debug vault daemon in CI

nzlosh · nzlosh · commit d26564bcbfee · 2026-05-21T09:45:58.000+02:00
diff --git a/.github/workflows/build_and_test.yaml b/.github/workflows/build_and_test.yaml
@@ -19,14 +19,17 @@ jobs:
         include:
           - python-version-short: "3.9"
             python-version: 3.9.21
+            consul-version: "1.22.7-1"
             vault-version: "2.0.0-1"
             hvac-gh-tag: "v2.4.0"
           - python-version-short: "3.10"
             python-version: 3.10.16
+            consul-version: "1.22.7-1"
             vault-version: "2.0.0-1"
             hvac-gh-tag: "v2.4.0"
           - python-version-short: "3.11"
             python-version: 3.11.11
+            consul-version: "1.22.7-1"
             vault-version: "2.0.0-1"
             hvac-gh-tag: "v2.4.0"
     steps:
@@ -59,22 +62,7 @@ jobs:
         working-directory: pack
         shell: bash
         run: |
-          wget -O- https://apt.releases.hashicorp.com/gpg | sudo gpg --dearmor -o /etc/apt/trusted.gpg.d/hashicorp.gpg
-          echo "deb [arch=amd64, signed-by=/etc/apt/trusted.gpg.d/hashicorp.gpg] https://apt.releases.hashicorp.com $(lsb_release -cs) main" \
-            | sudo tee /etc/apt/sources.list.d/hashicorp.list
-
-          sudo apt update \
-            -o Dir::Etc::sourceparts="-" \
-            -o APT::Get::List-Cleanup="0" \
-            -o Dir::Etc::sourcelist="sources.list.d/hashicorp.list"
-
-          sudo apt install consul vault=${{ matrix.vault-version }}
-
-          # We disble cap_ipc_lock here as its generally incompatabile with GitHub
-          # Actions' runtime environments.
-          sudo setcap cap_ipc_lock= /usr/bin/vault
-          sudo systemctl restart consul vault
-          sudo systemctl status consul vault
+          ${ROOT_DIR}/tests/scripts/install_vault ${{ matrix.vault-version }} ${{ matrix.consul-version }}
 
