mirrors/vault
1
0
Fork 0
mirror of https://github.com/hashicorp/vault.git synced 2025-08-06 06:37:02 +02:00
Code Issues Projects Releases Wiki Activity

VAULT-31185 & 31186/use identity token auth for Artifactory in Vault CE & Ent (#31255)

Browse Source 
* removed artifactory_username

* updated artifactory token

* ran enos fmt

* ran terraform fmt

* debugging/ testing - pinned enos version, added null username

* byyyyy
This commit is contained in:
kelly 2025-07-28 12:16:25 -04:00 committed by GitHub
parent a47862e435
commit f0201408b4
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
19 changed files with 149 additions and 201 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
.github/workflows/test-run-enos-scenario-matrix.yml vendored
View File

@ -131,8 +131,7 @@ jobs:
caCertificate: ${{ steps.vault-auth.outputs.ca_certificate }}
token: ${{ steps.vault-auth.outputs.token }}
secrets: |
kv/data/github/${{ github.repository }}/artifactory token | ARTIFACTORY_TOKEN;
kv/data/github/${{ github.repository }}/artifactory username | ARTIFACTORY_USER;
kv/data/github/${{ github.repository }}/artifactory bearer-token | ARTIFACTORY_BEARER_TOKEN;
kv/data/github/${{ github.repository }}/aws access-key-id | AWS_ACCESS_KEY_ID_CI;
kv/data/github/${{ github.repository }}/aws secret-access-key | AWS_SECRET_ACCESS_KEY_CI;
kv/data/github/${{ github.repository }}/aws role-arn | AWS_ROLE_ARN_CI;
@ -146,8 +145,7 @@ jobs:
run: |
if [[ "${{ needs.metadata.outputs.is-enterprise }}" != 'true' ]]; then
{
echo "artifactory-user=${{ secrets.ARTIFACTORY_USER }}"
echo "artifactory-token=${{ secrets.ARTIFACTORY_TOKEN }}"
echo "artifactory-token=${{ secrets.ARTIFACTORY_BEARER_TOKEN }}"
echo "aws-access-key-id=${{ secrets.AWS_ACCESS_KEY_ID_CI }}"
echo "aws-secret-access-key=${{ secrets.AWS_SECRET_ACCESS_KEY_CI }}"
echo "aws-role-arn=${{ secrets.AWS_ROLE_ARN_CI }}"
@ -162,8 +160,7 @@ jobs:
} | tee -a "$GITHUB_OUTPUT"
else
{
echo "artifactory-user=${{ steps.vault-secrets.outputs.ARTIFACTORY_USER }}"
echo "artifactory-token=${{ steps.vault-secrets.outputs.ARTIFACTORY_TOKEN }}"
echo "artifactory-token=${{ steps.vault-secrets.outputs.ARTIFACTORY_BEARER_TOKEN }}"
echo "aws-access-key-id=${{ steps.vault-secrets.outputs.AWS_ACCESS_KEY_ID_CI }}"
echo "aws-secret-access-key=${{ steps.vault-secrets.outputs.AWS_SECRET_ACCESS_KEY_CI }}"
echo "aws-role-arn=${{ steps.vault-secrets.outputs.AWS_ROLE_ARN_CI }}"
@ -183,7 +180,6 @@ jobs:
{
echo "GITHUB_TOKEN=${{ steps.secrets.outputs.github-token }}"
echo "ENOS_DEBUG_DATA_ROOT_DIR=/tmp/enos-debug-data"
echo "ENOS_VAR_artifactory_username=${{ steps.secrets.outputs.artifactory-user }}"
echo "ENOS_VAR_artifactory_token=${{ steps.secrets.outputs.artifactory-token }}"
echo "ENOS_VAR_aws_region=${{ matrix.attributes.aws_region }}"
echo "ENOS_VAR_aws_ssh_keypair_name=${{ inputs.ssh-key-name }}"

