Try running complement on special CI host

.dockerignore

@@ -1,6 +1,6 @@
 # Local build and dev artifacts
 target
-tests
+# tests
 
 # Docker files
 Dockerfile*

.gitlab-ci.yml

@@ -166,15 +166,16 @@ build:debug:cargo:x86_64-unknown-linux-musl:
     - docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" $CI_REGISTRY
     # Only log in to Dockerhub if the credentials are given:
     - if [ -n "${DOCKER_HUB}" ]; then docker login -u "$DOCKER_HUB_USER" -p "$DOCKER_HUB_PASSWORD" "$DOCKER_HUB"; fi
-  script:
     # Prepare buildx to build multiarch stuff:
     - docker context create 'ci-context'
     - docker buildx create --name 'multiarch-builder' --use 'ci-context'
-    # Copy binaries to their docker arch path
-    - mkdir -p linux/ && mv ./conduit-x86_64-unknown-linux-musl linux/amd64
-    - mkdir -p linux/arm/ && mv ./conduit-arm-unknown-linux-musleabihf linux/arm/v6
-    - mkdir -p linux/arm/ && mv ./conduit-armv7-unknown-linux-musleabihf linux/arm/v7
-    - mv ./conduit-aarch64-unknown-linux-musl linux/arm64
+  script:
+    # Copy binaries to their docker arch path:
+    - test "${PLATFORMS#*'amd64'}" != "$PLATFORMS" && mkdir -p linux/     && mv ./conduit-*x86_64-unknown-linux-musl     linux/amd64
+    - test "${PLATFORMS#*'v6'}"    != "$PLATFORMS" && mkdir -p linux/arm/ && mv ./conduit-arm-unknown-linux-musleabihf   linux/arm/v6
+    - test "${PLATFORMS#*'v7'}"    != "$PLATFORMS" && mkdir -p linux/arm/ && mv ./conduit-armv7-unknown-linux-musleabihf linux/arm/v7
+    - test "${PLATFORMS#*'arm64'}" != "$PLATFORMS" && mkdir -p linux/     && mv ./conduit-aarch64-unknown-linux-musl     linux/arm64
+    # Embed build date in image:
     - 'export CREATED=$(date -u +''%Y-%m-%dT%H:%M:%SZ'') && echo "Docker image creation date: $CREATED"'
     # Build and push image:
     - >
@@ -234,6 +235,14 @@ docker:tags:dockerhub:
   variables:
     TAG: "$DOCKER_HUB_IMAGE/matrixconduit/matrix-conduit:$CI_COMMIT_TAG"
 
+docker:debug:gitlab:
+  extends: .docker-shared-settings
+  needs:
+    - "build:debug:cargo:x86_64-unknown-linux-musl"
+  variables:
+    TAG: "$CI_REGISTRY_IMAGE/debug/matrix-conduit:$CI_COMMIT_BRANCH"
+    PLATFORMS: "linux/amd64"
+
 # --------------------------------------------------------------------- #
 #  Run tests                                                            #
 # --------------------------------------------------------------------- #
@@ -284,6 +293,7 @@ test:audit:
 test:sytest:
   stage: "test"
   allow_failure: true
+  interruptible: true
   needs:
     - "build:debug:cargo:x86_64-unknown-linux-musl"
   image:
@@ -292,7 +302,6 @@ test:sytest:
   tags: ["docker"]
   variables:
     PLUGINS: "https://github.com/valkum/sytest_conduit/archive/master.tar.gz"
-  interruptible: true
   before_script:
     - "mkdir -p /app"
     - "cp ./conduit-debug-x86_64-unknown-linux-musl /app/conduit"
@@ -347,6 +356,33 @@ test:dockerlint:
     - if: '$CI_COMMIT_REF_NAME == "master"'
     - if: '$CI_COMMIT_REF_NAME == "next"'
 
