mirror of
https://github.com/hashicorp/vault.git
synced 2026-02-03 20:40:45 -05:00
b3f173756d
Update to the latest actions. The primary motivation here is to get the
latest action-setup-enos.
- actions/cache => v5.0.3: security patches
- actions/checkout => v6.0.2: small fixes to git user-agent and tag
fetching
- hashicorp/action-setup-enos => v1.50: security patches
Signed-off-by: Ryan Cragun <me@ryan.ec>
Co-authored-by: Ryan Cragun <me@ryan.ec>
143 lines
6.6 KiB
YAML
143 lines
6.6 KiB
YAML
---
|
|
name: enos-containers
|
|
|
|
on:
|
|
# Only trigger this working using workflow_call. This workflow requires many
|
|
# secrets that must be inherited from the caller workflow.
|
|
workflow_call:
|
|
inputs:
|
|
# The name of the artifact that we're going to use for testing. This should
|
|
# match exactly to build artifacts uploaded to Github and Artifactory.
|
|
build-artifact-name:
|
|
required: true
|
|
type: string
|
|
# The maximum number of scenarios to include in the test sample.
|
|
sample-max:
|
|
default: 1
|
|
type: number
|
|
# The name of the enos scenario sample that defines compatible scenarios we can
|
|
# can test with.
|
|
sample-name:
|
|
required: true
|
|
type: string
|
|
vault-edition:
|
|
required: false
|
|
type: string
|
|
default: ce
|
|
# The Git commit SHA used as the revision when building vault
|
|
vault-revision:
|
|
required: true
|
|
type: string
|
|
vault-version:
|
|
required: true
|
|
type: string
|
|
|
|
jobs:
|
|
metadata:
|
|
runs-on: ${{ github.repository == 'hashicorp/vault' && 'ubuntu-latest' || fromJSON('["self-hosted","ubuntu-latest-x64"]') }}
|
|
outputs:
|
|
build-date: ${{ steps.metadata.outputs.build-date }}
|
|
is-ent-repo: ${{ steps.global-metadata.outputs.is-ent-repo }}
|
|
sample: ${{ steps.metadata.outputs.sample }}
|
|
vault-version: ${{ steps.metadata.outputs.vault-version }}
|
|
steps:
|
|
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
|
|
with:
|
|
ref: ${{ inputs.vault-revision }}
|
|
- uses: hashicorp/action-setup-enos@17b90fcf9591275b468a94aefb9dc6a93017de8a # v1.50
|
|
with:
|
|
github-token: ${{ secrets.ELEVATED_GITHUB_TOKEN }}
|
|
- uses: ./.github/actions/metadata
|
|
id: global-metadata
|
|
- id: metadata
|
|
run: |
|
|
build_date=$(make ci-get-date)
|
|
sample_seed=$(date +%s)
|
|
if ! sample=$(enos scenario sample observe "${{ inputs.sample-name }}" --chdir ./enos/k8s --min 1 --max "${{ inputs.sample-max }}" --seed "${sample_seed}" --format json | jq -c ".observation.elements"); then
|
|
echo "failed to do sample observation: $sample" 2>&1
|
|
exit 1
|
|
fi
|
|
if [[ "${{ inputs.vault-edition }}" == "ce" ]]; then
|
|
vault_version="${{ inputs.vault-version }}"
|
|
else
|
|
# shellcheck disable=2001
|
|
vault_version="$(sed 's/+ent/+${{ inputs.vault-edition }}/g' <<< '${{ inputs.vault-version }}')"
|
|
fi
|
|
{
|
|
echo "build-date=${build_date}"
|
|
echo "vault-version=${vault_version}"
|
|
echo "sample=${sample}"
|
|
echo "sample-seed=${sample_seed}" # This isn't used outside of here but is nice to know for duplicating observations
|
|
} | tee -a "$GITHUB_OUTPUT"
|
|
|
|
run:
|
|
needs: metadata
|
|
name: run ${{ matrix.scenario.id.filter }}
|
|
runs-on: ${{ fromJSON(needs.metadata.outputs.is-ent-repo == 'true' && (contains(inputs.build-artifact-name, 'arm64') && '["self-hosted","ondemand","os=ubuntu-arm","type=c6g.xlarge;c6g.2xlarge;c6g.4xlarge"]' || '["self-hosted","ubuntu-latest-x64"]') || (contains(inputs.build-artifact-name, 'arm64') && '"ubuntu-22.04-arm"' || '"ubuntu-latest"')) }}
|
|
strategy:
|
|
fail-fast: false # don't fail as that can skip required cleanup steps for jobs
|
|
matrix:
|
|
include: ${{ fromJSON(needs.metadata.outputs.sample) }}
|
|
env:
|
|
GITHUB_TOKEN: ${{ secrets.ELEVATED_GITHUB_TOKEN }}
|
|
steps:
|
|
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
|
|
- uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2
|
|
with:
