VAULT-31402: Add verification for all container images (#28605) (#28610)

* VAULT-31402: Add verification for all container images Add verification for all container images that are generated as part of the build. Before this change we only ever tested a limited subset of "default" containers based on Alpine Linux that we publish via the Docker hub and AWS ECR. Now we support testing all Alpine and UBI based container images. We also verify the repository and tag information embedded in each by deploying them and verifying the repo and tag metadata match our expectations. This does change the k8s scenario interface quite a bit. We now take in an archive image and set image/repo/tag information based on the scenario variants. To enable this I also needed to add `tar` to the UBI base image. It was already available in the Alpine image and is used to copy utilities to the image when deploying and configuring the cluster via Enos. Since some images contain multiple tags we also add samples for each image and randomly select which variant to test on a given PR. Signed-off-by: Ryan Cragun <[email protected]> Co-authored-by: Ryan Cragun <[email protected]>
hashicorp · Oct 7, 2024 · 552b7c7 · 552b7c7
1 parent 92ad805
commit 552b7c7
Show file tree

Hide file tree

Showing 16 changed files with 583 additions and 325 deletions.
diff --git a/.github/actions/containerize/action.yml b/.github/actions/containerize/action.yml
@@ -10,31 +10,24 @@ description: |
 
 inputs:
   docker:
-    type: boolean
     description: |
       Package the binary into a Docker container suitable for the Docker and AWS registries. We'll
       automatically determine the correct tags and target depending on the vault edition.
-    default: true
+    default: 'true'
   goarch:
-    type: string
     description: The Go GOARCH value environment variable to set during the build.
   goos:
-    type: string
     description: The Go GOOS value environment variable to set during the build.
   redhat:
-    type: boolean
     description: Package the binary into a UBI container suitable for the Redhat Quay registry.
-    default: false
+    default: 'false'
   vault-binary-path:
-    type: string
     description: The path to the vault binary.
     default: dist/vault
   vault-edition:
-    type: string
     description: The edition of vault to build.
     default: ce
   vault-version:
-    type: string
     description: The vault version.
 
 outputs:
@@ -48,31 +41,52 @@ runs:
     - id: vars
       shell: bash
       run: |
-        if [[ '${{ inputs.vault-edition }}' =~ 'ce' ]]; then
-          # CE containers
-          container_version='${{ inputs.vault-version }}'
-          docker_container_tags='docker.io/hashicorp/vault:${{ inputs.vault-version }} public.ecr.aws/hashicorp/vault:${{ inputs.vault-version }}'
-          docker_container_target='default'
-          redhat_container_tags='quay.io/redhat-isv-containers/5f89bb5e0b94cf64cfeb500a:${{ inputs.vault-version }}-ubi'
-          redhat_container_target='ubi'
-        else
-          # Ent containers
-          container_version='${{ inputs.vault-version }}+${{ inputs.vault-edition }}'
-
-          if [[ '${{ inputs.vault-edition }}' =~ 'fips' ]]; then
-            # Ent FIPS 140-2 containers
-            docker_container_tags='docker.io/hashicorp/vault-enterprise-fips:${{ inputs.vault-version }}-${{ inputs.vault-edition }} public.ecr.aws/hashicorp/vault-enterprise-fips:${{ inputs.vault-version }}-${{ inputs.vault-edition }}'
-            docker_container_target='ubi-fips'
-            redhat_container_tags='quay.io/redhat-isv-containers/6283f645d02c6b16d9caeb8e:${{ inputs.vault-version }}-${{ inputs.vault-edition }}-ubi'
-            redhat_container_target='ubi-fips'
-          else
-            # All other Ent containers
+        case '${{ inputs.vault-edition }}' in
+          "ce")
+            container_version='${{ inputs.vault-version }}'
+            docker_container_tags='docker.io/hashicorp/vault:${{ inputs.vault-version }} public.ecr.aws/hashicorp/vault:${{ inputs.vault-version }}'
+            docker_container_target='default'
+            redhat_container_tags='quay.io/redhat-isv-containers/5f89bb5e0b94cf64cfeb500a:${{ inputs.vault-version }}-ubi'
+            redhat_container_target='ubi'
+          ;;
+          "ent")
+            container_version='${{ inputs.vault-version }}+${{ inputs.vault-edition }}'
             docker_container_tags='docker.io/hashicorp/vault-enterprise:${{ inputs.vault-version }}-${{ inputs.vault-edition}} public.ecr.aws/hashicorp/vault-enterprise:${{ inputs.vault-version }}-${{ inputs.vault-edition }}'
             docker_container_target='default'
             redhat_container_tags='quay.io/redhat-isv-containers/5f89bb9242e382c85087dce2:${{ inputs.vault-version }}-${{ inputs.vault-edition }}-ubi'
             redhat_container_target='ubi'
-          fi
-        fi
+          ;;
+          "ent.hsm")
+            container_version='${{ inputs.vault-version }}+${{ inputs.vault-edition }}'
+            docker_container_tags='docker.io/hashicorp/vault-enterprise:${{ inputs.vault-version }}-${{ inputs.vault-edition}} public.ecr.aws/hashicorp/vault-enterprise:${{ inputs.vault-version }}-${{ inputs.vault-edition }}'
+            docker_container_target='ubi-hsm'
+            redhat_container_tags='quay.io/redhat-isv-containers/5f89bb9242e382c85087dce2:${{ inputs.vault-version }}-${{ inputs.vault-edition }}-ubi'
+            redhat_container_target='ubi-hsm'
+          ;;
+          "ent.hsm.fips1402")
+            container_version='${{ inputs.vault-version }}+${{ inputs.vault-edition }}'
+            docker_container_tags='docker.io/hashicorp/vault-enterprise:${{ inputs.vault-version }}-${{ inputs.vault-edition}} public.ecr.aws/hashicorp/vault-enterprise:${{ inputs.vault-version }}-${{ inputs.vault-edition }}'
+            docker_container_target='ubi-hsm-fips'
+            redhat_container_tags='quay.io/redhat-isv-containers/5f89bb9242e382c85087dce2:${{ inputs.vault-version }}-${{ inputs.vault-edition }}-ubi'
+            redhat_container_target='ubi-hsm-fips'
+          ;;
+          "ent.fips1402")
+            # NOTE: For compatibility we still publish the ent.fips1402 containers to different
+            # namespaces. All ent, ent.hsm, and ent.hsm.fips1402 containers are released in the
+            # enterprise namespaces. After we've updated the upstream docker action to support
+            # multiple tags we can start to tag images with both namespaces, publish to both, and
+            # eventually sunset the fips1402 specific namespaces.
+            container_version='${{ inputs.vault-version }}+${{ inputs.vault-edition }}'
+            docker_container_tags='docker.io/hashicorp/vault-enterprise-fips:${{ inputs.vault-version }}-${{ inputs.vault-edition }} public.ecr.aws/hashicorp/vault-enterprise-fips:${{ inputs.vault-version }}-${{ inputs.vault-edition }}'
+            docker_container_target='ubi-fips'
+            redhat_container_tags='quay.io/redhat-isv-containers/6283f645d02c6b16d9caeb8e:${{ inputs.vault-version }}-${{ inputs.vault-edition }}-ubi'
+            redhat_container_target='ubi-fips'
+          ;;
+          *)
+            echo "Cannot generate container tags for unknown vault edition: ${{ inputs.vault-edition }}" 2>&1
+            exit 1
+          ;;
+        esac
         {
           echo "container-version=${container_version}"
           echo "docker-container-tags=${docker_container_tags}"

