feat(fips): update packaging tests

newrelic · Jan 8, 2025 · d25f367 · d25f367
1 parent c53421f
commit d25f367
Show file tree

Hide file tree

Showing 8 changed files with 161 additions and 112 deletions.
diff --git a/test/packaging/ansible/README.md b/test/packaging/ansible/README.md
@@ -9,7 +9,8 @@ localhost ansible_connection=local
 
 [testing_hosts]
 amd64:debian-buster ansible_host=192.168.1.12 ansible_user=admin ansible_python_interpreter=/usr/bin/python3 
-amd64:centos7 ansible_host=192.168.1.13 ansible_user=centos ansible_python_interpreter=/usr/bin/python 
+amd64:centos7 ansible_host=192.168.1.13 ansible_user=centos ansible_python_interpreter=/usr/bin/python
+amd64:al-2023-fips ansible_host=192.168.1.14 ansible_user=ec2-user ansible_python_interpreter=/usr/bin/python3 ansible_ssh_common_args='-o Ciphers=aes256-ctr,aes192-ctr,aes128-ctr -o KexAlgorithms=ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521 -o MACs=hmac-sha2-256,hmac-sha2-512'
 ```
 
 ## Playbooks

diff --git a/test/packaging/ansible/agent-upgrade.yml b/test/packaging/ansible/agent-upgrade.yml
@@ -14,6 +14,8 @@
 
   tasks:
     - name: agent upgrade tests suite
+      # TODO: https://new-relic.atlassian.net/browse/NR-355851 Update when two releases with FIPS are done
+      # Also add FIPS tests
       vars:
         target_agent_version: "1.57.1"
 

diff --git a/test/packaging/ansible/installation-pinned.yml b/test/packaging/ansible/installation-pinned.yml
@@ -1,13 +1,12 @@
 ---
-
-- name: installation-pinned
+- name: Installation-pinned
   hosts: testing_hosts_linux
   become: true
-  gather_facts: yes
+  gather_facts: true
 
   pre_tasks:
     - name: Initial cleanup
-      include_role:
+      ansible.builtin.include_role:
         name: caos.ansible_roles.infra_agent
       vars:
         uninstall: true
@@ -18,16 +17,26 @@
         target_agent_version: "1.57.1" # minimum version for ubuntu sles 15.6
 
       block:
-
-        - name: install agent
-          include_role:
+        - name: Install agent
+          # when: "'-fips' not in inventory_hostname"
+          ansible.builtin.include_role:
             name: caos.ansible_roles.infra_agent
           vars:
             target_version: "{{ target_agent_version }}"
             repo_endpoint: "http://nr-downloads-ohai-staging.s3-website-us-east-1.amazonaws.com/infrastructure_agent"
 
+        # TODO: https://new-relic.atlassian.net/browse/NR-355845 Uncomment when FIPS version is available for the minimum version
+        # - name: Install agent - FIPS
+        #   when: "'-fips' in inventory_hostname"
+        #   ansible.builtin.include_role:
+        #     name: caos.ansible_roles.infra_agent
+        #   vars:
+        #     target_version: "{{ target_agent_version }}"
+        #     repo_endpoint: "http://nr-downloads-ohai-staging.s3-website-us-east-1.amazonaws.com/infrastructure_agent"
+        #     fips_enabled: true
+
         - name: Assert version
-          include_role:
+          ansible.builtin.include_role:
             name: caos.ansible_roles.assert_version
           vars:
             target_versions:

diff --git a/test/packaging/ansible/installation-privileged.yml b/test/packaging/ansible/installation-privileged.yml
@@ -1,13 +1,12 @@
 ---
-
-- name: installation-privileged
+- name: Installation-privileged
   hosts: testing_hosts_linux
   become: true
-  gather_facts: yes
+  gather_facts: true
 
   pre_tasks:
     - name: Initial cleanup
-      include_role:
+      ansible.builtin.include_role:
         name: caos.ansible_roles.infra_agent
       vars:
         uninstall: true
@@ -21,30 +20,38 @@
           NRIA_MODE: PRIVILEGED
 
       block:
+        - name: Install agent
+          when: "'-fips' not in inventory_hostname"
+          ansible.builtin.include_role:
+            name: caos.ansible_roles.infra_agent
+          vars:
+            repo_endpoint: "http://nr-downloads-ohai-staging.s3-website-us-east-1.amazonaws.com/infrastructure_agent"
 
-      - name: install agent
-        include_role:
-          name: caos.ansible_roles.infra_agent
-        vars:
-          repo_endpoint: "http://nr-downloads-ohai-staging.s3-website-us-east-1.amazonaws.com/infrastructure_agent"
+        - name: Install agent - FIPS
+          when: "'-fips' in inventory_hostname"
+          ansible.builtin.include_role:
+            name: caos.ansible_roles.infra_agent
+          vars:
+            repo_endpoint: "http://nr-downloads-ohai-staging.s3-website-us-east-1.amazonaws.com/infrastructure_agent"
+            fips_enabled: true
 
-      - name: assert privileged caps
-        include_role:
-          name: caos.ansible_roles.assert_privileged_caps
-        vars:
-          executable: "/usr/bin/newrelic-infra"
-          caps:
-            - cap_dac_read_search
-            - cap_sys_ptrace.ep
+        - name: Assert privileged caps
+          ansible.builtin.include_role:
