Skip to content

VAULT-31185 & 31186/use identity token auth for Artifactory in Vault CE & Ent #31255

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 6 commits into from
Jul 28, 2025
Merged

VAULT-31185 & 31186/use identity token auth for Artifactory in Vault CE & Ent #31255

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
056e6a0
removed artifactory_username
kporter101 Jul 11, 2025
b884bf2
updated artifactory token
kporter101 Jul 11, 2025
a91a48d
ran enos fmt
kporter101 Jul 14, 2025
0f34404
ran terraform fmt
kporter101 Jul 14, 2025
7b5e964
debugging/ testing - pinned enos version, added null username
kporter101 Jul 23, 2025
f2d21c4
byyyyy
kporter101 Jul 25, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
10 changes: 3 additions & 7 deletions .github/workflows/test-run-enos-scenario-matrix.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -131,8 +131,7 @@ jobs:
caCertificate: ${{ steps.vault-auth.outputs.ca_certificate }}
token: ${{ steps.vault-auth.outputs.token }}
secrets: |
kv/data/github/${{ github.repository }}/artifactory token | ARTIFACTORY_TOKEN;
kv/data/github/${{ github.repository }}/artifactory username | ARTIFACTORY_USER;
kv/data/github/${{ github.repository }}/artifactory bearer-token | ARTIFACTORY_BEARER_TOKEN;
kv/data/github/${{ github.repository }}/aws access-key-id | AWS_ACCESS_KEY_ID_CI;
kv/data/github/${{ github.repository }}/aws secret-access-key | AWS_SECRET_ACCESS_KEY_CI;
kv/data/github/${{ github.repository }}/aws role-arn | AWS_ROLE_ARN_CI;
Expand All @@ -146,8 +145,7 @@ jobs:
run: |
if [[ "${{ needs.metadata.outputs.is-enterprise }}" != 'true' ]]; then
{
echo "artifactory-user=${{ secrets.ARTIFACTORY_USER }}"
echo "artifactory-token=${{ secrets.ARTIFACTORY_TOKEN }}"
echo "artifactory-token=${{ secrets.ARTIFACTORY_BEARER_TOKEN }}"
echo "aws-access-key-id=${{ secrets.AWS_ACCESS_KEY_ID_CI }}"
echo "aws-secret-access-key=${{ secrets.AWS_SECRET_ACCESS_KEY_CI }}"
echo "aws-role-arn=${{ secrets.AWS_ROLE_ARN_CI }}"
Expand All @@ -162,8 +160,7 @@ jobs:
} | tee -a "$GITHUB_OUTPUT"
else
{
echo "artifactory-user=${{ steps.vault-secrets.outputs.ARTIFACTORY_USER }}"
echo "artifactory-token=${{ steps.vault-secrets.outputs.ARTIFACTORY_TOKEN }}"
echo "artifactory-token=${{ steps.vault-secrets.outputs.ARTIFACTORY_BEARER_TOKEN }}"
echo "aws-access-key-id=${{ steps.vault-secrets.outputs.AWS_ACCESS_KEY_ID_CI }}"
echo "aws-secret-access-key=${{ steps.vault-secrets.outputs.AWS_SECRET_ACCESS_KEY_CI }}"
echo "aws-role-arn=${{ steps.vault-secrets.outputs.AWS_ROLE_ARN_CI }}"
Expand All @@ -183,7 +180,6 @@ jobs:
{
echo "GITHUB_TOKEN=${{ steps.secrets.outputs.github-token }}"
echo "ENOS_DEBUG_DATA_ROOT_DIR=/tmp/enos-debug-data"
echo "ENOS_VAR_artifactory_username=${{ steps.secrets.outputs.artifactory-user }}"
echo "ENOS_VAR_artifactory_token=${{ steps.secrets.outputs.artifactory-token }}"
echo "ENOS_VAR_aws_region=${{ matrix.attributes.aws_region }}"
echo "ENOS_VAR_aws_ssh_keypair_name=${{ inputs.ssh-key-name }}"
Expand Down
1 change: 0 additions & 1 deletion enos/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -184,7 +184,6 @@ unzipped Vault binary at the `vault_local_binary_path`.