|
|
# the Terraform wrapper will break Terraform execution in Enos because
|
|
# it changes the output to text when we expect it to be JSON.
|
|
terraform_wrapper: false
|
|
- uses: hashicorp/action-setup-enos@17b90fcf9591275b468a94aefb9dc6a93017de8a # v1.50
|
|
with:
|
|
github-token: ${{ secrets.ELEVATED_GITHUB_TOKEN }}
|
|
- name: Download Docker Image
|
|
id: download
|
|
uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
|
|
with:
|
|
name: ${{ inputs.build-artifact-name }}
|
|
path: ./enos/support/downloads
|
|
- if: inputs.vault-edition != 'ce'
|
|
name: Configure license
|
|
run: |
|
|
echo "${{ secrets.VAULT_LICENSE }}" > ./enos/support/vault.hclic || true
|
|
- name: Run Enos scenario
|
|
id: run
|
|
# Continue once and retry to handle occasional blips when creating
|
|
# infrastructure.
|
|
continue-on-error: true
|
|
env:
|
|
ENOS_VAR_terraform_plugin_cache_dir: ../support/terraform-plugin-cache
|
|
ENOS_VAR_vault_build_date: ${{ needs.metadata.outputs.build-date }}
|
|
ENOS_VAR_vault_version: ${{ needs.metadata.outputs.vault-version }}
|
|
ENOS_VAR_vault_revision: ${{ inputs.vault-revision }}
|
|
ENOS_VAR_container_image_archive: ${{steps.download.outputs.download-path}}/${{ inputs.build-artifact-name }}
|
|
run: |
|
|
mkdir -p ./enos/support/terraform-plugin-cache
|
|
enos scenario run --timeout 10m0s --chdir ./enos/k8s ${{ matrix.scenario.id.filter }}
|
|
- name: Retry Enos scenario
|
|
id: run_retry
|
|
if: steps.run.outcome == 'failure'
|
|
env:
|
|
ENOS_VAR_terraform_plugin_cache_dir: ../support/terraform-plugin-cache
|
|
ENOS_VAR_vault_build_date: ${{ needs.metadata.outputs.build-date }}
|
|
ENOS_VAR_vault_version: ${{ needs.metadata.outputs.vault-version }}
|
|
ENOS_VAR_vault_revision: ${{ inputs.vault-revision }}
|
|
ENOS_VAR_container_image_archive: ${{steps.download.outputs.download-path}}/${{ inputs.build-artifact-name }}
|
|
run: |
|
|
enos scenario run --timeout 10m0s --chdir ./enos/k8s ${{ matrix.scenario.id.filter }}
|
|
- name: Destroy Enos scenario
|
|
if: ${{ always() }}
|
|
env:
|
|
ENOS_VAR_terraform_plugin_cache_dir: ../support/terraform-plugin-cache
|
|
ENOS_VAR_vault_build_date: ${{ needs.metadata.outputs.build-date }}
|
|
ENOS_VAR_vault_version: ${{ needs.metadata.outputs.vault-version }}
|
|
ENOS_VAR_vault_revision: ${{ inputs.vault-revision }}
|
|
ENOS_VAR_container_image_archive: ${{steps.download.outputs.download-path}}/${{ inputs.build-artifact-name }}
|
|
run: |
|
|
enos scenario destroy --timeout 10m0s --grpc-listen http://localhost --chdir ./enos/k8s ${{ matrix.scenario.id.filter }}
|
|
- name: Cleanup Enos runtime directories
|
|
if: ${{ always() }}
|
|
run: |
|
|
rm -rf /tmp/enos*
|
|
rm -rf ./enos/support
|
|
rm -rf ./enos/k8s/.enos
|