+            name: caos.ansible_roles.assert_privileged_caps
+          vars:
+            executable: "/usr/bin/newrelic-infra"
+            caps:
+              - cap_dac_read_search
+              - cap_sys_ptrace.ep
 
-      - name: Assert rootless
-        include_role:
-          name: caos.ansible_roles.assert_files
-        vars:
-          processes:
-            - name: newrelic-infra-service
-              owner: "{{ agent_user }}"
-          files:
-            - name: /usr/bin/newrelic-infra
-              permissions: "{{ bin_mode }}"
+        - name: Assert rootless
+          ansible.builtin.include_role:
+            name: caos.ansible_roles.assert_files
+          vars:
+            processes:
+              - name: newrelic-infra-service
+                owner: "{{ agent_user }}"
+            files:
+              - name: /usr/bin/newrelic-infra
+                permissions: "{{ bin_mode }}"
 ...
diff --git a/test/packaging/ansible/installation-root.yml b/test/packaging/ansible/installation-root.yml
@@ -1,13 +1,13 @@
 ---
 
-- name: installation-root
+- name: Installation-root
   hosts: testing_hosts_linux
   become: true
-  gather_facts: yes
+  gather_facts: true
 
   pre_tasks:
     - name: Initial cleanup
-      include_role:
+      ansible.builtin.include_role:
         name: caos.ansible_roles.infra_agent
       vars:
         uninstall: true
@@ -20,14 +20,23 @@
 
       block:
 
-        - name: install agent
-          include_role:
+        - name: Install agent
+          when: "'-fips' not in inventory_hostname"
+          ansible.builtin.include_role:
             name: caos.ansible_roles.infra_agent
           vars:
             repo_endpoint: "http://nr-downloads-ohai-staging.s3-website-us-east-1.amazonaws.com/infrastructure_agent"
 
+        - name: Install agent - FIPS
+          when: "'-fips' in inventory_hostname"
+          ansible.builtin.include_role:
+            name: caos.ansible_roles.infra_agent
+          vars:
+            repo_endpoint: "http://nr-downloads-ohai-staging.s3-website-us-east-1.amazonaws.com/infrastructure_agent"
+            fips_enabled: true
+
         - name: Assert root
-          include_role:
+          ansible.builtin.include_role:
             name: caos.ansible_roles.assert_files
           vars:
             processes:

diff --git a/test/packaging/ansible/installation-unprivileged.yml b/test/packaging/ansible/installation-unprivileged.yml
@@ -1,13 +1,12 @@
 ---
-
-- name: installation-unprivileged
+- name: Installation-unprivileged
   hosts: testing_hosts_linux
   become: true
-  gather_facts: yes
+  gather_facts: true
 
   pre_tasks:
     - name: Initial cleanup
-      include_role:
+      ansible.builtin.include_role:
         name: caos.ansible_roles.infra_agent
       vars:
         uninstall: true
@@ -21,28 +20,36 @@
           NRIA_MODE: UNPRIVILEGED
 
       block:
+        - name: Install agent
+          when: "'-fips' not in inventory_hostname"
+          ansible.builtin.include_role:
+            name: caos.ansible_roles.infra_agent
+          vars:
+            repo_endpoint: "http://nr-downloads-ohai-staging.s3-website-us-east-1.amazonaws.com/infrastructure_agent"
 
-      - name: install agent
-        include_role:
-          name: caos.ansible_roles.infra_agent
-        vars:
-          repo_endpoint: "http://nr-downloads-ohai-staging.s3-website-us-east-1.amazonaws.com/infrastructure_agent"
+        - name: Install agent - FIPS
+          when: "'-fips' in inventory_hostname"
+          ansible.builtin.include_role:
+            name: caos.ansible_roles.infra_agent
+          vars:
+            repo_endpoint: "http://nr-downloads-ohai-staging.s3-website-us-east-1.amazonaws.com/infrastructure_agent"
+            fips_enabled: true
 
-      - name: assert no privileged caps
-        include_role:
-          name: caos.ansible_roles.assert_privileged_caps
-        vars:
-          executable: "/usr/bin/newrelic-infra"
-          caps: []
+        - name: Assert no privileged caps
+          ansible.builtin.include_role:
+            name: caos.ansible_roles.assert_privileged_caps
+          vars:
+            executable: "/usr/bin/newrelic-infra"
+            caps: []
 
-      - name: Assert rootless
-        include_role:
-          name: caos.ansible_roles.assert_files
-        vars:
-          processes:
-            - name: newrelic-infra-service
-              owner: "{{ agent_user }}"
-          files:
-            - name: /usr/bin/newrelic-infra
-              permissions: "{{ bin_mode }}"
+        - name: Assert rootless
+          ansible.builtin.include_role:
+            name: caos.ansible_roles.assert_files
+          vars:
+            processes:
+              - name: newrelic-infra-service
+                owner: "{{ agent_user }}"
+            files:
+              - name: /usr/bin/newrelic-infra
+                permissions: "{{ bin_mode }}"
 ...