- Migrate undo logs verification from shell script to Go blackbox test
- Add session_metrics.go and session_remote.go helpers to blackbox SDK
- Create undo_logs_test.go in vault/external_tests/blackbox/verify package
- Update autopilot scenario to use vault_run_blackbox_test module
- Remove deprecated vault_verify_undo_logs module
- Update vault_run_blackbox_test module to support test environment variables
This change improves test maintainability and consistency by using the
standardized blackbox testing framework instead of custom shell scripts.
Co-authored-by: brewgator <12831681+brewgator@users.noreply.github.com>
In prior versions of the Vault container we'd set `ICP_LOCK` on the `vault`
binary at runtime via the entrypoint script. As we now run the Vault
container as an unprivileged user we have to set this capability at build time
as `setcap` cannot be run by unprivileged users.
This change updates the Alpine OCI and UBI container entrypoints
to not attempt to run `setcap` when running as non-root user.
Importantly, these changes introduce a *new requirement* whereby users of the
container must add `IPC_LOCK` capability to the container or pod or the
Vault service will fail to start. As running with locked memory is always our
guidance for Vault the containers now require this. Users that do not wish to grant
the `IPC_LOCK` capability will want to wrap the container unset the capability on
the binary during build time: `setcap cap_ipc_lock=-ep /bin/vault`.
Signed-off-by: Ryan Cragun <me@ryan.ec>
Co-authored-by: Ryan Cragun <me@ryan.ec>
* Add PostgreSQL Blackbox Coverage for DB Connection Management (#13313)
* Add blackbox test for PostgreSQL database config create endpoint
* Moving to postgresql folder
* Adding test case for multi-host PostgreSQL connection
* Adding DSN test case
* Adding Connection verification test
* Get Connection verification test
* Adding test cases for list/delete/reset connections
* Refactoring and adding helper
* Refactoring and adding helper
---------
Co-authored-by: Kajal Kusum <kajal.kusum@ibm.com>
* Move postgres tests to database subdirectory to match modular structure
* go mod
* go mod
* pgx
---------
Co-authored-by: KajalKusum <kajal.kusum@hashicorp.com>
Co-authored-by: Kajal Kusum <kajal.kusum@ibm.com>
Co-authored-by: LT Carbonell <ltcarbonell@pm.me>
* no-op commit
* [Mongo SDK Plugin] (enos): Add MongoDB plugin test framework for Enos (#13576)
* Add modular database infrastructure for Enos testing
Infrastructure Changes:
- Created generic database_container module supporting PostgreSQL, MongoDB, MySQL
- Consolidated database configs in enos-globals.hcl with dynamic port generation
- Refactored set_up_external_integration_target to use generic module with for_each
- Updated enos-scenario-plugin.hcl to pass database_configs from globals
Test Organization:
- Reorganized test structure: moved postgres/ and mongodb/ into database/ directory
- Maintains existing production-ready test helpers
- Structure: plugins/database/{postgres,mongodb}/ for better organization
Benefits:
- Easy to add new databases (just add to database_configs in globals)
- No code duplication across database types
- Consistent patterns for all database testing
- Supports both Docker containers and external database URLs
---------
Co-authored-by: Luis (LT) Carbonell <lt.carbonell@hashicorp.com>
* [VAULT-42245] Add IBM license update to enos upgrade scenario (#12661)
* initial changes
* more changes
* test
* test changes
* Fix test
* try ignoring customer id
* clean up
* more clean up
* lint
* PR comments
* make edition a variable
* lint
* PR comments
* add default for customer id
* fix script and lint
* specify license file
* Apply suggestion from @ryancragun
Co-authored-by: Ryan Cragun <me@ryan.ec>
* always configure ibm license
* Update enos/modules/verify_log_secrets/main.tf
Co-authored-by: Ryan Cragun <me@ryan.ec>
* lint
---------
Co-authored-by: Ryan Cragun <me@ryan.ec>
* lint
---------
Co-authored-by: Jenny Deng <jenny.deng@hashicorp.com>
Co-authored-by: Ryan Cragun <me@ryan.ec>
* [VAULT-43364] pipeline: add template generation support
Add a new `template` to the `pipeline generate` command tree. It allows
rendering Go text templates with pipeline requests available via context
functions. The new system is now product agnostic and can be used to
generate any template we wish. This will supersede the enos specific
configuration command.
