Commit graph

198 commits

Author SHA1 Message Date
hc-github-team-secure-vault-core eb1376dc13
backport of commit a46def288f06cff8176399f239f87a2a49ba5dd9 (#23869)
Co-authored-by: Ryan Cragun <me@ryan.ec>
2023-10-26 21:36:50 +00:00
hc-github-team-secure-vault-core cdfe226c03
backport of commit 146653dfef6a5ce45189e473716f1a56b9dbee1d (#23732)
Co-authored-by: Violet Hynes <violet.hynes@hashicorp.com>
2023-10-19 13:19:24 +00:00
hc-github-team-secure-vault-core b7bc7959fb
backport of commit 832c78ee6e950b07646484070691576131c68c38 (#23671) 2023-10-16 16:42:55 +00:00
Hamid Ghaf 1834611e66
adding testonly CI test job (#22439) (#23423)
* adding testonly CI test job

* small instance for testonly tests

* feedback

* shopt

* disable glob expansion

* revert back to a large instance

* fix a mistake
2023-10-09 12:23:43 -07:00
hc-github-team-secure-vault-core 64c865eb26
backport of commit 7d800b1af20de24149817fd735e2001403446ab1 (#23520)
Co-authored-by: Ryan Cragun <me@ryan.ec>
2023-10-04 14:44:02 -06:00
hc-github-team-secure-vault-core 7624576e39
backport of commit 9afd5e52ae31d6c3b7ab6833836647392bb318e6 (#23478)
Co-authored-by: Ryan Cragun <me@ryan.ec>
2023-10-03 19:29:40 +00:00
hc-github-team-secure-vault-core 92997859cd
[VAULT-20630] CI: Use 'ref' (not 'base_ref') as a default git reference to check out code in the test-go GHA workflow (#23458) (#23469)
Co-authored-by: Kuba Wieczorek <kuba.wieczorek@hashicorp.com>
2023-10-03 17:47:44 +00:00
hc-github-team-secure-vault-core 86159f0382
[VAULT-20630] CI: Fix the CI workflow issue where we check out base ref instead of the ref that triggered the workflow run (#23453) (#23456)
Co-authored-by: Kuba Wieczorek <kuba.wieczorek@hashicorp.com>
2023-10-03 14:29:31 +01:00
hc-github-team-secure-vault-core fb88d3e4ec
backport of commit 7725117846a47dbd4faeecefa03c181251cbb371 (#23326)
Co-authored-by: Ryan Cragun <me@ryan.ec>
2023-09-27 12:59:02 -06:00
Ryan Cragun d2db7fbcdd
Backport [QT-602] Run proxy and agent test scenarios (#23176) into release/1.14.x (#23302)
* [QT-602] Run `proxy` and `agent` test scenarios (#23176)

Update our `proxy` and `agent` scenarios to support new variants and
perform baseline verification and their scenario specific verification.
We integrate these updated scenarios into the pipeline by adding them
to artifact samples.

We've also improved the reliability of the `autopilot` and `replication`
scenarios by refactoring our IP address gathering. Previously, we'd ask
vault for the primary IP address and use some Terraform logic to determine
followers. The leader IP address gathering script was also implicitly
responsible for ensuring that a found leader was within a given group of
hosts, and thus waiting for a given cluster to have a leader, and also for
doing some arithmetic and outputting `replication` specific output data.
We've broken these responsibilities into individual modules, improved their
error messages, and fixed various races and bugs, including:
* Fix a race between creating the file audit device and installing and starting
  vault in the `replication` scenario.
* Fix how we determine our leader and follower IP addresses. We now query
  vault instead of a prior implementation that inferred the followers and sometimes
  did not allow all nodes to be an expected leader.
* Fix a bug where we'd always always fail on the first wrong condition
  in the `vault_verify_performance_replication` module.

We also performed some maintenance tasks on Enos scenarios  byupdating our
references from `oss` to `ce` to handle the naming and license changes. We
also enabled `shellcheck` linting for enos module scripts.

* Rename `oss` to `ce` for license and naming changes.
* Convert template enos scripts to scripts that take environment
  variables.
* Add `shellcheck` linting for enos module scripts.
* Add additional `backend` and `seal` support to `proxy` and `agent`
  scenarios.
* Update scenarios to include all baseline verification.
* Add `proxy` and `agent` scenarios to artifact samples.
* Remove IP address verification from the `vault_get_cluster_ips`
  modules and implement a new `vault_wait_for_leader` module.
* Determine follower IP addresses by querying vault in the
  `vault_get_cluster_ips` module.
* Move replication specific behavior out of the `vault_get_cluster_ips`
  module and into it's own `replication_data` module.
* Extend initial version support for the `upgrade` and `autopilot`
  scenarios.

