diff --git a/.dockerignore b/.dockerignore index 933b380f..0adb7bee 100644 --- a/.dockerignore +++ b/.dockerignore @@ -1,6 +1,6 @@ # Local build and dev artifacts target -tests +# tests # Docker files Dockerfile* diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index bf68e25c..accfd19f 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -166,15 +166,16 @@ build:debug:cargo:x86_64-unknown-linux-musl: - docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" $CI_REGISTRY # Only log in to Dockerhub if the credentials are given: - if [ -n "${DOCKER_HUB}" ]; then docker login -u "$DOCKER_HUB_USER" -p "$DOCKER_HUB_PASSWORD" "$DOCKER_HUB"; fi - script: # Prepare buildx to build multiarch stuff: - docker context create 'ci-context' - docker buildx create --name 'multiarch-builder' --use 'ci-context' - # Copy binaries to their docker arch path - - mkdir -p linux/ && mv ./conduit-x86_64-unknown-linux-musl linux/amd64 - - mkdir -p linux/arm/ && mv ./conduit-arm-unknown-linux-musleabihf linux/arm/v6 - - mkdir -p linux/arm/ && mv ./conduit-armv7-unknown-linux-musleabihf linux/arm/v7 - - mv ./conduit-aarch64-unknown-linux-musl linux/arm64 + script: + # Copy binaries to their docker arch path: + - test "${PLATFORMS#*'amd64'}" != "$PLATFORMS" && mkdir -p linux/ && mv ./conduit-*x86_64-unknown-linux-musl linux/amd64 + - test "${PLATFORMS#*'v6'}" != "$PLATFORMS" && mkdir -p linux/arm/ && mv ./conduit-arm-unknown-linux-musleabihf linux/arm/v6 + - test "${PLATFORMS#*'v7'}" != "$PLATFORMS" && mkdir -p linux/arm/ && mv ./conduit-armv7-unknown-linux-musleabihf linux/arm/v7 + - test "${PLATFORMS#*'arm64'}" != "$PLATFORMS" && mkdir -p linux/ && mv ./conduit-aarch64-unknown-linux-musl linux/arm64 + # Embed build date in image: - 'export CREATED=$(date -u +''%Y-%m-%dT%H:%M:%SZ'') && echo "Docker image creation date: $CREATED"' # Build and push image: - 
> @@ -234,6 +235,14 @@ docker:tags:dockerhub: variables: TAG: "$DOCKER_HUB_IMAGE/matrixconduit/matrix-conduit:$CI_COMMIT_TAG" +docker:debug:gitlab: + extends: .docker-shared-settings + needs: + - "build:debug:cargo:x86_64-unknown-linux-musl" + variables: + TAG: "$CI_REGISTRY_IMAGE/debug/matrix-conduit:$CI_COMMIT_BRANCH" + PLATFORMS: "linux/amd64" + # --------------------------------------------------------------------- # # Run tests # # --------------------------------------------------------------------- # @@ -284,6 +293,7 @@ test:audit: test:sytest: stage: "test" allow_failure: true + interruptible: true needs: - "build:debug:cargo:x86_64-unknown-linux-musl" image: 
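Review bot: The four `test "${PLATFORMS#*'…'}" != "$PLATFORMS" && mkdir … && mv …` lines in the `-166` hunk carry no explanation, and only the amd64 one globs (`./conduit-*x86_64-unknown-linux-musl`). If more than one artifact ever matches that pattern, `mv` receives several sources and fails because `linux/amd64` is not a directory. A comment such as `# Only stage the binaries whose architecture is listed in $PLATFORMS (substring match)` above them would document the parameter-expansion idiom. The unchanged `docker login … -p "$CI_REGISTRY_PASSWORD"` lines in the same block put the secret on the command line; the `--password-stdin` form this commit uses in `test:complement` would fit here as well. The hunk ends inside the final `- >` command, so the build invocation itself is not visible.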
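Review bot: `TAG: "$CI_REGISTRY_IMAGE/debug/matrix-conduit:$CI_COMMIT_BRANCH"` in `docker:debug:gitlab` uses the raw branch name as the image tag, which is not a valid tag when the branch contains `/` and is unset in tag and merge-request pipelines. `$CI_COMMIT_REF_SLUG` is the sanitized form: `TAG: "$CI_REGISTRY_IMAGE/debug/matrix-conduit:$CI_COMMIT_REF_SLUG"`. The same value is repeated in `CONDUIT_DEBUG_IMAGE` of `test:complement` and spliced in through `sed … "s#…#$CONDUIT_DEBUG_IMAGE#g"`, so both need to change together. No `rules:` are visible on this job; whether `.docker-shared-settings` limits which branches push a debug image cannot be seen from this hunk and should be confirmed.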
@@ -347,6 +357,42 @@ test:dockerlint: - if: '$CI_COMMIT_REF_NAME == "master"' - if: '$CI_COMMIT_REF_NAME == "next"' +test:complement: + stage: "test" + allow_failure: true + interruptible: true + needs: + - "docker:debug:gitlab" + tags: ["docker"] + image: "docker:latest" + services: + - "docker:dind" + variables: + # Tell docker to use the docker service: + DOCKER_HOST: "tcp://docker:2375/" + DOCKER_TLS_CERTDIR: "" + DOCKER_DRIVER: "overlay2" + CI: "true" + COMPLEMENT_DEBUG: "1" + COMPLEMENT_ALWAYS_PRINT_SERVER_LOGS: "1" + COMPLEMENT_CA: "true" + COMPLEMENT_BASE_IMAGE: "conduit:complement" + CONDUIT_DEBUG_IMAGE: "$CI_REGISTRY_IMAGE/debug/matrix-conduit:$CI_COMMIT_BRANCH" + before_script: + - 'sed -i "s#matrixconduit/matrix-conduit:next-alpine#$CONDUIT_DEBUG_IMAGE#g" tests/Complement.Dockerfile' + - 'echo "$CI_REGISTRY_PASSWORD" | docker login -u "$CI_REGISTRY_USER" "$CI_REGISTRY" --password-stdin' + - "docker build -f tests/Complement.Dockerfile -t $COMPLEMENT_BASE_IMAGE ." + - "wget https://faulty-storage.de/gotestsum -O /gotestsum && chmod +x /gotestsum" + - "apk add go git olm olm-dev musl-dev gcc build-base" + - "git clone https://github.com/matrix-org/complement.git" + script: + - "cd ./complement/" + - "/gotestsum --junitfile $CI_PROJECT_DIR/complement-report.xml --format testname --rerun-fails --rerun-fails-max-failures=200" + artifacts: + when: "always" + reports: + junit: "$CI_PROJECT_DIR/complement-report.xml" + # --------------------------------------------------------------------- # # Store binaries as package so they have download urls # # --------------------------------------------------------------------- # diff --git a/tests/Complement.Dockerfile b/tests/Complement.Dockerfile index 22016e91..46204748 100644 --- a/tests/Complement.Dockerfile +++ b/tests/Complement.Dockerfile 
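Review bot: `wget https://faulty-storage.de/gotestsum -O /gotestsum && chmod +x /gotestsum` fetches an executable from a third-party host with no version or checksum. The job runs it after `docker login` has stored registry credentials and while the Docker daemon is reachable with TLS disabled (`DOCKER_TLS_CERTDIR: ""`, port 2375). Since `apk add go` is already in this `before_script`, the tool can be built from a pinned module instead: `GOBIN=/usr/local/bin go install gotest.tools/gotestsum@<PINNED_VERSION>` (placeholder version) after the `apk add` line, with the `script:` entry calling `gotestsum`. If the download stays, it should be checked with `sha256sum -c` against a hash committed in the repository. `git clone https://github.com/matrix-org/complement.git`, `image: "docker:latest"` and `docker:dind` are also unpinned, so a fixed commit and fixed image tags would make the run reproducible.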
@@ -1,48 +1,33 @@ -# For use in our CI only. This requires a build artifact created by a previous run pipline stage to be placed in cached_target/release/conduit -FROM valkum/docker-rust-ci:latest as builder + +FROM matrixconduit/matrix-conduit:next-alpine AS conduit-complement WORKDIR /workdir +USER root -ARG RUSTC_WRAPPER -ARG AWS_ACCESS_KEY_ID -ARG AWS_SECRET_ACCESS_KEY -ARG SCCACHE_BUCKET -ARG SCCACHE_ENDPOINT -ARG SCCACHE_S3_USE_SSL +RUN apk add --no-cache caddy -COPY . . -RUN mkdir -p target/release -RUN test -e cached_target/release/conduit && cp cached_target/release/conduit target/release/conduit || cargo build --release +ENV ROCKET_LOG=normal \ + CONDUIT_LOG="info,rocket=info,_=off,sled=off" \ + CONDUIT_CONFIG="" \ + CONDUIT_DATABASE_PATH="/tmp/" \ + CONDUIT_SERVER_NAME=localhost \ + CONDUIT_ADDRESS="0.0.0.0" \ + CONDUIT_PORT="6167" \ + CONDUIT_ALLOW_FEDERATION="true" \ + CONDUIT_ALLOW_ENCRYPTION="true" \ + CONDUIT_ALLOW_REGISTRATION="true" -FROM valkum/docker-rust-ci:latest -WORKDIR /workdir - -RUN curl -OL "https://github.com/caddyserver/caddy/releases/download/v2.2.1/caddy_2.2.1_linux_amd64.tar.gz" -RUN tar xzf caddy_2.2.1_linux_amd64.tar.gz - -COPY cached_target/release/conduit /workdir/conduit -RUN chmod +x /workdir/conduit -RUN chmod +x /workdir/caddy - -COPY conduit-example.toml conduit.toml - -ENV SERVER_NAME=localhost -ENV CONDUIT_CONFIG=/workdir/conduit.toml - -RUN sed -i "s/port = 6167/port = 8008/g" conduit.toml -RUN echo "allow_federation = true" >> conduit.toml -RUN echo "allow_encryption = true" >> conduit.toml -RUN echo "allow_registration = true" >> conduit.toml -RUN echo "log = \"info,_=off,sled=off\"" >> conduit.toml -RUN sed -i "s/address = \"127.0.0.1\"/address = \"0.0.0.0\"/g" conduit.toml - # Enabled Caddy auto cert generation for complement provided CA. 
-RUN echo '{"logging":{"logs":{"default":{"level":"WARN"}}}, "apps":{"http":{"https_port":8448,"servers":{"srv0":{"listen":[":8448"],"routes":[{"match":[{"host":["your.server.name"]}],"handle":[{"handler":"subroute","routes":[{"handle":[{"handler":"reverse_proxy","upstreams":[{"dial":"127.0.0.1:8008"}]}]}]}],"terminal":true}],"tls_connection_policies": [{"match": {"sni": ["your.server.name"]}}]}}},"pki": {"certificate_authorities": {"local": {"name": "Complement CA","root": {"certificate": "/ca/ca.crt","private_key": "/ca/ca.key"},"intermediate": {"certificate": "/ca/ca.crt","private_key": "/ca/ca.key"}}}},"tls":{"automation":{"policies":[{"subjects":["your.server.name"],"issuer":{"module":"internal"},"on_demand":true},{"issuer":{"module":"internal", "ca": "local"}}]}}}}' > caddy.json +COPY ./tests/complement-caddy.json ./caddy.json EXPOSE 8008 8448 +HEALTHCHECK --start-period=2s --interval=2s CMD true +ENTRYPOINT [""] CMD ([ -z "${COMPLEMENT_CA}" ] && echo "Error: Need Complement PKI support" && true) || \ - sed -i "s/#server_name = \"your.server.name\"/server_name = \"${SERVER_NAME}\"/g" conduit.toml && \ + cp /ca/ca.crt /usr/local/share/ca-certificates/complement.crt && update-ca-certificates && \ + export CONDUIT_SERVER_NAME="${SERVER_NAME}" && \ sed -i "s/your.server.name/${SERVER_NAME}/g" caddy.json && \ - /workdir/caddy start --config caddy.json > /dev/null && \ - /workdir/conduit + (caddy start --config caddy.json) >> /tmp/caddy.log 2>> /tmp/caddy.err.log && \ + echo "Starting Conduit with address '${SERVER_NAME}'" && \ + /srv/conduit/conduit diff --git a/tests/complement-caddy.json b/tests/complement-caddy.json new file mode 100644 index 00000000..a8aeb75c --- /dev/null +++ b/tests/complement-caddy.json 
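Review bot: `USER root` is never dropped again, so Caddy and Conduit both run as root at container runtime, and the commit also deletes the `# For use in our CI only` header that marked this image as not meant for deployment. Root appears to be needed only for `update-ca-certificates` inside the `CMD`; if it has to stay, restore a first-line comment such as `# CI only: runs as root with open registration and federation; expects the Complement CA under /ca`. `HEALTHCHECK --start-period=2s --interval=2s CMD true` always reports healthy, so it cannot tell the test harness that Conduit is listening; a probe against port 6167 would. `ENTRYPOINT [""]` sets an entrypoint of one empty string; if the intent is to clear the base image's entrypoint, `ENTRYPOINT []` is the usual spelling.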
@@ -0,0 +1,119 @@
+{
+ "logging": {
+ "logs": {
+ "default": {
+ "level": "WARN",
+ "writer": {
+ "output": "stdout"
+ },
+ "encoder": {
+ "format": "console"
+ }
+ }
+ }
+ },
+ "apps": {
+ "http": {
+ "servers": {
+ "srv0": {
+ "listen": [":8448"],
+ "routes": [
+ {
+ "match": [
+ {
+ "host": ["your.server.name", "*"]
+ }
+ ],
+ "handle": [
+ {
+ "handler": "subroute",
+ "routes": [
+ {
+ "handle": [
+ {
+ "handler": "reverse_proxy",
+ "upstreams": [
+ {
+ "dial": "0.0.0.0:6167"
+ }
+ ]
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "terminal": true
+ }
+ ]
+ },
+ "srv1": {
+ "listen": [":8008"],
+ "automatic_https": {
+ "disable": true,
+ "disable_redirects": true
+ },
+ "routes": [
+ {
+ "match": [
+ {
+ "host": ["your.server.name", "*"]
+ }
+ ],
+ "handle": [
+ {
+ "handler": "subroute",
+ "routes": [
+ {
+ "handle": [
+ {
+ "handler": "reverse_proxy",
+ "upstreams": [
+ {
+ "dial": "0.0.0.0:6167"
+ }
+ ]
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "terminal": true
+ }
+ ]
+ }
+ }
+ },
+ "tls": {
+ "automation": {
+ "policies": [
+ {
+ "subjects": ["your.server.name"],
+ "issuers": [
+ {
+ "module": "internal"
+ }
+ ],
+ "on_demand": true
+ }
+ ]
+ }
+ },
+ "pki": {
+ "certificate_authorities": {
+ "local": {
+ "name": "Complement CA",
+ "root": {
+ "certificate": "/ca/ca.crt",
+ "private_key": "/ca/ca.key"
+ },
+ "intermediate": {
+ "certificate": "/ca/ca.crt",
+ "private_key": "/ca/ca.key"
+ }
+ }
+ }
+ }
+ }
+}
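Review bot: Both reverse-proxy upstreams use `"dial": "0.0.0.0:6167"`, but `0.0.0.0` is a wildcard bind address rather than a destination and only happens to reach the local host on Linux. The inline config this file replaces dialed `127.0.0.1`, so `"dial": "127.0.0.1:6167"` keeps the proxy explicitly on loopback. The `"host": ["your.server.name", "*"]` matchers accept every Host header, which makes the first entry redundant. If that is intended for Complement's dynamic host names, it is worth recording next to the `COPY` in the Dockerfile, since JSON cannot carry the comment. The `pki` block points root and intermediate at the same `/ca/ca.key`, which is another reason this file should stay test-only.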