1
enos/README.md
View File

@ -184,7 +184,6 @@ unzipped Vault binary at the `vault_local_binary_path`.
## `artifact_source:artifactory`
This variant is for running the Enos scenario to test an artifact from Artifactory. It requires following Enos variables to be set:
* `artifactory_username`
* `artifactory_token`
* `aws_ssh_keypair_name`
* `aws_ssh_private_key_path`

9
enos/enos-dev-scenario-pr-replication.hcl
View File

@ -113,12 +113,10 @@ scenario "dev_pr_replication" {
artifactory_repo:
The artifactory host to search. It's very unlikely that you'll want to change this. The
default value is where CRT will publish packages.
artifactory_username:
The artifactory username associated with your token. You'll need this if you wish to use
deb or rpm artifacts! You can request access via Okta.
artifactory_token:
The artifactory token associated with your username. You'll need this if you wish to use
deb or rpm artifacts! You can create a token by logging into Artifactory via Okta.
The artifactory identity token to use for authentication. You'll need this if you wish
to use deb or rpm artifacts! You can get a token by joining the 'artifactory-users' Doormat
group and using 'doormat artifactory create-token'.
dev_build_local_ui:
If you are not testing any changes in the UI, set to false. This will save time by not
building the entire UI. If you need to test the UI, set to true.
@ -151,7 +149,6 @@ scenario "dev_pr_replication" {
// required.
artifactory_host = local.use_artifactory ? var.artifactory_host : null
artifactory_repo = local.use_artifactory ? var.artifactory_repo : null
artifactory_username = local.use_artifactory ? var.artifactory_username : null
artifactory_token = local.use_artifactory ? var.artifactory_token : null
distro = matrix.distro
}

9
enos/enos-dev-scenario-single-cluster.hcl
View File

@ -107,12 +107,10 @@ scenario "dev_single_cluster" {
artifactory_repo:
The artifactory host to search. It's very unlikely that you'll want to change this. The
default value is where CRT will publish packages.
artifactory_username:
The artifactory username associated with your token. You'll need this if you wish to use
deb or rpm artifacts! You can request access via Okta.
artifactory_token:
The artifactory token associated with your username. You'll need this if you wish to use
deb or rpm artifacts! You can create a token by logging into Artifactory via Okta.
The artifactory identity token to use for authentication. You'll need this if you wish
to use deb or rpm artifacts! You can get a token by joining the 'artifactory-users' Doormat
group and using 'doormat artifactory create-token'.
dev_build_local_ui:
If you are not testing any changes in the UI, set to false. This will save time by not
building the entire UI. If you need to test the UI, set to true.
@ -145,7 +143,6 @@ scenario "dev_single_cluster" {
// required.
artifactory_host = local.use_artifactory ? var.artifactory_host : null
artifactory_repo = local.use_artifactory ? var.artifactory_repo : null
artifactory_username = local.use_artifactory ? var.artifactory_username : null
artifactory_token = local.use_artifactory ? var.artifactory_token : null
distro = matrix.distro
distro_version = global.distro_version[matrix.distro]

2
enos/enos-scenario-agent.hcl
View File

@ -27,7 +27,6 @@ scenario "agent" {
https://eng-handbook.hashicorp.services/internal-tools/enos/troubleshooting/#execution-error-expected-vs-got-for-vault-versioneditionrevisionbuild-date.
Variables required for some scenario variants:
- artifactory_username (if using `artifact_source:artifactory` in your filter)
- artifactory_token (if using `artifact_source:artifactory` in your filter)
- aws_region (if different from the default value in enos-variables.hcl)
- consul_license_path (if using an ENT edition of Consul)
@ -108,7 +107,6 @@ scenario "agent" {
goos = "linux"
artifactory_host = matrix.artifact_source == "artifactory" ? var.artifactory_host : null
artifactory_repo = matrix.artifact_source == "artifactory" ? var.artifactory_repo : null
artifactory_username = matrix.artifact_source == "artifactory" ? var.artifactory_username : null
artifactory_token = matrix.artifact_source == "artifactory" ? var.artifactory_token : null
arch = matrix.artifact_source == "artifactory" ? matrix.arch : null
product_version = var.vault_product_version

