Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

AUT-105: Add GitHub Workflows for building, integration and unit testing. #916

Merged
merged 10 commits into from
Jul 10, 2024

Conversation

oskirby
Copy link
Contributor

@oskirby oskirby commented Jun 21, 2024

This attempts to add a Github workflow to build the docker images then run the unit and integration tests. While github seems to build slower than CircleCI, we make up for it by running the integration tests in parallel with a matrix job.

In order to get the monitor tests working, we had to cherry-pick PR #908 onto this branch to clean up the handoff of the root hash between autograph and the lambda emulator.

This makes no attempt to deploy the image as we will need Dockerhub credentials to do that, and it would be better suited for a followup PR.

For a quick high-level tour of how this works:

  • We create a new docker compose file tools/autograph-client/integration-tests.yml which extends the top level compose file, and adds a service for each integration test. This allows each test to define which container it runs on, the dependencies and how to run the test.
  • Use Docker entrypoints for the tests to resolve startup timing between containers (IMO, this is a bug in Docker compose, but it's above my paygrade to fix that).
  • Write a github action to build the docker containers and upload it as an artifact.
  • Parse the integration test YAML to enumerate the test jobs.
  • Use a matrix job to download the container and run the tests in parallel.

@oskirby oskirby marked this pull request as ready for review June 21, 2024 15:47
@oskirby oskirby force-pushed the aut-105-github-workflows branch 3 times, most recently from dfb3f66 to e4602ab Compare June 22, 2024 01:18
fi

# Fetch the normandy root hash
export AUTOGRAPH_ROOT_HASH=$(autograph-client -t "$AUTOGRAPH_URL" -listconfig normandy | \
Copy link
Contributor

@jmhodges jmhodges Jun 24, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So, I've been thinking about this over the weekend. You've put a lot of work into this and it's good, but I'm kind of not sure about the goal here. My understanding of this AUTOGRAPH_ROOT_HASH variable was to prevent configurations from accidentally being changed when we didn't want them to be changed. This seems to make this check not actually a backstop check anymore. Are we sure we want to do this?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

(If we wanted to make sure we were future proofed for changes to existing signer configs' chains, I'd recommend adding key agility here, instead, and not doing this config lookup work.)

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's all a bit of a moot point as I am not sure if the monitor lambda was ever deployed anywhere, but this doesn't actually change anything in how the monitor lambda works, and the lambda-setup-entrypoint.sh script here is only being used in the test containers. In theory, if a lambda was deployed in production, it's value of AUTOGRAPH_ROOT_HASH would be hardcoded in the AWS environment and it would serve as the backstop check as intended.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That being said, I do admit that I very much over-engineered the solution :)

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The objective that I was working towards specifically in this train of work was to reproduce the monitor tests using a Github workflow despite making zero code changes to the autograph-monitor binary.

Copy link
Contributor

@jmhodges jmhodges Jul 3, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Okay, so, in the time since this and while you were out, Jon and I have figured out that the monitor lambda does actually run, and is actually erroring. Interestingly, those errors are different in stage and in prod. I'll show you tomorrow when we're going through AWS stuff.

I think we could drop back this change to the non-config stuff, update the normandy root key value in autograph.softhsm.yaml and weave it through the other bits, and still get some success. Do you think so?

Maybe I'm missing a piece, though.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Okay - I have rebased this work to abandon the config API, and implemented the monitor test for the non-HSM version only. I don't know if the monitor-hsm test really adds any value right now anyways.

@oskirby oskirby merged commit 554baca into main Jul 10, 2024
15 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants