[QT-436] Pseudo random artifact test scenarios (#18056)

Introducing a new approach to testing Vault artifacts before merge
and after merge/notorization/signing. Rather than run a few static
scenarios across the artifacts, we now have the ability to run a
pseudo random sample of scenarios across many different build artifacts.

We've added 20 possible scenarios for the AMD64 and ARM64 binary
bundles, which we've broken into five test groups. On any given push to
a pull request branch, we will now choose a random test group and
execute its corresponding scenarios against the resulting build
artifacts. This gives us greater test coverage but lets us split the
verification across many different pull requests.

The post-merge release testing pipeline behaves in a similar fashion,
however, the artifacts that we use for testing have been notarized and
signed prior to testing. We've also reduce the number of groups so that
we run more scenarios after merge to a release branch.

We intend to take what we've learned building this in Github Actions and
roll it into an easier to use feature that is native to Enos. Until then,
we'll have to manually add scenarios to each matrix file and manually
number the test group. It's important to note that Github requires every
matrix to include at least one vector, so every artifact that is being
tested must include a single scenario in order for all workflows to pass
and thus satisfy branch merge requirements.

* Add support for different artifact types to enos-run
* Add support for different runner type to enos-run
* Add arm64 scenarios to build matrix
* Expand build matrices to include different variants
* Update Consul versions in Enos scenarios and matrices
* Refactor enos-run environment
* Add minimum version filtering support to enos-run. This allows us to
  automatically exclude scenarios that require a more recent version of
  Vault
* Add maximum version filtering support to enos-run. This allows us to
  automatically exclude scenarios that require an older version of
  Vault
* Fix Node 12 deprecation warnings
* Rename enos-verify-stable to enos-release-testing-oss
* Convert artifactory matrix into enos-release-testing-oss matrices
* Add all Vault editions to Enos scenario matrices
* Fix verify version with complex Vault edition metadata
* Rename the crt-builder to ci-helper
* Add more version helpers to ci-helper and Makefile
* Update CODEOWNERS for quality team
* Add support for filtering matrices by group and version constraints
* Add support for pseudo random test scenario execution

Signed-off-by: Ryan Cragun <me@ryan.ec>

.github/enos-run-matrices/artifactory-ent.json

@@ -1,44 +0,0 @@
-{
-  "include": [
-    {
-      "scenario": "smoke arch:amd64 artifact_source:artifactory backend:consul consul_version:1.13.2 distro:rhel edition:ent seal:awskms artifact_type:bundle",
-      "aws_region": "us-east-1"
-    },
-    {
-      "scenario": "smoke arch:amd64 artifact_source:artifactory backend:consul consul_version:1.13.2 distro:ubuntu edition:ent seal:shamir artifact_type:bundle",
-      "aws_region": "us-east-2"
-    },
-    {
-      "scenario": "smoke arch:arm64 artifact_source:artifactory backend:raft consul_version:1.11.10 distro:ubuntu edition:ent seal:awskms artifact_type:bundle",
-      "aws_region": "us-west-1"
-    },
-    {
-      "scenario": "smoke arch:arm64 artifact_source:artifactory backend:raft consul_version:1.11.10 distro:rhel edition:ent seal:shamir artifact_type:bundle",
-      "aws_region": "us-west-2"
-    },
-    {
-      "scenario": "upgrade arch:arm64 artifact_source:artifactory backend:consul consul_version:1.12.5 distro:ubuntu edition:ent seal:shamir artifact_type:bundle",
-      "aws_region": "us-west-1"
-    },
-    {
-      "scenario": "upgrade arch:amd64 artifact_source:artifactory backend:consul consul_version:1.13.2 distro:rhel edition:ent seal:awskms artifact_type:bundle",
-      "aws_region": "us-west-2"
-    },
-    {
-      "scenario": "upgrade arch:arm64 artifact_source:artifactory backend:raft consul_version:1.12.5 distro:rhel edition:ent seal:shamir artifact_type:bundle",
-      "aws_region": "us-east-1"
-    },
-    {
-      "scenario": "upgrade arch:amd64 artifact_source:artifactory backend:raft consul_version:1.13.2 distro:ubuntu edition:ent seal:awskms artifact_type:bundle",
-      "aws_region": "us-east-2"
-    },
-    {
-      "scenario": "autopilot arch:amd64 artifact_source:artifactory distro:ubuntu edition:ent seal:awskms artifact_type:bundle",
-      "aws_region": "us-west-1"
-    },
-    {
-      "scenario": "autopilot arch:arm64 artifact_source:artifactory distro:rhel edition:ent seal:shamir artifact_type:bundle",
-      "aws_region": "us-west-2"
-    }
-  ]
-}

.github/enos-run-matrices/artifactory-oss.json

@@ -1,36 +0,0 @@
-{
-  "include": [
-    {
-      "scenario": "smoke arch:amd64 artifact_source:artifactory backend:consul consul_version:1.13.2 distro:rhel edition:oss seal:awskms artifact_type:bundle",
-      "aws_region": "us-east-1"
-    },
-    {
-      "scenario": "smoke arch:amd64 artifact_source:artifactory backend:consul consul_version:1.12.5 distro:ubuntu edition:oss seal:shamir artifact_type:bundle",
-      "aws_region": "us-east-2"
-    },
-    {
-      "scenario": "smoke arch:arm64 artifact_source:artifactory backend:raft consul_version:1.11.10 distro:ubuntu edition:oss seal:awskms artifact_type:bundle",
-      "aws_region": "us-west-1"
-    },
-    {
-      "scenario": "smoke arch:arm64 artifact_source:artifactory backend:raft consul_version:1.11.10 distro:rhel edition:oss seal:shamir artifact_type:bundle",
-      "aws_region": "us-west-2"
-    },
-    {
-      "scenario": "upgrade arch:arm64 artifact_source:artifactory backend:consul consul_version:1.11.10 distro:ubuntu edition:oss seal:shamir artifact_type:bundle",
-      "aws_region": "us-west-1"
-    },
-    {
-      "scenario": "upgrade arch:amd64 artifact_source:artifactory backend:consul consul_version:1.13.2 distro:rhel edition:oss seal:awskms artifact_type:bundle",
-      "aws_region": "us-west-2"
-    },
-    {
-      "scenario": "upgrade arch:arm64 artifact_source:artifactory backend:raft consul_version:1.12.5 distro:rhel edition:oss seal:shamir artifact_type:bundle",
-      "aws_region": "us-east-1"
-    },
-    {
-      "scenario": "upgrade arch:amd64 artifact_source:artifactory backend:raft consul_version:1.13.2 distro:ubuntu edition:oss seal:awskms artifact_type:bundle",
-      "aws_region": "us-east-2"
-    }
-  ]
-}