## `artifact_source:artifactory`
This variant is for running the Enos scenario to test an artifact from Artifactory. It requires following Enos variables to be set:
* `artifactory_username`
* `artifactory_token`
* `aws_ssh_keypair_name`
* `aws_ssh_private_key_path`
Expand Down
17 changes: 7 additions & 10 deletions enos/enos-dev-scenario-pr-replication.hcl
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -113,12 +113,10 @@ scenario "dev_pr_replication" {
artifactory_repo:
The artifactory host to search. It's very unlikely that you'll want to change this. The
default value is where CRT will publish packages.
artifactory_username:
The artifactory username associated with your token. You'll need this if you wish to use
deb or rpm artifacts! You can request access via Okta.
artifactory_token:
The artifactory token associated with your username. You'll need this if you wish to use
deb or rpm artifacts! You can create a token by logging into Artifactory via Okta.
The artifactory identity token to use for authentication. You'll need this if you wish
to use deb or rpm artifacts! You can get a token by joining the 'artifactory-users' Doormat
group and using 'doormat artifactory create-token'.
dev_build_local_ui:
If you are not testing any changes in the UI, set to false. This will save time by not
building the entire UI. If you need to test the UI, set to true.
Expand Down Expand Up @@ -149,11 +147,10 @@ scenario "dev_pr_replication" {
// Required when using a RPM or Deb package
// Some of these variables don't have default values so we'll only set them if they are
// required.
artifactory_host = local.use_artifactory ? var.artifactory_host : null
artifactory_repo = local.use_artifactory ? var.artifactory_repo : null
artifactory_username = local.use_artifactory ? var.artifactory_username : null
artifactory_token = local.use_artifactory ? var.artifactory_token : null
distro = matrix.distro
artifactory_host = local.use_artifactory ? var.artifactory_host : null
artifactory_repo = local.use_artifactory ? var.artifactory_repo : null
artifactory_token = local.use_artifactory ? var.artifactory_token : null
distro = matrix.distro
}
}

Expand Down
19 changes: 8 additions & 11 deletions enos/enos-dev-scenario-single-cluster.hcl
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -107,12 +107,10 @@ scenario "dev_single_cluster" {
artifactory_repo:
The artifactory host to search. It's very unlikely that you'll want to change this. The
default value is where CRT will publish packages.
artifactory_username:
The artifactory username associated with your token. You'll need this if you wish to use
deb or rpm artifacts! You can request access via Okta.
artifactory_token:
The artifactory token associated with your username. You'll need this if you wish to use
deb or rpm artifacts! You can create a token by logging into Artifactory via Okta.
The artifactory identity token to use for authentication. You'll need this if you wish
to use deb or rpm artifacts! You can get a token by joining the 'artifactory-users' Doormat
group and using 'doormat artifactory create-token'.
dev_build_local_ui:
If you are not testing any changes in the UI, set to false. This will save time by not
building the entire UI. If you need to test the UI, set to true.
Expand Down Expand Up @@ -143,12 +141,11 @@ scenario "dev_single_cluster" {
// Required when using a RPM or Deb package
// Some of these variables don't have default values so we'll only set them if they are
// required.
artifactory_host = local.use_artifactory ? var.artifactory_host : null
artifactory_repo = local.use_artifactory ? var.artifactory_repo : null
artifactory_username = local.use_artifactory ? var.artifactory_username : null
artifactory_token = local.use_artifactory ? var.artifactory_token : null
distro = matrix.distro
distro_version = global.distro_version[matrix.distro]
artifactory_host = local.use_artifactory ? var.artifactory_host : null
artifactory_repo = local.use_artifactory ? var.artifactory_repo : null
artifactory_token = local.use_artifactory ? var.artifactory_token : null
distro = matrix.distro
distro_version = global.distro_version[matrix.distro]
}
}

Expand Down
28 changes: 13 additions & 15 deletions enos/enos-scenario-agent.hcl
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -27,7 +27,6 @@ scenario "agent" {
https://eng-handbook.hashicorp.services/internal-tools/enos/troubleshooting/#execution-error-expected-vs-got-for-vault-versioneditionrevisionbuild-date.

