mirror of
https://github.com/hashicorp/vault.git
synced 2025-12-25 03:11:40 +01:00
c8e6169d5d
* VAULT-31402: Add verification for all container images Add verification for all container images that are generated as part of the build. Before this change we only ever tested a limited subset of "default" containers based on Alpine Linux that we publish via the Docker hub and AWS ECR. Now we support testing all Alpine and UBI based container images. We also verify the repository and tag information embedded in each by deploying them and verifying the repo and tag metadata match our expectations. This does change the k8s scenario interface quite a bit. We now take in an archive image and set image/repo/tag information based on the scenario variants. To enable this I also needed to add `tar` to the UBI base image. It was already available in the Alpine image and is used to copy utilities to the image when deploying and configuring the cluster via Enos. Since some images contain multiple tags we also add samples for each image and randomly select which variant to test on a given PR. Signed-off-by: Ryan Cragun <me@ryan.ec>
268 lines
8.9 KiB
YAML
268 lines
8.9 KiB
YAML
name: ce
|
|
|
|
# The inputs and outputs for this workflow have been carefully defined as a sort of workflow
|
|
# interface as defined in the build.yml workflow. The inputs and outputs here must be consistent
|
|
# across the build-artifacts-ce workflow and the build-artifacts-ent workflow.
|
|
|
|
on:
|
|
workflow_dispatch:
|
|
inputs:
|
|
build-all:
|
|
type: boolean
|
|
description: Build all extended artifacts
|
|
default: false
|
|
build-date:
|
|
type: string
|
|
description: The date associated with the revision SHA
|
|
required: true
|
|
checkout-ref:
|
|
type: string
|
|
description: The repo Git SHA to checkout
|
|
default: ""
|
|
compute-build:
|
|
type: string # JSON encoded to support passing arrays
|
|
description: A JSON encoded "runs-on" for build worfkflows
|
|
required: true
|
|
compute-build-compat:
|
|
type: string # JSON encoded to support passing arrays
|
|
description: A JSON encoded "runs-on" for build workflows that need older glibc
|
|
required: true
|
|
compute-small:
|
|
type: string # JSON encoded to support passing arrays
|
|
description: A JSON encoded "runs-on" for non-resource-intensive workflows
|
|
required: true
|
|
vault-revision:
|
|
type: string
|
|
description: The revision SHA of vault
|
|
required: true
|
|
vault-version:
|
|
type: string
|
|
description: The version of vault
|
|
required: true
|
|
vault-version-package:
|
|
type: string
|
|
description: Whether or not to package the binary as Debian and RPM packages
|
|
required: true
|
|
web-ui-cache-key:
|
|
type: string
|
|
description: The UI asset cache key
|
|
required: true
|
|
workflow_call:
|
|
inputs:
|
|
build-all:
|
|
type: boolean
|
|
default: false
|
|
build-date:
|
|
type: string
|
|
required: true
|
|
checkout-ref:
|
|
type: string
|
|
default: ""
|
|
compute-build:
|
|
type: string # JSON encoded to support passing arrays
|
|
description: A JSON encoded "runs-on" for build worfkflows
|
|
required: true
|
|
compute-build-compat:
|
|
type: string # JSON encoded to support passing arrays
|
|
description: A JSON encoded "runs-on" for build workflows that need older glibc
|
|
required: true
|
|
compute-small:
|
|
type: string # JSON encoded to support passing arrays
|
|
description: A JSON encoded "runs-on" for non-resource-intensive workflows
|
|
required: true
|
|
vault-revision:
|
|
type: string
|
|
required: true
|
|
vault-version:
|
|
type: string
|
|
required: true
|
|
vault-version-package:
|
|
type: string
|
|
required: true
|
|
web-ui-cache-key:
|
|
type: string
|
|
required: true
|
|
outputs:
|
|
testable-containers:
|
|
value: ${{ jobs.core.outputs.testable-containers }}
|
|
testable-packages:
|
|
value: ${{ jobs.core.outputs.testable-packages }}
|
|
|
|
jobs:
|
|
# Core are the Linux builds that are officially supported and tested as part of the normal
|
|
# CI/CD pipeline.
|
|
core:
|
|
strategy:
|
|
matrix:
|
|
include:
|
|
- goos: linux
|
|
goarch: amd64
|
|
redhat: true
|
|
- goos: linux
|
|
goarch: arm64
|
|
redhat: true
|
|
fail-fast: true
|
|
runs-on: ${{ fromJSON(inputs.compute-build) }}
|
|
name: (${{ matrix.goos }}, ${{ matrix.goarch }})
|
|
steps:
|
|
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
|
with:
|
|
ref: ${{ inputs.checkout-ref }}
|
|
- uses: ./.github/actions/build-vault
|
|
with:
|
|
cgo-enabled: 0
|
|
create-docker-container: true
|
|
create-packages: true
|
|
create-redhat-container: ${{ matrix.redhat }}
|
|
github-token: ${{ secrets.ELEVATED_GITHUB_TOKEN }}
|
|
goarch: ${{ matrix.goarch }}
|
|
goos: ${{ matrix.goos }}
|
|
go-tags: ui
|
|
vault-binary-name: vault
|
|
vault-edition: ce
|
|
vault-version: ${{ inputs.vault-version }}
|
|
web-ui-cache-key: ${{ inputs.web-ui-cache-key }}
|
|
outputs:
|
|
# Outputs are strings so we need to encode our collection outputs as JSON.
|
|
testable-containers: |
|
|
[
|
|
{
|
|
"sample": "ce_default_linux_amd64_ent_docker",
|
|
"artifact": "${{ github.event.repository.name }}_default_linux_amd64_${{ inputs.vault-version }}_${{ inputs.vault-revision }}.docker.tar",
|
|
"edition": "ce"
|
|
},
|
|
{
|
|
"sample": "ce_default_linux_arm64_ce_docker",
|
|
"artifact": "${{ github.event.repository.name }}_default_linux_arm64_${{ inputs.vault-version }}_${{ inputs.vault-revision }}.docker.tar",
|
|
"edition": "ce"
|
|
},
|
|
{
|
|
"sample": "ce_ubi_linux_amd64_ce_redhat",
|
|
"artifact": "${{ github.event.repository.name}}_ubi_linux_amd64_${{ inputs.vault-version}}_${{ inputs.vault-revision }}.docker.redhat.tar",
|
|
"edition": "ce"
|
|
},
|
|
{
|
|
"sample": "ce_ubi_linux_arm64_ce_redhat",
|
|
"artifact": "${{ github.event.repository.name}}_ubi_linux_arm64_${{ inputs.vault-version}}_${{ inputs.vault-revision }}.docker.redhat.tar",
|
|
"edition": "ce"
|
|
}
|
|
]
|
|
testable-packages: |
|
|
[
|
|
{ "sample": "build_ce_linux_amd64_deb",
|
|
"artifact": "vault_${{ inputs.vault-version-package }}-1_amd64.deb",
|
|
"edition": "ce"
|
|
},
|
|
{ "sample": "build_ce_linux_arm64_deb",
|
|
"artifact": "vault_${{ inputs.vault-version-package }}-1_arm64.deb",
|
|
"edition": "ce"
|
|
},
|
|
{ "sample": "build_ce_linux_amd64_rpm",
|
|
"artifact": "vault-${{ inputs.vault-version-package }}-1.x86_64.rpm",
|
|
"edition": "ce"
|
|
},
|
|
{ "sample": "build_ce_linux_arm64_rpm",
|
|
"artifact": "vault-${{ inputs.vault-version-package }}-1.aarch64.rpm",
|
|
"edition": "ce"
|
|
},
|
|
{ "sample": "build_ce_linux_amd64_zip",
|
|
"artifact": "vault_${{ inputs.vault-version }}_linux_amd64.zip",
|
|
"edition": "ce"
|
|
},
|
|
{ "sample": "build_ce_linux_arm64_zip",
|
|
"artifact": "vault_${{ inputs.vault-version }}_linux_arm64.zip",
|
|
"edition": "ce"
|
|
}
|
|
]
|
|
|
|
# Extended build targets are best-case builds for non-Linux platforms that we create for
|
|
# convenience but are not built or tested as part our normal CI pipeline.
|
|
extended:
|
|
if: inputs.build-all == true
|
|
strategy:
|
|
matrix:
|
|
docker:
|
|
- false
|
|
packages:
|
|
- false
|
|
goos:
|
|
- freebsd
|
|
- netbsd
|
|
- openbsd
|
|
- solaris
|
|
- windows
|
|
goarch:
|
|
- 386
|
|
- amd64
|
|
- arm
|
|
exclude:
|
|
- goos: solaris
|
|
goarch: 386
|
|
- goos: solaris
|
|
goarch: arm
|
|
- goos: windows
|
|
goarch: arm
|
|
include:
|
|
- goos: darwin
|
|
goarch: amd64
|
|
go-tags: ui netcgo
|
|
docker: false
|
|
packages: false
|
|
- goos: darwin
|
|
goarch: arm64
|
|
go-tags: ui netcgo
|
|
docker: false
|
|
packages: false
|
|
- goos: linux
|
|
goarch: 386
|
|
docker: true
|
|
packages: true
|
|
- goos: linux
|
|
docker: true
|
|
goarch: arm
|
|
goarm: 6
|
|
packages: true
|
|
fail-fast: true
|
|
name: (${{ matrix.goos }}, ${{ matrix.goarch }}${{ matrix.goarm && ' ' || '' }}${{ matrix.goarm }})
|
|
runs-on: ${{ fromJSON(inputs.compute-build) }}
|
|
steps:
|
|
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
|
with:
|
|
ref: ${{ inputs.checkout-ref }}
|
|
- uses: ./.github/actions/build-vault
|
|
with:
|
|
github-token: ${{ secrets.ELEVATED_GITHUB_TOKEN }}
|
|
create-docker-container: ${{ matrix.docker }}
|
|
create-packages: ${{ matrix.packages }}
|
|
create-redhat-container: false
|
|
goarch: ${{ matrix.goarch }}
|
|
goos: ${{ matrix.goos }}
|
|
goarm: ${{ matrix.goarm }}
|
|
go-tags: ${{ matrix.go-tags != '' && matrix.go-tags || 'ui' }}
|
|
vault-binary-name: vault
|
|
vault-edition: ce
|
|
vault-version: ${{ inputs.vault-version }}
|
|
web-ui-cache-key: ${{ inputs.web-ui-cache-key }}
|
|
|
|
status:
|
|
if: always()
|
|
runs-on: ${{ fromJSON(inputs.compute-small) }}
|
|
permissions:
|
|
id-token: write
|
|
contents: read
|
|
needs:
|
|
- core
|
|
- extended
|
|
steps:
|
|
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
|
with:
|
|
ref: ${{ inputs.checkout-ref }}
|
|
- name: Determine status
|
|
run: |
|
|
results=$(tr -d '\n' <<< '${{ toJSON(needs.*.result) }}')
|
|
if ! grep -q -v -E '(failure|cancelled)' <<< "$results"; then
|
|
echo "One or more required build workflows failed: ${results}"
|
|
exit 1
|
|
fi
|
|
exit 0
|