Issue 9: address failing tests in CI by fixing more references of vault to be openbao #11
…er use the vault command Signed-off-by: jessebot <[email protected]>
Signed-off-by: jessebot <[email protected]>
ref: https://github.com/openbao/openbao/blob/8283776683fe3d1e956d4ad968b790db833229bc/Dockerfile#L45 also change types from null to [] to be more explicit and regenerate docs Signed-off-by: jessebot <[email protected]>
Signed-off-by: JesseBot <[email protected]>
The current error we're getting in ci for this PR (this is after correcting
==> Logs of container openbao-zagktn68r5-server-test
------------------------------------------------------------------------------------------------------------------------
Checking for sealed info in 'bao status' output
Attempt 0...
Error checking seal status: Get "http://openbao-zagktn68r5.openbao-zagktn68r5.svc:8200/v1/sys/seal-status": dial tcp 10.96.239.182:8200: connect: connection refused
...<truncated for brevity>...
Attempt 9...
Error checking seal status: Get "http://openbao-zagktn68r5.openbao-zagktn68r5.svc:8200/v1/sys/seal-status": dial tcp 10.96.239.182:8200: connect: connection refused
timed out looking for sealed info in 'bao status' output
Also wanted to note that this job says it's still running, but it actually finished after about 5 minutes, because that's when the test times out: https://github.com/openbao/openbao-helm/actions/runs/9177571090/job/25235481635
update 1
a maintainer canceled the job :)
Update 2
this job will still complain until the
Update 3
I need to do some more local testing on this, as now I'm not sure if it's failing because of openbao-k8s/openbao-csi-provider not being available as docker images or if it's failing because of the service name not being available? Sleuthing... and looking at this failed job run:
==> Logs of container openbao-cvjh9yybky-0
------------------------------------------------------------------------------------------------------------------------
cp: cannot stat '/openbao/config/extraconfig-from-values.hcl': No such file or directory
Perhaps it's failing because it wanted to copy that file here:
Containers:
vault:
Container ID: containerd://9872ca8838fb8970726286c64f431be7e2c6c1bd04788d62f3e02d052e82e961
Image: quay.io/openbao/openbao:2.0.0-alpha20240329
Image ID: quay.io/openbao/openbao@sha256:a015ae0adb1af5b45b33632e29879ff87063d0878e9359584a50b2706e500e9a
Ports: 8200/TCP, 8201/TCP, 8202/TCP
Host Ports: 0/TCP, 0/TCP, 0/TCP
Command:
/bin/sh
-ec
Args:
cp /openbao/config/extraconfig-from-values.hcl /tmp/storageconfig.hcl;
[ -n "${HOST_IP}" ] && sed -Ei "s|HOST_IP|${HOST_IP?}|g" /tmp/storageconfig.hcl;
[ -n "${POD_IP}" ] && sed -Ei "s|POD_IP|${POD_IP?}|g" /tmp/storageconfig.hcl;
[ -n "${HOSTNAME}" ] && sed -Ei "s|HOSTNAME|${HOSTNAME?}|g" /tmp/storageconfig.hcl;
[ -n "${API_ADDR}" ] && sed -Ei "s|API_ADDR|${API_ADDR?}|g" /tmp/storageconfig.hcl;
[ -n "${TRANSIT_ADDR}" ] && sed -Ei "s|TRANSIT_ADDR|${TRANSIT_ADDR?}|g" /tmp/storageconfig.hcl;
[ -n "${RAFT_ADDR}" ] && sed -Ei "s|RAFT_ADDR|${RAFT_ADDR?}|g" /tmp/storageconfig.hcl;
/usr/local/bin/docker-entrypoint.sh bao server -config=/tmp/storageconfig.hcl
which I think is declared here in the openbao-helm/charts/openbao/templates/server-config-configmap.yaml Lines 26 to 27 in b59b6e5
why it's not available? I'm not sure. Need to sleuth further. I was able to locally do
openbao-6g0tg6wa8l-config ConfigMap
apiVersion: v1
data:
extraconfig-from-values.hcl: |2-
disable_mlock = true
ui = true
listener "tcp" {
tls_disable = 1
address = "[::]:8200
cluster_address = "[::]:8201
# Enable unauthenticated metrics access (necessary for Prometheus Operator)
#telemetry {
# unauthenticated_metrics_access = "true
#}
}
storage "file" {
path = "/vault/data
}
# Example configuration for using auto-unseal, using Google Cloud KMS. The
# GKMS keys must already exist, and the cluster must have a service account
# that is authorized to access GCP KMS.
#seal "gcpckms" {
# project = "vault-helm-dev
# region = "global
# key_ring = "vault-helm-unseal-kr
# crypto_key = "vault-helm-unseal-key
#}
# Example configuration for enabling Prometheus metrics in your config.
#telemetry {
# prometheus_retention_time = "30s
# disable_hostname = true
#}
That |
Signed-off-by: jessebot <[email protected]>
…nbao - part 1 Signed-off-by: jessebot <[email protected]>
Signed-off-by: jessebot <[email protected]>
…we're supporting supported versions of kubernetes Signed-off-by: jessebot <[email protected]>
Signed-off-by: jessebot <[email protected]>
This should be good to go now, but as I said previously, we still need to move forward the other docker images before we can finish testing all angles of this helm chart for default functionality.
changes
vault command to be bao, which certainly makes it fail a little better :)
/vault/config dir to /openbao/config to match our current docker image
Caveats
These acceptance tests can't be fully operational yet though, as we still need to have working openbao-k8s and openbao-csi-provider docker images.