Commit graph

85 commits

Author SHA1 Message Date
Josh Brand c2ae1f1654
Add automated CI account cleanup & monitoring (#18659)
This uses aws-nuke and awslimitchecker to monitor the new vault CI account to clean up and prevent resource quota exhaustion.  AWS-nuke will scan all regions of the accounts for lingering resources enos/terraform didn't clean up, and if they don't match exclusion criteria, delete them every night.  By default, we exclude corp-sec created resources, our own CI resources, and when possible, anything created within the past 72 hours. Because this account is dedicated to CI, users should not expect resources to persist beyond this without additional configuration.
2023-01-11 17:24:08 -05:00
Jaymala 929391b09b
Save release testing metadata only when tests are run (#18540)
Signed-off-by: Jaymala Sinha <jaymala@hashicorp.com>

Signed-off-by: Jaymala Sinha <jaymala@hashicorp.com>
2022-12-23 14:06:42 -05:00
Jaymala e740844789
Persist metadata post release tests (#18531)
Signed-off-by: Jaymala Sinha <jaymala@hashicorp.com>
2022-12-22 22:20:05 +00:00
Luis (LT) Carbonell c1a4a1150f
Add GitHub action to check for a milestone (#18406)
* Add GitHub action to check for a milestone

* Update comment

* Cleanup

* Add config

* move config to own directory
2022-12-19 12:38:41 -06:00
Jaymala 360eaeb865
Fix the checkout sha for enos-run workflow (#18445)
- enos-run workflow will checkout the `main` branch by default, which would pass incorrect metadata to the workflow
so we use the `revision` passed by the calling workflow to checkout the sha and get the relavant metadata`

Signed-off-by: Jaymala Sinha <jaymala@hashicorp.com>

Signed-off-by: Jaymala Sinha <jaymala@hashicorp.com>
2022-12-16 15:19:10 -05:00
Ryan Cragun ebbbcf7e5e
test: normalize job and steps between build and release test workflows (#18425)
Signed-off-by: Ryan Cragun <me@ryan.ec>
2022-12-15 16:10:49 -07:00
Ryan Cragun 3051100e0a
test: pass build artifact name to release testing workflow (#18411)
Signed-off-by: Ryan Cragun <me@ryan.ec>
2022-12-15 11:47:14 -07:00
Sarah Thompson 8940880efd
Revert "Create test-reusable.yml" (#18371)
This reverts commit 131bf240293b0de1c22394b555b3e9878720738f.
2022-12-15 16:01:15 +00:00
Sarah Thompson 55b21f2012
Create test-reusable.yml 2022-12-14 15:27:56 +00:00
Ryan Cragun 0a884689a0
test: add build artifacts to release testing workflow (#18336)
Add build artifacts to release testing workflow

Signed-off-by: Ryan Cragun <me@ryan.ec>
2022-12-13 12:00:58 -07:00
Mike Baum 5b07829941
Fix role name in CI bootstrap workflow (#18330)
Fixed role name in ci bootstrap workflow
2022-12-13 09:20:49 -05:00
Ryan Cragun 0899c4153a
test: fix release testing workflows (#18322)
* Use the correct runner
* Fix indentation

Signed-off-by: Ryan Cragun <me@ryan.ec>
2022-12-12 16:07:16 -07:00
Ryan Cragun bd5d738ad7
[QT-436] Pseudo random artifact test scenarios (#18056)
Introducing a new approach to testing Vault artifacts before merge
and after merge/notorization/signing. Rather than run a few static
scenarios across the artifacts, we now have the ability to run a
pseudo random sample of scenarios across many different build artifacts.

We've added 20 possible scenarios for the AMD64 and ARM64 binary
bundles, which we've broken into five test groups. On any given push to
a pull request branch, we will now choose a random test group and
execute its corresponding scenarios against the resulting build
artifacts. This gives us greater test coverage but lets us split the
verification across many different pull requests.

The post-merge release testing pipeline behaves in a similar fashion,
however, the artifacts that we use for testing have been notarized and
signed prior to testing. We've also reduce the number of groups so that
we run more scenarios after merge to a release branch.

We intend to take what we've learned building this in Github Actions and
roll it into an easier to use feature that is native to Enos. Until then,
we'll have to manually add scenarios to each matrix file and manually
number the test group. It's important to note that Github requires every
matrix to include at least one vector, so every artifact that is being
tested must include a single scenario in order for all workflows to pass
and thus satisfy branch merge requirements.

