vault/enos/enos-qualities.hcl
Ryan Cragun 84935e4416
[QT-697] enos: add descriptions and quality verification (#27311)
In order to take advantage of enos' ability to outline scenarios and to
inventory what verification they perform we needed to retrofit all of
that information to our existing scenarios and steps.

This change introduces an initial set of descriptions and verification
declarations that we can continue to refine over time.

As doing this required that I re-read every scenario in its entirety I
also updated and fixed a few things along the way that I noticed,
including adding a few small features to enos that we utilize to make
handling initial versions programmatic between versions instead of having a
delta between our globals in each branch.

* Update autopilot and in-place upgrade initial versions
* Programatically determine which initial versions to use based on Vault
  version
* Partially normalize steps between scenarios to make comparisons easier
* Update the MOTD to explain that VAULT_ADDR and VAULT_TOKEN have been
  set
* Add scenario and step descriptions to scenarios
* Add initial scenario quality verification declarations to scenarios
* Unpin Terraform in scenarios as >= 1.8.4 should work fine
2024-06-13 11:16:33 -06:00


# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: BUSL-1.1
quality "consul_api_agent_host_read" {
description = "The /v1/agent/host Consul API returns host info for each node in the cluster"
}
quality "consul_api_health_node_read" {
description = <<-EOF
The /v1/health/node/<node> Consul API returns health info for each node in the cluster
EOF
}
quality "consul_api_operator_raft_config_read" {
description = "The /v1/operator/raft/configuration Consul API returns raft info for the cluster"
}
quality "consul_autojoin_aws" {
description = "The Consul cluster auto-joins with AWS tag discovery"
}
quality "consul_cli_validate" {
description = "The 'consul validate' command validates the Consul configuration"
}
quality "consul_config_file" {
description = "Consul starts when configured with a configuration file"
}
quality "consul_ha_leader_election" {
description = "The Consul cluster elects a leader node on start up"
}
quality "consul_health_state_passing_read_nodes_minimum" {
description = <<-EOF
The Consul cluster meets the minimum number of healthy nodes according to the
/v1/health/state/passing Consul API
EOF
}
quality "consul_operator_raft_configuration_read_voters_minimum" {
description = <<-EOF
The Consul cluster meets the minimum number of raft voters according to the
/v1/operator/raft/configuration Consul API
EOF
}
quality "consul_service_start_client" {
description = "The Consul service starts in client mode"
}
quality "consul_service_start_server" {
description = "The Consul service starts in server mode"
}
quality "consul_service_systemd_notified" {
description = "The Consul binary notifies systemd when the service is active"
}
quality "consul_service_systemd_unit" {
description = "The 'consul.service' systemd unit starts the service"
}
quality "vault_agent_auto_auth_approle" {
description = <<-EOF
Vault running in Agent mode utilizes the approle auth method to do auto-auth via a role and
read secrets from a file source
EOF
}
quality "vault_agent_log_template" {
description = global.description.verify_agent_output
}
quality "vault_api_sys_auth_userpass_user_write" {
description = "The v1/sys/auth/userpass/users/<user> Vault API associates a policy with a user"
}
quality "vault_api_sys_config_read" {
description = <<-EOF
The v1/sys/config/sanitized Vault API returns sanitized configuration which matches our given
configuration
EOF
}
quality "vault_api_sys_ha_status_read" {
description = "The v1/sys/ha-status Vault API returns the HA status of the cluster"
}
quality "vault_api_sys_health_read" {
description = <<-EOF
The v1/sys/health Vault API returns the correct codes depending on the replication and
'seal-status' of the cluster
EOF
}
quality "vault_api_sys_host_info_read" {
description = "The v1/sys/host-info Vault API returns the host info for each node in the cluster"
}
quality "vault_api_sys_leader_read" {
description = "The v1/sys/leader Vault API returns the cluster leader info"
}
quality "vault_api_sys_metrics_vault_core_replication_write_undo_logs_enabled" {
description = <<-EOF
The v1/sys/metrics Vault API returns metrics and verifies that
'Gauges[vault.core.replication.write_undo_logs]' is enabled
EOF
}
quality "vault_api_sys_policy_write" {
description = "The v1/sys/policy Vault API writes a superuser policy"
}
quality "vault_api_sys_quotas_lease_count_read_max_leases_default" {
description = <<-EOF
The v1/sys/quotas/lease-count/default Vault API returns the lease 'count' and 'max_leases' is
set to 300,000
EOF
}
quality "vault_api_sys_replication_performance_primary_enable_write" {
description = <<-EOF
The v1/sys/replication/performance/primary/enable Vault API enables performance replication
EOF
}
quality "vault_api_sys_replication_performance_primary_secondary_token_write" {
description = <<-EOF