We also discovered an issue with undo_logs that has been described in
the VAULT-20259. As such, we've disabled the undo_logs check until
it has been fixed.

* actions: fix actionlint error and linting logic (#23305)

Signed-off-by: Ryan Cragun <me@ryan.ec>
2023-09-27 10:53:12 -06:00
hc-github-team-secure-vault-core 0ce888e5a4
backport of commit 9a7de066a9013e13c5c38eb7f30aae5544b28089 (#22983)
Co-authored-by: Ryan Cragun <me@ryan.ec>
2023-09-11 21:23:55 +00:00
Ryan Cragun 3b5636d911
test: don't use actions-set-product-version in release testing (#22948) (#22951)
Signed-off-by: Ryan Cragun <me@ryan.ec>
2023-09-08 16:57:15 -06:00
hc-github-team-secure-vault-core f52a686b91
[QT-506] Use enos scenario samples for testing (#22641) (#22933)
Replace our prior implementation of Enos test groups with the new Enos
sampling feature. With this feature we're able to describe which
scenarios and variant combinations are valid for a given artifact and
allow enos to create a valid sample field (a matrix of all compatible
scenarios) and take an observation (select some to run) for us. This
ensures that every valid scenario and variant combination will
now be a candidate for testing in the pipeline. See QT-504[0] for further
details on the Enos sampling capabilities.

Our prior implementation only tested the amd64 and arm64 zip artifacts,
as well as the Docker container. We now include the following new artifacts
in the test matrix:
* CE Amd64 Debian package
* CE Amd64 RPM package
* CE Arm64 Debian package
* CE Arm64 RPM package

Each artifact includes a sample definition for both pre-merge/post-merge
(build) and release testing.

Changes:
* Remove the hand crafted `enos-run-matrices` ci matrix targets and replace
  them with per-artifact samples.
* Use enos sampling to generate different sample groups on all pull
  requests.
* Update the enos scenario matrices to handle HSM and FIPS packages.
* Simplify enos scenarios by using shared globals instead of
  cargo-culted locals.

Note: This will require coordination with vault-enterprise to ensure a
smooth migration to the new system. Integrating new scenarios or
modifying existing scenarios/variants should be much smoother after this
initial migration.

[0] https://github.com/hashicorp/enos/pull/102

Signed-off-by: Ryan Cragun <me@ryan.ec>
Co-authored-by: Ryan Cragun <me@ryan.ec>
2023-09-08 13:31:09 -06:00
Sarah Thompson 2ae56bd4ac
cherrypick of a9a4b0b9ff (#22813) 2023-09-06 18:24:39 +01:00
hc-github-team-secure-vault-core 8e4c660726
backport of commit a0217ad0174e565d8d33a8d3280a13018198605b (#22548)
Co-authored-by: Nick Cabatoff <ncabatoff@hashicorp.com>
2023-08-24 13:19:12 +00:00
hc-github-team-secure-vault-core a08253d94b
backport of commit 76d8ab6f4371c7920cb0b2e62d66c5e57c6cf46e (#22165)
Co-authored-by: Kuba Wieczorek <kuba.wieczorek@hashicorp.com>
2023-08-02 13:49:27 +00:00
hc-github-team-secure-vault-core 94dc0d67e0
backport of commit 437a7ab9340c9d5e6638570ac37a271e5c1342e5 (#22019)
Co-authored-by: Hamid Ghaf <83242695+hghaf099@users.noreply.github.com>
2023-07-21 17:34:53 +00:00
Hamid Ghaf 191aebca62
use verify changes for docs to skip tests (#21620) (#22017)
* use verify changes for docs to skip tests

* add verify-changes to the needed jobs

* skip go tests for doc/ui only changes

* fix a job ref

* change names, remove script

* remove ui conditions

* separate flags

* feedback
2023-07-21 10:15:14 -07:00
hc-github-team-secure-vault-core ca31f71966
backport of commit 8615b31598e094b1bf083242e76fff74a31daf9a (#22014)
Co-authored-by: Ryan Cragun <me@ryan.ec>
2023-07-21 10:53:07 -06:00
hc-github-team-secure-vault-core cade65423c
backport of commit 02f43ecbc26ec79790f30826f49f97cecda987eb (#21587) (#21996)
* VAULT-17590 Add failure notifications for OSS builds

