# Copyright (c) HashiCorp, Inc. # SPDX-License-Identifier: MPL-2.0 --- version: 2.1 parameters: commit: type: string default: "" description: "Commit to run load tests against" references: paths: test-results: &TEST_RESULTS_DIR /tmp/test-results environment: &ENVIRONMENT TEST_RESULTS_DIR: *TEST_RESULTS_DIR EMAIL: noreply@hashicorp.com GIT_AUTHOR_NAME: circleci-consul GIT_COMMITTER_NAME: circleci-consul S3_ARTIFACT_BUCKET: consul-dev-artifacts-v2 BASH_ENV: .circleci/bash_env.sh GO_VERSION: 1.20.1 envoy-versions: &supported_envoy_versions - &default_envoy_version "1.22.7" - "1.23.4" - "1.24.2" - "1.25.1" nomad-versions: &supported_nomad_versions - &default_nomad_version "1.3.3" - "1.2.10" - "1.1.16" vault-versions: &supported_vault_versions - &default_vault_version "1.12.2" - "1.11.6" - "1.10.9" - "1.9.10" consul-versions: &consul_versions - "1.14" - "1.15" images: # When updating the Go version, remember to also update the versions in the # workflows section for go-test-lib jobs. go: &GOLANG_IMAGE docker.mirror.hashicorp.services/cimg/go:1.20.1 ember: &EMBER_IMAGE docker.mirror.hashicorp.services/circleci/node:16-browsers ubuntu: &UBUNTU_CI_IMAGE ubuntu-2004:202201-02 cache: yarn: &YARN_CACHE_KEY consul-ui-v9-{{ checksum "ui/yarn.lock" }} steps: install-gotestsum: &install-gotestsum name: install gotestsum environment: GOTESTSUM_RELEASE: 1.9.0 command: | ARCH=`uname -m` if [[ "$ARCH" == "aarch64" ]]; then ARCH="arm64" else ARCH="amd64" fi url=https://github.com/gotestyourself/gotestsum/releases/download curl -sSL "${url}/v${GOTESTSUM_RELEASE}/gotestsum_${GOTESTSUM_RELEASE}_linux_${ARCH}.tar.gz" | \ sudo tar -xz --overwrite -C /usr/local/bin gotestsum get-aws-cli: &get-aws-cli run: name: download and install AWS CLI command: | curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip" echo -e "${AWS_CLI_GPG_KEY}" | gpg --import curl -o awscliv2.sig https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip.sig gpg --verify awscliv2.sig awscliv2.zip unzip awscliv2.zip sudo ./aws/install # This step MUST be at the end of any set of steps due to the 'when' condition notify-slack-failure: ¬ify-slack-failure name: notify-slack-failure when: on_fail command: | if [[ $CIRCLE_BRANCH == "main" ]]; then CIRCLE_ENDPOINT="https://app.circleci.com/pipelines/github/${CIRCLE_PROJECT_USERNAME}/${CIRCLE_PROJECT_REPONAME}?branch=${CIRCLE_BRANCH}" GITHUB_ENDPOINT="https://github.com/${CIRCLE_PROJECT_USERNAME}/${CIRCLE_PROJECT_REPONAME}/commit/${CIRCLE_SHA1}" COMMIT_MESSAGE=$(git log -1 --pretty=%B | head -n1) SHORT_REF=$(git rev-parse --short "${CIRCLE_SHA1}") curl -X POST -H 'Content-type: application/json' \ --data \ "{ \ \"attachments\": [ \ { \ \"fallback\": \"CircleCI job failed!\", \ \"text\": \"❌ Failed: \`${CIRCLE_USERNAME}\`'s <${CIRCLE_BUILD_URL}|${CIRCLE_STAGE}> job failed for commit <${GITHUB_ENDPOINT}|${SHORT_REF}> on \`${CIRCLE_BRANCH}\`!\n\n- <${COMMIT_MESSAGE}\", \ \"footer\": \"${CIRCLE_PROJECT_USERNAME}/${CIRCLE_PROJECT_REPONAME}\", \ \"ts\": \"$(date +%s)\", \ \"color\": \"danger\" \ } \ ] \ }" "${FEED_CONSUL_GH_URL}" else echo "Not posting slack failure notifications for non-main branch" fi commands: assume-role: description: "Assume role to an ARN" parameters: access-key: type: env_var_name default: AWS_ACCESS_KEY_ID secret-key: type: env_var_name default: AWS_SECRET_ACCESS_KEY role-arn: type: env_var_name default: ROLE_ARN steps: # Only run the assume-role command for the main repo. The AWS credentials aren't available for forks. - run: | if [[ "${CIRCLE_BRANCH%%/*}/" != "pull/" ]]; then export AWS_ACCESS_KEY_ID="${<< parameters.access-key >>}" export AWS_SECRET_ACCESS_KEY="${<< parameters.secret-key >>}" export ROLE_ARN="${<< parameters.role-arn >>}" # assume role has duration of 15 min (the minimum allowed) CREDENTIALS="$(aws sts assume-role --duration-seconds 900 --role-arn ${ROLE_ARN} --role-session-name