patch

LukasAud · LukasAud · commit dcee86754f39 · 2025-09-29T15:21:05.000+01:00
diff --git a/.github/workflows/integration_test.yml b/.github/workflows/integration_test.yml
@@ -115,7 +115,7 @@ jobs:
     - name: Classify PE Master with pe_repo::platform (via RBAC token)
       env:
         BOLT_GEM: "1"
-        # Optional: override if your plan uses a different admin password
+        # If your install plan sets a different admin password, override here:
         PE_ADMIN_PASSWORD: "Puppetlabs123!"
       shell: bash
       run: |
@@ -124,44 +124,69 @@ jobs:
         if [[ -z "$MASTER" ]]; then echo "Empty master target"; exit 1; fi
 
         # Map matrix platform -> PE platform tag -> class suffix
-        INPUT="${{ matrix.platform }}"           # ubuntu-2204-lts
+        INPUT="${{ matrix.platform }}"           # e.g. ubuntu-2204-lts
         OS="${INPUT%%-*}"                        # ubuntu
         VER="${INPUT#*-}" ; VER="${VER%-lts}"    # 2204
         TAG="${OS}-${VER:0:2}.${VER:2:2}-amd64"  # ubuntu-22.04-amd64
         SUFFIX="${TAG//-/_}" ; SUFFIX="${SUFFIX//./}"   # ubuntu_2204_amd64
         CLASS="pe_repo::platform::${SUFFIX}"
-        echo "Classifying master with: ${CLASS} for tag ${TAG}"
+        echo "Classifying master with: ${CLASS} (platform tag: ${TAG})"
 
+        # Run remotely under Bash so we can use pipefail and here-strings
         bundle exec bolt command run "/bin/bash -lc '
           set -euo pipefail
           export PATH=/opt/puppetlabs/bin:/opt/puppetlabs/puppet/bin:\$PATH
+          CACERT=\$(/opt/puppetlabs/bin/puppet config print localcacert)
 
-          # Obtain/refresh an RBAC token (retry a few times while services settle)
+          # Acquire RBAC token via API (retry while services come up)
+          LOGIN_PAYLOAD=\$(ruby -e \"puts({login: \\\"admin\\\", password: \\\"${PE_ADMIN_PASSWORD}\\\", lifetime: \\\"30m\\\"}.to_json)\")
           for i in {1..10}; do
-            if /opt/puppetlabs/bin/puppet-access show >/dev/null 2>&1; then
-              break
-            fi
-            /opt/puppetlabs/bin/puppet-access login \
-              --lifetime 30m \
-              -u admin -p \"${PE_ADMIN_PASSWORD}\" && break || sleep 6
+            RESP=\$(curl -sS --fail-with-body --cacert \"\$CACERT\" \
+              -H \"Content-Type: application/json\" \
+              -d \"\$LOGIN_PAYLOAD\" \
+              https://localhost:4433/rbac-api/v1/auth/token) || true
+            TOKEN=\$(ruby -rjson -e \"j=STDIN.read; puts(JSON.parse(j)[\\\"token\\\"] rescue '')\" <<< \"\$RESP\")
+            [[ -n \"\$TOKEN\" ]] && break
+            echo \"Waiting for RBAC to issue token... (\$i/10)\" >&2
+            sleep 6
           done
-          TOKEN=\$(/opt/puppetlabs/bin/puppet-access show || true)
           if [[ -z \"\$TOKEN\" ]]; then
-            echo \"Failed to obtain RBAC token\" >&2
+            echo \"Failed to obtain RBAC token; last response:\" >&2
+            echo \"\$RESP\" >&2
             exit 1
           fi
-
-          # Fetch PE Master group id
-          GROUPS=\$(curl -sS -k -H \"X-Authentication: \$TOKEN\" https://localhost:4433/classifier-api/v1/groups)
-          ID=\$(ruby -rjson -e \"g=JSON.parse(STDIN.read); pe=g.find{|x| x['name']=='PE Master'} or abort('PE Master group not found'); puts pe['id']\" <<< \"\$GROUPS\")
-
-          # Merge class into group
-          CURR=\$(curl -sS -k -H \"X-Authentication: \$TOKEN\" https://localhost:4433/classifier-api/v1/groups/\$ID)
-          UPDATED=\$(CLASS=\"${CLASS}\" ruby -rjson -e \"g=JSON.parse(STDIN.read); g['classes']||={}; g['classes'][ENV['CLASS']]||={}; puts({'id'=>g['id'],'classes'=>g['classes']}.to_json)\" <<< \"\$CURR\")
-          curl -sS -k -X POST -H \"X-Authentication: \$TOKEN\" -H 'Content-Type: application/json' \
-               -d \"\$UPDATED\" https://localhost:4433/classifier-api/v1/groups/\$ID >/dev/null
+          echo \"RBAC token acquired\"
+
+          # Find the PE Master group id
+          GROUPS=\$(curl -sS --fail-with-body --cacert \"\$CACERT\" \
+            -H \"X-Authentication: \$TOKEN\" \
+            https://localhost:4433/classifier-api/v1/groups)
+          ID=\$(
+            ruby -rjson -e \"g=JSON.parse(STDIN.read); pe=g.find{|x| x['name']=='PE Master'} or abort('PE Master group not found'); puts pe['id']\" \
+              <<< \"\$GROUPS\"
+          )
+          echo \"PE Master group id: \$ID\"
+
+          # Merge the platform class into the group's classes
+          CURR=\$(curl -sS --fail-with-body --cacert \"\$CACERT\" \
+            -H \"X-Authentication: \$TOKEN\" \
+            https://localhost:4433/classifier-api/v1/groups/\$ID)
+          UPDATED=\$(
+            CLASS=\"${CLASS}\" ruby -rjson -e \"g=JSON.parse(STDIN.read); g['classes']||={}; g['classes'][ENV['CLASS']]||={}; print({id: g['id'], classes: g['classes']}.to_json)\" \
+              <<< \"\$CURR\"
+          )
+
+          # POST the partial update (merge) back to the group
+          curl -sS --fail-with-body --cacert \"\$CACERT\" \
+            -H \"X-Authentication: \$TOKEN\" \
+            -H \"Content-Type: application/json\" \
+            -X POST -d \"\$UPDATED\" \
+            https://localhost:4433/classifier-api/v1/groups/\$ID >/dev/null
+
+          echo \"Class ${CLASS} merged into PE Master group\"
         '" -i spec/fixtures/litmus_inventory.yaml --targets "$MASTER"
 
+
     # 3) Converge master again so pe_repo materializes platform content
     - name: Converge PE master (stabilize services & pe_repo)
       env:
