vault/enos/enos-qualities.hcl
Ryan Cragun 720e942662
[VAULT-2937] Verify the /sys/version-history in enos scenarios (#27947)
When verifying the Vault version, in addition to verifying the CLI
version we also check that the `/sys/version-history` contains the
expected version.

As part of this we also fix a bug where when doing an in-place upgrade
with a Debian or Redhat package we also remove the self-managed
`vault.service` systemd unit to ensure that it correctly starts up using the
new version of Vault.

Signed-off-by: Ryan Cragun <me@ryan.ec>
2024-08-02 13:26:39 -06:00


// Copyright (c) HashiCorp, Inc.
// SPDX-License-Identifier: BUSL-1.1
quality "consul_api_agent_host_read" {
description = "The /v1/agent/host Consul API returns host info for each node in the cluster"
}
quality "consul_api_health_node_read" {
description = <<-EOF
The /v1/health/node/<node> Consul API returns health info for each node in the cluster
EOF
}
quality "consul_api_operator_raft_config_read" {
description = "The /v1/operator/raft/configuration Consul API returns raft info for the cluster"
}
quality "consul_autojoin_aws" {
description = "The Consul cluster auto-joins with AWS tag discovery"
}
quality "consul_cli_validate" {
description = "The 'consul validate' command validates the Consul configuration"
}
quality "consul_config_file" {
description = "Consul starts when configured with a configuration file"
}
quality "consul_ha_leader_election" {
description = "The Consul cluster elects a leader node on start up"
}
quality "consul_health_state_passing_read_nodes_minimum" {
description = <<-EOF
The Consul cluster meets the minimum number of healthy nodes according to the
/v1/health/state/passing Consul API
EOF
}
quality "consul_operator_raft_configuration_read_voters_minimum" {
description = <<-EOF
The Consul cluster meets the minimum number of raft voters according to the
/v1/operator/raft/configuration Consul API
EOF
}
quality "consul_service_start_client" {
description = "The Consul service starts in client mode"
}
quality "consul_service_start_server" {
description = "The Consul service starts in server mode"
}
quality "consul_service_systemd_notified" {
description = "The Consul binary notifies systemd when the service is active"
}
quality "consul_service_systemd_unit" {
description = "The 'consul.service' systemd unit starts the service"
}
quality "vault_agent_auto_auth_approle" {
description = <<-EOF
Vault running in Agent mode utilizes the approle auth method to do auto-auth via a role and
read secrets from a file source
EOF
}
quality "vault_agent_log_template" {
description = global.description.verify_agent_output
}
quality "vault_api_sys_auth_userpass_user_write" {
description = "The v1/sys/auth/userpass/users/<user> Vault API associates a policy with a user"
}
quality "vault_api_sys_config_read" {
description = <<-EOF
The v1/sys/config/sanitized Vault API returns sanitized configuration which matches our given
configuration
EOF
}
quality "vault_api_sys_ha_status_read" {
description = "The v1/sys/ha-status Vault API returns the HA status of the cluster"
}
quality "vault_api_sys_health_read" {
description = <<-EOF
The v1/sys/health Vault API returns the correct codes depending on the replication and
'seal-status' of the cluster
EOF
}
quality "vault_api_sys_host_info_read" {
description = "The v1/sys/host-info Vault API returns the host info for each node in the cluster"
}
quality "vault_api_sys_leader_read" {
description = "The v1/sys/leader Vault API returns the cluster leader info"
}
quality "vault_api_sys_metrics_vault_core_replication_write_undo_logs_enabled" {
description = <<-EOF
The v1/sys/metrics Vault API returns metrics and verifies that
'Gauges[vault.core.replication.write_undo_logs]' is enabled
EOF
}
quality "vault_api_sys_policy_write" {
description = "The v1/sys/policy Vault API writes a superuser policy"
}
quality "vault_api_sys_quotas_lease_count_read_max_leases_default" {
description = <<-EOF
The v1/sys/quotas/lease-count/default Vault API returns the lease 'count' and 'max_leases' is
set to 300,000
EOF
}
quality "vault_api_sys_replication_performance_primary_enable_write" {
description = <<-EOF
The v1/sys/replication/performance/primary/enable Vault API enables performance replication
EOF
}
quality "vault_api_sys_replication_performance_primary_secondary_token_write" {
description = <<-EOF
The v1/sys/replication/performance/primary/secondary-token Vault API configures the replication