.github/enos-run-matrices/build-github-oss-linux-amd64-zip.json

@@ -0,0 +1,54 @@
+{
+  "include": [
+    {
+      "scenario": "smoke backend:raft consul_version:1.14.2 distro:ubuntu seal:shamir arch:amd64 artifact_source:crt edition:oss artifact_type:bundle",
+      "aws_region": "us-west-1",
+      "test_group": 3
+    },
+    {
+      "scenario": "smoke backend:raft consul_version:1.13.4 distro:rhel seal:awskms arch:amd64 artifact_source:crt edition:oss artifact_type:bundle",
+      "aws_region": "us-west-2",
+      "test_group": 4
+    },
+    {
+      "scenario": "smoke backend:consul consul_version:1.14.2 distro:ubuntu seal:shamir arch:amd64 artifact_source:crt edition:oss artifact_type:bundle",
+      "aws_region": "us-west-1",
+      "test_group": 1
+    },
+    {
+      "scenario": "smoke backend:consul consul_version:1.13.4 distro:rhel seal:awskms arch:amd64 artifact_source:crt edition:oss artifact_type:bundle",
+      "aws_region": "us-west-2",
+      "test_group": 5
+    },
+    {
+      "scenario": "smoke backend:consul consul_version:1.12.7 distro:ubuntu seal:shamir arch:amd64 artifact_source:crt edition:oss artifact_type:bundle",
+      "aws_region": "us-west-1",
+      "test_group": 2
+    },
+    {
+      "scenario": "upgrade backend:raft consul_version:1.14.2 distro:rhel seal:awskms arch:amd64 artifact_source:crt edition:oss artifact_type:bundle",
+      "aws_region": "us-west-2",
+      "test_group": 3
+    },
+    {
+      "scenario": "upgrade backend:raft consul_version:1.14.2 distro:ubuntu seal:shamir arch:amd64 artifact_source:crt edition:oss artifact_type:bundle",
+      "aws_region": "us-west-1",
+      "test_group": 5
+    },
+    {
+      "scenario": "upgrade backend:consul consul_version:1.14.2 distro:rhel seal:awskms arch:amd64 artifact_source:crt edition:oss artifact_type:bundle",
+      "aws_region": "us-west-2",
+      "test_group": 4
+    },
+    {
+      "scenario": "upgrade backend:consul consul_version:1.13.4 distro:ubuntu seal:shamir arch:amd64 artifact_source:crt edition:oss artifact_type:bundle",
+      "aws_region": "us-west-1",
+      "test_group": 2
+    },
+    {
+      "scenario": "upgrade backend:consul consul_version:1.12.7 distro:rhel seal:awskms arch:amd64 artifact_source:crt edition:oss artifact_type:bundle",
+      "aws_region": "us-west-2",
+      "test_group": 1
+    }
+  ]
+}

.github/enos-run-matrices/build-github-oss-linux-arm64-zip.json

@@ -0,0 +1,54 @@
+{
+  "include": [
+    {
+      "scenario": "smoke backend:raft consul_version:1.13.4 distro:rhel seal:shamir arch:arm64 artifact_source:crt edition:oss artifact_type:bundle",
+      "aws_region": "us-west-2",
+      "test_group": 1
+    },
+    {
+      "scenario": "smoke backend:raft consul_version:1.14.2 distro:ubuntu seal:awskms arch:arm64 artifact_source:crt edition:oss artifact_type:bundle",
+      "aws_region": "us-west-1",
+      "test_group": 2
+    },
+    {
+      "scenario": "smoke backend:consul consul_version:1.12.7 distro:ubuntu seal:shamir arch:arm64 artifact_source:crt edition:oss artifact_type:bundle",
+      "aws_region": "us-west-2",
+      "test_group": 3
+    },
+    {
+      "scenario": "smoke backend:consul consul_version:1.14.2 distro:ubuntu seal:shamir arch:arm64 artifact_source:crt edition:oss artifact_type:bundle",
+      "aws_region": "us-west-1",
+      "test_group": 4
+    },
+    {
+      "scenario": "smoke backend:consul consul_version:1.13.4 distro:rhel seal:awskms arch:arm64 artifact_source:crt edition:oss artifact_type:bundle",
+      "aws_region": "us-west-2",
+      "test_group": 5
+    },
+    {
+      "scenario": "upgrade backend:raft consul_version:1.14.2 distro:ubuntu seal:shamir arch:arm64 artifact_source:crt edition:oss artifact_type:bundle",
+      "aws_region": "us-west-1",
+      "test_group": 1
+    },
+    {
+      "scenario": "upgrade backend:raft consul_version:1.14.2 distro:rhel seal:awskms arch:arm64 artifact_source:crt edition:oss artifact_type:bundle",
+      "aws_region": "us-west-2",
+      "test_group": 2
+    },
+    {
+      "scenario": "upgrade backend:consul consul_version:1.12.7 distro:rhel seal:awskms arch:arm64 artifact_source:crt edition:oss artifact_type:bundle",
+      "aws_region": "us-west-1",
+      "test_group": 3
+    },
+    {
+      "scenario": "upgrade backend:consul consul_version:1.13.4 distro:ubuntu seal:shamir arch:arm64 artifact_source:crt edition:oss artifact_type:bundle",
+      "aws_region": "us-west-2",
+      "test_group": 4
+    },
+    {
+      "scenario": "upgrade backend:consul consul_version:1.14.2 distro:rhel seal:awskms arch:arm64 artifact_source:crt edition:oss artifact_type:bundle",
+      "aws_region": "us-west-1",
+      "test_group": 5
+    }
+  ]
+}

.github/enos-run-matrices/crt-ent.json

@@ -1,24 +0,0 @@
-{
-  "include": [
-    {
-      "scenario": "smoke backend:consul consul_version:1.13.2 distro:ubuntu seal:awskms arch:amd64 artifact_source:crt edition:ent artifact_type:bundle",
-      "aws_region": "us-west-1"
-    },
-    {
-      "scenario": "smoke backend:raft consul_version:1.13.2 distro:ubuntu seal:shamir arch:amd64 artifact_source:crt edition:ent artifact_type:bundle",
-      "aws_region": "us-west-2"
-    },
-    {
-      "scenario": "upgrade backend:raft consul_version:1.12.5 distro:rhel seal:shamir arch:amd64 artifact_source:crt edition:ent artifact_type:bundle",
-      "aws_region": "us-west-1"
-    },
-    {
-      "scenario": "upgrade backend:consul consul_version:1.12.5 distro:rhel seal:awskms arch:amd64 artifact_source:crt edition:ent artifact_type:bundle",
-      "aws_region": "us-west-2"
-    },
-    {
-      "scenario": "autopilot distro:ubuntu seal:shamir arch:amd64 artifact_source:crt edition:ent artifact_type:bundle",
-      "aws_region": "us-west-1"
-    }
-  ]
-}

.github/enos-run-matrices/crt-oss.json

@@ -1,20 +0,0 @@
-{
-  "include": [
-    {
-      "scenario": "smoke backend:consul consul_version:1.13.2 distro:ubuntu seal:awskms arch:amd64 artifact_source:crt edition:oss artifact_type:bundle",
-      "aws_region": "us-west-1"
-    },
-    {
-      "scenario": "smoke backend:raft consul_version:1.13.2 distro:ubuntu seal:shamir arch:amd64 artifact_source:crt edition:oss artifact_type:bundle",
-      "aws_region": "us-west-2"
-    },
-    {
-      "scenario": "upgrade backend:raft consul_version:1.12.5 distro:rhel seal:shamir arch:amd64 artifact_source:crt edition:oss artifact_type:bundle",
-      "aws_region": "us-west-1"
-    },
-    {
-      "scenario": "upgrade backend:consul consul_version:1.12.5 distro:rhel seal:awskms arch:amd64 artifact_source:crt edition:oss artifact_type:bundle",
-      "aws_region": "us-west-2"
-    }
-  ]
-}

.github/enos-run-matrices/enos_release_testing_oss-artifactory-oss-linux-amd64-zip.json