* VAULT-17590 Incur build failure for testing purposes

* VAULT-17590 head_ref for testing

* VAULT-17590 rework to rely on completed status checks

* VAULT-17590 Use slackapi/slack-github-action

* VAULT-17590 Remember dollar sign

* VAULT-17590 finalize PR

* VAULT-17590 add extra empty line

* Update .github/workflows/build.yml



* Update .github/workflows/ci.yml



* VAULT-17590 fix typo

* VAULT-17590 ent workflow

* VAULT-17590 typo

---------

Co-authored-by: Violet Hynes <violet.hynes@hashicorp.com>
Co-authored-by: Kuba Wieczorek <kuba.wieczorek@hashicorp.com>
2023-07-21 08:50:26 -04:00
hc-github-team-secure-vault-core 83b95d3efe
backport of commit 1a46088afb0d5e442273350c6793d1216b6be4d1 (#21985)
Co-authored-by: Ryan Cragun <me@ryan.ec>
2023-07-20 22:39:29 +00:00
hc-github-team-secure-vault-core 04eed0b14c
backport of commit 6b21994d76b18c91397247dfd69bb01e46c5de25 (#21981)
Co-authored-by: Ryan Cragun <me@ryan.ec>
2023-07-20 20:51:07 +00:00
hc-github-team-secure-vault-core 45af65da81
Backport of Limit number of tests in CI comment into release/1.14.x (#21971)
* backport of commit dc104898f700447f7764919445c7559baeb7e987 (#21853)

* fix multiline

* shellcheck, and success message for builds

* add full path

* cat the summary

* fix and faster

* fix if condition

* base64 in a separate step

* echo

* check against empty string

* add echo

* only use matrix ids

* only id

* echo matrix

* remove wrapping array

* tojson

* try echo again

* use jq to get packages

* don't quote

* only run binary tests once

* only run binary tests once

* test what's wrong with the binary

* separate file

* use matrix file

* failed test

* update comment on success

* correct variable name

* bae64 fix

* output to file

* use multiline

* fix

* fix formatting

* fix newline

* fix whitespace

* correct body, remove comma

* small fixes

* shellcheck

* another shellcheck fix

* fix deprecation checker

* only run comments for prs

* Update .github/workflows/test-go.yml

Co-authored-by: Mike Palmiotto <mike.palmiotto@hashicorp.com>

* Update .github/workflows/test-go.yml

Co-authored-by: Mike Palmiotto <mike.palmiotto@hashicorp.com>

* fixes

---------

Co-authored-by: Mike Palmiotto <mike.palmiotto@hashicorp.com>

* backport of commit 3b00dde1ba4d479fbd67b1d0767e421e495d8cce (#21936)

* limit test comments

* remove unecessary tee

* fix go test condition

* fix

* fail test

* remove ailways entirely

* fix columns

* make a bunch of tests fail

* separate line

* include Failures:

* remove test fails

* fix whitespace

* backport of commit 245430215c00d80a38283020fca114bade022e0f (#21973)

* only add binary tests if they exist

* shellcheck

---------

Co-authored-by: miagilepner <mia.epner@hashicorp.com>
Co-authored-by: Mike Palmiotto <mike.palmiotto@hashicorp.com>
2023-07-20 15:07:20 +02:00
hc-github-team-secure-vault-core 17a6700f6c
backport of commit 4b15fb96b88d633db1ef294d7cc86483df060b2b (#21920)
Co-authored-by: akshya96 <87045294+akshya96@users.noreply.github.com>
2023-07-18 11:15:56 -07:00
hc-github-team-secure-vault-core 32433e9dd7
Go test failure summaries fixes and improvements (#21888) (#21892)
Co-authored-by: Kuba Wieczorek <kuba.wieczorek@hashicorp.com>
2023-07-17 16:13:15 +00:00
hc-github-team-secure-vault-core c08b05506f
backport of commit f3e9d159d325b9e2a3c80b7acf6705303ae04468 (#21891)
Co-authored-by: Hamid Ghaf <83242695+hghaf099@users.noreply.github.com>
2023-07-17 08:08:20 -07:00
hc-github-team-secure-vault-core ca1d99d3a7
backport of commit 384cdd791c5a473374fe1a0f7cb9b9d3f972bcf7 (#21845)
Co-authored-by: akshya96 <87045294+akshya96@users.noreply.github.com>
2023-07-13 18:22:15 -07:00
hc-github-team-secure-vault-core da49fe9db5
backport of commit 20675ccef0944571f17fd06969147fa476fc68ba (#21834)
Co-authored-by: akshya96 <87045294+akshya96@users.noreply.github.com>
2023-07-13 20:08:22 +00:00
hc-github-team-secure-vault-core a7232590e9
VAULT-12958 Add link to logs to the test failure summary in CI (#21736) (#21825)
Co-authored-by: Kuba Wieczorek <kuba.wieczorek@hashicorp.com>
2023-07-13 18:36:30 +00:00
hc-github-team-secure-vault-core e9ee08ec7d
backport of commit 2a05a48016150b4040067ae7b6dc8ab8ba8aa93a (#21816)
Co-authored-by: Rebecca Willett <47540675+rebwill@users.noreply.github.com>
2023-07-13 12:09:34 -04:00
hc-github-team-secure-vault-core ecec77f6f2
backport of commit 702c52148988fc6907b8ee6457accd1536a2c25f (#21781)
Co-authored-by: Mike Palmiotto <mike.palmiotto@hashicorp.com>
2023-07-13 11:23:53 -04:00
hc-github-team-secure-vault-core d2bbc42fcb
backport of commit bfa93fdeda1a998dc9c2a91c5c14424456b6d1d7 (#21782) (#21786)
* use shas instead of versions and fix milestones