* Add support for different artifact types to enos-run
* Add support for different runner type to enos-run
* Add arm64 scenarios to build matrix
* Expand build matrices to include different variants
* Update Consul versions in Enos scenarios and matrices
* Refactor enos-run environment
* Add minimum version filtering support to enos-run. This allows us to
  automatically exclude scenarios that require a more recent version of
  Vault
* Add maximum version filtering support to enos-run. This allows us to
  automatically exclude scenarios that require an older version of
  Vault
* Fix Node 12 deprecation warnings
* Rename enos-verify-stable to enos-release-testing-oss
* Convert artifactory matrix into enos-release-testing-oss matrices
* Add all Vault editions to Enos scenario matrices
* Fix verify version with complex Vault edition metadata
* Rename the crt-builder to ci-helper
* Add more version helpers to ci-helper and Makefile
* Update CODEOWNERS for quality team
* Add support for filtering matrices by group and version constraints
* Add support for pseudo random test scenario execution

Signed-off-by: Ryan Cragun <me@ryan.ec>
2022-12-12 13:46:04 -07:00
mcollao-hc 4245c6e51f
Update security-scan.yml 2022-12-06 10:13:57 -06:00
mcollao-hc 009af4458d
Update security-scan.yml 2022-12-06 09:34:06 -06:00
mcollao-hc cbc2ef31f8
Update security-scan.yml 2022-12-05 17:13:52 -06:00
mcollao-hc 571a61af01
Update security-scan.yml 2022-12-05 16:23:37 -06:00
mcollao-hc c660bbc03d
Update security-scan.yml 2022-12-05 16:00:36 -06:00
mcollao-hc a672ebb751
Delete codeql-analysis.yml 2022-12-05 14:28:07 -06:00
Mike Baum cdb6303c4d
[QT-318] Add workflow dispatch trigger for bootstrap workflow, update ssh key name (#18174)
* Added a workflow dispatch trigger for bootstrap workflow, updated ssh key name
* Ensure the bootstrap workflow is only run for PRs that change the bootstrapping code
2022-12-02 14:29:20 -05:00
mcollao-hc 495c503b11
Update security-scan.yml (#18180) 2022-12-01 13:05:21 -06:00
Mike Baum b03da5157e
[QT-318] Add Vault CI bootstrap scenarios (#17907) 2022-11-30 12:44:02 -05:00
mcollao-hc 4129f8a5d0
update semgrep exludes (#18090) 2022-11-22 16:19:35 -05:00
Ryan Cragun 275479cdd9
[QT-353] Use a different approach to branch restrictions (#17998)
Create a new workflow job that is only triggered when all build and
integration workflows have completed. This will allow us to require
branch restrictions on a single workflow.

Of note, we tried to allow docs branches to bypass testing using the
method suggested by Github[0], however, the `branches-ignore`
functionality did not work for the `pull_request` event type. Therefore,
bypassing build and integration workflows for docs branches is no longer
supported.

[0] https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/troubleshooting-required-status-checks#handling-skipped-but-required-checks

Signed-off-by: Ryan Cragun <me@ryan.ec>
2022-11-18 14:43:55 -07:00
mcollao-hc 35adc70f92
pin security-scanner workflow (#18048)
* pin security-scanner workflow

* updated to post-squash commit
2022-11-18 14:04:23 -06:00
mcollao-hc 5ec0d57313
PSP-256 - Add security-scanner tool (#17988)
Add security-scanner tool and github workflow
2022-11-17 17:12:03 -06:00
Hamid Ghaf 13de7e9844
removing setup-go in build.yml as it is unnecessary (#17968) 2022-11-16 13:41:12 -05:00
Ryan Cragun 4c4798417f
[QT-358] Unify CRT and local builder workflows (#17766)
Here we make the following major changes:

* Centralize CRT builder logic into a script utility so that we can share the
  logic for building artifacts in CI or locally.
* Simplify the build workflow by calling a reusable workflow many times
  instead of repeating the contents.
* Create a workflow that validates whether or not the build workflow and all
  child workflows have succeeded to allow for merge protection.

Motivation

* We need branch requirements for the build workflow and all subsequent
  integration tests (QT-353)
* We need to ensure that the Enos local builder works (QT-558)
* Debugging build failures can be difficult because one has to hand craft the
  steps to recreate the build
* Merge conflicts between Vault OSS and Vault ENT build workflows are quite
  painful. As the build workflow must be the same file and name we'll reduce
  what is contained in each that is unique. Implementations of building
  will be unique per edition so we don't have to worry about conflict
  resolution.
* Since we're going to be touching the build workflow to do the first two
  items we might as well try and improve those other issues at the same time
  to reduce the overhead of backports and conflicts.