The v1/sys/replication/performance/primary/secondary-token Vault API configures the replication
token
EOF
}
quality "vault_api_sys_replication_performance_secondary_enable_write" {
description = <<-EOF
The v1/sys/replication/performance/secondary/enable Vault API enables performance replication
EOF
}
quality "vault_api_sys_replication_performance_read_connection_status_connected" {
description = <<-EOF
The v1/sys/replication/performance/status Vault API returns status info and the
'connection_status' is correct for the given node
EOF
}
quality "vault_api_sys_replication_performance_status_known_primary_cluster_addrs" {
description = <<-EOF
The v1/sys/replication/performance/status Vault API returns the replication status and
'known_primary_cluster_address' is the expected primary cluster leader
EOF
}
quality "vault_api_sys_replication_performance_status_read" {
description = <<-EOF
The v1/sys/replication/performance/status Vault API returns the performance replication status
EOF
}
quality "vault_api_sys_replication_performance_status_read_cluster_address" {
description = <<-EOF
The v1/sys/replication/performance/status Vault API returns the performance replication status
and the '{primaries,secondaries}[*].cluster_address' is correct for the given node
EOF
}
quality "vault_api_sys_replication_performance_status_read_state_not_idle" {
description = <<-EOF
The v1/sys/replication/performance/status Vault API returns the performance replication status
and the state is not idle
EOF
}
quality "vault_api_sys_replication_status_read" {
description = <<-EOF
The v1/sys/replication/status Vault API returns the performance replication status of the
cluster
EOF
}
quality "vault_api_sys_seal_status_api_read_matches_sys_health" {
description = <<-EOF
The v1/sys/seal-status Vault API and v1/sys/health Vault API agree on the health of each node
and the cluster
EOF
}
quality "vault_api_sys_sealwrap_rewrap_read_entries_processed_eq_entries_succeeded_post_rewrap" {
description = global.description.verify_seal_rewrap_entries_processed_eq_entries_succeeded_post_rewrap
}
quality "vault_api_sys_sealwrap_rewrap_read_entries_processed_gt_zero_post_rewrap" {
description = global.description.verify_seal_rewrap_entries_processed_is_gt_zero_post_rewrap
}
quality "vault_api_sys_sealwrap_rewrap_read_is_running_false_post_rewrap" {
description = global.description.verify_seal_rewrap_is_running_false_post_rewrap
}
quality "vault_api_sys_sealwrap_rewrap_read_no_entries_fail_during_rewrap" {
description = global.description.verify_seal_rewrap_no_entries_fail_during_rewrap
}
quality "vault_api_sys_step_down_steps_down" {
description = <<-EOF
The v1/sys/step-down Vault API forces the cluster leader to step down and initiates a new leader
election
EOF
}
quality "vault_api_sys_storage_raft_autopilot_configuration_read" {
description = <<-EOF
The v1/sys/storage/raft/autopilot/configuration Vault API returns the autopilot configuration of
the cluster
EOF
}
quality "vault_api_sys_storage_raft_autopilot_state_read" {
description = <<-EOF
The v1/sys/storage/raft/autopilot/state Vault API returns the raft autopilot state of the
cluster
EOF
}
quality "vault_api_sys_storage_raft_autopilot_upgrade_info_read_status_matches" {
description = <<-EOF
The v1/sys/storage/raft/autopilot/state Vault API returns the raft autopilot state and the
'upgrade_info.status' matches our expected state
EOF
}
quality "vault_api_sys_storage_raft_autopilot_upgrade_info_target_version_read_matches_candidate" {
description = <<-EOF
The v1/sys/storage/raft/autopilot/state Vault API returns the raft autopilot state and the
'upgrade_info.target_version' matches the candidate version
EOF
}
quality "vault_api_sys_storage_raft_configuration_read" {
description = <<-EOF
The v1/sys/storage/raft/configuration Vault API returns the raft configuration of the cluster
EOF
}
quality "vault_api_sys_storage_raft_remove_peer_write_removes_peer" {
description = <<-EOF
The v1/sys/storage/raft/remove-peer Vault API removes the desired node from the raft sub-system
EOF
}
quality "vault_artifact_bundle" {
description = "The candidate binary packaged as a zip bundle is used for testing"
}
quality "vault_artifact_deb" {
description = "The candidate binary packaged as a deb package is used for testing"
}
quality "vault_artifact_rpm" {
description = "The candidate binary packaged as an rpm package is used for testing"
}
quality "vault_audit_log" {
description = "The Vault audit sub-system is enabled with the log audit device and writes to a log"
}
quality "vault_audit_socket" {
description = "The Vault audit sub-system is enabled with the socket audit device and writes to a socket"
}
quality "vault_audit_syslog" {
description = "The Vault audit sub-system is enabled with the syslog audit device and writes to syslog"
}
quality "vault_auto_unseals_after_autopilot_upgrade" {
description = "Vault auto-unseals after upgrading the cluster with autopilot"
}
quality "vault_autojoins_new_nodes_into_initialized_cluster" {
description = "Vault successfully auto-joins new nodes into an existing cluster"
