Run additional HAProxy tests #1097
Conversation
| # These tests pass when run locally but are not supported in CodeBuild, see CryptoAlg-1965. | ||
| # ssl_dh.vtc expects to use libssl with a FFDH ciphersuite which is unsupported, it will be gracefully turned off in | ||
| # ssl_dh.vtc with the change in https://github.com/andrewhop/haproxy/pull/1 | ||
| excluded_tests=("mcli_show_info.vtc" "mcli_start_progs.vtc" "tls_basic_sync.vtc" "tls_basic_sync_wo_stkt_backend.vtc" "acl_cli_spaces.vtc" "http_reuse_always.vtc" "ocsp_auto_update.vtc" "ssl_dh.vtc") |
There was a problem hiding this comment.
something wrong happened here ((
https://github.com/haproxy/haproxy/blob/master/reg-tests/peers/tls_basic_sync.vtc#L5
"tls_basic_sync.vtc" is marked as "SLOW", such tests are often not stable and should not be run regularly.
actually, supposed way of invocation is https://github.com/haproxy/haproxy/blob/master/.github/workflows/vtest.yml#L142
make reg-tests VTEST_PROGRAM=../vtest/vtest REGTESTS_TYPES=default,bug,devel
I consider that as lack of documentation. Probably we should add that convention somewhere
There was a problem hiding this comment.
This would work once andrewhop/haproxy#1 is merged in which skips ssl_dh.vtc when HAProxy is built with AWS-LC. For now I have to keep the manual filter to skip ssl_dh.vtc.
| @@ -25,10 +25,13 @@ export LD_LIBRARY_PATH="${AWS_LC_INSTALL_FOLDER}/lib" | |||
|
|
|||
| function build_and_test_haproxy() { | |||
| cd ${HAPROXY_SRC} | |||
| make CC="${CC}" -j ${NUM_CPU_THREADS} TARGET=generic USE_OPENSSL=1 SSL_INC="${AWS_LC_INSTALL_FOLDER}/include" SSL_LIB="${AWS_LC_INSTALL_FOLDER}/lib/" | |||
| make CC="${CC}" -j ${NUM_CPU_THREADS} TARGET=generic USE_OPENSSL=1 SSL_INC="${AWS_LC_INSTALL_FOLDER}/include" \ | |||
| SSL_LIB="${AWS_LC_INSTALL_FOLDER}/lib/" USE_LUA=1 LUA_LIB_NAME=lua5.4 | |||
There was a problem hiding this comment.
it would be nice to add USE_QUIC=1 (not enabled automatically)
There was a problem hiding this comment.
do we really need USE_LUA=1 LUA_LIB_NAME=lua5.4 ?
what if we leave only USE_LUA=1 ?
There was a problem hiding this comment.
That seems to work, I was running into issues locally with the lua name detection.
There was a problem hiding this comment.
AWS-LC currently doesn't support HAProxy's use of QUIC as the names of some functions are different. You have if/defs for BoringSSL to address that issue. We are thinking about adding that mapping for greater OpenSSL compatibility in CryptoAlg-1982. Otherwise HAProxy could expand this BoringSSL macro to include AWS-LC.
andrewhop
changed the title
|
|
||
| # Test with static AWS-LC libraries | ||
| aws_lc_build ${SRC_ROOT} ${AWS_LC_BUILD_FOLDER} ${AWS_LC_INSTALL_FOLDER} -DBUILD_SHARED_LIBS=0 | ||
| aws_lc_build ${SRC_ROOT} ${AWS_LC_BUILD_FOLDER} ${AWS_LC_INSTALL_FOLDER} -DBUILD_SHARED_LIBS=0 -DBUILD_TESTING=0 |
There was a problem hiding this comment.
Could improve code-reuse for integration tests I suppose(?).
At some point.
Description of changes:
This installs the remaining missing test dependencies so our CI agrees with HAProxy's CI and the only failing test is
ssl_dh.vtcdue to our libssl not supporting FFDH ciphersuites. My proposed change in andrewhop/haproxy#1 will turn off this test when built with AWS-LC for now.Also removed the duplicate
curlon line 28 and 50 of the Dockerfile.Call-outs:
The filtering can be removed if HAProxy takes the change proposed in andrewhop/haproxy#1.
Testing:
Before:
After:
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license and the ISC license.