Commit Graph

25 Commits

Author SHA1 Message Date
Sarah Thompson 2ae56bd4ac
cherrypick of a9a4b0b9ff (#22813) 2023-09-06 18:24:39 +01:00
hc-github-team-secure-vault-core 98cb94ba69
backport of commit a2993878f19f1d1f0042f04c36d292634ac26852 (#21219)
Co-authored-by: Sarah Thompson <sthompson@hashicorp.com>
2023-06-14 15:41:54 +01:00
Hamid Ghaf 27bb03bbc0
adding copyright header (#19555)
* adding copyright header

* fix fmt and a test
2023-03-15 09:00:52 -07:00
Ryan Cragun bd5d738ad7
[QT-436] Pseudo random artifact test scenarios (#18056)
Introducing a new approach to testing Vault artifacts before merge
and after merge/notarization/signing. Rather than run a few static
scenarios across the artifacts, we now have the ability to run a
pseudo random sample of scenarios across many different build artifacts.

We've added 20 possible scenarios for the AMD64 and ARM64 binary
bundles, which we've broken into five test groups. On any given push to
a pull request branch, we will now choose a random test group and
execute its corresponding scenarios against the resulting build
artifacts. This gives us greater test coverage but lets us split the
verification across many different pull requests.

The post-merge release testing pipeline behaves in a similar fashion,
however, the artifacts that we use for testing have been notarized and
signed prior to testing. We've also reduced the number of groups so that
we run more scenarios after merge to a release branch.

We intend to take what we've learned building this in GitHub Actions and
roll it into an easier-to-use feature that is native to Enos. Until then,
we'll have to manually add scenarios to each matrix file and manually
number the test group. It's important to note that GitHub requires every
matrix to include at least one vector, so every artifact that is being
tested must include a single scenario in order for all workflows to pass
and thus satisfy branch merge requirements.

* Add support for different artifact types to enos-run
* Add support for different runner type to enos-run
* Add arm64 scenarios to build matrix
* Expand build matrices to include different variants
* Update Consul versions in Enos scenarios and matrices
* Refactor enos-run environment
* Add minimum version filtering support to enos-run. This allows us to
  automatically exclude scenarios that require a more recent version of
  Vault
* Add maximum version filtering support to enos-run. This allows us to
  automatically exclude scenarios that require an older version of
  Vault
* Fix Node 12 deprecation warnings
* Rename enos-verify-stable to enos-release-testing-oss
* Convert artifactory matrix into enos-release-testing-oss matrices
* Add all Vault editions to Enos scenario matrices
* Fix verify version with complex Vault edition metadata
* Rename the crt-builder to ci-helper
* Add more version helpers to ci-helper and Makefile
* Update CODEOWNERS for quality team
* Add support for filtering matrices by group and version constraints
* Add support for pseudo random test scenario execution

Signed-off-by: Ryan Cragun <me@ryan.ec>
2022-12-12 13:46:04 -07:00
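Added example, not code from the Vault repository or from Enos: a Go sketch of the group and version filtering the commit above describes. The scenario and artifact names, the hash-of-commit-SHA group choice and the sample matrix are all constructed for the illustration (the page does not say how the real pipeline picks a group). It also enforces the constraint the message points out: every artifact must keep at least one scenario, otherwise the GitHub Actions matrix is empty and the workflow is rejected.

```go
package main

import (
	"fmt"
	"hash/fnv"
	"sort"
	"strconv"
	"strings"
)

// Scenario is a hypothetical matrix entry (added illustration, not Enos or Vault code).
type Scenario struct {
	Name     string
	Artifact string // e.g. "linux_amd64" (assumed artifact name)
	Group    int    // test group the scenario is assigned to
	MinVer   string // oldest Vault version it supports; "" = no bound
	MaxVer   string // newest Vault version it supports; "" = no bound
}

// verKey turns a plain "major.minor.patch" string into an ordered integer
// (each component below 1000; pre-release suffixes are not handled).
func verKey(v string) (int, error) {
	parts := strings.Split(v, ".")
	key := 0
	for _, p := range parts {
		n, err := strconv.Atoi(p)
		if len(parts) != 3 || err != nil || n < 0 || n >= 1000 {
			return 0, fmt.Errorf("bad version %q", v)
		}
		key = key*1000 + n
	}
	return key, nil
}

// allowed reports whether version key v lies within the scenario's bounds.
func allowed(s Scenario, v int) (bool, error) {
	if s.MinVer != "" {
		lo, err := verKey(s.MinVer)
		if err != nil || v < lo {
			return false, err
		}
	}
	if s.MaxVer != "" {
		hi, err := verKey(s.MaxVer)
		if err != nil || v > hi {
			return false, err
		}
	}
	return true, nil
}

// PickGroup maps a seed onto a group in 1..n. Seeding from the commit SHA is an
// assumption; it keeps a re-run of the same push on the same group.
func PickGroup(seed string, n int) int {
	h := fnv.New32a()
	h.Write([]byte(seed))
	return int(h.Sum32()%uint32(n)) + 1
}

// SelectScenarios returns the scenario names in group that can run against version,
// keyed by artifact; every artifact must keep at least one, or GitHub rejects the matrix.
func SelectScenarios(all []Scenario, group int, version string) (map[string][]string, error) {
	v, err := verKey(version)
	if err != nil {
		return nil, err
	}
	out := map[string][]string{}
	for _, s := range all {
		out[s.Artifact] = out[s.Artifact] // register the artifact even if nothing matches
		if s.Group != group {
			continue
		}
		ok, err := allowed(s, v)
		if err != nil {
			return nil, err
		}
		if ok {
			out[s.Artifact] = append(out[s.Artifact], s.Name)
		}
	}
	for a, names := range out {
		if len(names) == 0 {
			return nil, fmt.Errorf("group %d leaves %s with an empty matrix", group, a)
		}
		sort.Strings(names)
	}
	return out, nil
}

// SampleMatrix is a constructed matrix for the example, not the project's real one.
func SampleMatrix() []Scenario {
	return []Scenario{
		{"smoke_raft", "linux_amd64", 1, "", ""},
		{"upgrade_raft", "linux_amd64", 2, "1.10.0", ""},
		{"autopilot", "linux_amd64", 2, "1.11.0", ""},
		{"upgrade_raft", "linux_arm64", 2, "1.10.0", ""},
		{"legacy_storage", "linux_arm64", 3, "", "1.9.9"},
	}
}
```

With this matrix, SelectScenarios(SampleMatrix(), 2, "1.10.5") keeps upgrade_raft on both artifacts but drops autopilot because it needs 1.11.0, and group 3 fails against any version because linux_amd64 has no group-3 scenario. Surfacing that as an error before the workflow file is generated is cheaper than a rejected run blocking the merge requirement.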
Jaymala 787e315004
Add Artifactory build to the matrix (#17353)
* Add Artifactory build to the matrix

Signed-off-by: Jaymala Sinha <jaymala@hashicorp.com>

* Update test scenarios

Signed-off-by: Jaymala Sinha <jaymala@hashicorp.com>

* Fix Terraform format

Signed-off-by: Jaymala Sinha <jaymala@hashicorp.com>

* Updates with verification

Signed-off-by: Jaymala Sinha <jaymala@hashicorp.com>

* Integrate variables from CRT inputs

Signed-off-by: Jaymala Sinha <jaymala@hashicorp.com>

* Latest update to add Artifactory support

Signed-off-by: Jaymala Sinha <jaymala@hashicorp.com>

* Address review feedback

Signed-off-by: Jaymala Sinha <jaymala@hashicorp.com>

* Enable Enos run in CRT workflow

Signed-off-by: Jaymala Sinha <jaymala@hashicorp.com>

* Remove unused variables

Signed-off-by: Jaymala Sinha <jaymala@hashicorp.com>

* Update Artifactory module

Signed-off-by: Jaymala Sinha <jaymala@hashicorp.com>

* Address review feedback

Signed-off-by: Jaymala Sinha <jaymala@hashicorp.com>

Signed-off-by: Jaymala Sinha <jaymala@hashicorp.com>
2022-10-17 19:47:37 -04:00
Mariano Asselborn 3c6c6df6c9
Enable Iron Bank integration (#17482) 2022-10-11 10:25:58 -04:00
Meggie 9b6dfa4194
Updating the release slack channel (#16949)
* Updating the release slack channel.

* Updating comment too
2022-08-31 13:55:24 -04:00
claire labry eed4bdb050
add a note clarifying to leave website event in oss only (#16687) 2022-08-11 14:41:15 -05:00
Michele Degges 5c4b1cc4ac
[CI-only] Use pattern matching for release_branches (#16375)
Pattern matching was [recently added](https://github.com/hashicorp/crt-orchestrator/pull/51) so that teams no longer have to explicitly list every branch that should trigger the CRT pipeline. This simplifies release preparation: anytime a new release branch is created, it will produce releasable artifacts and exercise the full pipeline.
2022-08-10 11:25:10 -07:00
claire labry 326936b1ef
introduces the post publish website event (#16328) 2022-08-08 16:51:03 +01:00
Chris Capurso 3929d47147
Prep for 1.12 (#15612)
* set sdk version to 1.12.0

* remove 1.7.x and add 1.11.x branches in ci.hcl
2022-05-25 16:18:41 -04:00
Alexander Scheel bd3658912b
Fix value of VAULT_DISABLE_FILE_PERMISSIONS_CHECK (#15438)
This variable doesn't use ParseBool and thus strictly requires "true" as
the value.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-05-17 09:43:01 -04:00
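Added example, not Vault's own code: the commit above contrasts a strict string comparison with strconv.ParseBool, and the Go below models both so the difference is visible on concrete inputs. How Vault actually reads the variable is not shown on this page; StrictTrue stands in for a check of the form os.Getenv(name) == "true", and the input list is constructed.

```go
package main

import (
	"fmt"
	"strconv"
)

// StrictTrue models a check written as os.Getenv(name) == "true": only the
// exact lowercase string "true" is honoured. Added illustration, not Vault code.
func StrictTrue(v string) bool { return v == "true" }

// ParsedTrue models the same check written with strconv.ParseBool, which also
// accepts "1", "t", "T", "TRUE" and "True"; unparsable input counts as false.
func ParsedTrue(v string) bool {
	b, err := strconv.ParseBool(v)
	return err == nil && b
}

// Divergent returns the inputs on which the two checks disagree, i.e. values a
// CI author might set expecting the check to be disabled when it is not.
func Divergent(inputs []string) []string {
	var out []string
	for _, in := range inputs {
		if StrictTrue(in) != ParsedTrue(in) {
			out = append(out, in)
		}
	}
	return out
}

func main() {
	// Constructed inputs: the values people commonly put in CI environment files.
	for _, v := range []string{"true", "1", "TRUE", "True", "t", "yes", ""} {
		fmt.Printf("%-6q strict=%-5v parsebool=%v\n", v, StrictTrue(v), ParsedTrue(v))
	}
}
```

The practical check for a pipeline file is therefore the literal `true`: "1" or "TRUE" would satisfy ParseBool but leave a strict comparison false, so the file permissions check stays enabled and only the later failure reveals the mismatch.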
Alexander Scheel e6ad072542
UBI Containerfile - CRT Enablement (#15272)
* Copy UBI Dockerfile into Vault

This Dockerfile was modeled off of the existing Alpine Dockerfile (in
this repo) and the external Dockerfile from the docker-vault repo:

> https://github.com/hashicorp/docker-vault/blob/master/ubi/Dockerfile

We also import the UBI-specific docker-entrypoint.sh, as certain
RHEL/Alpine changes (like interpreter) require a separate entry script.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add UBI build to CRT pipeline

Also adds workflow_dispatch to the CRT pipeline, to allow manually
triggering CRT from PRs, when desired.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Update Dockerfile

Co-authored-by: Sam Salisbury <samsalisbury@gmail.com>

* Update Dockerfile

Co-authored-by: Sam Salisbury <samsalisbury@gmail.com>

* Update Dockerfile

Co-authored-by: Sam Salisbury <samsalisbury@gmail.com>

* Update Dockerfile

* Update Dockerfile

* Update build.yml

Allow for both push to arbitrary branch plus workflow dispatch, per Newsletter article.

Co-authored-by: Sam Salisbury <samsalisbury@gmail.com>
2022-05-13 11:21:15 -04:00
Jeanne Angeles Franco 6745d79669
Add release metadata config key (#15270) 2022-05-03 20:34:29 -07:00
Michele Degges f731e55c19
[RelAPI Onboarding] Add release API metadata file (#14679)
👋  This PR adds a `.release/release-metadata.hcl` file to the repo. This contains static metadata that will be processed and sent as part of the payload in RelAPI POST requests, which will be sent when staging and production releases are triggered.  

This can be merged now, but will not have any effect until after the RelAPI launch. This will need to be backported to all active release branches, as well. Similar additions are being added across all projects that publish to releases.hashicorp.com.
2022-03-24 18:30:52 -07:00
Michele Degges 528a6847a4
Temporarily turn nvd sec scanning off (#14466) 2022-03-14 10:06:06 -07:00
Ricky Grassmuck dac2a02570
Set service type to notify in systemd unit. (#14385)
Updates the systemd service shipped with Linux packages to `Type=notify`
2022-03-09 08:13:45 -05:00
Hridoy Roy 679b563027
update ci.hcl to remove 1.6.x and add in 1.10.x (#14310) 2022-02-28 15:58:42 -08:00
Sarah Thompson a0d0442dd8
Adding promotion and post publish events to the ci.hcl. (#14128) 2022-02-25 17:12:16 +00:00
mickael-hc 987c846edc
Remove --privileged recommendation from entrypoint script message (#14027)
The use of the `--privileged` [flag](https://docs.docker.com/engine/reference/commandline/run/#options) is not recommended, as it does not adhere to the principle of least privilege.
2022-02-18 16:52:21 -05:00
Sarah Thompson e3304380f4
Turning off binary secret scanning to allow builds to be processed until https://github.com/hashicorp/security-scanner/issues/166 is addressed. (#13920) 2022-02-07 15:31:18 +00:00
hghaf099 b3eb31b4d6
turning go modules to false until jwt cve issue fixed (#13888) 2022-02-03 13:57:47 -05:00
claire labry 2d2e116e1e
add security-scan for CRT (#13627)
* add security-scan

* updating the alpine version

* clean up

* update the alpine version to be more prescriptive
2022-01-31 11:35:25 -05:00
Michele Degges ce163e36bb
Fix for `main`: Add vault revision to --version cmd (#13428) 2021-12-15 11:38:20 -08:00
claire labry b59f8b8b4c
adding CRT to main branch (#13088)
* adding CRT to main branch

* cleanup

* um I don't know how that got removed but here's the fix

* add vault.service

Co-authored-by: Kyle Penfound <kpenfound11@gmail.com>
2021-12-06 11:06:22 -05:00