@@ -0,0 +1,54 @@
+{
+  "include": [
+    {
+      "scenario": "smoke backend:raft consul_version:1.14.2 distro:ubuntu seal:shamir arch:amd64 artifact_source:artifactory edition:oss artifact_type:bundle",
+      "aws_region": "us-west-1",
+      "test_group": 2
+    },
+    {
+      "scenario": "smoke backend:raft consul_version:1.13.4 distro:rhel seal:awskms arch:amd64 artifact_source:artifactory edition:oss artifact_type:bundle",
+      "aws_region": "us-west-2",
+      "test_group": 1
+    },
+    {
+      "scenario": "smoke backend:consul consul_version:1.14.2 distro:ubuntu seal:shamir arch:amd64 artifact_source:artifactory edition:oss artifact_type:bundle",
+      "aws_region": "us-west-1",
+      "test_group": 2
+    },
+    {
+      "scenario": "smoke backend:consul consul_version:1.13.4 distro:rhel seal:awskms arch:amd64 artifact_source:artifactory edition:oss artifact_type:bundle",
+      "aws_region": "us-west-2",
+      "test_group": 1
+    },
+    {
+      "scenario": "smoke backend:consul consul_version:1.12.7 distro:ubuntu seal:shamir arch:amd64 artifact_source:artifactory edition:oss artifact_type:bundle",
+      "aws_region": "us-west-1",
+      "test_group": 2
+    },
+    {
+      "scenario": "upgrade backend:raft consul_version:1.14.2 distro:rhel seal:awskms arch:amd64 artifact_source:artifactory edition:oss artifact_type:bundle",
+      "aws_region": "us-west-2",
+      "test_group": 1
+    },
+    {
+      "scenario": "upgrade backend:raft consul_version:1.14.2 distro:ubuntu seal:shamir arch:amd64 artifact_source:artifactory edition:oss artifact_type:bundle",
+      "aws_region": "us-west-1",
+      "test_group": 2
+    },
+    {
+      "scenario": "upgrade backend:consul consul_version:1.14.2 distro:rhel seal:awskms arch:amd64 artifact_source:artifactory edition:oss artifact_type:bundle",
+      "aws_region": "us-west-2",
+      "test_group": 1
+    },
+    {
+      "scenario": "upgrade backend:consul consul_version:1.13.4 distro:ubuntu seal:shamir arch:amd64 artifact_source:artifactory edition:oss artifact_type:bundle",
+      "aws_region": "us-west-1",
+      "test_group": 2
+    },
+    {
+      "scenario": "upgrade backend:consul consul_version:1.12.7 distro:rhel seal:awskms arch:amd64 artifact_source:artifactory edition:oss artifact_type:bundle",
+      "aws_region": "us-west-2",
+      "test_group": 1
+    }
+  ]
+}

.github/enos-run-matrices/enos_release_testing_oss-artifactory-oss-linux-arm64-zip.json

@@ -0,0 +1,54 @@
+{
+  "include": [
+    {
+      "scenario": "smoke backend:raft consul_version:1.13.4 distro:rhel seal:shamir arch:amd64 artifact_source:artifactory edition:oss artifact_type:bundle",
+      "aws_region": "us-west-2",
+      "test_group": 1
+    },
+    {
+      "scenario": "smoke backend:raft consul_version:1.14.2 distro:ubuntu seal:awskms arch:amd64 artifact_source:artifactory edition:oss artifact_type:bundle",
+      "aws_region": "us-west-1",
+      "test_group": 2
+    },
+    {
+      "scenario": "smoke backend:consul consul_version:1.12.7 distro:ubuntu seal:shamir arch:amd64 artifact_source:artifactory edition:oss artifact_type:bundle",
+      "aws_region": "us-west-1",
+      "test_group": 1
+    },
+    {
+      "scenario": "smoke backend:consul consul_version:1.14.2 distro:ubuntu seal:shamir arch:amd64 artifact_source:artifactory edition:oss artifact_type:bundle",
+      "aws_region": "us-west-1",
+      "test_group": 2
+    },
+    {
+      "scenario": "smoke backend:consul consul_version:1.13.4 distro:rhel seal:awskms arch:amd64 artifact_source:artifactory edition:oss artifact_type:bundle",
+      "aws_region": "us-west-2",
+      "test_group": 1
+    },
+    {
+      "scenario": "upgrade backend:raft consul_version:1.14.2 distro:ubuntu seal:shamir arch:amd64 artifact_source:artifactory edition:oss artifact_type:bundle",
+      "aws_region": "us-west-1",
+      "test_group": 2
+    },
+    {
+      "scenario": "upgrade backend:raft consul_version:1.14.2 distro:rhel seal:awskms arch:amd64 artifact_source:artifactory edition:oss artifact_type:bundle",
+      "aws_region": "us-west-2",
+      "test_group": 1
+    },
+    {
+      "scenario": "upgrade backend:consul consul_version:1.12.7 distro:rhel seal:awskms arch:amd64 artifact_source:artifactory edition:oss artifact_type:bundle",
+      "aws_region": "us-west-2",
+      "test_group": 2
+    },
+    {
+      "scenario": "upgrade backend:consul consul_version:1.13.4 distro:ubuntu seal:shamir arch:amd64 artifact_source:artifactory edition:oss artifact_type:bundle",
+      "aws_region": "us-west-1",
+      "test_group": 1
+    },
+    {
+      "scenario": "upgrade backend:consul consul_version:1.14.2 distro:rhel seal:awskms arch:amd64 artifact_source:artifactory edition:oss artifact_type:bundle",
+      "aws_region": "us-west-2",
+      "test_group": 2
+    }
+  ]
+}

.github/workflows/build-vault-oss.yml

@@ -2,7 +2,7 @@
 name: build_vault
 
 # This workflow is intended to be called by the build workflow for each Vault
-# binary that needs to be built and packaged. The crt make targets that are
+# binary that needs to be built and packaged. The ci make targets that are
 # utilized automatically determine build metadata and handle building and
 # packing vault.
 
@@ -51,23 +51,23 @@ jobs:
           cache: yarn
           cache-dependency-path: ui/yarn.lock
       - name: Build UI
-        run: make crt-build-ui
+        run: make ci-build-ui
       - name: Build Vault
         env:
           CGO_ENABLED: ${{ inputs.cgo-enabled }}
           GOARCH: ${{ inputs.goarch }}
           GOOS: ${{ inputs.goos }}
           GO_TAGS: ${{ inputs.go-tags }}
-        run: make crt-build
+        run: make ci-build
       - name: Determine artifact basename
         env:
           GOARCH: ${{ inputs.goarch }}
           GOOS: ${{ inputs.goos }}
-        run: echo "ARTIFACT_BASENAME=$(make crt-get-artifact-basename)" >> $GITHUB_ENV
+        run: echo "ARTIFACT_BASENAME=$(make ci-get-artifact-basename)" >> $GITHUB_ENV
       - name: Bundle Vault
         env:
           BUNDLE_PATH: out/${{ env.ARTIFACT_BASENAME }}.zip
-        run: make crt-bundle
+        run: make ci-bundle
       - uses: actions/upload-artifact@v3
         with:
           name: ${{ env.ARTIFACT_BASENAME }}.zip

.github/workflows/build.yml

@@ -19,6 +19,7 @@ jobs:
       build-date: ${{ steps.get-metadata.outputs.build-date }}
       filepath: ${{ steps.generate-metadata-file.outputs.filepath }}
       go-version: ${{ steps.get-metadata.outputs.go-version }}
+      matrix-test-group: ${{ steps.get-metadata.outputs.matrix-test-group }}
       package-name: ${{ steps.get-metadata.outputs.package-name }}
       vault-revision: ${{ steps.get-metadata.outputs.vault-revision }}
       vault-version: ${{ steps.get-metadata.outputs.vault-version }}
@@ -27,13 +28,19 @@ jobs:
       - uses: actions/checkout@v3
       - name: Get metadata
         id: get-metadata
+        env:
+          # MATRIX_MAX_TEST_GROUPS is required to determine the randomly selected
+          # test group. It should be set to the highest test_group used in the
+          # enos-run-matrices.
+          MATRIX_MAX_TEST_GROUPS: 5
         run: |
-          echo "build-date=$(make crt-get-date)" >> $GITHUB_OUTPUT
+          echo "build-date=$(make ci-get-date)" >> $GITHUB_OUTPUT
-          echo "package-name=${{ env.PKG_NAME }}" >> $GITHUB_OUTPUT
           echo "go-version=$(cat ./.go-version)" >> $GITHUB_OUTPUT
-          echo "vault-base-version=$(make crt-get-version-base)" >> $GITHUB_OUTPUT
+          echo "matrix-test-group=$(make ci-get-matrix-group-id)" >> $GITHUB_OUTPUT
-          echo "vault-revision=$(make crt-get-revision)" >> $GITHUB_OUTPUT
+          echo "package-name=${{ env.PKG_NAME }}" >> $GITHUB_OUTPUT
-          echo "vault-version=$(make crt-get-version)" >> $GITHUB_OUTPUT
+          echo "vault-base-version=$(make ci-get-version-base)" >> $GITHUB_OUTPUT
+          echo "vault-revision=$(make ci-get-revision)" >> $GITHUB_OUTPUT
+          echo "vault-version=$(make ci-get-version)" >> $GITHUB_OUTPUT
       - uses: hashicorp/actions-generate-metadata@v1
         id: generate-metadata-file
         with:
@@ -154,8 +161,8 @@ jobs:
           zip_artifact_name: ${{ env.PKG_NAME }}_${{ needs.product-metadata.outputs.vault-version }}_linux_${{ matrix.arch }}.zip
           redhat_tag: quay.io/redhat-isv-containers/5f89bb5e0b94cf64cfeb500a:${{ env.version }}-ubi
 