2
enos/enos-scenario-autopilot.hcl
View File

@ -29,7 +29,6 @@ scenario "autopilot" {
https://eng-handbook.hashicorp.services/internal-tools/enos/troubleshooting/#execution-error-expected-vs-got-for-vault-versioneditionrevisionbuild-date.
Variables required for some scenario variants:
- artifactory_username (if using `artifact_source:artifactory` in your filter)
- artifactory_token (if using `artifact_source:artifactory` in your filter)
- aws_region (if different from the default value defined in enos-variables.hcl)
- consul_license_path (if using an ENT edition of Consul)
@ -118,7 +117,6 @@ scenario "autopilot" {
goos = "linux"
artifactory_host = matrix.artifact_source == "artifactory" ? var.artifactory_host : null
artifactory_repo = matrix.artifact_source == "artifactory" ? var.artifactory_repo : null
artifactory_username = matrix.artifact_source == "artifactory" ? var.artifactory_username : null
artifactory_token = matrix.artifact_source == "artifactory" ? var.artifactory_token : null
arch = matrix.artifact_source == "artifactory" ? matrix.arch : null
product_version = var.vault_product_version

1
enos/enos-scenario-benchmark.hcl
View File

@ -134,7 +134,6 @@ scenario "benchmark" {
goos = "linux"
artifactory_host = matrix.artifact_source == "artifactory" ? var.artifactory_host : null
artifactory_repo = matrix.artifact_source == "artifactory" ? var.artifactory_repo : null
artifactory_username = matrix.artifact_source == "artifactory" ? var.artifactory_username : null
artifactory_token = matrix.artifact_source == "artifactory" ? var.artifactory_token : null
arch = matrix.artifact_source == "artifactory" ? matrix.arch : null
product_version = var.vault_product_version

2
enos/enos-scenario-dr-replication.hcl
View File

@ -32,7 +32,6 @@ scenario "dr_replication" {
https://eng-handbook.hashicorp.services/internal-tools/enos/troubleshooting/#execution-error-expected-vs-got-for-vault-versioneditionrevisionbuild-date.
Variables required for some scenario variants:
- artifactory_username (if using `artifact_source:artifactory` in your filter)
- artifactory_token (if using `artifact_source:artifactory` in your filter)
- aws_region (if different from the default value in enos-variables.hcl)
- consul_license_path (if using an ENT edition of Consul)
@ -131,7 +130,6 @@ scenario "dr_replication" {
goos = "linux"
artifactory_host = matrix.artifact_source == "artifactory" ? var.artifactory_host : null
artifactory_repo = matrix.artifact_source == "artifactory" ? var.artifactory_repo : null
artifactory_username = matrix.artifact_source == "artifactory" ? var.artifactory_username : null
artifactory_token = matrix.artifact_source == "artifactory" ? var.artifactory_token : null
arch = matrix.artifact_source == "artifactory" ? matrix.arch : null
product_version = var.vault_product_version

2
enos/enos-scenario-pr-replication.hcl
View File

@ -32,7 +32,6 @@ scenario "pr_replication" {
https://eng-handbook.hashicorp.services/internal-tools/enos/troubleshooting/#execution-error-expected-vs-got-for-vault-versioneditionrevisionbuild-date.
Variables required for some scenario variants:
- artifactory_username (if using `artifact_source:artifactory` in your filter)
- artifactory_token (if using `artifact_source:artifactory` in your filter)
- aws_region (if different from the default value in enos-variables.hcl)
- consul_license_path (if using an ENT edition of Consul)
@ -131,7 +130,6 @@ scenario "pr_replication" {
goos = "linux"
artifactory_host = matrix.artifact_source == "artifactory" ? var.artifactory_host : null
artifactory_repo = matrix.artifact_source == "artifactory" ? var.artifactory_repo : null
artifactory_username = matrix.artifact_source == "artifactory" ? var.artifactory_username : null
artifactory_token = matrix.artifact_source == "artifactory" ? var.artifactory_token : null
arch = matrix.artifact_source == "artifactory" ? matrix.arch : null
product_version = var.vault_product_version

