autonomic-bot
41ede13042
Per operator-2026-05-28 SSO-dep plan (plan-sso-dep-testing.md). Substantial orchestrator
restructuring:
NEW LIFECYCLE ORDER:
1. Recipe deploy ALONE (no deps).
2. install / upgrade / backup / restore — recipe-only generic tiers.
3. setup_custom_tests step (NEW):
a. Deploy each declared dep + provision realm/client/test-user via harness.sso.
b. Write $CCCI_DEPS_FILE in dict shape {dep_recipe: {domain, realm, client_id, client_secret,
admin_user, admin_password, discovery_url, token_url, ...}}.
c. Run tests/<recipe>/setup_custom_tests.sh hook (jq-readable; wires OIDC env via abra
secret insert + .env edits + in-place 'abra app deploy --force --chaos').
4. CUSTOM tier with deps-ready flag; @pytest.mark.requires_deps tests skip with
'deps-not-ready: <reason>' when setup_custom_tests fails. NON-deps custom tests still run
normally — FAILURE ISOLATION (a DoD item per plan).
5. Teardown: recipe first, deps in reverse declaration order.
Harness changes:
- runner/run_recipe_ci.py: deps deploy moves from BEFORE recipe deploy to AFTER restore tier.
Adds _enrich_deps_with_sso() + _run_setup_custom_tests_hook(). DG4.1 generalised to
'one abra app new per app' (recipe + each dep); in-place redeploys (\--force) don't count.
- runner/harness/deps.py: write_run_state + load_run_state accept dict OR list shape;
deps_as_dict() coerces either to a recipe→entry map.
- runner/harness/sso.py: admin_password_inside() public re-export.
- tests/conftest.py: deps_creds fixture (full creds dict); deps_apps fixture flattens to
recipe→domain string. pytest_collection_modifyitems hook skips
\@pytest.mark.requires_deps tests when CCCI_DEPS_READY=0.
pytest_configure registers the marker.
Recipe content:
- tests/lasuite-docs/setup_custom_tests.sh: NEW hook reads $CCCI_DEPS_FILE via jq;
inserts oidc_rpcs secret at BUMPED version (v1→v2) since abra app new -S generates v1 first
and Swarm forbids overwriting; updates SECRET_OIDC_RPCS_VERSION in .env; writes 9 OIDC env
vars (REALM/DISCOVERY/AUTH/TOKEN/USERINFO/LOGOUT/JWKS/CLIENT_ID/SCOPES); ensures trailing
newline on .env so writes don't concatenate (caught a 'TIMEOUT=900OIDC_REALM=...' bug);
triggers in-place 'abra app deploy --force --chaos --no-input'.
- tests/lasuite-docs/functional/test_oidc_with_keycloak.py: refactored to consume deps_creds
fixture (no longer calls setup_keycloak_realm itself — the orchestrator does it in
setup_custom_tests). Marked \@pytest.mark.requires_deps.
Cold-verifiable on cc-ci (log /root/ccci-refactor-lasuite-r5.log):
RECIPE=lasuite-docs STAGES=install,custom cc-ci-run runner/run_recipe_ci.py
install: PASS, custom: 3 PASS incl. test_oidc_password_grant_against_dep_keycloak.
deploy-count = 2 (expect 2) — DG4.1 generalised holds.
Smoke regression: RECIPE=custom-html STAGES=install,custom → 5 PASS, deploy-count=1.
Closes DEFERRED.md #5 (lasuite-docs OIDC parity ports via this plan).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
156 lines
6.4 KiB
Python
156 lines
6.4 KiB
Python
"""Shared pytest fixtures for recipe CI (plan §4.3).
|
|
|
|
A run is parameterized by env: RECIPE, REF (PR head sha), PR, SRC (head repo). The harness
|
|
computes a unique app domain per run so concurrent runs never collide, and GUARANTEES teardown
|
|
(undeploy + volume + secret removal) via a finalizer, even on failure.
