mirror of
https://github.com/hashicorp/vault.git
synced 2025-09-19 04:41:09 +02:00
ce5885279b
As the Vault pipeline and release processes evolve over time, so too must the tooling that drives them. Historically we've utilized a combination of CI features and shell scripts that are wrapped into make targets to drive our CI. While this approach has worked, it requires careful consideration of what features to use (bash in CI almost never matches bash in developer machines, etc.) and often requires a deep understanding of several CLI tools (jq, etc). `make` itself also has limitations in user experience, e.g. passing flags. As we're all in on Github Actions as our pipeline coordinator, continuing to utilize and build CLI tools to perform our pipeline tasks makes sense. This PR adds a new CLI tool called `pipeline` which we can use to build new isolated tasks that we can string together in Github Actions. We intend to use this utility as the interface for future release automation work, see VAULT-27514. For the first task in this new `pipeline` tool, I've chosen to build two small sub-commands: * `pipeline releases list-versions` - Allows us to list Vault versions between a range. The range is configurable either by setting `--upper` and/or `--lower` bounds, or by using the `--nminus` to set the N-X to go back from the current branches version. As CE and ENT do not have version parity we also consider the `--edition`, as well as none-to-many `--skip` flags to exclude specific versions. * `pipeline generate enos-dynamic-config` - Which creates dynamic enos configuration based on the branch and the current list of release versions. It takes largely the same flags as the `release list-versions` command, however it also expects a `--dir` for the enos directory and a `--file` where the dynamic configuration will be written. This allows us to dynamically update and feed the latest versions into our sampling algorithm to get coverage over all supported prior versions. We then integrate these new tools into the pipeline itself and cache the dynamic config on a weekly basis. We also cache the pipeline tool itself as it will likely become a repository for pipeline specific tooling. The caching strategy for the `pipeline` tool itself will make most workflows that require it super fast. Signed-off-by: Ryan Cragun <me@ryan.ec>
162 lines
4.8 KiB
HCL
162 lines
4.8 KiB
HCL
// Copyright (c) HashiCorp, Inc.
|
|
// SPDX-License-Identifier: BUSL-1.1
|
|
|
|
globals {
|
|
archs = ["amd64", "arm64"]
|
|
artifact_sources = ["local", "crt", "artifactory"]
|
|
artifact_types = ["bundle", "package"]
|
|
backends = ["consul", "raft"]
|
|
backend_license_path = abspath(var.backend_license_path != null ? var.backend_license_path : joinpath(path.root, "./support/consul.hclic"))
|
|
backend_tag_key = "VaultStorage"
|
|
build_tags = {
|
|
"ce" = ["ui"]
|
|
"ent" = ["ui", "enterprise", "ent"]
|
|
"ent.fips1402" = ["ui", "enterprise", "cgo", "hsm", "fips", "fips_140_2", "ent.fips1402"]
|
|
"ent.hsm" = ["ui", "enterprise", "cgo", "hsm", "venthsm"]
|
|
"ent.hsm.fips1402" = ["ui", "enterprise", "cgo", "hsm", "fips", "fips_140_2", "ent.hsm.fips1402"]
|
|
}
|
|
config_modes = ["env", "file"]
|
|
consul_editions = ["ce", "ent"]
|
|
consul_versions = ["1.14.11", "1.15.7", "1.16.3", "1.17.0"]
|
|
distros = ["amzn", "leap", "rhel", "sles", "ubuntu"]
|
|
// Different distros may require different packages, or use different aliases for the same package
|
|
distro_packages = {
|
|
amzn = {
|
|
"2" = ["nc"]
|
|
"2023" = ["nc"]
|
|
}
|
|
leap = {
|
|
"15.6" = ["netcat", "openssl"]
|
|
}
|
|
rhel = {
|
|
"8.10" = ["nc"]
|
|
"9.4" = ["nc"]
|
|
}
|
|
sles = {
|
|
// When installing Vault RPM packages on a SLES AMI, the openssl package provided
|
|
// isn't named "openssl, which rpm doesn't know how to handle. Therefore we add the
|
|
// "correctly" named one in our package installation before installing Vault.
