VAULT-28146: Add IPV6 support to enos scenarios (#27884)

* VAULT-28146: Add IPV6 support to enos scenarios

Add support for testing all raft storage scenarios and variants when
running Vault with IPV6 networking. We retain our previous support for
IPV4 and create a new variant `ip_version` which can be used to
configure the IP version that we wish to test with.

It's important to note that the VPC in IPV6 mode is technically mixed
and that target machines still associate public IPV6 addresses. That
allows us to execute our resources against them from IPV4 networks like
developer machines and CI runners. Despite that, we've taken care to
ensure that only IPV6 addresses are used in IPV6 mode.

Because we previously had assumed the IP Version, Vault address, and
listener ports in so many places, this PR is essentially a rewrite and
removal of those assumptions. There are also a few places where
improvements to scenarios have been included as I encountered them while
working on the IPV6 changes.

Signed-off-by: Ryan Cragun <me@ryan.ec>
Ryan Cragun
2024-07-30 11:00:27 -06:00
committed by GitHub
parent 7049424c16
commit 174da88b9d
102 changed files with 2406 additions and 1605 deletions


@@ -1,5 +1,5 @@
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: BUSL-1.1
// Copyright (c) HashiCorp, Inc.
// SPDX-License-Identifier: BUSL-1.1
scenario "proxy" {
description = <<-EOF
@@ -28,32 +28,39 @@ scenario "proxy" {
consul_version = global.consul_versions
distro = global.distros
edition = global.editions
ip_version = global.ip_versions
seal = global.seals
# Our local builder always creates bundles
// Our local builder always creates bundles
exclude {
artifact_source = ["local"]
artifact_type = ["package"]
}
# PKCS#11 can only be used on ent.hsm and ent.hsm.fips1402.
// PKCS#11 can only be used on ent.hsm and ent.hsm.fips1402.
exclude {
seal = ["pkcs11"]
edition = [for e in matrix.edition : e if !strcontains(e, "hsm")]
}
# arm64 AMIs are not offered for Leap
// arm64 AMIs are not offered for Leap
exclude {
distro = ["leap"]
arch = ["arm64"]
}
# softhsm packages not available for leap/sles. Enos support for softhsm on amzn2 is
# not implemented yet.
// softhsm packages not available for leap/sles. Enos support for softhsm on amzn2 is
// not implemented yet.
exclude {
seal = ["pkcs11"]
distro = ["amzn2", "leap", "sles"]
}
// Testing in IPV6 mode is currently implemented for integrated Raft storage only
exclude {
ip_version = ["6"]
backend = ["consul"]
}
}
terraform_cli = terraform_cli.default
@@ -116,6 +123,7 @@ scenario "proxy" {
variables {
common_tags = global.tags
ip_version = matrix.ip_version
}
}
@@ -223,12 +231,12 @@ scenario "proxy" {
variables {
cluster_name = step.create_vault_cluster_backend_targets.cluster_name
cluster_tag_key = global.backend_tag_key
hosts = step.create_vault_cluster_backend_targets.hosts
license = (matrix.backend == "consul" && matrix.consul_edition == "ent") ? step.read_backend_license.license : null
release = {
edition = matrix.consul_edition
version = matrix.consul_version
}
target_hosts = step.create_vault_cluster_backend_targets.hosts
}
}
@@ -260,6 +268,8 @@ scenario "proxy" {
quality.vault_config_log_level,
quality.vault_init,
quality.vault_license_required_ent,
quality.vault_listener_ipv4,
quality.vault_listener_ipv6,
quality.vault_service_start,
quality.vault_storage_backend_consul,
quality.vault_storage_backend_raft,
@@ -290,7 +300,9 @@ scenario "proxy" {
version = matrix.consul_version
} : null
enable_audit_devices = var.vault_enable_audit_devices
hosts = step.create_vault_cluster_targets.hosts
install_dir = global.vault_install_dir[matrix.artifact_type]
ip_version = matrix.ip_version
license = matrix.edition != "ce" ? step.read_vault_license.license : null
local_artifact_path = local.artifact_path
manage_service = local.manage_service
@@ -298,7 +310,6 @@ scenario "proxy" {
seal_attributes = step.create_seal_key.attributes
seal_type = matrix.seal
storage_backend = matrix.backend
target_hosts = step.create_vault_cluster_targets.hosts
}
}
@@ -318,15 +329,17 @@ scenario "proxy" {
