Remove the "netaccess" container from the docker-compose dev environment. (#7123)

Remove the "netaccess" container from the docker-compose dev
environment.

It isn't needed during a regular 'docker compose up' developer
environment, and only really serves as a way to use the same tools image
in CI. Two checks run during CI are the govulncheck and verifying go mod
tidy / go vendor. Neither of these checks require anything from the
custom image other than Golang itself, which can be provided directly
from the CI environment.

If a developer is working inside the existing containers, they can still
run `go mod tidy; go mod vendor` themselves, which is a standard Golang
workflow and thus is simpler than using the netaccess image via docker
compose.

Author: mcpherrinm

.github/workflows/boulder-ci.yml

@@ -55,11 +55,6 @@ jobs:
           - "./t.sh --unit --enable-race-detection"
           - "./tn.sh --unit --enable-race-detection"
           - "./t.sh --start-py"
-          # gomod-vendor runs with a separate network access definition
-          # because it needs to fetch packages from GitHub et. al., which
-          # is incompatible with the DNS server override in the boulder
-          # container (used for service discovery).
-          - "docker compose run --use-aliases netaccess ./test.sh --gomod-vendor"
 
     env:
       # This sets the docker image tag for the boulder-tools repository to
@@ -109,54 +104,48 @@ jobs:
       # When set to true, GitHub cancels all in-progress jobs if any matrix job fails. Default: true
       fail-fast: false
       matrix:
-        # Add additional docker image tags here and all tests will be run with the additional image.
-        BOULDER_TOOLS_TAG:
-          - go1.21.3_2023-10-12
-
-    env:
-      # This sets the docker image tag for the boulder-tools repository to
-      # use in tests. It will be set appropriately for each tag in the list
-      # defined in the matrix.
-      BOULDER_TOOLS_TAG: ${{ matrix.BOULDER_TOOLS_TAG }}
+        go-version: [ '1.21.3' ]
 
     steps:
       # Checks out your repository under $GITHUB_WORKSPACE, so your job can access it
       - uses: actions/checkout@v3
         with:
           persist-credentials: false
 
-      - name: Docker Login
-        # You may pin to the exact commit or the version.
-        # uses: docker/login-action@f3364599c6aa293cdc2b8391b1b56d0c30e45c8a
-        uses: docker/[email protected]
+      - name: Setup Go ${{ matrix.go-version }}
+        uses: actions/setup-go@v4
         with:
-          # Username used to log against the Docker registry
-          username: ${{ secrets.DOCKER_USERNAME}}
-          # Password or personal access token used to log against the Docker registry
-          password: ${{ secrets.DOCKER_PASSWORD}}
-          # Log out from the Docker registry at the end of a job
-          logout: true
-        continue-on-error: true
+          go-version: ${{ matrix.go-version }}
 
-      # Print the env variable being used to pull the docker image. For
-      # informational use.
-      - name: Print BOULDER_TOOLS_TAG
-        run: echo "Using BOULDER_TOOLS_TAG ${BOULDER_TOOLS_TAG}"
+      - name: Run govulncheck
+        run: go run golang.org/x/vuln/cmd/govulncheck@latest ./...
 
-      # Pre-pull the docker containers before running the tests.
-      - name: docker compose pull netaccess
-        run: docker compose pull netaccess
+  vendorcheck:
+    runs-on: ubuntu-20.04
+    strategy:
+      # When set to true, GitHub cancels all in-progress jobs if any matrix job fails. Default: true
+      fail-fast: false
+      matrix:
+        go-version: [ '1.21.3' ]
 
-      # Enable https://github.com/golang/go/wiki/LoopvarExperiment
-      - run: echo "GOEXPERIMENT=loopvar" >> "$GITHUB_ENV"
+    steps:
+      # Checks out your repository under $GITHUB_WORKSPACE, so your job can access it
+      - uses: actions/checkout@v3
+        with:
+          persist-credentials: false
+
+      - name: Setup Go ${{ matrix.go-version }}
+        uses: actions/setup-go@v4
+        with:
+          go-version: ${{ matrix.go-version }}
+
+      - name: Verify vendor
+        shell: bash
+        run: |
+          go mod tidy
+          go mod vendor
+          git diff --exit-code
 
-      # Unset the GOFLAGS environment variable because, by default, it will be
-      # set to "GOFLAGS='-mod=vendor'" which all go subcommands will utilize. In
-      # this instance, we want to run a package that isn't vendored in our
-      # repository because 1) we don't need this package for CA operations and
-      # 2) we want the benefits of vulnerability checking.
-      - name: Run govulncheck
-        run: docker compose run -e GOFLAGS= netaccess go run golang.org/x/vuln/cmd/govulncheck@latest ./...
 