|
|
"15.6" = ["netcat-openbsd", "openssl"]
|
|
}
|
|
ubuntu = {
|
|
"20.04" = ["netcat"]
|
|
"22.04" = ["netcat"]
|
|
"24.04" = ["netcat-openbsd"]
|
|
}
|
|
}
|
|
distro_version = {
|
|
amzn = var.distro_version_amzn
|
|
leap = var.distro_version_leap
|
|
rhel = var.distro_version_rhel
|
|
sles = var.distro_version_sles
|
|
ubuntu = var.distro_version_ubuntu
|
|
}
|
|
editions = ["ce", "ent", "ent.fips1402", "ent.hsm", "ent.hsm.fips1402"]
|
|
enterprise_editions = [for e in global.editions : e if e != "ce"]
|
|
ip_versions = ["4", "6"]
|
|
package_manager = {
|
|
"amzn" = "yum"
|
|
"leap" = "zypper"
|
|
"rhel" = "yum"
|
|
"sles" = "zypper"
|
|
"ubuntu" = "apt"
|
|
}
|
|
packages = ["jq"]
|
|
// Ports that we'll open up for ingress in the security group for all target machines.
|
|
// Port protocol maps to the IpProtocol schema: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_IpPermission.html
|
|
ports = {
|
|
ssh : {
|
|
description = "SSH"
|
|
port = 22
|
|
protocol = "tcp"
|
|
},
|
|
vault_agent : {
|
|
description = "Vault Agent"
|
|
port = 8100
|
|
protocol = "tcp"
|
|
},
|
|
vault_proxy : {
|
|
description = "Vault Proxy"
|
|
port = 8101
|
|
protocol = "tcp"
|
|
},
|
|
vault_listener : {
|
|
description = "Vault Addr listener"
|
|
port = 8200
|
|
protocol = "tcp"
|
|
},
|
|
vault_cluster : {
|
|
description = "Vault Cluster listener"
|
|
port = 8201
|
|
protocol = "tcp"
|
|
},
|
|
consul_rpc : {
|
|
description = "Consul internal communication"
|
|
port = 8300
|
|
protocol = "tcp"
|
|
},
|
|
consul_serf_lan_tcp : {
|
|
description = "Consul Serf LAN TCP"
|
|
port = 8301
|
|
protocol = "tcp"
|
|
},
|
|
consul_serf_lan_udp : {
|
|
description = "Consul Serf LAN UDP"
|
|
port = 8301
|
|
protocol = "udp"
|
|
},
|
|
consul_serf_wan_tcp : {
|
|
description = "Consul Serf WAN TCP"
|
|
port = 8302
|
|
protocol = "tcp"
|
|
},
|
|
consul_serf_wan_udp : {
|
|
description = "Consul Serf WAN UDP"
|
|
port = 8302
|
|
protocol = "udp"
|
|
},
|
|
consul_http : {
|
|
description = "Consul HTTP API"
|
|
port = 8500
|
|
protocol = "tcp"
|
|
},
|
|
consul_https : {
|
|
description = "Consul HTTPS API"
|
|
port = 8501
|
|
protocol = "tcp"
|
|
},
|
|
consul_grpc : {
|
|
description = "Consul gRPC API"
|
|
port = 8502
|
|
protocol = "tcp"
|
|
},
|
|
consul_grpc_tls : {
|
|
description = "Consul gRPC TLS API"
|
|
port = 8503
|
|
protocol = "tcp"
|
|
},
|
|
consul_dns_tcp : {
|
|
description = "Consul TCP DNS Server"
|
|
port = 8600
|
|
protocol = "tcp"
|
|
},
|
|
consul_dns_udp : {
|
|
description = "Consul UDP DNS Server"
|
|
port = 8600
|
|
protocol = "udp"
|
|
},
|
|
}
|
|
seals = ["awskms", "pkcs11", "shamir"]
|
|
tags = merge({
|
|
"Project Name" : var.project_name
|
|
"Project" : "Enos",
|
|
"Environment" : "ci"
|
|
}, var.tags)
|
|
vault_install_dir = {
|
|
bundle = "/opt/vault/bin"
|
|
package = "/usr/bin"
|
|
}
|
|
vault_license_path = abspath(var.vault_license_path != null ? var.vault_license_path : joinpath(path.root, "./support/vault.hclic"))
|
|
vault_tag_key = "vault-cluster"
|
|
}
|