Considerations

* Build logic for Vault OSS and Vault ENT differs
* The Enos local builder was duplicating a lot of what we did in the CRT build
  workflow
* Version and other artifact metadata has been an issue before. Debugging it
  has been tedious and error prone.
* The build workflow is full of brittle copy and paste that is hard to
  understand, especially for all of the release editions in Vault Enterprise
* Branch check requirements for workflows are incredibly painful to use for
  workflows that are dynamic or change often. The required workflows have to be
  configured in Github settings by administrators. They would also prevent us
  from having simple docs PRs since required integration workflows always have
  to run to satisfy branch requirements.
* Doormat credentials requirements that are coming will require us to modify
  which event types trigger workflows. This changes those ahead of time since
  we're doing so much to build workflow. The only noticeable impact will be
  that the build workflow no longer runs on pushes to non-main or release
  branches. In order to test other branches it requires a workflow_dispatch
  from the Actions tab or a pull request.

Solutions

* Centralize the logic that determines build metadata and creates releasable
  Vault artifacts. Instead of cargo-culting logic multiple times in the build
  workflow and the Enos local modules, we now have a crt-builder script which
  determines build metadata and also handles building the UI, Vault, and the
  package bundle. There are make targets for all of the available sub-commands.
  Now what we use in the pipeline is the same thing as the local builder, and
  it can be executed locally by developers. The crt-builder script works in OSS
  and Enterprise so we will never have to deal with them being divergent or with
  special casing things in the build workflow.
* Refactor the bulk of the Vault building into a reusable workflow that we can
  call multiple times. This allows us to define Vault builds in a much simpler
  manner and makes resolving merge conflicts much easier.
* Rather than trying to maintain a list and manually configure the branch check
  requirements for build, we'll trigger a single workflow that uses the github
  event system to determine if the build workflow (all of the sub-workflows
  included) have passed. We'll then create branch restrictions on that single
  workflow down the line.

Signed-off-by: Ryan Cragun me@ryan.ec
2022-11-11 13:14:43 -07:00
Nick Cabatoff f1c92200b2
Reduce number of places where go version is set (#17762)
Reduce go version references to two: .go_version and @executors.yml.
2022-11-01 15:37:13 -04:00
Mike Baum a7020b3c19
[QT-182] Fix broken k8s workflow for vault-enterprise (#17629) 2022-10-20 16:58:09 -04:00
Jaymala cd5a93fc28
Enos verify stable needs Artifactory variables (#17618)
Signed-off-by: Jaymala Sinha <jaymala@hashicorp.com>

Signed-off-by: Jaymala Sinha <jaymala@hashicorp.com>
2022-10-20 13:35:11 -04:00
Michele Degges a9440d052c
[CI-only] Update RedHat registry tag (#17610)
* [CI-only] Update RedHat registry tag

There are a few changes being made to RedHat's registry on October 20, 2022 that affect the way images need to be tagged prior to being pushed to the registry. This PR changes the tag to conform to the new standard. 

We have other work queued up in crt-workflows-common and actions-docker-build to support the other required changes. 

This PR should be merged to `main` and all release branches on or after October 20, 2022, and MUST be merged before your next production release. Otherwise, the automation to push to the RedHat registry will not work.

----

A detailed list of changes shared from RedHat (as an FYI):

The following changes will occur for container certification projects that leverage the Red Hat hosted registry [[registry.connect.redhat.com](http://registry.connect.redhat.com/)] for image distribution:

- All currently published images are migrating to a NEW, Red Hat hosted quay registry. Partners do not have to do anything for this migration, and this will not impact customers. The registry will still utilize [registry.connect.redhat.com](http://registry.connect.redhat.com/) as the registry URL.

- The registry URL currently used to push, tag, and certify images, as well as the registry login key, will change. You can see these changes under the “Images” tab of the container certification project. You will now see a [quay.io](http://quay.io/) address and will no longer see [scan.connect.redhat.com](http://scan.connect.redhat.com/).

- Partners will have the opportunity to auto-publish images by selecting “Auto-publish” in the Settings tab of your certification project. This will automatically publish images that pass all certification tests.

- For new container image projects, partners will have the option to host within their own chosen image registry while using [registry.connect.redhat.com](http://registry.connect.redhat.com/) as a proxy address. This means the end user can authenticate to the Red Hat registry to pull a partner image without having to provide additional authentication to the partner’s registry.

