(puppetlabsGH-1535) Create container infrastructure for WinRM testing

This creates a Windows container in the Github Actions Windows testing
environment to run WinRM and windows-based tests against. This allows us
to test actual WinRM connections rather than having the GH Action
environment connect to itself.

Additionally, it removes unnecessary steps from our GH Action workflows,
as Docker and docker-compose are already installed in GH Action
environments.

Author: lucywyman

.github/workflows/linux.yaml

@@ -38,12 +38,10 @@ jobs:
         run: bundle install --jobs 4 --retry 3
       - name: Pre-test setup
         run: |
-          sudo curl -L https://github.com/docker/compose/releases/download/1.23.0/docker-compose-`uname -s`-`uname -m` -o /usr/local/bin/docker-compose
-          sudo chmod +x /usr/local/bin/docker-compose
           echo 'runner:runner' | sudo chpasswd
           sudo sh -c "echo 'Defaults authenticate' >> /etc/sudoers"
           sudo sh -c "echo 'runner  ALL=(ALL) PASSWD:ALL' >> /etc/sudoers"
-          docker-compose -f spec/docker-compose.yml build --parallel ubuntu_node puppet_5_node puppet_6_node
+          docker-compose -f spec/docker-compose.yml build ubuntu_node puppet_5_node puppet_6_node
           docker-compose -f spec/docker-compose.yml up -d ubuntu_node puppet_5_node puppet_6_node
           bundle exec r10k puppetfile install
       - name: Run tests with minimal container infrastructure
@@ -74,9 +72,7 @@ jobs:
         run: bundle install --jobs 4 --retry 3
       - name: Pre-test setup
         run: |
-          sudo curl -L https://github.com/docker/compose/releases/download/1.23.0/docker-compose-`uname -s`-`uname -m` -o /usr/local/bin/docker-compose
-          sudo chmod +x /usr/local/bin/docker-compose
-          docker-compose -f spec/docker-compose.yml build --parallel
+          docker-compose -f spec/docker-compose.yml build
           docker-compose -f spec/docker-compose.yml up -d
           bundle exec r10k puppetfile install
       - name: Run tests with expensive containers

.github/workflows/windows.yaml

@@ -55,6 +55,8 @@ jobs:
       - name: Pre-test setup
         shell: powershell
         run: |
+          docker-compose -f spec\docker-compose-windev.yml build
+          docker-compose -f spec\docker-compose-windev.yml up -d
           . scripts\ci.ps1
           Set-ActiveRubyFromPuppet
       - name: Run tests
@@ -97,7 +99,10 @@ jobs:
         run: bundle exec r10k puppetfile install
       - name: Pre-test setup
         shell: powershell
-        run: '& scripts\ci.ps1'
+        run: |
+          docker-compose -f spec\docker-compose-windev.yml build
+          docker-compose -f spec\docker-compose-windev.yml up -d
+          . scripts\ci.ps1
       - name: Run tests
         shell: powershell
         run: bundle exec rake windows_ci

scripts/ci.ps1

@@ -71,24 +71,24 @@ function Install-Certificate($path, $password)
   return (Import-PfxCertificate @importArgs)
 }
 
-function Grant-WinRMHttpsAccess($certThumbprint)
-{
-  $winRMArgs = @{
-    ResourceURI = 'winrm/config/Listener'
-    SelectorSet = @{ Address = '*'; Transport = 'HTTPS'; }
-    ValueSet    = @{ Hostname = 'boltserver'; CertificateThumbprint = $certThumbprint }
-  }
-  $instance = Set-WSManInstance @winRMArgs
-  Write-Information ($instance | Format-List | Out-String)
-}
-
-function Set-WinRMHostConfiguration
-{
-  # configure WinRM to use cert.pfx for SSL
-  $cert = Install-Certificate -Path 'spec/fixtures/ssl/cert.pfx' -Password 'bolt'
-  Write-Information ($cert | Format-List | Out-String)
-  Grant-WinRMHttpsAccess -CertThumbprint $cert.Thumbprint
-}
+#function Grant-WinRMHttpsAccess($certThumbprint)
+#{
+#  $winRMArgs = @{
+#    ResourceURI = 'winrm/config/Listener'
+#    SelectorSet = @{ Address = '*'; Transport = 'HTTPS'; }
+#    ValueSet    = @{ Hostname = 'boltserver'; CertificateThumbprint = $certThumbprint }
+#  }
+#  $instance = Set-WSManInstance @winRMArgs
+#  Write-Information ($instance | Format-List | Out-String)
+#}
+
+#function Set-WinRMHostConfiguration
+#{
+#  # configure WinRM to use cert.pfx for SSL
+#  $cert = Install-Certificate -Path 'spec/fixtures/ssl/cert.pfx' -Password 'bolt'
+#  Write-Information ($cert | Format-List | Out-String)
+#  Grant-WinRMHttpsAccess -CertThumbprint $cert.Thumbprint
+#}
 
 function Invoke-ScriptBlockWithRetry([ScriptBlock]$script, $failMessage, $successMessage, $retries = 15, $timeout = 1)
 {
@@ -112,28 +112,28 @@ function Invoke-ScriptBlockWithRetry([ScriptBlock]$script, $failMessage, $succes
 
