actions/vault-action
12
0
Fork 0
mirror of https://github.com/hashicorp/vault-action.git synced 2026-05-14 04:20:33 +00:00
Code Activity Actions

Refine e2e-enterprise pipeline and scripts

Browse source
This commit is contained in:
Srikrishna Iyer 2026-05-11 17:03:26 +05:30
parent 5305662f7f
commit 136b822494
No known key found for this signature in database
GPG key ID: 212F890C328D4059
3 changed files with 56 additions and 10 deletions
Download patch file Download diff file Expand all files Collapse all files

9
.github/workflows/build.yml vendored
View file

@ -205,9 +205,14 @@ jobs:
- name: Generate TLS Certificates
if: ${{ !env.ACT }}
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GH_GET_RETRIES: 3
run: |
curl -sSfL https://github.com/cloudflare/cfssl/releases/download/v1.6.5/cfssl_1.6.5_linux_amd64 -o /usr/local/bin/cfssl
curl -sSfL https://github.com/cloudflare/cfssl/releases/download/v1.6.5/cfssljson_1.6.5_linux_amd64 -o /usr/local/bin/cfssljson
# Source the getGH function for authenticated GitHub downloads with retries
source ./scripts/.functions
getGH https://github.com/cloudflare/cfssl/releases/download/v1.6.5/cfssl_1.6.5_linux_amd64 /usr/local/bin/cfssl
getGH https://github.com/cloudflare/cfssl/releases/download/v1.6.5/cfssljson_1.6.5_linux_amd64 /usr/local/bin/cfssljson
chmod +x /usr/local/bin/cfssl /usr/local/bin/cfssljson
./scripts/gen-tls-certs.sh
cat .build/e2e-tls.env >> "$GITHUB_ENV"

35
scripts/.functions Normal file
View file

@ -0,0 +1,35 @@
#!/usr/bin/env bash
# Copyright IBM Corp. 2019, 2025
# SPDX-License-Identifier: MIT
# Adapted from: https://github.com/hashicorp/vault-secrets-operator/blob/main/hack/.functions
# getGH downloads files from GitHub with optional authentication
# Usage: getGH <url> [dest_file] [num_retries]
function getGH() {
local url="$1"
local dest="$2"
local num_retries="${3:-${GH_GET_RETRIES}}"
headers=(
'--header' "Accept: application/vnd.github+json"
'--header' "X-GitHub-Api-Version: 2022-11-28"
)
if [ -n "${GITHUB_TOKEN}" ]; then
headers+=(
'--header' "Authorization: Bearer ${GITHUB_TOKEN}"
)
fi
cmd=curl
opts=('-sfSL')
echo "Fetching ${url}"
if [ -z "${dest}" ]; then
opts+=('-O')
else
opts+=('-o' "${dest}")
fi
if [ -n "${num_retries}" ]; then
opts+=('--retry' "${num_retries}")
fi
${cmd} "${opts[@]}" "${headers[@]}" "${url}"
}

22
scripts/gen-tls-certs.sh
View file

@ -11,17 +11,19 @@
set -euo pipefail
REPO_ROOT="$(cd "$(dirname "$0")/.." && pwd)"
OUTDIR="$REPO_ROOT/.build/certs"
ENVFILE="$REPO_ROOT/.build/e2e-tls.env"
pushd "$(git rev-parse --show-toplevel || echo .)" > /dev/null
OUTDIR=".build/certs"
ENVFILE=".build/e2e-tls.env"
if ! command -v cfssl &>/dev/null || ! command -v cfssljson &>/dev/null; then
echo "error: cfssl and cfssljson are required." >&2
popd > /dev/null
exit 1
fi
mkdir -p "$OUTDIR"
cd "$OUTDIR"
pushd "$OUTDIR" > /dev/null
# ── cfssl signing config ──────────────────────────────────────────────────────
cat > cfssl-config.json <<'EOF'
@ -92,15 +94,19 @@ rm -f ca.csr server.csr client.csr ca-key.pem cfssl-config.json
# Ensure files are readable by the vault container user
chmod 644 ./*.crt ./*.key
popd > /dev/null
# ── Copy vault server config ──────────────────────────────────────────────────
cp "$REPO_ROOT/integrationTests/e2e-tls/configs/config.hcl" config.hcl
cp "integrationTests/e2e-tls/configs/config.hcl" "$OUTDIR/config.hcl"
# ── Write env file for local act usage ───────────────────────────────────────
{
printf 'VAULTCA=%s\n' "$(base64 < ca.crt | tr -d '\n')"
printf 'VAULT_CLIENT_CERT=%s\n' "$(base64 < client.crt | tr -d '\n')"
printf 'VAULT_CLIENT_KEY=%s\n' "$(base64 < client.key | tr -d '\n')"
printf 'VAULTCA=%s\n' "$(base64 < "$OUTDIR/ca.crt" | tr -d '\n')"
printf 'VAULT_CLIENT_CERT=%s\n' "$(base64 < "$OUTDIR/client.crt" | tr -d '\n')"
printf 'VAULT_CLIENT_KEY=%s\n' "$(base64 < "$OUTDIR/client.key" | tr -d '\n')"
} > "$ENVFILE"
echo "Certs generated in $OUTDIR"
echo "Env file written to $ENVFILE"
popd > /dev/null