]
variables {
timeout = 120 # seconds
vault_hosts = step.create_vault_cluster_targets.hosts
hosts = step.create_vault_cluster_targets.hosts
ip_version = matrix.ip_version
timeout = 120 // seconds
vault_addr = step.create_vault_cluster.api_addr_localhost
vault_install_dir = global.vault_install_dir[matrix.artifact_type]
vault_root_token = step.create_vault_cluster.root_token
}
}
step "start_vault_proxy" {
module = "vault_proxy"
module = module.vault_proxy
depends_on = [
step.build_vault,
step.create_vault_cluster,
@@ -343,8 +356,10 @@ scenario "proxy" {
]
variables {
hosts = step.create_vault_cluster_targets.hosts
ip_version = matrix.ip_version
vault_addr = step.create_vault_cluster.api_addr_localhost
vault_install_dir = global.vault_install_dir[matrix.artifact_type]
vault_instances = step.create_vault_cluster_targets.hosts
vault_root_token = step.create_vault_cluster.root_token
}
}
@@ -365,7 +380,9 @@ scenario "proxy" {
]
variables {
vault_hosts = step.create_vault_cluster_targets.hosts
hosts = step.create_vault_cluster_targets.hosts
ip_version = matrix.ip_version
vault_addr = step.create_vault_cluster.api_addr_localhost
vault_install_dir = global.vault_install_dir[matrix.artifact_type]
vault_root_token = step.create_vault_cluster.root_token
}
@@ -387,7 +404,8 @@ scenario "proxy" {
]
variables {
vault_instances = step.create_vault_cluster_targets.hosts
hosts = step.create_vault_cluster_targets.hosts
vault_addr = step.create_vault_cluster.api_addr_localhost
vault_edition = matrix.edition
vault_install_dir = global.vault_install_dir[matrix.artifact_type]
vault_product_version = matrix.artifact_source == "local" ? step.get_local_metadata.version : var.vault_product_version
@@ -413,8 +431,9 @@ scenario "proxy" {
]
variables {
hosts = step.create_vault_cluster_targets.hosts
vault_addr = step.create_vault_cluster.api_addr_localhost
vault_install_dir = global.vault_install_dir[matrix.artifact_type]
vault_instances = step.create_vault_cluster_targets.hosts
}
}
@@ -438,9 +457,9 @@ scenario "proxy" {
]
variables {
leader_public_ip = step.get_vault_cluster_ips.leader_public_ip
leader_private_ip = step.get_vault_cluster_ips.leader_private_ip
vault_instances = step.create_vault_cluster_targets.hosts
hosts = step.create_vault_cluster_targets.hosts
leader_host = step.get_vault_cluster_ips.leader_host
vault_addr = step.create_vault_cluster.api_addr_localhost
vault_install_dir = global.vault_install_dir[matrix.artifact_type]
vault_root_token = step.create_vault_cluster.root_token
}
@@ -459,8 +478,10 @@ scenario "proxy" {
verifies = quality.vault_raft_voters
variables {
hosts = step.create_vault_cluster_targets.hosts
ip_version = matrix.ip_version
vault_addr = step.create_vault_cluster.api_addr_localhost
vault_install_dir = global.vault_install_dir[matrix.artifact_type]
vault_instances = step.create_vault_cluster_targets.hosts
vault_root_token = step.create_vault_cluster.root_token
}
}
@@ -481,9 +502,9 @@ scenario "proxy" {
]
variables {
vault_edition = matrix.edition
vault_install_dir = global.vault_install_dir[matrix.artifact_type]
vault_instances = step.create_vault_cluster_targets.hosts
hosts = step.create_vault_cluster_targets.hosts
vault_addr = step.create_vault_cluster.api_addr_localhost
vault_edition = matrix.edition
}
}
@@ -502,7 +523,8 @@ scenario "proxy" {
verifies = quality.vault_secrets_kv_read
variables {
node_public_ips = step.get_vault_cluster_ips.follower_public_ips
hosts = step.get_vault_cluster_ips.follower_hosts
vault_addr = step.create_vault_cluster.api_addr_localhost
vault_install_dir = global.vault_install_dir[matrix.artifact_type]
}
}
@@ -519,7 +541,8 @@ scenario "proxy" {
verifies = quality.vault_ui_assets
variables {
vault_instances = step.create_vault_cluster_targets.hosts
hosts = step.create_vault_cluster_targets.hosts
vault_addr = step.create_vault_cluster.api_addr_localhost
}
}
@@ -535,7 +558,7 @@ scenario "proxy" {
output "hosts" {
description = "The Vault cluster target hosts"
value = step.create_vault_cluster.target_hosts
value = step.create_vault_cluster.hosts
}
output "private_ips" {