* remove trailing space

Co-authored-by: miagilepner <mia.epner@hashicorp.com>
2023-07-13 15:19:21 +02:00
hc-github-team-secure-vault-core 59cbdcda39
[QT-589] Use the go module cache between CI and build (#21764) (#21790)
In order to reliably store Go test times in the Github Actions cache we
need to reduce our cache thrashing by not using more than 10gb over all
of our caches. This change reduces our cache usage significantly by
sharing Go module cache between our Go CI workflows and our build
workflows. We lose our per-builder cache which will result in a bit of
performance hit, but we'll enable better automatic rebalancing of our CI
workflows. Overall we should see a per branch reduction in cache sizes
from ~17gb to ~850mb.

Some preliminary investigation into this new strategy:

Prior build workflow strategy on a cache miss:
  Download modules: ~20s
  Build Vault: ~40s
  Upload cache: ~30s
  Total: ~1m30s

Prior build workflow strategy on a cache hit:
  Download and decompress modules and build cache: ~12s
  Build Vault: ~15s
  Total: ~28s

New build workflow strategy on a cache miss:
  Download modules: ~20
  Build Vault: ~40s
  Upload cache: ~6s
  Total: ~1m6s

New build workflow strategy on a cache hit:
  Download and decompress modules: ~3s
  Build Vault: ~40s
  Total: ~43s

Expected time if we used no Go caching:
  Download modules: ~20
  Build Vault: ~40s
  Total: ~1m

Signed-off-by: Ryan Cragun <me@ryan.ec>
Co-authored-by: Ryan Cragun <me@ryan.ec>
2023-07-12 19:26:00 +00:00
hc-github-team-secure-vault-core e1eb178f1e
backport of commit a29ba45a3a59626bf97e08a48ccac2a5dbd60f96 (#21754)
Co-authored-by: miagilepner <mia.epner@hashicorp.com>
2023-07-11 15:25:44 +00:00
hc-github-team-secure-vault-core 34964e05a9
backport of commit a053c616ba01291fcd3186d77ea63e3b5e4218c4 (#21692)
Co-authored-by: Rebecca Willett <47540675+rebwill@users.noreply.github.com>
2023-07-11 15:08:58 +00:00
hc-github-team-secure-vault-core be5249a6dd
backport of commit ece2995ee1df24341ec1dd0fdcc2fdedc6737806 (#21731)
Co-authored-by: Kuba Wieczorek <kuba.wieczorek@hashicorp.com>
2023-07-10 18:09:52 +00:00
hc-github-team-secure-vault-core d1210427d1
backport of commit 8c18f24b9da475c13f7908e609c5d4be24c773e6 (#21611) (#21615)
* combine into one checker

