AUT-201 - make autograph monitor work in GCP (#1006)

* Adjusting docker compose to work with a non-lambda monitor * Adjusted integration tests to not require lambda emulator * Leaving old lambda code around until we are no longer running side-by-side
mozilla-services · Sep 26, 2024 · 30d626b · 30d626b
1 parent 55492ed
commit 30d626b
Show file tree

Hide file tree

Showing 8 changed files with 32 additions and 76 deletions.
diff --git a/Makefile b/Makefile
@@ -80,13 +80,13 @@ gpg-test-clean:
 # image build order:
 #
 # app -> {app-hsm,monitor}
-# monitor -> monitor-lambda-emulator,monitor-hsm-lambda-emulator
-# app-hsm -> monitor-hsm-lambda-emulator (app-hsm writes chains and updated config to shared /tmp volume)
+# monitor -> monitor,monitor-hsm
+# app-hsm -> monitor-hsm(app-hsm writes chains and updated config to shared /tmp volume)
 #
 build: generate
 	DOCKER_BUILDKIT=0 COMPOSE_DOCKER_CLI_BUILD=0 docker compose build --no-cache --parallel app db
 	DOCKER_BUILDKIT=0 COMPOSE_DOCKER_CLI_BUILD=0 docker compose build --no-cache --parallel app-hsm monitor
-	DOCKER_BUILDKIT=0 COMPOSE_DOCKER_CLI_BUILD=0 docker compose build --no-cache --parallel monitor-lambda-emulator monitor-hsm-lambda-emulator
+	DOCKER_BUILDKIT=0 COMPOSE_DOCKER_CLI_BUILD=0 docker compose build --no-cache --parallel monitor monitor-hsm
 
 integration-test:
 	./bin/run_integration_tests.sh

diff --git a/bin/run_integration_tests.sh b/bin/run_integration_tests.sh
@@ -28,20 +28,18 @@ done
 APP_HSM_NORMANDY_ROOT_HASH=$(docker compose exec app-hsm yq -r '.signers[] | select(.id == "normandy").cacert' /app/autograph.softhsm.yaml | \
                              openssl x509 -outform DER | sha256sum | awk '{print $1}')
 
-# start the monitor lambda emulators
+# start the monitor containers
 echo "checking autograph monitors"
 docker compose run \
 	       --rm \
 	       -e AUTOGRAPH_URL=http://app:8000/ \
-	       --entrypoint /usr/local/bin/lambda-selftest-entrypoint.sh \
-	       monitor-lambda-emulator /go/bin/autograph-monitor
+	       monitor /go/bin/autograph-monitor
 
 docker compose run \
 	       --rm \
 	       -e AUTOGRAPH_URL=http://autograph-app-hsm:8001/ \
 	       -e AUTOGRAPH_ROOT_HASH=$APP_HSM_NORMANDY_ROOT_HASH \
-	       --entrypoint /usr/local/bin/lambda-selftest-entrypoint.sh \
-	       monitor-hsm-lambda-emulator /go/bin/autograph-monitor
+	       monitor-hsm /go/bin/autograph-monitor
 
 echo "checking read-only API"
 # user bob doesn't exist in the softhsm config

diff --git a/docker-compose.yml b/docker-compose.yml
@@ -65,42 +65,27 @@ services:
 
   monitor:
     container_name: autograph-monitor
-    image: autograph-app
-    command: ["/go/bin/autograph-monitor"]
-
-  monitor-lambda-emulator:
-    container_name: autograph-monitor-lambda-emulator
-    image: autograph-monitor-lambda-emulator
+    image: autograph-monitor
     build:
       context: tools/autograph-monitor/
-      dockerfile: Dockerfile.lambda-emulator
+      dockerfile: Dockerfile.monitor-selftest
     environment:
       - AUTOGRAPH_URL=http://autograph-app:8000/
       - AUTOGRAPH_KEY=19zd4w3xirb5syjgdx8atq6g91m03bdsmzjifs2oddivswlu9qs
-      # set a non-empty value to use the lambda handler
-      - LAMBDA_TASK_ROOT=/usr/local/bin/
-      - AUTOGRAPH_ROOT_HASH
-    command: ["/go/bin/autograph-monitor"]
-    ports:
-      - "9000:8080"
     links:
       - app
     depends_on:
       - app
 
-  monitor-hsm-lambda-emulator:
-    container_name: autograph-monitor-hsm-lambda-emulator
-    image: autograph-monitor-lambda-emulator
+  monitor-hsm:
+    container_name: autograph-monitor-hsm
+    image: autograph-monitor
     build:
       context: tools/autograph-monitor/
-      dockerfile: Dockerfile.lambda-emulator
+      dockerfile: Dockerfile.monitor-selftest
     environment:
       - AUTOGRAPH_URL=http://autograph-app-hsm:8001/
       - AUTOGRAPH_KEY=19zd4w3xirb5syjgdx8atq6g91m03bdsmzjifs2oddivswlu9qs
-      # set a non-empty value to use the lambda handler
-      - LAMBDA_TASK_ROOT=/usr/local/bin/
-      - AUTOGRAPH_ROOT_HASH
-    command: ["/go/bin/autograph-monitor"]
     ports:
       - "9001:8080"
     links:

diff --git a/tools/autograph-client/integration-tests.yml b/tools/autograph-client/integration-tests.yml
@@ -63,8 +63,7 @@ services:
     container_name: test-monitor-app
     extends:
       file: ../../docker-compose.yml
-      service: monitor-lambda-emulator
-    entrypoint: [ "/usr/local/bin/lambda-selftest-entrypoint.sh" ]
+      service: monitor
 
-  # TODO: Add a monitor test for the HSM lambda - tricky because we need
+  # TODO: Add a monitor test for the HSM container - tricky because we need
   # a way to dynamically grab the root hash from the HSM.
diff --git a/tools/autograph-monitor/Dockerfile.lambda-emulator b/tools/autograph-monitor/Dockerfile.lambda-emulator
diff --git a/tools/autograph-monitor/Dockerfile.monitor-selftest b/tools/autograph-monitor/Dockerfile.monitor-selftest
@@ -0,0 +1,8 @@
+FROM autograph-app
+
+USER root
+
+COPY selftest-entrypoint.sh /usr/local/bin/selftest-entrypoint.sh
+
+USER app
+CMD ["/usr/local/bin/selftest-entrypoint.sh"]
diff --git a/tools/autograph-monitor/lambda-selftest-entrypoint.sh b/tools/autograph-monitor/lambda-selftest-entrypoint.sh
diff --git a/tools/autograph-monitor/selftest-entrypoint.sh b/tools/autograph-monitor/selftest-entrypoint.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+set -o pipefail
+
+/go/bin/autograph-monitor
+EXIT_CODE=$?
+if [ $EXIT_CODE -ne 0 ]; then
+  echo "Monitor test failure detected"
+  exit 1
+fi