Vault test setup tweaks (#1322)
* remove need for approle.json

* remove references to vault env and approle files

* remove sql init volume

* Add new lines
kian99 authored Aug 27, 2024
1 parent c61fe72 commit 5651863
Showing 16 changed files with 86 additions and 172 deletions.
2 changes: 1 addition & 1 deletion .air.toml
Expand Up @@ -11,7 +11,7 @@ tmp_dir = "tmp"
exclude_regex = ["_test.go"]
exclude_unchanged = false
follow_symlink = false
full_bin = "env $(cat /vault/vault.env | xargs) dlv exec --accept-multiclient --log --headless --continue --listen :2345 --api-version 2 ./tmp/jimm"
full_bin = "dlv exec --accept-multiclient --log --headless --continue --listen :2345 --api-version 2 ./tmp/jimm"
include_dir = []
include_ext = ["go", "tpl", "tmpl", "html"]
kill_delay = "0s"
6 changes: 0 additions & 6 deletions .github/workflows/cache.yaml
Expand Up @@ -22,11 +22,5 @@ jobs:
with:
go-version-file: 'go.mod'

- name: Add volume files
run: |
touch ./local/vault/approle.json
touch ./local/vault/roleid.txt
touch ./local/vault/vault.env
- name: Build
run: go build ./...
6 changes: 0 additions & 6 deletions .github/workflows/ci.yaml
Expand Up @@ -27,12 +27,6 @@ jobs:
- name: Install juju-db
run: sudo snap install juju-db --channel 4.4/stable

- name: Add volume files
run: |
touch ./local/vault/approle.json
touch ./local/vault/roleid.txt
touch ./local/vault/vault.env
- name: Create test certs
run: make certs

3 changes: 0 additions & 3 deletions .github/workflows/golangci-lint.yaml
Expand Up @@ -20,9 +20,6 @@ jobs:
go-version: stable
cache: false

- name: Touch approle
run: touch ./local/vault/approle.json

- name: Run Golangci-lint
uses: golangci/golangci-lint-action@v6
with:
5 changes: 5 additions & 0 deletions .github/workflows/integration-test.yaml
Expand Up @@ -17,28 +17,33 @@ jobs:
steps:
- name: Checkout JIMM repo
uses: actions/checkout@v4

- name: Setup Go
if: ${{ github.event_name == 'pull_request' }}
uses: actions/setup-go@v4
with:
go-version-file: 'go.mod'

- name: Go vendor to speed up docker build
if: ${{ github.event_name == 'pull_request' }}
run: go mod vendor

- name: Start JIMM (pull request)
if: ${{ github.event_name == 'pull_request' }}
uses: ./.github/actions/test-server
with:
jimm-version: dev
juju-channel: "3/stable"
ghcr-pat: ${{ secrets.GITHUB_TOKEN }}

- name: Start JIMM (manual run)
if: ${{ github.event_name == 'workflow_dispatch' }}
uses: ./.github/actions/test-server
with:
jimm-version: ${{ inputs.jimm-version }}
juju-channel: "3/stable"
ghcr-pat: ${{ secrets.GITHUB_TOKEN }}

- name: Create a model, deploy an application and run juju status
run: |
juju add-model foo && \
4 changes: 0 additions & 4 deletions .gitignore
Expand Up @@ -11,10 +11,6 @@
/version/commit.txt
/version/version.txt
/tmp
/local/vault/approle.json
local/vault/approle.json
local/vault/roleid.txt
local/vault/vault.env

*.crt
*.key
2 changes: 0 additions & 2 deletions Makefile
Expand Up @@ -36,14 +36,12 @@ certs:
@cd local/traefik/certs; ./certs.sh; cd -

test-env: sys-deps certs
@touch ./local/vault/approle.json && touch ./local/vault/roleid.txt && touch ./local/vault/vault.env
@docker compose up --force-recreate -d --wait

test-env-cleanup:
@docker compose down -v --remove-orphans

dev-env-setup: sys-deps certs
@touch ./local/vault/approle.json && touch ./local/vault/roleid.txt && touch ./local/vault/vault.env
@make version/commit.txt && make version/version.txt

dev-env: dev-env-setup
2 changes: 2 additions & 0 deletions compose-common.yaml
Expand Up @@ -12,6 +12,8 @@ services:
# Note: You can comment out the Vault ENV vars below and instead use INSECURE_SECRET_STORAGE to place secrets in Postgres.
VAULT_ADDR: "http://vault:8200"
VAULT_PATH: "/jimm-kv/"
VAULT_ROLE_ID: test-role-id
VAULT_ROLE_SECRET_ID: test-secret-id
# Note: By default we should use Vault as that is the primary means of secret storage.
# INSECURE_SECRET_STORAGE: "enabled"
# JIMM_DASHBOARD_LOCATION: ""
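Review bot: The two new entries `VAULT_ROLE_ID: test-role-id` and `VAULT_ROLE_SECRET_ID: test-secret-id` are fixed AppRole credentials that only work because local/vault/entrypoint.sh provisions the same `role_id`/`secret_id` values, and nothing in this file says so. A comment above them such as `# Fixed, test-only AppRole credentials; must match the values written by local/vault/entrypoint.sh` would keep the two files from drifting apart and make clear they are not meant for any non-local environment. For consistency with the quoted siblings `VAULT_ADDR` and `VAULT_PATH`, write them as `VAULT_ROLE_ID: "test-role-id"` and `VAULT_ROLE_SECRET_ID: "test-secret-id"`. The enclosing `environment` mapping starts above this hunk.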
27 changes: 5 additions & 22 deletions docker-compose.yaml
Expand Up @@ -35,9 +35,7 @@ services:
- -c
- >-
apt update && apt install curl -y
&& set -a && . /vault/vault.env && set +a && /usr/local/bin/jimmsrv
volumes:
- ./local/vault/vault.env:/vault/vault.env:rw
&& /usr/local/bin/jimmsrv
# An instance of JIMM used for dev, built from source with hot-reloading.
jimm-dev:
Expand All @@ -61,16 +59,13 @@ services:
- 2345:2345
volumes:
- ./:/jimm/
- ./local/vault/vault.env:/vault/vault.env:rw

db:
image: postgres
container_name: postgres
restart: always
ports:
- 5432:5432
volumes:
- ./local/init.sql:/docker-entrypoint-initdb.d/init.sql
environment:
POSTGRES_DB: jimm
POSTGRES_USER: jimm
Expand All @@ -85,30 +80,18 @@ services:
retries: 5

vault:
image: hashicorp/vault:latest
build:
context: ./local/vault/
dockerfile: Dockerfile
container_name: vault
ports:
- 8200:8200
environment:
# For CLI
VAULT_ADDR: "http://localhost:8200"
# Dev Flag
VAULT_DEV_LISTEN_ADDRESS: "0.0.0.0:8200"
# Dev Flag
VAULT_DEV_ROOT_TOKEN_ID: "token"
VAULT_DEV_ROOT_TOKEN_ID: "root"
cap_add:
- IPC_LOCK
volumes:
- ./local/vault/vault.hcl:/vault/config/vault.hcl
- ./local/vault/init.sh:/vault/init.sh
- ./local/vault/policy.hcl:/vault/policy.hcl
- ./local/vault/approle.json:/vault/approle.json
- ./local/vault/roleid.txt:/vault/roleid.txt:rw
- ./local/vault/vault.env:/vault/vault.env:rw
command: /vault/init.sh
depends_on:
db:
condition: service_healthy

migrateopenfga:
image: openfga/openfga:v1.2.0
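Review bot: The vault service now runs with the well-known root token `VAULT_DEV_ROOT_TOKEN_ID: "root"` and a dev listener on `0.0.0.0:8200`, while the unchanged `- 8200:8200` mapping publishes that port on every host interface; binding it to loopback with `- 127.0.0.1:8200:8200` keeps the dev Vault reachable from the host and the compose network without exposing a root-token dev server to the LAN. The new Dockerfile-based build reports health by touching /tmp/healthy, so any service that waits on vault should use `depends_on` with `condition: service_healthy`; the jimm/jimm-dev `depends_on` stanzas are not in this hunk, so that is worth confirming. The `environment` comment `# For CLI` on `VAULT_ADDR` is now redundant with the `export VAULT_ADDR` in local/vault/entrypoint.sh, which sets the same value.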
33 changes: 5 additions & 28 deletions internal/jimmtest/vault.go
Expand Up @@ -3,11 +3,12 @@
package jimmtest

import (
"encoding/json"

"github.com/hashicorp/vault/api"
)

vault_test "github.com/canonical/jimm/v3/local/vault"
const (
testRoleID = "test-role-id"
testSecretID = "test-secret-id"
)

type fatalF interface {
Expand All @@ -20,29 +21,5 @@ func VaultClient(tb fatalF) (*api.Client, string, string, string, bool) {
cfg := api.DefaultConfig()
cfg.Address = "http://localhost:8200"
vaultClient, _ := api.NewClient(cfg)

appRole := vault_test.AppRole
var vaultAPISecret api.Secret
err := json.Unmarshal(appRole, &vaultAPISecret)
if err != nil {
panic("cannot unmarshal vault secret")
}

roleID, ok := vaultAPISecret.Data["role_id"]
if !ok {
panic("role ID not found")
}
roleSecretID, ok := vaultAPISecret.Data["secret_id"]
if !ok {
panic("role secret ID not found")
}
roleIDString, ok := roleID.(string)
if !ok {
panic("failed to convert role ID to string")
}
roleSecretIDString, ok := roleSecretID.(string)
if !ok {
panic("failed to convert role secret ID to string")
}
return vaultClient, "jimm-kv", roleIDString, roleSecretIDString, true
return vaultClient, "jimm-kv", testRoleID, testSecretID, true
}
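Review bot: The new constants `testRoleID = "test-role-id"` and `testSecretID = "test-secret-id"` duplicate literals that also live in local/vault/entrypoint.sh and compose-common.yaml, and the const block gives no hint that the three must agree. A comment on the block, `// Fixed AppRole credentials provisioned by local/vault/entrypoint.sh; keep in sync with compose-common.yaml.`, would document the coupling. VaultClient's signature is only visible in the hunk header, so the function starts outside the hunk; its `vaultClient, _ := api.NewClient(cfg)` on the context line still discards the constructor error, which this change does not touch.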
21 changes: 0 additions & 21 deletions local/init.sql

This file was deleted.

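--- a/local/vault/Dockerfile
+++ b/local/vault/Dockerfile
@@ -0,0 +1,20 @@
+FROM hashicorp/vault:latest
+
+# Add jq to make scripting the calls a bit easier
+# ref: https://stedolan.github.io/jq/
+RUN apk add --no-cache bash jq
+
+# Add our policy and entrypoint
+COPY policy.hcl /vault/policy.hcl
+COPY entrypoint.sh /vault/entrypoint.sh
+
+EXPOSE 8200
+
+ENTRYPOINT [ "/vault/entrypoint.sh" ]
+
+HEALTHCHECK \
+--start-period=5s \
+--interval=1s \
+--timeout=1s \
+--retries=30 \
+CMD [ "/bin/sh", "-c", "[ -f /tmp/healthy ]" ]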
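Review bot: `FROM hashicorp/vault:latest` leaves the test environment unpinned, so the image can change underneath CI without any change in this repository; pin it as `FROM hashicorp/vault:<pinned release tag>` (or a digest) now that the image choice lives in a Dockerfile rather than in docker-compose.yaml. The `RUN apk add --no-cache bash jq` layer installs tools the committed entrypoint does not appear to use: entrypoint.sh runs under `#!/bin/sh` and, as far as its visible lines show, never calls jq, so either drop them or reword the comment to say why they are kept. The HEALTHCHECK only tests for the presence of /tmp/healthy, a file that persists after the Vault process exits, so it reports healthy for a container whose Vault has died; a probe such as `vault status` would reflect the live process.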
11 changes: 0 additions & 11 deletions local/vault/approle.go

This file was deleted.

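--- a/local/vault/entrypoint.sh
+++ b/local/vault/entrypoint.sh
@@ -0,0 +1,48 @@
+#!/bin/sh
+
+# Much of the below was lifted from the sample Vault application setup
+# in https://github.com/hashicorp/hello-vault-go/tree/main/sample-app
+
+set -e
+
+export VAULT_ADDR='http://localhost:8200'
+export VAULT_FORMAT='json'
+
+# Dev mode defaults some addresses, but also enables us
+# to have a custom root key & automatically unsealed vault.
+vault server -dev &
+sleep 5s
+
+# Authenticate container's local Vault CLI
+# ref: https://www.vaultproject.io/docs/commands/login
+vault login -no-print "${VAULT_DEV_ROOT_TOKEN_ID}"
+
+# AppRole auth is what we use in JIMM, an awesome tutorial
+# on how this is setup can be found below.
+# HOW-TO: https://developer.hashicorp.com/vault/docs/auth/approle
+# AND:
+# https://developer.hashicorp.com/vault/tutorials/auth-methods/approle
+
+echo "Enabling AppRole auth"
+vault auth enable approle
+
+echo "Creating access policy to JIMM stores"
+vault policy write jimm-app /vault/policy.hcl
+
+echo "Creating jimm-app AppRole"
+vault write auth/approle/role/jimm-app policies=jimm-app
+
+# Set fixed role ID and secret ID to simplify testing
+vault write auth/approle/role/jimm-app/role-id role_id="test-role-id"
+vault write auth/approle/role/jimm-app/custom-secret-id secret_id="test-secret-id"
+
+# Enable the KV at the defined policy path
+echo "Enabling KV at policy path /jimm-kv"
+echo "/jimm-kv accessible by policy jimm-app"
+vault secrets enable -version=2 -path /jimm-kv kv
+
+# This container is now healthy
+touch /tmp/healthy
+
+# Keep container alive
+tail -f /dev/null & trap 'kill %1' TERM ; wait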
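Review bot: The `sleep 5s` after `vault server -dev &` is a fixed wait rather than a readiness check, so on a slow CI runner `vault login` can run before the listener is up and `set -e` aborts the whole setup, while on a fast one five seconds are wasted; polling `vault status` until it succeeds (bounded, so a broken server still fails) removes the race. The final `tail -f /dev/null & trap 'kill %1' TERM ; wait` also hides a crashed Vault: tail keeps the container alive, /tmp/healthy stays on disk, and `%1` addresses the most recently backgrounded job rather than the Vault server, and job specs are not reliably available in a non-interactive sh. Recording the server PID, forwarding TERM to it and ending with `wait "$VAULT_PID"` makes the container's lifetime follow the Vault process. Since the script relies on `${VAULT_DEV_ROOT_TOKEN_ID}` being set, `set -eu` would turn a missing variable into an immediate, clear failure.
```shell
set -eu

# … unchanged: VAULT_ADDR / VAULT_FORMAT exports …

vault server -dev &
VAULT_PID=$!

# Wait for the dev server to answer instead of sleeping a fixed 5s;
# give up after ~30s so a broken server still fails the setup.
for _ in $(seq 1 30); do
  vault status >/dev/null 2>&1 && break
  sleep 1
done

# … unchanged: login, AppRole, policy and KV setup, touch /tmp/healthy …

# Forward TERM to Vault and exit when it exits
trap 'kill "$VAULT_PID"' TERM
wait "$VAULT_PID"
```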
60 changes: 0 additions & 60 deletions local/vault/init.sh

This file was deleted.

8 changes: 0 additions & 8 deletions local/vault/vault.hcl

This file was deleted.