Variables required for some scenario variants:
- artifactory_username (if using `artifact_source:artifactory` in your filter)
- artifactory_token (if using `artifact_source:artifactory` in your filter)
- aws_region (if different from the default value in enos-variables.hcl)
- consul_license_path (if using an ENT edition of Consul)
Expand Down Expand Up @@ -102,20 +101,19 @@ scenario "agent" {
module = "build_${matrix.artifact_source}"

variables {
build_tags = var.vault_local_build_tags != null ? var.vault_local_build_tags : global.build_tags[matrix.edition]
artifact_path = local.artifact_path
goarch = matrix.arch
goos = "linux"
artifactory_host = matrix.artifact_source == "artifactory" ? var.artifactory_host : null
artifactory_repo = matrix.artifact_source == "artifactory" ? var.artifactory_repo : null
artifactory_username = matrix.artifact_source == "artifactory" ? var.artifactory_username : null
artifactory_token = matrix.artifact_source == "artifactory" ? var.artifactory_token : null
arch = matrix.artifact_source == "artifactory" ? matrix.arch : null
product_version = var.vault_product_version
artifact_type = matrix.artifact_type
distro = matrix.artifact_source == "artifactory" ? matrix.distro : null
edition = matrix.artifact_source == "artifactory" ? matrix.edition : null
revision = var.vault_revision
build_tags = var.vault_local_build_tags != null ? var.vault_local_build_tags : global.build_tags[matrix.edition]
artifact_path = local.artifact_path
goarch = matrix.arch
goos = "linux"
artifactory_host = matrix.artifact_source == "artifactory" ? var.artifactory_host : null
artifactory_repo = matrix.artifact_source == "artifactory" ? var.artifactory_repo : null
artifactory_token = matrix.artifact_source == "artifactory" ? var.artifactory_token : null
arch = matrix.artifact_source == "artifactory" ? matrix.arch : null
product_version = var.vault_product_version
artifact_type = matrix.artifact_type
distro = matrix.artifact_source == "artifactory" ? matrix.distro : null
edition = matrix.artifact_source == "artifactory" ? matrix.edition : null
revision = var.vault_revision
}
}

Expand Down
28 changes: 13 additions & 15 deletions enos/enos-scenario-autopilot.hcl
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -29,7 +29,6 @@ scenario "autopilot" {
https://eng-handbook.hashicorp.services/internal-tools/enos/troubleshooting/#execution-error-expected-vs-got-for-vault-versioneditionrevisionbuild-date.

Variables required for some scenario variants:
- artifactory_username (if using `artifact_source:artifactory` in your filter)
- artifactory_token (if using `artifact_source:artifactory` in your filter)
- aws_region (if different from the default value defined in enos-variables.hcl)
- consul_license_path (if using an ENT edition of Consul)
Expand Down Expand Up @@ -112,20 +111,19 @@ scenario "autopilot" {
module = "build_${matrix.artifact_source}"