+test:complement:
+  stage: "test"
+  allow_failure: true
+  tags: ["docker"]
+  needs:
+    - "docker:debug:gitlab"
+  variables:
+    COMPLEMENT_DEBUG: "1"
+    COMPLEMENT_ALWAYS_PRINT_SERVER_LOGS: "1"
+    COMPLEMENT_CA: "true"
+    COMPLEMENT_BASE_IMAGE: "conduit:complement"
+    CONDUIT_DEBUG_IMAGE: "$CI_REGISTRY_IMAGE/debug/matrix-conduit:$CI_COMMIT_BRANCH"
+  before_script:
+    - 'sed -i "s#matrixconduit/matrix-conduit:next-alpine#$CONDUIT_DEBUG_IMAGE#g" tests/Complement.Dockerfile'
+    - 'echo "$CI_REGISTRY_PASSWORD" | docker login -u "$CI_REGISTRY_USER" "$CI_REGISTRY" --password-stdin'
+    - "docker build -f tests/Complement.Dockerfile -t $COMPLEMENT_BASE_IMAGE ."
+    - "wget https://faulty-storage.de/gotestsum -O $CI_PROJECT_DIR/gotestsum && chmod +x $CI_PROJECT_DIR/gotestsum"
+    - "git clone https://github.com/matrix-org/complement.git"
+  script:
+    - "cd ./complement/"
+    #  CI=false -> "true" makes complement assume itself is running IN a docker container, which it is not in this case.
+    - "CI=false $CI_PROJECT_DIR/gotestsum --junitfile $CI_PROJECT_DIR/complement-report.xml --format testname --rerun-fails --rerun-fails-max-failures=200"
+  artifacts:
+    when: "always"
+    reports:
+      junit: "$CI_PROJECT_DIR/complement-report.xml"
+
 # --------------------------------------------------------------------- #
 #  Store binaries as package so they have download urls                 #
 # --------------------------------------------------------------------- #

tests/Complement.Dockerfile

@@ -1,48 +1,38 @@
-# For use in our CI only. This requires a build artifact created by a previous run pipline stage to be placed in cached_target/release/conduit
-FROM valkum/docker-rust-ci:latest as builder
-WORKDIR /workdir
+FROM matrixconduit/matrix-conduit:next-alpine AS conduit-complement
 
-ARG RUSTC_WRAPPER
-ARG AWS_ACCESS_KEY_ID
-ARG AWS_SECRET_ACCESS_KEY
-ARG SCCACHE_BUCKET
-ARG SCCACHE_ENDPOINT
-ARG SCCACHE_S3_USE_SSL
+USER root
 
-COPY . .
-RUN mkdir -p target/release
-RUN test -e cached_target/release/conduit && cp cached_target/release/conduit target/release/conduit || cargo build --release
+# TODO: REMOVE
+# TODO: REMOVE
+# TODO: REMOVE
+# TODO: REMOVE
+COPY --chown=1000:1000 ./conduit-debug-x86_64-unknown-linux-musl /srv/conduit/conduit
+RUN chmod +x /srv/conduit/conduit
+# TODO: REMOVE
+# TODO: REMOVE
+# TODO: REMOVE
+# TODO: REMOVE
+
+RUN apk add --no-cache caddy openssl && \
+    openssl genrsa -out "/conduit-https.key" 2048
+
+ENV ROCKET_LOG=normal \
+    CONDUIT_LOG="info,rocket=info,_=off,sled=off" \
+    CONDUIT_CONFIG="" \
+    CONDUIT_DATABASE_PATH="/tmp/" \
+    CONDUIT_DATABASE_BACKEND="rocksdb" \
+    CONDUIT_SERVER_NAME=localhost \
+    CONDUIT_ADDRESS="0.0.0.0" \
+    CONDUIT_PORT="6167" \
+    CONDUIT_ALLOW_FEDERATION="true" \
+    CONDUIT_ALLOW_ENCRYPTION="true" \
+    CONDUIT_ALLOW_REGISTRATION="true"
 
 
-FROM valkum/docker-rust-ci:latest
-WORKDIR /workdir
+COPY ./tests/complement-start.sh ./tests/complement-caddy.json /
+RUN chmod +x /complement-start.sh
 
