Commit Graph

15 Commits

Author SHA1 Message Date
Ryan Cragun b19617d955
enos: fix licensing on backported files (#24162)
Signed-off-by: Ryan Cragun <me@ryan.ec>
2023-11-16 12:59:47 -07:00
hc-github-team-secure-vault-core eb1376dc13
backport of commit a46def288f06cff8176399f239f87a2a49ba5dd9 (#23869)
Co-authored-by: Ryan Cragun <me@ryan.ec>
2023-10-26 21:36:50 +00:00
hc-github-team-secure-vault-core 15e85d26df
backport of commit 1b321e3e7ecf487741e722b1c9b224cbe1f3146e (#23413)
Co-authored-by: Ryan Cragun <me@ryan.ec>
2023-09-28 23:33:24 +00:00
Ryan Cragun d2db7fbcdd
Backport [QT-602] Run `proxy` and `agent` test scenarios (#23176) into release/1.14.x (#23302)
* [QT-602] Run `proxy` and `agent` test scenarios (#23176)

Update our `proxy` and `agent` scenarios to support new variants and
perform baseline verification and their scenario specific verification.
We integrate these updated scenarios into the pipeline by adding them
to artifact samples.

We've also improved the reliability of the `autopilot` and `replication`
scenarios by refactoring our IP address gathering. Previously, we'd ask
vault for the primary IP address and use some Terraform logic to determine
followers. The leader IP address gathering script was also implicitly
responsible for ensuring that a found leader was within a given group of
hosts, and thus waiting for a given cluster to have a leader, and also for
doing some arithmetic and outputting `replication` specific output data.
We've broken these responsibilities into individual modules, improved their
error messages, and fixed various races and bugs, including:
* Fix a race between creating the file audit device and installing and starting
  vault in the `replication` scenario.
* Fix how we determine our leader and follower IP addresses. We now query
  vault instead of a prior implementation that inferred the followers and sometimes
  did not allow all nodes to be an expected leader.
* Fix a bug where we'd always always fail on the first wrong condition
  in the `vault_verify_performance_replication` module.

We also performed some maintenance tasks on Enos scenarios  byupdating our
references from `oss` to `ce` to handle the naming and license changes. We
also enabled `shellcheck` linting for enos module scripts.

* Rename `oss` to `ce` for license and naming changes.
* Convert template enos scripts to scripts that take environment
  variables.
* Add `shellcheck` linting for enos module scripts.
* Add additional `backend` and `seal` support to `proxy` and `agent`
  scenarios.
* Update scenarios to include all baseline verification.
* Add `proxy` and `agent` scenarios to artifact samples.
* Remove IP address verification from the `vault_get_cluster_ips`
  modules and implement a new `vault_wait_for_leader` module.
* Determine follower IP addresses by querying vault in the
  `vault_get_cluster_ips` module.
* Move replication specific behavior out of the `vault_get_cluster_ips`
  module and into it's own `replication_data` module.
* Extend initial version support for the `upgrade` and `autopilot`
  scenarios.

We also discovered an issue with undo_logs that has been described in
the VAULT-20259. As such, we've disabled the undo_logs check until
it has been fixed.

* actions: fix actionlint error and linting logic (#23305)

Signed-off-by: Ryan Cragun <me@ryan.ec>
2023-09-27 10:53:12 -06:00
Ryan Cragun 9da2fc4b8b
test: wait for nc to be listening before enabling auditor (#23142) (#23150)
Rather than assuming a short sleep will work, we instead wait until netcat is listening of the socket. We've also configured the netcat listener to persist after the first connection, which allows Vault and us to check the connection without the process closing.

As we implemented this we also ran into AWS issues in us-east-1 and us-west-2, so we've changed our deploy regions until those issues are resolved.

Signed-off-by: Ryan Cragun <me@ryan.ec>
2023-09-18 15:10:37 -06:00
hc-github-team-secure-vault-core f52a686b91
[QT-506] Use enos scenario samples for testing (#22641) (#22933)
Replace our prior implementation of Enos test groups with the new Enos
sampling feature. With this feature we're able to describe which
scenarios and variant combinations are valid for a given artifact and
allow enos to create a valid sample field (a matrix of all compatible
scenarios) and take an observation (select some to run) for us. This
ensures that every valid scenario and variant combination will
now be a candidate for testing in the pipeline. See QT-504[0] for further
details on the Enos sampling capabilities.

