consul/.circleci/config.yml

599 lines
20 KiB
YAML

# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0
---
version: 2.1
parameters:
commit:
type: string
default: ""
description: "Commit to run load tests against"
references:
paths:
test-results: &TEST_RESULTS_DIR /tmp/test-results
environment: &ENVIRONMENT
TEST_RESULTS_DIR: *TEST_RESULTS_DIR
EMAIL: noreply@hashicorp.com
GIT_AUTHOR_NAME: circleci-consul
GIT_COMMITTER_NAME: circleci-consul
S3_ARTIFACT_BUCKET: consul-dev-artifacts-v2
BASH_ENV: .circleci/bash_env.sh
GO_VERSION: 1.20.1
envoy-versions: &supported_envoy_versions
- &default_envoy_version "1.22.11"
- "1.23.8"
- "1.24.6"
- "1.25.4"
nomad-versions: &supported_nomad_versions
- &default_nomad_version "1.3.3"
- "1.2.10"
- "1.1.16"
vault-versions: &supported_vault_versions
- &default_vault_version "1.12.2"
- "1.11.6"
- "1.10.9"
- "1.9.10"
consul-versions: &consul_versions
- "1.14"
- "1.15"
images:
# When updating the Go version, remember to also update the versions in the
# workflows section for go-test-lib jobs.
go: &GOLANG_IMAGE docker.mirror.hashicorp.services/cimg/go:1.20.1
ember: &EMBER_IMAGE docker.mirror.hashicorp.services/circleci/node:16-browsers
ubuntu: &UBUNTU_CI_IMAGE ubuntu-2004:202201-02
cache:
yarn: &YARN_CACHE_KEY consul-ui-v9-{{ checksum "ui/yarn.lock" }}
steps:
install-gotestsum: &install-gotestsum
name: install gotestsum
environment:
GOTESTSUM_RELEASE: 1.9.0
command: |
ARCH=`uname -m`
if [[ "$ARCH" == "aarch64" ]]; then
ARCH="arm64"
else
ARCH="amd64"
fi
url=https://github.com/gotestyourself/gotestsum/releases/download
curl -sSL "${url}/v${GOTESTSUM_RELEASE}/gotestsum_${GOTESTSUM_RELEASE}_linux_${ARCH}.tar.gz" | \
sudo tar -xz --overwrite -C /usr/local/bin gotestsum
get-aws-cli: &get-aws-cli
run:
name: download and install AWS CLI
command: |
curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
echo -e "${AWS_CLI_GPG_KEY}" | gpg --import
curl -o awscliv2.sig https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip.sig
gpg --verify awscliv2.sig awscliv2.zip
unzip awscliv2.zip
sudo ./aws/install
# This step MUST be at the end of any set of steps due to the 'when' condition
notify-slack-failure: &notify-slack-failure
name: notify-slack-failure
when: on_fail
command: |
if [[ $CIRCLE_BRANCH == "main" ]]; then
CIRCLE_ENDPOINT="https://app.circleci.com/pipelines/github/${CIRCLE_PROJECT_USERNAME}/${CIRCLE_PROJECT_REPONAME}?branch=${CIRCLE_BRANCH}"
GITHUB_ENDPOINT="https://github.com/${CIRCLE_PROJECT_USERNAME}/${CIRCLE_PROJECT_REPONAME}/commit/${CIRCLE_SHA1}"
COMMIT_MESSAGE=$(git log -1 --pretty=%B | head -n1)
SHORT_REF=$(git rev-parse --short "${CIRCLE_SHA1}")
curl -X POST -H 'Content-type: application/json' \
--data \
"{ \
\"attachments\": [ \
{ \
\"fallback\": \"CircleCI job failed!\", \
\"text\": \"❌ Failed: \`${CIRCLE_USERNAME}\`'s <${CIRCLE_BUILD_URL}|${CIRCLE_STAGE}> job failed for commit <${GITHUB_ENDPOINT}|${SHORT_REF}> on \`${CIRCLE_BRANCH}\`!\n\n- <${COMMIT_MESSAGE}\", \
\"footer\": \"${CIRCLE_PROJECT_USERNAME}/${CIRCLE_PROJECT_REPONAME}\", \
\"ts\": \"$(date +%s)\", \
\"color\": \"danger\" \
} \
] \
}" "${FEED_CONSUL_GH_URL}"
else
echo "Not posting slack failure notifications for non-main branch"
fi
commands:
assume-role:
description: "Assume role to an ARN"
parameters:
access-key:
type: env_var_name
default: AWS_ACCESS_KEY_ID
secret-key:
type: env_var_name
default: AWS_SECRET_ACCESS_KEY
role-arn:
type: env_var_name
default: ROLE_ARN
steps:
# Only run the assume-role command for the main repo. The AWS credentials aren't available for forks.
- run: |
if [[ "${CIRCLE_BRANCH%%/*}/" != "pull/" ]]; then
export AWS_ACCESS_KEY_ID="${<< parameters.access-key >>}"
export AWS_SECRET_ACCESS_KEY="${<< parameters.secret-key >>}"
export ROLE_ARN="${<< parameters.role-arn >>}"
# assume role has duration of 15 min (the minimum allowed)
CREDENTIALS="$(aws sts assume-role --duration-seconds 900 --role-arn ${ROLE_ARN} --role-session-name build-${CIRCLE_SHA1} | jq '.Credentials')"
echo "export AWS_ACCESS_KEY_ID=$(echo $CREDENTIALS | jq -r '.AccessKeyId')" >> $BASH_ENV
echo "export AWS_SECRET_ACCESS_KEY=$(echo $CREDENTIALS | jq -r '.SecretAccessKey')" >> $BASH_ENV
echo "export AWS_SESSION_TOKEN=$(echo $CREDENTIALS | jq -r '.SessionToken')" >> $BASH_ENV
fi
run-go-test-full:
parameters:
go_test_flags:
type: string
default: ""
steps:
- attach_workspace:
at: /home/circleci/go/bin
- run: go mod download
- run:
name: go test
command: |
mkdir -p $TEST_RESULTS_DIR /tmp/jsonfile
PACKAGE_NAMES=$(go list -tags "$GOTAGS" ./... | circleci tests split --split-by=timings --timings-type=classname)
echo "Running $(echo $PACKAGE_NAMES | wc -w) packages"
echo $PACKAGE_NAMES
# some tests expect this umask, and arm images have a different default
umask 0022
<< parameters.go_test_flags >>
gotestsum \
--format=short-verbose \
--jsonfile /tmp/jsonfile/go-test-${CIRCLE_NODE_INDEX}.log \
--debug \
--rerun-fails=3 \
--rerun-fails-max-failures=40 \
--rerun-fails-report=/tmp/gotestsum-rerun-fails \
--packages="$PACKAGE_NAMES" \
--junitfile $TEST_RESULTS_DIR/gotestsum-report.xml -- \
-tags="$GOTAGS" -p 2 \
${GO_TEST_FLAGS-} \
-cover -coverprofile=coverage.txt
- store_test_results:
path: *TEST_RESULTS_DIR
- store_artifacts:
path: *TEST_RESULTS_DIR
- store_artifacts:
path: /tmp/jsonfile
- run: &rerun-fails-report
name: "Re-run fails report"
command: |
.circleci/scripts/rerun-fails-report.sh /tmp/gotestsum-rerun-fails
- run: *notify-slack-failure
jobs:
check-go-mod:
docker:
- image: *GOLANG_IMAGE
environment:
<<: *ENVIRONMENT
steps:
- checkout
- run: go mod tidy
- run: |
if [[ -n $(git status -s) ]]; then
echo "Git directory has changes"
git status -s
exit 1
fi
- run: *notify-slack-failure
# build is a templated job for build-x
build-distros: &build-distros
docker:
- image: *GOLANG_IMAGE
resource_class: large
environment: &build-env
<<: *ENVIRONMENT
steps:
- checkout
- run:
name: Build
command: |
for os in $XC_OS; do
target="./pkg/bin/${GOOS}_${GOARCH}/"
GOOS="$os" CGO_ENABLED=0 go build -o "${target}" -ldflags "${GOLDFLAGS}" -tags "${GOTAGS}"
done
# save dev build to CircleCI
- store_artifacts:
path: ./pkg/bin
- run: *notify-slack-failure
# create a development build
dev-build:
docker:
- image: *GOLANG_IMAGE
resource_class: large
environment:
<<: *ENVIRONMENT
steps:
- checkout
- attach_workspace: # this normally runs as the first job and has nothing to attach; only used in main branch after rebuilding UI
at: .