* docker: update redhat_tag

Co-authored-by: Sam Salisbury <samsalisbury@gmail.com>
2022-10-20 10:32:06 -07:00
Heather Simon e658babb3c
Create remove-labels.yml (#17611) 2022-10-19 12:46:38 -07:00
Mike Baum b4da17a01c
Add an enos scenario to test vault docker images using k8s/kind/helm (#17515)
* Added a scenario to test docker artifacts using the vault helm chart and a kind cluster
* Addedt enos-k8s github workflow
2022-10-19 14:26:31 -04:00
Jaymala 0285dccfd1
Download Enos test artifact only for CRT runs (#17603)
Signed-off-by: Jaymala Sinha <jaymala@hashicorp.com>

Signed-off-by: Jaymala Sinha <jaymala@hashicorp.com>
2022-10-19 12:01:38 -04:00
Jaymala f7fcf0fa7f
Enos verify updates (#17586)
* Enos verify updates

- Update repo dispatch types
- Run Enos verify only on release branches

Signed-off-by: Jaymala Sinha <jaymala@hashicorp.com>

* Update as per review

Signed-off-by: Jaymala Sinha <jaymala@hashicorp.com>

Signed-off-by: Jaymala Sinha <jaymala@hashicorp.com>
2022-10-18 15:14:18 -04:00
Jaymala 787e315004
Add Artifactory build to the matrix (#17353)
* Add Artifactory build to the matrix

Signed-off-by: Jaymala Sinha <jaymala@hashicorp.com>

* Update test scenarios

Signed-off-by: Jaymala Sinha <jaymala@hashicorp.com>

* Fix Terraform format

Signed-off-by: Jaymala Sinha <jaymala@hashicorp.com>

* Updates with verification

Signed-off-by: Jaymala Sinha <jaymala@hashicorp.com>

* Integrate variables from CRT inputs

Signed-off-by: Jaymala Sinha <jaymala@hashicorp.com>

* Latest update to add Artifactory support

Signed-off-by: Jaymala Sinha <jaymala@hashicorp.com>

* Address review feedback

Signed-off-by: Jaymala Sinha <jaymala@hashicorp.com>

* Enable Enos run in CRT workflow

Signed-off-by: Jaymala Sinha <jaymala@hashicorp.com>

* Remove unused variables

Signed-off-by: Jaymala Sinha <jaymala@hashicorp.com>

* Update Artifactory module

Signed-off-by: Jaymala Sinha <jaymala@hashicorp.com>

* Address review feedback

Signed-off-by: Jaymala Sinha <jaymala@hashicorp.com>

Signed-off-by: Jaymala Sinha <jaymala@hashicorp.com>
2022-10-17 19:47:37 -04:00
Violet Hynes adc23f0a77
VAULT-8242 Add automerge functionality to backport (#17506)
* VAULT-8242 Add automerge functionality to backport

* VAULT-8242 remove extra space
2022-10-12 13:59:34 -04:00
Jaymala 2321226d82
Update Vault version verification integration test (#17377)
* Update Vault version verification integration test

Signed-off-by: Jaymala Sinha <jaymala@hashicorp.com>

* Refactor to validate artifact build date

Signed-off-by: Jaymala Sinha <jaymala@hashicorp.com>

* Address review comments

Signed-off-by: Jaymala Sinha <jaymala@hashicorp.com>

* Fix capitalization in variable descriptions

Signed-off-by: Jaymala Sinha <jaymala@hashicorp.com>

Signed-off-by: Jaymala Sinha <jaymala@hashicorp.com>
2022-10-04 16:08:26 -04:00
Mike Palmiotto ff793895c9
build: Update VAULT_BUILD_DATE to use product-metadata job output (#17366)
* Temporarily continue on error retruned from Enos destroy

Signed-off-by: Jaymala Sinha <jaymala@hashicorp.com>
Co-authored-by: Jaymala Sinha <jaymala@hashicorp.com>
2022-09-29 16:55:44 -04:00
Jaymala 2231f588a5
Refactor Enos scenario matrix generation (#17060)
* Refactor Enos scenario matrix generation

* Generate scenario matrix based on artifact edition to test
* Configure Vault license for testing Ent artifact
* Run Autopilot scenario for Ent