-  enos:
+  test:
-    name: Enos
+    name: Test ${{ matrix.build-artifact-name }}
     # Only run the Enos workflow against branches that are created from the
     # hashicorp/vault repository. This has the effect of limiting execution of
     # Enos scenarios to branches that originate from authors that have write
@@ -167,16 +174,24 @@ jobs:
       - product-metadata
       - build-linux
     uses: ./.github/workflows/enos-run.yml
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - matrix-file-name: build-github-oss-linux-amd64-zip
+            build-artifact-name: vault_${{ needs.product-metadata.outputs.vault-version }}_linux_amd64.zip
+          - matrix-file-name: build-github-oss-linux-arm64-zip
+            build-artifact-name: vault_${{ needs.product-metadata.outputs.vault-version }}_linux_arm64.zip
     with:
-      artifact-build-date: ${{ needs.product-metadata.outputs.build-date }}
+      build-artifact-name: ${{ matrix.build-artifact-name }}
-      artifact-name: vault_${{ needs.product-metadata.outputs.vault-version }}_linux_amd64.zip
+      matrix-file-name: ${{ matrix.matrix-file-name }}
-      artifact-revision: ${{ needs.product-metadata.outputs.vault-revision }}
+      matrix-test-group: ${{ needs.product-metadata.outputs.matrix-test-group }}
-      artifact-source: crt
+      vault-edition: oss
-      artifact-version: ${{ needs.product-metadata.outputs.vault-version }}
+      vault-revision: ${{ needs.product-metadata.outputs.vault-revision }}
     secrets: inherit
 
-  enos-docker-k8s:
+  test-docker-k8s:
-    name: Enos Docker K8s
+    name: Test Docker K8s
     # Only run the Enos workflow against branches that are created from the
     # hashicorp/vault repository. This has the effect of limiting execution of
     # Enos scenarios to branches that originate from authors that have write
@@ -203,7 +218,7 @@ jobs:
       - build-darwin
       - build-docker
       - build-ubi
-      - enos
+      - test
-      - enos-docker-k8s
+      - test-docker-k8s
     steps:
-      - run: echo "All build and integration workflows have succeeded!"
+      - run: echo "All build and test workflows have succeeded!"

.github/workflows/enos-release-testing-oss.yml

@@ -0,0 +1,43 @@
+name: enos-release-testing-oss
+
+on:
+  repository_dispatch:
+    types:
+      - enos-release-testing-oss
+      - enos-release-testing-oss::*
+
+jobs:
+  metadata:
+    if: ${{ startsWith(github.event.client_payload.payload.branch, 'release/') }}
+    runs-on: ubuntu-default
+    outputs:
+      matrix-test-group: ${{ steps.matrix-group.outputs.matrix-test-group }}
+     steps:
+      - uses: actions/checkout@v3
+      - id: matrix-group
+        env:
+          # MATRIX_MAX_TEST_GROUPS is required to determine the randomly selected
+          # test group. It should be set to the highest test_group used in the
+          # enos-run-matrices.
+          MATRIX_MAX_TEST_GROUPS: 2
+        run: echo "matrix-test-group=$(make ci-get-matrix-group-id)" >> $GITHUB_OUTPUT
+
+  test:
+    name: Test ${{ matrix.matrix-file-name }}
+    if: ${{ startsWith(github.event.client_payload.payload.branch, 'release/') }}
+    needs: metadata
+    uses: ./.github/workflows/enos-run.yml
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - matrix-file-name: enos_release_testing_oss-artifactory-oss-linux-amd64-zip
+            test-name: Linux AMD64 Zip
+          - matrix-file-name: enos_release_testing_oss-artifactory-oss-linux-arm64-zip
+            test-name: Linux ARM64 Zip
+    with:
+      matrix-file-name: ${{ matrix.test-name }}
+      matrix-test-group: ${{ needs.metadata.outputs.matrix-test-group }}
+      vault-edition: oss
+      vault-revision: ${{ github.event.client_payload.payload.sha }}
+    secrets: inherit

.github/workflows/enos-run.yml

@@ -2,69 +2,114 @@
 name: enos
 
 on:
-  # Only trigger this working using workflow_call. It assumes that secrets are
+  # Only trigger this working using workflow_call. This workflow requires many
-  # being inherited from the caller.
+  # secrets that must be inherited from the caller workflow.
   workflow_call:
     inputs:
-      artifact-build-date:
+      # The name of the artifact that we're going to use for testing. This should
+      # match exactly to build artifacts uploaded to Github and Artifactory.
+      build-artifact-name:
+        required: true
+        type: string
+      # The base name of the file in ./github/enos-run-matrices that we use to
+      # determine which scenarios to run for the build artifact.
+      #
+      # They are named in the format of:
+      #   $caller_workflow_name-$artifact_source-$vault_edition-$platform-$arch-$packing_type
+      #
+      # Where each are:
+      #   caller_workflow_name: the Github Actions workflow that is calling
+      #     this one
+      #   artifact_source: where we're getting the artifact from. Either
+      #     "github" or "artifactory"
+      #   vault_edition: which edition of vault that we're testing. e.g. "oss"
+      #     or "ent"
+      #   platform: the vault binary target platform, e.g. "linux" or "macos"
+      #   arch: the vault binary target architecture, e.g. "arm64" or "amd64"
+      #   packing_type: how vault binary is packaged, e.g. "zip", "deb", "rpm"
+      #
+      # Examples:
+      #   build-github-oss-linux-amd64-zip
+      matrix-file-name:
+        required: true
+        type: string
+      # The test group we want to run. This corresponds to the test_group attribute
+      # defined in the enos-run-matrices files.
+      matrix-test-group:
+        default: 0
+        type: string
+      runs-on:
+        # NOTE: The value should be JSON encoded as that's the only way we can
+        # pass arrays with workflow_call.
+        type: string
         required: false
+        default: '"ubuntu-latest"'
+      ssh-key-name:
         type: string
-      artifact-name:
+        default: enos-ci-ssh-key
+      # Which edition of Vault we're using. e.g. "oss", "ent", "ent.hsm.fips1402"
+      vault-edition:
         required: true
         type: string
-      artifact-revision:
+      # The Git commit SHA used as the revision when building vault
+      vault-revision:
         required: true
         type: string
-      artifact-source:
-        required: false
-        type: string
-      artifact-version:
-        required: true
-        type: string
-
-env:
-  PKG_NAME: vault
-  ARTIFACT_BUILD_DATE: ${{ inputs.artifact-build-date }}
-  ARTIFACT_NAME: ${{ inputs.artifact-name }}
-  ARTIFACT_REVISION: ${{ inputs.artifact-revision }}
-  ARTIFACT_SOURCE: ${{ inputs.artifact-source }}
-  ARTIFACT_VERSION: ${{ inputs.artifact-version }}
 