We also add support for multiple cadences when fetching the list of
release versions. Previously it was assumed that we followed a minor
version bump cadence when fetching versions with an n-minus style lower
bound. Now we can specify the major or minor cadence. To support a
migration from one cadence to another you can also specify an prior
cadence and the version at which the transition happened. This allows
the n-3 reverse traversal to drop into the prior cadence if/when
necessary.
**Template Rendering System**
- New `pipeline generate template` command renders Go templates with
pipeline data access
- Supports stdin/stdout or file-based input/output
- Templates access version data via function calls rather than
pre-populated context
**Version Cadence Support**
- Added `VersionCadence` type with `minor` and `major` release cadence
tracking
- Supports cadence transitions (e.g., minor→major) with
`TransitionVersion` and `PriorCadence` fields
- Calculates version ranges respecting different release cadences
**Template Functions**
- `VersionsNMinus` / `VersionsBounded` - List versions with explicit
cadence parameter
- `VersionsNMinusTransition` / `VersionsBoundedTransition` - Handle
cadence transitions
- `ParseVersion`, `CompareVersions`, `FilterVersions` - Version
utilities
- All functions require cadence to be explicitly specified
**CLI Integration**
- `--version` and `--edition` flags expose current version/edition to
templates
- Templates reference these via `.Version` and `.Edition` context fields
**Enos Migration**
- Converted `enos-dynamic-config.hcl` to template-based generation
- Uses `VersionsNMinusTransition` to handle Vault's minor→major cadence
shift at 1.21.5
Signed-off-by: Ryan Cragun <me@ryan.ec>
Co-authored-by: Ryan Cragun <me@ryan.ec>
Refactor our connection checking into a new LDAP module that is capable
of running a search and waiting for success. We now call this module
while setting up the integration host and before enabling the LDAP
secrets engine.
We also fix two race conditions in the Agent and HA Seal scenarios where
we might attempt to verify and/or test LDAP before the integration host
has been set up.
Signed-off-by: Ryan Cragun <me@ryan.ec>
Co-authored-by: Ryan Cragun <me@ryan.ec>
Co-authored-by: LT Carbonell <lt.carbonell@hashicorp.com>
* Add LDAP secrets engine blackbox tests
* Format
* format
* cleanup environment
* Install ldap-utils in CI for LDAP domain provisioning
* wrap in eventually
* debugging
* fix ip issues
Co-authored-by: Luis (LT) Carbonell <lt.carbonell@hashicorp.com>
* enos: poll for LDAP server readiness when populating org, groups, and users
The prior implementation had a hard 10 second sleep waiting for the
container to start up. That is not enough time as we see regular
failures in CI:
```
│ Error: exit status 1
│
│ Error: Execution Error
│
│ with module.set_up_external_integration_target.enos_remote_exec.populate_ldap,
│ on ../../modules/set_up_external_integration_target/main.tf line 70, in resource "enos_remote_exec" "populate_ldap":
│ 70: resource "enos_remote_exec" "populate_ldap" {
│
│ failed to execute commands due to: running script:
│ [/home/runner/actions-runner/_work/vault-enterprise/vault-enterprise/enos/modules/set_up_external_integration_target/scripts/populate-ldap.sh]
│ failed, due to: 1 error occurred:
│ * executing script: Process exited with status 255: ldap_sasl_bind(SIMPLE):
│ Can't contact LDAP server (-1)
```
Signed-off-by: Ryan Cragun <me@ryan.ec>
Co-authored-by: Ryan Cragun <me@ryan.ec>
While investigating a failure during another code review[0] I noticed
that we were using key/value pairs when when executing `vault write`.
That was a problem because we ran into a situtation where the password
started with an `@`, which `vault write` infers to be a localtion on
disk[1].
This change updates static-roles.sh fixes that issue as writes are
always written as JSON instead of key/value pairs.
As I was there I choose to improve the script in several ways:
- All Vault command executions now capture both STDOUT and STDERR.
When commands fail, the captured output is included in error.
