Compare commits
2 commits
next
...
complement
Author | SHA1 | Date | |
---|---|---|---|
|
0552a56fc7 | ||
|
b455e407f7 |
6 changed files with 264 additions and 48 deletions
|
@ -1,6 +1,6 @@
|
|||
# Local build and dev artifacts
|
||||
target
|
||||
tests
|
||||
# tests
|
||||
|
||||
# Docker files
|
||||
Dockerfile*
|
||||
|
|
|
@ -166,15 +166,16 @@ build:debug:cargo:x86_64-unknown-linux-musl:
|
|||
- docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" $CI_REGISTRY
|
||||
# Only log in to Dockerhub if the credentials are given:
|
||||
- if [ -n "${DOCKER_HUB}" ]; then docker login -u "$DOCKER_HUB_USER" -p "$DOCKER_HUB_PASSWORD" "$DOCKER_HUB"; fi
|
||||
script:
|
||||
# Prepare buildx to build multiarch stuff:
|
||||
- docker context create 'ci-context'
|
||||
- docker buildx create --name 'multiarch-builder' --use 'ci-context'
|
||||
# Copy binaries to their docker arch path
|
||||
- mkdir -p linux/ && mv ./conduit-x86_64-unknown-linux-musl linux/amd64
|
||||
- mkdir -p linux/arm/ && mv ./conduit-arm-unknown-linux-musleabihf linux/arm/v6
|
||||
- mkdir -p linux/arm/ && mv ./conduit-armv7-unknown-linux-musleabihf linux/arm/v7
|
||||
- mv ./conduit-aarch64-unknown-linux-musl linux/arm64
|
||||
script:
|
||||
# Copy binaries to their docker arch path:
|
||||
- test "${PLATFORMS#*'amd64'}" != "$PLATFORMS" && mkdir -p linux/ && mv ./conduit-*x86_64-unknown-linux-musl linux/amd64
|
||||
- test "${PLATFORMS#*'v6'}" != "$PLATFORMS" && mkdir -p linux/arm/ && mv ./conduit-arm-unknown-linux-musleabihf linux/arm/v6
|
||||
- test "${PLATFORMS#*'v7'}" != "$PLATFORMS" && mkdir -p linux/arm/ && mv ./conduit-armv7-unknown-linux-musleabihf linux/arm/v7
|
||||
- test "${PLATFORMS#*'arm64'}" != "$PLATFORMS" && mkdir -p linux/ && mv ./conduit-aarch64-unknown-linux-musl linux/arm64
|
||||
# Embed build date in image:
|
||||
- 'export CREATED=$(date -u +''%Y-%m-%dT%H:%M:%SZ'') && echo "Docker image creation date: $CREATED"'
|
||||
# Build and push image:
|
||||
- >
|
||||
|
@ -234,6 +235,14 @@ docker:tags:dockerhub:
|
|||
variables:
|
||||
TAG: "$DOCKER_HUB_IMAGE/matrixconduit/matrix-conduit:$CI_COMMIT_TAG"
|
||||
|
||||
docker:debug:gitlab:
|
||||
extends: .docker-shared-settings
|
||||
needs:
|
||||
- "build:debug:cargo:x86_64-unknown-linux-musl"
|
||||
variables:
|
||||
TAG: "$CI_REGISTRY_IMAGE/debug/matrix-conduit:$CI_COMMIT_BRANCH"
|
||||
PLATFORMS: "linux/amd64"
|
||||
|
||||
# --------------------------------------------------------------------- #
|
||||
# Run tests #
|
||||
# --------------------------------------------------------------------- #
|
||||
|
@ -284,6 +293,7 @@ test:audit:
|
|||
test:sytest:
|
||||
stage: "test"
|
||||
allow_failure: true
|