       - name: Setup hvac symlinks
         shell: bash
diff --git a/tests/scripts/install_consul b/tests/scripts/install_consul
@@ -0,0 +1,133 @@
+name: CI
+
+on:
+  workflow_call:
+  pull_request:
+  schedule:
+    # NOTE: We run this weekly at 1 am UTC on every Saturday
+    - cron:  '0 1 * * 6'
+
+jobs:
+  # This is based on this workflow, with an additional test env setup method
+  # StackStorm-Exchange/ci/.github/workflows/pack-build_and_test.yaml@master
+
+  build_and_test:
+    runs-on: ubuntu-22.04
+    name: 'Build and Test / Python ${{ matrix.python-version-short }}'
+    strategy:
+      matrix:
+        include:
+          - python-version-short: "3.9"
+            python-version: 3.9.21
+            consul-version: "1.22.7-1"
+            vault-version: "2.0.0-1"
+            hvac-gh-tag: "v2.4.0"
+          - python-version-short: "3.10"
+            python-version: 3.10.16
+            consul-version: "1.22.7-1"
+            vault-version: "2.0.0-1"
+            hvac-gh-tag: "v2.4.0"
+          - python-version-short: "3.11"
+            python-version: 3.11.11
+            consul-version: "1.22.7-1"
+            vault-version: "2.0.0-1"
+            hvac-gh-tag: "v2.4.0"
+    steps:
+      - name: Checkout Pack Repo and CI Repos
+        uses: StackStorm-Exchange/ci/.github/actions/checkout@master
+
+      - name: Checkout github.com/hvac/hvac
+        uses: actions/checkout@v2
+        with:
+          path: hvac
+          repository: hvac/hvac
+          # main = the release branch; devel = the active development branch
+          ref: ${{ matrix.hvac-gh-tag }}
+          fetch-depth: 0
+
+      - name: Install APT Dependencies
+        uses: StackStorm-Exchange/ci/.github/actions/apt-dependencies@master
+        with:
+          cache-version: v0
+
+      - name: Install Python Dependencies
+        uses: StackStorm-Exchange/ci/.github/actions/py-dependencies@master
+        with:
+          cache-version: v0
+          python-version: ${{ matrix.python-version }}
+
+      # task copied (Apache 2.0 License) from
+      # github.com/hvac/hvac .github/workflows/lint-and-test.yml
+      - name: Install Vault and Consul (for integration tests)
+        working-directory: pack
+        shell: bash
+        run: |
+          wget -O- https://apt.releases.hashicorp.com/gpg | sudo gpg --dearmor -o /etc/apt/trusted.gpg.d/hashicorp.gpg
+          echo "deb [arch=amd64, signed-by=/etc/apt/trusted.gpg.d/hashicorp.gpg] https://apt.releases.hashicorp.com $(lsb_release -cs) main" \
+            | sudo tee /etc/apt/sources.list.d/hashicorp.list
+
+          sudo apt update \
+            -o Dir::Etc::sourceparts="-" \
+            -o APT::Get::List-Cleanup="0" \
+            -o Dir::Etc::sourcelist="sources.list.d/hashicorp.list"
+
+          sudo apt install consul=${{ matrix.consul-version }} vault=${{ matrix.vault-version }}
+
+          # We disble cap_ipc_lock here as its generally incompatabile with GitHub
+          # Actions' runtime environments.
+          sudo setcap cap_ipc_lock= /usr/bin/vault
+
+          # Consul needs to be explicitly configured to start in the CI/CD environment.
+          sudo mkdir -p /srv/consul && sudo chown -R consul:consul /srv/consul
+          sudo tee /etc/consul.d/consul.hcl >/dev/null <<EOF
+          enable_debug = false
+          datacenter = "cicd"
+          data_dir = "/srv/consul"
+          ui_config{
+            enabled = false
+          }
+          server = true
+          bind_addr = "127.0.0.1"
+          client_addr = "127.0.0.1"
+          advertise_addr = "127.0.0.1"
+          retry_join = ["localhost"]
+          bootstrap_expect = 0
+          encrypt = "katpv2wgyY5Za8bGAHh7+URaeLJWh4g+gK0GBjmvQXA="
+          EOF
+          sudo systemctl restart consul
+          sudo systemctl restart vault
+
+      - name: Setup hvac symlinks
+        shell: bash
+        env:
+          HVAC_DIR: ${{ github.workspace }}/hvac
+        run: |
+          # using symlinks allows us to import tests.utils.* without adding
+          # the rest of the hvac tests. tests.utils also uses config_files,
+          # so make that available too.
+          set -eux
+          for x in utils config_files; do
+            rm -f ${ROOT_DIR}/tests/${x}
+            # relative (-r) allows the symlink to work in vagrant
+            ln -rs ${HVAC_DIR}/tests/${x} ${ROOT_DIR}/tests/${x}
+            ls -ld ${ROOT_DIR}/tests/${x}
+          done
+
+      - name: Run pack tests
+        uses: StackStorm-Exchange/ci/.github/actions/test@master
+        with:
+          enable-common-libs: false
+
+    services:
+      mongo:
+        image: mongo:7.0
+        ports:
+          - 27017:27017
+      rabbitmq:
+        image: rabbitmq:3
+        ports:
+          - 5672:5672
+      #redis:
+      #  image: redis
+      #  ports:
+      #    - 6379:6379
diff --git a/tests/scripts/install_vault b/tests/scripts/install_vault
@@ -0,0 +1,60 @@
+#!/bin/bash
+
+set -eux
+
+# Installing consul and vault in the CI/CD environment is complex.  That
+# complexity is now wrapped inside this shell script for a clearer CI/CD YAML.
+
+VAULT_VERSION="$1"
+CONSUL_VERSION="$2"
+
+# github group
+function ghg
+{
+  test "$1" == "start" && echo "##[group]$2"
+  test "$1" == "end" && echo "##[endgroup]"
+}
+
+ghg start "Setup Hashicorp (IBM) APT repository source"
+wget -O- https://apt.releases.hashicorp.com/gpg | sudo gpg --dearmor -o /etc/apt/trusted.gpg.d/hashicorp.gpg
+sudo tee /etc/apt/sources.list.d/hashicorp.list <<<"deb [arch=amd64, signed-by=/etc/apt/trusted.gpg.d/hashicorp.gpg] https://apt.releases.hashicorp.com $(lsb_release -cs) main"
+ghg end
+
+ghg start "Install consul=${CONSUL_VERSION} vault=${VAULT_VERSION}"
+sudo apt update -o Dir::Etc::sourceparts="-" -o APT::Get::List-Cleanup="0" -o Dir::Etc::sourcelist="sources.list.d/hashicorp.list"
+sudo apt install consul=${CONSUL_VERSION} vault=${VAULT_VERSION}
+ghg end
+
+# We disble cap_ipc_lock here as its generally incompatabile with GitHub
+# Actions' runtime environments.
+sudo setcap cap_ipc_lock= /usr/bin/vault
+
+# Consul needs to be explicitly configured to start in the CI/CD environment.
+ghg start "Configure Consul"
+sudo mkdir -p /srv/consul && sudo chown -R consul:consul /srv/consul
+
+sudo tee /etc/consul.d/consul.hcl >/dev/null <<EOF
+enable_debug = false
+datacenter = "cicd"
+data_dir = "/srv/consul"
+ui_config{
+enabled = false
+}
+server = true
+bind_addr = "127.0.0.1"
+client_addr = "127.0.0.1"
+advertise_addr = "127.0.0.1"
+retry_join = ["localhost"]
+bootstrap_expect = 0
+encrypt = "katpv2wgyY5Za8bGAHh7+URaeLJWh4g+gK0GBjmvQXA="
+EOF
+
+sudo systemctl restart consul
+ghg end
+
+ghg start "Configure Vault"
+sudo systemctl restart vault
+
+# Initialise and unseal vault
+vault init
+ghg end
diff --git a/tests/vault_action_tests_base.py b/tests/vault_action_tests_base.py
@@ -1,6 +1,6 @@
 from st2tests.base import BaseActionTestCase
 
-from tests.utils import get_config_file_path
+# #from tests.utils import get_config_file_path
 from tests.utils.hvac_integration_test_case import HvacIntegrationTestCase
 
 
@@ -59,7 +59,9 @@ def tearDown(self):
 
     def build_dummy_pack_config(self, url="https://localhost:8200"):
         # based on create_client() in hvac/tests/utils/__init__.py
-        server_cert_path = get_config_file_path("server-cert.pem")
+        # CI/CD only has a self-signed cert.
+        # #server_cert_path = get_config_file_path("server-cert.pem")
+        server_cert_path = False
 
         token_result = self.client.auth.token.create(ttl=self.default_token_lease)
         token = token_result["auth"]["client_token"]