build-${CIRCLE_SHA1} | jq '.Credentials')" echo "export AWS_ACCESS_KEY_ID=$(echo $CREDENTIALS | jq -r '.AccessKeyId')" >> $BASH_ENV echo "export AWS_SECRET_ACCESS_KEY=$(echo $CREDENTIALS | jq -r '.SecretAccessKey')" >> $BASH_ENV echo "export AWS_SESSION_TOKEN=$(echo $CREDENTIALS | jq -r '.SessionToken')" >> $BASH_ENV fi run-go-test-full: parameters: go_test_flags: type: string default: "" steps: - attach_workspace: at: /home/circleci/go/bin - run: go mod download - run: name: go test command: | mkdir -p $TEST_RESULTS_DIR /tmp/jsonfile PACKAGE_NAMES=$(go list -tags "$GOTAGS" ./... | circleci tests split --split-by=timings --timings-type=classname) echo "Running $(echo $PACKAGE_NAMES | wc -w) packages" echo $PACKAGE_NAMES # some tests expect this umask, and arm images have a different default umask 0022 << parameters.go_test_flags >> gotestsum \ --format=short-verbose \ --jsonfile /tmp/jsonfile/go-test-${CIRCLE_NODE_INDEX}.log \ --debug \ --rerun-fails=3 \ --rerun-fails-max-failures=40 \ --rerun-fails-report=/tmp/gotestsum-rerun-fails \ --packages="$PACKAGE_NAMES" \ --junitfile $TEST_RESULTS_DIR/gotestsum-report.xml -- \ -tags="$GOTAGS" -p 2 \ ${GO_TEST_FLAGS-} \ -cover -coverprofile=coverage.txt - store_test_results: path: *TEST_RESULTS_DIR - store_artifacts: path: *TEST_RESULTS_DIR - store_artifacts: path: /tmp/jsonfile - run: &rerun-fails-report name: "Re-run fails report" command: | .circleci/scripts/rerun-fails-report.sh /tmp/gotestsum-rerun-fails - run: *notify-slack-failure jobs: check-go-mod: docker: - image: *GOLANG_IMAGE environment: <<: *ENVIRONMENT steps: - checkout - run: go mod tidy - run: | if [[ -n $(git status -s) ]]; then echo "Git directory has changes" git status -s exit 1 fi - run: *notify-slack-failure # build is a templated job for build-x build-distros: &build-distros docker: - image: *GOLANG_IMAGE resource_class: large environment: &build-env <<: *ENVIRONMENT steps: - checkout - run: name: Build command: | for os in $XC_OS; do target="./pkg/bin/${GOOS}_${GOARCH}/" GOOS="$os" CGO_ENABLED=0 go build -o "${target}" -ldflags "${GOLDFLAGS}" -tags "${GOTAGS}" done # save dev build to CircleCI - store_artifacts: path: ./pkg/bin - run: *notify-slack-failure # create a development build dev-build: docker: - image: *GOLANG_IMAGE resource_class: large environment: <<: *ENVIRONMENT steps: - checkout - attach_workspace: # this normally runs as the first job and has nothing to attach; only used in main branch after rebuilding UI at: . - run: name: Build command: | make dev mkdir -p /home/circleci/go/bin cp ./bin/consul /home/circleci/go/bin/consul # save dev build to pass to downstream jobs - persist_to_workspace: root: /home/circleci/go/bin paths: - consul - run: *notify-slack-failure # upload development build to s3 dev-upload-s3: docker: - image: *GOLANG_IMAGE environment: <<: *ENVIRONMENT steps: - checkout - *get-aws-cli - assume-role: access-key: AWS_ACCESS_KEY_ID_S3_UPLOAD secret-key: AWS_SECRET_ACCESS_KEY_S3_UPLOAD role-arn: ROLE_ARN_S3_UPLOAD # get consul binary - attach_workspace: at: bin/ - run: name: package binary command: zip -j consul.zip bin/consul - run: name: Upload to s3 command: | if [ -n "${S3_ARTIFACT_PATH}" ]; then aws s3 cp \ --metadata "CIRCLECI=${CIRCLECI},CIRCLE_BUILD_URL=${CIRCLE_BUILD_URL},CIRCLE_BRANCH=${CIRCLE_BRANCH}" \ "consul.zip" "s3://${S3_ARTIFACT_BUCKET}/${S3_ARTIFACT_PATH}/${CIRCLE_SHA1}.zip" --acl public-read else echo "CircleCI - S3_ARTIFACT_PATH was not set" exit 1 fi - run: *notify-slack-failure # upload dev docker image dev-upload-docker: docker: - image: *GOLANG_IMAGE # use a circleci image so the attach_workspace step works (has ca-certs installed) environment: <<: *ENVIRONMENT steps: - checkout # get consul binary - attach_workspace: at: bin/ - setup_remote_docker - run: make ci.dev-docker - run: *notify-slack-failure nomad-integration-test: &NOMAD_TESTS docker: - image: docker.mirror.hashicorp.services/cimg/go:1.20 parameters: nomad-version: type: enum enum: *supported_nomad_versions default: *default_nomad_version environment: <<: *ENVIRONMENT NOMAD_WORKING_DIR: &NOMAD_WORKING_DIR /home/circleci/go/src/github.com/hashicorp/nomad NOMAD_VERSION: << parameters.nomad-version >> steps: &NOMAD_INTEGRATION_TEST_STEPS - run: git clone https://github.com/hashicorp/nomad.git --branch v${NOMAD_VERSION} ${NOMAD_WORKING_DIR} # get consul binary - attach_workspace: at: /home/circleci/go/bin # make dev build of nomad - run: command: make pkg/linux_amd64/nomad working_directory: *NOMAD_WORKING_DIR - run: *install-gotestsum # run integration tests - run: name: go test command: | mkdir -p $TEST_RESULTS_DIR gotestsum \ --format=short-verbose \ --junitfile $TEST_RESULTS_DIR/results.xml -- \ ./command/agent/consul -run TestConsul working_directory: *NOMAD_WORKING_DIR # store test results for CircleCI - store_test_results: path: *TEST_RESULTS_DIR - store_artifacts: path: *TEST_RESULTS_DIR - run: *notify-slack-failure compatibility-integration-test: machine: image: *UBUNTU_CI_IMAGE docker_layer_caching: true parallelism: 1 steps: - checkout # Get go binary from workspace - attach_workspace: at: . # Build the consul:local image from the already built binary - run: command: | sudo rm -rf /usr/local/go wget https://dl.google.com/go/go${GO_VERSION}.linux-amd64.tar.gz sudo tar -C /usr/local -xzvf go${GO_VERSION}.linux-amd64.tar.gz environment: <<: *ENVIRONMENT - run: *install-gotestsum - run: docker build -t consul:local -f ./build-support/docker/Consul-Dev.dockerfile . - run: name: Compatibility Integration Tests command: | mkdir -p /tmp/test-results/ cd ./test/integration/consul-container docker run --rm consul:local consul version gotestsum \ --raw-command \ --format=short-verbose \ --debug \ --rerun-fails=3 \ --packages="./..." \ -- \ go test \ -p=4 \ -timeout=30m \ -json \ `go list ./... | grep -v upgrade` \ --target-image consul \ --target-version local \ --latest-image consul \ --latest-version latest ls -lrt environment: # this is needed because of incompatibility between RYUK container and circleci GOTESTSUM_JUNITFILE: /tmp/test-results/results.xml GOTESTSUM_FORMAT: standard-verbose COMPOSE_INTERACTIVE_NO_CLI: 1 # tput complains if this isn't set to something. TERM: ansi - store_test_results: path: *TEST_RESULTS_DIR - store_artifacts: path: *TEST_RESULTS_DIR - run: *notify-slack-failure upgrade-integration-test: machine: image: *UBUNTU_CI_IMAGE docker_layer_caching: true parallelism: 3 resource_class: large parameters: consul-version: type: enum enum: *consul_versions environment: CONSUL_VERSION: << parameters.consul-version >> steps: - checkout # Get go binary from workspace - attach_workspace: at: . # Build the consul:local image from the already built binary - run: command: | sudo rm -rf /usr/local/go wget https://dl.google.com/go/go${GO_VERSION}.linux-amd64.tar.gz sudo tar -C /usr/local -xzvf go${GO_VERSION}.linux-amd64.tar.gz environment: <<: *ENVIRONMENT - run: *install-gotestsum - run: docker build -t consul:local -f ./build-support/docker/Consul-Dev.dockerfile . - run: name: Upgrade Integration Tests command: | mkdir -p /tmp/test-results/ cd ./test/integration/consul-container docker run --rm consul:local consul version gotestsum \ --raw-command \ --format=short-verbose \ --debug \ --rerun-fails=3 \ --packages="./..." \ -- \ go test \ -p=4 \ -tags "${GOTAGS}" \ -timeout=30m \ -json \ ./.../upgrade/ \ --target-image consul \ --target-version local \ --latest-image consul \ --latest-version $CONSUL_VERSION ls -lrt environment: # this is needed because of incompatibility between RYUK container and circleci GOTESTSUM_JUNITFILE: /tmp/test-results/results.xml GOTESTSUM_FORMAT: standard-verbose COMPOSE_INTERACTIVE_NO_CLI: 1 # tput complains if this isn't set to something. TERM: ansi - store_test_results: path: *TEST_RESULTS_DIR - store_artifacts: path: *TEST_RESULTS_DIR - run: *notify-slack-failure envoy-integration-test: &ENVOY_TESTS machine: image: *UBUNTU_CI_IMAGE parallelism: 4 resource_class: medium parameters: envoy-version: type: enum enum: *supported_envoy_versions default: *default_envoy_version xds-target: type: enum enum: ["server", "client"] default: "server" environment: ENVOY_VERSION: << parameters.envoy-version >> XDS_TARGET: << parameters.xds-target >> AWS_LAMBDA_REGION: us-west-2 steps: &ENVOY_INTEGRATION_TEST_STEPS - checkout - assume-role: access-key: AWS_ACCESS_KEY_ID_LAMBDA secret-key: AWS_SECRET_ACCESS_KEY_LAMBDA role-arn: ROLE_ARN_LAMBDA # Get go binary from workspace - attach_workspace: at: . - run: *install-gotestsum # Build the consul:local image from the already built binary - run: docker build -t consul:local -f ./build-support/docker/Consul-Dev.dockerfile . - run: name: Envoy Integration Tests command: | subtests=$(ls -d test/integration/connect/envoy/*/ | xargs -n 1 basename | circleci tests split) echo "Running $(echo $subtests | wc -w) subtests" echo "$subtests" subtests_pipe_sepr=$(echo "$subtests" | xargs | sed 's/ /|/g') mkdir -p /tmp/test-results/ gotestsum -- -timeout=30m -tags integration ./test/integration/connect/envoy -run="TestEnvoy/($subtests_pipe_sepr)" environment: GOTESTSUM_JUNITFILE: /tmp/test-results/results.xml GOTESTSUM_FORMAT: standard-verbose COMPOSE_INTERACTIVE_NO_CLI: 1 LAMBDA_TESTS_ENABLED: "true" # tput complains if this isn't set to something. TERM: ansi - store_artifacts: path: ./test/integration/connect/envoy/workdir/logs destination: container-logs - store_test_results: path: *TEST_RESULTS_DIR - store_artifacts: path: *TEST_RESULTS_DIR - run: *notify-slack-failure # run integration tests for the connect ca providers with vault vault-integration-test: docker: - image: *GOLANG_IMAGE parameters: vault-version: type: enum enum: *supported_vault_versions default: *default_vault_version environment: <<: *ENVIRONMENT VAULT_BINARY_VERSION: << parameters.vault-version >> steps: &VAULT_INTEGRATION_TEST_STEPS - run: name: Install vault command: | wget -q -O /tmp/vault.zip https://releases.hashicorp.com/vault/${VAULT_BINARY_VERSION}/vault_${VAULT_BINARY_VERSION}_linux_amd64.zip sudo unzip -d /usr/local/bin /tmp/vault.zip rm -rf /tmp/vault* vault version - checkout - run: go mod download - run: name: go test command: | mkdir -p $TEST_RESULTS_DIR make test-connect-ca-providers - store_test_results: path: *TEST_RESULTS_DIR - run: *notify-slack-failure # The noop job is a used as a very fast job in the verify-ci workflow because every workflow # requires at least one job. It does nothing. noop: docker: - image: docker.mirror.hashicorp.services/alpine:latest steps: - run: "echo ok" workflows: test-integrations: jobs: - dev-build: &filter-ignore-non-go-branches filters: branches: ignore: - stable-website - /^docs\/.*/ - /^ui\/.*/ - /^mktg-.*/ # Digital Team Terraform-generated branches' prefix - /^backport\/docs\/.*/ - /^backport\/ui\/.*/ - /^backport\/mktg-.*/ - dev-upload-s3: &dev-upload requires: - dev-build filters: branches: ignore: - /^pull\/.*$/ # only push dev builds from non forks - main # all main dev uploads will include a UI rebuild in build-distros - dev-upload-docker: <<: *dev-upload context: consul-ci - nomad-integration-test: requires: - dev-build matrix: parameters: nomad-version: *supported_nomad_versions - vault-integration-test: matrix: parameters: vault-version: *supported_vault_versions <<: *filter-ignore-non-go-branches - envoy-integration-test: requires: - dev-build matrix: parameters: envoy-version: *supported_envoy_versions xds-target: ["server", "client"] - compatibility-integration-test: requires: - dev-build - upgrade-integration-test: requires: - dev-build matrix: parameters: consul-version: *consul_versions - noop