Add Vault CI test with deployed Vault with Transit #424

Open. shtripat wants to merge 11 commits into master.

Contributor

@shtripat shtripat commented Nov 29, 2023

This PR introduces a GitHub workflow to deploy HashiCorp Vault with Transit enabled and execute tests.

@shtripat shtripat force-pushed the vault-tests branch 4 times, most recently from 2c39733 to d205f79 Compare November 30, 2023 08:57
@shtripat shtripat changed the title WIP - Add Vault CI test with deployed Vault with Transit Add Vault CI test with deployed Vault with Transit Nov 30, 2023
@shtripat shtripat marked this pull request as ready for review November 30, 2023 09:04
@shtripat shtripat force-pushed the vault-tests branch 3 times, most recently from e6f137e to 23423fd Compare November 30, 2023 09:48
Signed-off-by: Shubhendu Ram Tripathi <shubhendu@minio.io>
shtripat and others added 2 commits December 1, 2023 21:16
Signed-off-by: Shubhendu Ram Tripathi <shubhendu@minio.io>
.github/workflows/ci-test.yml: 3 review threads, outdated and resolved
Signed-off-by: Harshavardhana <harsha@minio.io>
@harshavardhana
Member

PTAL at the CI failure

go: downloading github.com/go-logr/stdr v1.2.2
=== RUN   TestVaultCI
    vault_ci_test.go:21: kesconf: invalid vault keystore: invalid approle config: no approle ID specified
--- FAIL: TestVaultCI (0.00s)
FAIL
FAIL	github.com/minio/kes/kesconf	0.014s
FAIL
Error: Process completed with exit code 1.

Signed-off-by: Shubhendu Ram Tripathi <shubhendu@minio.io>
Signed-off-by: Shubhendu Ram Tripathi <shubhendu@minio.io>
Signed-off-by: Shubhendu Ram Tripathi <shubhendu@minio.io>
@harshavardhana
Member

Looks like KV List permissions are missing @shtripat

@shtripat
Contributor Author

> Looks like KV List permissions are missing @shtripat

Somehow, locally inside an Ubuntu VM with the below kes-policy.hcl, the tests run fine:

path "transit/encrypt/my-key" {
   capabilities = [ "update" ]
}
path "transit/decrypt/my-key" {
   capabilities = [ "update" ]
}
path "kv/*" {
   capabilities = [ "create", "read", "delete", "list" ]
}

root@vm-01:~/kes# go test ./kesconf -v -vault-ci.config=/root/kes/kesconf/testdata/vault/kes-config-vault.yml -run="TestVaultCI"
=== RUN   TestVaultCI
=== RUN   TestVaultCI/Create
=== RUN   TestVaultCI/Get
=== RUN   TestVaultCI/Status
--- PASS: TestVaultCI (0.05s)
    --- PASS: TestVaultCI/Create (0.01s)
    --- PASS: TestVaultCI/Get (0.03s)
    --- PASS: TestVaultCI/Status (0.00s)
PASS
ok  	github.com/minio/kes/kesconf	0.064s

Do you mean to change the policy as below?

path "transit/encrypt/my-key" {
   capabilities = [ "update", "list" ]
}
path "transit/decrypt/my-key" {
   capabilities = [ "update", "list" ]
}
path "kv/*" {
   capabilities = [ "create", "read", "delete", "list" ]
}
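
The two policies quoted above differ only in `list` on the transit paths. As an added example (not code from this PR or from KES), the Go program below classifies each grant in a Vault policy as used or unused against a list of requests and reports requests that no rule allows. The request list in `needs`, the key name `kv/test-key` and the names `Audit` and `resolve` are assumptions; only exact paths and trailing `*` globs are handled.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed input: the second policy from the thread, one rule per line.
const proposed = `path "transit/encrypt/my-key" { capabilities = [ "update", "list" ] }
path "transit/decrypt/my-key" { capabilities = [ "update", "list" ] }
path "kv/*" { capabilities = [ "create", "read", "delete", "list" ] }`
// Assumed requests as {path, capability}; hypothetical, not taken from KES.
var needs = [][2]string{{"transit/encrypt/my-key", "update"}, {"transit/decrypt/my-key", "update"},
	{"kv/test-key", "create"}, {"kv/test-key", "read"}, {"kv/test-key", "delete"}, {"kv/", "list"}}
var ruleRe = regexp.MustCompile(`(?s)path\s+"([^"]+)"\s*\{(.*?)\}`)
var capRe = regexp.MustCompile(`"([a-z]+)"`)

// resolve returns the rule applied to req: an exact path, else the longest "prefix*" glob.
func resolve(rules []string, req string) (best string) {
	for _, r := range rules {
		glob := strings.HasSuffix(r, "*") && strings.HasPrefix(req, strings.TrimSuffix(r, "*"))
		if r == req || (glob && best != req && len(r) > len(best)) {
			best = r
		}
	}
	return best
}

// Audit maps "path capability" to "used", "unused" (granted, never needed) or "missing".
func Audit(hcl string, needs [][2]string) map[string]string {
	report, rules := map[string]string{}, []string{}
	for _, m := range ruleRe.FindAllStringSubmatch(hcl, -1) {
		rules = append(rules, m[1])
		for _, c := range capRe.FindAllStringSubmatch(m[2], -1) {
			report[m[1]+" "+c[1]] = "unused"
		}
	}
	for _, n := range needs {
		key, status := resolve(rules, n[0])+" "+n[1], "used"
		if s := report[key]; s != "used" && s != "unused" {
			key, status = n[0]+" "+n[1], "missing" // no rule grants this request
		}
		report[key] = status
	}
	return report
}

func main() { fmt.Println(Audit(proposed, needs)) }
```

Replace `needs` with the requests observed for the deployment under test (for example from Vault's audit log) before relying on the "unused" results.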

aead previously approved these changes Jan 10, 2024
Signed-off-by: Shubhendu Ram Tripathi <shubhendu@minio.io>
Signed-off-by: Shubhendu Ram Tripathi <shubhendu@minio.io>
@shtripat shtripat force-pushed the vault-tests branch 2 times, most recently from 7afd7ef to 46c3ae4 Compare January 10, 2024 12:36
Signed-off-by: Shubhendu Ram Tripathi <shubhendu@minio.io>
@bh4t

bh4t commented Jan 23, 2024

@harshavardhana @aead can one of you PTAL?