|
|
"""
|
|
|
|
from __future__ import annotations
|
|
|
|
import os
|
|
import sys
|
|
|
|
import pytest
|
|
|
|
sys.path.insert(0, os.path.join(os.path.dirname(__file__), "..", "runner"))
|
|
from harness import deps as deps_mod, lifecycle, naming # noqa: E402
|
|
|
|
|
|
def _short(s: str, n: int = 8) -> str:
|
|
return "".join(c for c in s if c.isalnum())[:n] or "local"
|
|
|
|
|
|
def _recipe_meta(recipe: str) -> dict:
|
|
"""Optional per-recipe config so enrolling a recipe needs NO shared-harness change (D5).
|
|
A recipe may ship tests/<recipe>/recipe_meta.py with any of: HEALTH_PATH (str),
|
|
HEALTH_OK (tuple of status codes), DEPLOY_TIMEOUT (int), HTTP_TIMEOUT (int)."""
|
|
path = os.path.join(os.path.dirname(__file__), recipe, "recipe_meta.py")
|
|
meta = {
|
|
"HEALTH_PATH": "/",
|
|
"HEALTH_OK": (200, 301, 302),
|
|
"DEPLOY_TIMEOUT": 600,
|
|
"HTTP_TIMEOUT": 300,
|
|
}
|
|
if os.path.exists(path):
|
|
ns: dict = {}
|
|
with open(path) as fh:
|
|
exec(compile(fh.read(), path, "exec"), ns) # noqa: S102 (trusted, in-repo)
|
|
for k in meta:
|
|
if k in ns:
|
|
meta[k] = ns[k]
|
|
return meta
|
|
|
|
|
|
@pytest.fixture(scope="session")
|
|
def recipe() -> str:
|
|
return os.environ.get("RECIPE", "custom-html")
|
|
|
|
|
|
@pytest.fixture(scope="session")
|
|
def app_domain(recipe) -> str:
|
|
# Docker swarm config/secret names = <stackname>_<res>_<ver> must be <= 64 chars, and
|
|
# stackname is the sanitized domain. ".ci.commoninternet.net" alone is 22 chars, so the
|
|
# subdomain label must stay short. Use <recipe[:4]>-<6hex(recipe|pr|ref)> — unique per run,
|
|
# collision-safe across recipes (full recipe in the hash), readable context lives in the
|
|
# Drone build params + PR comment. (Deviation from plan §4.0 long name; see DECISIONS.md.)
|
|
return naming.app_domain(recipe, os.environ.get("PR", "0"), os.environ.get("REF"))
|
|
|
|
|
|
@pytest.fixture(scope="session")
|
|
def meta(recipe) -> dict:
|
|
return _recipe_meta(recipe)
|
|
|
|
|
|
@pytest.fixture(scope="session")
|
|
def live_app() -> str:
|
|
"""Phase 1d shared-deployment contract: the orchestrator deploys ONCE and runs each tier
|
|
(generic or overlay) as its own pytest invocation against that single live deployment, passing
|
|
its domain in CCCI_APP_DOMAIN. Tiers are assertion-only (and lifecycle ops mutate in place) —
|
|
they NEVER deploy or tear down. This guarantees one deploy + one teardown per run (DG4.1)."""
|
|
domain = os.environ.get("CCCI_APP_DOMAIN")
|
|
assert domain, "CCCI_APP_DOMAIN not set — a tier must run under the deploy-once orchestrator"
|
|
return domain
|
|
|
|
|
|
@pytest.fixture(scope="session")
|
|
def deps_apps() -> dict[str, str]:
|
|
"""Phase 2 Q2.3 dependency-resolver contract (refined operator-2026-05-28 SSO-dep plan §1):
|
|
when a recipe declares `DEPS = [...]` in its `recipe_meta.py`, the orchestrator deploys each
|
|
dep AFTER the generic tiers (between RESTORE and CUSTOM) and persists their per-run identity
|
|
+ SSO creds to `$CCCI_DEPS_FILE`. Tests access the dep's per-run domain via this fixture.
|
|
For full SSO creds (realm/client/secret/admin) use the `deps_creds` fixture instead.