 jobs:
-  # Read Enos scenario matrix file based on artifact-name input to test
+  metadata:
-  read-enos-matrix:
+    runs-on: ${{ fromJSON(inputs.runs-on) }}
-    runs-on: ubuntu-latest
     outputs:
-      enos-scenarios: ${{ steps.enos-matrix.outputs.matrix }}
+      build-date: ${{ steps.metadata.outputs.build-date }}
+      matrix: ${{ steps.metadata.outputs.matrix }}
+      version: ${{ steps.metadata.outputs.version }}
+      version-minor: ${{ steps.metadata.outputs.matrix }}
+    env:
+      # Pass the vault edition as VAULT_METADATA so the CI make targets can create
+      # values that consider the edition.
+      VAULT_METADATA: ${{ inputs.vault-edition }}
+      # Pass in the matrix and matrix group for filtering
+      MATRIX_FILE: ./.github/enos-run-matrices/${{ inputs.matrix-file-name }}.json
+      MATRIX_TEST_GROUP: ${{ inputs.matrix-test-group }}
     steps:
-      - name: Checkout
+      - uses: actions/checkout@v3
-        uses: actions/checkout@v3
+      - id: metadata
-      - name: Create Enos scenario matrix
-        id: enos-matrix
         run: |
-          [[ ${{ env.ARTIFACT_NAME }} == *"ent"* ]] && scenarioFile=$(cat ./.github/enos-run-matrices/${{ env.ARTIFACT_SOURCE }}-ent.json |jq -c .) || scenarioFile=$(cat ./.github/enos-run-matrices/${{ env.ARTIFACT_SOURCE }}-oss.json |jq -c .)
+          echo "build-date=$(make ci-get-date)" >> $GITHUB_OUTPUT
-          echo "matrix=$scenarioFile" >> $GITHUB_OUTPUT
+          echo "version=$(make ci-get-version)" >> $GITHUB_OUTPUT
-  # Run Integration tests on Enos scenario matrix
+          filtered=$(make ci-filter-matrix)
-  enos:
+          echo "matrix=$(echo $filtered)}" >> $GITHUB_OUTPUT
-    name: Integration
+
-    needs: read-enos-matrix
+  # Run the Enos test scenarios
+  run:
+    needs: metadata
     strategy:
       fail-fast: false # don't fail as that can skip required cleanup steps for jobs
-      matrix: ${{ fromJson(needs.read-enos-matrix.outputs.enos-scenarios) }}
+      matrix: ${{ fromJson(needs.metadata.outputs.matrix) }}
     runs-on: ubuntu-latest
     env:
       GITHUB_TOKEN: ${{ secrets.ELEVATED_GITHUB_TOKEN }}
+      # Pass in enos variables
+      ENOS_VAR_aws_region: ${{ matrix.aws_region }}
+      ENOS_VAR_aws_ssh_keypair_name: ${{ inputs.ssh-key-name }}
+      ENOS_VAR_aws_ssh_private_key_path: ./support/private_key.pem
+      ENOS_VAR_tfc_api_token: ${{ secrets.TF_API_TOKEN }}
+      ENOS_VAR_artifactory_username: ${{ secrets.ARTIFACTORY_USER }}
+      ENOS_VAR_artifactory_token: ${{ secrets.ARTIFACTORY_TOKEN }}
+      ENOS_VAR_terraform_plugin_cache_dir: ./support/terraform-plugin-cache
+      ENOS_VAR_vault_build_date: ${{ needs.metadata.outputs.build-date }}
+      ENOS_VAR_vault_product_version: ${{ needs.metadata.outputs.version }}
+      ENOS_VAR_vault_revision: ${{ inputs.vault-revision }}
+      ENOS_VAR_vault_bundle_path: ./support/downloads/${{ inputs.build-artifact-name }}
+      ENOS_VAR_vault_license_path: ./support/vault.hclic
     steps:
-      - name: Checkout
+      - uses: actions/checkout@v3
-        uses: actions/checkout@v3
+      - uses: hashicorp/setup-terraform@v2
-      - name: Set up Terraform
-        uses: hashicorp/setup-terraform@v2
         with:
           # the Terraform wrapper will break Terraform execution in Enos because
           # it changes the output to text when we expect it to be JSON.
           terraform_wrapper: false
-      - name: Configure AWS credentials
+      - uses: aws-actions/configure-aws-credentials@v1-node16
-        uses: aws-actions/configure-aws-credentials@v1
         with:
           aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
           aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
@@ -72,87 +117,39 @@ jobs:
           role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
           role-skip-session-tagging: true
           role-duration-seconds: 3600
-      - name: Set up Enos
+      - uses: hashicorp/action-setup-enos@v1
-        uses: hashicorp/action-setup-enos@v1
         with:
           github-token: ${{ secrets.ELEVATED_GITHUB_TOKEN }}
-      - name: Set up AWS SSH private key
+      - name: Prepare scenario dependencies
         run: |
-          mkdir -p ./enos/support
+          mkdir -p ./enos/support/terraform-plugin-cache
           echo "${{ secrets.ENOS_CI_SSH_KEY }}" > ./enos/support/private_key.pem
           chmod 600 ./enos/support/private_key.pem
-      - name: Download Linux AMD64 Vault bundle
+      - if: contains(inputs.matrix-file-name, 'github')
-        if: ${{ env.ARTIFACT_SOURCE == 'crt' }}
-        id: download
         uses: actions/download-artifact@v3
         with:
-          name: ${{ inputs.artifact-name }}
+          name: ${{ inputs.build-artifact-name }}
           path: ./enos/support/downloads
-      - name: unzip Downloaded Vault bundle
+      - if: contains(inputs.matrix-file-name, 'ent')
-        if: ${{ env.ARTIFACT_SOURCE == 'crt' }}
+        name: Configure Vault license
-        run: |
+        run: echo "${{ secrets.VAULT_LICENSE }}" > ./enos/support/vault.hclic || true
-          unzip ${{steps.download.outputs.download-path}}/*.zip -d enos/support
-          mv ${{steps.download.outputs.download-path}}/*.zip enos/support/vault.zip
-      - name: Prepare for scenario execution
-        run: |
-          mkdir -p enos/support/terraform-plugin-cache
-          [[ ${{ env.ARTIFACT_NAME }} == *"ent"* ]] && echo "${{ secrets.VAULT_LICENSE }}" > ./enos/support/vault.hclic || true
       - name: Run Enos scenario
         id: run
         # Continue once and retry to handle occasional blips when creating
         # infrastructure.
         continue-on-error: true
-        env:
+        run: enos scenario run --timeout 60m0s --chdir ./enos ${{ matrix.scenario }}
-          ENOS_VAR_aws_region: ${{ matrix.aws_region }}
+      - name: Retry Enos scenario if necessary
-          ENOS_VAR_aws_ssh_keypair_name: enos-ci-ssh-key
-          ENOS_VAR_aws_ssh_private_key_path: ./support/private_key.pem
-          ENOS_VAR_tfc_api_token: ${{ secrets.TF_API_TOKEN }}
-          ENOS_VAR_artifactory_username: ${{ secrets.ARTIFACTORY_USER }}
-          ENOS_VAR_artifactory_token: ${{ secrets.ARTIFACTORY_TOKEN }}
-          ENOS_VAR_terraform_plugin_cache_dir: ./support/terraform-plugin-cache
-          ENOS_VAR_vault_build_date: ${{ env.ARTIFACT_BUILD_DATE }}
-          ENOS_VAR_vault_product_version: ${{ env.ARTIFACT_VERSION }}
-          ENOS_VAR_vault_revision: ${{ env.ARTIFACT_REVISION }}
-          ENOS_VAR_vault_bundle_path: ./support/vault.zip
-        run: |
-          enos scenario run --timeout 60m0s --chdir ./enos ${{ matrix.scenario }}
-      - name: Retry Enos scenario
         id: run_retry
         if: steps.run.outcome == 'failure'
-        env:
+        run: enos scenario run --timeout 60m0s --chdir ./enos ${{ matrix.scenario }}
-          ENOS_VAR_aws_region: ${{ matrix.aws_region }}
+      - name: Ensure scenario has been destroyed
-          ENOS_VAR_aws_ssh_keypair_name: enos-ci-ssh-key
-          ENOS_VAR_aws_ssh_private_key_path: ./support/private_key.pem
-          ENOS_VAR_tfc_api_token: ${{ secrets.TF_API_TOKEN }}
-          ENOS_VAR_artifactory_username: ${{ secrets.ARTIFACTORY_USER }}
-          ENOS_VAR_artifactory_token: ${{ secrets.ARTIFACTORY_TOKEN }}
-          ENOS_VAR_terraform_plugin_cache_dir: ./support/terraform-plugin-cache
-          ENOS_VAR_vault_build_date: ${{ env.ARTIFACT_BUILD_DATE }}
-          ENOS_VAR_vault_product_version: ${{ env.ARTIFACT_VERSION }}
-          ENOS_VAR_vault_revision: ${{ env.ARTIFACT_REVISION }}
-          ENOS_VAR_vault_bundle_path: ./support/vault.zip
-        run: |
-          enos scenario run --timeout 60m0s --chdir ./enos ${{ matrix.scenario }}
-      - name: Destroy Enos scenario
         if: ${{ always() }}
         # With Enos version 0.0.11 the destroy step returns an error if the infrastructure
         # is already destroyed by enos run. So temporarily setting it to continue on error in GHA
         continue-on-error: true
-        env:
+        run: enos scenario destroy --timeout 60m0s --chdir ./enos ${{ matrix.scenario }}
-          ENOS_VAR_aws_region: ${{ matrix.aws_region }}
+      - name: Clean up Enos runtime directories
-          ENOS_VAR_aws_ssh_keypair_name: enos-ci-ssh-key
-          ENOS_VAR_aws_ssh_private_key_path: ./support/private_key.pem
-          ENOS_VAR_tfc_api_token: ${{ secrets.TF_API_TOKEN }}
-          ENOS_VAR_artifactory_username: ${{ secrets.ARTIFACTORY_USER }}
-          ENOS_VAR_artifactory_token: ${{ secrets.ARTIFACTORY_TOKEN }}
-          ENOS_VAR_terraform_plugin_cache_dir: ./support/terraform-plugin-cache
-          ENOS_VAR_vault_build_date: ${{ env.ARTIFACT_BUILD_DATE }}
-          ENOS_VAR_vault_product_version: ${{ env.ARTIFACT_VERSION }}
-          ENOS_VAR_vault_revision: ${{ env.ARTIFACT_REVISION }}
-          ENOS_VAR_vault_bundle_path: ./support/vault.zip
-        run: |
-          enos scenario destroy --timeout 60m0s --chdir ./enos ${{ matrix.scenario }}
-      - name: Cleanup Enos runtime directories
         if: ${{ always() }}
         run: |
           rm -rf /tmp/enos*

