diff --git a/.github/enos-run-matrices/artifactory-ent.json b/.github/enos-run-matrices/artifactory-ent.json
deleted file mode 100644
index abbea6eb08..0000000000
--- a/.github/enos-run-matrices/artifactory-ent.json
+++ /dev/null
@@ -1,44 +0,0 @@
-{
- "include": [
- {
- "scenario": "smoke arch:amd64 artifact_source:artifactory backend:consul consul_version:1.13.2 distro:rhel edition:ent seal:awskms artifact_type:bundle",
- "aws_region": "us-east-1"
- },
- {
- "scenario": "smoke arch:amd64 artifact_source:artifactory backend:consul consul_version:1.13.2 distro:ubuntu edition:ent seal:shamir artifact_type:bundle",
- "aws_region": "us-east-2"
- },
- {
- "scenario": "smoke arch:arm64 artifact_source:artifactory backend:raft consul_version:1.11.10 distro:ubuntu edition:ent seal:awskms artifact_type:bundle",
- "aws_region": "us-west-1"
- },
- {
- "scenario": "smoke arch:arm64 artifact_source:artifactory backend:raft consul_version:1.11.10 distro:rhel edition:ent seal:shamir artifact_type:bundle",
- "aws_region": "us-west-2"
- },
- {
- "scenario": "upgrade arch:arm64 artifact_source:artifactory backend:consul consul_version:1.12.5 distro:ubuntu edition:ent seal:shamir artifact_type:bundle",
- "aws_region": "us-west-1"
- },
- {
- "scenario": "upgrade arch:amd64 artifact_source:artifactory backend:consul consul_version:1.13.2 distro:rhel edition:ent seal:awskms artifact_type:bundle",
- "aws_region": "us-west-2"
- },
- {
- "scenario": "upgrade arch:arm64 artifact_source:artifactory backend:raft consul_version:1.12.5 distro:rhel edition:ent seal:shamir artifact_type:bundle",
- "aws_region": "us-east-1"
- },
- {
- "scenario": "upgrade arch:amd64 artifact_source:artifactory backend:raft consul_version:1.13.2 distro:ubuntu edition:ent seal:awskms artifact_type:bundle",
- "aws_region": "us-east-2"
- },
- {
- "scenario": "autopilot arch:amd64 artifact_source:artifactory distro:ubuntu edition:ent seal:awskms artifact_type:bundle",
- "aws_region": "us-west-1"
- },
- {
- "scenario": "autopilot arch:arm64 artifact_source:artifactory distro:rhel edition:ent seal:shamir artifact_type:bundle",
- "aws_region": "us-west-2"
- }
- ]
-}
diff --git a/.github/enos-run-matrices/artifactory-oss.json b/.github/enos-run-matrices/artifactory-oss.json
deleted file mode 100644
index 1a4cf2d0f8..0000000000
--- a/.github/enos-run-matrices/artifactory-oss.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "include": [
- {
- "scenario": "smoke arch:amd64 artifact_source:artifactory backend:consul consul_version:1.13.2 distro:rhel edition:oss seal:awskms artifact_type:bundle",
- "aws_region": "us-east-1"
- },
- {
- "scenario": "smoke arch:amd64 artifact_source:artifactory backend:consul consul_version:1.12.5 distro:ubuntu edition:oss seal:shamir artifact_type:bundle",
- "aws_region": "us-east-2"
- },
- {
- "scenario": "smoke arch:arm64 artifact_source:artifactory backend:raft consul_version:1.11.10 distro:ubuntu edition:oss seal:awskms artifact_type:bundle",
- "aws_region": "us-west-1"
- },
- {
- "scenario": "smoke arch:arm64 artifact_source:artifactory backend:raft consul_version:1.11.10 distro:rhel edition:oss seal:shamir artifact_type:bundle",
- "aws_region": "us-west-2"
- },
- {
- "scenario": "upgrade arch:arm64 artifact_source:artifactory backend:consul consul_version:1.11.10 distro:ubuntu edition:oss seal:shamir artifact_type:bundle",
- "aws_region": "us-west-1"
- },
- {
- "scenario": "upgrade arch:amd64 artifact_source:artifactory backend:consul consul_version:1.13.2 distro:rhel edition:oss seal:awskms artifact_type:bundle",
- "aws_region": "us-west-2"
- },
- {
- "scenario": "upgrade arch:arm64 artifact_source:artifactory backend:raft consul_version:1.12.5 distro:rhel edition:oss seal:shamir artifact_type:bundle",
- "aws_region": "us-east-1"
- },
- {
- "scenario": "upgrade arch:amd64 artifact_source:artifactory backend:raft consul_version:1.13.2 distro:ubuntu edition:oss seal:awskms artifact_type:bundle",
- "aws_region": "us-east-2"
- }
- ]
-}
diff --git a/.github/enos-run-matrices/build-github-oss-linux-amd64-zip.json b/.github/enos-run-matrices/build-github-oss-linux-amd64-zip.json new file mode 100644 index 0000000000..ab09a413ba --- /dev/null +++ b/.github/enos-run-matrices/build-github-oss-linux-amd64-zip.json 
@@ -0,0 +1,54 @@ +{ + "include": [ + { + "scenario": "smoke backend:raft consul_version:1.14.2 distro:ubuntu seal:shamir arch:amd64 artifact_source:crt edition:oss artifact_type:bundle", + "aws_region": "us-west-1", + "test_group": 3 + }, + { + "scenario": "smoke backend:raft consul_version:1.13.4 distro:rhel seal:awskms arch:amd64 artifact_source:crt edition:oss artifact_type:bundle", + "aws_region": "us-west-2", + "test_group": 4 + }, + { + "scenario": "smoke backend:consul consul_version:1.14.2 distro:ubuntu seal:shamir arch:amd64 artifact_source:crt edition:oss artifact_type:bundle", + "aws_region": "us-west-1", + "test_group": 1 + }, + { + "scenario": "smoke backend:consul consul_version:1.13.4 distro:rhel seal:awskms arch:amd64 artifact_source:crt edition:oss artifact_type:bundle", + "aws_region": "us-west-2", + "test_group": 5 + }, + { + "scenario": "smoke backend:consul consul_version:1.12.7 distro:ubuntu seal:shamir arch:amd64 artifact_source:crt edition:oss artifact_type:bundle", + "aws_region": "us-west-1", + "test_group": 2 + }, + { + "scenario": "upgrade backend:raft consul_version:1.14.2 distro:rhel seal:awskms arch:amd64 artifact_source:crt edition:oss artifact_type:bundle", + "aws_region": "us-west-2", + "test_group": 3 + }, + { + "scenario": "upgrade backend:raft consul_version:1.14.2 distro:ubuntu seal:shamir arch:amd64 artifact_source:crt edition:oss artifact_type:bundle", + "aws_region": "us-west-1", + "test_group": 5 + }, + { + "scenario": "upgrade backend:consul consul_version:1.14.2 distro:rhel seal:awskms arch:amd64 artifact_source:crt edition:oss artifact_type:bundle", + "aws_region": "us-west-2", + "test_group": 4 + }, + { + "scenario": "upgrade backend:consul consul_version:1.13.4 distro:ubuntu seal:shamir arch:amd64 artifact_source:crt edition:oss artifact_type:bundle", + "aws_region": "us-west-1", + "test_group": 2 + }, + { + "scenario": "upgrade backend:consul consul_version:1.12.7 distro:rhel seal:awskms arch:amd64 artifact_source:crt 
edition:oss artifact_type:bundle", + "aws_region": "us-west-2", + "test_group": 1 + } + ] +} diff --git a/.github/enos-run-matrices/build-github-oss-linux-arm64-zip.json b/.github/enos-run-matrices/build-github-oss-linux-arm64-zip.json new file mode 100644 index 0000000000..ec951fdd0a --- /dev/null +++ b/.github/enos-run-matrices/build-github-oss-linux-arm64-zip.json 
@@ -0,0 +1,54 @@ +{ + "include": [ + { + "scenario": "smoke backend:raft consul_version:1.13.4 distro:rhel seal:shamir arch:arm64 artifact_source:crt edition:oss artifact_type:bundle", + "aws_region": "us-west-2", + "test_group": 1 + }, + { + "scenario": "smoke backend:raft consul_version:1.14.2 distro:ubuntu seal:awskms arch:arm64 artifact_source:crt edition:oss artifact_type:bundle", + "aws_region": "us-west-1", + "test_group": 2 + }, + { + "scenario": "smoke backend:consul consul_version:1.12.7 distro:ubuntu seal:shamir arch:arm64 artifact_source:crt edition:oss artifact_type:bundle", + "aws_region": "us-west-2", + "test_group": 3 + }, + { + "scenario": "smoke backend:consul consul_version:1.14.2 distro:ubuntu seal:shamir arch:arm64 artifact_source:crt edition:oss artifact_type:bundle", + "aws_region": "us-west-1", + "test_group": 4 + }, + { + "scenario": "smoke backend:consul consul_version:1.13.4 distro:rhel seal:awskms arch:arm64 artifact_source:crt edition:oss artifact_type:bundle", + "aws_region": "us-west-2", + "test_group": 5 + }, + { + "scenario": "upgrade backend:raft consul_version:1.14.2 distro:ubuntu seal:shamir arch:arm64 artifact_source:crt edition:oss artifact_type:bundle", + "aws_region": "us-west-1", + "test_group": 1 + }, + { + "scenario": "upgrade backend:raft consul_version:1.14.2 distro:rhel seal:awskms arch:arm64 artifact_source:crt edition:oss artifact_type:bundle", + "aws_region": "us-west-2", + "test_group": 2 + }, + { + "scenario": "upgrade backend:consul consul_version:1.12.7 distro:rhel seal:awskms arch:arm64 artifact_source:crt edition:oss artifact_type:bundle", + "aws_region": "us-west-1", + "test_group": 3 + }, + { + "scenario": "upgrade backend:consul consul_version:1.13.4 distro:ubuntu seal:shamir arch:arm64 artifact_source:crt edition:oss artifact_type:bundle", + "aws_region": "us-west-2", + "test_group": 4 + }, + { + "scenario": "upgrade backend:consul consul_version:1.14.2 distro:rhel seal:awskms arch:arm64 artifact_source:crt 
edition:oss artifact_type:bundle", + "aws_region": "us-west-1", + "test_group": 5 + } + ] +} diff --git a/.github/enos-run-matrices/crt-ent.json b/.github/enos-run-matrices/crt-ent.json deleted file mode 100644 index 1f61898efe..0000000000 --- a/.github/enos-run-matrices/crt-ent.json +++ /dev/null @@ -1,24 +0,0 @@ -{ - "include": [ - { - "scenario": "smoke backend:consul consul_version:1.13.2 distro:ubuntu seal:awskms arch:amd64 artifact_source:crt edition:ent artifact_type:bundle", - "aws_region": "us-west-1" - }, - { - "scenario": "smoke backend:raft consul_version:1.13.2 distro:ubuntu seal:shamir arch:amd64 artifact_source:crt edition:ent artifact_type:bundle", - "aws_region": "us-west-2" - }, - { - "scenario": "upgrade backend:raft consul_version:1.12.5 distro:rhel seal:shamir arch:amd64 artifact_source:crt edition:ent artifact_type:bundle", - "aws_region": "us-west-1" - }, - { - "scenario": "upgrade backend:consul consul_version:1.12.5 distro:rhel seal:awskms arch:amd64 artifact_source:crt edition:ent artifact_type:bundle", - "aws_region": "us-west-2" - }, - { - "scenario": "autopilot distro:ubuntu seal:shamir arch:amd64 artifact_source:crt edition:ent artifact_type:bundle", - "aws_region": "us-west-1" - } - ] -} diff --git a/.github/enos-run-matrices/crt-oss.json b/.github/enos-run-matrices/crt-oss.json deleted file mode 100644 index 29b303814f..0000000000 --- a/.github/enos-run-matrices/crt-oss.json +++ /dev/null 
@@ -1,20 +0,0 @@ -{ - "include": [ - { - "scenario": "smoke backend:consul consul_version:1.13.2 distro:ubuntu seal:awskms arch:amd64 artifact_source:crt edition:oss artifact_type:bundle", - "aws_region": "us-west-1" - }, - { - "scenario": "smoke backend:raft consul_version:1.13.2 distro:ubuntu seal:shamir arch:amd64 artifact_source:crt edition:oss artifact_type:bundle", - "aws_region": "us-west-2" - }, - { - "scenario": "upgrade backend:raft consul_version:1.12.5 distro:rhel seal:shamir arch:amd64 artifact_source:crt edition:oss artifact_type:bundle", - "aws_region": "us-west-1" - }, - { - "scenario": "upgrade backend:consul consul_version:1.12.5 distro:rhel seal:awskms arch:amd64 artifact_source:crt edition:oss artifact_type:bundle", - "aws_region": "us-west-2" - } - ] -} diff --git a/.github/enos-run-matrices/enos_release_testing_oss-artifactory-oss-linux-amd64-zip.json b/.github/enos-run-matrices/enos_release_testing_oss-artifactory-oss-linux-amd64-zip.json new file mode 100644 index 0000000000..70e5ea1c3c --- /dev/null +++ b/.github/enos-run-matrices/enos_release_testing_oss-artifactory-oss-linux-amd64-zip.json 
@@ -0,0 +1,54 @@ +{ + "include": [ + { + "scenario": "smoke backend:raft consul_version:1.14.2 distro:ubuntu seal:shamir arch:amd64 artifact_source:artifactory edition:oss artifact_type:bundle", + "aws_region": "us-west-1", + "test_group": 2 + }, + { + "scenario": "smoke backend:raft consul_version:1.13.4 distro:rhel seal:awskms arch:amd64 artifact_source:artifactory edition:oss artifact_type:bundle", + "aws_region": "us-west-2", + "test_group": 1 + }, + { + "scenario": "smoke backend:consul consul_version:1.14.2 distro:ubuntu seal:shamir arch:amd64 artifact_source:artifactory edition:oss artifact_type:bundle", + "aws_region": "us-west-1", + "test_group": 2 + }, + { + "scenario": "smoke backend:consul consul_version:1.13.4 distro:rhel seal:awskms arch:amd64 artifact_source:artifactory edition:oss artifact_type:bundle", + "aws_region": "us-west-2", + "test_group": 1 + }, + { + "scenario": "smoke backend:consul consul_version:1.12.7 distro:ubuntu seal:shamir arch:amd64 artifact_source:artifactory edition:oss artifact_type:bundle", + "aws_region": "us-west-1", + "test_group": 2 + }, + { + "scenario": "upgrade backend:raft consul_version:1.14.2 distro:rhel seal:awskms arch:amd64 artifact_source:artifactory edition:oss artifact_type:bundle", + "aws_region": "us-west-2", + "test_group": 1 + }, + { + "scenario": "upgrade backend:raft consul_version:1.14.2 distro:ubuntu seal:shamir arch:amd64 artifact_source:artifactory edition:oss artifact_type:bundle", + "aws_region": "us-west-1", + "test_group": 2 + }, + { + "scenario": "upgrade backend:consul consul_version:1.14.2 distro:rhel seal:awskms arch:amd64 artifact_source:artifactory edition:oss artifact_type:bundle", + "aws_region": "us-west-2", + "test_group": 1 + }, + { + "scenario": "upgrade backend:consul consul_version:1.13.4 distro:ubuntu seal:shamir arch:amd64 artifact_source:artifactory edition:oss artifact_type:bundle", + "aws_region": "us-west-1", + "test_group": 2 + }, + { + "scenario": "upgrade backend:consul 
consul_version:1.12.7 distro:rhel seal:awskms arch:amd64 artifact_source:artifactory edition:oss artifact_type:bundle", + "aws_region": "us-west-2", + "test_group": 1 + } + ] +} diff --git a/.github/enos-run-matrices/enos_release_testing_oss-artifactory-oss-linux-arm64-zip.json b/.github/enos-run-matrices/enos_release_testing_oss-artifactory-oss-linux-arm64-zip.json new file mode 100644 index 0000000000..e6e9edb10f --- /dev/null +++ b/.github/enos-run-matrices/enos_release_testing_oss-artifactory-oss-linux-arm64-zip.json 
@@ -0,0 +1,54 @@ +{ + "include": [ + { + "scenario": "smoke backend:raft consul_version:1.13.4 distro:rhel seal:shamir arch:amd64 artifact_source:artifactory edition:oss artifact_type:bundle", + "aws_region": "us-west-2", + "test_group": 1 + }, + { + "scenario": "smoke backend:raft consul_version:1.14.2 distro:ubuntu seal:awskms arch:amd64 artifact_source:artifactory edition:oss artifact_type:bundle", + "aws_region": "us-west-1", + "test_group": 2 + }, + { + "scenario": "smoke backend:consul consul_version:1.12.7 distro:ubuntu seal:shamir arch:amd64 artifact_source:artifactory edition:oss artifact_type:bundle", + "aws_region": "us-west-1", + "test_group": 1 + }, + { + "scenario": "smoke backend:consul consul_version:1.14.2 distro:ubuntu seal:shamir arch:amd64 artifact_source:artifactory edition:oss artifact_type:bundle", + "aws_region": "us-west-1", + "test_group": 2 + }, + { + "scenario": "smoke backend:consul consul_version:1.13.4 distro:rhel seal:awskms arch:amd64 artifact_source:artifactory edition:oss artifact_type:bundle", + "aws_region": "us-west-2", + "test_group": 1 + }, + { + "scenario": "upgrade backend:raft consul_version:1.14.2 distro:ubuntu seal:shamir arch:amd64 artifact_source:artifactory edition:oss artifact_type:bundle", + "aws_region": "us-west-1", + "test_group": 2 + }, + { + "scenario": "upgrade backend:raft consul_version:1.14.2 distro:rhel seal:awskms arch:amd64 artifact_source:artifactory edition:oss artifact_type:bundle", + "aws_region": "us-west-2", + "test_group": 1 + }, + { + "scenario": "upgrade backend:consul consul_version:1.12.7 distro:rhel seal:awskms arch:amd64 artifact_source:artifactory edition:oss artifact_type:bundle", + "aws_region": "us-west-2", + "test_group": 2 + }, + { + "scenario": "upgrade backend:consul consul_version:1.13.4 distro:ubuntu seal:shamir arch:amd64 artifact_source:artifactory edition:oss artifact_type:bundle", + "aws_region": "us-west-1", + "test_group": 1 + }, + { + "scenario": "upgrade backend:consul 
consul_version:1.14.2 distro:rhel seal:awskms arch:amd64 artifact_source:artifactory edition:oss artifact_type:bundle", + "aws_region": "us-west-2", + "test_group": 2 + } + ] +} diff --git a/.github/workflows/build-vault-oss.yml b/.github/workflows/build-vault-oss.yml index 9dbc363367..1805acb9ef 100644 --- a/.github/workflows/build-vault-oss.yml +++ b/.github/workflows/build-vault-oss.yml @@ -2,7 +2,7 @@ name: build_vault # This workflow is intended to be called by the build workflow for each Vault -# binary that needs to be built and packaged. The crt make targets that are +# binary that needs to be built and packaged. The ci make targets that are # utilized automatically determine build metadata and handle building and # packing vault. @@ -51,23 +51,23 @@ jobs: cache: yarn cache-dependency-path: ui/yarn.lock - name: Build UI - run: make crt-build-ui + run: make ci-build-ui - name: Build Vault env: CGO_ENABLED: ${{ inputs.cgo-enabled }} GOARCH: ${{ inputs.goarch }} GOOS: ${{ inputs.goos }} GO_TAGS: ${{ inputs.go-tags }} - run: make crt-build + run: make ci-build - name: Determine artifact basename env: GOARCH: ${{ inputs.goarch }} GOOS: ${{ inputs.goos }} - run: echo "ARTIFACT_BASENAME=$(make crt-get-artifact-basename)" >> $GITHUB_ENV + run: echo "ARTIFACT_BASENAME=$(make ci-get-artifact-basename)" >> $GITHUB_ENV - name: Bundle Vault env: BUNDLE_PATH: out/${{ env.ARTIFACT_BASENAME }}.zip - run: make crt-bundle + run: make ci-bundle - uses: actions/upload-artifact@v3 with: name: ${{ env.ARTIFACT_BASENAME }}.zip diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index ecb086bf65..68c46b22eb 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
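Review bot: Every scenario in `enos_release_testing_oss-artifactory-oss-linux-arm64-zip.json` selects `arch:amd64`, so the matrix named for arm64 appears to run the amd64 scenarios a second time and leaves the arm64 release bundle untested. The sibling `build-github-oss-linux-arm64-zip.json` added in this same commit uses `arch:arm64` in all ten entries, which suggests these entries should read `arch:arm64` as well. If the amd64 selection is deliberate, the reason belongs in a comment next to the matrix entry in `enos-release-testing-oss.yml`, since the JSON file cannot carry one.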
@@ -19,6 +19,7 @@ jobs: build-date: ${{ steps.get-metadata.outputs.build-date }} filepath: ${{ steps.generate-metadata-file.outputs.filepath }} go-version: ${{ steps.get-metadata.outputs.go-version }} + matrix-test-group: ${{ steps.get-metadata.outputs.matrix-test-group }} package-name: ${{ steps.get-metadata.outputs.package-name }} vault-revision: ${{ steps.get-metadata.outputs.vault-revision }} vault-version: ${{ steps.get-metadata.outputs.vault-version }} @@ -27,13 +28,19 @@ jobs: - uses: actions/checkout@v3 - name: Get metadata id: get-metadata + env: + # MATRIX_MAX_TEST_GROUPS is required to determine the randomly selected + # test group. It should be set to the highest test_group used in the + # enos-run-matrices. + MATRIX_MAX_TEST_GROUPS: 5 run: | - echo "build-date=$(make crt-get-date)" >> $GITHUB_OUTPUT - echo "package-name=${{ env.PKG_NAME }}" >> $GITHUB_OUTPUT + echo "build-date=$(make ci-get-date)" >> $GITHUB_OUTPUT echo "go-version=$(cat ./.go-version)" >> $GITHUB_OUTPUT - echo "vault-base-version=$(make crt-get-version-base)" >> $GITHUB_OUTPUT - echo "vault-revision=$(make crt-get-revision)" >> $GITHUB_OUTPUT - echo "vault-version=$(make crt-get-version)" >> $GITHUB_OUTPUT + echo "matrix-test-group=$(make ci-get-matrix-group-id)" >> $GITHUB_OUTPUT + echo "package-name=${{ env.PKG_NAME }}" >> $GITHUB_OUTPUT + echo "vault-base-version=$(make ci-get-version-base)" >> $GITHUB_OUTPUT + echo "vault-revision=$(make ci-get-revision)" >> $GITHUB_OUTPUT + echo "vault-version=$(make ci-get-version)" >> $GITHUB_OUTPUT - uses: hashicorp/actions-generate-metadata@v1 id: generate-metadata-file with: 
@@ -154,8 +161,8 @@ jobs: zip_artifact_name: ${{ env.PKG_NAME }}_${{ needs.product-metadata.outputs.vault-version }}_linux_${{ matrix.arch }}.zip redhat_tag: quay.io/redhat-isv-containers/5f89bb5e0b94cf64cfeb500a:${{ env.version }}-ubi - enos: - name: Enos + test: + name: Test ${{ matrix.build-artifact-name }} # Only run the Enos workflow against branches that are created from the # hashicorp/vault repository. This has the effect of limiting execution of # Enos scenarios to branches that originate from authors that have write @@ -167,16 +174,24 @@ jobs: - product-metadata - build-linux uses: ./.github/workflows/enos-run.yml + strategy: + fail-fast: false + matrix: + include: + - matrix-file-name: build-github-oss-linux-amd64-zip + build-artifact-name: vault_${{ needs.product-metadata.outputs.vault-version }}_linux_amd64.zip + - matrix-file-name: build-github-oss-linux-arm64-zip + build-artifact-name: vault_${{ needs.product-metadata.outputs.vault-version }}_linux_arm64.zip with: - artifact-build-date: ${{ needs.product-metadata.outputs.build-date }} - artifact-name: vault_${{ needs.product-metadata.outputs.vault-version }}_linux_amd64.zip - artifact-revision: ${{ needs.product-metadata.outputs.vault-revision }} - artifact-source: crt - artifact-version: ${{ needs.product-metadata.outputs.vault-version }} + build-artifact-name: ${{ matrix.build-artifact-name }} + matrix-file-name: ${{ matrix.matrix-file-name }} + matrix-test-group: ${{ needs.product-metadata.outputs.matrix-test-group }} + vault-edition: oss + vault-revision: ${{ needs.product-metadata.outputs.vault-revision }} secrets: inherit - enos-docker-k8s: - name: Enos Docker K8s + test-docker-k8s: + name: Test Docker K8s # Only run the Enos workflow against branches that are created from the # hashicorp/vault repository. This has the effect of limiting execution of # Enos scenarios to branches that originate from authors that have write 
@@ -203,7 +218,7 @@ jobs: - build-darwin - build-docker - build-ubi - - enos - - enos-docker-k8s + - test + - test-docker-k8s steps: - - run: echo "All build and integration workflows have succeeded!" + - run: echo "All build and test workflows have succeeded!" diff --git a/.github/workflows/enos-release-testing-oss.yml b/.github/workflows/enos-release-testing-oss.yml new file mode 100644 index 0000000000..db02e0af34 --- /dev/null +++ b/.github/workflows/enos-release-testing-oss.yml @@ -0,0 +1,43 @@ +name: enos-release-testing-oss + +on: + repository_dispatch: + types: + - enos-release-testing-oss + - enos-release-testing-oss::* + +jobs: + metadata: + if: ${{ startsWith(github.event.client_payload.payload.branch, 'release/') }} + runs-on: ubuntu-default + outputs: + matrix-test-group: ${{ steps.matrix-group.outputs.matrix-test-group }} + steps: + - uses: actions/checkout@v3 + - id: matrix-group + env: + # MATRIX_MAX_TEST_GROUPS is required to determine the randomly selected + # test group. It should be set to the highest test_group used in the + # enos-run-matrices. + MATRIX_MAX_TEST_GROUPS: 2 + run: echo "matrix-test-group=$(make ci-get-matrix-group-id)" >> $GITHUB_OUTPUT + + test: + name: Test ${{ matrix.matrix-file-name }} + if: ${{ startsWith(github.event.client_payload.payload.branch, 'release/') }} + needs: metadata + uses: ./.github/workflows/enos-run.yml + strategy: + fail-fast: false + matrix: + include: + - matrix-file-name: enos_release_testing_oss-artifactory-oss-linux-amd64-zip + test-name: Linux AMD64 Zip + - matrix-file-name: enos_release_testing_oss-artifactory-oss-linux-arm64-zip + test-name: Linux ARM64 Zip + with: + matrix-file-name: ${{ matrix.test-name }} + matrix-test-group: ${{ needs.metadata.outputs.matrix-test-group }} + vault-edition: oss + vault-revision: ${{ github.event.client_payload.payload.sha }} + secrets: inherit diff --git a/.github/workflows/enos-run.yml b/.github/workflows/enos-run.yml index d934b98b3e..a6e02d08e9 100644 
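Review bot: In the `test` job of the new `enos-release-testing-oss.yml`, `matrix-file-name: ${{ matrix.test-name }}` passes the display label (`Linux AMD64 Zip`) where `enos-run.yml` expects the base name of a file under `.github/enos-run-matrices`; the called workflow builds `MATRIX_FILE` from this input, so the path would not resolve to either matrix added here. It should read `matrix-file-name: ${{ matrix.matrix-file-name }}`. The call also omits `build-artifact-name`, which `enos-run.yml` declares `required: true` and uses for `ENOS_VAR_vault_bundle_path`. Because `vault-revision` is taken from `client_payload` and the job runs with `secrets: inherit`, a comment stating which system is allowed to send this dispatch event, plus a format check on the sha before use, would make the trust boundary explicit.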
--- a/.github/workflows/enos-run.yml +++ b/.github/workflows/enos-run.yml 
@@ -2,69 +2,114 @@ name: enos on: - # Only trigger this working using workflow_call. It assumes that secrets are - # being inherited from the caller. + # Only trigger this working using workflow_call. This workflow requires many + # secrets that must be inherited from the caller workflow. workflow_call: inputs: - artifact-build-date: + # The name of the artifact that we're going to use for testing. This should + # match exactly to build artifacts uploaded to Github and Artifactory. + build-artifact-name: + required: true + type: string + # The base name of the file in ./github/enos-run-matrices that we use to + # determine which scenarios to run for the build artifact. + # + # They are named in the format of: + # $caller_workflow_name-$artifact_source-$vault_edition-$platform-$arch-$packing_type + # + # Where each are: + # caller_workflow_name: the Github Actions workflow that is calling + # this one + # artifact_source: where we're getting the artifact from. Either + # "github" or "artifactory" + # vault_edition: which edition of vault that we're testing. e.g. "oss" + # or "ent" + # platform: the vault binary target platform, e.g. "linux" or "macos" + # arch: the vault binary target architecture, e.g. "arm64" or "amd64" + # packing_type: how vault binary is packaged, e.g. "zip", "deb", "rpm" + # + # Examples: + # build-github-oss-linux-amd64-zip + matrix-file-name: + required: true + type: string + # The test group we want to run. This corresponds to the test_group attribute + # defined in the enos-run-matrices files. + matrix-test-group: + default: 0 + type: string + runs-on: + # NOTE: The value should be JSON encoded as that's the only way we can + # pass arrays with workflow_call. + type: string required: false + default: '"ubuntu-latest"' + ssh-key-name: type: string - artifact-name: + default: enos-ci-ssh-key + # Which edition of Vault we're using. e.g. 
"oss", "ent", "ent.hsm.fips1402" + vault-edition: required: true type: string - artifact-revision: + # The Git commit SHA used as the revision when building vault + vault-revision: required: true type: string - artifact-source: - required: false - type: string - artifact-version: - required: true - type: string - -env: - PKG_NAME: vault - ARTIFACT_BUILD_DATE: ${{ inputs.artifact-build-date }} - ARTIFACT_NAME: ${{ inputs.artifact-name }} - ARTIFACT_REVISION: ${{ inputs.artifact-revision }} - ARTIFACT_SOURCE: ${{ inputs.artifact-source }} - ARTIFACT_VERSION: ${{ inputs.artifact-version }} jobs: - # Read Enos scenario matrix file based on artifact-name input to test - read-enos-matrix: - runs-on: ubuntu-latest + metadata: + runs-on: ${{ fromJSON(inputs.runs-on) }} outputs: - enos-scenarios: ${{ steps.enos-matrix.outputs.matrix }} + build-date: ${{ steps.metadata.outputs.build-date }} + matrix: ${{ steps.metadata.outputs.matrix }} + version: ${{ steps.metadata.outputs.version }} + version-minor: ${{ steps.metadata.outputs.matrix }} + env: + # Pass the vault edition as VAULT_METADATA so the CI make targets can create + # values that consider the edition. + VAULT_METADATA: ${{ inputs.vault-edition }} + # Pass in the matrix and matrix group for filtering + MATRIX_FILE: ./.github/enos-run-matrices/${{ inputs.matrix-file-name }}.json + MATRIX_TEST_GROUP: ${{ inputs.matrix-test-group }} steps: - - name: Checkout - uses: actions/checkout@v3 - - name: Create Enos scenario matrix - id: enos-matrix + - uses: actions/checkout@v3 + - id: metadata run: | - [[ ${{ env.ARTIFACT_NAME }} == *"ent"* ]] && scenarioFile=$(cat ./.github/enos-run-matrices/${{ env.ARTIFACT_SOURCE }}-ent.json |jq -c .) || scenarioFile=$(cat ./.github/enos-run-matrices/${{ env.ARTIFACT_SOURCE }}-oss.json |jq -c .) 
- echo "matrix=$scenarioFile" >> $GITHUB_OUTPUT - # Run Integration tests on Enos scenario matrix - enos: - name: Integration - needs: read-enos-matrix + echo "build-date=$(make ci-get-date)" >> $GITHUB_OUTPUT + echo "version=$(make ci-get-version)" >> $GITHUB_OUTPUT + filtered=$(make ci-filter-matrix) + echo "matrix=$(echo $filtered)}" >> $GITHUB_OUTPUT + + # Run the Enos test scenarios + run: + needs: metadata strategy: fail-fast: false # don't fail as that can skip required cleanup steps for jobs - matrix: ${{ fromJson(needs.read-enos-matrix.outputs.enos-scenarios) }} + matrix: ${{ fromJson(needs.metadata.outputs.matrix) }} runs-on: ubuntu-latest env: GITHUB_TOKEN: ${{ secrets.ELEVATED_GITHUB_TOKEN }} + # Pass in enos variables + ENOS_VAR_aws_region: ${{ matrix.aws_region }} + ENOS_VAR_aws_ssh_keypair_name: ${{ inputs.ssh-key-name }} + ENOS_VAR_aws_ssh_private_key_path: ./support/private_key.pem + ENOS_VAR_tfc_api_token: ${{ secrets.TF_API_TOKEN }} + ENOS_VAR_artifactory_username: ${{ secrets.ARTIFACTORY_USER }} + ENOS_VAR_artifactory_token: ${{ secrets.ARTIFACTORY_TOKEN }} + ENOS_VAR_terraform_plugin_cache_dir: ./support/terraform-plugin-cache + ENOS_VAR_vault_build_date: ${{ needs.metadata.outputs.build-date }} + ENOS_VAR_vault_product_version: ${{ needs.metadata.outputs.version }} + ENOS_VAR_vault_revision: ${{ inputs.vault-revision }} + ENOS_VAR_vault_bundle_path: ./support/downloads/${{ inputs.build-artifact-name }} + ENOS_VAR_vault_license_path: ./support/vault.hclic steps: - - name: Checkout - uses: actions/checkout@v3 - - name: Set up Terraform - uses: hashicorp/setup-terraform@v2 + - uses: actions/checkout@v3 + - uses: hashicorp/setup-terraform@v2 with: # the Terraform wrapper will break Terraform execution in Enos because # it changes the output to text when we expect it to be JSON. 
terraform_wrapper: false - - name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@v1 + - uses: aws-actions/configure-aws-credentials@v1-node16 with: aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} 
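Review bot: In the `metadata` job's step, `echo "matrix=$(echo $filtered)}" >> $GITHUB_OUTPUT` appends a literal `}` to the value that the `run` job passes to `fromJson`; unless `ci-filter-matrix` deliberately prints its JSON without the closing brace, the matrix will fail to parse, so the line should probably be `echo "matrix=$(echo $filtered)" >> $GITHUB_OUTPUT`. The job output `version-minor: ${{ steps.metadata.outputs.matrix }}` looks like a copy-paste slip, since it maps to the matrix output and the step never writes a `version-minor` value. The new `runs-on` input is honoured only by `metadata`, while `run` still hard-codes `ubuntu-latest`, which deserves a comment if intended. Finally, `aws-actions/configure-aws-credentials@v1-node16` is a movable ref that receives the AWS keys and role ARN; pinning it to a full commit SHA would limit supply-chain exposure.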
@@ -72,87 +117,39 @@ jobs: role-to-assume: ${{ secrets.AWS_ROLE_ARN }} role-skip-session-tagging: true role-duration-seconds: 3600 - - name: Set up Enos - uses: hashicorp/action-setup-enos@v1 + - uses: hashicorp/action-setup-enos@v1 with: github-token: ${{ secrets.ELEVATED_GITHUB_TOKEN }} - - name: Set up AWS SSH private key + - name: Prepare scenario dependencies run: | - mkdir -p ./enos/support + mkdir -p ./enos/support/terraform-plugin-cache echo "${{ secrets.ENOS_CI_SSH_KEY }}" > ./enos/support/private_key.pem chmod 600 ./enos/support/private_key.pem - - name: Download Linux AMD64 Vault bundle - if: ${{ env.ARTIFACT_SOURCE == 'crt' }} - id: download + - if: contains(inputs.matrix-file-name, 'github') uses: actions/download-artifact@v3 with: - name: ${{ inputs.artifact-name }} + name: ${{ inputs.build-artifact-name }} path: ./enos/support/downloads - - name: unzip Downloaded Vault bundle - if: ${{ env.ARTIFACT_SOURCE == 'crt' }} - run: | - unzip ${{steps.download.outputs.download-path}}/*.zip -d enos/support - mv ${{steps.download.outputs.download-path}}/*.zip enos/support/vault.zip - - name: Prepare for scenario execution - run: | - mkdir -p enos/support/terraform-plugin-cache - [[ ${{ env.ARTIFACT_NAME }} == *"ent"* ]] && echo "${{ secrets.VAULT_LICENSE }}" > ./enos/support/vault.hclic || true + - if: contains(inputs.matrix-file-name, 'ent') + name: Configure Vault license + run: echo "${{ secrets.VAULT_LICENSE }}" > ./enos/support/vault.hclic || true - name: Run Enos scenario id: run # Continue once and retry to handle occasional blips when creating # infrastructure. 
continue-on-error: true - env: - ENOS_VAR_aws_region: ${{ matrix.aws_region }} - ENOS_VAR_aws_ssh_keypair_name: enos-ci-ssh-key - ENOS_VAR_aws_ssh_private_key_path: ./support/private_key.pem - ENOS_VAR_tfc_api_token: ${{ secrets.TF_API_TOKEN }} - ENOS_VAR_artifactory_username: ${{ secrets.ARTIFACTORY_USER }} - ENOS_VAR_artifactory_token: ${{ secrets.ARTIFACTORY_TOKEN }} - ENOS_VAR_terraform_plugin_cache_dir: ./support/terraform-plugin-cache - ENOS_VAR_vault_build_date: ${{ env.ARTIFACT_BUILD_DATE }} - ENOS_VAR_vault_product_version: ${{ env.ARTIFACT_VERSION }} - ENOS_VAR_vault_revision: ${{ env.ARTIFACT_REVISION }} - ENOS_VAR_vault_bundle_path: ./support/vault.zip - run: | - enos scenario run --timeout 60m0s --chdir ./enos ${{ matrix.scenario }} - - name: Retry Enos scenario + run: enos scenario run --timeout 60m0s --chdir ./enos ${{ matrix.scenario }} + - name: Retry Enos scenario if necessary id: run_retry if: steps.run.outcome == 'failure' - env: - ENOS_VAR_aws_region: ${{ matrix.aws_region }} - ENOS_VAR_aws_ssh_keypair_name: enos-ci-ssh-key - ENOS_VAR_aws_ssh_private_key_path: ./support/private_key.pem - ENOS_VAR_tfc_api_token: ${{ secrets.TF_API_TOKEN }} - ENOS_VAR_artifactory_username: ${{ secrets.ARTIFACTORY_USER }} - ENOS_VAR_artifactory_token: ${{ secrets.ARTIFACTORY_TOKEN }} - ENOS_VAR_terraform_plugin_cache_dir: ./support/terraform-plugin-cache - ENOS_VAR_vault_build_date: ${{ env.ARTIFACT_BUILD_DATE }} - ENOS_VAR_vault_product_version: ${{ env.ARTIFACT_VERSION }} - ENOS_VAR_vault_revision: ${{ env.ARTIFACT_REVISION }} - ENOS_VAR_vault_bundle_path: ./support/vault.zip - run: | - enos scenario run --timeout 60m0s --chdir ./enos ${{ matrix.scenario }} - - name: Destroy Enos scenario + run: enos scenario run --timeout 60m0s --chdir ./enos ${{ matrix.scenario }} + - name: Ensure scenario has been destroyed if: ${{ always() }} # With Enos version 0.0.11 the destroy step returns an error if the infrastructure # is already destroyed by enos run. 
So temporarily setting it to continue on error in GHA continue-on-error: true - env: - ENOS_VAR_aws_region: ${{ matrix.aws_region }} - ENOS_VAR_aws_ssh_keypair_name: enos-ci-ssh-key - ENOS_VAR_aws_ssh_private_key_path: ./support/private_key.pem - ENOS_VAR_tfc_api_token: ${{ secrets.TF_API_TOKEN }} - ENOS_VAR_artifactory_username: ${{ secrets.ARTIFACTORY_USER }} - ENOS_VAR_artifactory_token: ${{ secrets.ARTIFACTORY_TOKEN }} - ENOS_VAR_terraform_plugin_cache_dir: ./support/terraform-plugin-cache - ENOS_VAR_vault_build_date: ${{ env.ARTIFACT_BUILD_DATE }} - ENOS_VAR_vault_product_version: ${{ env.ARTIFACT_VERSION }} - ENOS_VAR_vault_revision: ${{ env.ARTIFACT_REVISION }} - ENOS_VAR_vault_bundle_path: ./support/vault.zip - run: | - enos scenario destroy --timeout 60m0s --chdir ./enos ${{ matrix.scenario }} - - name: Cleanup Enos runtime directories + run: enos scenario destroy --timeout 60m0s --chdir ./enos ${{ matrix.scenario }} + - name: Clean up Enos runtime directories if: ${{ always() }} run: | rm -rf /tmp/enos* diff --git a/.github/workflows/enos-verify-stable.yml b/.github/workflows/enos-verify-stable.yml deleted file mode 100644 index 6c0bf19baa..0000000000 --- a/.github/workflows/enos-verify-stable.yml +++ /dev/null @@ -1,19 +0,0 @@ -name: enos-verify-stable - -on: - repository_dispatch: - types: - - enos-verify-stable - - enos-verify-stable::* - -jobs: - enos-verify-stable: - name: Enos verify stable artifact - if: ${{ startsWith(github.event.client_payload.payload.branch, 'release/') }} - uses: ./.github/workflows/enos-run.yml - with: - artifact-source: artifactory - artifact-name: ${{ github.event.client_payload.payload.product }}_${{ github.event.client_payload.payload.version }}_linux_amd64.zip - artifact-revision: ${{ github.event.client_payload.payload.sha }} - artifact-version: ${{ github.event.client_payload.payload.version }} - secrets: inherit diff --git a/.release/ci.hcl b/.release/ci.hcl index 64b5ff8d49..0be4e8ba9b 100644 --- a/.release/ci.hcl 
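Review bot: The `Configure Vault license` step keeps the `|| true` from the old `[[ … ]] && … || true` one-liner, where it covered the non-enterprise case; now that the step is gated by `if:`, it only swallows a failed write of `vault.hclic`, and the failure would surface later inside the scenario instead. The step also expands `${{ secrets.VAULT_LICENSE }}` into the script text, as the SSH key line in the step above does, so any quote, backtick or `$` in the value is parsed by the shell. Passing it through the environment avoids both problems: `env: VAULT_LICENSE: ${{ secrets.VAULT_LICENSE }}` with `run: printf '%s\n' "$VAULT_LICENSE" > ./enos/support/vault.hclic`. `${{ matrix.scenario }}` in the three `enos scenario` commands is expanded the same way and now comes from a filtered JSON file, so those files deserve the same review care as the workflow itself. `contains(inputs.matrix-file-name, 'ent')` is a substring match, so it is worth confirming that no non-enterprise matrix file name contains `ent`.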
+++ b/.release/ci.hcl @@ -175,18 +175,19 @@ event "verify" { } } -event "enos-verify-stable" { +event "enos-release-testing-oss" { depends = ["verify"] - action "enos-verify-stable" { + action "enos-release-testing-oss" { organization = "hashicorp" repository = "vault" - workflow = "enos-verify-stable" + workflow = "enos-release-testing-oss" } notification { on = "fail" } } + ## These events are publish and post-publish events and should be added to the end of the file ## after the verify event stanza. @@ -267,7 +268,7 @@ event "promote-production-packaging" { } # The post-publish-website event should not be merged into the enterprise repo. -# It is for OSS use only. +# It is for OSS use only. event "post-publish-website" { depends = ["promote-production-packaging"] action "post-publish-website" { diff --git a/CODEOWNERS b/CODEOWNERS index 02b581708a..70be9b3ec4 100644 --- a/CODEOWNERS +++ b/CODEOWNERS @@ -39,5 +39,9 @@ /ui/app/routes/vault/cluster/oidc-*.js @austingebauer # Release config; service account is required for automation tooling. -/.release/ @hashicorp/release-engineering @hashicorp/github-secure-vault-core -/.github/workflows/build.yml @hashicorp/release-engineering @hashicorp/github-secure-vault-core +/.release/ @hashicorp/release-engineering @hashicorp/github-secure-vault-core @hashicorp/quality-team +/.github/workflows/build.yml @hashicorp/release-engineering @hashicorp/github-secure-vault-core @hashicorp/quality-team + +# Quality engineering +/.github/ @hashicorp/quality-team +/enos/ @hashicorp/quality-team diff --git a/Makefile b/Makefile index 8bb407b67d..56798035a8 100644 --- a/Makefile +++ b/Makefile 
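Review bot: The added `/.github/ @hashicorp/quality-team` entry sits after the `/.github/workflows/build.yml` entry, and in a CODEOWNERS file the last matching pattern takes precedence, so build.yml would be owned by quality-team alone and the release-engineering and github-secure-vault-core owners listed on the line above would no longer apply to it. Moving the `# Quality engineering` block (`/.github/` and `/enos/`) above the `# Release config` block keeps the more specific build.yml rule last. Because the existing comment says a service account is required for automation tooling, it is worth checking after the reorder that a change to build.yml still requests the release owners.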
@@ -254,48 +254,72 @@ ci-verify: .NOTPARALLEL: ember-dist ember-dist-dev -# These crt targets are used for release builds by .github/workflows/build.yml -# and for artifact_source:local Enos scenario variants. -.PHONY: crt-build -crt-build: - @$(CURDIR)/scripts/crt-builder.sh build +# These ci targets are used for used for building and testing in Github Actions +# workflows and for Enos scenarios. +.PHONY: ci-build +ci-build: + @$(CURDIR)/scripts/ci-helper.sh build -.PHONY: crt-build-ui -crt-build-ui: - @$(CURDIR)/scripts/crt-builder.sh build-ui +.PHONY: ci-build-ui +ci-build-ui: + @$(CURDIR)/scripts/ci-helper.sh build-ui -.PHONY: crt-bundle -crt-bundle: - @$(CURDIR)/scripts/crt-builder.sh bundle +.PHONY: ci-bundle +ci-bundle: + @$(CURDIR)/scripts/ci-helper.sh bundle -.PHONY: crt-get-artifact-basename -crt-get-artifact-basename: - @$(CURDIR)/scripts/crt-builder.sh artifact-basename +.PHONY: ci-filter-matrix +ci-filter-matrix: + @$(CURDIR)/scripts/ci-helper.sh matrix-filter-file -.PHONY: crt-get-date -crt-get-date: - @$(CURDIR)/scripts/crt-builder.sh date +.PHONY: ci-get-artifact-basename +ci-get-artifact-basename: + @$(CURDIR)/scripts/ci-helper.sh artifact-basename -.PHONY: crt-get-revision -crt-get-revision: - @$(CURDIR)/scripts/crt-builder.sh revision +.PHONY: ci-get-date +ci-get-date: + @$(CURDIR)/scripts/ci-helper.sh date -.PHONY: crt-get-version -crt-get-version: - @$(CURDIR)/scripts/crt-builder.sh version +.PHONY: ci-get-matrix-group-id +ci-get-matrix-group-id: + @$(CURDIR)/scripts/ci-helper.sh matrix-group-id -.PHONY: crt-get-version-base -crt-get-version-base: - @$(CURDIR)/scripts/crt-builder.sh version-base +.PHONY: ci-get-revision +ci-get-revision: + @$(CURDIR)/scripts/ci-helper.sh revision -.PHONY: crt-get-version-pre -crt-get-version-pre: - @$(CURDIR)/scripts/crt-builder.sh version-pre +.PHONY: ci-get-version +ci-get-version: + @$(CURDIR)/scripts/ci-helper.sh version -.PHONY: crt-get-version-meta -crt-get-version-meta: - 
@$(CURDIR)/scripts/crt-builder.sh version-meta +.PHONY: ci-get-version-base +ci-get-version-base: + @$(CURDIR)/scripts/ci-helper.sh version-base -.PHONY: crt-prepare-legal -crt-prepare-legal: - @$(CURDIR)/scripts/crt-builder.sh prepare-legal +.PHONY: ci-get-version-major +ci-get-version-major: + @$(CURDIR)/scripts/ci-helper.sh version-major + +.PHONY: ci-get-version-meta +ci-get-version-meta: + @$(CURDIR)/scripts/ci-helper.sh version-meta + +.PHONY: ci-get-version-minor +ci-get-version-minor: + @$(CURDIR)/scripts/ci-helper.sh version-minor + +.PHONY: ci-get-version-package +ci-get-version-package: + @$(CURDIR)/scripts/ci-helper.sh version-package + +.PHONY: ci-get-version-patch +ci-get-version-patch: + @$(CURDIR)/scripts/ci-helper.sh version-patch + +.PHONY: ci-get-version-pre +ci-get-version-pre: + @$(CURDIR)/scripts/ci-helper.sh version-pre + +.PHONY: ci-prepare-legal +ci-prepare-legal: + @$(CURDIR)/scripts/ci-helper.sh prepare-legal diff --git a/enos/enos-scenario-agent.hcl b/enos/enos-scenario-agent.hcl index bccb51f507..aea7ba7376 100644 --- a/enos/enos-scenario-agent.hcl +++ b/enos/enos-scenario-agent.hcl @@ -3,7 +3,7 @@ scenario "agent" { arch = ["amd64", "arm64"] artifact_source = ["local", "crt", "artifactory"] distro = ["ubuntu", "rhel"] - edition = ["oss", "ent"] + edition = ["oss", "ent", "ent.fips1402", "ent.hsm", "ent.hsm.fips1402"] } terraform_cli = terraform_cli.default @@ -16,8 +16,11 @@ scenario "agent" { locals { build_tags = { - "oss" = ["ui"] - "ent" = ["enterprise", "ent"] + "oss" = ["ui"] + "ent" = ["ui", "enterprise", "ent"] + "ent.fips1402" = ["ui", "enterprise", "cgo", "hsm", "fips", "fips_140_2", "ent.fips1402"] + "ent.hsm" = ["ui", "enterprise", "cgo", "hsm", "venthsm"] + "ent.hsm.fips1402" = ["ui", "enterprise", "cgo", "hsm", "fips", "fips_140_2", "ent.hsm.fips1402"] } bundle_path = matrix.artifact_source != "artifactory" ? abspath(var.vault_bundle_path) : null dependencies_to_install = ["jq"] 
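Review bot: The new header comment repeats a phrase (`used for used for`), and the added `ci-filter-matrix` target gives no hint that it needs an environment variable, which `matrix_filter_file` in scripts/ci-helper.sh enforces with an error. I would reword the header to `# These ci targets are used for building and testing in GitHub Actions workflows and for Enos scenarios.` and add `# Requires MATRIX_FILE; MATRIX_TEST_GROUP and MATRIX_MAX_TEST_GROUPS are optional.` above `ci-filter-matrix`.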
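Review bot: The `build_tags` map added in the agent scenario is repeated in the autopilot, smoke and upgrade scenario files in this commit, and none of the copies says where the tag lists come from. These tags presumably decide which binary a local build produces, so a FIPS or HSM edition whose list drifts from the release build would be tested as something other than what ships, and four copies make that drift easy. A comment such as `# Must match the build tags used for the release artifacts of each edition` on the map, or a single shared definition if Enos allows one, would help. `ent.fips1402` carrying the `hsm` tag and `ent.hsm` using `venthsm` rather than its edition name may both be intended, but they are the entries a reader will question.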
diff --git a/enos/enos-scenario-autopilot.hcl b/enos/enos-scenario-autopilot.hcl index 815d28cc3b..996abf795b 100644 --- a/enos/enos-scenario-autopilot.hcl +++ b/enos/enos-scenario-autopilot.hcl @@ -4,7 +4,7 @@ scenario "autopilot" { artifact_source = ["local", "crt", "artifactory"] artifact_type = ["bundle", "package"] distro = ["ubuntu", "rhel"] - edition = ["ent"] + edition = ["ent", "ent.fips1402", "ent.hsm", "ent.hsm.fips1402"] seal = ["awskms", "shamir"] } @@ -18,7 +18,10 @@ scenario "autopilot" { locals { build_tags = { - "ent" = ["enterprise", "ent"] + "ent" = ["ui", "enterprise", "ent"] + "ent.fips1402" = ["ui", "enterprise", "cgo", "hsm", "fips", "fips_140_2", "ent.fips1402"] + "ent.hsm" = ["ui", "enterprise", "cgo", "hsm", "venthsm"] + "ent.hsm.fips1402" = ["ui", "enterprise", "cgo", "hsm", "fips", "fips_140_2", "ent.hsm.fips1402"] } bundle_path = matrix.artifact_source != "artifactory" ? abspath(var.vault_bundle_path) : null dependencies_to_install = ["jq"] diff --git a/enos/enos-scenario-smoke.hcl b/enos/enos-scenario-smoke.hcl index e4aee61560..84e9dc886b 100644 --- a/enos/enos-scenario-smoke.hcl +++ b/enos/enos-scenario-smoke.hcl @@ -4,9 +4,9 @@ scenario "smoke" { backend = ["consul", "raft"] artifact_source = ["local", "crt", "artifactory"] artifact_type = ["bundle", "package"] - consul_version = ["1.13.2", "1.12.5", "1.11.10"] + consul_version = ["1.14.2", "1.13.4", "1.12.7"] distro = ["ubuntu", "rhel"] - edition = ["oss", "ent"] + edition = ["oss", "ent", "ent.fips1402", "ent.hsm", "ent.hsm.fips1402"] seal = ["awskms", "shamir"] # Packages are not offered for the oss edition 
@@ -26,8 +26,11 @@ scenario "smoke" { locals { build_tags = { - "oss" = ["ui"] - "ent" = ["enterprise", "ent"] + "oss" = ["ui"] + "ent" = ["ui", "enterprise", "ent"] + "ent.fips1402" = ["ui", "enterprise", "cgo", "hsm", "fips", "fips_140_2", "ent.fips1402"] + "ent.hsm" = ["ui", "enterprise", "cgo", "hsm", "venthsm"] + "ent.hsm.fips1402" = ["ui", "enterprise", "cgo", "hsm", "fips", "fips_140_2", "ent.hsm.fips1402"] } bundle_path = matrix.artifact_source != "artifactory" ? abspath(var.vault_bundle_path) : null dependencies_to_install = ["jq"] @@ -115,11 +118,11 @@ scenario "smoke" { depends_on = [step.create_vpc] providers = { - enos = local.enos_provider[matrix.distro] + enos = provider.enos.ubuntu } variables { - ami_id = step.create_vpc.ami_ids[matrix.distro][matrix.arch] + ami_id = step.create_vpc.ami_ids["ubuntu"]["amd64"] common_tags = local.tags consul_release = { edition = var.backend_edition diff --git a/enos/enos-scenario-upgrade.hcl b/enos/enos-scenario-upgrade.hcl index ab7904fdae..6457320a8e 100644 --- a/enos/enos-scenario-upgrade.hcl +++ b/enos/enos-scenario-upgrade.hcl @@ -4,9 +4,9 @@ scenario "upgrade" { backend = ["consul", "raft"] artifact_source = ["local", "crt", "artifactory"] artifact_type = ["bundle", "package"] - consul_version = ["1.13.2", "1.12.5", "1.11.10"] + consul_version = ["1.14.2", "1.13.4", "1.12.7"] distro = ["ubuntu", "rhel"] - edition = ["oss", "ent"] + edition = ["oss", "ent", "ent.fips1402", "ent.hsm", "ent.hsm.fips1402"] seal = ["awskms", "shamir"] # Packages are not offered for the oss edition 
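Review bot: Hard-coding `provider.enos.ubuntu` and `ami_ids["ubuntu"]["amd64"]` needs a comment saying the pin is deliberate, because the scenario matrix still offers `rhel` and `arm64` and the lines being replaced followed `matrix.distro` and `matrix.arch`. Something like `# The backend cluster always runs on Ubuntu amd64, independent of the Vault target matrix` above `providers` would do, assuming this is the Consul backend step (it sets `consul_release`). The step's header and the rest of its variables are outside the hunk. If its instance type is still chosen from `matrix.arch`, an arm64 variant would pair that instance type with an amd64 AMI, so that is worth checking.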
@@ -27,8 +27,11 @@ scenario "upgrade" { locals { build_tags = { - "oss" = ["ui"] - "ent" = ["enterprise", "ent"] + "oss" = ["ui"] + "ent" = ["ui", "enterprise", "ent"] + "ent.fips1402" = ["ui", "enterprise", "cgo", "hsm", "fips", "fips_140_2", "ent.fips1402"] + "ent.hsm" = ["ui", "enterprise", "cgo", "hsm", "venthsm"] + "ent.hsm.fips1402" = ["ui", "enterprise", "cgo", "hsm", "fips", "fips_140_2", "ent.hsm.fips1402"] } bundle_path = matrix.artifact_source != "artifactory" ? abspath(var.vault_bundle_path) : null dependencies_to_install = ["jq"] diff --git a/enos/modules/build_local/scripts/build.sh b/enos/modules/build_local/scripts/build.sh index 3478079c20..385a3af557 100755 --- a/enos/modules/build_local/scripts/build.sh +++ b/enos/modules/build_local/scripts/build.sh @@ -8,5 +8,5 @@ export CGO_ENABLED=0 root_dir="$(git rev-parse --show-toplevel)" pushd "$root_dir" > /dev/null -make crt-build-ui crt-build crt-bundle +make ci-build-ui ci-build ci-bundle popd > /dev/null diff --git a/enos/modules/get_local_metadata/scripts/build_date.sh b/enos/modules/get_local_metadata/scripts/build_date.sh index d0528554e7..917888eb1c 100755 --- a/enos/modules/get_local_metadata/scripts/build_date.sh +++ b/enos/modules/get_local_metadata/scripts/build_date.sh @@ -2,5 +2,5 @@ set -eu -o pipefail pushd "$(git rev-parse --show-toplevel)" > /dev/null -make crt-get-date +make ci-get-date popd > /dev/null diff --git a/enos/modules/get_local_metadata/scripts/version.sh b/enos/modules/get_local_metadata/scripts/version.sh index ef0b91f378..6921d772ea 100755 --- a/enos/modules/get_local_metadata/scripts/version.sh +++ b/enos/modules/get_local_metadata/scripts/version.sh @@ -2,5 +2,5 @@ set -eu -o pipefail pushd "$(git rev-parse --show-toplevel)" > /dev/null -make crt-get-version +make ci-get-version popd > /dev/null 
diff --git a/enos/modules/vault_verify_version/templates/verify-cluster-version.sh b/enos/modules/vault_verify_version/templates/verify-cluster-version.sh index 3cda18af62..3fd2102351 100644 --- a/enos/modules/vault_verify_version/templates/verify-cluster-version.sh +++ b/enos/modules/vault_verify_version/templates/verify-cluster-version.sh @@ -1,15 +1,14 @@ #!/usr/bin/env bash -# The Vault smoke test to verify the Vault version installed - +# Verify the Vault "version" includes the correct base version, build date, +# revision SHA, and edition metadata. set -e binpath=${vault_install_dir}/vault edition=${vault_edition} version=${vault_version} sha=${vault_revision} -builddate=${vault_build_date} -release="$version+$edition" +build_date=${vault_build_date} fail() { echo "$1" 1>&2 
@@ -21,25 +20,20 @@ test -x "$binpath" || fail "unable to locate vault binary at $binpath" export VAULT_ADDR='http://127.0.0.1:8200' export VAULT_TOKEN='${vault_token}' -if [[ "$builddate" != "" ]]; then - build_date=$builddate -else - build_date=$("$binpath" status -format=json | jq -Mr .build_date) -fi - -if [[ "$(echo $version |awk -F'.' '{print $2}')" -ge 11 ]]; then +# Build date was added in 1.11 +if [[ "$(echo "$version" |awk -F'.' '{print $2}')" -ge 11 ]]; then version_expected="Vault v$version ($sha), built $build_date" else version_expected="Vault v$version ($sha)" fi -case "$release" in - *+oss) ;; - *+ent) ;; - *+ent.hsm) version_expected="$version_expected (cgo)";; - *+ent.fips1402) version_expected="$version_expected (cgo)" ;; - *+ent.hsm.fips1402) version_expected="$version_expected (cgo)" ;; - *) fail "($release) file doesn't match any known license types" +case "$edition" in + *oss) ;; + *ent) ;; + *ent.hsm) version_expected="$version_expected (cgo)";; + *ent.fips1402) version_expected="$version_expected (cgo)" ;; + *ent.hsm.fips1402) version_expected="$version_expected (cgo)" ;; + *) fail "Unknown Vault edition: ($edition)" ;; esac version_expected_nosha=$(echo "$version_expected" | awk '!($3="")' | sed 's/ / /' | sed -e 's/[[:space:]]*$//') diff --git a/scripts/build.sh b/scripts/build.sh index 5ee2ecc74e..1856389cc6 100755 --- a/scripts/build.sh +++ b/scripts/build.sh @@ -18,10 +18,10 @@ cd "$DIR" BUILD_TAGS="${BUILD_TAGS:-"vault"}" # Get the git commit -GIT_COMMIT="$("$SOURCE_DIR"/crt-builder.sh revision)" +GIT_COMMIT="$("$SOURCE_DIR"/ci-helper.sh revision)" GIT_DIRTY="$(test -n "`git status --porcelain`" && echo "+CHANGES" || true)" -BUILD_DATE="$("$SOURCE_DIR"/crt-builder.sh date)" +BUILD_DATE="$("$SOURCE_DIR"/ci-helper.sh date)" GOPATH=${GOPATH:-$(${GO_CMD} env GOPATH)} case $(uname) in 
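Review bot: The `case "$edition"` patterns keep the leading `*` that was needed when the subject was `$version+$edition`; against the bare edition, `*ent)` and `*oss)` match any value that merely ends in those letters, so a mistyped or unexpected edition can bypass the `fail` branch and be checked without the `(cgo)` suffix. Making them exact closes that gap: `oss) ;;`, `ent) ;;`, `ent.hsm) version_expected="$version_expected (cgo)" ;;`, and likewise for the two FIPS entries. With the `vault status` fallback removed, an empty `vault_build_date` on 1.11+ now produces an expected string ending in `built ` with nothing after it. A guard inside that branch, `[[ -n "$build_date" ]] || fail "vault_build_date is required for 1.11+"`, would make the cause explicit. The comparison that consumes `version_expected` is outside this hunk.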
diff --git a/scripts/crt-builder.sh b/scripts/ci-helper.sh similarity index 67% rename from scripts/crt-builder.sh rename to scripts/ci-helper.sh index 3747b8131e..585f89786c 100755 --- a/scripts/crt-builder.sh +++ b/scripts/ci-helper.sh @@ -1,8 +1,7 @@ #!/usr/bin/env bash -# The crt-builder is used to detemine build metadata and create Vault builds. -# We use it in build-vault.yml for building release artifacts with CRT. It is -# also used by Enos for artifact_source:local scenario variants. +# The ci-helper is used to determine build metadata, build Vault binaries, +# package those binaries into artifacts, and execute tests with those artifacts. set -euo pipefail @@ -43,6 +42,21 @@ function version_base() { awk '$1 == "Version" && $2 == "=" { gsub(/"/, "", $3); print $3 }' < "$VERSION_FILE" } +# Get the version major +function version_major() { + version_base | cut -d '.' -f 1 +} + +# Get the version minor +function version_minor() { + version_base | cut -d '.' -f 2 +} + +# Get the version patch +function version_patch() { + version_base | cut -d '.' -f 3 +} + # Get the version pre-release function version_pre() { : "${VAULT_PRERELEASE:=""}" @@ -60,7 +74,7 @@ function version_pre() { function version_metadata() { : "${VAULT_METADATA:=""}" - if [ -n "$VAULT_METADATA" ]; then + if [[ (-n "$VAULT_METADATA") && ("$VAULT_METADATA" != "oss") ]]; then echo "$VAULT_METADATA" return fi @@ -69,6 +83,11 @@ function version_metadata() { awk '$1 == "VersionMetadata" && $2 == "=" { gsub(/"/, "", $3); print $3 }' < "$VERSION_FILE" } +# Get the version formatted for Debian and RHEL packages +function version_package() { + version | awk '{ gsub("-","~",$1); print $1 }' +} + # Get the build date from the latest commit since it can be used across all # builds function build_date() { 
@@ -152,7 +171,7 @@ function build() { fi if [ -n "$metadata" ]; then - msg="${msg}, metadata ${VAULT_METADATA}" + msg="${msg}, metadata ${metadata}" ldflags="${ldflags} -X github.com/hashicorp/vault/version.VersionMetadata=$metadata" fi @@ -167,7 +186,7 @@ function build() { popd } -# Bundle the dist directory +# Bundle the dist directory into a zip function bundle() { : "${BUNDLE_PATH:=$(repo_root)/vault.zip}" echo "--> Bundling dist/* to $BUNDLE_PATH" 
@@ -188,7 +207,50 @@ function prepare_legal() { popd } -# Run the CRT Builder +# Determine the matrix group number that we'll select for execution. If the +# MATRIX_TEST_GROUP environment variable has set then it will always return +# that value. If has not been set, we will randomly select a number between 1 +# and the value of MATRIX_MAX_TEST_GROUPS. +function matrix_group_id() { + : "${MATRIX_TEST_GROUP:=""}" + if [ -n "$MATRIX_TEST_GROUP" ]; then + echo "$MATRIX_TEST_GROUP" + return + fi + + : "${MATRIX_MAX_TEST_GROUPS:=1}" + awk -v min=1 -v max=$MATRIX_MAX_TEST_GROUPS 'BEGIN{srand(); print int(min+rand()*(max-min+1))}' +} + +# Filter matrix file reads in the contents of MATRIX_FILE and filters out +# scenarios that are not in the current test group and/or those that have not +# met minimux or maximum version requirements. +function matrix_filter_file() { + : "${MATRIX_FILE:=""}" + if [ -z "$MATRIX_FILE" ]; then + echo "You must specify the MATRIX_FILE variable for this command" >&2 + exit 1 + fi + + : "${MATRIX_TEST_GROUP:=$(matrix_group_id)}" + + local path + local matrix + path=$(readlink -f $MATRIX_FILE) + matrix=$(cat "$path" | jq ".include | + map(. | + select( + ((.min_minor_version == null) or (.min_minor_version <= $(version_minor))) and + ((.max_minor_version == null) or (.max_minor_version >= $(version_minor))) and + ((.test_group == null) or (.test_group == $MATRIX_TEST_GROUP)) + ) + )" + ) + + echo "{\"include\":$matrix}" | jq -c . +} + +# Run the CI Helper function main() { case $1 in artifact-basename) @@ -209,6 +271,12 @@ function main() { prepare-legal) prepare_legal ;; + matrix-filter-file) + matrix_filter_file + ;; + matrix-group-id) + matrix_group_id + ;; revision) build_revision ;; 
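Review bot: `matrix_filter_file` builds the jq program by expanding `$MATRIX_TEST_GROUP` and `$(version_minor)` inside a double-quoted string, so whatever the environment variable holds is parsed as jq syntax rather than compared as a value, and that value may originate from a workflow input. Passing both with `--argjson` keeps the filter text fixed and makes a non-numeric group id fail up front instead of changing what the filter selects. `$MATRIX_FILE` in the `readlink -f` call and `$MATRIX_MAX_TEST_GROUPS` in the awk call of `matrix_group_id` are also unquoted. The two new header comments have typos (`minimux`, `has set`).

```shell
function matrix_filter_file() {
  # … unchanged: MATRIX_FILE check and MATRIX_TEST_GROUP default …
  local path
  path=$(readlink -f "$MATRIX_FILE")
  jq -c \
    --argjson minor "$(version_minor)" \
    --argjson group "$MATRIX_TEST_GROUP" \
    '{include: (.include | map(select(
      ((.min_minor_version == null) or (.min_minor_version <= $minor)) and
      ((.max_minor_version == null) or (.max_minor_version >= $minor)) and
      ((.test_group == null) or (.test_group == $group))
    )))}' "$path"
}
```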
@@ -221,9 +289,21 @@ function main() { version-pre) version_pre ;; + version-major) + version_major + ;; version-meta) version_metadata ;; + version-minor) + version_minor + ;; + version-package) + version_package + ;; + version-patch) + version_patch + ;; *) echo "unknown sub-command" >&2 exit 1