From 9fa592d2fb002f7cd62b762a0a3aab29e1c3e01d Mon Sep 17 00:00:00 2001 From: Lars Wirzenius Date: Tue, 24 Apr 2018 14:21:48 +0300 Subject: Change: support building from non-master branch of ick --- ci-vars.yml | 4 +++- group_vars/ick.yml | 2 ++ roles/apt_repository/files/process-incoming | 5 +++-- roles/ick-artifact-store/tasks/main.yml | 2 +- roles/ick-controller/tasks/main.yml | 2 +- roles/ick-worker/defaults/main.yml | 7 +++++++ roles/ick-worker/tasks/main.yml | 2 +- roles/ick-worker/templates/worker_manager.yaml.j2 | 1 + roles/letsencrypt/defaults/main.yml | 3 +++ roles/letsencrypt/tasks/main.yml | 17 +++++++++++++++++ test-ick | 19 +++++++++++++------ 11 files changed, 52 insertions(+), 12 deletions(-) create mode 100644 roles/ick-worker/defaults/main.yml diff --git a/ci-vars.yml b/ci-vars.yml index c03a44c..8472110 100644 --- a/ci-vars.yml +++ b/ci-vars.yml @@ -1,6 +1,8 @@ +letsencrypt: no +verify_tls: no sources_lists: - repo: "deb http://code.liw.fi/debian stretch main" keyring_package: code.liw.fi-keyring signing_key: "{{ code_liw_fi_signing_key }}" - - repo: "deb http://ci-prod-apt.vm.liw.fi/debian unstable-ci main" + - repo: "deb http://ci-prod-apt.vm.liw.fi/debian {{ ci_dist }} main" signing_key: "{{ ci_prod_apt_signing_key }}" diff --git a/group_vars/ick.yml b/group_vars/ick.yml index f277ce3..90544bc 100644 --- a/group_vars/ick.yml +++ b/group_vars/ick.yml @@ -33,3 +33,5 @@ apt_signing_key_pub: "{{ lookup('pipe', 'pass show ick2/apt_key.pub') }}" apt_signing_key_fingerprint: | {{ lookup('pipe', 'pass show ick2/apt_key.pub | gpg --with-colons | grep "^fpr:" | cut -d: -f10') }} apt_admin_email: liw@liw.fi + +ick_prefix: "" diff --git a/roles/apt_repository/files/process-incoming b/roles/apt_repository/files/process-incoming index 1ae7ff7..ebb3952 100644 --- a/roles/apt_repository/files/process-incoming +++ b/roles/apt_repository/files/process-incoming 
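Review bot: `verify_tls: no` and `letsencrypt: no` at the top of ci-vars.yml have no comment saying they are meant for throwaway CI clusters only. test-ick loads this file with `-e @ci-vars.yml`, and extra vars override any inventory or role setting, so applying the file to another cluster silently turns certificate checking off there. I would add a comment above the two lines, such as `# CI test clusters only: self-signed certificates, so TLS verification is disabled`. Separately, `{{ ci_dist }}` in the second `repo:` entry has no fallback visible in this patch; `{{ ci_dist | default('unstable-ci') }}` would keep the previous behaviour when the variable is not passed.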
@@ -2,5 +2,6 @@ # sleep for a few seconds so that dput has time to chmod the uploaded # file. -sleep 3 -reprepro -b /srv/apt processincoming default +sleep 10 +reprepro -b /srv/apt processincoming default >> /srv/apt/reprepro.log + diff --git a/roles/ick-artifact-store/tasks/main.yml b/roles/ick-artifact-store/tasks/main.yml index c0d15a9..dd9e858 100644 --- a/roles/ick-artifact-store/tasks/main.yml +++ b/roles/ick-artifact-store/tasks/main.yml @@ -2,7 +2,7 @@ apt: name: "{{ item }}" with_items: - - ick2 + - "{{ ick_prefix }}ick2" - name: create config dirs file: diff --git a/roles/ick-controller/tasks/main.yml b/roles/ick-controller/tasks/main.yml index 8c8cf6f..bbcae08 100644 --- a/roles/ick-controller/tasks/main.yml +++ b/roles/ick-controller/tasks/main.yml @@ -2,7 +2,7 @@ apt: name: "{{ item }}" with_items: - - ick2 + - "{{ ick_prefix }}ick2" - curl - psmisc - less diff --git a/roles/ick-worker/defaults/main.yml b/roles/ick-worker/defaults/main.yml new file mode 100644 index 0000000..32a3e70 --- /dev/null +++ b/roles/ick-worker/defaults/main.yml @@ -0,0 +1,7 @@ +# Should worker manager be configured to check the TLS certificate of +# the APIs it uses? Default to yes, but if installed from CI builds, +# for testing, Let's Encrypt might not be suitable, due to limits, and +# it's necessary to use self-signed certificates, and thus it's better +# to not check certificates in that situation. + +verify_tls: yes diff --git a/roles/ick-worker/tasks/main.yml b/roles/ick-worker/tasks/main.yml index b9b351d..0e1dec4 100644 --- a/roles/ick-worker/tasks/main.yml +++ b/roles/ick-worker/tasks/main.yml @@ -2,7 +2,7 @@ apt: name: "{{ item }}" with_items: - - ick2 + - "{{ ick_prefix }}ick2" - debootstrap - jq - less diff --git a/roles/ick-worker/templates/worker_manager.yaml.j2 b/roles/ick-worker/templates/worker_manager.yaml.j2 index 11c08b2..fd1bec2 100644 --- a/roles/ick-worker/templates/worker_manager.yaml.j2 +++ b/roles/ick-worker/templates/worker_manager.yaml.j2 
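Review bot: The redirect added to the reprepro line appends only stdout to /srv/apt/reprepro.log, so anything reprepro reports on stderr (presumably where its errors go) from a failed `processincoming` run is not recorded. `reprepro -b /srv/apt processincoming default >> /srv/apt/reprepro.log 2>&1` would capture both streams. The log also sits under the repository base directory and is never rotated here; if /srv/apt is served over HTTP (not visible in this patch) the log is published with it, so a path under /var/log may be a better home. The script starts above this hunk.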
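Review bot: The package name `"{{ ick_prefix }}ick2"` depends on a variable whose only definition in this patch is `ick_prefix: ""` in group_vars/ick.yml, so a host outside that group fails the apt task with an undefined variable unless the caller passes `-e ick_prefix=...`. The same applies to the identical change in roles/ick-controller/tasks/main.yml and roles/ick-worker/tasks/main.yml. Either write `"{{ ick_prefix | default('') }}ick2"` or add `ick_prefix: ""` to each role's defaults/main.yml. A comment next to the definition should say what the prefix selects, since it decides which package from the CI repository gets installed.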
@@ -7,3 +7,4 @@ config: log-max: 10M log-keep: 10 workspace: /var/lib/ick/workspace + verify-tls: {{ verify_tls }} diff --git a/roles/letsencrypt/defaults/main.yml b/roles/letsencrypt/defaults/main.yml index 5f8c438..ce1a2d3 100644 --- a/roles/letsencrypt/defaults/main.yml +++ b/roles/letsencrypt/defaults/main.yml @@ -1,3 +1,6 @@ +# Enable letsencrypt? +letsencrypt: yes + # Specify a properly configured and functional domain name letsencrypt_domain: FIXME diff --git a/roles/letsencrypt/tasks/main.yml b/roles/letsencrypt/tasks/main.yml index 5606b60..b7d0df0 100644 --- a/roles/letsencrypt/tasks/main.yml +++ b/roles/letsencrypt/tasks/main.yml @@ -14,22 +14,36 @@ owner: root group: root mode: 0755 + when: letsencrypt - name: install certbot apt: name: certbot default_release: stretch-backports + when: letsencrypt - name: install haproxy apt: name: haproxy +- name: install ssl-cert + apt: + name: ssl-cert + when: not letsencrypt + - name: stop haproxy ignore_errors: true systemd: name: haproxy state: stopped +- name: install snakeoil certificate for haproxy + shell: | + cat /etc/ssl/certs/ssl-cert-snakeoil.pem \ + /etc/ssl/private/ssl-cert-snakeoil.key \ + > /etc/haproxy/haproxy.pem + when: not letsencrypt + - name: fetch new certificate command: > certbot certonly @@ -38,9 +52,11 @@ --domain "{{ letsencrypt_domain }}" --email "{{ letsencrypt_email }}" --agree-tos + when: letsencrypt - name: install new cert for haproxy command: /usr/local/sbin/deploy_certs_haproxy + when: letsencrypt - name: start haproxy ignore_errors: true @@ -60,3 +76,4 @@ --quiet --pre-hook "systemctl stop haproxy" --post-hook "/usr/local/sbin/deploy_certs_haproxy && systemctl start haproxy" + when: letsencrypt diff --git a/test-ick b/test-ick index c7b89ec..3b46451 100755 --- a/test-ick +++ b/test-ick 
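Review bot: The new line `verify-tls: {{ verify_tls }}` writes the variable into the worker manager config without normalising it, so the result depends on how the value was supplied: a YAML boolean renders as `True`/`False`, while a `-e verify_tls=...` key=value override renders as the raw string. For a security toggle it is safer to fail closed and emit a canonical boolean, e.g. `verify-tls: {{ 'false' if (verify_tls | string | lower) in ['false', 'no', 'off', '0'] else 'true' }}`. A plain `| bool` filter is not a substitute, because it maps any unrecognised string to false, which here would mean verification off.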
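Review bot: The new "install snakeoil certificate for haproxy" task builds /etc/haproxy/haproxy.pem with a shell redirect, so the file that now holds the private key from /etc/ssl/private/ssl-cert-snakeoil.key is created with the default umask and is most likely world-readable. The task also reports "changed" on every run, since `shell` has no `creates:` or checksum guard. I would follow it with a `file:` task that pins owner, group and mode, as below; haproxy normally reads the bundle as root at start-up, but confirm that for this setup. The `mode: 0755` on the context line above would also be safer quoted as `"0755"`.

```yaml
# … unchanged: "install snakeoil certificate for haproxy" shell task …

- name: restrict permissions on haproxy certificate bundle
  file:
    path: /etc/haproxy/haproxy.pem
    owner: root
    group: root
    mode: "0600"
  when: not letsencrypt
```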
@@ -30,19 +30,26 @@ set -eu run_ansible="$1" +ci_dist="$2" +prefix="$3" ansible="$HOME/code/ick/ick2-ansible" rules="$HOME/code/ick/liw-ci" -controller="https://ickdev-controller.vm.liw.fi" +controller="https://ickdev2-controller.vm.liw.fi" + +tool() +{ + "$HOME/code/ick/ick2/icktool" -c "$controller" --no-verify-tls "$@" +} build_status() { - icktool -c "$controller" status | awk -v "p=$1" '$1 == p { print $5 }' + tool status | awk -v "p=$1" '$1 == p { print $5 }' } current_log() { - icktool -c "$controller" status | awk -v "p=$1" '$1 == p { print $7 }' + tool status | awk -v "p=$1" '$1 == p { print $7 }' } wait_for_build_to_start() @@ -91,7 +98,7 @@ build() local log="$(current_log "$project")" echo "Triggering $project" - icktool -c "$controller" trigger "$project" + tool trigger "$project" wait_for_build_to_start "$project" "$log" wait_for_build_to_finish "$project" } @@ -100,10 +107,10 @@ build() if [ "$run_ansible" = yes ] then cd "$ansible" - ./run-cluster.sh hosts.ickdev -e @ci-vars.yml + ./run-cluster.sh hosts.ickdev -e "ick_prefix=$prefix" -e "ci_dist=$ci_dist" -e @ci-vars.yml fi -icktool -c "$controller" make-it-so < "${rules}/ickdev.yaml" +tool make-it-so < "${rules}/ickdev.yaml" build ick_stretch build ick2 -- cgit v1.2.1
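Review bot: `tool()` passes `--no-verify-tls` on every icktool call, so the script never validates the controller's certificate, even against a cluster deployed with `letsencrypt: yes`. Whatever credentials icktool sends (not visible here) then go to an endpoint whose identity is unchecked. Consider gating the flag on a script variable that is set only for self-signed test clusters, e.g. `"$HOME/code/ick/ick2/icktool" -c "$controller" ${no_verify_tls:+--no-verify-tls} "$@"`. Also, under `set -eu` the new `ci_dist="$2"` and `prefix="$3"` abort with a bare unbound-variable error when an argument is missing; `ci_dist="${2:?usage: test-ick RUN_ANSIBLE CI_DIST PREFIX}"` would give a usable message. test-ick continues outside these hunks.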