Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Development flow enhancements #430

Merged
merged 3 commits into from
Feb 28, 2023
Merged

Development flow enhancements #430

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
2b790b4
+ added a contribution section to the readme
maxcoulombe Feb 27, 2023
de09201
* bumped action/checkout
maxcoulombe Feb 27, 2023
5e7d99a
+ using ref
maxcoulombe Feb 27, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
20 changes: 15 additions & 5 deletions .github/workflows/build.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -10,7 +10,9 @@ jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- uses: actions/checkout@v3
with:
ref: ${{ github.ref }}

- uses: actions/setup-node@v3
with:
Expand All @@ -37,7 +39,9 @@ jobs:
runs-on: ubuntu-latest

steps:
- uses: actions/checkout@v1
- uses: actions/checkout@v3
with:
ref: ${{ github.ref }}

- name: Run docker-compose
run: docker-compose up -d vault
Expand Down Expand Up @@ -71,7 +75,9 @@ jobs:
runs-on: ubuntu-latest

steps:
- uses: actions/checkout@v1
- uses: actions/checkout@v3
with:
ref: ${{ github.ref }}

- name: Run docker-compose
run: docker-compose up -d vault-enterprise
Expand Down Expand Up @@ -107,7 +113,9 @@ jobs:
runs-on: ubuntu-latest

steps:
- uses: actions/checkout@v1
- uses: actions/checkout@v3
with:
ref: ${{ github.ref }}

- name: Run docker-compose
run: docker-compose up -d vault
Expand Down Expand Up @@ -175,7 +183,9 @@ jobs:
runs-on: ubuntu-latest

steps:
- uses: actions/checkout@v1
- uses: actions/checkout@v3
with:
ref: ${{ github.ref }}

- name: Run docker-compose
run: docker-compose up -d vault-tls
Expand Down
24 changes: 24 additions & 0 deletions .github/workflows/local-test.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,24 @@
# This is a sample workflow to help test contributions
# Change the branch name, url and token to fit with your own environment

# Use 'on: push' instead of 'on: local-test' if you wish to run the test on github
# If running locally with act, run the workflow with 'act local-test'

# Don't forget to revert the file changes and invalidate any tokens that were committed before opening a pull-request
on: local-test

name: local-test

jobs:
build:
name: local-test
runs-on: ubuntu-latest
steps:
- name: Import Secrets
uses: hashicorp/vault-action@YOUR_BRANCH_NAME
with:
url: http://localhost:8200
method: token
token: testtoken
secrets: |
secret/data/test secret | SAMPLE_SECRET;
68 changes: 68 additions & 0 deletions README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -31,6 +31,7 @@ A helper action for easily pulling secrets from HashiCorp Vault™.
- [Reference](#reference)
- [Masking - Hiding Secrets from Logs](#masking---hiding-secrets-from-logs)
- [Normalization](#normalization)
- [Contributing](#contributing)

<!-- /TOC -->

Expand Down Expand Up @@ -419,3 +420,70 @@ This action uses GitHub Action's built-in masking, so all variables will automat
## Normalization

To make it simpler to consume certain secrets as env vars, if no Env/Output Var Name is specified `vault-action` will replace and `.` chars with `__`, remove any other non-letter or number characters. If you're concerned about the result, it's recommended to provide an explicit Output Var Key.

## Contributing

If you wish to contribute to this project, the following dependencies are recommended for local development:
- [npm](https://docs.npmjs.com/downloading-and-installing-node-js-and-npm) to install dependencies, build project and run tests
- [docker](https://docs.docker.com/get-docker/) to run the pre-configured vault containers for acceptance tests
- [docker-compose](https://docs.docker.com/compose/) to spin up the pre-configured vault containers for acceptance tests
- [act](https://github.com/nektos/act) to run the vault-action locally

### Build

Use npm to install dependencies and build the project:

```sh
$ npm install && npm run build
```

### Vault test instance

The Github Action needs access to a working Vault instance to function.
Multiple docker configurations are available via the docker-compose.yml file to run containers compatible with the various acceptance test suites.

```sh
$ docker-compose up -d vault # Choose one of: vault, vault-enterprise, vault-tls depending on which tests you would like to run
```

Instead of using one of the dockerized instance, you can also use your own local or remote Vault instance by exporting these environment variables:

```sh
$ export VAULT_HOST=<YOUR VAULT CLUSTER LOCATION> # localhost if undefined
$ export VAULT_PORT=<YOUR VAULT PORT> # 8200 if undefined
$ export VAULT_TOKEN=<YOUR VAULT TOKEN> # testtoken if undefined
```

### Running unit tests

Unit tests can be executed at any time with no dependencies or prior setup.

```sh
$ npm test
```

### Running acceptance tests

With a succesful build to take your local changes into account and a working Vault instance configured, you can now run acceptance tests to validate if any regressions were introduced.

```sh
$ npm run test:integration:basic # Choose one of: basic, enterprise, e2e, e2e-tls
```

### Running the action locally

You can use the [act](https://github.com/nektos/act) command to test your changes locally if desired. Unfortunately it is not currently possible to use uncommitted local changes for a shared workfow. You will still need to push
the changes you would like to validate beforehand. Even if a commit is necessary, this is still a more detailed and faster feedback loop than waiting for the action to be executed by Github in a different repository.

Push your changes into a feature branch.
```sh
$ git checkout -b my-feature-branch
$ git commit -m "testing new changes"
$ git push
```

Edit the ./.github/workflows/local-test.yaml file to use your new feature branch. You may have to additionally edit the vault url, token and secret path if you are not using one of the provided containerized instance.
Run your feature branch locally.
```sh
$ act local-test
```
21 changes: 11 additions & 10 deletions integrationTests/basic/integration.test.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,20 +8,21 @@ const { when } = require('jest-when');
const { exportSecrets } = require('../../src/action');

const vaultUrl = `http://${process.env.VAULT_HOST || 'localhost'}:${process.env.VAULT_PORT || '8200'}`;
const vaultToken = `${process.env.VAULT_TOKEN || 'testtoken'}`

describe('integration', () => {
beforeAll(async () => {
// Verify Connection
await got(`${vaultUrl}/v1/secret/config`, {
headers: {
'X-Vault-Token': 'testtoken',
'X-Vault-Token': vaultToken,
},
});

await got(`${vaultUrl}/v1/secret/data/test`, {
method: 'POST',
headers: {
'X-Vault-Token': 'testtoken',
'X-Vault-Token': vaultToken,
},
json: {
data: {
Expand All @@ -33,7 +34,7 @@ describe('integration', () => {
await got(`${vaultUrl}/v1/secret/data/nested/test`, {
method: 'POST',
headers: {
'X-Vault-Token': 'testtoken',
'X-Vault-Token': vaultToken,
},
json: {
data: {
Expand All @@ -45,7 +46,7 @@ describe('integration', () => {
await got(`${vaultUrl}/v1/secret/data/foobar`, {
method: 'POST',
headers: {
'X-Vault-Token': 'testtoken',
'X-Vault-Token': vaultToken,
},
json: {
data: {
Expand All @@ -59,7 +60,7 @@ describe('integration', () => {
await got(`${vaultUrl}/v1/sys/mounts/secret-kv1`, {
method: 'POST',
headers: {
'X-Vault-Token': 'testtoken',
'X-Vault-Token': vaultToken,
},
json: {
type: 'kv'
Expand All @@ -77,7 +78,7 @@ describe('integration', () => {
await got(`${vaultUrl}/v1/secret-kv1/test`, {
method: 'POST',
headers: {
'X-Vault-Token': 'testtoken',
'X-Vault-Token': vaultToken,
},
json: {
secret: 'CUSTOMSECRET',
Expand All @@ -87,7 +88,7 @@ describe('integration', () => {
await got(`${vaultUrl}/v1/secret-kv1/foobar`, {
method: 'POST',
headers: {
'X-Vault-Token': 'testtoken',
'X-Vault-Token': vaultToken,
},
json: {
fookv1: 'bar',
Expand All @@ -97,7 +98,7 @@ describe('integration', () => {
await got(`${vaultUrl}/v1/secret-kv1/nested/test`, {
method: 'POST',
headers: {
'X-Vault-Token': 'testtoken',
'X-Vault-Token': vaultToken,
},
json: {
"other-Secret-dash": 'OTHERCUSTOMSECRET',
Expand All @@ -114,7 +115,7 @@ describe('integration', () => {

when(core.getInput)
.calledWith('token', expect.anything())
.mockReturnValueOnce('testtoken');
.mockReturnValueOnce(vaultToken);
});

function mockInput(secrets) {
Expand Down Expand Up @@ -207,7 +208,7 @@ describe('integration', () => {
await got(`${vaultUrl}/v1/cubbyhole/test`, {
method: 'POST',
headers: {
'X-Vault-Token': 'testtoken',
'X-Vault-Token': vaultToken,
},
json: {
foo: "bar",
Expand Down
15 changes: 8 additions & 7 deletions integrationTests/basic/jwt_auth.test.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,7 @@ const { when } = require('jest-when');
const { exportSecrets } = require('../../src/action');

const vaultUrl = `http://${process.env.VAULT_HOST || 'localhost'}:${process.env.VAULT_PORT || '8200'}`;
const vaultToken = `${process.env.VAULT_TOKEN || 'testtoken'}`