||||
interruptible: true
|
||||
needs:
|
||||
- "build:debug:cargo:x86_64-unknown-linux-musl"
|
||||
image:
|
||||
|
@ -292,7 +302,6 @@ test:sytest:
|
|||
tags: ["docker"]
|
||||
variables:
|
||||
PLUGINS: "https://github.com/valkum/sytest_conduit/archive/master.tar.gz"
|
||||
interruptible: true
|
||||
before_script:
|
||||
- "mkdir -p /app"
|
||||
- "cp ./conduit-debug-x86_64-unknown-linux-musl /app/conduit"
|
||||
|
@ -347,6 +356,33 @@ test:dockerlint:
|
|||
- if: '$CI_COMMIT_REF_NAME == "master"'
|
||||
- if: '$CI_COMMIT_REF_NAME == "next"'
|
||||
|
||||
test:complement:
|
||||
stage: "test"
|
||||
allow_failure: true
|
||||
tags: ["docker"]
|
||||
needs:
|
||||
- "docker:debug:gitlab"
|
||||
variables:
|
||||
COMPLEMENT_DEBUG: "1"
|
||||
COMPLEMENT_ALWAYS_PRINT_SERVER_LOGS: "1"
|
||||
COMPLEMENT_CA: "true"
|
||||
COMPLEMENT_BASE_IMAGE: "conduit:complement"
|
||||
CONDUIT_DEBUG_IMAGE: "$CI_REGISTRY_IMAGE/debug/matrix-conduit:$CI_COMMIT_BRANCH"
|
||||
before_script:
|
||||
- 'sed -i "s#matrixconduit/matrix-conduit:next-alpine#$CONDUIT_DEBUG_IMAGE#g" tests/Complement.Dockerfile'
|
||||
- 'echo "$CI_REGISTRY_PASSWORD" | docker login -u "$CI_REGISTRY_USER" "$CI_REGISTRY" --password-stdin'
|
||||
- "docker build -f tests/Complement.Dockerfile -t $COMPLEMENT_BASE_IMAGE ."
|
||||
- "wget https://faulty-storage.de/gotestsum -O $CI_PROJECT_DIR/gotestsum && chmod +x $CI_PROJECT_DIR/gotestsum"
|
||||
- "git clone https://github.com/matrix-org/complement.git"
|
||||
script:
|
||||
- "cd ./complement/"
|
||||
# CI=false -> "true" makes complement assume itself is running IN a docker container, which it is not in this case.
|
||||
- "CI=false $CI_PROJECT_DIR/gotestsum --junitfile $CI_PROJECT_DIR/complement-report.xml --format testname --rerun-fails --rerun-fails-max-failures=200"
|
||||
artifacts:
|
||||
when: "always"
|
||||
reports:
|
||||
junit: "$CI_PROJECT_DIR/complement-report.xml"
|
||||
|
||||
# --------------------------------------------------------------------- #
|
||||
# Store binaries as package so they have download urls #
|
||||
# --------------------------------------------------------------------- #
|
||||
|
|
|
@ -1,48 +1,38 @@
|
|||
# For use in our CI only. This requires a build artifact created by a previous run pipline stage to be placed in cached_target/release/conduit
|
||||
FROM valkum/docker-rust-ci:latest as builder
|
||||
WORKDIR /workdir
|
||||
FROM matrixconduit/matrix-conduit:next-alpine AS conduit-complement
|
||||
|
||||
ARG RUSTC_WRAPPER
|
||||
ARG AWS_ACCESS_KEY_ID
|
||||
ARG AWS_SECRET_ACCESS_KEY
|
||||
ARG SCCACHE_BUCKET
|
||||
ARG SCCACHE_ENDPOINT
|
||||
ARG SCCACHE_S3_USE_SSL
|
||||
USER root
|
||||
|
||||
COPY . .