Signed-off-by: Jaymala Sinha <jaymala@hashicorp.com>

Cleanup Enos runtime

Signed-off-by: Jaymala Sinha <jaymala@hashicorp.com>

Fix syntax

Signed-off-by: Jaymala Sinha <jaymala@hashicorp.com>

Use script to generate Enos scenario matrix

Signed-off-by: Jaymala Sinha <jaymala@hashicorp.com>

Checkout repo to generate matrix

Signed-off-by: Jaymala Sinha <jaymala@hashicorp.com>

Fix matrix syntax

Signed-off-by: Jaymala Sinha <jaymala@hashicorp.com>

Fix json format

Signed-off-by: Jaymala Sinha <jaymala@hashicorp.com>

Update Enos scenario license condition

Signed-off-by: Jaymala Sinha <jaymala@hashicorp.com>

* Address review feedback

Signed-off-by: Jaymala Sinha <jaymala@hashicorp.com>

* Fix syntax

Signed-off-by: Jaymala Sinha <jaymala@hashicorp.com>

* Update json format for scenario matrix

Signed-off-by: Jaymala Sinha <jaymala@hashicorp.com>

* Address review comments

Signed-off-by: Jaymala Sinha <jaymala@hashicorp.com>

Signed-off-by: Jaymala Sinha <jaymala@hashicorp.com>
2022-09-14 14:17:07 -04:00
Ryan Cragun b1bc8498e8
enos: don't fail fast in enos integration matrix (#16960)
Disable the fail-fast feature for the matrix strategy. This prevents a
single failure to cascade to all jobs in the matrix. This prevents cases
where other jobs fail before they're able to clean up resources.

Signed-off-by: Ryan Cragun <me@ryan.ec>
2022-09-01 13:16:17 -06:00
Ryan Cragun 8407e1074b
[QTI-308] Add Enos integration tests (#16760)
Add our initial Enos integration tests to Vault. The Enos scenario
workflow will automatically be run on branches that are created from the
`hashicorp/vault` repository. See the README.md in ./enos a full description
of how to compose and execute scenarios locally.

* Simplify the metadata build workflow jobs
* Automatically determine the Go version from go.mod
* Add formatting check for Enos integration scenarios
* Add Enos smoke and upgrade integration scenarios
  * Add Consul backend matrix support
  * Add Ubuntu and RHEL distro support
  * Add Vault edition support
  * Add Vault architecture support
  * Add Vault builder support
  * Add Vault Shamir and awskms auto-unseal support
  * Add Raft storage support
  * Add Raft auto-join voter verification
  * Add Vault version verification
  * Add Vault seal verification
  * Add in-place upgrade support for all variants
* Add four scenario variants to CI. These test a maximal distribution of
  the aforementioned variants with the `linux/amd64` Vault install
  bundle.

Signed-off-by: Ryan Cragun <me@ryan.ec>
Co-authored-by: Rebecca Willett <rwillett@hashicorp.com>
Co-authored-by: Jaymala <jaymalasinha@gmail.com>
2022-08-23 13:53:41 -06:00
Christopher Swenson c7c9abff32
Update OSS workflow so not all issues get put in the UI board (#16666)
If we don't guard against pull_request being null, we do a lot of extra
checkout and path filtering, and it ends up putting everything in the UI
board.

I tested this in another repo, and it seems to behave correctly.
2022-08-10 08:53:45 -07:00
Christopher Swenson 8b1a9da460
Update project auto-triage to use new token (#16660) 2022-08-09 19:29:39 -04:00
Christopher Swenson 18d336b16c
Add Open Source project workflow (#16653)
Add Open Source project workflow

This will help us triage open source issues into our various internal
project boards.

I tested this on a separate repo, and it seems to work.
2022-08-09 17:52:07 -04:00
Christopher Swenson 1068a1b528
Update Go to 1.18 (#16522)
Update Go to 1.18

From 1.17.12

1.18.5 was just released, but not all packages have been updated, so I
went with 1.18.4

Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
2022-08-02 10:36:12 -07:00
Steven Clark 101b4b4c1b
Update Go version changelog checker to indicate underscore is required (#16528)
- Bringing back mdlalow's work that was done in ENT to OSS updating our
   filename checks for Go version bumps in the changelog checker
2022-08-02 12:41:14 -04:00
Chris Capurso 3581811289
Update go to version 1.17.12 (#16336)
* update to go 1.17.12

* update changelog entry

* update readme
2022-07-18 16:28:47 -04:00
Steven Clark a97da32b4b
Update Go to 1.17.11 (#15818)
* Update Go to 1.17.11

 See https://go.dev/doc/devel/release#go1.17.minor for release notes
2022-06-06 13:18:24 -04:00