- run:
name: Build
command: |
make dev
mkdir -p /home/circleci/go/bin
cp ./bin/consul /home/circleci/go/bin/consul
# save dev build to pass to downstream jobs
- persist_to_workspace:
root: /home/circleci/go/bin
paths:
- consul
- run: *notify-slack-failure
# upload development build to s3
dev-upload-s3:
docker:
- image: *GOLANG_IMAGE
environment:
<<: *ENVIRONMENT
steps:
- checkout
- *get-aws-cli
- assume-role:
access-key: AWS_ACCESS_KEY_ID_S3_UPLOAD
secret-key: AWS_SECRET_ACCESS_KEY_S3_UPLOAD
role-arn: ROLE_ARN_S3_UPLOAD
# get consul binary
- attach_workspace:
at: bin/
- run:
name: package binary
command: zip -j consul.zip bin/consul
- run:
name: Upload to s3
command: |
if [ -n "${S3_ARTIFACT_PATH}" ]; then
aws s3 cp \
--metadata "CIRCLECI=${CIRCLECI},CIRCLE_BUILD_URL=${CIRCLE_BUILD_URL},CIRCLE_BRANCH=${CIRCLE_BRANCH}" \
"consul.zip" "s3://${S3_ARTIFACT_BUCKET}/${S3_ARTIFACT_PATH}/${CIRCLE_SHA1}.zip" --acl public-read
else
echo "CircleCI - S3_ARTIFACT_PATH was not set"
exit 1
fi
- run: *notify-slack-failure
# upload dev docker image
dev-upload-docker:
docker:
- image: *GOLANG_IMAGE # use a circleci image so the attach_workspace step works (has ca-certs installed)
environment:
<<: *ENVIRONMENT
steps:
- checkout
# get consul binary
- attach_workspace:
at: bin/
- setup_remote_docker
- run: make ci.dev-docker
- run: *notify-slack-failure
nomad-integration-test: &NOMAD_TESTS
docker:
- image: docker.mirror.hashicorp.services/cimg/go:1.20
parameters:
nomad-version:
type: enum
enum: *supported_nomad_versions
default: *default_nomad_version
environment:
<<: *ENVIRONMENT
NOMAD_WORKING_DIR: &NOMAD_WORKING_DIR /home/circleci/go/src/github.com/hashicorp/nomad
NOMAD_VERSION: << parameters.nomad-version >>
steps: &NOMAD_INTEGRATION_TEST_STEPS
- run: git clone https://github.com/hashicorp/nomad.git --branch v${NOMAD_VERSION} ${NOMAD_WORKING_DIR}
# get consul binary
- attach_workspace:
at: /home/circleci/go/bin
# make dev build of nomad
- run:
command: make pkg/linux_amd64/nomad
working_directory: *NOMAD_WORKING_DIR
- run: *install-gotestsum
# run integration tests
- run:
name: go test
command: |
mkdir -p $TEST_RESULTS_DIR
gotestsum \
--format=short-verbose \
--junitfile $TEST_RESULTS_DIR/results.xml -- \
./command/agent/consul -run TestConsul
working_directory: *NOMAD_WORKING_DIR
# store test results for CircleCI
- store_test_results:
path: *TEST_RESULTS_DIR
- store_artifacts:
path: *TEST_RESULTS_DIR
- run: *notify-slack-failure
compatibility-integration-test:
machine:
image: *UBUNTU_CI_IMAGE
docker_layer_caching: true
parallelism: 1
steps:
- checkout
# Get go binary from workspace
- attach_workspace:
at: .