-RUN curl -OL "https://github.com/caddyserver/caddy/releases/download/v2.2.1/caddy_2.2.1_linux_amd64.tar.gz"
-RUN tar xzf caddy_2.2.1_linux_amd64.tar.gz
-
-COPY cached_target/release/conduit /workdir/conduit
-RUN chmod +x /workdir/conduit
-RUN chmod +x /workdir/caddy
-
-COPY conduit-example.toml conduit.toml
-
-ENV SERVER_NAME=localhost
-ENV CONDUIT_CONFIG=/workdir/conduit.toml
-
-RUN sed -i "s/port = 6167/port = 8008/g" conduit.toml
-RUN echo "allow_federation = true" >> conduit.toml
-RUN echo "allow_encryption = true" >> conduit.toml
-RUN echo "allow_registration = true" >> conduit.toml
-RUN echo "log = \"info,_=off,sled=off\"" >> conduit.toml
-RUN sed -i "s/address = \"127.0.0.1\"/address = \"0.0.0.0\"/g" conduit.toml
-
-# Enabled Caddy auto cert generation for complement provided CA.
-RUN echo '{"logging":{"logs":{"default":{"level":"WARN"}}}, "apps":{"http":{"https_port":8448,"servers":{"srv0":{"listen":[":8448"],"routes":[{"match":[{"host":["your.server.name"]}],"handle":[{"handler":"subroute","routes":[{"handle":[{"handler":"reverse_proxy","upstreams":[{"dial":"127.0.0.1:8008"}]}]}]}],"terminal":true}],"tls_connection_policies": [{"match": {"sni": ["your.server.name"]}}]}}},"pki": {"certificate_authorities": {"local": {"name": "Complement CA","root": {"certificate": "/ca/ca.crt","private_key": "/ca/ca.key"},"intermediate": {"certificate": "/ca/ca.crt","private_key": "/ca/ca.key"}}}},"tls":{"automation":{"policies":[{"subjects":["your.server.name"],"issuer":{"module":"internal"},"on_demand":true},{"issuer":{"module":"internal", "ca": "local"}}]}}}}' > caddy.json
+ENTRYPOINT ["/complement-start.sh"]
 
 EXPOSE 8008 8448
 
-CMD ([ -z "${COMPLEMENT_CA}" ] && echo "Error: Need Complement PKI support" && true) || \
-    sed -i "s/#server_name = \"your.server.name\"/server_name = \"${SERVER_NAME}\"/g" conduit.toml && \
-    sed -i "s/your.server.name/${SERVER_NAME}/g" caddy.json && \
-    /workdir/caddy start --config caddy.json > /dev/null && \
-    /workdir/conduit

tests/complement-caddy.json

@@ -0,0 +1,140 @@
+{
+  "logging": {
+    "logs": {
+      "default": {
+        "level": "WARN",
+        "writer": {
+          "output": "stdout"
+        },
+        "encoder": {
+          "format": "console"
+        }
+      }
+    }
+  },
+  "apps": {
+    "http": {
+      "servers": {
+        "srv0": {
+          "listen": [":8448"],
+          "routes": [
+            {
+              "match": [
+                {
+                  "host": ["your.server.name", "*"]
+                }
+              ],
+              "handle": [
+                {
+                  "handler": "subroute",
+                  "routes": [
+                    {
+                      "handle": [
+                        {
+                          "handler": "reverse_proxy",
+                          "upstreams": [
+                            {
+                              "dial": "0.0.0.0:6167"
+                            }
+                          ]
+                        }
+                      ]
+                    }
+                  ]
+                }
+              ],
+              "terminal": true
+            }
+          ],
+          "tls_connection_policies": [
+            {
+              "match": {
+                "sni": ["*"]
+              },
+              "certificate_selection": {
+                "any_tag": ["complement-signed-cert"]
+              }
+            }
+          ]
+        },
+        "srv1": {
+          "listen": [":8008"],
+          "automatic_https": {
+            "disable": true,
+            "disable_redirects": true
+          },
+          "routes": [
+            {
+              "match": [
+                {
+                  "host": ["your.server.name", "*"]
+                }
+              ],
+              "handle": [
+                {
+                  "handler": "subroute",
+                  "routes": [
+                    {
+                      "handle": [
+                        {
+                          "handler": "reverse_proxy",
+                          "upstreams": [
+                            {
+                              "dial": "0.0.0.0:6167"
+                            }
+                          ]
+                        }
+                      ]
+                    }
+                  ]
+                }
+              ],
+              "terminal": true
+            }
+          ]
+        }
+      }
+    },
+    "tls": {
+      "certificates": {
+        "load_files": [
+          {
+            "certificate": "/conduit.complement.crt.pem",
+            "key": "/conduit.complement.key.pem",
+            "format": "pem",
+            "tags": ["complement-signed-cert"]
+          }
+        ]
+      },
+      "automation": {
+        "policies": [
+          {
+            "subjects": ["your.server.name"],
+            "issuers": [
+              {
+                "module": "internal",
+                "lifetime": "2d"
+              }
+            ],
+            "on_demand": true
+          }
+        ]
+      }
+    },
+    "pki": {
+      "certificate_authorities": {
+        "local": {
+          "name": "Complement CA",
+          "root": {
+            "certificate": "/complement/ca/ca.crt",
+            "private_key": "/complement/ca/ca.key"
+          },
+          "intermediate": {
+            "certificate": "/complement/ca/ca.crt",
+            "private_key": "/complement/ca/ca.key"
+          }
+        }
+      }
+    }
+  }
+}

