upstream/vault
1
0
Fork 0
mirror of https://github.com/hashicorp/vault.git synced 2026-06-27 18:10:26 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions 2
vault/enos/enos-globals.hcl
Vault Automation ad9a5b1e0a
[VAULT-34888] enos: backport changes for Fyre scenarios for testing on linux/s390x 
Add support for running enos on Fyre with support for linux/s390x,
linux/amd64, and linux/ppc64le. The enterprise version of this PR
has enterprise only scenarios. The changes reflected here are on
shared modules.

We now have three new fyre modules that are can swap in-place of
create_vpc, ec2_info, and target_ec2_instances:
create_vpc_fyre_shim, fyre_os_info and target_fyre_vms. This pass
doesn't make them adhered 1:1 as module interfaces but that can come
later when the base scenarios are merged.

The only major change we had to make to long existing modules was
supporting leader_api_addr for discovery. Historically we've always used
cloud based node discovery but that's obviously not available in Fyre.
Nowyou can set the retry_join variable to either local_api_addr or
aws.

We also modify our integration containers to use those available from
the HashiCorp docker mirror. We do this because we pull those images
unauthenticated and thus share the same external address as the larger
network, which makes the likelihood of throttling very high.

To maintain the goal of the Fyre scenarios not requiring AWS credentials, I
had to move the AWS secrets verification into it's own module. That allows
us now to simply not include it, but later if/when we include it we can have
scenarios with the Fyre backend compile them out by skipping.

This PR is massive and covers the following tickets:

    VAULT-40635
    VAULT-40636
    VAULT-44591
    VAULT-34888
    VAULT-34887
    VAULT-34886
    VAULT-34885
    VAULT-34884

Signed-off-by: Ryan Cragun <me@ryan.ec>
Co-authored-by: Ryan Cragun <me@ryan.ec>
2026-06-22 10:21:47 -06:00