variables {
build_tags = var.vault_local_build_tags != null ? var.vault_local_build_tags : global.build_tags[matrix.edition]
artifact_path = local.artifact_path
goarch = matrix.arch
goos = "linux"
artifactory_host = matrix.artifact_source == "artifactory" ? var.artifactory_host : null
artifactory_repo = matrix.artifact_source == "artifactory" ? var.artifactory_repo : null
artifactory_username = matrix.artifact_source == "artifactory" ? var.artifactory_username : null
artifactory_token = matrix.artifact_source == "artifactory" ? var.artifactory_token : null
arch = matrix.artifact_source == "artifactory" ? matrix.arch : null
product_version = var.vault_product_version
artifact_type = matrix.artifact_type
distro = matrix.artifact_source == "artifactory" ? matrix.distro : null
edition = matrix.artifact_source == "artifactory" ? matrix.edition : null
revision = var.vault_revision
build_tags = var.vault_local_build_tags != null ? var.vault_local_build_tags : global.build_tags[matrix.edition]
artifact_path = local.artifact_path
goarch = matrix.arch
goos = "linux"
artifactory_host = matrix.artifact_source == "artifactory" ? var.artifactory_host : null
artifactory_repo = matrix.artifact_source == "artifactory" ? var.artifactory_repo : null
artifactory_token = matrix.artifact_source == "artifactory" ? var.artifactory_token : null
arch = matrix.artifact_source == "artifactory" ? matrix.arch : null
product_version = var.vault_product_version
artifact_type = matrix.artifact_type
distro = matrix.artifact_source == "artifactory" ? matrix.distro : null
edition = matrix.artifact_source == "artifactory" ? matrix.edition : null
revision = var.vault_revision
}
}

Expand Down
27 changes: 13 additions & 14 deletions enos/enos-scenario-benchmark.hcl
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -128,20 +128,19 @@ scenario "benchmark" {
module = "build_${matrix.artifact_source}"

variables {
build_tags = var.vault_local_build_tags != null ? var.vault_local_build_tags : global.build_tags[matrix.edition]
artifact_path = local.artifact_path
goarch = matrix.arch
goos = "linux"
artifactory_host = matrix.artifact_source == "artifactory" ? var.artifactory_host : null
artifactory_repo = matrix.artifact_source == "artifactory" ? var.artifactory_repo : null
artifactory_username = matrix.artifact_source == "artifactory" ? var.artifactory_username : null
artifactory_token = matrix.artifact_source == "artifactory" ? var.artifactory_token : null
arch = matrix.artifact_source == "artifactory" ? matrix.arch : null
product_version = var.vault_product_version
artifact_type = matrix.artifact_type
distro = matrix.artifact_source == "artifactory" ? matrix.distro : null
edition = matrix.artifact_source == "artifactory" ? matrix.edition : null
revision = var.vault_revision
build_tags = var.vault_local_build_tags != null ? var.vault_local_build_tags : global.build_tags[matrix.edition]
artifact_path = local.artifact_path
goarch = matrix.arch
goos = "linux"
artifactory_host = matrix.artifact_source == "artifactory" ? var.artifactory_host : null
artifactory_repo = matrix.artifact_source == "artifactory" ? var.artifactory_repo : null
artifactory_token = matrix.artifact_source == "artifactory" ? var.artifactory_token : null
arch = matrix.artifact_source == "artifactory" ? matrix.arch : null
product_version = var.vault_product_version
artifact_type = matrix.artifact_type
distro = matrix.artifact_source == "artifactory" ? matrix.distro : null
edition = matrix.artifact_source == "artifactory" ? matrix.edition : null
revision = var.vault_revision
}
}

Expand Down
28 changes: 13 additions & 15 deletions enos/enos-scenario-dr-replication.hcl
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -32,7 +32,6 @@ scenario "dr_replication" {
https://eng-handbook.hashicorp.services/internal-tools/enos/troubleshooting/#execution-error-expected-vs-got-for-vault-versioneditionrevisionbuild-date.

Variables required for some scenario variants:
- artifactory_username (if using `artifact_source:artifactory` in your filter)
- artifactory_token (if using `artifact_source:artifactory` in your filter)
- aws_region (if different from the default value in enos-variables.hcl)
- consul_license_path (if using an ENT edition of Consul)
Expand Down Expand Up @@ -125,20 +124,19 @@ scenario "dr_replication" {
module = "build_${matrix.artifact_source}"

