[QT-506] Use enos scenario samples for testing (#22641) (#22933)

Replace our prior implementation of Enos test groups with the new Enos
sampling feature. With this feature we're able to describe which
scenarios and variant combinations are valid for a given artifact and
allow enos to create a valid sample field (a matrix of all compatible
scenarios) and take an observation (select some to run) for us. This
ensures that every valid scenario and variant combination will
now be a candidate for testing in the pipeline. See QT-504[0] for further
details on the Enos sampling capabilities.

Our prior implementation only tested the amd64 and arm64 zip artifacts,
as well as the Docker container. We now include the following new artifacts
in the test matrix:
* CE Amd64 Debian package
* CE Amd64 RPM package
* CE Arm64 Debian package
* CE Arm64 RPM package

Each artifact includes a sample definition for both pre-merge/post-merge
(build) and release testing.

Changes:
* Remove the hand crafted `enos-run-matrices` ci matrix targets and replace
  them with per-artifact samples.
* Use enos sampling to generate different sample groups on all pull
  requests.
* Update the enos scenario matrices to handle HSM and FIPS packages.
* Simplify enos scenarios by using shared globals instead of
  cargo-culted locals.

Note: This will require coordination with vault-enterprise to ensure a
smooth migration to the new system. Integrating new scenarios or
modifying existing scenarios/variants should be much smoother after this
initial migration.

[0] https://github.com/hashicorp/enos/pull/102

Signed-off-by: Ryan Cragun <me@ryan.ec>
Co-authored-by: Ryan Cragun <me@ryan.ec>
hc-github-team-secure-vault-core 2023-09-08 15:31:09 -04:00 committed by GitHub
parent f0cfec5bca
commit f52a686b91
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
22 changed files with 602 additions and 688 deletions


@ -1,54 +0,0 @@
{
"include": [
{
"scenario": "smoke backend:raft consul_version:1.14.2 distro:ubuntu seal:shamir arch:amd64 artifact_source:crt edition:oss artifact_type:bundle",
"aws_region": "us-east-1",
"test_group": 3
},
{
"scenario": "smoke backend:raft consul_version:1.13.4 distro:rhel seal:awskms arch:amd64 artifact_source:crt edition:oss artifact_type:bundle",
"aws_region": "us-west-2",
"test_group": 4
},
{
"scenario": "smoke backend:consul consul_version:1.14.2 distro:ubuntu seal:shamir arch:amd64 artifact_source:crt edition:oss artifact_type:bundle",
"aws_region": "us-east-1",
"test_group": 1
},
{
"scenario": "smoke backend:consul consul_version:1.13.4 distro:rhel seal:awskms arch:amd64 artifact_source:crt edition:oss artifact_type:bundle",
"aws_region": "us-west-2",
"test_group": 5
},
{
"scenario": "smoke backend:consul consul_version:1.12.7 distro:ubuntu seal:shamir arch:amd64 artifact_source:crt edition:oss artifact_type:bundle",
"aws_region": "us-east-1",
"test_group": 2
},
{
"scenario": "upgrade backend:raft consul_version:1.14.2 distro:rhel seal:awskms arch:amd64 artifact_source:crt edition:oss artifact_type:bundle",
"aws_region": "us-west-2",
"test_group": 3
},
{
"scenario": "upgrade backend:raft consul_version:1.14.2 distro:ubuntu seal:shamir arch:amd64 artifact_source:crt edition:oss artifact_type:bundle",
"aws_region": "us-east-1",
"test_group": 5
},
{
"scenario": "upgrade backend:consul consul_version:1.14.2 distro:rhel seal:awskms arch:amd64 artifact_source:crt edition:oss artifact_type:bundle",
"aws_region": "us-west-2",
"test_group": 4
},
{
"scenario": "upgrade backend:consul consul_version:1.13.4 distro:ubuntu seal:shamir arch:amd64 artifact_source:crt edition:oss artifact_type:bundle",
"aws_region": "us-east-1",
"test_group": 2
},
{
"scenario": "upgrade backend:consul consul_version:1.12.7 distro:rhel seal:awskms arch:amd64 artifact_source:crt edition:oss artifact_type:bundle",
"aws_region": "us-west-2",
"test_group": 1
}
]
}


@ -1,54 +0,0 @@
{
"include": [
{
"scenario": "smoke backend:raft consul_version:1.13.4 distro:rhel seal:shamir arch:arm64 artifact_source:crt edition:oss artifact_type:bundle",
"aws_region": "us-west-2",
"test_group": 1
},
{
"scenario": "smoke backend:raft consul_version:1.14.2 distro:ubuntu seal:awskms arch:arm64 artifact_source:crt edition:oss artifact_type:bundle",
"aws_region": "us-east-1",
"test_group": 2
},
{
"scenario": "smoke backend:consul consul_version:1.12.7 distro:ubuntu seal:shamir arch:arm64 artifact_source:crt edition:oss artifact_type:bundle",
"aws_region": "us-west-2",
"test_group": 3
},
{
"scenario": "smoke backend:consul consul_version:1.14.2 distro:ubuntu seal:shamir arch:arm64 artifact_source:crt edition:oss artifact_type:bundle",
"aws_region": "us-east-1",
"test_group": 4
},
{
"scenario": "smoke backend:consul consul_version:1.13.4 distro:rhel seal:awskms arch:arm64 artifact_source:crt edition:oss artifact_type:bundle",
"aws_region": "us-west-2",
"test_group": 5
},
{
"scenario": "upgrade backend:raft consul_version:1.14.2 distro:ubuntu seal:shamir arch:arm64 artifact_source:crt edition:oss artifact_type:bundle",
"aws_region": "us-east-1",
"test_group": 1
},
{
"scenario": "upgrade backend:raft consul_version:1.14.2 distro:rhel seal:awskms arch:arm64 artifact_source:crt edition:oss artifact_type:bundle",
"aws_region": "us-west-2",
"test_group": 2
},
{
"scenario": "upgrade backend:consul consul_version:1.12.7 distro:rhel seal:awskms arch:arm64 artifact_source:crt edition:oss artifact_type:bundle",
"aws_region": "us-east-1",
"test_group": 3
},
{
"scenario": "upgrade backend:consul consul_version:1.13.4 distro:ubuntu seal:shamir arch:arm64 artifact_source:crt edition:oss artifact_type:bundle",
"aws_region": "us-west-2",
"test_group": 4
},
{
"scenario": "upgrade backend:consul consul_version:1.14.2 distro:rhel seal:awskms arch:arm64 artifact_source:crt edition:oss artifact_type:bundle",
"aws_region": "us-east-1",
"test_group": 5
}
]
}


@ -1,54 +0,0 @@
{
"include": [
{
"scenario": "smoke backend:raft consul_version:1.14.2 distro:ubuntu seal:shamir arch:amd64 artifact_source:artifactory edition:oss artifact_type:bundle",
"aws_region": "us-east-1",
"test_group": 2
},
{
"scenario": "smoke backend:raft consul_version:1.13.4 distro:rhel seal:awskms arch:amd64 artifact_source:artifactory edition:oss artifact_type:bundle",
"aws_region": "us-west-2",
"test_group": 1
},
{
"scenario": "smoke backend:consul consul_version:1.14.2 distro:ubuntu seal:shamir arch:amd64 artifact_source:artifactory edition:oss artifact_type:bundle",
"aws_region": "us-east-1",
"test_group": 2
},
{
"scenario": "smoke backend:consul consul_version:1.13.4 distro:rhel seal:awskms arch:amd64 artifact_source:artifactory edition:oss artifact_type:bundle",
"aws_region": "us-west-2",
"test_group": 1
},
{
"scenario": "smoke backend:consul consul_version:1.12.7 distro:ubuntu seal:shamir arch:amd64 artifact_source:artifactory edition:oss artifact_type:bundle",
"aws_region": "us-east-1",
"test_group": 2
},
{
"scenario": "upgrade backend:raft consul_version:1.14.2 distro:rhel seal:awskms arch:amd64 artifact_source:artifactory edition:oss artifact_type:bundle",
"aws_region": "us-west-2",
"test_group": 1
},
{
"scenario": "upgrade backend:raft consul_version:1.14.2 distro:ubuntu seal:shamir arch:amd64 artifact_source:artifactory edition:oss artifact_type:bundle",
"aws_region": "us-east-1",
"test_group": 2
},
{
"scenario": "upgrade backend:consul consul_version:1.14.2 distro:rhel seal:awskms arch:amd64 artifact_source:artifactory edition:oss artifact_type:bundle",
"aws_region": "us-west-2",
"test_group": 1
},
{
"scenario": "upgrade backend:consul consul_version:1.13.4 distro:ubuntu seal:shamir arch:amd64 artifact_source:artifactory edition:oss artifact_type:bundle",
"aws_region": "us-east-1",
"test_group": 2
},
{
"scenario": "upgrade backend:consul consul_version:1.12.7 distro:rhel seal:awskms arch:amd64 artifact_source:artifactory edition:oss artifact_type:bundle",
"aws_region": "us-west-2",
"test_group": 1
}
]
}


@ -1,54 +0,0 @@
{
"include": [
{
"scenario": "smoke backend:raft consul_version:1.13.4 distro:rhel seal:shamir arch:amd64 artifact_source:artifactory edition:oss artifact_type:bundle",
"aws_region": "us-west-2",
"test_group": 1
},
{
"scenario": "smoke backend:raft consul_version:1.14.2 distro:ubuntu seal:awskms arch:amd64 artifact_source:artifactory edition:oss artifact_type:bundle",
"aws_region": "us-east-1",
"test_group": 2
},
{
"scenario": "smoke backend:consul consul_version:1.12.7 distro:ubuntu seal:shamir arch:amd64 artifact_source:artifactory edition:oss artifact_type:bundle",
"aws_region": "us-east-1",
"test_group": 1
},
{
"scenario": "smoke backend:consul consul_version:1.14.2 distro:ubuntu seal:shamir arch:amd64 artifact_source:artifactory edition:oss artifact_type:bundle",
"aws_region": "us-east-1",
"test_group": 2
},
{
"scenario": "smoke backend:consul consul_version:1.13.4 distro:rhel seal:awskms arch:amd64 artifact_source:artifactory edition:oss artifact_type:bundle",
"aws_region": "us-west-2",
"test_group": 1
},
{
"scenario": "upgrade backend:raft consul_version:1.14.2 distro:ubuntu seal:shamir arch:amd64 artifact_source:artifactory edition:oss artifact_type:bundle",
"aws_region": "us-east-1",
"test_group": 2
},
{
"scenario": "upgrade backend:raft consul_version:1.14.2 distro:rhel seal:awskms arch:amd64 artifact_source:artifactory edition:oss artifact_type:bundle",
"aws_region": "us-west-2",
"test_group": 1
},
{
"scenario": "upgrade backend:consul consul_version:1.12.7 distro:rhel seal:awskms arch:amd64 artifact_source:artifactory edition:oss artifact_type:bundle",
"aws_region": "us-west-2",
"test_group": 2
},
{
"scenario": "upgrade backend:consul consul_version:1.13.4 distro:ubuntu seal:shamir arch:amd64 artifact_source:artifactory edition:oss artifact_type:bundle",
"aws_region": "us-east-1",
"test_group": 1
},
{
"scenario": "upgrade backend:consul consul_version:1.14.2 distro:rhel seal:awskms arch:amd64 artifact_source:artifactory edition:oss artifact_type:bundle",
"aws_region": "us-west-2",
"test_group": 2
}
]
}


@ -9,9 +9,6 @@ name: build_vault
on: on:
workflow_call: workflow_call:
inputs: inputs:
bundle-path:
required: false
type: string
cgo-enabled: cgo-enabled:
type: string type: string
default: 0 default: 0
@ -35,12 +32,7 @@ on:
web-ui-cache-key: web-ui-cache-key:
type: string type: string
required: true required: true
vault-base-version:
type: string
required: true
vault-prerelease-version:
type: string
required: true
jobs: jobs:
build: build:
runs-on: custom-linux-xl-vault-latest runs-on: custom-linux-xl-vault-latest


@ -34,13 +34,10 @@ jobs:
outputs: outputs:
build-date: ${{ steps.get-metadata.outputs.build-date }} build-date: ${{ steps.get-metadata.outputs.build-date }}
filepath: ${{ steps.generate-metadata-file.outputs.filepath }} filepath: ${{ steps.generate-metadata-file.outputs.filepath }}
matrix-test-group: ${{ steps.get-metadata.outputs.matrix-test-group }}
package-name: ${{ steps.get-metadata.outputs.package-name }} package-name: ${{ steps.get-metadata.outputs.package-name }}
vault-revision: ${{ steps.get-metadata.outputs.vault-revision }} vault-revision: ${{ steps.get-metadata.outputs.vault-revision }}
vault-version: ${{ steps.set-product-version.outputs.product-version }} vault-version: ${{ steps.set-product-version.outputs.product-version }}
vault-base-version: ${{ steps.set-product-version.outputs.base-product-version }} vault-version-package: ${{ steps.get-metadata.outputs.vault-version-package }}
vault-prerelease-version: ${{ steps.set-product-version.outputs.prerelease-product-version }}
vault-minor-version: ${{ steps.set-product-version.outputs.minor-product-version }}
steps: steps:
- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
- name: Ensure Go modules are cached - name: Ensure Go modules are cached
@ -55,17 +52,13 @@ jobs:
- name: Get metadata - name: Get metadata
id: get-metadata id: get-metadata
env: env:
# MATRIX_MAX_TEST_GROUPS is required to determine the randomly selected
# test group. It should be set to the highest test_group used in the
# enos-run-matrices.
MATRIX_MAX_TEST_GROUPS: 5
VAULT_VERSION: ${{ steps.set-product-version.outputs.product-version }} VAULT_VERSION: ${{ steps.set-product-version.outputs.product-version }}
run: | run: |
# shellcheck disable=SC2129 # shellcheck disable=SC2129
echo "build-date=$(make ci-get-date)" >> "$GITHUB_OUTPUT" echo "build-date=$(make ci-get-date)" >> "$GITHUB_OUTPUT"
echo "matrix-test-group=$(make ci-get-matrix-group-id)" >> "$GITHUB_OUTPUT"
echo "package-name=vault" >> "$GITHUB_OUTPUT" echo "package-name=vault" >> "$GITHUB_OUTPUT"
echo "vault-revision=$(make ci-get-revision)" >> "$GITHUB_OUTPUT" echo "vault-revision=$(make ci-get-revision)" >> "$GITHUB_OUTPUT"
echo "vault-version-package=$(make ci-get-version-package)" >> "$GITHUB_OUTPUT"
- uses: hashicorp/actions-generate-metadata@v1 - uses: hashicorp/actions-generate-metadata@v1
id: generate-metadata-file id: generate-metadata-file
with: with:
@ -134,8 +127,6 @@ jobs:
package-name: ${{ needs.product-metadata.outputs.package-name }} package-name: ${{ needs.product-metadata.outputs.package-name }}
web-ui-cache-key: ${{ needs.build-ui.outputs.cache-key }} web-ui-cache-key: ${{ needs.build-ui.outputs.cache-key }}
vault-version: ${{ needs.product-metadata.outputs.vault-version }} vault-version: ${{ needs.product-metadata.outputs.vault-version }}
vault-base-version: ${{ needs.product-metadata.outputs.vault-base-version }}
vault-prerelease-version: ${{ needs.product-metadata.outputs.vault-prerelease-version }}
secrets: inherit secrets: inherit
build-linux: build-linux:
@ -156,8 +147,6 @@ jobs:
package-name: ${{ needs.product-metadata.outputs.package-name }} package-name: ${{ needs.product-metadata.outputs.package-name }}
web-ui-cache-key: ${{ needs.build-ui.outputs.cache-key }} web-ui-cache-key: ${{ needs.build-ui.outputs.cache-key }}
vault-version: ${{ needs.product-metadata.outputs.vault-version }} vault-version: ${{ needs.product-metadata.outputs.vault-version }}
vault-base-version: ${{ needs.product-metadata.outputs.vault-base-version }}
vault-prerelease-version: ${{ needs.product-metadata.outputs.vault-prerelease-version }}
secrets: inherit secrets: inherit
build-darwin: build-darwin:
@ -179,8 +168,6 @@ jobs:
package-name: ${{ needs.product-metadata.outputs.package-name }} package-name: ${{ needs.product-metadata.outputs.package-name }}
web-ui-cache-key: ${{ needs.build-ui.outputs.cache-key }} web-ui-cache-key: ${{ needs.build-ui.outputs.cache-key }}
vault-version: ${{ needs.product-metadata.outputs.vault-version }} vault-version: ${{ needs.product-metadata.outputs.vault-version }}
vault-base-version: ${{ needs.product-metadata.outputs.vault-base-version }}
vault-prerelease-version: ${{ needs.product-metadata.outputs.vault-prerelease-version }}
secrets: inherit secrets: inherit
build-docker: build-docker:
@ -199,7 +186,7 @@ jobs:
- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
- uses: hashicorp/actions-docker-build@v1 - uses: hashicorp/actions-docker-build@v1
with: with:
version: "${{ env.version }}" version: ${{ env.version }}
target: default target: default
arch: ${{ matrix.arch }} arch: ${{ matrix.arch }}
zip_artifact_name: vault_${{ env.version }}_linux_${{ matrix.arch }}.zip zip_artifact_name: vault_${{ env.version }}_linux_${{ matrix.arch }}.zip
@ -227,6 +214,7 @@ jobs:
target: ubi target: ubi
arch: ${{ matrix.arch }} arch: ${{ matrix.arch }}
zip_artifact_name: vault_${{ env.version }}_linux_${{ matrix.arch }}.zip zip_artifact_name: vault_${{ env.version }}_linux_${{ matrix.arch }}.zip
# The redhat_tag differs on CE and ENT editions. Be mindful when resolving merge conflicts.
redhat_tag: quay.io/redhat-isv-containers/5f89bb5e0b94cf64cfeb500a:${{ env.version }}-ubi redhat_tag: quay.io/redhat-isv-containers/5f89bb5e0b94cf64cfeb500a:${{ env.version }}-ubi
test: test:
@ -248,19 +236,25 @@ jobs:
fail-fast: false fail-fast: false
matrix: matrix:
include: include:
- matrix-file-name: build-github-oss-linux-amd64-zip - sample-name: build_oss_linux_amd64_deb
build-artifact-name: vault_${{ needs.product-metadata.outputs.vault-version-package }}-1_amd64.deb
- sample-name: build_oss_linux_arm64_deb
build-artifact-name: vault_${{ needs.product-metadata.outputs.vault-version-package }}-1_arm64.deb
- sample-name: build_oss_linux_amd64_rpm
build-artifact-name: vault-${{ needs.product-metadata.outputs.vault-version-package }}-1.x86_64.rpm
- sample-name: build_oss_linux_arm64_rpm
build-artifact-name: vault-${{ needs.product-metadata.outputs.vault-version-package }}-1.aarch64.rpm
- sample-name: build_oss_linux_amd64_zip
build-artifact-name: vault_${{ needs.product-metadata.outputs.vault-version }}_linux_amd64.zip build-artifact-name: vault_${{ needs.product-metadata.outputs.vault-version }}_linux_amd64.zip
- matrix-file-name: build-github-oss-linux-arm64-zip - sample-name: build_oss_linux_arm64_zip
build-artifact-name: vault_${{ needs.product-metadata.outputs.vault-version }}_linux_arm64.zip build-artifact-name: vault_${{ needs.product-metadata.outputs.vault-version }}_linux_arm64.zip
with: with:
build-artifact-name: ${{ matrix.build-artifact-name }} build-artifact-name: ${{ matrix.build-artifact-name }}
matrix-file-name: ${{ matrix.matrix-file-name }} sample-max: 1
matrix-test-group: ${{ needs.product-metadata.outputs.matrix-test-group }} sample-name: ${{ matrix.sample-name }}
vault-edition: oss
vault-revision: ${{ needs.product-metadata.outputs.vault-revision }}
ssh-key-name: ${{ github.event.repository.name }}-ci-ssh-key ssh-key-name: ${{ github.event.repository.name }}-ci-ssh-key
vault-revision: ${{ needs.product-metadata.outputs.vault-revision }}
vault-version: ${{ needs.product-metadata.outputs.vault-version }} vault-version: ${{ needs.product-metadata.outputs.vault-version }}
vault-minor-version: ${{ needs.product-metadata.outputs.vault-minor-version }}
secrets: inherit secrets: inherit
test-docker-k8s: test-docker-k8s:
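Review bot: The two rpm entries added to the `test` matrix name the artifact `vault-<version-package>-1.x86_64.rpm` and `vault-<version-package>-1.aarch64.rpm`, while the release-testing workflow changed in this same commit spells them `vault_<version-package>-1.x86_64.rpm` with an underscore. Only one spelling can match the file the packaging step produces, and any step that looks the artifact up by `build-artifact-name` would presumably fail for the other. Confirm the real file name and use it in both matrices. A short comment above the entries, such as `# rpm: vault-<ver>-1.<arch>.rpm, deb: vault_<ver>-1_<arch>.deb`, would keep the two conventions from being mixed up again.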


@ -12,28 +12,23 @@ jobs:
if: ${{ startsWith(github.event.client_payload.payload.branch, 'release/') }} if: ${{ startsWith(github.event.client_payload.payload.branch, 'release/') }}
runs-on: ubuntu-latest runs-on: ubuntu-latest
outputs: outputs:
matrix-test-group: ${{ steps.get-metadata.outputs.matrix-test-group }}
vault-revision: ${{ steps.get-metadata.outputs.vault-revision }} vault-revision: ${{ steps.get-metadata.outputs.vault-revision }}
vault-version: ${{ steps.set-product-version.outputs.product-version }} vault-version: ${{ steps.set-product-version.outputs.product-version }}
vault-base-version: ${{ steps.set-product-version.outputs.base-product-version }} vault-version-package: ${{ steps.get-metadata.outputs.vault-version-package }}
vault-prerelease-version: ${{ steps.set-product-version.outputs.prerelease-product-version }}
vault-minor-version: ${{ steps.set-product-version.outputs.minor-product-version }}
steps: steps:
- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
with: with:
# Check out the repository at the same Git SHA that was used to create # Check out the repository at the same Git SHA that was used to create
# the artifacts to get the correct metadata. # the artifacts to get the correct metadata.
ref: ${{ github.event.client_payload.payload.sha }} ref: ${{ github.event.client_payload.payload.sha }}
- name: Set Product version
id: set-product-version
uses: hashicorp/actions-set-product-version@v1
- id: get-metadata - id: get-metadata
env:
# MATRIX_MAX_TEST_GROUPS is required to determine the randomly selected
# test group. It should be set to the highest test_group used in the
# enos-run-matrices.
MATRIX_MAX_TEST_GROUPS: 2
run: | run: |
# shellcheck disable=SC2129 # shellcheck disable=SC2129
echo "matrix-test-group=$(make ci-get-matrix-group-id)" >> "$GITHUB_OUTPUT"
echo "vault-revision=$(make ci-get-revision)" >> "$GITHUB_OUTPUT" echo "vault-revision=$(make ci-get-revision)" >> "$GITHUB_OUTPUT"
echo "vault-version-package=$(echo ${{ steps.set-product-version.outputs.product-version }} | awk '{ gsub("-","~",$1); print $1 }')" >> "$GITHUB_OUTPUT"
# Get the workflow summary similar to CRT workflows # Get the workflow summary similar to CRT workflows
- name: Release Artifact Info - name: Release Artifact Info
run: | run: |
@ -43,10 +38,6 @@ jobs:
echo "__Commit:__ ${{ github.event.client_payload.payload.sha }}" >> "$GITHUB_STEP_SUMMARY" echo "__Commit:__ ${{ github.event.client_payload.payload.sha }}" >> "$GITHUB_STEP_SUMMARY"
echo "" >> "$GITHUB_STEP_SUMMARY" echo "" >> "$GITHUB_STEP_SUMMARY"
echo "[Build Workflow](https://github.com/${{github.event.client_payload.payload.org}}/${{github.event.client_payload.payload.repo}}/actions/runs/${{github.event.client_payload.payload.buildworkflowid}})" >> "$GITHUB_STEP_SUMMARY" echo "[Build Workflow](https://github.com/${{github.event.client_payload.payload.org}}/${{github.event.client_payload.payload.repo}}/actions/runs/${{github.event.client_payload.payload.buildworkflowid}})" >> "$GITHUB_STEP_SUMMARY"
- name: Set Product version
id: set-product-version
uses: hashicorp/actions-set-product-version@v1
test: test:
name: Test ${{ matrix.build-artifact-name }} name: Test ${{ matrix.build-artifact-name }}
@ -57,18 +48,24 @@ jobs:
fail-fast: false fail-fast: false
matrix: matrix:
include: include:
- matrix-file-name: enos_release_testing_oss-artifactory-oss-linux-amd64-zip - sample-name: release_oss_linux_amd64_deb
build-artifact-name: vault_${{ needs.product-metadata.outputs.vault-version-package }}-1_amd64.deb
- sample-name: release_oss_linux_arm64_deb
build-artifact-name: vault_${{ needs.product-metadata.outputs.vault-version-package }}-1_arm64.deb
- sample-name: release_oss_linux_amd64_rpm
build-artifact-name: vault_${{ needs.product-metadata.outputs.vault-version-package }}-1.x86_64.rpm
- sample-name: release_oss_linux_arm64_rpm
build-artifact-name: vault_${{ needs.product-metadata.outputs.vault-version-package }}-1.aarch64.rpm
- sample-name: release_oss_linux_amd64_zip
build-artifact-name: vault_${{ needs.product-metadata.outputs.vault-version }}_linux_amd64.zip build-artifact-name: vault_${{ needs.product-metadata.outputs.vault-version }}_linux_amd64.zip
- matrix-file-name: enos_release_testing_oss-artifactory-oss-linux-arm64-zip - sample-name: release_oss_linux_arm64_zip
build-artifact-name: vault_${{ needs.product-metadata.outputs.vault-version }}_linux_arm64.zip build-artifact-name: vault_${{ needs.product-metadata.outputs.vault-version }}_linux_arm64.zip
with: with:
build-artifact-name: ${{ matrix.build-artifact-name }} build-artifact-name: ${{ matrix.build-artifact-name }}
matrix-file-name: ${{ matrix.matrix-file-name }} sample-max: 2
matrix-test-group: ${{ needs.product-metadata.outputs.matrix-test-group }} sample-name: ${{ matrix.sample-name }}
vault-edition: oss
vault-revision: ${{ needs.product-metadata.outputs.vault-revision }} vault-revision: ${{ needs.product-metadata.outputs.vault-revision }}
vault-version: ${{ needs.product-metadata.outputs.vault-version }} vault-version: ${{ needs.product-metadata.outputs.vault-version }}
vault-minor-version: ${{ needs.product-metadata.outputs.vault-minor-version }}
secrets: inherit secrets: inherit
save-metadata: save-metadata:
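Review bot: The new `vault-version-package` line in the `get-metadata` step pastes `${{ steps.set-product-version.outputs.product-version }}` unquoted into the script text, so the version string is parsed as shell source before `awk` sees it. The checkout ref is `github.event.client_payload.payload.sha`, so the version is whatever that revision carries, and passing it through the environment keeps it as data rather than code. Suggest giving the step `env:` with `VAULT_VERSION: ${{ steps.set-product-version.outputs.product-version }}` and writing `echo "vault-version-package=$(make ci-get-version-package)" >> "$GITHUB_OUTPUT"`. That mirrors the build workflow in this commit, assuming the make target reads `VAULT_VERSION` as it appears to there. It also avoids keeping a second copy of the `-` to `~` rewrite that can drift from the first.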


@ -11,33 +11,15 @@ on:
build-artifact-name: build-artifact-name:
required: true required: true
type: string type: string
# The base name of the file in ./github/enos-run-matrices that we use to # The maximum number of scenarios to include in the test sample.
# determine which scenarios to run for the build artifact. sample-max:
# default: 1
# They are named in the format of: type: number
# $caller_workflow_name-$artifact_source-$vault_edition-$platform-$arch-$packing_type # The name of the enos scenario sample that defines compatible scenarios we can
# # can test with.
# Where each are: sample-name:
# caller_workflow_name: the Github Actions workflow that is calling
# this one
# artifact_source: where we're getting the artifact from. Either
# "github" or "artifactory"
# vault_edition: which edition of vault that we're testing. e.g. "oss"
# or "ent"
# platform: the vault binary target platform, e.g. "linux" or "macos"
# arch: the vault binary target architecture, e.g. "arm64" or "amd64"
# packing_type: how vault binary is packaged, e.g. "zip", "deb", "rpm"
#
# Examples:
# build-github-oss-linux-amd64-zip
matrix-file-name:
required: true required: true
type: string type: string
# The test group we want to run. This corresponds to the test_group attribute
# defined in the enos-run-matrices files.
matrix-test-group:
default: 0
type: string
runs-on: runs-on:
# NOTE: The value should be JSON encoded as that's the only way we can # NOTE: The value should be JSON encoded as that's the only way we can
# pass arrays with workflow_call. # pass arrays with workflow_call.
@ -47,16 +29,9 @@ on:
ssh-key-name: ssh-key-name:
type: string type: string
default: ${{ github.event.repository.name }}-ci-ssh-key default: ${{ github.event.repository.name }}-ci-ssh-key
# Which edition of Vault we're using. e.g. "oss", "ent", "ent.hsm.fips1402"
vault-edition:
required: true
type: string
vault-version: vault-version:
required: true required: true
type: string type: string
vault-minor-version:
required: true
type: string
# The Git commit SHA used as the revision when building vault # The Git commit SHA used as the revision when building vault
vault-revision: vault-revision:
required: true required: true
@ -67,37 +42,34 @@ jobs:
runs-on: ${{ fromJSON(inputs.runs-on) }} runs-on: ${{ fromJSON(inputs.runs-on) }}
outputs: outputs:
build-date: ${{ steps.metadata.outputs.build-date }} build-date: ${{ steps.metadata.outputs.build-date }}
matrix: ${{ steps.metadata.outputs.matrix }} sample: ${{ steps.metadata.outputs.sample }}
env:
# Pass the vault edition as VAULT_METADATA so the CI make targets can create
# values that consider the edition.
VAULT_METADATA: ${{ inputs.vault-edition }}
VAULT_VERSION: ${{ inputs.vault-version }}
VAULT_MINOR_VERSION: ${{ inputs.vault-minor-version }}
# Pass in the matrix and matrix group for filtering
MATRIX_FILE: ./.github/enos-run-matrices/${{ inputs.matrix-file-name }}.json
MATRIX_TEST_GROUP: ${{ inputs.matrix-test-group }}
steps: steps:
- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
with: with:
ref: ${{ inputs.vault-revision }} ref: ${{ inputs.vault-revision }}
- uses: hashicorp/action-setup-enos@v1
with:
github-token: ${{ secrets.ELEVATED_GITHUB_TOKEN }}
- id: metadata - id: metadata
run: | run: |
echo "build-date=$(make ci-get-date)" >> "$GITHUB_OUTPUT" echo "build-date=$(make ci-get-date)" >> "$GITHUB_OUTPUT"
filtered="$(make ci-filter-matrix)" sample="$(enos scenario sample observe ${{ inputs.sample-name }} --chdir ./enos --min 1 --max ${{ inputs.sample-max }} --seed "$(date +%s%N)" --format json | jq -c ".observation.elements")"
echo "matrix=$filtered" >> "$GITHUB_OUTPUT" echo "sample=$sample"
echo "sample=$sample" >> "$GITHUB_OUTPUT"
# Run the Enos test scenarios # Run the Enos test scenario(s)
run: run:
needs: metadata needs: metadata
name: run ${{ matrix.scenario.id.filter }}
strategy: strategy:
fail-fast: false # don't fail as that can skip required cleanup steps for jobs fail-fast: false # don't fail as that can skip required cleanup steps for jobs
matrix: ${{ fromJson(needs.metadata.outputs.matrix) }} matrix:
runs-on: ubuntu-latest include: ${{ fromJSON(needs.metadata.outputs.sample) }}
runs-on: ${{ fromJSON(inputs.runs-on) }}
env: env:
GITHUB_TOKEN: ${{ secrets.ELEVATED_GITHUB_TOKEN }} GITHUB_TOKEN: ${{ secrets.ELEVATED_GITHUB_TOKEN }}
# Pass in enos variables # Pass in enos variables
ENOS_VAR_aws_region: ${{ matrix.aws_region }} ENOS_VAR_aws_region: ${{ matrix.attributes.aws_region }}
ENOS_VAR_aws_ssh_keypair_name: ${{ inputs.ssh-key-name }} ENOS_VAR_aws_ssh_keypair_name: ${{ inputs.ssh-key-name }}
ENOS_VAR_aws_ssh_private_key_path: ./support/private_key.pem ENOS_VAR_aws_ssh_private_key_path: ./support/private_key.pem
ENOS_VAR_tfc_api_token: ${{ secrets.TF_API_TOKEN }} ENOS_VAR_tfc_api_token: ${{ secrets.TF_API_TOKEN }}
@ -121,7 +93,7 @@ jobs:
with: with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID_CI }} aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID_CI }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY_CI }} aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY_CI }}
aws-region: ${{ matrix.aws_region }} aws-region: ${{ matrix.attributes.aws_region }}
role-to-assume: ${{ secrets.AWS_ROLE_ARN_CI }} role-to-assume: ${{ secrets.AWS_ROLE_ARN_CI }}
role-skip-session-tagging: true role-skip-session-tagging: true
role-duration-seconds: 3600 role-duration-seconds: 3600
@ -135,12 +107,12 @@ jobs:
echo "${{ secrets.SSH_KEY_PRIVATE_CI }}" > "./enos/support/private_key.pem" echo "${{ secrets.SSH_KEY_PRIVATE_CI }}" > "./enos/support/private_key.pem"
chmod 600 "./enos/support/private_key.pem" chmod 600 "./enos/support/private_key.pem"
echo "debug_data_artifact_name=enos-debug-data_$(echo "${{ matrix.scenario }}" | sed -e 's/ /_/g' | sed -e 's/:/=/g')" >> "$GITHUB_OUTPUT" echo "debug_data_artifact_name=enos-debug-data_$(echo "${{ matrix.scenario }}" | sed -e 's/ /_/g' | sed -e 's/:/=/g')" >> "$GITHUB_OUTPUT"
- if: contains(inputs.matrix-file-name, 'github') - if: contains(inputs.sample-name, 'build')
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
with: with:
name: ${{ inputs.build-artifact-name }} name: ${{ inputs.build-artifact-name }}
path: ./enos/support/downloads path: ./enos/support/downloads
- if: contains(inputs.matrix-file-name, 'ent') - if: contains(inputs.sample-name, 'ent')
name: Configure Vault license name: Configure Vault license
run: echo "${{ secrets.VAULT_LICENSE }}" > ./enos/support/vault.hclic || true run: echo "${{ secrets.VAULT_LICENSE }}" > ./enos/support/vault.hclic || true
- name: Run Enos scenario - name: Run Enos scenario
@ -148,12 +120,11 @@ jobs:
# Continue once and retry to handle occasional blips when creating # Continue once and retry to handle occasional blips when creating
# infrastructure. # infrastructure.
continue-on-error: true continue-on-error: true
run: enos scenario run --timeout 60m0s --chdir ./enos ${{ matrix.scenario }} run: enos scenario run --timeout 60m0s --chdir ./enos ${{ matrix.scenario.id.filter }}
- name: Retry Enos scenario if necessary - name: Retry Enos scenario if necessary
id: run_retry id: run_retry
if: steps.run.outcome == 'failure' if: steps.run.outcome == 'failure'
continue-on-error: true run: enos scenario run --timeout 60m0s --chdir ./enos ${{ matrix.scenario.id.filter }}
run: enos scenario run --timeout 60m0s --chdir ./enos ${{ matrix.scenario }}
- name: Upload Debug Data - name: Upload Debug Data
if: failure() if: failure()
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
@ -169,7 +140,7 @@ jobs:
# With Enos version 0.0.11 the destroy step returns an error if the infrastructure # With Enos version 0.0.11 the destroy step returns an error if the infrastructure
# is already destroyed by enos run. So temporarily setting it to continue on error in GHA # is already destroyed by enos run. So temporarily setting it to continue on error in GHA
continue-on-error: true continue-on-error: true
run: enos scenario destroy --timeout 60m0s --chdir ./enos ${{ matrix.scenario }} run: enos scenario destroy --timeout 60m0s --chdir ./enos ${{ matrix.scenario.id.filter }}
- name: Clean up Enos runtime directories - name: Clean up Enos runtime directories
id: cleanup id: cleanup
if: ${{ always() }} if: ${{ always() }}
@ -182,7 +153,7 @@ jobs:
# There is an incoming webhook set up on the "Enos Vault Failure Bot" Slackbot https://api.slack.com/apps/A05E31CH1LG/incoming-webhooks # There is an incoming webhook set up on the "Enos Vault Failure Bot" Slackbot https://api.slack.com/apps/A05E31CH1LG/incoming-webhooks
- name: Send Slack notification on Enos run failure - name: Send Slack notification on Enos run failure
uses: hashicorp/actions-slack-status@v1 uses: hashicorp/actions-slack-status@v1
if: ${{ always() }} if: ${{ always() && ! cancelled() }}
with: with:
failure-message: "An Enos scenario `run` failed. \nTriggering event: `${{ github.event_name }}` \nActor: `${{ github.actor }}`" failure-message: "An Enos scenario `run` failed. \nTriggering event: `${{ github.event_name }}` \nActor: `${{ github.actor }}`"
status: ${{ steps.run.outcome }} status: ${{ steps.run.outcome }}
@ -190,7 +161,7 @@ jobs:
# Send a Slack notification to #feed-vault-enos-failures if the 'run_retry' step fails. # Send a Slack notification to #feed-vault-enos-failures if the 'run_retry' step fails.
- name: Send Slack notification on Enos run_retry failure - name: Send Slack notification on Enos run_retry failure
uses: hashicorp/actions-slack-status@v1 uses: hashicorp/actions-slack-status@v1
if: ${{ always() }} if: ${{ always() && ! cancelled() }}
with: with:
failure-message: "An Enos scenario `run_retry` failed. \nTriggering event: `${{ github.event_name }}` \nActor: `${{ github.actor }}`" failure-message: "An Enos scenario `run_retry` failed. \nTriggering event: `${{ github.event_name }}` \nActor: `${{ github.actor }}`"
status: ${{ steps.run_retry.outcome }} status: ${{ steps.run_retry.outcome }}
@ -198,7 +169,7 @@ jobs:
# Send a Slack notification to #feed-vault-enos-failures if the 'destroy' step fails. # Send a Slack notification to #feed-vault-enos-failures if the 'destroy' step fails.
- name: Send Slack notification on Enos destroy failure - name: Send Slack notification on Enos destroy failure
uses: hashicorp/actions-slack-status@v1 uses: hashicorp/actions-slack-status@v1
if: ${{ always() }} if: ${{ always() && ! cancelled() }}
with: with:
failure-message: "An Enos scenario `destroy` failed. \nTriggering event: `${{ github.event_name }}` \nActor: `${{ github.actor }}`" failure-message: "An Enos scenario `destroy` failed. \nTriggering event: `${{ github.event_name }}` \nActor: `${{ github.actor }}`"
status: ${{ steps.destroy.outcome }} status: ${{ steps.destroy.outcome }}


@ -300,34 +300,26 @@ ci-build:
ci-build-ui: ci-build-ui:
@$(CURDIR)/scripts/ci-helper.sh build-ui @$(CURDIR)/scripts/ci-helper.sh build-ui
.PHONY: ci-filter-matrix .PHONY: ci-bundle
ci-filter-matrix: ci-bundle:
@$(CURDIR)/scripts/ci-helper.sh matrix-filter-file @$(CURDIR)/scripts/ci-helper.sh bundle
.PHONY: ci-get-date
ci-get-date:
@$(CURDIR)/scripts/ci-helper.sh date
.PHONY: ci-get-matrix-group-id
ci-get-matrix-group-id:
@$(CURDIR)/scripts/ci-helper.sh matrix-group-id
.PHONY: ci-get-revision
ci-get-revision:
@$(CURDIR)/scripts/ci-helper.sh revision
.PHONY: ci-prepare-legal
ci-prepare-legal:
@$(CURDIR)/scripts/ci-helper.sh prepare-legal
.PHONY: ci-get-version-package
ci-get-version-package:
@$(CURDIR)/scripts/ci-helper.sh version-package
.PHONY: ci-get-artifact-basename .PHONY: ci-get-artifact-basename
ci-get-artifact-basename: ci-get-artifact-basename:
@$(CURDIR)/scripts/ci-helper.sh artifact-basename @$(CURDIR)/scripts/ci-helper.sh artifact-basename
.PHONY: ci-bundle .PHONY: ci-get-date
ci-bundle: ci-get-date:
@$(CURDIR)/scripts/ci-helper.sh bundle @$(CURDIR)/scripts/ci-helper.sh date
.PHONY: ci-get-revision
ci-get-revision:
@$(CURDIR)/scripts/ci-helper.sh revision
.PHONY: ci-get-version-package
ci-get-version-package:
@$(CURDIR)/scripts/ci-helper.sh version-package
.PHONY: ci-prepare-legal
ci-prepare-legal:
@$(CURDIR)/scripts/ci-helper.sh prepare-legal

32
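--- a/enos/enos-globals.hcl
+++ b/enos/enos-globals.hcl
@@ -0,0 +1,32 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: BUSL-1.1
+globals {
+backend_tag_key = "VaultStorage"
+build_tags = {
+"oss" = ["ui"]
+"ent" = ["ui", "enterprise", "ent"]
+"ent.fips1402" = ["ui", "enterprise", "cgo", "hsm", "fips", "fips_140_2", "ent.fips1402"]
+"ent.hsm" = ["ui", "enterprise", "cgo", "hsm", "venthsm"]
+"ent.hsm.fips1402" = ["ui", "enterprise", "cgo", "hsm", "fips", "fips_140_2", "ent.hsm.fips1402"]
+}
+distro_version = {
+"rhel" = var.rhel_distro_version
+"ubuntu" = var.ubuntu_distro_version
+}
+packages = ["jq"]
+sample_attributes = {
+aws_region = ["us-east-1", "us-west-2"]
+}
+tags = merge({
+"Project Name" : var.project_name
+"Project" : "Enos",
+"Environment" : "ci"
+}, var.tags)
+vault_install_dir_packages = {
+rhel = "/bin"
+ubuntu = "/usr/bin"
+}
+vault_license_path = abspath(var.vault_license_path != null ? var.vault_license_path : joinpath(path.root, "./support/vault.hclic"))
+vault_tag_key = "Type" // enos_vault_start expects Type as the tag key
+}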
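Review bot: `globals` does not define `backend_license_path`, yet the replication scenario in this same commit drops its local of that name and reads `global.backend_license_path` in the `read_license` step for the backend license. Unless that global is declared in a file not shown here, the reference has nothing to resolve to and the Consul Enterprise license path is lost. Carrying the removed local over would close the gap: `backend_license_path = abspath(var.backend_license_path != null ? var.backend_license_path : joinpath(path.root, "./support/consul.hclic"))`. Separately, `merge({...}, var.tags)` presumably lets caller-supplied tags override `Project` and `Environment`; a short comment saying that is intended would help anyone who relies on those tags for cleanup or access scoping.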


@ -0,0 +1,142 @@
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: BUSL-1.1
sample "build_oss_linux_amd64_deb" {
attributes = global.sample_attributes
subset "smoke" {
matrix {
arch = ["amd64"]
artifact_source = ["crt"]
artifact_type = ["package"]
distro = ["ubuntu"]
edition = ["oss"]
}
}
subset "upgrade" {
matrix {
arch = ["amd64"]
artifact_source = ["crt"]
artifact_type = ["package"]
distro = ["ubuntu"]
edition = ["oss"]
}
}
}
sample "build_oss_linux_arm64_deb" {
attributes = global.sample_attributes
subset "smoke" {
matrix {
arch = ["arm64"]
artifact_source = ["crt"]
artifact_type = ["package"]
distro = ["ubuntu"]
edition = ["oss"]
}
}
subset "upgrade" {
matrix {
arch = ["arm64"]
artifact_source = ["crt"]
artifact_type = ["package"]
distro = ["ubuntu"]
edition = ["oss"]
}
}
}
sample "build_oss_linux_arm64_rpm" {
attributes = global.sample_attributes
subset "smoke" {
matrix {
arch = ["arm64"]
artifact_source = ["crt"]
artifact_type = ["package"]
distro = ["rhel"]
edition = ["oss"]
}
}
subset "upgrade" {
matrix {
arch = ["arm64"]
artifact_source = ["crt"]
artifact_type = ["package"]
distro = ["rhel"]
edition = ["oss"]
}
}
}
sample "build_oss_linux_amd64_rpm" {
attributes = global.sample_attributes
subset "smoke" {
matrix {
arch = ["amd64"]
artifact_source = ["crt"]
artifact_type = ["package"]
distro = ["rhel"]
edition = ["oss"]
}
}
subset "upgrade" {
matrix {
arch = ["amd64"]
artifact_source = ["crt"]
artifact_type = ["package"]
distro = ["rhel"]
edition = ["oss"]
}
}
}
sample "build_oss_linux_amd64_zip" {
attributes = global.sample_attributes
subset "smoke" {
matrix {
arch = ["amd64"]
artifact_type = ["bundle"]
artifact_source = ["crt"]
edition = ["oss"]
}
}
subset "upgrade" {
matrix {
arch = ["amd64"]
artifact_type = ["bundle"]
artifact_source = ["crt"]
edition = ["oss"]
}
}
}
sample "build_oss_linux_arm64_zip" {
attributes = global.sample_attributes
subset "smoke" {
matrix {
arch = ["arm64"]
artifact_source = ["crt"]
artifact_type = ["bundle"]
edition = ["oss"]
}
}
subset "upgrade" {
matrix {
arch = ["arm64"]
artifact_source = ["crt"]
artifact_type = ["bundle"]
edition = ["oss"]
}
}
}
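Review bot: Every sample in this file draws only from the `smoke` and `upgrade` subsets, so the `agent` scenario, whose matrix in this commit still accepts `edition = oss` with `artifact_source = crt`, is never a candidate for sampling; the `release_oss_*` samples in the next file have the same shape. That sits oddly with the description's statement that every valid scenario and variant combination becomes a candidate. If the omission is deliberate, a header comment such as `# CE samples cover smoke and upgrade only; agent and proxy are intentionally not sampled` would record it; otherwise each sample needs a matching `subset "agent"` block. The two subsets in each sample also repeat an identical matrix, so a note that they must be kept in sync would prevent drift.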


@ -0,0 +1,142 @@
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: BUSL-1.1
sample "release_oss_linux_amd64_deb" {
attributes = global.sample_attributes
subset "smoke" {
matrix {
arch = ["amd64"]
artifact_source = ["artifactory"]
artifact_type = ["package"]
distro = ["ubuntu"]
edition = ["oss"]
}
}
subset "upgrade" {
matrix {
arch = ["amd64"]
artifact_source = ["artifactory"]
artifact_type = ["package"]
distro = ["ubuntu"]
edition = ["oss"]
}
}
}
sample "release_oss_linux_arm64_deb" {
attributes = global.sample_attributes
subset "smoke" {
matrix {
arch = ["arm64"]
artifact_source = ["artifactory"]
artifact_type = ["package"]
distro = ["ubuntu"]
edition = ["oss"]
}
}
subset "upgrade" {
matrix {
arch = ["arm64"]
artifact_source = ["artifactory"]
artifact_type = ["package"]
distro = ["ubuntu"]
edition = ["oss"]
}
}
}
sample "release_oss_linux_arm64_rpm" {
attributes = global.sample_attributes
subset "smoke" {
matrix {
arch = ["arm64"]
artifact_source = ["artifactory"]
artifact_type = ["package"]
distro = ["rhel"]
edition = ["oss"]
}
}
subset "upgrade" {
matrix {
arch = ["arm64"]
artifact_source = ["artifactory"]
artifact_type = ["package"]
distro = ["rhel"]
edition = ["oss"]
}
}
}
sample "release_oss_linux_amd64_rpm" {
attributes = global.sample_attributes
subset "smoke" {
matrix {
arch = ["amd64"]
artifact_source = ["artifactory"]
artifact_type = ["package"]
distro = ["rhel"]
edition = ["oss"]
}
}
subset "upgrade" {
matrix {
arch = ["amd64"]
artifact_source = ["artifactory"]
artifact_type = ["package"]
distro = ["rhel"]
edition = ["oss"]
}
}
}
sample "release_oss_linux_amd64_zip" {
attributes = global.sample_attributes
subset "smoke" {
matrix {
arch = ["amd64"]
artifact_type = ["bundle"]
artifact_source = ["artifactory"]
edition = ["oss"]
}
}
subset "upgrade" {
matrix {
arch = ["amd64"]
artifact_type = ["bundle"]
artifact_source = ["artifactory"]
edition = ["oss"]
}
}
}
sample "release_oss_linux_arm64_zip" {
attributes = global.sample_attributes
subset "smoke" {
matrix {
arch = ["arm64"]
artifact_source = ["artifactory"]
artifact_type = ["bundle"]
edition = ["oss"]
}
}
subset "upgrade" {
matrix {
arch = ["arm64"]
artifact_source = ["artifactory"]
artifact_type = ["bundle"]
edition = ["oss"]
}
}
}


@ -7,6 +7,18 @@ scenario "agent" {
artifact_source = ["local", "crt", "artifactory"] artifact_source = ["local", "crt", "artifactory"]
distro = ["ubuntu", "rhel"] distro = ["ubuntu", "rhel"]
edition = ["oss", "ent", "ent.fips1402", "ent.hsm", "ent.hsm.fips1402"] edition = ["oss", "ent", "ent.fips1402", "ent.hsm", "ent.hsm.fips1402"]
# Our local builder always creates bundles
exclude {
artifact_source = ["local"]
artifact_type = ["package"]
}
# HSM and FIPS 140-2 are only supported on amd64
exclude {
arch = ["arm64"]
edition = ["ent.fips1402", "ent.hsm", "ent.hsm.fips1402"]
}
} }
terraform_cli = terraform_cli.default terraform_cli = terraform_cli.default
@ -18,38 +30,19 @@ scenario "agent" {
] ]
locals { locals {
build_tags = {
"oss" = ["ui"]
"ent" = ["ui", "enterprise", "ent"]
"ent.fips1402" = ["ui", "enterprise", "cgo", "hsm", "fips", "fips_140_2", "ent.fips1402"]
"ent.hsm" = ["ui", "enterprise", "cgo", "hsm", "venthsm"]
"ent.hsm.fips1402" = ["ui", "enterprise", "cgo", "hsm", "fips", "fips_140_2", "ent.hsm.fips1402"]
}
bundle_path = matrix.artifact_source != "artifactory" ? abspath(var.vault_artifact_path) : null bundle_path = matrix.artifact_source != "artifactory" ? abspath(var.vault_artifact_path) : null
distro_version = {
"rhel" = var.rhel_distro_version
"ubuntu" = var.ubuntu_distro_version
}
enos_provider = { enos_provider = {
rhel = provider.enos.rhel rhel = provider.enos.rhel
ubuntu = provider.enos.ubuntu ubuntu = provider.enos.ubuntu
} }
install_artifactory_artifact = local.bundle_path == null install_artifactory_artifact = local.bundle_path == null
packages = ["jq"]
tags = merge({
"Project Name" : var.project_name
"Project" : "Enos",
"Environment" : "ci"
}, var.tags)
vault_license_path = abspath(var.vault_license_path != null ? var.vault_license_path : joinpath(path.root, "./support/vault.hclic"))
vault_tag_key = "Type" // enos_vault_start expects Type as the tag key
} }
step "build_vault" { step "build_vault" {
module = "build_${matrix.artifact_source}" module = "build_${matrix.artifact_source}"
variables { variables {
build_tags = var.vault_local_build_tags != null ? var.vault_local_build_tags : local.build_tags[matrix.edition] build_tags = var.vault_local_build_tags != null ? var.vault_local_build_tags : global.build_tags[matrix.edition]
bundle_path = local.bundle_path bundle_path = local.bundle_path
goarch = matrix.arch goarch = matrix.arch
goos = "linux" goos = "linux"
@ -74,7 +67,7 @@ scenario "agent" {
module = module.create_vpc module = module.create_vpc
variables { variables {
common_tags = local.tags common_tags = global.tags
} }
} }
@ -83,7 +76,7 @@ scenario "agent" {
module = module.read_license module = module.read_license
variables { variables {
file_name = local.vault_license_path file_name = global.vault_license_path
} }
} }
@ -96,10 +89,10 @@ scenario "agent" {
} }
variables { variables {
ami_id = step.ec2_info.ami_ids[matrix.arch][matrix.distro][local.distro_version[matrix.distro]] ami_id = step.ec2_info.ami_ids[matrix.arch][matrix.distro][global.distro_version[matrix.distro]]
awskms_unseal_key_arn = step.create_vpc.kms_key_arn awskms_unseal_key_arn = step.create_vpc.kms_key_arn
cluster_tag_key = local.vault_tag_key cluster_tag_key = global.vault_tag_key
common_tags = local.tags common_tags = global.tags
vpc_id = step.create_vpc.vpc_id vpc_id = step.create_vpc.vpc_id
} }
} }
@ -123,7 +116,7 @@ scenario "agent" {
install_dir = var.vault_install_dir install_dir = var.vault_install_dir
license = matrix.edition != "oss" ? step.read_license.license : null license = matrix.edition != "oss" ? step.read_license.license : null
local_artifact_path = local.bundle_path local_artifact_path = local.bundle_path
packages = local.packages packages = global.packages
storage_backend = "raft" storage_backend = "raft"
target_hosts = step.create_vault_cluster_targets.hosts target_hosts = step.create_vault_cluster_targets.hosts
unseal_method = "shamir" unseal_method = "shamir"
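Review bot: The new `exclude` on `artifact_type = ["package"]` in the first hunk filters an attribute that none of the visible matrix lines declare (`artifact_source`, `distro`, `edition`); the matrix opens above the hunk, so `artifact_type` may be listed there, but if it is not, the exclusion never matches anything. If packages are meant to be valid for this scenario, the cluster step in the last hunk still passes `install_dir = var.vault_install_dir` and no `manage_service`, whereas the autopilot scenario selects `global.vault_install_dir_packages[matrix.distro]` for packages. Either declare `artifact_type = ["bundle", "package"]` in the matrix and add the same install-dir selection, or drop the exclude so the matrix says what it actually tests.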


@ -10,17 +10,17 @@ scenario "autopilot" {
edition = ["ent", "ent.fips1402", "ent.hsm", "ent.hsm.fips1402"] edition = ["ent", "ent.fips1402", "ent.hsm", "ent.hsm.fips1402"]
seal = ["awskms", "shamir"] seal = ["awskms", "shamir"]
# Packages are not offered for the oss, ent.fips1402, and ent.hsm.fips1402 editions
exclude {
edition = ["oss", "ent.fips1402", "ent.hsm.fips1402"]
artifact_type = ["package"]
}
# Our local builder always creates bundles # Our local builder always creates bundles
exclude { exclude {
artifact_source = ["local"] artifact_source = ["local"]
artifact_type = ["package"] artifact_type = ["package"]
} }
# HSM and FIPS 140-2 are only supported on amd64
exclude {
arch = ["arm64"]
edition = ["ent.fips1402", "ent.hsm", "ent.hsm.fips1402"]
}
} }
terraform_cli = terraform_cli.default terraform_cli = terraform_cli.default
@ -32,42 +32,21 @@ scenario "autopilot" {
] ]
locals { locals {
build_tags = { artifact_path = matrix.artifact_source != "artifactory" ? abspath(var.vault_artifact_path) : null
"ent" = ["ui", "enterprise", "ent"]
"ent.fips1402" = ["ui", "enterprise", "cgo", "hsm", "fips", "fips_140_2", "ent.fips1402"]
"ent.hsm" = ["ui", "enterprise", "cgo", "hsm", "venthsm"]
"ent.hsm.fips1402" = ["ui", "enterprise", "cgo", "hsm", "fips", "fips_140_2", "ent.hsm.fips1402"]
}
bundle_path = matrix.artifact_source != "artifactory" ? abspath(var.vault_artifact_path) : null
distro_version = {
"rhel" = var.rhel_distro_version
"ubuntu" = var.ubuntu_distro_version
}
enos_provider = { enos_provider = {
rhel = provider.enos.rhel rhel = provider.enos.rhel
ubuntu = provider.enos.ubuntu ubuntu = provider.enos.ubuntu
} }
packages = ["jq"] manage_service = matrix.artifact_type == "bundle"
tags = merge({ vault_install_dir = matrix.artifact_type == "bundle" ? var.vault_install_dir : global.vault_install_dir_packages[matrix.distro]
"Project Name" : var.project_name
"Project" : "Enos",
"Environment" : "ci"
}, var.tags)
vault_license_path = abspath(var.vault_license_path != null ? var.vault_license_path : joinpath(path.root, "./support/vault.hclic"))
vault_install_dir_packages = {
rhel = "/bin"
ubuntu = "/usr/bin"
}
vault_install_dir = matrix.artifact_type == "bundle" ? var.vault_install_dir : local.vault_install_dir_packages[matrix.distro]
vault_tag_key = "Type" // enos_vault_start expects Type as the tag key
} }
step "build_vault" { step "build_vault" {
module = "build_${matrix.artifact_source}" module = "build_${matrix.artifact_source}"
variables { variables {
build_tags = var.vault_local_build_tags != null ? var.vault_local_build_tags : local.build_tags[matrix.edition] build_tags = var.vault_local_build_tags != null ? var.vault_local_build_tags : global.build_tags[matrix.edition]
bundle_path = local.bundle_path artifact_path = local.artifact_path
goarch = matrix.arch goarch = matrix.arch
goos = "linux" goos = "linux"
artifactory_host = matrix.artifact_source == "artifactory" ? var.artifactory_host : null artifactory_host = matrix.artifact_source == "artifactory" ? var.artifactory_host : null
@ -91,7 +70,7 @@ scenario "autopilot" {
module = module.create_vpc module = module.create_vpc
variables { variables {
common_tags = local.tags common_tags = global.tags
} }
} }
@ -99,7 +78,7 @@ scenario "autopilot" {
module = module.read_license module = module.read_license
variables { variables {
file_name = local.vault_license_path file_name = global.vault_license_path
} }
} }
@ -112,10 +91,10 @@ scenario "autopilot" {
} }
variables { variables {
ami_id = step.ec2_info.ami_ids[matrix.arch][matrix.distro][local.distro_version[matrix.distro]] ami_id = step.ec2_info.ami_ids[matrix.arch][matrix.distro][global.distro_version[matrix.distro]]
awskms_unseal_key_arn = step.create_vpc.kms_key_arn awskms_unseal_key_arn = step.create_vpc.kms_key_arn
cluster_tag_key = local.vault_tag_key cluster_tag_key = global.vault_tag_key
common_tags = local.tags common_tags = global.tags
vpc_id = step.create_vpc.vpc_id vpc_id = step.create_vpc.vpc_id
} }
} }
@ -136,7 +115,7 @@ scenario "autopilot" {
cluster_name = step.create_vault_cluster_targets.cluster_name cluster_name = step.create_vault_cluster_targets.cluster_name
install_dir = local.vault_install_dir install_dir = local.vault_install_dir
license = matrix.edition != "oss" ? step.read_license.license : null license = matrix.edition != "oss" ? step.read_license.license : null
packages = local.packages packages = global.packages
release = var.vault_autopilot_initial_release release = var.vault_autopilot_initial_release
storage_backend = "raft" storage_backend = "raft"
storage_backend_addl_config = { storage_backend_addl_config = {
@ -205,9 +184,9 @@ scenario "autopilot" {
} }
variables { variables {
ami_id = step.ec2_info.ami_ids[matrix.arch][matrix.distro][local.distro_version[matrix.distro]] ami_id = step.ec2_info.ami_ids[matrix.arch][matrix.distro][global.distro_version[matrix.distro]]
awskms_unseal_key_arn = step.create_vpc.kms_key_arn awskms_unseal_key_arn = step.create_vpc.kms_key_arn
common_tags = local.tags common_tags = global.tags
cluster_name = step.create_vault_cluster_targets.cluster_name cluster_name = step.create_vault_cluster_targets.cluster_name
vpc_id = step.create_vpc.vpc_id vpc_id = step.create_vpc.vpc_id
} }
@ -235,8 +214,9 @@ scenario "autopilot" {
initialize_cluster = false initialize_cluster = false
install_dir = local.vault_install_dir install_dir = local.vault_install_dir
license = matrix.edition != "oss" ? step.read_license.license : null license = matrix.edition != "oss" ? step.read_license.license : null
local_artifact_path = local.bundle_path local_artifact_path = local.artifact_path
packages = local.packages manage_service = local.manage_service
packages = global.packages
root_token = step.create_vault_cluster.root_token root_token = step.create_vault_cluster.root_token
shamir_unseal_keys = matrix.seal == "shamir" ? step.create_vault_cluster.unseal_keys_hex : null shamir_unseal_keys = matrix.seal == "shamir" ? step.create_vault_cluster.unseal_keys_hex : null
storage_backend = "raft" storage_backend = "raft"
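Review bot: `build_vault` now passes `artifact_path = local.artifact_path` to `build_${matrix.artifact_source}`, while the agent and proxy scenarios in this commit still pass `bundle_path = local.bundle_path` to the same module family. The module variable definitions are not shown here, so both names may be accepted, but if only one is declared then one set of scenarios fails when its variables are evaluated. Using a single name across all scenarios would remove the doubt. A short comment on the new local, for example `# packages are assumed to install their own service unit; confirm`, would also explain why `manage_service` is false for packages.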


@ -18,32 +18,11 @@ scenario "proxy" {
] ]
locals { locals {
backend_tag_key = "VaultStorage"
build_tags = {
"oss" = ["ui"]
"ent" = ["ui", "enterprise", "ent"]
"ent.fips1402" = ["ui", "enterprise", "cgo", "hsm", "fips", "fips_140_2", "ent.fips1402"]
"ent.hsm" = ["ui", "enterprise", "cgo", "hsm", "venthsm"]
"ent.hsm.fips1402" = ["ui", "enterprise", "cgo", "hsm", "fips", "fips_140_2", "ent.hsm.fips1402"]
}
bundle_path = matrix.artifact_source != "artifactory" ? abspath(var.vault_artifact_path) : null bundle_path = matrix.artifact_source != "artifactory" ? abspath(var.vault_artifact_path) : null
distro_version = {
"rhel" = var.rhel_distro_version
"ubuntu" = var.ubuntu_distro_version
}
enos_provider = { enos_provider = {
rhel = provider.enos.rhel rhel = provider.enos.rhel
ubuntu = provider.enos.ubuntu ubuntu = provider.enos.ubuntu
} }
install_artifactory_artifact = local.bundle_path == null
packages = ["jq"]
tags = merge({
"Project Name" : var.project_name
"Project" : "Enos",
"Environment" : "ci"
}, var.tags)
vault_license_path = abspath(var.vault_license_path != null ? var.vault_license_path : joinpath(path.root, "./support/vault.hclic"))
vault_tag_key = "Type" // enos_vault_start expects Type as the tag key
} }
step "get_local_metadata" { step "get_local_metadata" {
@ -55,7 +34,7 @@ scenario "proxy" {
module = "build_${matrix.artifact_source}" module = "build_${matrix.artifact_source}"
variables { variables {
build_tags = var.vault_local_build_tags != null ? var.vault_local_build_tags : local.build_tags[matrix.edition] build_tags = var.vault_local_build_tags != null ? var.vault_local_build_tags : global.build_tags[matrix.edition]
bundle_path = local.bundle_path bundle_path = local.bundle_path
goarch = matrix.arch goarch = matrix.arch
goos = "linux" goos = "linux"
@ -80,7 +59,7 @@ scenario "proxy" {
module = module.create_vpc module = module.create_vpc
variables { variables {
common_tags = local.tags common_tags = global.tags
} }
} }
@ -89,7 +68,7 @@ scenario "proxy" {
module = module.read_license module = module.read_license
variables { variables {
file_name = local.vault_license_path file_name = global.vault_license_path
} }
} }
@ -102,10 +81,10 @@ scenario "proxy" {
} }
variables { variables {
ami_id = step.ec2_info.ami_ids[matrix.arch][matrix.distro][local.distro_version[matrix.distro]] ami_id = step.ec2_info.ami_ids[matrix.arch][matrix.distro][global.distro_version[matrix.distro]]
awskms_unseal_key_arn = step.create_vpc.kms_key_arn awskms_unseal_key_arn = step.create_vpc.kms_key_arn
cluster_tag_key = local.vault_tag_key cluster_tag_key = global.vault_tag_key
common_tags = local.tags common_tags = global.tags
vpc_id = step.create_vpc.vpc_id vpc_id = step.create_vpc.vpc_id
} }
} }
@ -129,7 +108,7 @@ scenario "proxy" {
install_dir = var.vault_install_dir install_dir = var.vault_install_dir
license = matrix.edition != "oss" ? step.read_license.license : null license = matrix.edition != "oss" ? step.read_license.license : null
local_artifact_path = local.bundle_path local_artifact_path = local.bundle_path
packages = local.packages packages = global.packages
storage_backend = "raft" storage_backend = "raft"
target_hosts = step.create_vault_cluster_targets.hosts target_hosts = step.create_vault_cluster_targets.hosts
unseal_method = "shamir" unseal_method = "shamir"


@ -17,17 +17,17 @@ scenario "replication" {
secondary_backend = ["raft", "consul"] secondary_backend = ["raft", "consul"]
secondary_seal = ["awskms", "shamir"] secondary_seal = ["awskms", "shamir"]
# Packages are not offered for the oss, ent.fips1402, and ent.hsm.fips1402 editions
exclude {
edition = ["ent.fips1402", "ent.hsm.fips1402"]
artifact_type = ["package"]
}
# Our local builder always creates bundles # Our local builder always creates bundles
exclude { exclude {
artifact_source = ["local"] artifact_source = ["local"]
artifact_type = ["package"] artifact_type = ["package"]
} }
# HSM and FIPS 140-2 are only supported on amd64
exclude {
arch = ["arm64"]
edition = ["ent.fips1402", "ent.hsm", "ent.hsm.fips1402"]
}
} }
terraform_cli = terraform_cli.default terraform_cli = terraform_cli.default
@ -39,45 +39,21 @@ scenario "replication" {
] ]
locals { locals {
# The path to the backend license file (Consul Enterprise) artifact_path = matrix.artifact_source != "artifactory" ? abspath(var.vault_artifact_path) : null
backend_license_path = abspath(var.backend_license_path != null ? var.backend_license_path : joinpath(path.root, "./support/consul.hclic"))
backend_tag_key = "VaultStorage"
build_tags = {
"ent" = ["ui", "enterprise", "ent"]
"ent.fips1402" = ["ui", "enterprise", "cgo", "hsm", "fips", "fips_140_2", "ent.fips1402"]
"ent.hsm" = ["ui", "enterprise", "cgo", "hsm", "venthsm"]
"ent.hsm.fips1402" = ["ui", "enterprise", "cgo", "hsm", "fips", "fips_140_2", "ent.hsm.fips1402"]
}
distro_version = {
"rhel" = var.rhel_distro_version
"ubuntu" = var.ubuntu_distro_version
}
bundle_path = matrix.artifact_source != "artifactory" ? abspath(var.vault_artifact_path) : null
enos_provider = { enos_provider = {
rhel = provider.enos.rhel rhel = provider.enos.rhel
ubuntu = provider.enos.ubuntu ubuntu = provider.enos.ubuntu
} }
packages = ["jq"] manage_service = matrix.artifact_type == "bundle"
tags = merge({ vault_install_dir = matrix.artifact_type == "bundle" ? var.vault_install_dir : global.vault_install_dir_packages[matrix.distro]
"Project Name" : var.project_name
"Project" : "Enos",
"Environment" : "ci"
}, var.tags)
vault_license_path = abspath(var.vault_license_path != null ? var.vault_license_path : joinpath(path.root, "./support/vault.hclic"))
vault_install_dir_packages = {
rhel = "/bin"
ubuntu = "/usr/bin"
}
vault_install_dir = matrix.artifact_type == "bundle" ? var.vault_install_dir : local.vault_install_dir_packages[matrix.distro]
vault_tag_key = "Type" // enos_vault_start expects Type as the tag key
} }
step "build_vault" { step "build_vault" {
module = "build_${matrix.artifact_source}" module = "build_${matrix.artifact_source}"
variables { variables {
build_tags = var.vault_local_build_tags != null ? var.vault_local_build_tags : local.build_tags[matrix.edition] build_tags = var.vault_local_build_tags != null ? var.vault_local_build_tags : global.build_tags[matrix.edition]
bundle_path = local.bundle_path artifact_path = local.artifact_path
goarch = matrix.arch goarch = matrix.arch
goos = "linux" goos = "linux"
artifactory_host = matrix.artifact_source == "artifactory" ? var.artifactory_host : null artifactory_host = matrix.artifact_source == "artifactory" ? var.artifactory_host : null
@ -101,7 +77,7 @@ scenario "replication" {
module = module.create_vpc module = module.create_vpc
variables { variables {
common_tags = local.tags common_tags = global.tags
} }
} }
@ -112,7 +88,7 @@ scenario "replication" {
module = module.read_license module = module.read_license
variables { variables {
file_name = local.backend_license_path file_name = global.backend_license_path
} }
} }
@ -136,10 +112,10 @@ scenario "replication" {
} }
variables { variables {
ami_id = step.ec2_info.ami_ids[matrix.arch][matrix.distro][local.distro_version[matrix.distro]] ami_id = step.ec2_info.ami_ids[matrix.arch][matrix.distro][global.distro_version[matrix.distro]]
awskms_unseal_key_arn = step.create_vpc.kms_key_arn awskms_unseal_key_arn = step.create_vpc.kms_key_arn
cluster_tag_key = local.vault_tag_key cluster_tag_key = global.vault_tag_key
common_tags = local.tags common_tags = global.tags
vpc_id = step.create_vpc.vpc_id vpc_id = step.create_vpc.vpc_id
} }
} }
@ -157,8 +133,8 @@ scenario "replication" {
variables { variables {
ami_id = step.ec2_info.ami_ids["arm64"]["ubuntu"]["22.04"] ami_id = step.ec2_info.ami_ids["arm64"]["ubuntu"]["22.04"]
awskms_unseal_key_arn = step.create_vpc.kms_key_arn awskms_unseal_key_arn = step.create_vpc.kms_key_arn
cluster_tag_key = local.backend_tag_key cluster_tag_key = global.backend_tag_key
common_tags = local.tags common_tags = global.tags
vpc_id = step.create_vpc.vpc_id vpc_id = step.create_vpc.vpc_id
} }
} }
@ -175,11 +151,11 @@ scenario "replication" {
} }
variables { variables {
ami_id = step.ec2_info.ami_ids[matrix.arch][matrix.distro][local.distro_version[matrix.distro]] ami_id = step.ec2_info.ami_ids[matrix.arch][matrix.distro][global.distro_version[matrix.distro]]
awskms_unseal_key_arn = step.create_vpc.kms_key_arn awskms_unseal_key_arn = step.create_vpc.kms_key_arn
cluster_name = step.create_primary_cluster_targets.cluster_name cluster_name = step.create_primary_cluster_targets.cluster_name
cluster_tag_key = local.vault_tag_key cluster_tag_key = global.vault_tag_key
common_tags = local.tags common_tags = global.tags
vpc_id = step.create_vpc.vpc_id vpc_id = step.create_vpc.vpc_id
} }
} }
@ -193,10 +169,10 @@ scenario "replication" {
} }
variables { variables {
ami_id = step.ec2_info.ami_ids[matrix.arch][matrix.distro][local.distro_version[matrix.distro]] ami_id = step.ec2_info.ami_ids[matrix.arch][matrix.distro][global.distro_version[matrix.distro]]
awskms_unseal_key_arn = step.create_vpc.kms_key_arn awskms_unseal_key_arn = step.create_vpc.kms_key_arn
cluster_tag_key = local.vault_tag_key cluster_tag_key = global.vault_tag_key
common_tags = local.tags common_tags = global.tags
vpc_id = step.create_vpc.vpc_id vpc_id = step.create_vpc.vpc_id
} }
} }
@ -212,8 +188,8 @@ scenario "replication" {
variables { variables {
ami_id = step.ec2_info.ami_ids["arm64"]["ubuntu"]["22.04"] ami_id = step.ec2_info.ami_ids["arm64"]["ubuntu"]["22.04"]
awskms_unseal_key_arn = step.create_vpc.kms_key_arn awskms_unseal_key_arn = step.create_vpc.kms_key_arn
cluster_tag_key = local.backend_tag_key cluster_tag_key = global.backend_tag_key
common_tags = local.tags common_tags = global.tags
vpc_id = step.create_vpc.vpc_id vpc_id = step.create_vpc.vpc_id
} }
} }
@ -230,7 +206,7 @@ scenario "replication" {
variables { variables {
cluster_name = step.create_primary_cluster_backend_targets.cluster_name cluster_name = step.create_primary_cluster_backend_targets.cluster_name
cluster_tag_key = local.backend_tag_key cluster_tag_key = global.backend_tag_key
license = (matrix.primary_backend == "consul" && var.backend_edition == "ent") ? step.read_backend_license.license : null license = (matrix.primary_backend == "consul" && var.backend_edition == "ent") ? step.read_backend_license.license : null
release = { release = {
edition = var.backend_edition edition = var.backend_edition
@ -256,7 +232,7 @@ scenario "replication" {
artifactory_release = matrix.artifact_source == "artifactory" ? step.build_vault.vault_artifactory_release : null artifactory_release = matrix.artifact_source == "artifactory" ? step.build_vault.vault_artifactory_release : null
awskms_unseal_key_arn = step.create_vpc.kms_key_arn awskms_unseal_key_arn = step.create_vpc.kms_key_arn
backend_cluster_name = step.create_primary_cluster_backend_targets.cluster_name backend_cluster_name = step.create_primary_cluster_backend_targets.cluster_name
backend_cluster_tag_key = local.backend_tag_key backend_cluster_tag_key = global.backend_tag_key
consul_license = (matrix.primary_backend == "consul" && var.backend_edition == "ent") ? step.read_backend_license.license : null consul_license = (matrix.primary_backend == "consul" && var.backend_edition == "ent") ? step.read_backend_license.license : null
cluster_name = step.create_primary_cluster_targets.cluster_name cluster_name = step.create_primary_cluster_targets.cluster_name
consul_release = matrix.primary_backend == "consul" ? { consul_release = matrix.primary_backend == "consul" ? {
@ -266,8 +242,9 @@ scenario "replication" {
enable_file_audit_device = var.vault_enable_file_audit_device enable_file_audit_device = var.vault_enable_file_audit_device
install_dir = local.vault_install_dir install_dir = local.vault_install_dir
license = matrix.edition != "oss" ? step.read_vault_license.license : null license = matrix.edition != "oss" ? step.read_vault_license.license : null
local_artifact_path = local.bundle_path local_artifact_path = local.artifact_path
packages = local.packages manage_service = local.manage_service
packages = global.packages
storage_backend = matrix.primary_backend storage_backend = matrix.primary_backend
target_hosts = step.create_primary_cluster_targets.hosts target_hosts = step.create_primary_cluster_targets.hosts
unseal_method = matrix.primary_seal unseal_method = matrix.primary_seal
@ -286,7 +263,7 @@ scenario "replication" {
variables { variables {
cluster_name = step.create_secondary_cluster_backend_targets.cluster_name cluster_name = step.create_secondary_cluster_backend_targets.cluster_name
cluster_tag_key = local.backend_tag_key cluster_tag_key = global.backend_tag_key
license = (matrix.secondary_backend == "consul" && var.backend_edition == "ent") ? step.read_backend_license.license : null license = (matrix.secondary_backend == "consul" && var.backend_edition == "ent") ? step.read_backend_license.license : null
release = { release = {
edition = var.backend_edition edition = var.backend_edition
@ -312,7 +289,7 @@ scenario "replication" {
artifactory_release = matrix.artifact_source == "artifactory" ? step.build_vault.vault_artifactory_release : null artifactory_release = matrix.artifact_source == "artifactory" ? step.build_vault.vault_artifactory_release : null
awskms_unseal_key_arn = step.create_vpc.kms_key_arn awskms_unseal_key_arn = step.create_vpc.kms_key_arn
backend_cluster_name = step.create_secondary_cluster_backend_targets.cluster_name backend_cluster_name = step.create_secondary_cluster_backend_targets.cluster_name
backend_cluster_tag_key = local.backend_tag_key backend_cluster_tag_key = global.backend_tag_key
consul_license = (matrix.secondary_backend == "consul" && var.backend_edition == "ent") ? step.read_backend_license.license : null consul_license = (matrix.secondary_backend == "consul" && var.backend_edition == "ent") ? step.read_backend_license.license : null
cluster_name = step.create_secondary_cluster_targets.cluster_name cluster_name = step.create_secondary_cluster_targets.cluster_name
consul_release = matrix.secondary_backend == "consul" ? { consul_release = matrix.secondary_backend == "consul" ? {
@ -322,8 +299,9 @@ scenario "replication" {
enable_file_audit_device = var.vault_enable_file_audit_device enable_file_audit_device = var.vault_enable_file_audit_device
install_dir = local.vault_install_dir install_dir = local.vault_install_dir
license = matrix.edition != "oss" ? step.read_vault_license.license : null license = matrix.edition != "oss" ? step.read_vault_license.license : null
local_artifact_path = local.bundle_path local_artifact_path = local.artifact_path
packages = local.packages manage_service = local.manage_service
packages = global.packages
storage_backend = matrix.secondary_backend storage_backend = matrix.secondary_backend
target_hosts = step.create_secondary_cluster_targets.hosts target_hosts = step.create_secondary_cluster_targets.hosts
unseal_method = matrix.secondary_seal unseal_method = matrix.secondary_seal
@ -553,25 +531,27 @@ scenario "replication" {
artifactory_release = matrix.artifact_source == "artifactory" ? step.build_vault.vault_artifactory_release : null artifactory_release = matrix.artifact_source == "artifactory" ? step.build_vault.vault_artifactory_release : null
awskms_unseal_key_arn = step.create_vpc.kms_key_arn awskms_unseal_key_arn = step.create_vpc.kms_key_arn
backend_cluster_name = step.create_primary_cluster_backend_targets.cluster_name backend_cluster_name = step.create_primary_cluster_backend_targets.cluster_name
backend_cluster_tag_key = local.backend_tag_key backend_cluster_tag_key = global.backend_tag_key
cluster_name = step.create_primary_cluster_targets.cluster_name cluster_name = step.create_primary_cluster_targets.cluster_name
consul_license = (matrix.primary_backend == "consul" && var.backend_edition == "ent") ? step.read_backend_license.license : null consul_license = (matrix.primary_backend == "consul" && var.backend_edition == "ent") ? step.read_backend_license.license : null
consul_release = matrix.primary_backend == "consul" ? { consul_release = matrix.primary_backend == "consul" ? {
edition = var.backend_edition edition = var.backend_edition
version = matrix.consul_version version = matrix.consul_version
} : null } : null
force_unseal = matrix.primary_seal == "shamir" enable_file_audit_device = var.vault_enable_file_audit_device
initialize_cluster = false force_unseal = matrix.primary_seal == "shamir"
install_dir = local.vault_install_dir initialize_cluster = false
license = matrix.edition != "oss" ? step.read_vault_license.license : null install_dir = local.vault_install_dir
local_artifact_path = local.bundle_path license = matrix.edition != "oss" ? step.read_vault_license.license : null
packages = local.packages local_artifact_path = local.artifact_path
root_token = step.create_primary_cluster.root_token manage_service = local.manage_service
shamir_unseal_keys = matrix.primary_seal == "shamir" ? step.create_primary_cluster.unseal_keys_hex : null packages = global.packages
storage_backend = matrix.primary_backend root_token = step.create_primary_cluster.root_token
storage_node_prefix = "newprimary_node" shamir_unseal_keys = matrix.primary_seal == "shamir" ? step.create_primary_cluster.unseal_keys_hex : null
target_hosts = step.create_primary_cluster_additional_targets.hosts storage_backend = matrix.primary_backend
unseal_method = matrix.primary_seal storage_node_prefix = "newprimary_node"
target_hosts = step.create_primary_cluster_additional_targets.hosts
unseal_method = matrix.primary_seal
} }
} }


@ -12,17 +12,17 @@ scenario "smoke" {
edition = ["oss", "ent", "ent.fips1402", "ent.hsm", "ent.hsm.fips1402"] edition = ["oss", "ent", "ent.fips1402", "ent.hsm", "ent.hsm.fips1402"]
seal = ["awskms", "shamir"] seal = ["awskms", "shamir"]
# Packages are not offered for the oss, ent.fips1402, and ent.hsm.fips1402 editions
exclude {
edition = ["oss", "ent.fips1402", "ent.hsm.fips1402"]
artifact_type = ["package"]
}
# Our local builder always creates bundles # Our local builder always creates bundles
exclude { exclude {
artifact_source = ["local"] artifact_source = ["local"]
artifact_type = ["package"] artifact_type = ["package"]
} }
# HSM and FIPS 140-2 are only supported on amd64
exclude {
arch = ["arm64"]
edition = ["ent.fips1402", "ent.hsm", "ent.hsm.fips1402"]
}
} }
terraform_cli = terraform_cli.default terraform_cli = terraform_cli.default
@ -34,37 +34,13 @@ scenario "smoke" {
] ]
locals { locals {
backend_license_path = abspath(var.backend_license_path != null ? var.backend_license_path : joinpath(path.root, "./support/consul.hclic")) artifact_path = matrix.artifact_source != "artifactory" ? abspath(var.vault_artifact_path) : null
backend_tag_key = "VaultStorage"
build_tags = {
"oss" = ["ui"]
"ent" = ["ui", "enterprise", "ent"]
"ent.fips1402" = ["ui", "enterprise", "cgo", "hsm", "fips", "fips_140_2", "ent.fips1402"]
"ent.hsm" = ["ui", "enterprise", "cgo", "hsm", "venthsm"]
"ent.hsm.fips1402" = ["ui", "enterprise", "cgo", "hsm", "fips", "fips_140_2", "ent.hsm.fips1402"]
}
bundle_path = matrix.artifact_source != "artifactory" ? abspath(var.vault_artifact_path) : null
distro_version = {
"rhel" = var.rhel_distro_version
"ubuntu" = var.ubuntu_distro_version
}
enos_provider = { enos_provider = {
rhel = provider.enos.rhel rhel = provider.enos.rhel
ubuntu = provider.enos.ubuntu ubuntu = provider.enos.ubuntu
} }
packages = ["jq"] manage_service = matrix.artifact_type == "bundle"
tags = merge({ vault_install_dir = matrix.artifact_type == "bundle" ? var.vault_install_dir : global.vault_install_dir_packages[matrix.distro]
"Project Name" : var.project_name
"Project" : "Enos",
"Environment" : "ci"
}, var.tags)
vault_license_path = abspath(var.vault_license_path != null ? var.vault_license_path : joinpath(path.root, "./support/vault.hclic"))
vault_install_dir_packages = {
rhel = "/bin"
ubuntu = "/usr/bin"
}
vault_install_dir = matrix.artifact_type == "bundle" ? var.vault_install_dir : local.vault_install_dir_packages[matrix.distro]
vault_tag_key = "Type" // enos_vault_start expects Type as the tag key
} }
step "get_local_metadata" { step "get_local_metadata" {
@ -76,8 +52,8 @@ scenario "smoke" {
module = "build_${matrix.artifact_source}" module = "build_${matrix.artifact_source}"
variables { variables {
build_tags = var.vault_local_build_tags != null ? var.vault_local_build_tags : local.build_tags[matrix.edition] build_tags = var.vault_local_build_tags != null ? var.vault_local_build_tags : global.build_tags[matrix.edition]
bundle_path = local.bundle_path artifact_path = local.artifact_path
goarch = matrix.arch goarch = matrix.arch
goos = "linux" goos = "linux"
artifactory_host = matrix.artifact_source == "artifactory" ? var.artifactory_host : null artifactory_host = matrix.artifact_source == "artifactory" ? var.artifactory_host : null
@ -101,7 +77,7 @@ scenario "smoke" {
module = module.create_vpc module = module.create_vpc
variables { variables {
common_tags = local.tags common_tags = global.tags
} }
} }
@ -112,7 +88,7 @@ scenario "smoke" {
module = module.read_license module = module.read_license
variables { variables {
file_name = local.backend_license_path file_name = global.backend_license_path
} }
} }
@ -121,7 +97,7 @@ scenario "smoke" {
module = module.read_license module = module.read_license
variables { variables {
file_name = local.vault_license_path file_name = global.vault_license_path
} }
} }
@ -134,10 +110,10 @@ scenario "smoke" {
} }
variables { variables {
ami_id = step.ec2_info.ami_ids[matrix.arch][matrix.distro][local.distro_version[matrix.distro]] ami_id = step.ec2_info.ami_ids[matrix.arch][matrix.distro][global.distro_version[matrix.distro]]
awskms_unseal_key_arn = step.create_vpc.kms_key_arn awskms_unseal_key_arn = step.create_vpc.kms_key_arn
cluster_tag_key = local.vault_tag_key cluster_tag_key = global.vault_tag_key
common_tags = local.tags common_tags = global.tags
vpc_id = step.create_vpc.vpc_id vpc_id = step.create_vpc.vpc_id
} }
} }
@ -153,8 +129,8 @@ scenario "smoke" {
variables { variables {
ami_id = step.ec2_info.ami_ids["arm64"]["ubuntu"]["22.04"] ami_id = step.ec2_info.ami_ids["arm64"]["ubuntu"]["22.04"]
awskms_unseal_key_arn = step.create_vpc.kms_key_arn awskms_unseal_key_arn = step.create_vpc.kms_key_arn
cluster_tag_key = local.backend_tag_key cluster_tag_key = global.backend_tag_key
common_tags = local.tags common_tags = global.tags
vpc_id = step.create_vpc.vpc_id vpc_id = step.create_vpc.vpc_id
} }
} }
@ -171,7 +147,7 @@ scenario "smoke" {
variables { variables {
cluster_name = step.create_vault_cluster_backend_targets.cluster_name cluster_name = step.create_vault_cluster_backend_targets.cluster_name
cluster_tag_key = local.backend_tag_key cluster_tag_key = global.backend_tag_key
license = (matrix.backend == "consul" && var.backend_edition == "ent") ? step.read_backend_license.license : null license = (matrix.backend == "consul" && var.backend_edition == "ent") ? step.read_backend_license.license : null
release = { release = {
edition = var.backend_edition edition = var.backend_edition
@ -197,7 +173,7 @@ scenario "smoke" {
artifactory_release = matrix.artifact_source == "artifactory" ? step.build_vault.vault_artifactory_release : null artifactory_release = matrix.artifact_source == "artifactory" ? step.build_vault.vault_artifactory_release : null
awskms_unseal_key_arn = step.create_vpc.kms_key_arn awskms_unseal_key_arn = step.create_vpc.kms_key_arn
backend_cluster_name = step.create_vault_cluster_backend_targets.cluster_name backend_cluster_name = step.create_vault_cluster_backend_targets.cluster_name
backend_cluster_tag_key = local.backend_tag_key backend_cluster_tag_key = global.backend_tag_key
cluster_name = step.create_vault_cluster_targets.cluster_name cluster_name = step.create_vault_cluster_targets.cluster_name
consul_license = (matrix.backend == "consul" && var.backend_edition == "ent") ? step.read_backend_license.license : null consul_license = (matrix.backend == "consul" && var.backend_edition == "ent") ? step.read_backend_license.license : null
consul_release = matrix.backend == "consul" ? { consul_release = matrix.backend == "consul" ? {
@ -207,8 +183,9 @@ scenario "smoke" {
enable_file_audit_device = var.vault_enable_file_audit_device enable_file_audit_device = var.vault_enable_file_audit_device
install_dir = local.vault_install_dir install_dir = local.vault_install_dir
license = matrix.edition != "oss" ? step.read_vault_license.license : null license = matrix.edition != "oss" ? step.read_vault_license.license : null
local_artifact_path = local.bundle_path local_artifact_path = local.artifact_path
packages = local.packages manage_service = local.manage_service
packages = global.packages
storage_backend = matrix.backend storage_backend = matrix.backend
target_hosts = step.create_vault_cluster_targets.hosts target_hosts = step.create_vault_cluster_targets.hosts
unseal_method = matrix.seal unseal_method = matrix.seal
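Review bot: The new `manage_service` and `vault_install_dir` locals in the `locals` block both switch on `matrix.artifact_type == "bundle"`, but nothing says why package installs are treated differently. If the reason is that the deb/rpm packages install their own service unit and binary location, a comment above them would record it, for example `# Packages bring their own service unit and install path; only bundle installs are managed by the module`. The hunks shown do not confirm that reason, so the wording should be checked against the `vault_cluster` module.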


@ -12,10 +12,16 @@ scenario "upgrade" {
edition = ["oss", "ent", "ent.fips1402", "ent.hsm", "ent.hsm.fips1402"] edition = ["oss", "ent", "ent.fips1402", "ent.hsm", "ent.hsm.fips1402"]
seal = ["awskms", "shamir"] seal = ["awskms", "shamir"]
# Packages are not offered for the oss, ent.fips1402, and ent.hsm.fips1402 editions # Our local builder always creates bundles
exclude { exclude {
edition = ["oss", "ent.fips1402", "ent.hsm.fips1402"] artifact_source = ["local"]
artifact_type = ["package"] artifact_type = ["package"]
}
# HSM and FIPS 140-2 are only supported on amd64
exclude {
arch = ["arm64"]
edition = ["ent.fips1402", "ent.hsm", "ent.hsm.fips1402"]
} }
} }
@ -28,37 +34,13 @@ scenario "upgrade" {
] ]
locals { locals {
backend_license_path = abspath(var.backend_license_path != null ? var.backend_license_path : joinpath(path.root, "./support/consul.hclic")) artifact_path = matrix.artifact_source != "artifactory" ? abspath(var.vault_artifact_path) : null
backend_tag_key = "VaultStorage"
build_tags = {
"oss" = ["ui"]
"ent" = ["ui", "enterprise", "ent"]
"ent.fips1402" = ["ui", "enterprise", "cgo", "hsm", "fips", "fips_140_2", "ent.fips1402"]
"ent.hsm" = ["ui", "enterprise", "cgo", "hsm", "venthsm"]
"ent.hsm.fips1402" = ["ui", "enterprise", "cgo", "hsm", "fips", "fips_140_2", "ent.hsm.fips1402"]
}
bundle_path = matrix.artifact_source != "artifactory" ? abspath(var.vault_artifact_path) : null
distro_version = {
"rhel" = var.rhel_distro_version
"ubuntu" = var.ubuntu_distro_version
}
enos_provider = { enos_provider = {
rhel = provider.enos.rhel rhel = provider.enos.rhel
ubuntu = provider.enos.ubuntu ubuntu = provider.enos.ubuntu
} }
packages = ["jq"] manage_service = matrix.artifact_type == "bundle"
tags = merge({ vault_install_dir = matrix.artifact_type == "bundle" ? var.vault_install_dir : global.vault_install_dir_packages[matrix.distro]
"Project Name" : var.project_name
"Project" : "Enos",
"Environment" : "ci"
}, var.tags)
vault_license_path = abspath(var.vault_license_path != null ? var.vault_license_path : joinpath(path.root, "./support/vault.hclic"))
vault_install_dir_packages = {
rhel = "/bin"
ubuntu = "/usr/bin"
}
vault_install_dir = matrix.artifact_type == "bundle" ? var.vault_install_dir : local.vault_install_dir_packages[matrix.distro]
vault_tag_key = "Type" // enos_vault_start expects Type as the tag key
} }
step "get_local_metadata" { step "get_local_metadata" {
@ -71,8 +53,8 @@ scenario "upgrade" {
module = "build_${matrix.artifact_source}" module = "build_${matrix.artifact_source}"
variables { variables {
build_tags = var.vault_local_build_tags != null ? var.vault_local_build_tags : local.build_tags[matrix.edition] build_tags = var.vault_local_build_tags != null ? var.vault_local_build_tags : global.build_tags[matrix.edition]
bundle_path = local.bundle_path artifact_path = local.artifact_path
goarch = matrix.arch goarch = matrix.arch
goos = "linux" goos = "linux"
artifactory_host = matrix.artifact_source == "artifactory" ? var.artifactory_host : null artifactory_host = matrix.artifact_source == "artifactory" ? var.artifactory_host : null
@ -96,7 +78,7 @@ scenario "upgrade" {
module = module.create_vpc module = module.create_vpc
variables { variables {
common_tags = local.tags common_tags = global.tags
} }
} }
@ -107,7 +89,7 @@ scenario "upgrade" {
module = module.read_license module = module.read_license
variables { variables {
file_name = local.backend_license_path file_name = global.backend_license_path
} }
} }
@ -116,7 +98,7 @@ scenario "upgrade" {
module = module.read_license module = module.read_license
variables { variables {
file_name = local.vault_license_path file_name = global.vault_license_path
} }
} }
@ -129,10 +111,10 @@ scenario "upgrade" {
} }
variables { variables {
ami_id = step.ec2_info.ami_ids[matrix.arch][matrix.distro][local.distro_version[matrix.distro]] ami_id = step.ec2_info.ami_ids[matrix.arch][matrix.distro][global.distro_version[matrix.distro]]
awskms_unseal_key_arn = step.create_vpc.kms_key_arn awskms_unseal_key_arn = step.create_vpc.kms_key_arn
cluster_tag_key = local.vault_tag_key cluster_tag_key = global.vault_tag_key
common_tags = local.tags common_tags = global.tags
vpc_id = step.create_vpc.vpc_id vpc_id = step.create_vpc.vpc_id
} }
} }
@ -148,8 +130,8 @@ scenario "upgrade" {
variables { variables {
ami_id = step.ec2_info.ami_ids["arm64"]["ubuntu"]["22.04"] ami_id = step.ec2_info.ami_ids["arm64"]["ubuntu"]["22.04"]
awskms_unseal_key_arn = step.create_vpc.kms_key_arn awskms_unseal_key_arn = step.create_vpc.kms_key_arn
cluster_tag_key = local.backend_tag_key cluster_tag_key = global.backend_tag_key
common_tags = local.tags common_tags = global.tags
vpc_id = step.create_vpc.vpc_id vpc_id = step.create_vpc.vpc_id
} }
} }
@ -166,7 +148,7 @@ scenario "upgrade" {
variables { variables {
cluster_name = step.create_vault_cluster_backend_targets.cluster_name cluster_name = step.create_vault_cluster_backend_targets.cluster_name
cluster_tag_key = local.backend_tag_key cluster_tag_key = global.backend_tag_key
license = (matrix.backend == "consul" && var.backend_edition == "ent") ? step.read_backend_license.license : null license = (matrix.backend == "consul" && var.backend_edition == "ent") ? step.read_backend_license.license : null
release = { release = {
edition = var.backend_edition edition = var.backend_edition
@ -191,7 +173,7 @@ scenario "upgrade" {
variables { variables {
awskms_unseal_key_arn = step.create_vpc.kms_key_arn awskms_unseal_key_arn = step.create_vpc.kms_key_arn
backend_cluster_name = step.create_vault_cluster_backend_targets.cluster_name backend_cluster_name = step.create_vault_cluster_backend_targets.cluster_name
backend_cluster_tag_key = local.backend_tag_key backend_cluster_tag_key = global.backend_tag_key
consul_license = (matrix.backend == "consul" && var.backend_edition == "ent") ? step.read_backend_license.license : null consul_license = (matrix.backend == "consul" && var.backend_edition == "ent") ? step.read_backend_license.license : null
cluster_name = step.create_vault_cluster_targets.cluster_name cluster_name = step.create_vault_cluster_targets.cluster_name
consul_release = matrix.backend == "consul" ? { consul_release = matrix.backend == "consul" ? {
@ -201,7 +183,7 @@ scenario "upgrade" {
enable_file_audit_device = var.vault_enable_file_audit_device enable_file_audit_device = var.vault_enable_file_audit_device
install_dir = local.vault_install_dir install_dir = local.vault_install_dir
license = matrix.edition != "oss" ? step.read_vault_license.license : null license = matrix.edition != "oss" ? step.read_vault_license.license : null
packages = local.packages packages = global.packages
release = var.vault_upgrade_initial_release release = var.vault_upgrade_initial_release
storage_backend = matrix.backend storage_backend = matrix.backend
target_hosts = step.create_vault_cluster_targets.hosts target_hosts = step.create_vault_cluster_targets.hosts
@ -259,7 +241,7 @@ scenario "upgrade" {
variables { variables {
vault_api_addr = "http://localhost:8200" vault_api_addr = "http://localhost:8200"
vault_instances = step.create_vault_cluster_targets.hosts vault_instances = step.create_vault_cluster_targets.hosts
vault_local_artifact_path = local.bundle_path vault_local_artifact_path = local.artifact_path
vault_artifactory_release = matrix.artifact_source == "artifactory" ? step.build_vault.vault_artifactory_release : null vault_artifactory_release = matrix.artifact_source == "artifactory" ? step.build_vault.vault_artifactory_release : null
vault_install_dir = local.vault_install_dir vault_install_dir = local.vault_install_dir
vault_unseal_keys = matrix.seal == "shamir" ? step.create_vault_cluster.unseal_keys_hex : null vault_unseal_keys = matrix.seal == "shamir" ? step.create_vault_cluster.unseal_keys_hex : null
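Review bot: The `manage_service` local added to this scenario's `locals` block is not passed to any step in the hunks shown here. `create_vault_cluster` only changes `packages = global.packages`, while the smoke scenario's cluster step also receives `manage_service = local.manage_service`. If the initial cluster is always installed from `var.vault_upgrade_initial_release` as a bundle, the local looks unused and could be dropped. If the upgrade step is meant to handle package artifacts, it probably needs to be wired through, since `install_dir` already resolves to the package directory for `artifact_type = "package"`. Steps outside the visible hunks may reference it, so this needs confirming against the full file.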


@ -66,23 +66,6 @@ locals {
vault_service_user = "vault" vault_service_user = "vault"
} }
resource "enos_remote_exec" "install_packages" {
for_each = {
for idx, host in var.target_hosts : idx => var.target_hosts[idx]
if length(var.packages) > 0
}
content = templatefile("${path.module}/templates/install-packages.sh", {
packages = join(" ", var.packages)
})
transport = {
ssh = {
host = each.value.public_ip
}
}
}
resource "enos_bundle_install" "consul" { resource "enos_bundle_install" "consul" {
for_each = { for_each = {
for idx, host in var.target_hosts : idx => var.target_hosts[idx] for idx, host in var.target_hosts : idx => var.target_hosts[idx]
@ -114,6 +97,26 @@ resource "enos_bundle_install" "vault" {
} }
} }
resource "enos_remote_exec" "install_packages" {
depends_on = [
enos_bundle_install.vault, // Don't race for the package manager locks with vault install
]
for_each = {
for idx, host in var.target_hosts : idx => var.target_hosts[idx]
if length(var.packages) > 0
}
content = templatefile("${path.module}/templates/install-packages.sh", {
packages = join(" ", var.packages)
})
transport = {
ssh = {
host = each.value.public_ip
}
}
}
resource "enos_consul_start" "consul" { resource "enos_consul_start" "consul" {
for_each = enos_bundle_install.consul for_each = enos_bundle_install.consul
@ -269,6 +272,7 @@ resource "enos_vault_unseal" "leader" {
# user on all nodes, since logging will only happen on the leader. # user on all nodes, since logging will only happen on the leader.
resource "enos_remote_exec" "create_audit_log_dir" { resource "enos_remote_exec" "create_audit_log_dir" {
depends_on = [ depends_on = [
enos_bundle_install.vault,
enos_vault_unseal.leader, enos_vault_unseal.leader,
] ]
for_each = toset([ for_each = toset([
@ -392,3 +396,11 @@ resource "enos_remote_exec" "vault_write_license" {
} }
} }
} }
resource "enos_local_exec" "wait_for_install_packages" {
depends_on = [
enos_remote_exec.install_packages,
]
inline = ["true"]
}
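Review bot: The no-op `enos_local_exec.wait_for_install_packages` resource at the end of the file has no comment, and nothing in the visible hunks depends on it, so it reads as dead code. It is presumably a barrier that module outputs or callers reference so they wait for package installation on every host. A comment such as `# No-op barrier: lets dependents wait until install_packages has finished on all hosts` would keep it from being removed by mistake. Separately, the relocated `install_packages` now waits only on `enos_bundle_install.vault`; if `enos_bundle_install.consul` can also go through the package manager, the same lock race would apply and it should be listed in `depends_on` too.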


@ -18,7 +18,7 @@ retries=5
while :; do while :; do
# Find the leader private IP address # Find the leader private IP address
leader_private_ip=$($binpath status -format json | jq '.leader_address | rtrimstr(":8200") | ltrimstr("http://")') leader_private_ip=$($binpath status -format json | jq '.leader_address | rtrimstr(":8200") | ltrimstr("http://")')
match_ip=$(echo $instance_ips |jq -r --argjson ip $leader_private_ip 'map(select(. == $ip))') match_ip=$(echo "$instance_ips" |jq -r --argjson ip "$leader_private_ip" 'map(select(. == $ip))')
if [[ "$leader_private_ip" != 'null' ]] && [[ "$match_ip" != '[]' ]]; then if [[ "$leader_private_ip" != 'null' ]] && [[ "$match_ip" != '[]' ]]; then
echo "$leader_private_ip" | sed 's/\"//g' echo "$leader_private_ip" | sed 's/\"//g'
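Review bot: An empty `leader_private_ip` still passes the test on the `if` line, because it only rejects the literal strings `null` and `[]`. If `$binpath status` prints nothing (for example the server is not listening yet), the now-quoted `--argjson ip ""` makes jq fail and `match_ip` is empty as well. Unless a `set -e` outside this hunk aborts first, the script then echoes an empty address as the leader. Requiring a non-empty match closes that: `if [[ -n "$match_ip" && "$leader_private_ip" != 'null' && "$match_ip" != '[]' ]]; then`. `$binpath` on the line above is also still unquoted, and the retry loop starts and ends outside the hunk.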


@ -2,24 +2,36 @@
# Copyright (c) HashiCorp, Inc. # Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0 # SPDX-License-Identifier: MPL-2.0
set -e set -e
# shellcheck disable=SC2154
binpath=${vault_install_dir}/vault binpath=${vault_install_dir}/vault
fail() { fail() {
echo "$1" 1>&2 echo "$1" 1>&2
return 1 exit 1
} }
test -x "$binpath" || fail "unable to locate vault binary at $binpath" test -x "$binpath" || fail "unable to locate vault binary at $binpath"
export VAULT_ADDR='http://127.0.0.1:8200' export VAULT_ADDR='http://127.0.0.1:8200'
health_status=$(curl http://127.0.0.1:8200/v1/sys/health |jq '.') count=0
unseal_status=$($binpath status -format json | jq -Mr --argjson expected "false" '.sealed == $expected') retries=4
if [[ "$unseal_status" != 'true' ]]; then while :; do
fail "expected ${vault_cluster_addr} to be unsealed, got unseal status: $unseal_status" health_status=$(curl http://127.0.0.1:8200/v1/sys/health |jq '.')
fi unseal_status=$($binpath status -format json | jq -Mr --argjson expected "false" '.sealed == $expected')
if [[ "$unseal_status" == 'true' ]]; then
echo "$health_status"
exit 0
fi
echo $health_status wait=$((2 ** count))
count=$((count + 1))
if [ "$count" -lt "$retries" ]; then
sleep "$wait"
else
# shellcheck disable=SC2154
fail "expected ${vault_cluster_addr} to be unsealed, got unseal status: $unseal_status"
fi
done
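Review bot: The `curl` call inside the new retry loop has no timeout and no `-s`, so a listener that accepts the connection but never answers blocks the loop before the backoff applies, and the progress meter is written to stderr on every attempt. Bounding each attempt fixes both, for example `health_status=$(curl -sS --max-time 5 http://127.0.0.1:8200/v1/sys/health | jq '.')`; the 5-second value is only a suggestion. `$binpath` in the `unseal_status` line is unquoted. Because there is no `pipefail`, a failing `curl` or `vault status` is hidden behind jq's exit status, which is what lets the loop keep retrying under `set -e`; a one-line comment stating that this is intentional would help the next reader.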


@ -85,6 +85,8 @@ function build() {
: "${GO_TAGS:=""}" : "${GO_TAGS:=""}"
: "${REMOVE_SYMBOLS:=""}" : "${REMOVE_SYMBOLS:=""}"
(unset GOOS; unset GOARCH; go generate ./...)
# Build our ldflags # Build our ldflags
msg="--> Building Vault revision $revision, built $build_date" msg="--> Building Vault revision $revision, built $build_date"
@ -127,53 +129,10 @@ function prepare_legal() {
popd popd
} }
# Determine the matrix group number that we'll select for execution. If the # Package version converts a vault version string into a compatible representation for system
# MATRIX_TEST_GROUP environment variable has set then it will always return # packages.
# that value. If has not been set, we will randomly select a number between 1 function version_package() {
# and the value of MATRIX_MAX_TEST_GROUPS. awk '{ gsub("-","~",$1); print $1 }' <<< "$VAULT_VERSION"
function matrix_group_id() {
: "${MATRIX_TEST_GROUP:=""}"
if [ -n "$MATRIX_TEST_GROUP" ]; then
echo "$MATRIX_TEST_GROUP"
return
fi
: "${MATRIX_MAX_TEST_GROUPS:=1}"
awk -v min=1 -v max=$MATRIX_MAX_TEST_GROUPS 'BEGIN{srand(); print int(min+rand()*(max-min+1))}'
}
# Filter matrix file reads in the contents of MATRIX_FILE and filters out
# scenarios that are not in the current test group and/or those that have not
# met minimux or maximum version requirements.
function matrix_filter_file() {
: "${MATRIX_FILE:=""}"
if [ -z "$MATRIX_FILE" ]; then
echo "You must specify the MATRIX_FILE variable for this command" >&2
exit 1
fi
: "${VAULT_MINOR_VERSION:=""}"
if [ -z "$VAULT_MINOR_VERSION" ]; then
echo "You must specify the VAULT_MINOR_VERSION variable for this command" >&2
exit 1
fi
: "${MATRIX_TEST_GROUP:=$(matrix_group_id)}"
local path
local matrix
path=$(readlink -f $MATRIX_FILE)
matrix=$(cat "$path" | jq ".include |
map(. |
select(
((.min_minor_version == null) or (.min_minor_version <= $VAULT_MINOR_VERSION)) and
((.max_minor_version == null) or (.max_minor_version >= $VAULT_MINOR_VERSION)) and
((.test_group == null) or (.test_group == $MATRIX_TEST_GROUP))
)
)"
)
echo "{\"include\":$matrix}" | jq -c .
} }
# Run the CI Helper # Run the CI Helper
@ -197,12 +156,6 @@ function main() {
prepare-legal) prepare-legal)
prepare_legal prepare_legal
;; ;;
matrix-filter-file)
matrix_filter_file
;;
matrix-group-id)
matrix_group_id
;;
revision) revision)
build_revision build_revision
;; ;;