   # This is a utility build job to detect if the status of any of the
   # above jobs have failed and fail if so. It is needed so there can be

docker-compose.yml

@@ -2,13 +2,13 @@ version: '3'
 services:
   boulder:
     # Should match one of the GO_DEV_VERSIONS in test/boulder-tools/tag_and_upload.sh.
-    image: &boulder_image letsencrypt/boulder-tools:${BOULDER_TOOLS_TAG:-go1.21.3_2023-10-12}
+    image: letsencrypt/boulder-tools:${BOULDER_TOOLS_TAG:-go1.21.3_2023-10-12}
     environment:
       # To solve HTTP-01 and TLS-ALPN-01 challenges, change the IP in FAKE_DNS
       # to the IP address where your ACME client's solver is listening.
       # FAKE_DNS: 172.17.0.1
       FAKE_DNS: 10.77.77.77
-      BOULDER_CONFIG_DIR: &boulder_config_dir test/config
+      BOULDER_CONFIG_DIR: test/config
       GOFLAGS: -mod=vendor
       # Forward the parent env's GOEXPERIMENT value into the container.
       GOEXPERIMENT: ${GOEXPERIMENT}
@@ -132,19 +132,6 @@ services:
         ipv4_address: 10.88.88.10
     command: "consul agent -dev -config-format=hcl -config-file=/test/consul/config.hcl"
 
-  netaccess:
-    image: *boulder_image
-    environment:
-      GO111MODULE: "on"
-      GOFLAGS: -mod=vendor
-      BOULDER_CONFIG_DIR: *boulder_config_dir
-    networks:
-      - bluenet
-    volumes:
-      - .:/boulder
-    working_dir: *boulder_working_dir
-    entrypoint: test/entrypoint-netaccess.sh
-
   bjaeger:
     image: jaegertracing/all-in-one:1.50
     networks:

test.sh

@@ -100,7 +100,6 @@ With no options passed, runs standard battery of tests (lint, unit, and integrat
     -n, --config-next                     Changes BOULDER_CONFIG_DIR from test/config to test/config-next
     -i, --integration                     Adds integration to the list of tests to run
     -s, --start-py                        Adds start to the list of tests to run
-    -m, --gomod-vendor                    Adds gomod-vendor to the list of tests to run
     -g, --generate                        Adds generate to the list of tests to run
     -o, --list-integration-tests          Outputs a list of the available integration tests
     -f <REGEX>, --filter=<REGEX>          Run only those tests matching the regular expression
@@ -135,7 +134,6 @@ while getopts luvweciosmgnhp:f:-: OPT; do
     o | list-integration-tests )     print_list_of_integration_tests ;;
     f | filter )                     check_arg; FILTER+=("${OPTARG}") ;;
     s | start-py )                   RUN+=("start") ;;
-    m | gomod-vendor )               RUN+=("gomod-vendor") ;;
     g | generate )                   RUN+=("generate") ;;
     n | config-next )                BOULDER_CONFIG_DIR="test/config-next" ;;
     h | help )                       print_usage_exit ;;
@@ -145,9 +143,7 @@ while getopts luvweciosmgnhp:f:-: OPT; do
 done
 shift $((OPTIND-1)) # remove parsed options and args from $@ list
 
-# The list of segments to run. Order doesn't matter. Note: gomod-vendor
-# is specifically left out of the defaults, because we don't want to run
-# it locally (it could delete local state).
+# The list of segments to run. Order doesn't matter.
 if [ -z "${RUN[@]+x}" ]
 then
   RUN+=("lints" "unit" "integration")
@@ -260,17 +256,6 @@ if [[ "${RUN[@]}" =~ "$STAGE" ]] ; then
   fi
 fi
 
-# Run go mod vendor (happens only in CI) to check that the versions in
-# vendor/ really exist in the remote repo and match what we have.
-STAGE="gomod-vendor"
-if [[ "${RUN[@]}" =~ "$STAGE" ]] ; then
-  print_heading "Running Go Mod Tidy"
-  go mod tidy
-  print_heading "Running Go Mod Vendor"
-  go mod vendor
-  run_and_expect_silence git diff --exit-code .
-fi
-
 # Run generate to make sure all our generated code can be re-generated with
 # current tools.
 # Note: Some of the tools we use seemingly don't understand ./vendor yet, and