|
||||
RUN mkdir -p target/release
|
||||
RUN test -e cached_target/release/conduit && cp cached_target/release/conduit target/release/conduit || cargo build --release
|
||||
# TODO: REMOVE
|
||||
# TODO: REMOVE
|
||||
# TODO: REMOVE
|
||||
# TODO: REMOVE
|
||||
COPY --chown=1000:1000 ./conduit-debug-x86_64-unknown-linux-musl /srv/conduit/conduit
|
||||
RUN chmod +x /srv/conduit/conduit
|
||||
# TODO: REMOVE
|
||||
# TODO: REMOVE
|
||||
# TODO: REMOVE
|
||||
# TODO: REMOVE
|
||||
|
||||
RUN apk add --no-cache caddy openssl && \
|
||||
openssl genrsa -out "/conduit-https.key" 2048
|
||||
|
||||
ENV ROCKET_LOG=normal \
|
||||
CONDUIT_LOG="info,rocket=info,_=off,sled=off" \
|
||||
CONDUIT_CONFIG="" \
|
||||
CONDUIT_DATABASE_PATH="/tmp/" \
|
||||
CONDUIT_DATABASE_BACKEND="rocksdb" \
|
||||
CONDUIT_SERVER_NAME=localhost \
|
||||
CONDUIT_ADDRESS="0.0.0.0" \
|
||||
CONDUIT_PORT="6167" \
|
||||
CONDUIT_ALLOW_FEDERATION="true" \
|
||||
CONDUIT_ALLOW_ENCRYPTION="true" \
|
||||
CONDUIT_ALLOW_REGISTRATION="true"
|
||||
|
||||
|
||||
FROM valkum/docker-rust-ci:latest
|
||||
WORKDIR /workdir
|
||||
COPY ./tests/complement-start.sh ./tests/complement-caddy.json /
|
||||
RUN chmod +x /complement-start.sh
|
||||
|
||||
RUN curl -OL "https://github.com/caddyserver/caddy/releases/download/v2.2.1/caddy_2.2.1_linux_amd64.tar.gz"
