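# CI for the FreeIPA lab module.
#
# Job layout:
#   validate       - compose / shell / manifest syntax checks; every other job needs it
#   security-scan  - Trivy IaC config scan, results uploaded to GitHub code scanning
#   lab-0N-smoke   - per-lab smoke checks (pull images, validate compose, lint the
#                    test script). FreeIPA needs privileged/systemd containers, so
#                    the real labs run only on dedicated VMs; these jobs are
#                    continue-on-error and therefore never turn the check red.
name: CI

on:
  push:
    branches: [main, develop, 'feature/**', 'bugfix/**']
  pull_request:
    branches: [main, develop]
  workflow_dispatch:

# Workflow-wide token scope is read-only. The single job that writes to code
# scanning opts in to security-events: write at job level (least privilege);
# every other job runs with a read-only GITHUB_TOKEN.
permissions:
  contents: read

jobs:
  validate:
    name: Validate Configuration
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Validate Docker Compose files
        run: |
          # The default shell runs with -e, so the first invalid file fails the step.
          for f in docker/docker-compose.standalone.yml \
                   docker/docker-compose.lan.yml \
                   docker/docker-compose.integration.yml \
                   docker/docker-compose.production.yml; do
            echo "Validating: $f"
            docker compose -f "$f" config -q
            echo "OK: $f"
          done
          # Scaffold files still carry placeholder variables: check structure only
          # (--no-interpolate) and downgrade a failure to a warning. lab-03 / lab-04
          # below run a plain 'config -q' on the same two files; a failure there is
          # hidden by their continue-on-error, so this is the only visible signal.
          for f in docker/docker-compose.advanced.yml docker/docker-compose.sso.yml; do
            echo "Checking scaffold: $f"
            docker compose -f "$f" config --no-interpolate -q 2>&1 && echo "OK: $f" \
              || echo "WARN: $f has placeholder variables (scaffold — not yet built out)"
          done

      - name: ShellCheck — lab test scripts
        run: |
          # This glob covers every script the lab-0N jobs lint again below; unlike
          # those jobs this one is not continue-on-error, so it is the ShellCheck
          # run that actually blocks a merge.
          sudo apt-get install -y shellcheck -qq
          shellcheck --severity=error tests/labs/*.sh

      - name: Validate module manifest
        run: |
          # A heredoc keeps the Python out of shell quoting. Each required key must
          # begin a line (optionally indented): a bare substring test would also be
          # satisfied by the key appearing inside a comment or a longer word.
          python3 - <<'PY'
          import re
          import sys

          with open('it-stack-freeipa.yml') as f:
              content = f.read()

          required = ['module:', 'version:', 'phase:', 'category:', 'ports:']
          missing = [k for k in required
                     if not re.search(r'^\s*' + re.escape(k), content, re.M)]
          if missing:
              print('Missing fields:', missing)
              sys.exit(1)
          print('Manifest valid')
          PY

  security-scan:
    name: Security Scan
    runs-on: ubuntu-latest
    needs: validate
    # Job-level permissions replace the workflow-level block entirely, so
    # contents: read must be repeated here. security-events: write is what
    # upload-sarif needs to publish to code scanning.
    # NOTE(review): for private repositories the upload-sarif docs also list
    # actions: read — confirm against the repo visibility before relying on this.
    permissions:
      contents: read
      security-events: write
    steps:
      - uses: actions/checkout@v4

      # NOTE(review): third-party actions below are pinned to mutable tags.
      # Pinning to a full-length commit SHA (tag kept in a trailing comment)
      # protects against a tag being moved to different code.
      #
      # scan-type: config with scan-ref: . scans every IaC file in the checkout
      # (Dockerfiles, compose files, this workflow), not only the Dockerfile.
      # exit-code: '0' makes this a report-only step; CRITICAL/HIGH findings are
      # printed to the log but never fail the job.
      - name: Trivy — scan Dockerfile
        uses: aquasecurity/trivy-action@0.28.0
        with:
          scan-type: config
          scan-ref: .
          exit-code: '0'
          severity: CRITICAL,HIGH

      # Second pass only to produce the SARIF file. No severity filter here, so
      # code scanning receives findings of every severity.
      - name: Trivy — SARIF output
        uses: aquasecurity/trivy-action@0.28.0
        with:
          scan-type: config
          scan-ref: .
          format: sarif
          output: trivy-results.sarif

      # Upload even when an earlier step failed, but not when the run was
      # cancelled (always() would also fire on cancellation).
      - name: Upload SARIF to GitHub Security
        uses: github/codeql-action/upload-sarif@v3
        if: ${{ !cancelled() }}
        with:
          sarif_file: trivy-results.sarif

  lab-01-smoke:
    name: Lab 01 — Smoke Test
    runs-on: ubuntu-latest
    needs: validate
    continue-on-error: true  # scaffold stubs; full lab runs on real VMs
    steps:
      - uses: actions/checkout@v4

      # FreeIPA requires privileged/systemd — full lab only runs on dedicated VMs.
      # CI smoke test validates compose structure and checks the image pulls cleanly.
      - name: Validate FreeIPA standalone compose and pull image
        run: |
          docker compose -f docker/docker-compose.standalone.yml pull --quiet
          echo "FreeIPA image available: $(docker images freeipa/freeipa-server --format '{{.Repository}}:{{.Tag}}' | head -1)"
          echo "Standalone compose is valid and image is pullable."
          echo "Note: Full Lab 01-01 test requires privileged mode on a dedicated VM."
          echo " Run: bash tests/labs/test-lab-01-01.sh (expects 10-20 min install time)"

      # Nothing is started above, so this usually prints nothing; kept for the
      # day the smoke test grows an actual 'up'.
      - name: Collect logs on failure
        if: failure()
        run: docker compose -f docker/docker-compose.standalone.yml logs

      - name: Cleanup
        if: always()
        run: docker compose -f docker/docker-compose.standalone.yml down -v

  # lab-02 .. lab-06 share one shape: pull the lab's images, validate its compose
  # file, syntax-check and ShellCheck its test script. They are kept as separate
  # jobs (rather than a matrix) so the job ids stay stable for status checks.
  lab-02-smoke:
    name: Lab 02 — LDAP Client Integration
    runs-on: ubuntu-latest
    needs: validate
    continue-on-error: true
    steps:
      - uses: actions/checkout@v4

      - name: Validate LAN compose (privileged — pull images only)
        run: |
          echo "NOTE: FreeIPA requires privileged mode; full test runs on real VMs"
          docker compose -f docker/docker-compose.lan.yml pull --quiet
          echo "Images pulled OK"

      - name: Validate compose config is well-formed
        run: docker compose -f docker/docker-compose.lan.yml config -q

      - name: Verify test script syntax
        run: bash -n tests/labs/test-lab-01-02.sh

      - name: ShellCheck test script
        run: |
          sudo apt-get install -y shellcheck -qq
          shellcheck --severity=error tests/labs/test-lab-01-02.sh

  lab-03-smoke:
    name: Lab 03 — Sudo Rules + HBAC + Password Policy
    runs-on: ubuntu-latest
    needs: validate
    continue-on-error: true
    steps:
      - uses: actions/checkout@v4

      - name: Validate advanced compose (privileged — pull images only)
        run: |
          echo "NOTE: FreeIPA requires privileged mode; full test runs on real VMs"
          docker compose -f docker/docker-compose.advanced.yml pull --quiet
          echo "Images pulled OK"

      # Interpolated validation of a scaffold file; the validate job only checks
      # it with --no-interpolate, so this may fail until the placeholders are filled.
      - name: Validate compose config
        run: docker compose -f docker/docker-compose.advanced.yml config -q

      - name: Verify test script syntax
        run: bash -n tests/labs/test-lab-01-03.sh

      - name: ShellCheck test script
        run: |
          sudo apt-get install -y shellcheck -qq
          shellcheck --severity=error tests/labs/test-lab-01-03.sh

  lab-04-smoke:
    name: Lab 04 — Keycloak LDAP Federation (syntax check only)
    runs-on: ubuntu-latest
    needs: validate
    continue-on-error: true
    steps:
      - uses: actions/checkout@v4

      - name: Validate SSO compose (pull images only — FreeIPA is privileged)
        run: |
          echo "NOTE: FreeIPA Lab 04 requires privileged + full IPA init (~5min); runs on real VMs"
          docker compose -f docker/docker-compose.sso.yml pull --quiet
          echo "Images pulled OK"

      # Same scaffold caveat as lab-03: validate checks this file with --no-interpolate only.
      - name: Validate compose config
        run: docker compose -f docker/docker-compose.sso.yml config -q

      - name: Verify test script syntax
        run: bash -n tests/labs/test-lab-01-04.sh

      - name: ShellCheck test script
        run: |
          sudo apt-get install -y shellcheck -qq
          shellcheck --severity=error tests/labs/test-lab-01-04.sh

  lab-05-smoke:
    name: Lab 05 -- FreeIPA+KC+PG+Redis integration + FreePBX service account (INT-11 syntax check only)
    runs-on: ubuntu-latest
    needs: validate
    continue-on-error: true
    steps:
      - uses: actions/checkout@v4

      - name: Validate integration compose (pull images -- FreeIPA is privileged)
        run: |
          echo "NOTE: FreeIPA Lab 05 requires privileged + full IPA init (~5min); runs on real VMs"
          docker compose -f docker/docker-compose.integration.yml pull --quiet
          echo "Images pulled OK"

      - name: Validate compose config
        run: docker compose -f docker/docker-compose.integration.yml config -q

      - name: Verify test script syntax
        run: bash -n tests/labs/test-lab-01-05.sh

      - name: ShellCheck test script
        run: |
          sudo apt-get install -y shellcheck -qq
          shellcheck --severity=error tests/labs/test-lab-01-05.sh

  lab-06-smoke:
    name: Lab 06 — FreeIPA Production HA (privileged — syntax check only)
    runs-on: ubuntu-latest
    needs: validate
    continue-on-error: true
    steps:
      - uses: actions/checkout@v4

      - name: Validate production compose (pull images — FreeIPA is privileged)
        run: |
          echo "NOTE: FreeIPA Lab 06 requires privileged + full IPA init (~5min); runs on real VMs"
          docker compose -f docker/docker-compose.production.yml pull --quiet
          echo "Images pulled OK"

      - name: Validate compose config
        run: docker compose -f docker/docker-compose.production.yml config -q

      - name: Verify test script syntax
        run: bash -n tests/labs/test-lab-01-06.sh

      - name: ShellCheck test script
        run: |
          sudo apt-get install -y shellcheck -qq
          shellcheck --severity=error tests/labs/test-lab-01-06.sh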