* combine and simplify ci checks

* add to test package list

* remove testing test

* only run deprecations check

* only run deprecations check

* remove unneeded repo check

* fix bash options

Co-authored-by: miagilepner <mia.epner@hashicorp.com>
2023-07-10 17:05:20 +02:00
hc-github-team-secure-vault-core f881304cc5
backport of commit 5919645a70a12e2675331e0a7ad43238c823738e (#21707)
Co-authored-by: miagilepner <mia.epner@hashicorp.com>
2023-07-10 10:58:05 +00:00
hc-github-team-secure-vault-core 03e6898cfc
backport of commit d18242dae4192b11784e539ef862bcfaf654ec69 (#21698)
Co-authored-by: Violet Hynes <violet.hynes@hashicorp.com>
2023-07-07 20:35:32 +00:00
hc-github-team-secure-vault-core cfa1e9d363
backport of commit 87d37fecb775a5ae82d264f0fc08b613dd733c7c (#21688)
Co-authored-by: Violet Hynes <violet.hynes@hashicorp.com>
2023-07-07 19:56:05 +00:00
hc-github-team-secure-vault-core 9d1592cc93
backport of commit 34d1d200ee5e5547779ee8424c52bb7cf4dcb772 (#21676)
Co-authored-by: Violet Hynes <violet.hynes@hashicorp.com>
2023-07-07 15:35:57 -04:00
hc-github-team-secure-vault-core 93d2fc099f
VAULT-17592 Extract failed Go test results across runners (#21625) (#21672)
Co-authored-by: Kuba Wieczorek <kuba.wieczorek@hashicorp.com>
2023-07-07 18:52:01 +01:00
hc-github-team-secure-vault-core f3f97c9658
backport of commit 95b44add74807bed971638928599b18d302a2ae2 (#21667)
Co-authored-by: Kuba Wieczorek <kuba.wieczorek@hashicorp.com>
2023-07-07 16:43:07 +00:00
Ryan Cragun d1e9b99233
[QT-576] Optimize build workflow (#21486) (#21601)
Improve our build workflow execution time by using custom runners,
improved caching and conditional Web UI builds.

Runners
-------
We improve our build times[0] by using larger custom runners[1] when
building the UI and Vault.

Caching
-------
We improve Vault caching by keeping a cache for each build job. This
strategy has the following properties which should result in faster
build times when `go.sum` hasn't been changed from prior builds, or
when a pull request is retried or updated after a prior successful
build:

* Builds will restore cached Go modules and Go build cache according to
  the Go version, platform, architecture, go tags, and hash of `go.sum`
  that relates to each individual build workflow. This reduces the
  amount of time it will take to download the cache on hits and upload
  the cache on misses.
* Parallel build workflows won't clobber each others build cache. This
  results in much faster compile times after cache hits because the Go
  compiler can reuse the platform, architecture, and tag specific build
  cache that it created on prior runs.
* Older modules and build cache will not be uploaded when creating a new
  cache. This should result in lean cache sizes on an ongoing basis.
* On cache misses we will have to upload our compressed module and build
  cache. This will slightly extend the build time for pull requests that
  modify `go.sum`.

Web UI
------
We no longer build the web UI in every build workflow. Instead we separate
the UI building into its own workflow and cache the resulting assets.
The same UI assets are restored from cache during build worklows. This
strategy has the following properties:

* If the `ui` directory has not changed from prior builds we'll restore
  `http/web_ui` from cache and skip building the UI for no reason.
* We continue to use the built-in `yarn` caching functionality in
  `action/setup-node`. The default mode saves the `yarn` global cache.
  to improve UI build times if the cache has not been modified.

Changes
-------
* Add per platform/archicture Go module and build caching
* Move UI building into a separate job and cache the result
* Restore UI cache during build
* Pin workflows

Notes
-----
[0] https://hashicorp.atlassian.net/browse/QT-578
[1] https://github.com/hashicorp/vault/actions/runs/5415830307/jobs/9844829929

Signed-off-by: Ryan Cragun <me@ryan.ec>
2023-07-05 15:19:49 -06:00
hc-github-team-secure-vault-core a2b98398e1
backport of commit eecae3a827f523a25359068ad6714af8f28c6ced (#21550) (#21556)
Co-authored-by: miagilepner <mia.epner@hashicorp.com>
2023-07-04 17:07:05 +02:00
hc-github-team-secure-vault-core 96f1478944
backport of commit f1c6ab41fc6d90811d1a268465f4d9eb712a58b5 (#21535)
Co-authored-by: Rebecca Willett <47540675+rebwill@users.noreply.github.com>
2023-06-30 15:51:51 -04:00
hc-github-team-secure-vault-core 1c44b797b2
backport of commit 30aac443d0037852b0a5e4b50d59a9bedc5e4445 (#21324)
Co-authored-by: miagilepner <mia.epner@hashicorp.com>
2023-06-16 13:10:36 -04:00
hc-github-team-secure-vault-core 92e2ae8897
backport of commit a1fdf105b3cc2e88483f3fca27729fa06bfbfa7f (#21312)
Co-authored-by: Nick Cabatoff <ncabatoff@hashicorp.com>
2023-06-16 14:41:28 +00:00
hc-github-team-secure-vault-core 6da06be1cf
backport of commit 567917efacd62639103133a7a07efd3076be713b (#21205)
Co-authored-by: Kuba Wieczorek <kuba.wieczorek@hashicorp.com>
2023-06-13 21:07:38 +00:00
Marc Boudreau 6ef35feeb9
update security-scanner version to latest to pickup changes that eliminate use of deprecated GitHub Actions commands (#20690) 2023-05-25 12:09:43 -04:00