token
EOF
}
quality "vault_api_sys_replication_performance_secondary_enable_write" {
description = <<-EOF
The v1/sys/replication/performance/secondary/enable Vault API enables performance replication
EOF
}
quality "vault_api_sys_replication_performance_read_connection_status_connected" {
description = <<-EOF
The v1/sys/replication/performance/status Vault API returns status info and the
'connection_status' is correct for the given node
EOF
}
quality "vault_api_sys_replication_performance_status_known_primary_cluster_addrs" {
description = <<-EOF
The v1/sys/replication/performance/status Vault API returns the replication status and
'known_primary_cluster_address' is the expected primary cluster leader
EOF
}
quality "vault_api_sys_replication_performance_status_read" {
description = <<-EOF
The v1/sys/replication/performance/status Vault API returns the performance replication status
EOF
}
quality "vault_api_sys_replication_performance_status_read_cluster_address" {
description = <<-EOF
The v1/sys/replication/performance/status Vault API returns the performance replication status
and the '{primaries,secondaries}[*].cluster_address' is correct for the given node
EOF
}
quality "vault_api_sys_replication_performance_status_read_state_not_idle" {
description = <<-EOF
The v1/sys/replication/performance/status Vault API returns the performance replication status
and the state is not idle
EOF
}
quality "vault_api_sys_replication_status_read" {
description = <<-EOF
The v1/sys/replication/status Vault API returns the performance replication status of the
cluster
EOF
}
quality "vault_api_sys_seal_status_api_read_matches_sys_health" {
description = <<-EOF
The v1/sys/seal-status Vault API and v1/sys/health Vault API agree on the health of each node
and the cluster
EOF
}
quality "vault_api_sys_sealwrap_rewrap_read_entries_processed_eq_entries_succeeded_post_rewrap" {
description = global.description.verify_seal_rewrap_entries_processed_eq_entries_succeeded_post_rewrap
}
quality "vault_api_sys_sealwrap_rewrap_read_entries_processed_gt_zero_post_rewrap" {
description = global.description.verify_seal_rewrap_entries_processed_is_gt_zero_post_rewrap
}
quality "vault_api_sys_sealwrap_rewrap_read_is_running_false_post_rewrap" {
description = global.description.verify_seal_rewrap_is_running_false_post_rewrap
}
quality "vault_api_sys_sealwrap_rewrap_read_no_entries_fail_during_rewrap" {
description = global.description.verify_seal_rewrap_no_entries_fail_during_rewrap
}
quality "vault_api_sys_step_down_steps_down" {
description = <<-EOF
The v1/sys/step-down Vault API forces the cluster leader to step down and initiates a new leader
election
EOF
}
quality "vault_api_sys_storage_raft_autopilot_configuration_read" {
description = <<-EOF
The v1/sys/storage/raft/autopilot/configuration Vault API returns the autopilot configuration of
the cluster
EOF
}
quality "vault_api_sys_storage_raft_autopilot_state_read" {
description = <<-EOF
The v1/sys/storage/raft/autopilot/state Vault API returns the raft autopilot state of the
cluster
EOF
}
quality "vault_api_sys_storage_raft_autopilot_upgrade_info_read_status_matches" {
description = <<-EOF
The v1/sys/storage/raft/autopilot/state Vault API returns the raft autopilot state and the
'upgrade_info.status' matches our expected state
EOF
}
quality "vault_api_sys_storage_raft_autopilot_upgrade_info_target_version_read_matches_candidate" {
description = <<-EOF
The v1/sys/storage/raft/autopilot/state Vault API returns the raft autopilot state and the
'upgrade_info.target_version' matches the candidate version
EOF
}
quality "vault_api_sys_storage_raft_configuration_read" {
description = <<-EOF
The v1/sys/storage/raft/configuration Vault API returns the raft configuration of the cluster
EOF
}
quality "vault_api_sys_storage_raft_remove_peer_write_removes_peer" {
description = <<-EOF
The v1/sys/storage/raft/remove-peer Vault API removes the desired node from the raft sub-system
EOF
}
quality "vault_api_sys_version_history_keys" {
description = <<-EOF
The v1/sys/version-history Vault API returns the cluster version history and the 'keys' data
includes our target version
EOF
}
quality "vault_api_sys_version_history_key_info" {
description = <<-EOF
The v1/sys/version-history Vault API returns the cluster version history and the
'key_info["$expected_version"]' data is present for the expected version and the 'build_date'
matches the expected build_date.