2
enos/enos-scenario-proxy.hcl
View File

@ -27,7 +27,6 @@ scenario "proxy" {
https://eng-handbook.hashicorp.services/internal-tools/enos/troubleshooting/#execution-error-expected-vs-got-for-vault-versioneditionrevisionbuild-date.
Variables required for some scenario variants:
- artifactory_username (if using `artifact_source:artifactory` in your filter)
- artifactory_token (if using `artifact_source:artifactory` in your filter)
- aws_region (if different from the default value in enos-variables.hcl)
- consul_license_path (if using an ENT edition of Consul)
@ -115,7 +114,6 @@ scenario "proxy" {
goos = "linux"
artifactory_host = matrix.artifact_source == "artifactory" ? var.artifactory_host : null
artifactory_repo = matrix.artifact_source == "artifactory" ? var.artifactory_repo : null
artifactory_username = matrix.artifact_source == "artifactory" ? var.artifactory_username : null
artifactory_token = matrix.artifact_source == "artifactory" ? var.artifactory_token : null
arch = matrix.artifact_source == "artifactory" ? matrix.arch : null
product_version = var.vault_product_version

2
enos/enos-scenario-seal-ha.hcl
View File

@ -30,7 +30,6 @@ scenario "seal_ha" {
https://eng-handbook.hashicorp.services/internal-tools/enos/troubleshooting/#execution-error-expected-vs-got-for-vault-versioneditionrevisionbuild-date.
Variables required for some scenario variants:
- artifactory_username (if using `artifact_source:artifactory` in your filter)
- artifactory_token (if using `artifact_source:artifactory` in your filter)
- aws_region (if different from the default value in enos-variables.hcl)
- consul_license_path (if using an ENT edition of Consul)
@ -129,7 +128,6 @@ scenario "seal_ha" {
goos = "linux"
artifactory_host = matrix.artifact_source == "artifactory" ? var.artifactory_host : null
artifactory_repo = matrix.artifact_source == "artifactory" ? var.artifactory_repo : null
artifactory_username = matrix.artifact_source == "artifactory" ? var.artifactory_username : null
artifactory_token = matrix.artifact_source == "artifactory" ? var.artifactory_token : null
arch = matrix.artifact_source == "artifactory" ? matrix.arch : null
product_version = var.vault_product_version

2
enos/enos-scenario-smoke.hcl
View File

@ -26,7 +26,6 @@ scenario "smoke" {
https://eng-handbook.hashicorp.services/internal-tools/enos/troubleshooting/#execution-error-expected-vs-got-for-vault-versioneditionrevisionbuild-date.
Variables required for some scenario variants:
- artifactory_username (if using `artifact_source:artifactory` in your filter)
- artifactory_token (if using `artifact_source:artifactory` in your filter)
- aws_region (if different from the default value in enos-variables.hcl)
- consul_license_path (if using an ENT edition of Consul)
@ -107,7 +106,6 @@ scenario "smoke" {
goos = "linux"
artifactory_host = matrix.artifact_source == "artifactory" ? var.artifactory_host : null
artifactory_repo = matrix.artifact_source == "artifactory" ? var.artifactory_repo : null
artifactory_username = matrix.artifact_source == "artifactory" ? var.artifactory_username : null
artifactory_token = matrix.artifact_source == "artifactory" ? var.artifactory_token : null
arch = matrix.artifact_source == "artifactory" ? matrix.arch : null
product_version = var.vault_product_version