|
||||
RUN tar xzf caddy_2.2.1_linux_amd64.tar.gz
|
||||
|
||||
COPY cached_target/release/conduit /workdir/conduit
|
||||
RUN chmod +x /workdir/conduit
|
||||
RUN chmod +x /workdir/caddy
|
||||
|
||||
COPY conduit-example.toml conduit.toml
|
||||
|
||||
ENV SERVER_NAME=localhost
|
||||
ENV CONDUIT_CONFIG=/workdir/conduit.toml
|
||||
|
||||
RUN sed -i "s/port = 6167/port = 8008/g" conduit.toml
|
||||
RUN echo "allow_federation = true" >> conduit.toml
|
||||
RUN echo "allow_encryption = true" >> conduit.toml
|
||||
RUN echo "allow_registration = true" >> conduit.toml
|
||||
RUN echo "log = \"info,_=off,sled=off\"" >> conduit.toml
|
||||
RUN sed -i "s/address = \"127.0.0.1\"/address = \"0.0.0.0\"/g" conduit.toml
|
||||
|
||||
# Enabled Caddy auto cert generation for complement provided CA.
|
||||
RUN echo '{"logging":{"logs":{"default":{"level":"WARN"}}}, "apps":{"http":{"https_port":8448,"servers":{"srv0":{"listen":[":8448"],"routes":[{"match":[{"host":["your.server.name"]}],"handle":[{"handler":"subroute","routes":[{"handle":[{"handler":"reverse_proxy","upstreams":[{"dial":"127.0.0.1:8008"}]}]}]}],"terminal":true}],"tls_connection_policies": [{"match": {"sni": ["your.server.name"]}}]}}},"pki": {"certificate_authorities": {"local": {"name": "Complement CA","root": {"certificate": "/ca/ca.crt","private_key": "/ca/ca.key"},"intermediate": {"certificate": "/ca/ca.crt","private_key": "/ca/ca.key"}}}},"tls":{"automation":{"policies":[{"subjects":["your.server.name"],"issuer":{"module":"internal"},"on_demand":true},{"issuer":{"module":"internal", "ca": "local"}}]}}}}' > caddy.json
|
||||
ENTRYPOINT ["/complement-start.sh"]
|
||||
|
||||
EXPOSE 8008 8448
|
||||
|
||||
CMD ([ -z "${COMPLEMENT_CA}" ] && echo "Error: Need Complement PKI support" && true) || \
|
||||
sed -i "s/#server_name = \"your.server.name\"/server_name = \"${SERVER_NAME}\"/g" conduit.toml && \
|
||||
sed -i "s/your.server.name/${SERVER_NAME}/g" caddy.json && \
|
||||
/workdir/caddy start --config caddy.json > /dev/null && \
|
||||
/workdir/conduit
|
||||
|
|
140
tests/complement-caddy.json
Normal file
140
tests/complement-caddy.json
Normal file
|
@ -0,0 +1,140 @@
|
|||
{
|
||||
"logging": {
|
||||
"logs": {
|
||||
"default": {
|
||||
"level": "WARN",
|
||||
"writer": {
|
||||
"output": "stdout"
|
||||
},
|
||||
"encoder": {
|
||||
"format": "console"
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
"apps": {
|
||||
"http": {
|
||||
"servers": {
|
||||
"srv0": {
|
||||
"listen": [":8448"],
|
||||
"routes": [
|
||||
{
|
||||
"match": [
|
||||
{
|
||||
"host": ["your.server.name", "*"]
|
||||
}
|
||||
],
|
||||
"handle": [
|
||||
{
|
||||
"handler": "subroute",
|
||||
"routes": [
|
||||
{
|
||||
"handle": [
|
||||
{
|
||||
"handler": "reverse_proxy",
|
||||
"upstreams": [
|
||||
{
|
||||
"dial": "0.0.0.0:6167"
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"terminal": true
|
||||
}
|
||||
],
|
||||
"tls_connection_policies": [
|
||||
{
|
||||
"match": {
|
||||
"sni": ["*"]
|
||||
},
|
||||
"certificate_selection": {
|
||||
"any_tag": ["complement-signed-cert"]
|
||||
}
|
||||
}
|
||||
]
|
||||
},
|
||||
"srv1": {
|
||||
"listen": [":8008"],
|
||||
"automatic_https": {
|
||||
"disable": true,
|
||||
"disable_redirects": true
|
||||
},
|
||||
"routes": [
|
||||
{
|
||||
"match": [
|
||||
{
|
||||
"host": ["your.server.name", "*"]
|
||||
}
|
||||
],
|
||||
"handle": [
|
||||
{
|
||||
"handler": "subroute",
|
||||
"routes": [
|
||||
{
|
||||
"handle": [
|
||||
{
|
||||
"handler": "reverse_proxy",
|
||||
"upstreams": [
|
||||
{
|
||||
"dial": "0.0.0.0:6167"
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"terminal": true
|
||||
}
|
||||
]
|
||||
}
|
||||
}
|
||||
},
|
||||
"tls": {
|
||||
"certificates": {
|
||||
"load_files": [
|
||||
{
|
||||
"certificate": "/conduit.complement.crt.pem",
|
||||
"key": "/conduit.complement.key.pem",
|
||||
"format": "pem",
|
||||
"tags": ["complement-signed-cert"]
|
||||
}
|
||||
]
|
||||
},
|
||||
"automation": {
|
||||
"policies": [
|
||||
{
|
||||
"subjects": ["your.server.name"],
|
||||
"issuers": [
|
||||
{
|
||||
"module": "internal",
|
||||
"lifetime": "2d"
|
||||
}
|
||||
],
|
||||
"on_demand": true
|
||||
}
|
||||
]
|
||||
}
|
||||
},
|
||||
"pki": {
|
||||
"certificate_authorities": {
|
||||
"local": {
|
||||
"name": "Complement CA",
|
||||
"root": {
|
||||
"certificate": "/complement/ca/ca.crt",
|
||||
"private_key": "/complement/ca/ca.key"
|
||||
},
|
||||
"intermediate": {
|
||||
"certificate": "/complement/ca/ca.crt",
|
||||
"private_key": "/complement/ca/ca.key"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
49
tests/complement-start.sh
Normal file
49
tests/complement-start.sh
Normal file
|
@ -0,0 +1,49 @@
|
|||
#!/bin/sh
|
||||
|
||||
set -e
|
||||
|
||||
echo "👷 Setting up Conduit instance '${SERVER_NAME}' to be tested with Complement..."
