loading...

Test a Million Supported Systems with Molecule + GitHub Actions Matrix

artis3n profile image Ari Kalfus ・3 min read

From a comment on the announcement article:

For this contest, you'll only be able to submit projects that you started after this announcement post was published.

Well, I guess I am disqualified. But, leaving this post up as a resource for anyone that may like it.

My Workflow

I am a big fan of Tailscale for a Wireguard VPN mesh. Some months ago, someone requested that Tailscale support an Ansible Galaxy role to set up a Tailscale node. I saw the help wanted tag and knew what I must do.

However, Tailscale supports a large number of operating systems, and I wanted my Tailscale Ansible role to support everything that Tailscale supports. I needed a CI workflow that would test all those systems in parallel whenever I created a new PR.

I still have a few operating systems to add support for (dreading Windows and OSX for the CI difficulties they present), but I currently run tests against 10 operating systems in parallel using a GitHub Action workflow to spawn dynamic Action jobs that each run Molecule against a single system. This leverages a GitHub Action matrix.

Submission Category:

Maintainer Must-Haves

Yaml File or Link to Code

GitHub logo artis3n / ansible-role-tailscale

Ansible role to install and enable a Tailscale node.

artis3n.tailscale

GitHub Workflow Status (branch) GitHub release (latest SemVer including pre-releases) GitHub last commit GitHub GitHub followers Twitter Follow

This role initializes a Tailscale node.

Find supported operating systems on this role's Ansible Galaxy page.

Requirements

You must supply a tailscale_auth_key variable, which can be generated under your Tailscale account at https://login.tailscale.com/admin/authkeys.

Role Variables

tailscale_auth_key

Required

An ansible-vault encrypted variable containing a Tailscale Node Authorization auth key.

A Node Authorization auth key can be generated under your Tailscale account at https://login.tailscale.com/admin/authkeys.

Encrypt this variable with the following command:

ansible-vault encrypt_string --vault-id tailscale@.ci-vault-pass '[AUTH KEY VALUE HERE]' --name 'tailscale_auth_key'

See Ansible's documentation for an explanation of the ansible-vault encrypt_string command syntax.

release_stability

Default: stable

Whether to use the Tailscale stable or unstable track.

stable:

Stable releases. If you're not sure which track to use, pick this one.

unstable:

The bleeding edge. Pushed early and often. Expect rough edges!

tailscale_args

Pass any additional command-line arguments to tailscale up.

Note…

The Ansible role can be found on Ansible Galaxy here.

The key for this GitHub Action matrix workflow to work is the following setup in my molecule.yml file:

platforms:
  - name: instance
    image: ${MOLECULE_DISTRO:-geerlingguy/docker-centos7-ansible:latest}

From there, I can set up which systems to run Molecule against with a matrix:

jobs:
  molecule:
    runs-on: ubuntu-latest

    strategy:
      matrix:
        distros:
          - geerlingguy/docker-centos7-ansible:latest
          - geerlingguy/docker-centos8-ansible:latest
          - geerlingguy/docker-amazonlinux2-ansible:latest
          - geerlingguy/docker-ubuntu2004-ansible:latest
          - geerlingguy/docker-ubuntu1804-ansible:latest
          - geerlingguy/docker-ubuntu1604-ansible:latest
          - geerlingguy/docker-debian10-ansible:latest
          - geerlingguy/docker-debian9-ansible:latest
          - geerlingguy/docker-fedora31-ansible:latest
          - artis3n/docker-arch-ansible:latest
      fail-fast: false

    steps:

Important! - You don't want to forget fail-fast: false.
This stops the action workflow from stopping whenever a single job fails. We want each spawned job to run in isolation from the others, so we can independently see which systems are good and which have issues.

Then, we just need a single job definition that uses the distro matrix variable. GitHub Actions will automatically spawn a job for each item in the matrix.

- name: Molecule
        run: echo "${{ secrets.VAULT_PASS }}" > /home/runner/work/_temp/.vault-ci-pass && ANSIBLE_VAULT_PASSWORD_FILE=/home/runner/work/_temp/.vault-ci-pass pipenv run molecule test
        env:
          MOLECULE_DISTRO: "${{ matrix.distros }}"

This spawns a job for each matrix distribution:

Actions workflow 10 spawned jobs

Additional Resources / Info

Posted on by:

artis3n profile

Ari Kalfus

@artis3n

Penetration tester and security engineer. @artis3n

Discussion

pic
Editor guide