From 9b3f8f826f13080b38c183a75a872807c9bb7852 Mon Sep 17 00:00:00 2001
From: sjat
Date: Wed, 17 Jun 2026 16:11:02 +0200
Subject: [PATCH] test(base): molecule coverage for the mesh concern (manage-off no-op)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Converge enables mesh with base__mesh_manage:false (+ dummy key) so the include path runs hermetically; verify asserts netbird is not installed — proving the concern is a clean no-op when the live actions are gated off. Existing firewall/ ssh/fail2ban assertions unaffected.
Co-Authored-By: Claude Opus 4.8 (1M context)
---
 roles/base/molecule/default/converge.yml | 5 +++++
 roles/base/molecule/default/verify.yml | 13 +++++++++++++
 2 files changed, 18 insertions(+)

diff --git a/roles/base/molecule/default/converge.yml b/roles/base/molecule/default/converge.yml
index 66c9ebe..59a1284 100644
--- a/roles/base/molecule/default/converge.yml
+++ b/roles/base/molecule/default/converge.yml
@@ -6,6 +6,11 @@
 vars:
 base__firewall_apply: false
 base__firewall_control_addr: 10.10.0.99 # test control-node LAN address
+ # Exercise the mesh concern's include path with the live actions gated off, so it
+ # runs hermetically (no coordinator/key needed) and must be a clean no-op.
+ base__mesh_enabled: true
+ base__mesh_manage: false
+ base__mesh_setup_key: "dummy-molecule-key"
 firewall_zones:
 lan: 10.30.0.0/24
 srv: 10.20.0.0/24
diff --git a/roles/base/molecule/default/verify.yml b/roles/base/molecule/default/verify.yml
index 1b1fa30..d1e0551 100644
--- a/roles/base/molecule/default/verify.yml
+++ b/roles/base/molecule/default/verify.yml
@@ -57,3 +57,16 @@
 - name: Fail2ban sshd jail configured
 ansible.builtin.command: grep -q '^\[sshd\]' /etc/fail2ban/jail.d/sshd.local
 changed_when: false
+
+ # mesh concern: enabled but manage=false must be a clean no-op (no install/enrol)
+ - name: Check whether netbird got installed
+ ansible.builtin.command: which netbird
+ register: _nb
+ changed_when: false
+ failed_when: false
+ - name: Assert mesh manage=false installed nothing
+ ansible.builtin.assert:
+ that:
+ - _nb.rc != 0
+ fail_msg: "netbird must not be installed when base__mesh_manage is false"
+ success_msg: "mesh concern is a clean no-op under manage=false"
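Review bot: The `which netbird` probe in the added check can pass vacuously: with `failed_when: false`, a test image that lacks the `which` binary (or any other failure of the command itself) would also leave `_nb.rc` non-zero, so the assert reports a clean no-op without having looked for netbird. Using the shell builtin removes that dependency, e.g. `ansible.builtin.shell: command -v netbird`. The comment promises "no install/enrol", but only a PATH lookup is asserted, so a binary installed outside PATH, a registered service or leftover enrolment state would not be caught. Either narrow the comment to what is checked or add a package/service assertion, for example via `ansible.builtin.package_facts` and `ansible.builtin.service_facts`.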