Our prior implementation only tested the amd64 and arm64 zip artifacts,
as well as the Docker container. We now include the following new artifacts
in the test matrix:
* CE Amd64 Debian package
* CE Amd64 RPM package
* CE Arm64 Debian package
* CE Arm64 RPM package

Each artifact includes a sample definition for both pre-merge/post-merge
(build) and release testing.

Changes:
* Remove the hand crafted `enos-run-matrices` ci matrix targets and replace
  them with per-artifact samples.
* Use enos sampling to generate different sample groups on all pull
  requests.
* Update the enos scenario matrices to handle HSM and FIPS packages.
* Simplify enos scenarios by using shared globals instead of
  cargo-culted locals.

Note: This will require coordination with vault-enterprise to ensure a
smooth migration to the new system. Integrating new scenarios or
modifying existing scenarios/variants should be much smoother after this
initial migration.

[0] https://github.com/hashicorp/enos/pull/102

Signed-off-by: Ryan Cragun <me@ryan.ec>
Co-authored-by: Ryan Cragun <me@ryan.ec>
2023-09-08 13:31:09 -06:00
hc-github-team-secure-vault-core b4fa55858c
backport of commit 6654c425d2206624ff42cc7b7b92407a5e338311 (#22221)
Co-authored-by: Rebecca Willett <47540675+rebwill@users.noreply.github.com>
2023-08-08 11:11:03 -04:00
hc-github-team-secure-vault-core be67c16299
backport of commit 8d22142a3e9d13435b1a65685317fefba7e2f5b3 (#21421)
Co-authored-by: Ryan Cragun <me@ryan.ec>
2023-06-22 22:14:22 +00:00
hc-github-team-secure-vault-core 7d024b4f4e
backport of commit 2ec5a28f51fe0b5095a0554627fb3295c7f2ccb4 (#21148)
Co-authored-by: Ryan Cragun <me@ryan.ec>
2023-06-12 17:19:46 +00:00
hc-github-team-secure-vault-core 93af7c8756
backport of commit 27621e05d63ae14475e7a5ec8e8f23277d9eeb98 (#21137)
Co-authored-by: Ryan Cragun <me@ryan.ec>
2023-06-12 16:46:11 +00:00
hc-github-team-secure-vault-core 354d49e4eb
backport of commit b0aa808baaf13ca85061bcd20165559c6e8e4553 (#21114)
Co-authored-by: Ryan Cragun <me@ryan.ec>
2023-06-09 13:40:59 -06:00
hc-github-team-secure-vault-core 9a6d09e029
backport of commit 85128585837bcce2cf99f8e1f749c3a4aef204ca (#21032)
Co-authored-by: Jaymala <jaymala@hashicorp.com>
2023-06-06 17:34:55 -04:00
hc-github-team-secure-vault-core 69104f93b8
backport of commit dbe41c4fee5ce88a1f7ce83a64cc3a78116ab1b3 (#21007)
Co-authored-by: Mike Baum <mike.baum@hashicorp.com>
2023-06-06 07:11:15 -04:00
Mike Baum d323aa33df
Backport of audit file changes to release/1.14.x (#20985) 2023-06-05 11:46:59 -04:00
Ryan Cragun a19f7dbda5
[QT-525] enos: use spot instances for Vault targets (#20037)
The previous strategy for provisioning infrastructure targets was to use
the cheapest instances that could reliably perform as Vault cluster
nodes. With this change we introduce a new model for target node
infrastructure. We've replaced on-demand instances for a spot
fleet. While the spot price fluctuates based on dynamic pricing, 
capacity, region, instance type, and platform, cost savings for our
most common combinations range between 20-70%.

This change only includes spot fleet targets for Vault clusters.
We'll be updating our Consul backend bidding in another PR.

* Create a new `vault_cluster` module that handles installation,
  configuration, initializing, and unsealing Vault clusters.
* Create a `target_ec2_instances` module that can provision a group of
  instances on-demand.
* Create a `target_ec2_spot_fleet` module that can bid on a fleet of
  spot instances.
* Extend every Enos scenario to utilize the spot fleet target acquisition
  strategy and the `vault_cluster` module.
* Update our Enos CI modules to handle both the `aws-nuke` permissions
  and also the privileges to provision spot fleets.
* Only use us-east-1 and us-west-2 in our scenario matrices as costs are
  lower than us-west-1.

Signed-off-by: Ryan Cragun <me@ryan.ec>
2023-04-13 15:44:43 -04:00