/**
* Returns Github OIDC response mock
Expand Down Expand Up @@ -59,15 +60,15 @@ describe('jwt auth', () => {
// Verify Connection
await got(`${vaultUrl}/v1/secret/config`, {
headers: {
'X-Vault-Token': 'testtoken',
'X-Vault-Token': vaultToken,
},
});

try {
await got(`${vaultUrl}/v1/sys/auth/jwt`, {
method: 'POST',
headers: {
'X-Vault-Token': 'testtoken',
'X-Vault-Token': vaultToken,
},
json: {
type: 'jwt'
Expand All @@ -85,7 +86,7 @@ describe('jwt auth', () => {
await got(`${vaultUrl}/v1/sys/policy/reader`, {
method: 'PUT',
headers: {
'X-Vault-Token': 'testtoken',
'X-Vault-Token': vaultToken,
},
json: {
policy: `
Expand All @@ -99,7 +100,7 @@ describe('jwt auth', () => {
await got(`${vaultUrl}/v1/auth/jwt/config`, {
method: 'POST',
headers: {
'X-Vault-Token': 'testtoken',
'X-Vault-Token': vaultToken,
},
json: {
jwt_validation_pubkeys: publicRsaKey,
Expand All @@ -110,7 +111,7 @@ describe('jwt auth', () => {
await got(`${vaultUrl}/v1/auth/jwt/role/default`, {
method: 'POST',
headers: {
'X-Vault-Token': 'testtoken',
'X-Vault-Token': vaultToken,
},
json: {
role_type: 'jwt',
Expand All @@ -126,7 +127,7 @@ describe('jwt auth', () => {
await got(`${vaultUrl}/v1/secret/data/test`, {
method: 'POST',
headers: {
'X-Vault-Token': 'testtoken',
'X-Vault-Token': vaultToken,
},
json: {
data: {
Expand Down Expand Up @@ -172,7 +173,7 @@ describe('jwt auth', () => {
await got(`${vaultUrl}/v1/auth/jwt/role/default-sigstore`, {
method: 'POST',
headers: {
'X-Vault-Token': 'testtoken',
'X-Vault-Token': vaultToken,
},
json: {
role_type: 'jwt',
Expand Down
15 changes: 8 additions & 7 deletions integrationTests/e2e/setup.js
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,20 +1,21 @@
const got = require('got');

const vaultUrl = `${process.env.VAULT_HOST}:${process.env.VAULT_PORT}`;
const vaultToken = `${process.env.VAULT_TOKEN || 'testtoken'}`

(async () => {
try {
// Verify Connection
await got(`http://${vaultUrl}/v1/secret/config`, {
headers: {
'X-Vault-Token': 'testtoken',
'X-Vault-Token': vaultToken,
},
});

await got(`http://${vaultUrl}/v1/secret/data/test`, {
method: 'POST',
headers: {
'X-Vault-Token': 'testtoken',
'X-Vault-Token': vaultToken,
},
json: {
data: {
Expand All @@ -26,7 +27,7 @@ const vaultUrl = `${process.env.VAULT_HOST}:${process.env.VAULT_PORT}`;
await got(`http://${vaultUrl}/v1/secret/data/nested/test`, {
method: 'POST',
headers: {
'X-Vault-Token': 'testtoken',
'X-Vault-Token': vaultToken,
},
json: {
data: {
Expand All @@ -38,7 +39,7 @@ const vaultUrl = `${process.env.VAULT_HOST}:${process.env.VAULT_PORT}`;
await got(`http://${vaultUrl}/v1/sys/mounts/my-secret`, {
method: 'POST',
headers: {
'X-Vault-Token': 'testtoken',
'X-Vault-Token': vaultToken,
},
json: {
type: 'kv'
Expand All @@ -48,7 +49,7 @@ const vaultUrl = `${process.env.VAULT_HOST}:${process.env.VAULT_PORT}`;
await got(`http://${vaultUrl}/v1/my-secret/test`, {
method: 'POST',
headers: {
'X-Vault-Token': 'testtoken',
'X-Vault-Token': vaultToken,
},
json: {
altSecret: 'CUSTOMSECRET',
Expand All @@ -58,7 +59,7 @@ const vaultUrl = `${process.env.VAULT_HOST}:${process.env.VAULT_PORT}`;
await got(`http://${vaultUrl}/v1/my-secret/nested/test`, {
method: 'POST',
headers: {
'X-Vault-Token': 'testtoken',
'X-Vault-Token': vaultToken,
},
json: {
otherAltSecret: 'OTHERCUSTOMSECRET',
Expand All @@ -68,7 +69,7 @@ const vaultUrl = `${process.env.VAULT_HOST}:${process.env.VAULT_PORT}`;
await got(`http://${vaultUrl}/v1/cubbyhole/test`, {
method: 'POST',
headers: {
'X-Vault-Token': 'testtoken',
'X-Vault-Token': vaultToken,
},
json: {
foo: 'bar',
Expand Down
Loading