variables {
build_tags = var.vault_local_build_tags != null ? var.vault_local_build_tags : global.build_tags[matrix.edition]
artifact_path = local.artifact_path
goarch = matrix.arch
goos = "linux"
artifactory_host = matrix.artifact_source == "artifactory" ? var.artifactory_host : null
artifactory_repo = matrix.artifact_source == "artifactory" ? var.artifactory_repo : null
artifactory_username = matrix.artifact_source == "artifactory" ? var.artifactory_username : null
artifactory_token = matrix.artifact_source == "artifactory" ? var.artifactory_token : null
arch = matrix.artifact_source == "artifactory" ? matrix.arch : null
product_version = var.vault_product_version
artifact_type = matrix.artifact_type
distro = matrix.artifact_source == "artifactory" ? matrix.distro : null
edition = matrix.artifact_source == "artifactory" ? matrix.edition : null
revision = var.vault_revision
build_tags = var.vault_local_build_tags != null ? var.vault_local_build_tags : global.build_tags[matrix.edition]
artifact_path = local.artifact_path
goarch = matrix.arch
goos = "linux"
artifactory_host = matrix.artifact_source == "artifactory" ? var.artifactory_host : null
artifactory_repo = matrix.artifact_source == "artifactory" ? var.artifactory_repo : null
artifactory_token = matrix.artifact_source == "artifactory" ? var.artifactory_token : null
arch = matrix.artifact_source == "artifactory" ? matrix.arch : null
product_version = var.vault_product_version
artifact_type = matrix.artifact_type
distro = matrix.artifact_source == "artifactory" ? matrix.distro : null
edition = matrix.artifact_source == "artifactory" ? matrix.edition : null
revision = var.vault_revision
}
}

Expand Down
28 changes: 13 additions & 15 deletions enos/enos-scenario-pr-replication.hcl
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -32,7 +32,6 @@ scenario "pr_replication" {
https://eng-handbook.hashicorp.services/internal-tools/enos/troubleshooting/#execution-error-expected-vs-got-for-vault-versioneditionrevisionbuild-date.

Variables required for some scenario variants:
- artifactory_username (if using `artifact_source:artifactory` in your filter)
- artifactory_token (if using `artifact_source:artifactory` in your filter)
- aws_region (if different from the default value in enos-variables.hcl)
- consul_license_path (if using an ENT edition of Consul)
Expand Down Expand Up @@ -125,20 +124,19 @@ scenario "pr_replication" {
module = "build_${matrix.artifact_source}"

variables {
build_tags = var.vault_local_build_tags != null ? var.vault_local_build_tags : global.build_tags[matrix.edition]
artifact_path = local.artifact_path
goarch = matrix.arch
goos = "linux"
artifactory_host = matrix.artifact_source == "artifactory" ? var.artifactory_host : null
artifactory_repo = matrix.artifact_source == "artifactory" ? var.artifactory_repo : null
artifactory_username = matrix.artifact_source == "artifactory" ? var.artifactory_username : null
artifactory_token = matrix.artifact_source == "artifactory" ? var.artifactory_token : null
arch = matrix.artifact_source == "artifactory" ? matrix.arch : null
product_version = var.vault_product_version
artifact_type = matrix.artifact_type
distro = matrix.artifact_source == "artifactory" ? matrix.distro : null
edition = matrix.artifact_source == "artifactory" ? matrix.edition : null
revision = var.vault_revision
build_tags = var.vault_local_build_tags != null ? var.vault_local_build_tags : global.build_tags[matrix.edition]
artifact_path = local.artifact_path
goarch = matrix.arch
goos = "linux"
artifactory_host = matrix.artifact_source == "artifactory" ? var.artifactory_host : null
artifactory_repo = matrix.artifact_source == "artifactory" ? var.artifactory_repo : null
artifactory_token = matrix.artifact_source == "artifactory" ? var.artifactory_token : null
arch = matrix.artifact_source == "artifactory" ? matrix.arch : null
product_version = var.vault_product_version
artifact_type = matrix.artifact_type
distro = matrix.artifact_source == "artifactory" ? matrix.distro : null
edition = matrix.artifact_source == "artifactory" ? matrix.edition : null
revision = var.vault_revision
}
}

Expand Down
Loading
Loading