Try running complement on special CI host

This commit is contained in:
Jonas Zohren 2022-01-08 19:51:26 +01:00
parent b455e407f7
commit 0552a56fc7
No known key found for this signature in database
GPG key ID: FE3ED5D90A175463
5 changed files with 99 additions and 33 deletions


@ -302,7 +302,6 @@ test:sytest:
tags: ["docker"] tags: ["docker"]
variables: variables:
PLUGINS: "https://github.com/valkum/sytest_conduit/archive/master.tar.gz" PLUGINS: "https://github.com/valkum/sytest_conduit/archive/master.tar.gz"
interruptible: true
before_script: before_script:
- "mkdir -p /app" - "mkdir -p /app"
- "cp ./conduit-debug-x86_64-unknown-linux-musl /app/conduit" - "cp ./conduit-debug-x86_64-unknown-linux-musl /app/conduit"
@ -360,19 +359,10 @@ test:dockerlint:
test:complement: test:complement:
stage: "test" stage: "test"
allow_failure: true allow_failure: true
interruptible: true tags: ["docker"]
needs: needs:
- "docker:debug:gitlab" - "docker:debug:gitlab"
tags: ["docker"]
image: "docker:latest"
services:
- "docker:dind"
variables: variables:
# Tell docker to use the docker service:
DOCKER_HOST: "tcp://docker:2375/"
DOCKER_TLS_CERTDIR: ""
DOCKER_DRIVER: "overlay2"
CI: "true"
COMPLEMENT_DEBUG: "1" COMPLEMENT_DEBUG: "1"
COMPLEMENT_ALWAYS_PRINT_SERVER_LOGS: "1" COMPLEMENT_ALWAYS_PRINT_SERVER_LOGS: "1"
COMPLEMENT_CA: "true" COMPLEMENT_CA: "true"
@ -382,12 +372,12 @@ test:complement:
- 'sed -i "s#matrixconduit/matrix-conduit:next-alpine#$CONDUIT_DEBUG_IMAGE#g" tests/Complement.Dockerfile' - 'sed -i "s#matrixconduit/matrix-conduit:next-alpine#$CONDUIT_DEBUG_IMAGE#g" tests/Complement.Dockerfile'
- 'echo "$CI_REGISTRY_PASSWORD" | docker login -u "$CI_REGISTRY_USER" "$CI_REGISTRY" --password-stdin' - 'echo "$CI_REGISTRY_PASSWORD" | docker login -u "$CI_REGISTRY_USER" "$CI_REGISTRY" --password-stdin'
- "docker build -f tests/Complement.Dockerfile -t $COMPLEMENT_BASE_IMAGE ." - "docker build -f tests/Complement.Dockerfile -t $COMPLEMENT_BASE_IMAGE ."
- "wget https://faulty-storage.de/gotestsum -O /gotestsum && chmod +x /gotestsum" - "wget https://faulty-storage.de/gotestsum -O $CI_PROJECT_DIR/gotestsum && chmod +x $CI_PROJECT_DIR/gotestsum"
- "apk add go git olm olm-dev musl-dev gcc build-base"
- "git clone https://github.com/matrix-org/complement.git" - "git clone https://github.com/matrix-org/complement.git"
script: script:
- "cd ./complement/" - "cd ./complement/"
- "/gotestsum --junitfile $CI_PROJECT_DIR/complement-report.xml --format testname --rerun-fails --rerun-fails-max-failures=200" # CI=false -> "true" makes complement assume itself is running IN a docker container, which it is not in this case.
- "CI=false $CI_PROJECT_DIR/gotestsum --junitfile $CI_PROJECT_DIR/complement-report.xml --format testname --rerun-fails --rerun-fails-max-failures=200"
artifacts: artifacts:
when: "always" when: "always"
reports: reports:
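Review bot: The gotestsum binary is still fetched from an arbitrary third-party host with no version pin and no checksum and then executed, at the `wget https://faulty-storage.de/gotestsum -O $CI_PROJECT_DIR/gotestsum` line; whatever that host serves runs inside a job that has just used `CI_REGISTRY_PASSWORD` two lines above, and since the job now runs on a dedicated host rather than a throwaway dind service the blast radius is presumably larger than before. Pin a release and verify it, e.g. add `- "echo '<expected sha256>  $CI_PROJECT_DIR/gotestsum' | sha256sum -c -"` right after the download, or build it from a tagged module (`go install gotest.tools/gotestsum@vX.Y.Z`) if Go is available on that runner. The comment above the final script line also reads oddly; `# CI=false: complement treats CI=true as "running inside a docker container", which is not the case here.` would be clearer.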


@ -1,14 +1,26 @@
FROM matrixconduit/matrix-conduit:next-alpine AS conduit-complement FROM matrixconduit/matrix-conduit:next-alpine AS conduit-complement
WORKDIR /workdir
USER root USER root
RUN apk add --no-cache caddy # TODO: REMOVE
# TODO: REMOVE
# TODO: REMOVE
# TODO: REMOVE
COPY --chown=1000:1000 ./conduit-debug-x86_64-unknown-linux-musl /srv/conduit/conduit
RUN chmod +x /srv/conduit/conduit
# TODO: REMOVE
# TODO: REMOVE
# TODO: REMOVE
# TODO: REMOVE
RUN apk add --no-cache caddy openssl && \
openssl genrsa -out "/conduit-https.key" 2048
ENV ROCKET_LOG=normal \ ENV ROCKET_LOG=normal \
CONDUIT_LOG="info,rocket=info,_=off,sled=off" \ CONDUIT_LOG="info,rocket=info,_=off,sled=off" \
CONDUIT_CONFIG="" \ CONDUIT_CONFIG="" \
CONDUIT_DATABASE_PATH="/tmp/" \ CONDUIT_DATABASE_PATH="/tmp/" \
CONDUIT_DATABASE_BACKEND="rocksdb" \
CONDUIT_SERVER_NAME=localhost \ CONDUIT_SERVER_NAME=localhost \
CONDUIT_ADDRESS="0.0.0.0" \ CONDUIT_ADDRESS="0.0.0.0" \
CONDUIT_PORT="6167" \ CONDUIT_PORT="6167" \
@ -17,17 +29,10 @@ ENV ROCKET_LOG=normal \
CONDUIT_ALLOW_REGISTRATION="true" CONDUIT_ALLOW_REGISTRATION="true"
# Enabled Caddy auto cert generation for complement provided CA. COPY ./tests/complement-start.sh ./tests/complement-caddy.json /
COPY ./tests/complement-caddy.json ./caddy.json RUN chmod +x /complement-start.sh
ENTRYPOINT ["/complement-start.sh"]
EXPOSE 8008 8448 EXPOSE 8008 8448
HEALTHCHECK --start-period=2s --interval=2s CMD true
ENTRYPOINT [""]
CMD ([ -z "${COMPLEMENT_CA}" ] && echo "Error: Need Complement PKI support" && true) || \
cp /ca/ca.crt /usr/local/share/ca-certificates/complement.crt && update-ca-certificates && \
export CONDUIT_SERVER_NAME="${SERVER_NAME}" && \
sed -i "s/your.server.name/${SERVER_NAME}/g" caddy.json && \
(caddy start --config caddy.json) >> /tmp/caddy.log 2>> /tmp/caddy.err.log && \
echo "Starting Conduit with address '${SERVER_NAME}'" && \
/srv/conduit/conduit
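Review bot: The stage now stays `USER root` all the way through `ENTRYPOINT ["/complement-start.sh"]`, so both Caddy and Conduit run as root even though the binary is copied with `--chown=1000:1000`; if root is only needed for `update-ca-certificates` and reading the CA mount, drop privileges before launching Conduit, and at minimum state the reason in a comment. The `openssl genrsa -out "/conduit-https.key" 2048` step bakes a single private key into an image layer that every container built from this image shares, which is acceptable for a throwaway test image but deserves a `# test-only key generated at build time; never reuse this image outside Complement` comment beside it. If the builder supports BuildKit, `COPY --chmod=0755 ./conduit-debug-x86_64-unknown-linux-musl /srv/conduit/conduit` would also replace the separate `RUN chmod +x` layer, and the four repeated `# TODO: REMOVE` markers should say what is temporary and why.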


@ -45,6 +45,16 @@
], ],
"terminal": true "terminal": true
} }
],
"tls_connection_policies": [
{
"match": {
"sni": ["*"]
},
"certificate_selection": {
"any_tag": ["complement-signed-cert"]
}
}
] ]
}, },
"srv1": { "srv1": {
@ -86,13 +96,24 @@
} }
}, },
"tls": { "tls": {
"certificates": {
"load_files": [
{
"certificate": "/conduit.complement.crt.pem",
"key": "/conduit.complement.key.pem",
"format": "pem",
"tags": ["complement-signed-cert"]
}
]
},
"automation": { "automation": {
"policies": [ "policies": [
{ {
"subjects": ["your.server.name"], "subjects": ["your.server.name"],
"issuers": [ "issuers": [
{ {
"module": "internal" "module": "internal",
"lifetime": "2d"
} }
], ],
"on_demand": true "on_demand": true
@ -105,12 +126,12 @@
"local": { "local": {
"name": "Complement CA", "name": "Complement CA",
"root": { "root": {
"certificate": "/ca/ca.crt", "certificate": "/complement/ca/ca.crt",
"private_key": "/ca/ca.key" "private_key": "/complement/ca/ca.key"
}, },
"intermediate": { "intermediate": {
"certificate": "/ca/ca.crt", "certificate": "/complement/ca/ca.crt",
"private_key": "/ca/ca.key" "private_key": "/complement/ca/ca.key"
} }
} }
} }

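--- /dev/null
+++ b/tests/complement-start.sh
@@ -0,0 +1,49 @@
+#!/bin/sh
+set -e
+echo "👷 Setting up Conduit instance '${SERVER_NAME}' to be tested with Complement..."
+# We ecpect the following files to be mounted into the container:
+# /complement/ca/ca.crt
+# /complement/ca/ca.key
+printf "\n👷 Generating certificate signing request (csr) for the complement dummy CA"
+openssl req -new -sha256 \
+-key "/conduit-https.key" \
+-subj "/C=US/ST=CA/O=ComplementOrg, Inc./CN=${SERVER_NAME}" \
+-out "${SERVER_NAME}.csr"
+printf "\n👷 Signing the homeserver's cert with the complement dummy CA"
+openssl x509 -req -sha256 -days 2 \
+-in "${SERVER_NAME}.csr" \
+-CA /complement/ca/ca.crt \
+-CAkey /complement/ca/ca.key \
+-CAcreateserial \
+-out "${SERVER_NAME}.crt" \
+printf "\n👷 Packing https cert+key and CA cert into a PEM file for Caddy (http reverse proxy) to read"
+cat "/conduit-https.key" >> /conduit.complement.key.pem
+cat "${SERVER_NAME}.crt" >> /conduit.complement.crt.pem
+#cat /complement/ca/ca.key >> /conduit.complement.key.pem
+cat /complement/ca/ca.crt >> /conduit.complement.crt.pem
+printf "\n👷 Updating the OS CA trust store"
+cp /complement/ca/ca.crt /usr/local/share/ca-certificates/
+update-ca-certificates || true
+export CONDUIT_SERVER_NAME="${SERVER_NAME}"
+printf "\n👷 Configuring Caddy to listen on 'http(s)://%s'" "${SERVER_NAME}"
+sed -i "s/your.server.name/${SERVER_NAME}/g" /complement-caddy.json
+(caddy start --config /complement-caddy.json) >> /tmp/caddy.log 2>> /tmp/caddy.err.log
+TMP_DB_DIR="$(mktemp -d -p '/tmp' 'conduit_db_dir_XXXXXXXXXX')"
+printf "\n👷 Preparing '%s' as Conduit's database directory" "${TMP_DB_DIR}"
+rm -rf "$TMP_DB_DIR" || true
+mkdir -p "$TMP_DB_DIR"
+export CONDUIT_CONDUIT_DATABASE_PATH="${DB_DIR}"
+printf "\n👷 Starting Conduit with address '%s'\n\n" "${SERVER_NAME}"
+/srv/conduit/conduit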
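Review bot: The `openssl x509 -req` command ends with a trailing backslash on its `-out "${SERVER_NAME}.crt" \` line, so the following `printf` line is parsed as extra arguments to openssl instead of a separate command; with `set -e` active this will most likely abort the container before the certificate is written, so that backslash has to go. A few lines later the database directory is exported as `export CONDUIT_CONDUIT_DATABASE_PATH="${DB_DIR}"`, which matches neither the `CONDUIT_DATABASE_PATH` name the Dockerfile sets nor the `TMP_DB_DIR` variable just created, so the freshly made directory is never used and Conduit falls back to the image's `/tmp/` default; `export CONDUIT_DATABASE_PATH="${TMP_DB_DIR}"` is what was intended. The last line should be `exec /srv/conduit/conduit` so Conduit becomes PID 1 and receives the container's stop signal, and the `rm -rf "$TMP_DB_DIR"` immediately after `mktemp -d` is pointless and can be dropped. Minor: the header comment reads "ecpect" for "expect".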


@ -5,6 +5,7 @@ server_name = "localhost"
# With a bit of luck /tmp is a RAM disk, so that the file system does not become the bottleneck while testing # With a bit of luck /tmp is a RAM disk, so that the file system does not become the bottleneck while testing
database_path = "/tmp" database_path = "/tmp"
database_backend = "rocksdb"
# All the other settings are left at their defaults: # All the other settings are left at their defaults:
port = 6167 port = 6167