.github/workflows/enos-verify-stable.yml

@@ -1,19 +0,0 @@
-name: enos-verify-stable
-
-on:
-  repository_dispatch:
-    types:
-      - enos-verify-stable
-      - enos-verify-stable::*
-
-jobs:
-  enos-verify-stable:
-    name: Enos verify stable artifact
-    if: ${{ startsWith(github.event.client_payload.payload.branch, 'release/') }}
-    uses: ./.github/workflows/enos-run.yml
-    with:
-      artifact-source: artifactory
-      artifact-name: ${{ github.event.client_payload.payload.product }}_${{ github.event.client_payload.payload.version }}_linux_amd64.zip
-      artifact-revision: ${{ github.event.client_payload.payload.sha }}
-      artifact-version: ${{ github.event.client_payload.payload.version }}
-    secrets: inherit

.release/ci.hcl

@@ -175,18 +175,19 @@ event "verify" {
   }
 }
 
-event "enos-verify-stable" {
+event "enos-release-testing-oss" {
   depends = ["verify"]
-  action "enos-verify-stable" {
+  action "enos-release-testing-oss" {
     organization = "hashicorp"
     repository = "vault"
-    workflow = "enos-verify-stable"
+    workflow = "enos-release-testing-oss"
   }
 
   notification {
     on = "fail"
   }
 }
+
 ## These events are publish and post-publish events and should be added to the end of the file
 ## after the verify event stanza.
 

CODEOWNERS

@@ -39,5 +39,9 @@
 /ui/app/routes/vault/cluster/oidc-*.js @austingebauer
 
 # Release config; service account is required for automation tooling.
-/.release/                              @hashicorp/release-engineering @hashicorp/github-secure-vault-core
+/.release/                    @hashicorp/release-engineering @hashicorp/github-secure-vault-core @hashicorp/quality-team
-/.github/workflows/build.yml            @hashicorp/release-engineering @hashicorp/github-secure-vault-core
+/.github/workflows/build.yml  @hashicorp/release-engineering @hashicorp/github-secure-vault-core @hashicorp/quality-team
+
+# Quality engineering
+/.github/  @hashicorp/quality-team
+/enos/     @hashicorp/quality-team

Makefile

@@ -254,48 +254,72 @@ ci-verify:
 
 .NOTPARALLEL: ember-dist ember-dist-dev
 
-# These crt targets are used for release builds by .github/workflows/build.yml
+# These ci targets are used for used for building and testing in Github Actions
-# and for artifact_source:local Enos scenario variants.
+# workflows and for Enos scenarios.
-.PHONY: crt-build
+.PHONY: ci-build
-crt-build:
+ci-build:
-	@$(CURDIR)/scripts/crt-builder.sh build
+	@$(CURDIR)/scripts/ci-helper.sh build
 
-.PHONY: crt-build-ui
+.PHONY: ci-build-ui
-crt-build-ui:
+ci-build-ui:
-	@$(CURDIR)/scripts/crt-builder.sh build-ui
+	@$(CURDIR)/scripts/ci-helper.sh build-ui
 
-.PHONY: crt-bundle
+.PHONY: ci-bundle
-crt-bundle:
+ci-bundle:
-	@$(CURDIR)/scripts/crt-builder.sh bundle
+	@$(CURDIR)/scripts/ci-helper.sh bundle
 
-.PHONY: crt-get-artifact-basename
+.PHONY: ci-filter-matrix
-crt-get-artifact-basename:
+ci-filter-matrix:
-	@$(CURDIR)/scripts/crt-builder.sh artifact-basename
+	@$(CURDIR)/scripts/ci-helper.sh matrix-filter-file
 
-.PHONY: crt-get-date
+.PHONY: ci-get-artifact-basename
-crt-get-date:
+ci-get-artifact-basename:
-	@$(CURDIR)/scripts/crt-builder.sh date
+	@$(CURDIR)/scripts/ci-helper.sh artifact-basename
 
-.PHONY: crt-get-revision
+.PHONY: ci-get-date
-crt-get-revision:
+ci-get-date:
-	@$(CURDIR)/scripts/crt-builder.sh revision
+	@$(CURDIR)/scripts/ci-helper.sh date
 
-.PHONY: crt-get-version
+.PHONY: ci-get-matrix-group-id
-crt-get-version:
+ci-get-matrix-group-id:
-	@$(CURDIR)/scripts/crt-builder.sh version
+	@$(CURDIR)/scripts/ci-helper.sh matrix-group-id
 
-.PHONY: crt-get-version-base
+.PHONY: ci-get-revision
-crt-get-version-base:
+ci-get-revision:
-	@$(CURDIR)/scripts/crt-builder.sh version-base
+	@$(CURDIR)/scripts/ci-helper.sh revision
 
-.PHONY: crt-get-version-pre
+.PHONY: ci-get-version
-crt-get-version-pre:
+ci-get-version:
-	@$(CURDIR)/scripts/crt-builder.sh version-pre
+	@$(CURDIR)/scripts/ci-helper.sh version
 
-.PHONY: crt-get-version-meta
+.PHONY: ci-get-version-base
-crt-get-version-meta:
+ci-get-version-base:
-	@$(CURDIR)/scripts/crt-builder.sh version-meta
+	@$(CURDIR)/scripts/ci-helper.sh version-base
 
