mirror of
https://github.com/optim-enterprises-bv/vault.git
synced 2025-10-30 02:02:43 +00:00
174da88b9d
* VAULT-28146: Add IPV6 support to enos scenarios Add support for testing all raft storage scenarios and variants when running Vault with IPV6 networking. We retain our previous support for IPV4 and create a new variant `ip_version` which can be used to configure the IP version that we wish to test with. It's important to note that the VPC in IPV6 mode is technically mixed and that target machines still associate public IPV6 addresses. That allows us to execute our resources against them from IPV4 networks like developer machines and CI runners. Despite that, we've taken care to ensure that only IPV6 addresses are used in IPV6 mode. Because we previously had assumed the IP Version, Vault address, and listener ports in so many places, this PR is essentially a rewrite and removal of those assumptions. There are also a few places where improvements to scenarios have been included as I encountered them while working on the IPV6 changes. Signed-off-by: Ryan Cragun <me@ryan.ec>
168 lines
6.1 KiB
HCL
168 lines
6.1 KiB
HCL
// Copyright (c) HashiCorp, Inc.
|
|
// SPDX-License-Identifier: BUSL-1.1
|
|
|
|
globals {
|
|
archs = ["amd64", "arm64"]
|
|
artifact_sources = ["local", "crt", "artifactory"]
|
|
artifact_types = ["bundle", "package"]
|
|
backends = ["consul", "raft"]
|
|
backend_license_path = abspath(var.backend_license_path != null ? var.backend_license_path : joinpath(path.root, "./support/consul.hclic"))
|
|
backend_tag_key = "VaultStorage"
|
|
build_tags = {
|
|
"ce" = ["ui"]
|
|
"ent" = ["ui", "enterprise", "ent"]
|
|
"ent.fips1402" = ["ui", "enterprise", "cgo", "hsm", "fips", "fips_140_2", "ent.fips1402"]
|
|
"ent.hsm" = ["ui", "enterprise", "cgo", "hsm", "venthsm"]
|
|
"ent.hsm.fips1402" = ["ui", "enterprise", "cgo", "hsm", "fips", "fips_140_2", "ent.hsm.fips1402"]
|
|
}
|
|
config_modes = ["env", "file"]
|
|
consul_editions = ["ce", "ent"]
|
|
consul_versions = ["1.14.11", "1.15.7", "1.16.3", "1.17.0"]
|
|
distros = ["amzn2", "leap", "rhel", "sles", "ubuntu"]
|
|
// Different distros may require different packages, or use different aliases for the same package
|
|
distro_packages = {
|
|
amzn2 = ["nc"]
|
|
leap = ["netcat", "openssl"]
|
|
rhel = ["nc"]
|
|
// When installing Vault RPM packages on a SLES AMI, the openssl package provided
|
|
// isn't named "openssl, which rpm doesn't know how to handle. Therefore we add the
|
|
// "correctly" named one in our package installation before installing Vault.
|
|
sles = ["netcat-openbsd", "openssl"]
|
|
ubuntu = ["netcat"]
|
|
}
|
|
distro_version = {
|
|
amzn2 = var.distro_version_amzn2
|
|
leap = var.distro_version_leap
|
|
rhel = var.distro_version_rhel
|
|
sles = var.distro_version_sles
|
|
ubuntu = var.distro_version_ubuntu
|
|
}
|
|
editions = ["ce", "ent", "ent.fips1402", "ent.hsm", "ent.hsm.fips1402"]
|
|
enterprise_editions = [for e in global.editions : e if e != "ce"]
|
|
ip_versions = ["4", "6"]
|
|
package_manager = {
|
|
"amzn2" = "yum"
|
|
"leap" = "zypper"
|
|
"rhel" = "yum"
|
|
"sles" = "zypper"
|
|
"ubuntu" = "apt"
|
|
}
|
|
packages = ["jq"]
|
|
// Ports that we'll open up for ingress in the security group for all target machines.