305 lines
9.8 KiB
HCL
Raw Blame History

// Copyright IBM Corp. 2016, 2025
// SPDX-License-Identifier: BUSL-1.1
globals {
archs = ["amd64", "arm64"]
artifact_sources = ["local", "crt", "artifactory"]
artifact_types = ["bundle", "package"]
backends = ["consul", "raft"]
backend_license_path = abspath(var.backend_license_path != null ? var.backend_license_path : joinpath(path.root, "./support/consul.hclic"))
backend_tag_key = "VaultStorage"
build_tags = {
"ce" = ["ui"]
"ent" = ["ui", "enterprise", "ent"]
"ent.fips1403" = ["ui", "enterprise", "cgo", "hsm", "fips", "fips_140_3", "ent.fips1403"]
"ent.hsm" = ["ui", "enterprise", "cgo", "hsm", "venthsm"]
"ent.hsm.fips1403" = ["ui", "enterprise", "cgo", "hsm", "fips", "fips_140_3", "ent.hsm.fips1403"]
}
config_modes = ["env", "file"]
consul_editions = ["ce", "ent"]
consul_versions = ["1.18.2", "1.19.2", "1.20.6", "1.21.1"]
distros_aws = ["amzn", "rhel", "sles", "ubuntu"]
distros_fyre = ["centos", "rhel", "rocky", "sles", "ubuntu"]
// Different distros may require different packages, or use different aliases for the same package
distro_packages = {
// NOTE: These versions must always match the output of enos_host_info.target_distro. They are
// also used in various modules `artifact`, `ec2_info`, and `softhsm_install`. If you are adding
// or modifying keys you probably have to update those modules.
amzn = {
"2" = ["nc", "openldap-clients"]
"2023" = ["nc", "openldap-clients"]
}
centos = {
"9" = ["nc", "openldap-clients"]
"10" = ["nc", "openldap-clients"]
}
rhel = {
"8.10" = ["nc", "openldap-clients"]
"9.6" = ["nc", "openldap-clients"]
"9.7" = ["nc", "openldap-clients"]
"9.8" = ["nc", "openldap-clients"]
"10.0" = ["nc", "openldap-clients"]
"10.1" = ["nc", "openldap-clients"]
"10.2" = ["nc", "openldap-clients"]
}
rocky = {
"8.10" = ["nc", "openldap-clients"]
"9.7" = ["nc", "openldap-clients"]
"9.8" = ["nc", "openldap-clients"]
"10.1" = ["nc", "openldap-clients"]
"10.2" = ["nc", "openldap-clients"]
}
sles = {
// When installing Vault RPM packages on a SLES AMI, the openssl package provided
// isn't named "openssl, which rpm doesn't know how to handle. Therefore we add the
// "correctly" named one in our package installation before installing Vault.
"15.7" = ["netcat-openbsd", "openssl", "openldap2-client"]
"16.0" = ["netcat-openbsd", "openssl", "openldap2-client"]
}
ubuntu = {
"22.04" = ["netcat", "ldap-utils"]
"24.04" = ["netcat-openbsd", "ldap-utils"]
"26.04" = ["netcat-openbsd", "ldap-utils"]
}
}
distro_version = {
amzn = var.distro_version_amzn
centos = var.distro_version_centos
rhel = var.distro_version_rhel
rocky = var.distro_version_rhel
sles = var.distro_version_sles
ubuntu = var.distro_version_ubuntu
}
# NOTE: These were generated from fyre_os_info for SVL on 6/9/25. They're a
# moving target so it's likely they'll need to be updated in the future.
# Make sure distro_packages is updated for any changes that are made here.
distro_versions_fyre = {
amd64 = {
centos = ["10", "9"]
rhel = ["10.1", "10.0", "9.6", "8.10"]
rocky = ["10.1", "9.7", "8.10"]
sles = ["16.0", "15.7"]
ubuntu = ["26.04", "24.04", "22.04"]
}
ppc64le = {
centos = ["10", "9"]
rhel = ["10.2", "10.0", "9.8", "9.6", "8.10"]
rocky = ["10.2", "10.1", "9.7", "9.8"]
sles = ["16.0", "15.7"]
ubuntu = ["26.04", "24.04", "22.04"]
}
s390x = {
centos = []
rhel = ["10.0", "8.10", "9.6"]
rocky = []
sles = ["16.0", "15.7"]
ubuntu = ["24.04", "22.04"]
}
}
# The default versions we each architecture/distro combo. We currently use
# the latest as that's how things are ordered up above. When we start running
# these scenarios we'll use the distro_versions_fyre as sample attributes to
# distribute over all versions.
distro_version_fyre = {
amd64 = {
centos = global.distro_versions_fyre["amd64"]["centos"][0]
rhel = global.distro_versions_fyre["amd64"]["rhel"][0]
rocky = global.distro_versions_fyre["amd64"]["rocky"][0]
sles = global.distro_versions_fyre["amd64"]["sles"][0]
ubuntu = global.distro_versions_fyre["amd64"]["ubuntu"][0]
}
ppc64le = {
centos = global.distro_versions_fyre["ppc64le"]["centos"][0]
rhel = global.distro_versions_fyre["ppc64le"]["rhel"][0]
