From 5facb00d9095662f5d4a6dbbaacacb3d295d83fb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ota=CC=81vio=20Fernandes?=
Date: Fri, 29 Mar 2019 21:59:36 +0100
Subject: [PATCH] Travis-CI

Preparing CI and scripts to install Vault, and bootstrap service to have AppRole authentication. Role-ID and Secret-ID are saved on `.env` and employed during CI steps.

---
 .ci/bootstrap-vault.sh | 28 ++++++++++++++++++++++------
 .ci/install-vault.sh | 30 ++++++++++++++++++++++++++++++
 .dockerignore | 2 ++
 .gitignore | 2 ++
 .travis.yml | 21 +++++++++++++++++++++
 Makefile | 25 ++++++++++++++++++-------
 README.md | 11 +++++++++++
 7 files changed, 106 insertions(+), 13 deletions(-)
 create mode 100755 .ci/install-vault.sh
 create mode 100644 .travis.yml

diff --git a/.ci/bootstrap-vault.sh b/.ci/bootstrap-vault.sh
index 3946d1e..74b5700 100755
--- a/.ci/bootstrap-vault.sh
+++ b/.ci/bootstrap-vault.sh
@@ -8,12 +8,27 @@ function die () {
 exit 1
 }
-function enable_secrets_kv() {
+function wait_for_vault () {
+ max_attemtps=10
+ attempts=0
+
+ echo "Waiting for Vault at '${VAULT_ADDR}'..."
+ until curl --fail ${VAULT_ADDR} > /dev/null 2>&1 || [ $attempts -eq $max_attemtps ] ; do
+ echo "# Failed to reach Vault at '${VAULT_ADDR}' (${attempts}/${max_attemtps})"
+ sleep $(( attempts++ ))
+ done
+
+ if [ $attempts -eq $max_attemtps ]; then
+ die "Can't reach Vault at '${VAULT_ADDR}', timeout!"
+ fi
+}
+
+function enable_secrets_kv () {
 vault secrets enable -version=2 kv || \
 die "Can't enable secrets kv!"
 }
-function enable_approle() {
+function enable_approle () {
 if ! vault auth list |grep -q approle ; then
 vault auth enable approle || \
 die "Can't enable approle!"
@@ -25,7 +40,7 @@ function write_policy() {
 die "Can't apply test policy!"
 }
-function create_approle_app() {
+function create_approle_app () {
 vault write auth/approle/role/test-app \
 policies=test-app \
 secret_id_num_uses=0 \
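Review bot: The readiness probe in `wait_for_vault` requests the bare `${VAULT_ADDR}` root URL with `curl --fail`, so whether the loop exits depends on what Vault happens to serve at `/` rather than on the API being ready for the `vault` commands that follow; probing the health endpoint, `until curl --fail "${VAULT_ADDR}/v1/sys/health" > /dev/null 2>&1 || [ $attempts -eq $max_attemtps ] ; do`, waits for an unsealed, active server and fails while it is still sealed. The counter is spelt `max_attemtps` in all four places, so it works but will trip the next reader, and `sleep $(( attempts++ ))` sleeps zero seconds on the first retry because the post-increment yields the old value. Quoting `"${VAULT_ADDR}"` in the `curl` call also avoids a silent no-URL invocation if the variable is unset; where it is set is not visible in this hunk.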
@@ -36,20 +51,20 @@ function create_approle_app() {
 die "Can't create test-app approle!"
 }
-function get_role_id() {
+function get_role_id () {
 vault read auth/approle/role/test-app/role-id \
 |grep role_id \
 |awk '{print $2}'
 }
-function get_secret_id() {
+function get_secret_id () {
 vault write -f auth/approle/role/test-app/secret-id \
 |grep secret_id \
 |grep -v accessor \
 |awk '{print $2}'
 }
-function register_app() {
+function register_app () {
 local role_id=$1
 local secret_id=$2
@@ -63,6 +78,7 @@ function register_app() {
 # Main
 #
+wait_for_vault
 enable_secrets_kv
 enable_approle
 write_policy
diff --git a/.ci/install-vault.sh b/.ci/install-vault.sh
new file mode 100755
index 0000000..454770b
--- /dev/null
+++ b/.ci/install-vault.sh
@@ -0,0 +1,30 @@
+#!/bin/bash
+
+VAULT_VERSION="${VAULT_VERSOIN:-1.1.0}"
+VAULT_TARGET_DIR="${VAULT_TARGET_DIR:-/home/travis/bin}"
+
+VAULT_ZIP_FILE="vault_${VAULT_VERSION}_linux_amd64.zip"
+VAULT_BIN="vault"
+
+function die () {
+ echo "[ERROR] ${*}" 1>&2
+ exit 1
+}
+
+[ ! -d ${VAULT_TARGET_DIR} ] && die "Can't find target directory at '${VAULT_TARGET_DIR}'!"
+
+if ! wget "https://releases.hashicorp.com/vault/${VAULT_VERSION}/${VAULT_ZIP_FILE}" ; then
+ die "Can't download Vault!"
+fi
+
+if ! unzip ${VAULT_ZIP_FILE} ; then
+ die "Can't unzip '${VAULT_ZIP_FILE}'"
+fi
+
+[ ! -f ${VAULT_BIN} ] && die "Can't find vault binary at './${VAULT_BIN}'"
+
+if ! mv -v "${VAULT_BIN}" "${VAULT_TARGET_DIR}" ; then
+ die "Can't move '${VAULT_BIN}' to '${VAULT_TARGET_DIR}'!"
+fi
+
+rm -vf "${VAULT_ZIP_FILE}" > /dev/null 2>&1
diff --git a/.dockerignore b/.dockerignore
index a9d4f29..2aba685 100644
--- a/.dockerignore
+++ b/.dockerignore
@@ -3,6 +3,8 @@
 .git*
 .goreleaser*
 .vscode
+.ci
+.cover*
 README.md
 build
 test
diff --git a/.gitignore b/.gitignore
index d3c9a5f..546315c 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,5 +1,7 @@
 build/
+coverage*
 vendor*
+.ci/codecov*
 .data
 .env
 .vscode
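Review bot: The version override on the third line of `.ci/install-vault.sh` reads `${VAULT_VERSOIN:-1.1.0}`, so exporting `VAULT_VERSION` never takes effect and the script always installs 1.1.0; it should be `VAULT_VERSION="${VAULT_VERSION:-1.1.0}"`. The downloaded zip is unpacked and its binary moved onto the CI `PATH` without any integrity check, so the tool every later step trusts is exactly whatever the download returned; HashiCorp publishes a `vault_<VERSION>_SHA256SUMS` file alongside each release zip, and verifying the archive against it with `sha256sum -c` before `unzip` makes the installed version a reviewed, pinned input. The `[ ... ]` tests and the `unzip` call leave `${VAULT_TARGET_DIR}`, `${VAULT_ZIP_FILE}` and `${VAULT_BIN}` unquoted while the `mv` line quotes them, and quoting them consistently avoids word-splitting surprises if a path ever contains spaces.
```shell
if ! wget "https://releases.hashicorp.com/vault/${VAULT_VERSION}/${VAULT_ZIP_FILE}" ; then
    die "Can't download Vault!"
fi

# verify the archive against the published checksum list before unpacking it
VAULT_SUMS_FILE="vault_${VAULT_VERSION}_SHA256SUMS"
if ! wget "https://releases.hashicorp.com/vault/${VAULT_VERSION}/${VAULT_SUMS_FILE}" ; then
    die "Can't download '${VAULT_SUMS_FILE}'!"
fi
if ! grep "${VAULT_ZIP_FILE}" "${VAULT_SUMS_FILE}" | sha256sum -c - ; then
    die "Checksum mismatch for '${VAULT_ZIP_FILE}'!"
fi

# … unchanged: unzip, binary check, mv into VAULT_TARGET_DIR, cleanup …
```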
diff --git a/.travis.yml b/.travis.yml
new file mode 100644
index 0000000..98ca128
--- /dev/null
+++ b/.travis.yml
@@ -0,0 +1,21 @@
+---
+language: go
+go:
+ - 1.11.x
+install: true
+services:
+ - docker
+before_script:
+ - docker-compose up -d
+ - .ci/install-vault.sh
+ - .ci/bootstrap-vault.sh
+ - make dep
+script:
+ - export VAULT_HANDLER_VAULT_ROLE_ID=$(grep ROLE_ID .env |awk -F '"' '{print $2}')
+ - export VAULT_HANDLER_VAULT_SECRET_ID=$(grep SECRET_ID .env |awk -F '"' '{print $2}')
+ - make bootstrap
+ - make
+ - make test
+ # - make integration
+after_success:
+ - make codecov
diff --git a/Makefile b/Makefile
index c2e78f4..2beab5f 100644
--- a/Makefile
+++ b/Makefile
@@ -1,12 +1,21 @@
+# application name
 APP = vault-handler
+# build directory
 BUILD_DIR ?= build
+# docker image tag
 DOCKER_IMAGE ?= "otaviof/$(APP)"
+# directory containing end-to-end tests
+E2E_TEST_DIR ?= test/e2e
+# project version, used as docker tag
 VERSION ?= $(shell cat ./version)
 .PHONY: default bootstrap build clean test
 default: build
+dep:
+ go get -u github.com/golang/dep/cmd/dep
+
 bootstrap:
 dep ensure -v -vendor-only
@@ -23,18 +32,20 @@ clean-vendor:
 rm -rf ./vendor > /dev/null
 test:
- go test -cover -v pkg/$(APP)/*
+ go test -race -coverprofile=coverage.txt -covermode=atomic -cover -v pkg/$(APP)/*
 snapshot:
 goreleaser --rm-dist --snapshot
-release: release-go release-docker
- @echo "# Uploaded vault-handler v'$(VERSION)'!"
-
-release-go:
+release:
 git tag $(VERSION)
 git push origin $(VERSION)
 goreleaser --rm-dist
-release-docker: build-docker
- docker push $(DOCKER_IMAGE):$(VERSION)
+integration:
+ go test -v $(E2E_TEST_DIR)/*
+
+codecov:
+ mkdir .ci || true
+ curl -s -o .ci/codecov.sh https://codecov.io/bash
+ bash .ci/codecov.sh -t $(CODECOV_TOKEN)
diff --git a/README.md b/README.md
index 7a5828c..991f4c2 100644
--- a/README.md
+++ b/README.md
@@ -1,6 +1,17 @@
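Review bot: The two `export` lines under `script` in `.travis.yml` pull the AppRole credentials out of `.env` with unanchored patterns (`grep ROLE_ID .env`, `grep SECRET_ID .env`) and take the second double-quoted field, so they silently depend on the exact line format that `.ci/bootstrap-vault.sh` writes, which this patch does not show; anchoring each pattern to the start of the key as the bootstrap script writes it would at least fail visibly if another line containing the same substring is ever added. Nothing here fails the job when either substitution comes back empty, so a guard such as `- test -n "$VAULT_HANDLER_VAULT_SECRET_ID" || exit 1` before `make bootstrap` would turn a missing credential into a clear error instead of a confusing test failure further down. The commented `# - make integration` entry is dead configuration; a short comment saying why it is disabled, or tracking it elsewhere, would stop it from lingering.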
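Review bot: The new `dep` target in the first Makefile hunk (and `integration` and `codecov` in the second) is not added to the `.PHONY: default bootstrap build clean test` line kept as context, so a file or directory named `dep` in the checkout would make `make dep` report it up to date and skip the install; extend the line to `.PHONY: default bootstrap build clean test dep integration codecov`. `go get -u github.com/golang/dep/cmd/dep` installs whatever the tool's tip is on the day the job runs, so the build is not reproducible and a CI-only tool arrives unpinned; fetching a specific released binary, the way `.ci/install-vault.sh` pins the Vault version, keeps it a reviewed input. The comment `# project version, used as docker tag` is added above `VERSION` while the second hunk removes the `release-docker` target that pushed that tag, so the comment may already be stale unless `build-docker`, which is outside this patch, still uses it.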
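Review bot: The `codecov` target in the second Makefile hunk downloads `https://codecov.io/bash` with `curl` and immediately runs it with `bash`, so every CI run executes whatever the remote host serves at that moment, with nothing checking what was fetched; storing a reviewed copy of the uploader in the repository, or comparing the download against an expected SHA-256 with `sha256sum -c` before the `bash` line, makes it a pinned dependency instead. The recipe line is not `@`-prefixed, so `make` echoes it with `$(CODECOV_TOKEN)` expanded into the CI log, and the token is also visible to anything reading process arguments; prefix the line with `@` and, if the uploader honours `CODECOV_TOKEN` from the environment as its documentation describes, drop the `-t` argument and export the variable instead. `mkdir .ci || true` masks every `mkdir` failure rather than only "already exists"; `mkdir -p .ci` is the intended form, and since `.ci/` already holds the two scripts in this patch the directory exists anyway.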

+

+ + + + + + + + + +

# `vault-handler` (WIP)