-.PHONY: crt-prepare-legal
+.PHONY: ci-get-version-major
-crt-prepare-legal:
+ci-get-version-major:
-	@$(CURDIR)/scripts/crt-builder.sh prepare-legal
+	@$(CURDIR)/scripts/ci-helper.sh version-major
+
+.PHONY: ci-get-version-meta
+ci-get-version-meta:
+	@$(CURDIR)/scripts/ci-helper.sh version-meta
+
+.PHONY: ci-get-version-minor
+ci-get-version-minor:
+	@$(CURDIR)/scripts/ci-helper.sh version-minor
+
+.PHONY: ci-get-version-package
+ci-get-version-package:
+	@$(CURDIR)/scripts/ci-helper.sh version-package
+
+.PHONY: ci-get-version-patch
+ci-get-version-patch:
+	@$(CURDIR)/scripts/ci-helper.sh version-patch
+
+.PHONY: ci-get-version-pre
+ci-get-version-pre:
+	@$(CURDIR)/scripts/ci-helper.sh version-pre
+
+.PHONY: ci-prepare-legal
+ci-prepare-legal:
+	@$(CURDIR)/scripts/ci-helper.sh prepare-legal

enos/enos-scenario-agent.hcl

@@ -3,7 +3,7 @@ scenario "agent" {
     arch            = ["amd64", "arm64"]
     artifact_source = ["local", "crt", "artifactory"]
     distro          = ["ubuntu", "rhel"]
-    edition         = ["oss", "ent"]
+    edition         = ["oss", "ent", "ent.fips1402", "ent.hsm", "ent.hsm.fips1402"]
   }
 
   terraform_cli = terraform_cli.default
@@ -16,8 +16,11 @@ scenario "agent" {
 
   locals {
     build_tags = {
-      "oss" = ["ui"]
+      "oss"              = ["ui"]
-      "ent" = ["enterprise", "ent"]
+      "ent"              = ["ui", "enterprise", "ent"]
+      "ent.fips1402"     = ["ui", "enterprise", "cgo", "hsm", "fips", "fips_140_2", "ent.fips1402"]
+      "ent.hsm"          = ["ui", "enterprise", "cgo", "hsm", "venthsm"]
+      "ent.hsm.fips1402" = ["ui", "enterprise", "cgo", "hsm", "fips", "fips_140_2", "ent.hsm.fips1402"]
     }
     bundle_path             = matrix.artifact_source != "artifactory" ? abspath(var.vault_bundle_path) : null
     dependencies_to_install = ["jq"]

enos/enos-scenario-autopilot.hcl

@@ -4,7 +4,7 @@ scenario "autopilot" {
     artifact_source = ["local", "crt", "artifactory"]
     artifact_type   = ["bundle", "package"]
     distro          = ["ubuntu", "rhel"]
-    edition         = ["ent"]
+    edition         = ["ent", "ent.fips1402", "ent.hsm", "ent.hsm.fips1402"]
     seal            = ["awskms", "shamir"]
   }
 
@@ -18,7 +18,10 @@ scenario "autopilot" {
 
   locals {
     build_tags = {
-      "ent" = ["enterprise", "ent"]
+      "ent"              = ["ui", "enterprise", "ent"]
+      "ent.fips1402"     = ["ui", "enterprise", "cgo", "hsm", "fips", "fips_140_2", "ent.fips1402"]
+      "ent.hsm"          = ["ui", "enterprise", "cgo", "hsm", "venthsm"]
+      "ent.hsm.fips1402" = ["ui", "enterprise", "cgo", "hsm", "fips", "fips_140_2", "ent.hsm.fips1402"]
     }
     bundle_path             = matrix.artifact_source != "artifactory" ? abspath(var.vault_bundle_path) : null
     dependencies_to_install = ["jq"]

enos/enos-scenario-smoke.hcl

@@ -4,9 +4,9 @@ scenario "smoke" {
     backend         = ["consul", "raft"]
     artifact_source = ["local", "crt", "artifactory"]
     artifact_type   = ["bundle", "package"]
-    consul_version  = ["1.13.2", "1.12.5", "1.11.10"]
+    consul_version  = ["1.14.2", "1.13.4", "1.12.7"]
     distro          = ["ubuntu", "rhel"]
-    edition         = ["oss", "ent"]
+    edition         = ["oss", "ent", "ent.fips1402", "ent.hsm", "ent.hsm.fips1402"]
     seal            = ["awskms", "shamir"]
 
     # Packages are not offered for the oss edition
@@ -26,8 +26,11 @@ scenario "smoke" {
 
   locals {
     build_tags = {
-      "oss" = ["ui"]
+      "oss"              = ["ui"]
-      "ent" = ["enterprise", "ent"]
+      "ent"              = ["ui", "enterprise", "ent"]
+      "ent.fips1402"     = ["ui", "enterprise", "cgo", "hsm", "fips", "fips_140_2", "ent.fips1402"]
+      "ent.hsm"          = ["ui", "enterprise", "cgo", "hsm", "venthsm"]
+      "ent.hsm.fips1402" = ["ui", "enterprise", "cgo", "hsm", "fips", "fips_140_2", "ent.hsm.fips1402"]
     }
     bundle_path             = matrix.artifact_source != "artifactory" ? abspath(var.vault_bundle_path) : null
     dependencies_to_install = ["jq"]
@@ -115,11 +118,11 @@ scenario "smoke" {
     depends_on = [step.create_vpc]
 
     providers = {
-      enos = local.enos_provider[matrix.distro]
+      enos = provider.enos.ubuntu
     }
 
     variables {
-      ami_id      = step.create_vpc.ami_ids[matrix.distro][matrix.arch]
+      ami_id      = step.create_vpc.ami_ids["ubuntu"]["amd64"]
       common_tags = local.tags
       consul_release = {
         edition = var.backend_edition

enos/enos-scenario-upgrade.hcl

@@ -4,9 +4,9 @@ scenario "upgrade" {
     backend         = ["consul", "raft"]
     artifact_source = ["local", "crt", "artifactory"]
     artifact_type   = ["bundle", "package"]
-    consul_version  = ["1.13.2", "1.12.5", "1.11.10"]
+    consul_version  = ["1.14.2", "1.13.4", "1.12.7"]
     distro          = ["ubuntu", "rhel"]
-    edition         = ["oss", "ent"]
+    edition         = ["oss", "ent", "ent.fips1402", "ent.hsm", "ent.hsm.fips1402"]
     seal            = ["awskms", "shamir"]
 
     # Packages are not offered for the oss edition
@@ -27,8 +27,11 @@ scenario "upgrade" {
 
   locals {
     build_tags = {
-      "oss" = ["ui"]
+      "oss"              = ["ui"]
-      "ent" = ["enterprise", "ent"]
+      "ent"              = ["ui", "enterprise", "ent"]
+      "ent.fips1402"     = ["ui", "enterprise", "cgo", "hsm", "fips", "fips_140_2", "ent.fips1402"]
+      "ent.hsm"          = ["ui", "enterprise", "cgo", "hsm", "venthsm"]
+      "ent.hsm.fips1402" = ["ui", "enterprise", "cgo", "hsm", "fips", "fips_140_2", "ent.hsm.fips1402"]
     }
     bundle_path             = matrix.artifact_source != "artifactory" ? abspath(var.vault_bundle_path) : null
     dependencies_to_install = ["jq"]

enos/modules/build_local/scripts/build.sh

@@ -8,5 +8,5 @@ export CGO_ENABLED=0
 
 root_dir="$(git rev-parse --show-toplevel)"
 pushd "$root_dir" > /dev/null
-make crt-build-ui crt-build crt-bundle
+make ci-build-ui ci-build ci-bundle
 popd > /dev/null

enos/modules/get_local_metadata/scripts/build_date.sh

@@ -2,5 +2,5 @@
 set -eu -o pipefail
 
 pushd "$(git rev-parse --show-toplevel)" > /dev/null
-make crt-get-date
+make ci-get-date
 popd > /dev/null

enos/modules/get_local_metadata/scripts/version.sh

@@ -2,5 +2,5 @@
 set -eu -o pipefail
 
 pushd "$(git rev-parse --show-toplevel)" > /dev/null
-make crt-get-version
+make ci-get-version
 popd > /dev/null

enos/modules/vault_verify_version/templates/verify-cluster-version.sh

@@ -1,15 +1,14 @@
 #!/usr/bin/env bash
 
-# The Vault smoke test to verify the Vault version installed
+# Verify the Vault "version" includes the correct base version, build date,
-
+# revision SHA, and edition metadata.
 set -e
 
 binpath=${vault_install_dir}/vault
 edition=${vault_edition}
 version=${vault_version}
 sha=${vault_revision}
-builddate=${vault_build_date}
+build_date=${vault_build_date}
-release="$version+$edition"
 
 fail() {
 	echo "$1" 1>&2
@@ -21,25 +20,20 @@ test -x "$binpath" || fail "unable to locate vault binary at $binpath"
 export VAULT_ADDR='http://127.0.0.1:8200'
 export VAULT_TOKEN='${vault_token}'
 
-if [[ "$builddate" != "" ]]; then
+# Build date was added in 1.11
-  build_date=$builddate
+if [[ "$(echo "$version" |awk -F'.' '{print $2}')" -ge 11 ]]; then
-else
-  build_date=$("$binpath" status -format=json | jq -Mr .build_date)
-fi
-
-if [[ "$(echo $version |awk -F'.' '{print $2}')" -ge 11 ]]; then
   version_expected="Vault v$version ($sha), built $build_date"
 else
   version_expected="Vault v$version ($sha)"
 fi
 
-case "$release" in
+case "$edition" in
-  *+oss) ;;
+  *oss) ;;
-  *+ent) ;;
+  *ent) ;;
-  *+ent.hsm) version_expected="$version_expected (cgo)";;
+  *ent.hsm) version_expected="$version_expected (cgo)";;
-  *+ent.fips1402) version_expected="$version_expected (cgo)" ;;
+  *ent.fips1402) version_expected="$version_expected (cgo)" ;;
-  *+ent.hsm.fips1402) version_expected="$version_expected (cgo)" ;;
+  *ent.hsm.fips1402) version_expected="$version_expected (cgo)" ;;
-  *) fail "($release) file doesn't match any known license types"
+  *) fail "Unknown Vault edition: ($edition)" ;;
 esac
 
 version_expected_nosha=$(echo "$version_expected" | awk '!($3="")' | sed 's/  / /' | sed -e 's/[[:space:]]*$//')

scripts/build.sh

@@ -18,10 +18,10 @@ cd "$DIR"
 BUILD_TAGS="${BUILD_TAGS:-"vault"}"
 
 # Get the git commit
-GIT_COMMIT="$("$SOURCE_DIR"/crt-builder.sh revision)"
+GIT_COMMIT="$("$SOURCE_DIR"/ci-helper.sh revision)"
 GIT_DIRTY="$(test -n "`git status --porcelain`" && echo "+CHANGES" || true)"
 
-BUILD_DATE="$("$SOURCE_DIR"/crt-builder.sh date)"
+BUILD_DATE="$("$SOURCE_DIR"/ci-helper.sh date)"
 
 GOPATH=${GOPATH:-$(${GO_CMD} env GOPATH)}
 case $(uname) in

scripts/ci-helper.sh

@@ -1,8 +1,7 @@
 #!/usr/bin/env bash
 
-# The crt-builder is used to detemine build metadata and create Vault builds.
+# The ci-helper is used to determine build metadata, build Vault binaries,
-# We use it in build-vault.yml for building release artifacts with CRT. It is
+# package those binaries into artifacts, and execute tests with those artifacts.
-# also used by Enos for artifact_source:local scenario variants.
 
 set -euo pipefail
 
@@ -43,6 +42,21 @@ function version_base() {
   awk '$1 == "Version" && $2 == "=" { gsub(/"/, "", $3); print $3 }' < "$VERSION_FILE"
 }
 
+# Get the version major
+function version_major() {
+  version_base | cut -d '.' -f 1
+}
+
+# Get the version minor
+function version_minor() {
+  version_base | cut -d '.' -f 2
+}
+
+# Get the version patch
+function version_patch() {
+  version_base | cut -d '.' -f 3
+}
+
 # Get the version pre-release
 function version_pre() {
   : "${VAULT_PRERELEASE:=""}"
@@ -60,7 +74,7 @@ function version_pre() {
 function version_metadata() {
   : "${VAULT_METADATA:=""}"
 
-  if [ -n "$VAULT_METADATA" ]; then
+  if [[ (-n "$VAULT_METADATA") && ("$VAULT_METADATA" != "oss") ]]; then
     echo "$VAULT_METADATA"
     return
   fi
@@ -69,6 +83,11 @@ function version_metadata() {
   awk '$1 == "VersionMetadata" && $2 == "=" { gsub(/"/, "", $3); print $3 }' < "$VERSION_FILE"
 }
 
+# Get the version formatted for Debian and RHEL packages
+function version_package() {
+  version | awk '{ gsub("-","~",$1); print $1 }'
+}
+
 # Get the build date from the latest commit since it can be used across all
 # builds
 function build_date() {
@@ -152,7 +171,7 @@ function build() {
   fi
 
   if [ -n "$metadata" ]; then
-    msg="${msg}, metadata ${VAULT_METADATA}"
+    msg="${msg}, metadata ${metadata}"
     ldflags="${ldflags} -X github.com/hashicorp/vault/version.VersionMetadata=$metadata"
   fi
 
@@ -167,7 +186,7 @@ function build() {
   popd
 }
 
-# Bundle the dist directory
+# Bundle the dist directory into a zip
 function bundle() {
   : "${BUNDLE_PATH:=$(repo_root)/vault.zip}"
   echo "--> Bundling dist/* to $BUNDLE_PATH"
@@ -188,7 +207,50 @@ function prepare_legal() {
   popd
 }
 
-# Run the CRT Builder
+# Determine the matrix group number that we'll select for execution. If the
+# MATRIX_TEST_GROUP environment variable has set then it will always return
+# that value. If has not been set, we will randomly select a number between 1
+# and the value of MATRIX_MAX_TEST_GROUPS.
+function matrix_group_id() {
+  : "${MATRIX_TEST_GROUP:=""}"
+  if [ -n "$MATRIX_TEST_GROUP" ]; then
+    echo "$MATRIX_TEST_GROUP"
+    return
+  fi
+
+  : "${MATRIX_MAX_TEST_GROUPS:=1}"
+  awk -v min=1 -v max=$MATRIX_MAX_TEST_GROUPS 'BEGIN{srand(); print int(min+rand()*(max-min+1))}'
+}
+
+# Filter matrix file reads in the contents of MATRIX_FILE and filters out
+# scenarios that are not in the current test group and/or those that have not
+# met minimux or maximum version requirements.
+function matrix_filter_file() {
+  : "${MATRIX_FILE:=""}"
+  if [ -z "$MATRIX_FILE" ]; then
+    echo "You must specify the MATRIX_FILE variable for this command" >&2
+    exit 1
+  fi
+
+  : "${MATRIX_TEST_GROUP:=$(matrix_group_id)}"
+
+  local path
+  local matrix
+  path=$(readlink -f $MATRIX_FILE)
+  matrix=$(cat "$path" | jq ".include |
+    map(. |
+      select(
+        ((.min_minor_version == null) or (.min_minor_version <= $(version_minor))) and
+        ((.max_minor_version == null) or (.max_minor_version >= $(version_minor))) and
+        ((.test_group == null) or (.test_group == $MATRIX_TEST_GROUP))
+      )
+    )"
+  )
+
+  echo "{\"include\":$matrix}" | jq -c .
+}
+
+# Run the CI Helper
 function main() {
   case $1 in
   artifact-basename)
@@ -209,6 +271,12 @@ function main() {
   prepare-legal)
     prepare_legal
   ;;
+  matrix-filter-file)
+    matrix_filter_file
+  ;;
+  matrix-group-id)
+    matrix_group_id
+  ;;
   revision)
     build_revision
   ;;
@@ -221,9 +289,21 @@ function main() {
   version-pre)
     version_pre
   ;;
+  version-major)
+    version_major
+  ;;
   version-meta)
     version_metadata
   ;;
+  version-minor)
+    version_minor
+  ;;
+  version-package)
+    version_package
+  ;;
+  version-patch)
+    version_patch
+  ;;
   *)
     echo "unknown sub-command" >&2
     exit 1