skip removal correctly for consul
miagilepner committed Dec 20, 2024
1 parent 378ca2c commit ae9fb02
Showing 5 changed files with 236 additions and 56 deletions.
10 changes: 10 additions & 0 deletions enos/enos-modules.hcl
Expand Up @@ -225,11 +225,21 @@ module "vault_failover_update_dr_primary" {
vault_install_dir = var.vault_install_dir
}

module "vault_raft_remove_and_verify" {
source = "./modules/vault_raft_remove_and_verify"
vault_install_dir = var.vault_install_dir
}

module "vault_raft_remove_peer" {
source = "./modules/vault_raft_remove_peer"
vault_install_dir = var.vault_install_dir
}

module "vault_removed_do_nothing" {
source = "./modules/vault_removed_do_nothing"
vault_install_dir = var.vault_install_dir
}

module "vault_setup_dr_primary" {
source = "./modules/vault_setup_dr_primary"

4 changes: 2 additions & 2 deletions enos/enos-scenario-autopilot.hcl
Expand Up @@ -82,6 +82,7 @@ scenario "autopilot" {
manage_service = matrix.artifact_type == "bundle"
vault_install_dir = global.vault_install_dir[matrix.artifact_type]
vault_autopilot_default_max_leases = semverconstraint(var.vault_upgrade_initial_version, ">=1.16.0-0") ? "300000" : ""
verify_removed_step_module = semverconstraint(var.vault_product_version, ">=1.19.0-0") && matrix.backend == "raft" ? "vault_verify_raft_removed" : "vault_removed_do_nothing"
}

step "build_vault" {
Expand Down Expand Up @@ -633,11 +634,10 @@ scenario "autopilot" {
}

step "verify_removed" {
skip_step = semverconstraint(var.vault_upgrade_initial_version, "<1.19.0-0")
description = <<-EOF
Verify that the removed nodes are marked as such
EOF
module = module.vault_verify_raft_removed
module = local.verify_removed_step_module
depends_on = [
step.create_vault_cluster,
step.get_updated_vault_cluster_ips,
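Review bot: The version gate for the `verify_removed` step silently changed: the removed `skip_step` line tested `var.vault_upgrade_initial_version`, while the new `verify_removed_step_module` local tests `var.vault_product_version`, and neither the title nor the hunk records why. In the autopilot scenario the cluster is created on the initial version and then upgraded, so gating on the post-upgrade version is presumably intended if the step runs after the upgrade, but a comment on the local would save the next reader the archaeology: `# Gate on the post-upgrade version: removed-node status only exists from 1.19 onward, and only for raft`. The local also references `matrix.backend`; if the autopilot matrix declares no backend dimension this fails at validation, which is worth confirming. The step's `depends_on` list continues outside the hunk.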
66 changes: 12 additions & 54 deletions enos/enos-scenario-smoke.hcl
Expand Up @@ -72,7 +72,8 @@ scenario "smoke" {
sles = provider.enos.ec2_user
ubuntu = provider.enos.ubuntu
}
manage_service = matrix.artifact_type == "bundle"
manage_service = matrix.artifact_type == "bundle"
removed_step_module = semverconstraint(var.vault_product_version, ">=1.19.0-0") && matrix.backend == "raft" ? "vault_raft_remove_and_verify" : "vault_removed_do_nothing"
}

step "build_vault" {
Expand Down Expand Up @@ -496,75 +497,32 @@ scenario "smoke" {
}
}

step "choose_follower_to_remove" {
skip_step = semverconstraint(var.vault_product_version, "<1.19.0-0") || matrix.backend != "raft"
module = module.choose_follower_host
depends_on = [
step.get_vault_cluster_ips,
]

variables {
followers = step.get_vault_cluster_ips.follower_hosts
}
}

step "remove_raft_node" {
skip_step = semverconstraint(var.vault_product_version, "<1.19.0-0") || matrix.backend != "raft"
module = module.vault_raft_remove_peer
depends_on = [
step.verify_raft_auto_join_voter,
step.get_vault_cluster_ips,
step.create_vault_cluster,
step.choose_follower_to_remove,
]

providers = {
enos = local.enos_provider[matrix.distro]
}

verifies = [
quality.vault_api_sys_storage_raft_remove_peer_write_removes_peer,
quality.vault_cli_operator_raft_remove_peer,
]

variables {
hosts = step.choose_follower_to_remove.chosen_follower
ip_version = matrix.ip_version
operator_instance = step.get_vault_cluster_ips.leader_public_ip
vault_addr = step.create_vault_cluster.api_addr_localhost
vault_cluster_addr_port = step.create_vault_cluster.cluster_port
vault_install_dir = global.vault_install_dir[matrix.artifact_type]
vault_root_token = step.create_vault_cluster.root_token
is_voter = true
}
}

step "verify_removed" {
skip_step = semverconstraint(var.vault_product_version, "<1.19.0-0") || matrix.backend != "raft"
step "vault_remove_node_and_verify" {
description = <<-EOF
Verify that the removed nodes are marked as such and can be added back if their data has been deleted
Remove a follower and ensure that it's marked as removed and can be added back once its data has been deleted
EOF
module = module.vault_verify_raft_removed
module = local.removed_step_module
depends_on = [
step.create_vault_cluster_targets,
step.get_vault_cluster_ips,
step.remove_raft_node,
step.choose_follower_to_remove,
step.verify_vault_unsealed,
]

providers = {
enos = local.enos_provider[matrix.distro]
}

verifies = [
quality.vault_api_sys_storage_raft_remove_peer_write_removes_peer,
quality.vault_cli_operator_raft_remove_peer,
quality.vault_raft_removed_after_restart,
quality.vault_raft_removed_statuses,
quality.vault_raft_removed_cant_rejoin,
quality.vault_raft_removed_rejoin_after_deletion,
]

variables {
hosts = step.choose_follower_to_remove.chosen_follower
hosts = step.get_vault_cluster_ips.follower_hosts
vault_leader_host = step.get_vault_cluster_ips.leader_host
vault_root_token = step.create_vault_cluster.root_token
vault_seal_type = matrix.seal
Expand All @@ -581,7 +539,7 @@ scenario "smoke" {
step "verify_secrets_engines_create" {
description = global.description.verify_secrets_engines_create
module = module.vault_verify_secrets_engines_create
depends_on = [step.verify_removed]
depends_on = [step.vault_remove_node_and_verify]

providers = {
enos = local.enos_provider[matrix.distro]
Expand Down Expand Up @@ -618,7 +576,7 @@ scenario "smoke" {
step "verify_replication" {
description = global.description.verify_replication_status
module = module.vault_verify_replication
depends_on = [step.verify_removed]
depends_on = [step.vault_remove_node_and_verify]

providers = {
enos = local.enos_provider[matrix.distro]
Expand Down Expand Up @@ -697,7 +655,7 @@ scenario "smoke" {
step "verify_ui" {
description = global.description.verify_ui
module = module.vault_verify_ui
depends_on = [step.verify_removed]
depends_on = [step.vault_remove_node_and_verify]

providers = {
enos = local.enos_provider[matrix.distro]
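Review bot: The merged `vault_remove_node_and_verify` step's `depends_on` no longer lists `step.verify_raft_auto_join_voter`, which the removed `remove_raft_node` step depended on; since the new module still removes the chosen follower with `is_voter = true`, the removal can now be scheduled before the voter check has passed. Adding `step.verify_raft_auto_join_voter,` back into the `depends_on` list restores the previous ordering. The step also now hands all of `step.get_vault_cluster_ips.follower_hosts` to the module, which picks one follower internally, so the call shape differs from the old step but appears consistent with the new module's `hosts` input. The step's `variables` block continues outside the hunk.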
126 changes: 126 additions & 0 deletions enos/modules/vault_raft_remove_and_verify/main.tf
@@ -0,0 +1,126 @@
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: BUSL-1.1

terraform {
required_providers {
aws = {
source = "hashicorp/aws"
}
enos = {
source = "registry.terraform.io/hashicorp-forge/enos"
}
}
}

variable "hosts" {
type = map(object({
ipv6 = string
private_ip = string
public_ip = string
}))
description = "The vault cluster followers"
}


variable "retry_interval" {
type = number
description = "How many seconds to wait between each retry"
default = 2
}

variable "timeout" {
type = number
description = "The max number of seconds to wait before timing out"
default = 60
}

variable "listener_port" {
type = number
description = "The listener port for vault"
}
variable "vault_leader_host" {
type = object({
ipv6 = string
private_ip = string
public_ip = string
})
description = "The leader's host information"
}
variable "vault_local_addr" {
type = string
description = "The local address to use to query vault"
}
variable "cluster_port" {
type = number
description = "The cluster port for vault"
}

variable "ip_version" {
type = number
description = "The IP version to use for the Vault TCP listeners"

validation {
condition = contains([4, 6], var.ip_version)
error_message = "The ip_version must be either 4 or 6"
}
}
variable "vault_root_token" {
type = string
description = "The vault root token"
}
variable "vault_seal_type" {
type = string
description = "The Vault seal type"
}

variable "add_back_nodes" {
type = bool
description = "whether to add the nodes back"
}

variable "vault_unseal_keys" {}

variable "vault_install_dir" {
type = string
description = "The directory where the vault binary is installed"
}


module "choose_follower_to_remove" {
source = "../choose_follower_host"
followers = var.hosts
}

module "remove_raft_node" {
source = "../vault_raft_remove_peer"
depends_on = [module.choose_follower_to_remove]


hosts = module.choose_follower_to_remove.chosen_follower
ip_version = var.ip_version
operator_instance = var.vault_leader_host.public_ip
vault_addr = var.vault_local_addr
vault_cluster_addr_port = var.cluster_port
vault_install_dir = var.vault_install_dir
vault_root_token = var.vault_root_token
is_voter = true
}

module "verify_removed" {
source = "../vault_verify_raft_removed"
depends_on = [
module.remove_raft_node
]

hosts = module.choose_follower_to_remove.chosen_follower
vault_leader_host = var.vault_leader_host
vault_root_token = var.vault_root_token
vault_seal_type = var.vault_seal_type
vault_unseal_keys = var.vault_seal_type == "shamir" ? var.vault_unseal_keys : null
add_back_nodes = true
listener_port = var.listener_port
ip_version = var.ip_version
vault_local_addr = var.vault_local_addr
cluster_port = var.cluster_port
vault_install_dir = var.vault_install_dir
}
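Review bot: `add_back_nodes` is declared as an input, but the `verify_removed` module call hardcodes `add_back_nodes = true`, and `retry_interval` and `timeout` are declared and never referenced in the module body, so a caller's values for all three are silently ignored. Use `add_back_nodes = var.add_back_nodes`, and either forward `retry_interval`/`timeout` to the child modules (if they accept them — their interfaces are not visible here) or drop the two declarations. `vault_root_token` and `vault_unseal_keys` are plain inputs without `sensitive = true`, so their values can be echoed in plan and apply output, and `vault_unseal_keys` has no `type` at all. The same three declarations appear in enos/modules/vault_removed_do_nothing/main.tf and deserve the same treatment.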
86 changes: 86 additions & 0 deletions enos/modules/vault_removed_do_nothing/main.tf
@@ -0,0 +1,86 @@
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: BUSL-1.1

terraform {
required_providers {
aws = {
source = "hashicorp/aws"
}
enos = {
source = "registry.terraform.io/hashicorp-forge/enos"
}
}
}

variable "hosts" {
type = map(object({
ipv6 = string
private_ip = string
public_ip = string
}))
description = "The vault cluster followers"
}


variable "retry_interval" {
type = number
description = "How many seconds to wait between each retry"
default = 2
}

variable "timeout" {
type = number
description = "The max number of seconds to wait before timing out"
default = 60
}

variable "listener_port" {
type = number
description = "The listener port for vault"
}
variable "vault_leader_host" {
type = object({
ipv6 = string
private_ip = string
public_ip = string
})
description = "The leader's host information"
}
variable "vault_local_addr" {
type = string
description = "The local address to use to query vault"
}
variable "cluster_port" {
type = number
description = "The cluster port for vault"
}

variable "ip_version" {
type = number
description = "The IP version to use for the Vault TCP listeners"

validation {
condition = contains([4, 6], var.ip_version)
error_message = "The ip_version must be either 4 or 6"
}
}
variable "vault_root_token" {
type = string
description = "The vault root token"
}
variable "vault_seal_type" {
type = string
description = "The Vault seal type"
}

variable "add_back_nodes" {
type = bool
description = "whether to add the nodes back"
}

variable "vault_unseal_keys" {}

variable "vault_install_dir" {
type = string
description = "The directory where the vault binary is installed"
}
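Review bot: The module declares a dozen inputs and no resources, and nothing says the emptiness is deliberate, so a reader will take it for an unfinished file. A header comment after the license lines would settle it: `# Intentional no-op: this module only mirrors the inputs of vault_raft_remove_and_verify / vault_verify_raft_removed so a scenario step can select it when the backend is not raft or the version predates 1.19.` With that in place the unused `retry_interval`, `timeout` and the `ip_version` validation read as interface padding rather than dead logic.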