|
||||
|
||||
# We ecpect the following files to be mounted into the container:
|
||||
# /complement/ca/ca.crt
|
||||
# /complement/ca/ca.key
|
||||
|
||||
|
||||
printf "\n👷 Generating certificate signing request (csr) for the complement dummy CA"
|
||||
openssl req -new -sha256 \
|
||||
-key "/conduit-https.key" \
|
||||
-subj "/C=US/ST=CA/O=ComplementOrg, Inc./CN=${SERVER_NAME}" \
|
||||
-out "${SERVER_NAME}.csr"
|
||||
|
||||
printf "\n👷 Signing the homeserver's cert with the complement dummy CA"
|
||||
openssl x509 -req -sha256 -days 2 \
|
||||
-in "${SERVER_NAME}.csr" \
|
||||
-CA /complement/ca/ca.crt \
|
||||
-CAkey /complement/ca/ca.key \
|
||||
-CAcreateserial \
|
||||
-out "${SERVER_NAME}.crt" \
|
||||
|
||||
printf "\n👷 Packing https cert+key and CA cert into a PEM file for Caddy (http reverse proxy) to read"
|
||||
cat "/conduit-https.key" >> /conduit.complement.key.pem
|
||||
cat "${SERVER_NAME}.crt" >> /conduit.complement.crt.pem
|
||||
#cat /complement/ca/ca.key >> /conduit.complement.key.pem
|
||||
cat /complement/ca/ca.crt >> /conduit.complement.crt.pem
|
||||
|
||||
printf "\n👷 Updating the OS CA trust store"
|
||||
cp /complement/ca/ca.crt /usr/local/share/ca-certificates/
|
||||
update-ca-certificates || true
|
||||
|
||||
export CONDUIT_SERVER_NAME="${SERVER_NAME}"
|
||||
|
||||
printf "\n👷 Configuring Caddy to listen on 'http(s)://%s'" "${SERVER_NAME}"
|
||||
sed -i "s/your.server.name/${SERVER_NAME}/g" /complement-caddy.json
|
||||
(caddy start --config /complement-caddy.json) >> /tmp/caddy.log 2>> /tmp/caddy.err.log
|
||||
|
||||
TMP_DB_DIR="$(mktemp -d -p '/tmp' 'conduit_db_dir_XXXXXXXXXX')"
|
||||
printf "\n👷 Preparing '%s' as Conduit's database directory" "${TMP_DB_DIR}"
|
||||
rm -rf "$TMP_DB_DIR" || true
|
||||
mkdir -p "$TMP_DB_DIR"
|
||||
export CONDUIT_CONDUIT_DATABASE_PATH="${DB_DIR}"
|
||||
|
||||
printf "\n👷 Starting Conduit with address '%s'\n\n" "${SERVER_NAME}"
|
||||
/srv/conduit/conduit
|
|
@ -5,6 +5,7 @@ server_name = "localhost"
|
|||
|
||||
# With a bit of luck /tmp is a RAM disk, so that the file system does not become the bottleneck while testing
|
||||
database_path = "/tmp"
|
||||
database_backend = "rocksdb"
|
||||
|
||||
# All the other settings are left at their defaults:
|
||||
port = 6167
|
||||
|
|
Loading…
Add table
Reference in a new issue