Try running complement on special CI host
This commit is contained in:
parent
b455e407f7
commit
0552a56fc7
5 changed files with 99 additions and 33 deletions
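--- a/PATH_NOT_SHOWN_ON_PAGE_gitlab_ci_config
+++ b/PATH_NOT_SHOWN_ON_PAGE_gitlab_ci_config
@@ -302,7 +302,6 @@ test:sytest:
 tags: ["docker"]
 variables:
 PLUGINS: "https://github.com/valkum/sytest_conduit/archive/master.tar.gz"
-interruptible: true
 before_script:
 - "mkdir -p /app"
 - "cp ./conduit-debug-x86_64-unknown-linux-musl /app/conduit"
@@ -360,19 +359,10 @@ test:dockerlint:
 test:complement:
 stage: "test"
 allow_failure: true
-interruptible: true
+tags: ["docker"]
 needs:
 - "docker:debug:gitlab"
-tags: ["docker"]
-image: "docker:latest"
-services:
-- "docker:dind"
 variables:
-# Tell docker to use the docker service:
-DOCKER_HOST: "tcp://docker:2375/"
-DOCKER_TLS_CERTDIR: ""
-DOCKER_DRIVER: "overlay2"
-CI: "true"
 COMPLEMENT_DEBUG: "1"
 COMPLEMENT_ALWAYS_PRINT_SERVER_LOGS: "1"
 COMPLEMENT_CA: "true"
@@ -382,12 +372,12 @@ test:complement:
 - 'sed -i "s#matrixconduit/matrix-conduit:next-alpine#$CONDUIT_DEBUG_IMAGE#g" tests/Complement.Dockerfile'
 - 'echo "$CI_REGISTRY_PASSWORD" | docker login -u "$CI_REGISTRY_USER" "$CI_REGISTRY" --password-stdin'
 - "docker build -f tests/Complement.Dockerfile -t $COMPLEMENT_BASE_IMAGE ."
-- "wget https://faulty-storage.de/gotestsum -O /gotestsum && chmod +x /gotestsum"
-- "apk add go git olm olm-dev musl-dev gcc build-base"
+- "wget https://faulty-storage.de/gotestsum -O $CI_PROJECT_DIR/gotestsum && chmod +x $CI_PROJECT_DIR/gotestsum"
 - "git clone https://github.com/matrix-org/complement.git"
 script:
 - "cd ./complement/"
-- "/gotestsum --junitfile $CI_PROJECT_DIR/complement-report.xml --format testname --rerun-fails --rerun-fails-max-failures=200"
+# CI=false -> "true" makes complement assume itself is running IN a docker container, which it is not in this case.
+- "CI=false $CI_PROJECT_DIR/gotestsum --junitfile $CI_PROJECT_DIR/complement-report.xml --format testname --rerun-fails --rerun-fails-max-failures=200"
 artifacts:
 when: "always"
 reports: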
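Review bot: The gotestsum binary is still fetched by `wget https://faulty-storage.de/gotestsum` in the before_script of hunk 3 and executed without any integrity check; only its destination path changed in this commit. Because the job holds registry credentials in its environment (the `docker login` line two lines above), pinning the download limits what a swapped binary could do, e.g. `- "wget https://faulty-storage.de/gotestsum -O $CI_PROJECT_DIR/gotestsum && echo '<EXPECTED_SHA256>  $CI_PROJECT_DIR/gotestsum' | sha256sum -c && chmod +x $CI_PROJECT_DIR/gotestsum"`, and the unpinned `git clone` of complement on the next line could likewise check out a tag. Hunk 2 removes `image:`, `services:` and hunk 3 removes the `apk add go git olm ...` line, so the job now presumably relies on the docker-tagged runner host already providing go, git and olm; a comment on the job such as `# Runs on the dedicated complement host: go, git, olm and docker are preinstalled there` would record that assumption for the next person who sees the job fail on a generic runner.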
@ -1,14 +1,26 @@
|
FROM matrixconduit/matrix-conduit:next-alpine AS conduit-complement
FROM matrixconduit/matrix-conduit:next-alpine AS conduit-complement
WORKDIR /workdir
USER root
USER root
|
RUN apk add --no-cache caddy
# TODO: REMOVE
# TODO: REMOVE
# TODO: REMOVE
# TODO: REMOVE
COPY --chown=1000:1000 ./conduit-debug-x86_64-unknown-linux-musl /srv/conduit/conduit
RUN chmod +x /srv/conduit/conduit
# TODO: REMOVE
# TODO: REMOVE
# TODO: REMOVE
# TODO: REMOVE
|
RUN apk add --no-cache caddy openssl && \
openssl genrsa -out "/conduit-https.key" 2048
|
ENV ROCKET_LOG=normal \
ENV ROCKET_LOG=normal \
CONDUIT_LOG="info,rocket=info,_=off,sled=off" \
CONDUIT_LOG="info,rocket=info,_=off,sled=off" \
CONDUIT_CONFIG="" \
CONDUIT_CONFIG="" \
CONDUIT_DATABASE_PATH="/tmp/" \
CONDUIT_DATABASE_PATH="/tmp/" \
CONDUIT_DATABASE_BACKEND="rocksdb" \
CONDUIT_SERVER_NAME=localhost \
CONDUIT_SERVER_NAME=localhost \
CONDUIT_ADDRESS="0.0.0.0" \
CONDUIT_ADDRESS="0.0.0.0" \
CONDUIT_PORT="6167" \
CONDUIT_PORT="6167" \
@ -17,17 +29,10 @@ ENV ROCKET_LOG=normal \
CONDUIT_ALLOW_REGISTRATION="true"
CONDUIT_ALLOW_REGISTRATION="true"
|
|
# Enabled Caddy auto cert generation for complement provided CA.
COPY ./tests/complement-start.sh ./tests/complement-caddy.json /
COPY ./tests/complement-caddy.json ./caddy.json
RUN chmod +x /complement-start.sh
|
ENTRYPOINT ["/complement-start.sh"]
|
EXPOSE 8008 8448
EXPOSE 8008 8448
|
HEALTHCHECK --start-period=2s --interval=2s CMD true
ENTRYPOINT [""]
CMD ([ -z "${COMPLEMENT_CA}" ] && echo "Error: Need Complement PKI support" && true) || \
cp /ca/ca.crt /usr/local/share/ca-certificates/complement.crt && update-ca-certificates && \
export CONDUIT_SERVER_NAME="${SERVER_NAME}" && \
sed -i "s/your.server.name/${SERVER_NAME}/g" caddy.json && \
(caddy start --config caddy.json) >> /tmp/caddy.log 2>> /tmp/caddy.err.log && \
echo "Starting Conduit with address '${SERVER_NAME}'" && \
/srv/conduit/conduit
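Review bot: The rewritten tail of hunk 2 drops `HEALTHCHECK --start-period=2s --interval=2s CMD true` together with the old CMD, and nothing on the new `ENTRYPOINT ["/complement-start.sh"]` path replaces it; if Complement gates test start on container health (presumably why the instruction was there), the homeserver container may now never be reported ready, so this is worth confirming against Complement's image requirements before depending on the new host. In hunk 1, `openssl genrsa -out "/conduit-https.key" 2048` runs at image build time, so a single private key is baked into an image layer and shared by every container started from it; generating it in complement-start.sh, which already builds the CSR at container start, keeps it per-container and out of the image. The eight `# TODO: REMOVE` markers around the debug-binary `COPY` say neither what is temporary nor when it goes; one comment such as `# Debug build copied in for CI; drop once the published image is used again` would carry that meaning.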
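--- a/tests/complement-caddy.json
+++ b/tests/complement-caddy.json
@@ -45,6 +45,16 @@
 ],
 "terminal": true
 }
+],
+"tls_connection_policies": [
+{
+"match": {
+"sni": ["*"]
+},
+"certificate_selection": {
+"any_tag": ["complement-signed-cert"]
+}
+}
 ]
 },
 "srv1": {
@@ -86,13 +96,24 @@
 }
 },
 "tls": {
+"certificates": {
+"load_files": [
+{
+"certificate": "/conduit.complement.crt.pem",
+"key": "/conduit.complement.key.pem",
+"format": "pem",
+"tags": ["complement-signed-cert"]
+}
+]
+},
 "automation": {
 "policies": [
 {
 "subjects": ["your.server.name"],
 "issuers": [
 {
-"module": "internal"
+"module": "internal",
+"lifetime": "2d"
 }
 ],
 "on_demand": true
@@ -105,12 +126,12 @@
 "local": {
 "name": "Complement CA",
 "root": {
-"certificate": "/ca/ca.crt",
-"private_key": "/ca/ca.key"
+"certificate": "/complement/ca/ca.crt",
+"private_key": "/complement/ca/ca.key"
 },
 "intermediate": {
-"certificate": "/ca/ca.crt",
-"private_key": "/ca/ca.key"
+"certificate": "/complement/ca/ca.crt",
+"private_key": "/complement/ca/ca.key"
 }
 }
 }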
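Review bot: The `tls_connection_policies` entry added in hunk 1 selects only certificates tagged `complement-signed-cert`, i.e. the pair loaded from `/conduit.complement.crt.pem` and `/conduit.complement.key.pem` in hunk 2, so the internal-issuer automation policy for `your.server.name` that hunk 2 keeps (now with `"lifetime": "2d"`) looks like it can no longer yield a certificate that is ever served; unless Caddy also tags managed certificates, one of the two issuance paths is dead configuration and should be removed rather than maintained in parallel. The file now also hard-codes the PEM paths that tests/complement-start.sh assembles at container start, and JSON offers no place to say so; a line in the script such as `# Paths below must match tls.certificates.load_files in complement-caddy.json` would keep the two from drifting apart.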
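--- /dev/null
+++ b/tests/complement-start.sh
@@ -0,0 +1,49 @@
+#!/bin/sh
+
+set -e
+
+echo "👷 Setting up Conduit instance '${SERVER_NAME}' to be tested with Complement..."
+
+# We ecpect the following files to be mounted into the container:
+# /complement/ca/ca.crt
+# /complement/ca/ca.key
+
+
+printf "\n👷 Generating certificate signing request (csr) for the complement dummy CA"
+openssl req -new -sha256 \
+-key "/conduit-https.key" \
+-subj "/C=US/ST=CA/O=ComplementOrg, Inc./CN=${SERVER_NAME}" \
+-out "${SERVER_NAME}.csr"
+
+printf "\n👷 Signing the homeserver's cert with the complement dummy CA"
+openssl x509 -req -sha256 -days 2 \
+-in "${SERVER_NAME}.csr" \
+-CA /complement/ca/ca.crt \
+-CAkey /complement/ca/ca.key \
+-CAcreateserial \
+-out "${SERVER_NAME}.crt" \
+
+printf "\n👷 Packing https cert+key and CA cert into a PEM file for Caddy (http reverse proxy) to read"
+cat "/conduit-https.key" >> /conduit.complement.key.pem
+cat "${SERVER_NAME}.crt" >> /conduit.complement.crt.pem
+#cat /complement/ca/ca.key >> /conduit.complement.key.pem
+cat /complement/ca/ca.crt >> /conduit.complement.crt.pem
+
+printf "\n👷 Updating the OS CA trust store"
+cp /complement/ca/ca.crt /usr/local/share/ca-certificates/
+update-ca-certificates || true
+
+export CONDUIT_SERVER_NAME="${SERVER_NAME}"
+
+printf "\n👷 Configuring Caddy to listen on 'http(s)://%s'" "${SERVER_NAME}"
+sed -i "s/your.server.name/${SERVER_NAME}/g" /complement-caddy.json
+(caddy start --config /complement-caddy.json) >> /tmp/caddy.log 2>> /tmp/caddy.err.log
+
+TMP_DB_DIR="$(mktemp -d -p '/tmp' 'conduit_db_dir_XXXXXXXXXX')"
+printf "\n👷 Preparing '%s' as Conduit's database directory" "${TMP_DB_DIR}"
+rm -rf "$TMP_DB_DIR" || true
+mkdir -p "$TMP_DB_DIR"
+export CONDUIT_CONDUIT_DATABASE_PATH="${DB_DIR}"
+
+printf "\n👷 Starting Conduit with address '%s'\n\n" "${SERVER_NAME}"
+/srv/conduit/conduit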
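Review bot: `export CONDUIT_CONDUIT_DATABASE_PATH="${DB_DIR}"` near the end of the new file neither uses the directory just created nor sets the variable the image's ENV already uses: `DB_DIR` is never defined (mktemp's result is in `TMP_DB_DIR`, and an unset name expands to "" under `set -e`; only `set -u` would catch it) and the name carries a doubled `CONDUIT_` prefix, so Conduit keeps the `CONDUIT_DATABASE_PATH="/tmp/"` from the Dockerfile; it should read `export CONDUIT_DATABASE_PATH="${TMP_DB_DIR}"`. The three active `cat ... >>` lines append, so a restarted container grows both PEM files with repeated key and cert blocks that may confuse Caddy's loader; writing the first piece of each file with `>` avoids that. `-CAcreateserial` writes `ca.srl` next to `/complement/ca/ca.crt`, which the header comment says is a mounted directory, so the signing step aborts under a read-only mount; `-CAserial /tmp/ca.srl -CAcreateserial` keeps the write local. The trailing `\` on `-out "${SERVER_NAME}.crt" \` continues the command onto an empty line and only works by accident, and the header comment misspells `expect` as `ecpect`.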
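--- a/PATH_NOT_SHOWN_ON_PAGE_conduit_test_config_toml
+++ b/PATH_NOT_SHOWN_ON_PAGE_conduit_test_config_toml
@@ -5,6 +5,7 @@ server_name = "localhost"
 
 # With a bit of luck /tmp is a RAM disk, so that the file system does not become the bottleneck while testing
 database_path = "/tmp"
+database_backend = "rocksdb"
 
 # All the other settings are left at their defaults:
 port = 6167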