- Function-local variables are now properly scoped with the `local`
- Some comment changes for clarity (obviously subjective for me)
[0]: https://github.com/hashicorp/vault-enterprise/actions/runs/22748142932/job/65978391382?pr=12001#step:17:159
[1]: https://developer.hashicorp.com/vault/docs/commands/write
Signed-off-by: Ryan Cragun <me@ryan.ec>
Co-authored-by: Ryan Cragun <me@ryan.ec>
* rough draft
* add some stuff for dynamic secrets
* add some more helpers and sample tests
* new helpers, new tests, refactoring
* Add Basic Smoke SDK Scenario (#11678)
* Add simple test for stepdown election
* Add a smoke_sdk scenario
* add script to run tests locally
* fix up a few things
* VAULT-39746 - Add Tests to Smoke SDK and Cloud Scenarios (#11795)
* Add some go verification steps in enos sdk test run script
* formatting
* Add a smoke_sdk scenario userpass secret engine create test (#11808)
* Add a smoke_sdk scenario userpass secret engine create test
* Add the some additional tests
* Add Smoke tests to Cloud Scenario (#11876)
* Add a smoke_sdk scenario userpass secret engine create test
* Add the some additional tests
* Add smoke testing to cloud
* Add test results to output and test filtering
* comment
* fix test
* fix the smoke scenario
* Address some various feedback
* missed cleanup
* remove node count dependency in the tests
* Fix test perms
* Adjust the testing and clean them up a bit
* formatting
* fmt
* fmt2
* more fmt
* formatting
* tryagain
* remove the docker/hcp divide
* use the SHA as ID
* adjust perms
* Add transit test
* skip blackbox testing in test-go
* copywrite
* Apply suggestion from @brewgator
* Add godoc
* grep cleanup
---------
Co-authored-by: Josh Black <raskchanky@gmail.com>
Co-authored-by: Luis (LT) Carbonell <lt.carbonell@hashicorp.com>
* Verify vault can generate dynamic credentials and rotate root password
* Added new line at end of the script file
* Remove extra space in sh script
* Remove extra space in sh script
* Created modular structure and other fixes
* linting issues
* lint issues
* Linting issue in verify-secrets.sh
* Linting issue in verify-secrets.sh
* Linting issues in verify-secrets.sh and verify-rotation.sh
* Linting issues
* Linting issues
* Linting issues
* Reverted the changes made to ldap-configs.sh and ldap-verify-configs
* Fix missing newline at end of ldap-verify-configs
Add a newline at the end of the ldap-verify-configs script.
* test ldap changes
* test ldap changes
* reverted the configuration for testing ldap [ci skip]
* reverted the configuration for testing ldap [ci skip]
* Refactoring
* Update ldap.tf
* Update ldap.tf [ci skip]
* Update ldap.tf
* Adding Password policy in ldap secret engine config
* Root credential rotation workflows
* linting issues
* Update test-run-enos-scenario-matrix.yml to check ldap changes
* Update test-run-enos-scenario-matrix.yml reverted
* conflicts resolved
* changes
* Update test-run-enos-scenario-matrix.yml to test ldap changes
* Update test-run-enos-scenario-matrix.yml reverted
* added functions
* linting issues
* linting issues
* linting issues
* Update test-run-enos-scenario-matrix.yml to tst ldap
* Update test-run-enos-scenario-matrix.yml reverted
* review changes
* Update test-run-enos-scenario-matrix.yml to test ldap
* lint issue
* reverted Update test-run-enos-scenario-matrix.yml
* refactor
* Update test-run-enos-scenario-matrix.yml test ldap
* Update verify-rotation.sh
* Update verify-rotation.sh
* Update test-run-enos-scenario-matrix.yml reverted
---------
Co-authored-by: pranaya092000 <pranaya.p@hashicorp.com>
Co-authored-by: Pranaya <Pranaya.P@ibm.com>
Co-authored-by: Luis (LT) Carbonell <lt.carbonell@hashicorp.com>
* LDAP Check out Check in System test Cases Part-1
* Test run on pipeline
* Test run on pipeline
* Linter error fix
* Fix linter issue
* Linter error fix
* lint issue
* lint issue
* lint issue
* lint issue
* lint issue
* lint issues
* bug fix
* lint fix
* Run test on pipeline
* Remove file enos.vars.hcl from repository
* Revert "Remove file enos.vars.hcl from repository"
This reverts commit bec9bcd5e1d8b07a662756c2385ca90e035fc125.
* Restore enos.vars.hcl to repository
* CI build failure fix
* CI bug fix
* CI bug fix
* CI bug fix
* CI bug fix
* CI bug fix
* Replace string based error detection with exit code
* Changing pipeline run variable to false
---------
Co-authored-by: KajalKusum <kajal.kusum@hashicorp.com>
Co-authored-by: Kajal Kusum <kajal.kusum@ibm.com>
Co-authored-by: Luis (LT) Carbonell <lt.carbonell@hashicorp.com>
* Verify vault can generate dynamic credentials and rotate root password
* Added new line at end of the script file
* Remove extra space in sh script
* Remove extra space in sh script
* Created modular structure and other fixes
* linting issues
* lint issues
* Linting issue in verify-secrets.sh
* Linting issue in verify-secrets.sh
* Linting issues in verify-secrets.sh and verify-rotation.sh
* Linting issues
* Linting issues
* Linting issues
* Reverted the changes made to ldap-configs.sh and ldap-verify-configs
* Fix missing newline at end of ldap-verify-configs
Add a newline at the end of the ldap-verify-configs script.
* test ldap changes
* test ldap changes
* reverted the configuration for testing ldap [ci skip]
* reverted the configuration for testing ldap [ci skip]
* Refactoring
* Update ldap.tf
* Update ldap.tf [ci skip]
* Update ldap.tf
* Adding Password policy in ldap secret engine config
* Update test-run-enos-scenario-matrix.yml with ldap changes
* Reverted Update test-run-enos-scenario-matrix.yml for testing ldap changes
* conflict changes [ci skip]
* Update test-run-enos-scenario-matrix.yml for ldap testing
* Reverted Update test-run-enos-scenario-matrix.yml
* ldap chnged to MOUNT
* Update test-run-enos-scenario-matrix.yml to test ldap changes
* Update test-run-enos-scenario-matrix.yml reverted
* updated review comments
* updated review comments
* Update test-run-enos-scenario-matrix.yml to test ldap
* Update test-run-enos-scenario-matrix.yml reverted
* Update verify-secrets.sh
---------
Co-authored-by: pranaya092000 <pranaya.p@hashicorp.com>
Co-authored-by: Pranaya <Pranaya.P@ibm.com>
Co-authored-by: Luis (LT) Carbonell <lt.carbonell@hashicorp.com>
* Verify vault can generate dynamic credentials and rotate root password
* Added new line at end of the script file
* Remove extra space in sh script
* Remove extra space in sh script
* Created modular structure and other fixes
* linting issues
* lint issues
* Linting issue in verify-secrets.sh
* Linting issue in verify-secrets.sh
* Linting issues in verify-secrets.sh and verify-rotation.sh
* Linting issues
* Linting issues
* Linting issues
* Reverted the changes made to ldap-configs.sh and ldap-verify-configs
* Fix missing newline at end of ldap-verify-configs
Add a newline at the end of the ldap-verify-configs script.
* test ldap changes
* test ldap changes
* reverted the configuration for testing ldap [ci skip]
* reverted the configuration for testing ldap [ci skip]
* Refactoring
* Update ldap.tf
* Update ldap.tf [ci skip]
* Update ldap.tf
* Update test-run-enos-scenario-matrix.yml to test ldap changes
* reverted Update test-run-enos-scenario-matrix.yml to test ldap changes
---------
Co-authored-by: pranaya092000 <pranaya.p@hashicorp.com>
Co-authored-by: Pranaya <Pranaya.P@ibm.com>
* move from yarn to pnpm for package management
* remove lodash.template patch override
* remove .yarn folder
* update GHA to use pnpm
* add @babel/plugin-proposal-decorators
* remove .yarnrc.yml
* add lock file to copywrite ignore
* add @codemirror/view as a dep for its types
* use more strict setting about peerDeps
* address some peerDep issues with ember-power-select and ember-basic-dropdown
* enable TS compilation for the kubernetes engine
* enable TS compilation in kv engine
* ignore workspace file
* use new headless mode in CI
* update enos CI scenarios
* add qs and express resolutions
* run 'pnpm up glob' and 'pnpm up js-yaml' to upgrade those packages
* run 'pnpm up preact' because posthog-js had a vulnerable install. see https://github.com/advisories/GHSA-36hm-qxxp-pg3
* add work around for browser timeout errors in test
* update other references of yarn to pnpm
Co-authored-by: Matthew Irish <39469+meirish@users.noreply.github.com>
Update the base images for all scenarios:
- RHEL: upgrade base image for 10 to 10.1
- RHEL: upgrade base image for 9 to 9.7
- SLES: upgrade base image for 15 to 15.7
- SLES: add SLES 16.0 to the matrix
- OpenSUSE: remove OpenSUSE Leap from the matrix
I ended up removing OpenSUSE because the images that we were on were rarely updated and that resulted in very slow scenarios because of package upgrades. Also, despite the latest release being in October I didn't find any public cloud images produced for the new version of Leap. We can consider adding it back later but I'm comfortable just leaving SLES 15 and 16 in there for that test coverage.