# Build the consul:local image from the already built binary
- run:
command: |
sudo rm -rf /usr/local/go
wget https://dl.google.com/go/go${GO_VERSION}.linux-amd64.tar.gz
sudo tar -C /usr/local -xzvf go${GO_VERSION}.linux-amd64.tar.gz
environment:
<<: *ENVIRONMENT
- run: *install-gotestsum
- run: docker build -t consul:local -f ./build-support/docker/Consul-Dev.dockerfile .
- run:
name: Compatibility Integration Tests
command: |
mkdir -p /tmp/test-results/
cd ./test/integration/consul-container
docker run --rm consul:local consul version
gotestsum \
--raw-command \
--format=short-verbose \
--debug \
--rerun-fails=3 \
--packages="./..." \
-- \
go test \
-p=4 \
-timeout=30m \
-json \
`go list ./... | grep -v upgrade` \
--target-image consul \
--target-version local \
--latest-image consul \
--latest-version latest
ls -lrt
environment:
# this is needed because of incompatibility between RYUK container and circleci
GOTESTSUM_JUNITFILE: /tmp/test-results/results.xml
GOTESTSUM_FORMAT: standard-verbose
COMPOSE_INTERACTIVE_NO_CLI: 1
# tput complains if this isn't set to something.
TERM: ansi
- store_test_results:
path: *TEST_RESULTS_DIR
- store_artifacts:
path: *TEST_RESULTS_DIR
- run: *notify-slack-failure
upgrade-integration-test:
machine:
image: *UBUNTU_CI_IMAGE
docker_layer_caching: true
parallelism: 3
resource_class: large
parameters:
consul-version:
type: enum
enum: *consul_versions
environment:
CONSUL_VERSION: << parameters.consul-version >>
steps:
- checkout
# Get go binary from workspace
- attach_workspace:
at: .
# Build the consul:local image from the already built binary
- run:
command: |
sudo rm -rf /usr/local/go
wget https://dl.google.com/go/go${GO_VERSION}.linux-amd64.tar.gz
sudo tar -C /usr/local -xzvf go${GO_VERSION}.linux-amd64.tar.gz
environment:
<<: *ENVIRONMENT
- run: *install-gotestsum
- run: docker build -t consul:local -f ./build-support/docker/Consul-Dev.dockerfile .
- run:
name: Upgrade Integration Tests
command: |
mkdir -p /tmp/test-results/
cd ./test/integration/consul-container
docker run --rm consul:local consul version
gotestsum \
--raw-command \
--format=short-verbose \
--debug \
--rerun-fails=3 \
--packages="./..." \
-- \
go test \
-p=4 \
-tags "${GOTAGS}" \
-timeout=30m \
-json \
./.../upgrade/ \
--target-image consul \
--target-version local \
--latest-image consul \
--latest-version $CONSUL_VERSION
ls -lrt
environment:
# this is needed because of incompatibility between RYUK container and circleci
GOTESTSUM_JUNITFILE: /tmp/test-results/results.xml
GOTESTSUM_FORMAT: standard-verbose
COMPOSE_INTERACTIVE_NO_CLI: 1
# tput complains if this isn't set to something.
TERM: ansi
- store_test_results:
path: *TEST_RESULTS_DIR
- store_artifacts:
path: *TEST_RESULTS_DIR
- run: *notify-slack-failure
envoy-integration-test: &ENVOY_TESTS
machine:
image: *UBUNTU_CI_IMAGE
parallelism: 4
resource_class: medium
parameters:
envoy-version:
type: enum
enum: *supported_envoy_versions
default: *default_envoy_version
xds-target:
type: enum
enum: ["server", "client"]
default: "server"
environment:
ENVOY_VERSION: << parameters.envoy-version >>
XDS_TARGET: << parameters.xds-target >>
AWS_LAMBDA_REGION: us-west-2
steps: &ENVOY_INTEGRATION_TEST_STEPS
- checkout
- assume-role:
access-key: AWS_ACCESS_KEY_ID_LAMBDA
secret-key: AWS_SECRET_ACCESS_KEY_LAMBDA
role-arn: ROLE_ARN_LAMBDA
# Get go binary from workspace
- attach_workspace:
at: .