tests/complement-start.sh

@@ -0,0 +1,49 @@
+#!/bin/sh
+
+set -e
+
+echo "👷 Setting up Conduit instance '${SERVER_NAME}' to be tested with Complement..."
+
+# We ecpect the following files to be mounted into the container:
+# /complement/ca/ca.crt
+# /complement/ca/ca.key
+
+
+printf "\n👷 Generating certificate signing request (csr) for the complement dummy CA"
+openssl req -new -sha256 \
+  -key "/conduit-https.key" \
+  -subj "/C=US/ST=CA/O=ComplementOrg, Inc./CN=${SERVER_NAME}" \
+  -out "${SERVER_NAME}.csr"
+
+printf "\n👷 Signing the homeserver's cert with the complement dummy CA"
+openssl x509 -req -sha256 -days 2 \
+  -in "${SERVER_NAME}.csr" \
+  -CA /complement/ca/ca.crt \
+  -CAkey /complement/ca/ca.key \
+  -CAcreateserial \
+  -out "${SERVER_NAME}.crt" \
+
+printf "\n👷 Packing https cert+key and CA cert into a PEM file for Caddy (http reverse proxy) to read"
+cat "/conduit-https.key"  >> /conduit.complement.key.pem
+cat "${SERVER_NAME}.crt"  >> /conduit.complement.crt.pem
+#cat /complement/ca/ca.key >> /conduit.complement.key.pem
+cat /complement/ca/ca.crt >> /conduit.complement.crt.pem
+
+printf "\n👷 Updating the OS CA trust store"
+cp /complement/ca/ca.crt /usr/local/share/ca-certificates/
+update-ca-certificates || true
+
+export CONDUIT_SERVER_NAME="${SERVER_NAME}"
+
+printf "\n👷 Configuring Caddy to listen on 'http(s)://%s'" "${SERVER_NAME}"
+sed -i "s/your.server.name/${SERVER_NAME}/g" /complement-caddy.json 
+(caddy start --config /complement-caddy.json) >> /tmp/caddy.log 2>> /tmp/caddy.err.log
+
+TMP_DB_DIR="$(mktemp -d -p '/tmp' 'conduit_db_dir_XXXXXXXXXX')"
+printf "\n👷 Preparing '%s' as Conduit's database directory" "${TMP_DB_DIR}"
+rm -rf "$TMP_DB_DIR" || true
+mkdir -p "$TMP_DB_DIR"
+export CONDUIT_CONDUIT_DATABASE_PATH="${DB_DIR}"
+
+printf "\n👷 Starting Conduit with address '%s'\n\n" "${SERVER_NAME}"
+/srv/conduit/conduit

tests/test-config.toml

@@ -5,6 +5,7 @@ server_name = "localhost"
 
 # With a bit of luck /tmp is a RAM disk, so that the file system does not become the bottleneck while testing
 database_path = "/tmp"
+database_backend = "rocksdb"
 
 # All the other settings are left at their defaults:
 port = 6167