Merge pull request #2031 from tmacam/HashicorpVaultCertification_I1926

2022-08-29 21:51:59 -07:00 · 2022-08-29 21:51:59 -07:00 · 6f8fa005b7
parent c59d27f9e6 b84adbf03a
commit 6f8fa005b7
6 changed files with 87 additions and 0 deletions
--- a/.github/infrastructure/conformance/hashicorp/setup-hashicorp-vault-secrets.sh
+++ b/.github/infrastructure/conformance/hashicorp/setup-hashicorp-vault-secrets.sh
@ -0,0 +1,30 @@
+#!/bin/sh
+
+# Notice that while hashicorp supports multiple keys in a secret,
+# our confirmance tests needs to go for the common demominator 
+# which is a secret store that only has name/value semantic.
+# Hence we setup secret containing a single key with the their
+# same name.
+
+set -eu
+
+MAX_ATTEMPTS=30
+
+for attempt in `seq $MAX_ATTEMPTS`; do
+    # Test connectivity to vault server and create secrets to match
+    # conformance tests / contents from tests/conformance/secrets.json
+    if vault status && 
+        vault kv put secret/dapr/conftestsecret conftestsecret=abcd &&
+        vault kv put secret/dapr/secondsecret secondsecret=efgh;
+    then
+        echo ✅ secrets set;
+        sleep 1;
+        exit 0;
+    else
+        echo "⏰ vault not available, waiting... - attempt $attempt of $MAX_ATTEMPTS";
+        sleep 1;
+    fi
+done;
+
+echo ❌ Failed to set secrets;
+exit 1
--- a/.github/infrastructure/docker-compose-hashicorp-vault.yml
+++ b/.github/infrastructure/docker-compose-hashicorp-vault.yml
@ -0,0 +1,32 @@
+version: '3.9'
+
+# Use a YAML reference to define VAULT_TOKEN and DOCKER_IMAGE only once
+x-common-vaues:
+  # This should match tests/config/secrestore/hashicorp/vault/hashicorp-vault.yaml
+  vault_token: &VAULT_TOKEN "vault-dev-root-token-id"
+  # Reuse the same docker image to save on resources and because the base vault image
+  # has everything we need for seeding the initial key values too.
+  vault_docker_image: &VAULT_DOCKER_IMAGE vault:1.11.2
+
+services:
+  hashicorp_vault:
+    image: *VAULT_DOCKER_IMAGE
+    ports:
+      - '8200:8200'
+    cap_add:
+      - IPC_LOCK
+    environment:
+      VAULT_DEV_ROOT_TOKEN_ID: *VAULT_TOKEN
+
+  # We define a aux. service to seed the expected conformance secrets to vault
+  seed_conformance_secrets:
+    image: *VAULT_DOCKER_IMAGE
+    depends_on:
+     - hashicorp_vault
+    environment:
+      VAULT_TOKEN : *VAULT_TOKEN
+      VAULT_ADDR: http://hashicorp_vault:8200/
+    volumes:
+      - ./conformance/hashicorp/:/setup:ro
+    entrypoint: /setup/setup-hashicorp-vault-secrets.sh
+    
--- a/.github/workflows/conformance.yml
+++ b/.github/workflows/conformance.yml
@ -61,6 +61,7 @@ jobs:
        - secretstores.kubernetes
        - secretstores.localenv
        - secretstores.localfile
+        - secretstores.hashicorp.vault
        - state.cassandra
        - state.memcached
        - state.mongodb
@ -306,6 +307,11 @@ jobs:
      run: |
        docker-compose -f ./.github/infrastructure/docker-compose-cockroachdb.yml -p cockroachdb up -d
      if: contains(matrix.component, 'cockroachdb')
+    
+    - name: Start vault
+      run: |
+        docker-compose -f ./.github/infrastructure/docker-compose-hashicorp-vault.yml -p vault up -d
+      if: contains(matrix.component, 'hashicorp.vault')

    - name: Start rethinkdb
      run: |
--- a/tests/config/secretstores/hashicorp/vault/hashicorp-vault.yml
+++ b/tests/config/secretstores/hashicorp/vault/hashicorp-vault.yml
@ -0,0 +1,13 @@
+apiVersion: dapr.io/v1alpha1
+kind: Component
+metadata:
+  name: valut
+  namespace: default
+spec:
+  type: secretstores.hashicorp.vault
+  version: v1
+  metadata:
+  - name: vaultAddr
+    value: "http://127.0.0.1:8200"
+  - name: vaultToken  # Matches docker compose VAULT_DEV_ROOT_TOKEN_ID env. var.
+    value: "vault-dev-root-token-id"
--- a/tests/config/secretstores/tests.yml
+++ b/tests/config/secretstores/tests.yml
@ -11,3 +11,6 @@ components:
    allOperations: true
  - component: kubernetes
    allOperations: true
+  - component: hashicorp.vault
+    allOperations: true
+
--- a/tests/conformance/common.go
+++ b/tests/conformance/common.go
@ -60,6 +60,7 @@ import (
 	p_rabbitmq "github.com/dapr/components-contrib/pubsub/rabbitmq"
 	p_redis "github.com/dapr/components-contrib/pubsub/redis"
 	ss_azure "github.com/dapr/components-contrib/secretstores/azure/keyvault"
+	ss_hashicorp_vault "github.com/dapr/components-contrib/secretstores/hashicorp/vault"
 	ss_kubernetes "github.com/dapr/components-contrib/secretstores/kubernetes"
 	ss_local_env "github.com/dapr/components-contrib/secretstores/local/env"
 	ss_local_file "github.com/dapr/components-contrib/secretstores/local/file"
@ -399,6 +400,8 @@ func loadSecretStore(tc TestComponent) secretstores.SecretStore {
 		store = ss_local_env.NewEnvSecretStore(testLogger)
 	case "localfile":
 		store = ss_local_file.NewLocalSecretStore(testLogger)
+	case "hashicorp.vault":
+		store = ss_hashicorp_vault.NewHashiCorpVaultSecretStore(testLogger)
 	default:
 		return nil
 	}