Update CI setup

Updates CI to test out sanity on both 2.18 and 2.19 now that devel has been bumped to a new version. Include the new sanity ignore file for 2.19 and fix up the cert generation for the LDAPS CA certificate.
ansible-collections · Oct 30, 2024 · 1523806 · 1523806
1 parent 2a2ebe7
commit 1523806
Show file tree

Hide file tree

Showing 3 changed files with 76 additions and 55 deletions.
diff --git a/.azure-pipelines/azure-pipelines.yml b/.azure-pipelines/azure-pipelines.yml
@@ -78,6 +78,20 @@ stages:
               test: units
             - name: Lint
               test: lint
+  - stage: Ansible_2_18
+    displayName: Ansible 2.18
+    dependsOn:
+      - Dependencies
+    jobs:
+      - template: templates/matrix.yml
+        parameters:
+          nameFormat: "{0}"
+          testFormat: "2.18/{0}"
+          targets:
+            - name: Sanity
+              test: sanity
+            - name: Units
+              test: units
   - stage: Ansible_2_17
     displayName: Ansible 2.17
     dependsOn:
@@ -146,6 +160,7 @@ stages:
     condition: succeededOrFailed()
     dependsOn:
       - Ansible_devel
+      - Ansible_2_18
       - Ansible_2_17
       - Ansible_2_16
       - Ansible_2_15

diff --git a/tests/integration/targets/inventory_ldap/roles/setup_certificate/files/generate_cert.sh b/tests/integration/targets/inventory_ldap/roles/setup_certificate/files/generate_cert.sh
@@ -5,65 +5,18 @@ set -o pipefail -eux
 TARGET="${1}"
 PASSWORD="${2}"
 
-generate () {
-    NAME="${1}"
-    SUBJECT="${2}"
-    KEY="${3}"
-    CA_NAME="${4}"
-    CA_OPTIONS=("-CA" "${CA_NAME}.pem" "-CAkey" "${CA_NAME}.key" "-CAcreateserial")
-
-    cat > openssl.conf << EOL
+echo "Generating CA certificate"
+cat > openssl.conf << EOL
 distinguished_name = req_distinguished_name
 
 [req_distinguished_name]
-
-[req]
-basicConstraints = CA:FALSE
-keyUsage = digitalSignature,keyEncipherment
-extendedKeyUsage = serverAuth
-subjectAltName = DNS:${SUBJECT}
+[v3_ca]
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true
+keyUsage = critical, keyCertSign
 EOL
 
-    echo "Generating ${NAME} signed cert"
-    openssl req \
-        -new \
-        "-${KEY}" \
-        -subj "/CN=${SUBJECT}" \
-        -newkey rsa:2048 \
-        -keyout "${NAME}.key" \
-        -out "${NAME}.csr" \
-        -config openssl.conf \
-        -reqexts req \
-        -passin pass:"${PASSWORD}" \
-        -passout pass:"${PASSWORD}"
-
-    openssl x509 \
-        -req \
-        -in "${NAME}.csr" \
-        "-${KEY}" \
-        -out "${NAME}.pem" \
-        -days 365 \
-        -extfile openssl.conf \
-        -extensions req \
-        -passin pass:"${PASSWORD}" \
-        "${CA_OPTIONS[@]}"
-
-    # PBE-SHA1-3DES/nomac is used for compatibility with Server 2016 and older
-    openssl pkcs12 \
-        -export \
-        -out "${NAME}.pfx" \
-        -inkey "${NAME}.key" \
-        -in "${NAME}.pem" \
-        -keypbe PBE-SHA1-3DES \
-        -certpbe PBE-SHA1-3DES \
-        -nomac \
-        -passin pass:"${PASSWORD}" \
-        -passout pass:"${PASSWORD}"
-
-    rm openssl.conf
-}
-
-echo "Generating CA certificate"
 openssl genrsa \
     -aes256 \
     -out ca.key \
@@ -74,9 +27,62 @@ openssl req \
     -x509 \
     -days 365 \
     -key ca.key \
+    -config openssl.conf \
+    -extensions v3_ca \
     -out ca.pem \
     -subj "/CN=microsoft.ad root" \
     -passin pass:"${PASSWORD}"
 
 echo "Generating ${TARGET} LDAPS certificate"
-generate ldaps "${TARGET}" sha256 ca
+cat > openssl.conf << EOL
+distinguished_name = req_distinguished_name
+
+[req_distinguished_name]
+
+[req]
+basicConstraints = CA:FALSE
+keyUsage = digitalSignature,keyEncipherment
+extendedKeyUsage = serverAuth
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+subjectAltName = DNS:${TARGET}
+EOL
+
+openssl req \
+    -new \
+    -sha256 \
+    -subj "/CN=${TARGET}" \
+    -newkey rsa:2048 \
+    -keyout "ldaps.key" \
+    -out "ldaps.csr" \
+    -passin pass:"${PASSWORD}" \
+    -passout pass:"${PASSWORD}"
+
+openssl x509 \
+    -req \
+    -in "ldaps.csr" \
+    -sha256 \
+    -out "ldaps.pem" \
+    -days 365 \
+    -extfile openssl.conf \
+    -extensions req \
+    -passin pass:"${PASSWORD}" \
+    -CA "ca.pem" \
+    -CAkey "ca.key" \
+    -CAcreateserial
+
+# PBE-SHA1-3DES/nomac is used for compatibility with Server 2016 and older
+openssl pkcs12 \
+    -export \
+    -out "ldaps.pfx" \
+    -inkey "ldaps.key" \
+    -in "ldaps.pem" \
+    -keypbe PBE-SHA1-3DES \
+    -certpbe PBE-SHA1-3DES \
+    -nomac \
+    -passin pass:"${PASSWORD}" \
+    -passout pass:"${PASSWORD}"
+
+rm ca.srl
+rm ldaps.csr
+rm openssl.conf
diff --git a/tests/sanity/ignore-2.19.txt b/tests/sanity/ignore-2.19.txt