rocky = global.distro_versions_fyre["ppc64le"]["rocky"][0]
sles = global.distro_versions_fyre["ppc64le"]["sles"][0]
ubuntu = global.distro_versions_fyre["ppc64le"]["ubuntu"][0]
}
s390x = {
centos = null
rhel = global.distro_versions_fyre["s390x"]["rhel"][0]
rocky = null
sles = global.distro_versions_fyre["s390x"]["sles"][0]
ubuntu = global.distro_versions_fyre["s390x"]["ubuntu"][0]
}
}
editions = ["ce", "ent", "ent.fips1403", "ent.hsm", "ent.hsm.fips1403"]
enterprise_editions = [for e in global.editions : e if e != "ce"]
ip_versions = ["4", "6"]
package_manager = {
"amzn" = "yum"
"centos" = "yum"
"rhel" = "yum"
"rocky" = "yum"
"sles" = "zypper"
"ubuntu" = "apt"
}
packages = ["jq"]
// Ports that we'll open up for ingress in the security group for all target machines.
// Port protocol maps to the IpProtocol schema: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_IpPermission.html
// Ports that we'll open up for ingress in the security group for all Vault target machines.
vault_cluster_ports = {
vault_agent : {
description = "Vault Agent"
port = 8100
protocol = "tcp"
},
vault_proxy : {
description = "Vault Proxy"
port = 8101
protocol = "tcp"
},
vault_listener : {
description = "Vault Addr listener"
port = 8200
protocol = "tcp"
},
vault_cluster : {
description = "Vault Cluster listener"
port = 8201
protocol = "tcp"
}
}
// Ports that we'll open up for ingress in the security group for all Consul target machines.
consul_cluster_ports = {
consul_rpc : {
description = "Consul internal communication"
port = 8300
protocol = "tcp"
},
consul_serf_lan_tcp : {
description = "Consul Serf LAN TCP"
port = 8301
protocol = "tcp"
},
consul_serf_lan_udp : {
description = "Consul Serf LAN UDP"
port = 8301
protocol = "udp"
},
consul_serf_wan_tcp : {
description = "Consul Serf WAN TCP"
port = 8302
protocol = "tcp"
},
consul_serf_wan_udp : {
description = "Consul Serf WAN UDP"
port = 8302
protocol = "udp"
},
consul_http : {
description = "Consul HTTP API"
port = 8500
protocol = "tcp"
},
consul_https : {
description = "Consul HTTPS API"
port = 8501
protocol = "tcp"
},
consul_grpc : {
description = "Consul gRPC API"
port = 8502
protocol = "tcp"
},
consul_grpc_tls : {
description = "Consul gRPC TLS API"
port = 8503
protocol = "tcp"
},
consul_dns_tcp : {
description = "Consul TCP DNS Server"
port = 8600
protocol = "tcp"
},
consul_dns_udp : {
description = "Consul UDP DNS Server"
port = 8600
protocol = "udp"
}
}
ingress_ports = {
ssh : {
description = "SSH"
port = 22
protocol = "tcp"
}
}
// Database configurations for Vault database secrets engine testing
database_configs = {
postgres : {
port = 5432
version = "16-alpine"
username = "postgres"
password = "secret"
database = "postgres"
description = "PostgreSQL Server"
},
mongodb : {
port = 27017
version = "7.0"
username = "admin"
password = "secret"
database = "admin"
description = "MongoDB Server"
},
mysql : {
port = 3306
version = "8.0"
username = "root"
password = "secret"
database = "mysql"
description = "MySQL Server"
}
}
// Ports that we'll open up for ingress in the security group for all external integration target machines.
integration_host_ports = merge(
{
ldap : {
description = "LDAP"
port = 389
protocol = "tcp"
},
ldaps : {
description = "LDAPS"
port = 636
protocol = "tcp"
},
kmip : {
description = "KMIP Server"
port = 5696
protocol = "tcp"
}
},
// Add database ports dynamically from database_configs
{ for db_name, db_config in global.database_configs : db_name => {
description = db_config.description
port = db_config.port
protocol = "tcp"
} }
)
// Combine all ports into a single map
ports = merge(
global.vault_cluster_ports,
global.consul_cluster_ports,
global.ingress_ports,
global.integration_host_ports
)
seals = ["awskms", "pkcs11", "shamir"]
tags = merge({
"Project Name" : var.project_name
"Project" : "Enos",
"Environment" : "ci"
}, var.tags)
vault_install_dir = {
bundle = "/opt/vault/bin"
package = "/usr/bin"
}
vault_license_path = abspath(var.vault_license_path != null ? var.vault_license_path : joinpath(path.root, "./support/vault.hclic"))
vault_tag_key = "vault-cluster"
vault_disable_mlock = false
}
Reference in a new issue View git blame Copy permalink