|
|
|
|
Returns `{dep_recipe: domain}` (str→str). Empty when no deps declared OR deps-not-ready."""
|
|
state = deps_mod.deps_as_dict(deps_mod.load_run_state())
|
|
return {r: e["domain"] for r, e in state.items() if e.get("domain")}
|
|
|
|
|
|
@pytest.fixture(scope="session")
|
|
def deps_creds() -> dict[str, dict]:
|
|
"""Full SSO-creds dict for each declared dep (operator-2026-05-28 SSO-dep plan §1).
|
|
`deps_creds["keycloak"]` returns the entry written by setup_custom_tests with keys
|
|
domain/realm/client_id/client_secret/user/password/email/admin_user/admin_password/
|
|
discovery_url/token_url/.... Use this in `@pytest.mark.requires_deps` tests that need to
|
|
authenticate via OIDC."""
|
|
return deps_mod.deps_as_dict(deps_mod.load_run_state())
|
|
|
|
|
|
def pytest_collection_modifyitems(config, items):
|
|
"""SSO-dep plan §4: tests marked `@pytest.mark.requires_deps` are skipped with reason
|
|
`deps-not-ready: <captured-err>` when the orchestrator's setup_custom_tests step failed
|
|
(orchestrator sets CCCI_DEPS_READY=0 in env). Non-deps custom tests are unaffected.
|
|
|
|
This is failure-isolation per plan §1 — generic tiers cannot break the SSO-marked tests'
|
|
skip status, and an SSO-setup failure cannot break the generic tiers (they run first)."""
|
|
deps_ready_env = os.environ.get("CCCI_DEPS_READY", "1")
|
|
if deps_ready_env == "1":
|
|
return
|
|
reason = os.environ.get("CCCI_DEPS_NOT_READY_REASON", "(no reason given)")
|
|
skip_mark = pytest.mark.skip(reason=f"deps-not-ready: {reason}")
|
|
for item in items:
|
|
if "requires_deps" in item.keywords:
|
|
item.add_marker(skip_mark)
|
|
|
|
|
|
def pytest_configure(config):
|
|
"""Register the `requires_deps` marker so pytest doesn't warn about it."""
|
|
config.addinivalue_line(
|
|
"markers",
|
|
"requires_deps: test requires DEPS-declared services + setup_custom_tests success.",
|
|
)
|
|
|
|
|
|
def _wait_healthy(domain, meta):
|
|
lifecycle.wait_healthy(
|
|
domain,
|
|
ok_codes=tuple(meta["HEALTH_OK"]),
|
|
path=meta["HEALTH_PATH"],
|
|
deploy_timeout=meta["DEPLOY_TIMEOUT"],
|
|
http_timeout=meta["HTTP_TIMEOUT"],
|
|
)
|
|
|
|
|
|
@pytest.fixture
|
|
def deployed(recipe, app_domain, meta, request):
|
|
"""Function-scoped: deploy the current/$REF version healthy, guaranteed teardown after.
|
|
Used by stages that start from current (install/backup)."""
|
|
version = os.environ.get("VERSION") or None
|
|
lifecycle.janitor()
|
|
request.addfinalizer(lambda: lifecycle.teardown_app(app_domain))
|
|
lifecycle.deploy_app(recipe, app_domain, version=version)
|
|
_wait_healthy(app_domain, meta)
|
|
return app_domain
|
|
|
|
|
|
@pytest.fixture(scope="session")
|
|
def deployed_app(recipe, app_domain, meta):
|
|
"""Install stage: deploy the recipe and wait until healthy; tear down at session end."""
|
|
version = os.environ.get("VERSION") or None
|
|
lifecycle.janitor() # sweep orphans from crashed runs first
|
|
try:
|
|
lifecycle.deploy_app(recipe, app_domain, version=version, secrets=True)
|
|
_wait_healthy(app_domain, meta)
|
|
yield app_domain
|
|
finally:
|
|
lifecycle.teardown_app(app_domain)
|