EOF
}
quality "vault_artifact_bundle" {
description = "The candidate binary packaged as a zip bundle is used for testing"
}
quality "vault_artifact_deb" {
description = "The candidate binary packaged as a deb package is used for testing"
}
quality "vault_artifact_rpm" {
description = "The candidate binary packaged as an rpm package is used for testing"
}
quality "vault_audit_log" {
description = "The Vault audit sub-system is enabled with the log and writes to a log"
}
quality "vault_audit_socket" {
description = "The Vault audit sub-system is enabled with the socket and writes to a socket"
}
quality "vault_audit_syslog" {
description = "The Vault audit sub-system is enabled with the syslog and writes to syslog"
}
quality "vault_auto_unseals_after_autopilot_upgrade" {
description = "Vault auto-unseals after upgrading the cluster with autopilot"
}
quality "vault_autojoins_new_nodes_into_initialized_cluster" {
description = "Vault successfully auto-joins new nodes into an existing cluster"
}
quality "vault_autojoin_aws" {
description = "Vault auto-joins nodes using AWS tag discovery"
}
quality "vault_autopilot_upgrade_leader_election" {
description = <<-EOF
Vault elects a new leader after upgrading the cluster with autopilot
EOF
}
quality "vault_cli_audit_enable" {
description = "The 'vault audit enable' command enables audit devices"
}
quality "vault_cli_auth_enable_approle" {
description = "The 'vault auth enable approle' command enables the approle auth method"
}
quality "vault_cli_operator_members" {
description = "The 'vault operator members' command returns the expected list of members"
}
quality "vault_cli_operator_raft_remove_peer" {
description = "The 'vault operator remove-peer' command removes the desired node"
}
quality "vault_cli_operator_step_down" {
description = "The 'vault operator step-down' command forces the cluster leader to step down"
}
quality "vault_cli_policy_write" {
description = "The 'vault policy write' command writes a policy"
}
quality "vault_cli_status_exit_code" {
description = <<-EOF
The 'vault status' command exits with the correct code depending on expected seal status
EOF
}
quality "vault_cluster_upgrade_in_place" {
description = <<-EOF
Vault starts with existing data and configuration and migrates the data in place
EOF
}
quality "vault_config_env_variables" {
description = "Vault starts when configured primarily with environment variables"
}
quality "vault_config_file" {
description = "Vault starts when configured primarily with a configuration file"
}
quality "vault_config_log_level" {
description = "The 'log_level' config stanza modifies its log level"
}
quality "vault_config_multiseal_is_toggleable" {
description = <<-EOF
The Vault Cluster can be configured with a single unseal method regardless of the
'enable_multiseal' config value
EOF
}
quality "vault_init" {
description = "Vault initializes the cluster with the given seal parameters"
}
quality "vault_license_required_ent" {
description = "Vault Enterprise requires a license in order to start"
}
quality "vault_listener_ipv4" {
description = "Vault operates on ipv4 TCP listeners"
}
quality "vault_listener_ipv6" {
description = "Vault operates on ipv6 TCP listeners"
}
quality "vault_mount_auth" {
description = "Vault mounts the auth engine"
}
quality "vault_mount_kv" {
description = "Vault mounts the kv engine"
}
quality "vault_multiseal_enable" {
description = <<-EOF
The Vault Cluster starts with 'enable_multiseal' and multiple auto-unseal methods.
EOF
}
quality "vault_proxy_auto_auth_approle" {
description = <<-EOF
Vault Proxy utilizes the approle auth method to auto-auth via a role and secrets from a file.
EOF
}
quality "vault_proxy_cli_access" {
description = <<-EOF
The Vault CLI accesses tokens through the Vault proxy without a VAULT_TOKEN available
EOF
}
quality "vault_raft_voters" {
description = global.description.verify_raft_cluster_all_nodes_are_voters
}
quality "vault_replication_ce_disabled" {
description = "Replication is not enabled for CE editions"
}
quality "vault_replication_ent_dr_available" {
description = "DR replication is available on Enterprise"
}
quality "vault_replication_ent_pr_available" {
description = "PR replication is available on Enterprise"
}
quality "vault_seal_awskms" {
description = "Vault auto-unseals with the awskms seal"
}
quality "vault_seal_shamir" {
description = <<-EOF
Vault manually unseals with the shamir seal when given the expected number of 'key_shares'
EOF
}
quality "vault_seal_pkcs11" {
description = "Vault auto-unseals with the pkcs11 seal"
}
quality "vault_secrets_auth_user_policy_write" {
description = "Vault creates auth user policies with the root token"
}
quality "vault_secrets_kv_read" {
description = "Vault kv secrets engine data is readable"
}
quality "vault_secrets_kv_write" {
description = "Vault kv secrets engine data is writable"
}
quality "vault_service_restart" {
description = "Vault restarts with existing configuration"
}
quality "vault_service_start" {
description = "Vault starts with the configuration"
}
quality "vault_service_systemd_notified" {
description = "The Vault binary notifies systemd when the service is active"
}
quality "vault_service_systemd_unit" {
description = "The 'vault.service' systemd unit starts the service"
}
quality "vault_status_seal_type" {
description = global.description.verify_seal_type
}
quality "vault_storage_backend_consul" {
description = "Vault operates using Consul for storage"
}
quality "vault_storage_backend_raft" {
description = "Vault operates using integrated Raft storage"
}
quality "vault_ui_assets" {
description = global.description.verify_ui
}
quality "vault_ui_test" {
description = <<-EOF
The Vault Web UI test suite runs against a live Vault server with the embedded static assets
EOF
}
quality "vault_unseal_ha_leader_election" {
description = "Vault performs a leader election after it is unsealed"
}
quality "vault_version_build_date" {
description = "Vault's reported build date matches our expectations"
}
quality "vault_version_edition" {
description = "Vault's reported edition matches our expectations"
}
quality "vault_version_release" {
description = "Vault's reported release version matches our expectations"
}