
feat(lab-06): FreeIPA production -- privileged HA deployment, full IT… #13


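---
# CI workflow for the FreeIPA lab module.
#
# Job layout:
#   validate       -> compose config checks, ShellCheck on lab scripts, manifest check
#   security-scan  -> Trivy IaC (config) scan, results uploaded as SARIF
#   lab-0N-smoke   -> per-lab smoke checks: image pull + compose config + script lint
#
# FreeIPA needs privileged/systemd containers, so the lab jobs only verify that
# the compose files are well-formed and the images are pullable. The full lab
# tests (tests/labs/test-lab-01-0N.sh) are run on dedicated VMs, not in CI.
#
# Supply-chain note: third-party actions are referenced by mutable tag
# (actions/checkout@v4, aquasecurity/trivy-action@0.28.0,
# github/codeql-action/upload-sarif@v3). Once the upstream release commit has
# been verified, pin each to its full commit SHA, e.g.
# `uses: actions/checkout@<verified-commit-sha>  # v4`, so a re-tagged release
# cannot silently change what runs with this workflow's token.
name: CI

on:  # yamllint disable-line rule:truthy
  push:
    branches: [main, develop, 'feature/**', 'bugfix/**']
  pull_request:
    branches: [main, develop]

# Workflow-wide token is read-only. The only job that needs a write scope
# (security-scan, for the SARIF upload) declares it at job level instead of
# every job inheriting security-events: write.
permissions:
  contents: read

jobs:
  validate:
    name: Validate Configuration
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Strict validation for the compose files that are fully built out;
      # the two scaffold files are checked with --no-interpolate and only warn,
      # because they still contain placeholder variables.
      - name: Validate Docker Compose files
        run: |
          echo "Validating: docker/docker-compose.standalone.yml"
          docker compose -f docker/docker-compose.standalone.yml config -q
          echo "OK: docker/docker-compose.standalone.yml"
          echo "Validating: docker/docker-compose.lan.yml"
          docker compose -f docker/docker-compose.lan.yml config -q
          echo "OK: docker/docker-compose.lan.yml"
          for f in docker/docker-compose.advanced.yml docker/docker-compose.sso.yml; do
            echo "Checking scaffold: $f"
            docker compose -f "$f" config --no-interpolate -q 2>&1 && echo "OK: $f" \
              || echo "WARN: $f has placeholder variables (scaffold — not yet built out)"
          done
          echo "Validating: docker/docker-compose.integration.yml"
          docker compose -f docker/docker-compose.integration.yml config -q
          echo "OK: docker/docker-compose.integration.yml"
          echo "Validating: docker/docker-compose.production.yml"
          docker compose -f docker/docker-compose.production.yml config -q
          echo "OK: docker/docker-compose.production.yml"

      - name: ShellCheck — lab test scripts
        run: |
          sudo apt-get install -y shellcheck -qq
          shellcheck tests/labs/*.sh

      # Substring check that the module manifest declares the required
      # top-level fields. The script is fed on stdin via a quoted heredoc so
      # no shell quoting applies to the Python source.
      - name: Validate module manifest
        run: |
          python3 - <<'PY'
          import sys
          with open('it-stack-freeipa.yml') as f:
              content = f.read()
          required = ['module:', 'version:', 'phase:', 'category:', 'ports:']
          missing = [k for k in required if k not in content]
          if missing:
              print('Missing fields:', missing); sys.exit(1)
          print('Manifest valid')
          PY

  security-scan:
    name: Security Scan
    runs-on: ubuntu-latest
    needs: validate
    # Job-level permissions replace the workflow-level set entirely, so
    # contents: read has to be restated next to the SARIF upload scope.
    permissions:
      contents: read
      security-events: write
    steps:
      - uses: actions/checkout@v4

      # scan-type: config is Trivy's IaC/misconfiguration scan of the files
      # under the repo root (Dockerfiles, compose files); it does not scan
      # built images.
      - name: Trivy — scan Dockerfile
        uses: aquasecurity/trivy-action@0.28.0
        with:
          scan-type: config
          scan-ref: .
          # exit-code '0' makes this step report-only: CRITICAL/HIGH findings
          # are printed but never fail the job. Raise it to '1' once the
          # baseline is clean so new misconfigurations block the merge.
          exit-code: '0'
          severity: CRITICAL,HIGH

      # Same scan again, emitted as SARIF for the Security tab.
      - name: Trivy — SARIF output
        uses: aquasecurity/trivy-action@0.28.0
        with:
          scan-type: config
          scan-ref: .
          format: sarif
          output: trivy-results.sarif

      # always(): upload whatever was produced even if an earlier step failed.
      - name: Upload SARIF to GitHub Security
        uses: github/codeql-action/upload-sarif@v3
        if: always()
        with:
          sarif_file: trivy-results.sarif

  lab-01-smoke:
    name: Lab 01 — Smoke Test
    runs-on: ubuntu-latest
    needs: validate
    continue-on-error: true  # scaffold stubs; full lab runs on real VMs
    steps:
      - uses: actions/checkout@v4
      # FreeIPA requires privileged/systemd — full lab only runs on dedicated VMs.
      # CI smoke test validates compose structure and checks the image pulls cleanly.
      - name: Validate FreeIPA standalone compose and pull image
        run: |
          docker compose -f docker/docker-compose.standalone.yml pull --quiet
          echo "FreeIPA image available: $(docker images freeipa/freeipa-server --format '{{.Repository}}:{{.Tag}}' | head -1)"
          echo "Standalone compose is valid and image is pullable."
          echo "Note: Full Lab 01-01 test requires privileged mode on a dedicated VM."
          echo " Run: bash tests/labs/test-lab-01-01.sh (expects 10-20 min install time)"
      - name: Collect logs on failure
        if: failure()
        run: docker compose -f docker/docker-compose.standalone.yml logs
      - name: Cleanup
        if: always()
        run: docker compose -f docker/docker-compose.standalone.yml down -v

  lab-02-smoke:
    name: Lab 02 — LDAP Client Integration
    runs-on: ubuntu-latest
    needs: validate
    continue-on-error: true  # pull/lint only; full lab runs on real VMs
    steps:
      - uses: actions/checkout@v4
      - name: Validate LAN compose (privileged — pull images only)
        run: |
          echo "NOTE: FreeIPA requires privileged mode; full test runs on real VMs"
          docker compose -f docker/docker-compose.lan.yml pull --quiet
          echo "Images pulled OK"
      - name: Validate compose config is well-formed
        run: docker compose -f docker/docker-compose.lan.yml config -q
      - name: Verify test script syntax
        run: bash -n tests/labs/test-lab-01-02.sh
      - name: ShellCheck test script
        run: |
          sudo apt-get install -y shellcheck -qq
          shellcheck tests/labs/test-lab-01-02.sh

  lab-03-smoke:
    name: Lab 03 — Sudo Rules + HBAC + Password Policy
    runs-on: ubuntu-latest
    needs: validate
    # The advanced compose file is a scaffold with placeholder variables (see the
    # validate job), so the interpolating pull/config steps below may fail until
    # it is built out; continue-on-error keeps that from blocking the run.
    continue-on-error: true
    steps:
      - uses: actions/checkout@v4
      - name: Validate advanced compose (privileged — pull images only)
        run: |
          echo "NOTE: FreeIPA requires privileged mode; full test runs on real VMs"
          docker compose -f docker/docker-compose.advanced.yml pull --quiet
          echo "Images pulled OK"
      - name: Validate compose config
        run: docker compose -f docker/docker-compose.advanced.yml config -q
      - name: Verify test script syntax
        run: bash -n tests/labs/test-lab-01-03.sh
      - name: ShellCheck test script
        run: |
          sudo apt-get install -y shellcheck -qq
          shellcheck tests/labs/test-lab-01-03.sh

  lab-04-smoke:
    name: Lab 04 — Keycloak LDAP Federation (syntax check only)
    runs-on: ubuntu-latest
    needs: validate
    # The SSO compose file is a scaffold with placeholder variables (see the
    # validate job); same caveat as lab-03-smoke.
    continue-on-error: true
    steps:
      - uses: actions/checkout@v4
      - name: Validate SSO compose (pull images only — FreeIPA is privileged)
        run: |
          echo "NOTE: FreeIPA Lab 04 requires privileged + full IPA init (~5min); runs on real VMs"
          docker compose -f docker/docker-compose.sso.yml pull --quiet
          echo "Images pulled OK"
      - name: Validate compose config
        run: docker compose -f docker/docker-compose.sso.yml config -q
      - name: Verify test script syntax
        run: bash -n tests/labs/test-lab-01-04.sh
      - name: ShellCheck test script
        run: |
          sudo apt-get install -y shellcheck -qq
          shellcheck tests/labs/test-lab-01-04.sh

  lab-05-smoke:
    name: Lab 05 -- FreeIPA+KC+PG+Redis integration (syntax check only)
    runs-on: ubuntu-latest
    needs: validate
    continue-on-error: true  # pull/lint only; full lab runs on real VMs
    steps:
      - uses: actions/checkout@v4
      - name: Validate integration compose (pull images -- FreeIPA is privileged)
        run: |
          echo "NOTE: FreeIPA Lab 05 requires privileged + full IPA init (~5min); runs on real VMs"
          docker compose -f docker/docker-compose.integration.yml pull --quiet
          echo "Images pulled OK"
      - name: Validate compose config
        run: docker compose -f docker/docker-compose.integration.yml config -q
      - name: Verify test script syntax
        run: bash -n tests/labs/test-lab-01-05.sh
      - name: ShellCheck test script
        run: |
          sudo apt-get install -y shellcheck -qq
          shellcheck tests/labs/test-lab-01-05.sh

  lab-06-smoke:
    name: Lab 06 — FreeIPA Production HA (privileged — syntax check only)
    runs-on: ubuntu-latest
    needs: validate
    continue-on-error: true  # pull/lint only; full lab runs on real VMs
    steps:
      - uses: actions/checkout@v4
      - name: Validate production compose (pull images — FreeIPA is privileged)
        run: |
          echo "NOTE: FreeIPA Lab 06 requires privileged + full IPA init (~5min); runs on real VMs"
          docker compose -f docker/docker-compose.production.yml pull --quiet
          echo "Images pulled OK"
      - name: Validate compose config
        run: docker compose -f docker/docker-compose.production.yml config -q
      - name: Verify test script syntax
        run: bash -n tests/labs/test-lab-01-06.sh
      - name: ShellCheck test script
        run: |
          sudo apt-get install -y shellcheck -qq
          shellcheck tests/labs/test-lab-01-06.sh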