diff --git a/.github/workflows/build-artifacts-ce.yml b/.github/workflows/build-artifacts-ce.yml
@@ -9,12 +9,15 @@ on:
     inputs:
       build-all:
         type: boolean
+        description: Build all extended artifacts
         default: false
       build-date:
         type: string
+        description: The date associated with the revision SHA
         required: true
       checkout-ref:
         type: string
+        description: The repo Git SHA to checkout
         default: ""
       compute-build:
         type: string # JSON encoded to support passing arrays
@@ -30,15 +33,19 @@ on:
         required: true
       vault-revision:
         type: string
+        description: The revision SHA of vault
         required: true
       vault-version:
         type: string
+        description: The version of vault
         required: true
       vault-version-package:
         type: string
+        description: Whether or not to package the binary as Debian and RPM packages
         required: true
       web-ui-cache-key:
         type: string
+        description: The UI asset cache key
         required: true
   workflow_call:
     inputs:
@@ -119,7 +126,26 @@ jobs:
       # Outputs are strings so we need to encode our collection outputs as JSON.
       testable-containers: |
         [
-          { "artifact": "${{ github.event.repository.name }}_default_linux_amd64_${{ inputs.vault-version }}_${{ inputs.vault-revision }}.docker.tar" }
+          {
+            "sample": "ce_default_linux_amd64_ent_docker",
+            "artifact": "${{ github.event.repository.name }}_default_linux_amd64_${{ inputs.vault-version }}_${{ inputs.vault-revision }}.docker.tar",
+            "edition": "ce"
+          },
+          {
+            "sample": "ce_default_linux_arm64_ce_docker",
+            "artifact": "${{ github.event.repository.name }}_default_linux_arm64_${{ inputs.vault-version }}_${{ inputs.vault-revision }}.docker.tar",
+            "edition": "ce"
+          },
+          {
+            "sample": "ce_ubi_linux_amd64_ce_redhat",
+            "artifact": "${{ github.event.repository.name}}_ubi_linux_amd64_${{ inputs.vault-version}}_${{ inputs.vault-revision }}.docker.redhat.tar",
+            "edition": "ce"
+          },
+          {
+            "sample": "ce_ubi_linux_arm64_ce_redhat",
+            "artifact": "${{ github.event.repository.name}}_ubi_linux_arm64_${{ inputs.vault-version}}_${{ inputs.vault-revision }}.docker.redhat.tar",
+            "edition": "ce"
+          }
         ]
       testable-packages: |
         [

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -255,16 +255,18 @@ jobs:
       - setup
       - ui
       - artifacts
-    uses: ./.github/workflows/enos-run-k8s.yml
+    uses: ./.github/workflows/test-run-enos-scenario-containers.yml
     strategy:
       fail-fast: false
       matrix:
         include: ${{ fromJSON(needs.artifacts.outputs.testable-containers) }}
     with:
-      artifact-build-date: ${{ needs.setup.outputs.build-date }}
-      artifact-name: ${{ matrix.artifact }}
-      artifact-revision: ${{ needs.setup.outputs.vault-revision }}
-      artifact-version: ${{ needs.setup.outputs.vault-version-metadata }}
+      build-artifact-name: ${{ matrix.artifact }}
+      sample-max: 1
+      sample-name: ${{ matrix.sample }}
+      vault-edition: ${{ matrix.edition }}
+      vault-revision: ${{ needs.setup.outputs.vault-revision }}
+      vault-version: ${{ needs.setup.outputs.vault-version-metadata }}
     secrets: inherit
 
   completed-successfully:

diff --git a/.github/workflows/enos-run-k8s.yml b/.github/workflows/enos-run-k8s.yml