 }
 
-function Test-WinRMConfiguration($userName, $password, $retries = 15, $timeout = 1)
-{
-  $retryArgs = @{
-    FailMessage    = 'Failed to establish WinRM connection over SSL'
-    SuccessMessage = "Successfully established WinRM connection with $userName"
-    Retries        = $retries
-    Timeout        = $timeout
-    Script         = {
-      $pass = ConvertTo-SecureString $password -AsPlainText -Force
-      $sessionArgs = @{
-        ComputerName = 'localhost'
-        Credential   = New-Object System.Management.Automation.PSCredential ($userName, $pass)
-        UseSSL       = $true
-        SessionOption = New-PSSessionOption -SkipRevocationCheck -SkipCACheck
-      }
-
-      if (New-PSSession @sessionArgs) { return $true }
-    }
-  }
-
-  Invoke-ScriptBlockWithRetry @retryArgs
-}
+#function Test-WinRMConfiguration($userName, $password, $retries = 15, $timeout = 1)
+#{
+#  $retryArgs = @{
+#    FailMessage    = 'Failed to establish WinRM connection over SSL'
+#    SuccessMessage = "Successfully established WinRM connection with $userName"
+#    Retries        = $retries
+#    Timeout        = $timeout
+#    Script         = {
+#      $pass = ConvertTo-SecureString $password -AsPlainText -Force
+#      $sessionArgs = @{
+#        ComputerName = 'localhost'
+#        Credential   = New-Object System.Management.Automation.PSCredential ($userName, $pass)
+#        UseSSL       = $true
+#        SessionOption = New-PSSessionOption -SkipRevocationCheck -SkipCACheck
+#      }
+#
+#      if (New-PSSession @sessionArgs) { return $true }
+#    }
+#  }
+#
+#  Invoke-ScriptBlockWithRetry @retryArgs
+#}
 
 # Ensure Puppet Ruby 5 / 6 takes precedence over system Ruby
 function Set-ActiveRubyFromPuppet
@@ -151,8 +151,8 @@ function Set-ActiveRubyFromPuppet
 $Pass = New-RandomPassword
 $User = @{ UserName = $ENV:BOLT_WINRM_USER; Password = $Pass }
 New-LocalAdmin @User
-Enable-PSRemoting
-Set-WSManQuickConfig -Force
-Set-WinRMHostConfiguration
-Test-WinRMConfiguration @User | Out-Null
-Write-Output "::set-env name=BOLT_WINRM_PASSWORD::$pass"
+#Enable-PSRemoting
+#Set-WSManQuickConfig -Force
+#Set-WinRMHostConfiguration
+#Test-WinRMConfiguration @User | Out-Null
+#Write-Output "::set-env name=BOLT_WINRM_PASSWORD::$pass"

spec/Dockerfile.windev

@@ -0,0 +1,6 @@
+FROM mcr.microsoft.com/windows/servercore:ltsc2019
+
+ADD fixtures/ssl/cert.pfx C:\cert.pfx
+ADD fixtures/scripts/windev/setup.ps1 C:\setup.ps1
+RUN powershell C:\setup.ps1
+# TODO: Remove file? Do we care?

spec/docker-compose-windev.yml

@@ -0,0 +1,11 @@
+version: "3"
+services:
+  windows_node:
+    build:
+      context: .
+      dockerfile: Dockerfile.windev
+    image: windows_node
+    ports:
+      - "25985:5985"
+      - "2455:455"
+    container_name: windows_node

spec/fixtures/scripts/windev/setup.ps1

@@ -0,0 +1,14 @@
+# add the bolt user account
+($user = New-LocalUser -Name bolt -Password (ConvertTo-SecureString -String bolt -Force -AsPlainText)) | Format-List
+# add the bolt user to the 'Remote Management Users' group
+Add-LocalGroupMember -Group 'Remote Management Users' -Member $user
+Add-LocalGroupMember -Group 'Administrators' -Member $user
+
+# import the certificate to be used for the winrm-ssl
+($cert = Import-PfxCertificate -FilePath C:\\cert.pfx -CertStoreLocation cert:\\LocalMachine\\My -Password (ConvertTo-SecureString -String bolt -Force -AsPlainText)) | Format-List
+
+# add the winrm-ssl listener
+New-WSManInstance -ResourceURI winrm/config/Listener -SelectorSet @{Address='*';Transport='HTTPS'} -ValueSet @{Hostname='boltserver';CertificateThumbprint=$cert.Thumbprint} | Format-List
+
+# add a firewall rule allowing access to the winrm-ssl port (TCP port 5986)
+New-NetFirewallRule -DisplayName 'Windows Remote Management (HTTPS-In)' -Direction Inbound -Protocol TCP -LocalPort 5986 -Action Allow | Format-List