2
enos/enos-scenario-upgrade.hcl
View File

@ -27,7 +27,6 @@ scenario "upgrade" {
https://eng-handbook.hashicorp.services/internal-tools/enos/troubleshooting/#execution-error-expected-vs-got-for-vault-versioneditionrevisionbuild-date.
Variables required for some scenario variants:
- artifactory_username (if using `artifact_source:artifactory` in your filter)
- artifactory_token (if using `artifact_source:artifactory` in your filter)
- aws_region (if different from the default value in enos-variables.hcl)
- consul_license_path (if using an ENT edition of Consul)
@ -117,7 +116,6 @@ scenario "upgrade" {
goos = "linux"
artifactory_host = matrix.artifact_source == "artifactory" ? var.artifactory_host : null
artifactory_repo = matrix.artifact_source == "artifactory" ? var.artifactory_repo : null
artifactory_username = matrix.artifact_source == "artifactory" ? var.artifactory_username : null
artifactory_token = matrix.artifact_source == "artifactory" ? var.artifactory_token : null
arch = matrix.artifact_source == "artifactory" ? matrix.arch : null
product_version = var.vault_product_version

7
enos/enos-variables.hcl
View File

@ -1,13 +1,6 @@
// Copyright (c) HashiCorp, Inc.
// SPDX-License-Identifier: BUSL-1.1
variable "artifactory_username" {
type = string
description = "The username to use when testing an artifact from artifactory"
default = null
sensitive = true
}
variable "artifactory_token" {
type = string
description = "The token to use when authenticating to artifactory"

3
enos/enos.vars.hcl
View File

@ -1,9 +1,6 @@
// Copyright (c) HashiCorp, Inc.
// SPDX-License-Identifier: BUSL-1.1
// artifactory_username is the username to use when testing an artifact stored in artfactory.
// artifactory_username = "yourname@hashicorp.com"
// artifactory_token is the token to use when authenticating to artifactory.
// artifactory_token = "yourtoken"

9
enos/modules/build_artifactory_artifact/main.tf
View File

@ -10,12 +10,6 @@ terraform {
}
}
variable "artifactory_username" {
type = string
description = "The username to use when connecting to artifactory"
default = null
}
variable "artifactory_token" {
type = string
description = "The token to use when connecting to artifactory"
@ -58,7 +52,6 @@ module "artifact_metadata" {
}
data "enos_artifactory_item" "vault" {
username = var.artifactory_username
token = var.artifactory_token
name = module.artifact_metadata.artifact_name
host = var.artifactory_host
@ -95,7 +88,7 @@ output "vault_artifactory_release" {
value = {
url = data.enos_artifactory_item.vault.results[0].url
sha256 = data.enos_artifactory_item.vault.results[0].sha256
username = var.artifactory_username
token = var.artifactory_token
username = null # username is not an optional value yet
}
}

9
enos/modules/build_artifactory_package/main.tf
View File

@ -5,6 +5,7 @@ terraform {
required_providers {
enos = {
source = "registry.terraform.io/hashicorp-forge/enos"
version = ">= 0.6.1"
}
}
}
@ -14,11 +15,6 @@ variable "arch" {
description = "The architecture for the desired artifact"
}
variable "artifactory_username" {
type = string
description = "The username to use when connecting to Artifactory"
}
variable "artifactory_token" {
type = string
description = "The token to use when connecting to Artifactory"
@ -73,7 +69,6 @@ module "artifact_metadata" {
}
data "enos_artifactory_item" "vault" {
username = var.artifactory_username
token = var.artifactory_token
name = module.artifact_metadata.artifact_name
host = var.artifactory_host
@ -109,7 +104,7 @@ output "release" {
value = {
url = data.enos_artifactory_item.vault.results[0].url
sha256 = data.enos_artifactory_item.vault.results[0].sha256
username = var.artifactory_username
token = var.artifactory_token
username = null # username is not optional yet
}
}

1
enos/modules/build_crt/main.tf
View File

@ -24,7 +24,6 @@ variable "goos" {
variable "artifactory_host" { default = null }
variable "artifactory_repo" { default = null }
variable "artifactory_username" { default = null }
variable "artifactory_token" { default = null }
variable "arch" { default = null }
variable "artifact_path" { default = null }

1
enos/modules/build_local/main.tf
View File

@ -38,7 +38,6 @@ variable "goos" {
variable "artifactory_host" { default = null }
variable "artifactory_repo" { default = null }
variable "artifactory_username" { default = null }
variable "artifactory_token" { default = null }
variable "arch" { default = null }
variable "artifact_type" { default = null }