- run: *install-gotestsum
# Build the consul:local image from the already built binary
- run: docker build -t consul:local -f ./build-support/docker/Consul-Dev.dockerfile .
- run:
name: Envoy Integration Tests
command: |
subtests=$(ls -d test/integration/connect/envoy/*/ | xargs -n 1 basename | circleci tests split)
echo "Running $(echo $subtests | wc -w) subtests"
echo "$subtests"
subtests_pipe_sepr=$(echo "$subtests" | xargs | sed 's/ /|/g')
mkdir -p /tmp/test-results/
gotestsum -- -timeout=30m -tags integration ./test/integration/connect/envoy -run="TestEnvoy/($subtests_pipe_sepr)"
environment:
GOTESTSUM_JUNITFILE: /tmp/test-results/results.xml
GOTESTSUM_FORMAT: standard-verbose
COMPOSE_INTERACTIVE_NO_CLI: 1
LAMBDA_TESTS_ENABLED: "true"
# tput complains if this isn't set to something.
TERM: ansi
- store_artifacts:
path: ./test/integration/connect/envoy/workdir/logs
destination: container-logs
- store_test_results:
path: *TEST_RESULTS_DIR
- store_artifacts:
path: *TEST_RESULTS_DIR
- run: *notify-slack-failure
# run integration tests for the connect ca providers with vault
vault-integration-test:
docker:
- image: *GOLANG_IMAGE
parameters:
vault-version:
type: enum
enum: *supported_vault_versions
default: *default_vault_version
environment:
<<: *ENVIRONMENT
VAULT_BINARY_VERSION: << parameters.vault-version >>
steps: &VAULT_INTEGRATION_TEST_STEPS
- run:
name: Install vault
command: |
wget -q -O /tmp/vault.zip https://releases.hashicorp.com/vault/${VAULT_BINARY_VERSION}/vault_${VAULT_BINARY_VERSION}_linux_amd64.zip
sudo unzip -d /usr/local/bin /tmp/vault.zip
rm -rf /tmp/vault*
vault version
- checkout
- run: go mod download
- run:
name: go test
command: |
mkdir -p $TEST_RESULTS_DIR
make test-connect-ca-providers
- store_test_results:
path: *TEST_RESULTS_DIR
- run: *notify-slack-failure
# The noop job is a used as a very fast job in the verify-ci workflow because every workflow
# requires at least one job. It does nothing.
noop:
docker:
- image: docker.mirror.hashicorp.services/alpine:latest
steps:
- run: "echo ok"
workflows:
test-integrations:
jobs:
- dev-build: &filter-ignore-non-go-branches
filters:
branches:
ignore:
- stable-website
- /^docs\/.*/
- /^ui\/.*/
- /^mktg-.*/ # Digital Team Terraform-generated branches' prefix
- /^backport\/docs\/.*/
- /^backport\/ui\/.*/
- /^backport\/mktg-.*/
- dev-upload-s3: &dev-upload
requires:
- dev-build
filters:
branches:
ignore:
- /^pull\/.*$/ # only push dev builds from non forks
- main # all main dev uploads will include a UI rebuild in build-distros
- dev-upload-docker:
<<: *dev-upload
context: consul-ci
- nomad-integration-test:
requires:
- dev-build
matrix:
parameters:
nomad-version: *supported_nomad_versions
- vault-integration-test:
matrix:
parameters:
vault-version: *supported_vault_versions
<<: *filter-ignore-non-go-branches
- envoy-integration-test:
requires:
- dev-build
matrix:
parameters:
envoy-version: *supported_envoy_versions
xds-target: ["server", "client"]
- compatibility-integration-test:
requires:
- dev-build
- upgrade-integration-test:
requires:
- dev-build
matrix:
parameters:
consul-version: *consul_versions
- noop