}
quality "vault_autojoin_aws" {
description = "Vault auto-joins nodes using AWS tag discovery"
}
quality "vault_autopilot_upgrade_leader_election" {
description = <<-EOF
Vault elects a new leader after upgrading the cluster with autopilot
EOF
}
quality "vault_cli_audit_enable" {
description = "The 'vault audit enable' command enables audit devices"
}
quality "vault_cli_auth_enable_approle" {
description = "The 'vault auth enable approle' command enables the approle auth method"
}
quality "vault_cli_operator_members" {
description = "The 'vault operator members' command returns the expected list of members"
}
quality "vault_cli_operator_raft_remove_peer" {
description = "The 'vault operator remove-peer' command removes the desired node"
}
quality "vault_cli_operator_step_down" {
description = "The 'vault operator step-down' command forces the cluster leader to step down"
}
quality "vault_cli_policy_write" {
description = "The 'vault policy write' command writes a policy"
}
quality "vault_cli_status_exit_code" {
description = <<-EOF
The 'vault status' command exits with the correct code depending on expected seal status
EOF
}
quality "vault_cluster_upgrade_in_place" {
description = <<-EOF
Vault starts with existing data and configuration and migrates the data in place
EOF
}
quality "vault_config_env_variables" {
description = "Vault starts when configured primarily with environment variables"
}
quality "vault_config_file" {
description = "Vault starts when configured primarily with a configuration file"
}
quality "vault_config_log_level" {
description = "The 'log_level' config stanza modifies Vault's log level"
}
quality "vault_config_multiseal_is_toggleable" {
description = <<-EOF
The Vault Cluster can be configured with a single unseal method regardless of the
'enable_multiseal' config value
EOF
}
quality "vault_init" {
description = "Vault initializes the cluster with the given seal parameters"
}
quality "vault_license_required_ent" {
description = "Vault Enterprise requires a license in order to start"
}
quality "vault_mount_auth" {
description = "Vault mounts the auth engine"
}
quality "vault_mount_kv" {
description = "Vault mounts the kv engine"
}
quality "vault_multiseal_enable" {
description = <<-EOF
The Vault Cluster starts with 'enable_multiseal' and multiple auto-unseal methods.
EOF
}
quality "vault_proxy_auto_auth_approle" {
description = <<-EOF
Vault Proxy utilizes the approle auth method to auto-auth via a role and read secrets from a file source.
EOF
}
quality "vault_proxy_cli_access" {
description = <<-EOF
The Vault CLI accesses tokens through the Vault proxy without a VAULT_TOKEN available
EOF
}
quality "vault_raft_voters" {
description = global.description.verify_raft_cluster_all_nodes_are_voters
}
quality "vault_replication_ce_disabled" {
description = "Replication is not enabled for CE editions"
}
quality "vault_replication_ent_dr_available" {
description = "DR replication is available on Enterprise"
}
quality "vault_replication_ent_pr_available" {
description = "PR replication is available on Enterprise"
}
quality "vault_seal_awskms" {
description = "Vault auto-unseals with the awskms seal"
}
quality "vault_seal_shamir" {
description = <<-EOF
Vault manually unseals with the shamir seal when given the expected number of 'key_shares'
EOF
}
quality "vault_seal_pkcs11" {
description = "Vault auto-unseals with the pkcs11 seal"
}
quality "vault_secrets_auth_user_policy_write" {
description = "Vault creates auth user policies with the root token"
}
quality "vault_secrets_kv_read" {
description = "Vault kv secrets engine data is readable"
}
quality "vault_secrets_kv_write" {
description = "Vault kv secrets engine data is writable"
}
quality "vault_service_restart" {
description = "Vault restarts with existing configuration"
}
quality "vault_service_start" {
description = "Vault starts with the configuration"
}
quality "vault_service_systemd_notified" {
description = "The Vault binary notifies systemd when the service is active"
}
quality "vault_service_systemd_unit" {
description = "The 'vault.service' systemd unit starts the service"
}
quality "vault_status_seal_type" {
description = global.description.verify_seal_type
}
quality "vault_storage_backend_consul" {
description = "Vault operates using Consul for storage"
}
quality "vault_storage_backend_raft" {
description = "Vault operates using integrated Raft storage"
}
quality "vault_ui_assets" {
description = global.description.verify_ui
}
quality "vault_ui_test" {
description = <<-EOF
The Vault Web UI test suite runs against a live Vault server with the embedded static assets
EOF
}
quality "vault_unseal_ha_leader_election" {
description = "Vault performs a leader election after it is unsealed"
}
quality "vault_version_build_date" {
description = "Vault's reported build date matches our expectations"
}
quality "vault_version_edition" {
description = "Vault's reported edition matches our expectations"
}
quality "vault_version_release" {
description = "Vault's reported release version matches our expectations"
}