I also ended up fixing a bug in our integration host setup where we'd provision three nodes instead of one. That ought to result in many fewer instance provisions per scenario. I also had to make a few small tweaks in how we detected whether or not SELinux is enabled, as the prior implementation did not work for SLES 16.
Signed-off-by: Ryan Cragun <me@ryan.ec>
Co-authored-by: Ryan Cragun <me@ryan.ec>
Fix an incompatibility where we check out the repository with
checkout@v6 and then attempt to check it out again at checkout@v5 in the
set-product-version action.
* update enos directory to trigger lint
Signed-off-by: Ryan Cragun <me@ryan.ec>
Co-authored-by: Ryan Cragun <me@ryan.ec>
* Add docker based backed
* new line
* Add validation
* Add cloud_docker_vault_cluster
* Unify cloud scenario outputs
* Use min_vault_version consistently across both modules
* random network name for docker
* Add local build for docker
* Use environment instead of backend
* make use of existing modules for docker and k8s
* connect the peers
* formatting
* copyright
* Remove old duplicated code
* use enos local exec
* get version locally
* Dont use local time
* adjust bin path for docker
* use root dockerfile
* get dockerfile to work
* Build docker image from correct binary location
* Fix it... maybe
* Add docker admin token
* whitespace
* formatting and comment cleanup
* formatting
* undo
* Apply suggestion from @ryancragun
* Move build to make
* Default to local
* Revert k8s changes
* Add admint token
* Clean map
* whitespace
* whitespace
* Pull out k8 changes and vault_cluster_raft
* Some cleaning changes
* whitespace
* Naming cleanup
---------
Co-authored-by: Luis (LT) Carbonell <lt.carbonell@hashicorp.com>
Co-authored-by: Ryan Cragun <me@ryan.ec>
* change what performance replication checker script is checking
* fix lint errors
* enable consul backends for ent build samples
* fix up samples
* fix linting
* update release samples
* fix linting again
* output to stderr
Co-authored-by: Josh Black <raskchanky@gmail.com>
* license: update headers to IBM Corp.
* `make proto`
* update offset because source file changed
Signed-off-by: Ryan Cragun <me@ryan.ec>
Co-authored-by: Ryan Cragun <me@ryan.ec>
[VAULT-39160] actions(hcp): add support for testing custom images on HCP (#9345)
Add support for running the `cloud` scenario with a custom image in the
int HCP environment. We support two new tags that trigger new
functionality. If the `hcp/build-image` tag is present on a PR at the
time of `build`, we'll automatically trigger a custom build for the int
environment. If the `hcp/test` tag is present, we'll trigger a custom
build and run the `cloud` scenario with the resulting image.
* Fix a bug in our custom build pattern to handle prerelease versions.
* pipeline(hcp): add `--github-output` support to `show image` and
`wait image` commands.
* enos(hcp/create_vault_cluster): use a unique identifier for HVN
and vault clusters.
* actions(enos-cloud): add workflow to execute the `cloud` enos
scenario.
* actions(build): add support for triggering a custom build and running
the `enos-cloud` scenario.
* add more debug logging and query without a status
* add shim build-hcp-image for CE workflows
Signed-off-by: Ryan Cragun <me@ryan.ec>
Co-authored-by: Ryan Cragun <me@ryan.ec>
* [VAULT-39157] enos(cloud): add basic vault cloud scenario
Add the skeleton of a Vault Cloud scenario whereby we create an HCP
network, Vault Cloud cluster, and admin token.
In subsequent PR's we'll wire up building images, waiting on builds, and
ultimately fully testing the resulting image.
* copywrite: add headers
---------
Signed-off-by: Ryan Cragun <me@ryan.ec>
Co-authored-by: Ryan Cragun <me@ryan.ec>
