ohai-staging.s3-website-us-east-1.amazonaws.com/infrastructure_agent"
+        fips_enabled: true
+
+- name: Install agent windows  (HNR)
   hosts: testing_hosts_windows
-  gather_facts: yes
+  gather_facts: true
 
   pre_tasks:
     - name: Initial cleanup
-      include_role:
+      ansible.builtin.include_role:
         name: caos.ansible_roles.infra_agent
       vars:
         uninstall: true
 
   tasks:
-    - name: install agent
-      include_role:
+    - name: Install agent
+      ansible.builtin.include_role:
         name: caos.ansible_roles.infra_agent
       vars:
         display_name: "{{ iid }}:{{ inventory_hostname }}"
 
 
-- name: test agent behaviour on host shutdown
+- name: Test agent behaviour on host shutdown
   hosts: testing_hosts
   vars:
     # Add here hosts of the instances that doesn't support Smart HNR (shutdown detection) e.g. - "amd64:ubuntu14.04"
@@ -56,80 +66,80 @@
       }}
 
   tasks:
-    - name: pause a bit to let the agent send some data
-      pause:
+    - name: Pause a bit to let the agent send some data
+      ansible.builtin.pause:
         minutes: 1
 
-    - name: restart the agent
-      include_role:
+    - name: Restart the agent
+      ansible.builtin.include_role:
         name: caos.ansible_roles.service_status
       vars:
         service_name: "newrelic-infra"
         action: "restart"
 
-    - name: pause for a bit to let the agent initialize
-      pause:
+    - name: Pause for a bit to let the agent initialize
+      ansible.builtin.pause:
         seconds: 30
 
     - name: Get entity id
-      include_role:
+      ansible.builtin.include_role:
         name: caos.ansible_roles.infra_agent_get_entity_id
 
-    - name: assert agent restart don't trigger shutdown event
-      include_role:
+    - name: Assert agent restart don't trigger shutdown event
+      ansible.builtin.include_role:
         name: caos.ansible_roles.assert_host_status_event
       vars:
         host_status: "shutdown"
         expect_change_event: false
         since_sec_ago: 30
 
-    - name: stop instances
-      include_role:
+    - name: Stop instances
+      ansible.builtin.include_role:
         name: caos.ansible_roles.ec2_instance
       vars:
         action: stop
         instance_id: "{{ iid }}"
 
-    - name: pause for a bit to let the event fire
-      pause:
+    - name: Pause for a bit to let the event fire
+      ansible.builtin.pause:
         seconds: 30
 
-    - name: assert that the agent detecteded host shutdown and disconnected from the backend (only on hosts that support shutdown detection)
-      include_role:
+    - name: Assert that the agent detecteded host shutdown and disconnected from the backend (only on hosts that support shutdown detection)
+      ansible.builtin.include_role:
         name: caos.ansible_roles.assert_host_status_event
       vars:
         host_status: "shutdown"
         expect_change_event: "{{ host_supports_shutdown_detection }}"
         timestamp_ref: "{{ ec2_stop_time_sec | int }}"
 
-    - name: start instances
-      include_role:
+    - name: Start instances
+      ansible.builtin.include_role:
         name: caos.ansible_roles.ec2_instance
       vars:
         action: start
         instance_id: "{{ iid }}"
 
-    - name: assert the agent performed connect to the backend (only on hosts that support shutdown detection)
-      include_role:
+    - name: Assert the agent performed connect to the backend (only on hosts that support shutdown detection)
+      ansible.builtin.include_role:
         name: caos.ansible_roles.assert_host_status_event
       vars:
         host_status: "running"
         expect_change_event: "{{ host_supports_shutdown_detection }}"
         timestamp_ref: "{{ ec2_start_time_sec | int }}"
 
-    - name: terminate instances
-      include_role:
+    - name: Terminate instances
+      ansible.builtin.include_role:
         name: caos.ansible_roles.ec2_instance
       vars:
         action: terminate
         instance_id: "{{ iid }}"
 
-    - name: pause for a bit to let the event fire
-      pause:
+    - name: Pause for a bit to let the event fire
+      ansible.builtin.pause:
         seconds: 30
 
-    - name: assert that the agent detecteded host termination and disconnected from the backend (only on hosts that support shutdown detection)
-      include_role:
+    - name: Assert that the agent detecteded host termination and disconnected from the backend (only on hosts that support shutdown detection)
+      ansible.builtin.include_role:
         name: caos.ansible_roles.assert_host_status_event
       vars:
         host_status: "shutdown"