|
|
// Port protocol maps to the IpProtocol schema: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_IpPermission.html
|
|
ports = {
|
|
ssh : {
|
|
description = "SSH"
|
|
port = 22
|
|
protocol = "tcp"
|
|
},
|
|
vault_agent : {
|
|
description = "Vault Agent"
|
|
port = 8100
|
|
protocol = "tcp"
|
|
},
|
|
vault_proxy : {
|
|
description = "Vault Proxy"
|
|
port = 8101
|
|
protocol = "tcp"
|
|
},
|
|
vault_listener : {
|
|
description = "Vault Addr listener"
|
|
port = 8200
|
|
protocol = "tcp"
|
|
},
|
|
vault_cluster : {
|
|
description = "Vault Cluster listener"
|
|
port = 8201
|
|
protocol = "tcp"
|
|
},
|
|
consul_rpc : {
|
|
description = "Consul internal communication"
|
|
port = 8300
|
|
protocol = "tcp"
|
|
},
|
|
consul_serf_lan_tcp : {
|
|
description = "Consul Serf LAN TCP"
|
|
port = 8301
|
|
protocol = "tcp"
|
|
},
|
|
consul_serf_lan_udp : {
|
|
description = "Consul Serf LAN UDP"
|
|
port = 8301
|
|
protocol = "udp"
|
|
},
|
|
consul_serf_wan_tcp : {
|
|
description = "Consul Serf WAN TCP"
|
|
port = 8302
|
|
protocol = "tcp"
|
|
},
|
|
consul_serf_wan_udp : {
|
|
description = "Consul Serf WAN UDP"
|
|
port = 8302
|
|
protocol = "udp"
|
|
},
|
|
consul_http : {
|
|
description = "Consul HTTP API"
|
|
port = 8500
|
|
protocol = "tcp"
|
|
},
|
|
consul_https : {
|
|
description = "Consul HTTPS API"
|
|
port = 8501
|
|
protocol = "tcp"
|
|
},
|
|
consul_grpc : {
|
|
description = "Consul gRPC API"
|
|
port = 8502
|
|
protocol = "tcp"
|
|
},
|
|
consul_grpc_tls : {
|
|
description = "Consul gRPC TLS API"
|
|
port = 8503
|
|
protocol = "tcp"
|
|
},
|
|
consul_dns_tcp : {
|
|
description = "Consul TCP DNS Server"
|
|
port = 8600
|
|
protocol = "tcp"
|
|
},
|
|
consul_dns_udp : {
|
|
description = "Consul UDP DNS Server"
|
|
port = 8600
|
|
protocol = "udp"
|
|
},
|
|
}
|
|
sample_attributes = {
|
|
aws_region = ["us-east-1", "us-west-2"]
|
|
distro_version_amzn2 = ["2"]
|
|
distro_version_leap = ["15.5"]
|
|
distro_version_rhel = ["8.9", "9.3"]
|
|
distro_version_sles = ["v15_sp5_standard"]
|
|
distro_version_ubuntu = ["20.04", "22.04"]
|
|
}
|
|
seals = ["awskms", "pkcs11", "shamir"]
|
|
tags = merge({
|
|
"Project Name" : var.project_name
|
|
"Project" : "Enos",
|
|
"Environment" : "ci"
|
|
}, var.tags)
|
|
// This reads the VERSION file, strips any pre-release metadata, and selects only initial
|
|
// versions that are less than our current version. E.g. A VERSION file containing 1.17.0-beta2
|
|
// would render: semverconstraint(v, "<1.17.0-0")
|
|
upgrade_version_stripped = join("-", [split("-", chomp(file("../version/VERSION")))[0], "0"])
|
|
// NOTE: when backporting, make sure that our initial versions are less than that
|
|
// release branch's version. Also beware if adding versions below 1.11.x. Some scenarios
|
|
// that use this global might not work as expected with earlier versions. Below 1.8.x is
|
|
// not supported in any way.
|
|
upgrade_all_initial_versions_ce = ["1.8.12", "1.9.10", "1.10.11", "1.11.12", "1.12.11", "1.13.13", "1.14.10", "1.15.6", "1.16.3", "1.17.0"]
|
|
upgrade_all_initial_versions_ent = ["1.8.12", "1.9.10", "1.10.11", "1.11.12", "1.12.11", "1.13.13", "1.14.13", "1.15.10", "1.16.4", "1.17.0"]
|
|
upgrade_initial_versions_ce = [for v in global.upgrade_all_initial_versions_ce : v if semverconstraint(v, "<${global.upgrade_version_stripped}")]
|
|
upgrade_initial_versions_ent = [for v in global.upgrade_all_initial_versions_ent : v if semverconstraint(v, "<${global.upgrade_version_stripped}")]
|
|
vault_install_dir = {
|
|
bundle = "/opt/vault/bin"
|
|
package = "/usr/bin"
|
|
}
|
|
vault_license_path = abspath(var.vault_license_path != null ? var.vault_license_path : joinpath(path.root, "./support/vault.hclic"))
|
|
vault_tag_key = "vault-cluster"
|
|
}
|