luxolus/open-nomad
2
0
Fork 0
Code Issues 1 Pull requests Packages Releases Wiki Activity
open-nomad/client/allocrunner/taskrunner/sids_hook_test.go

Ignoring revisions in .git-blame-ignore-revs. Click here to bypass and see the normal blame view.

315 lines
7.7 KiB
Go
Raw Normal View History

[COMPLIANCE] Add Copyright and License Headers
2023-04-10 15:36:59 +00:00
// Copyright (c) HashiCorp, Inc.
// SPDX-License-Identifier: MPL-2.0
gofmt all the files mostly to handle build directives in 1.17.
2021-10-01 13:59:55 +00:00
//go:build !windows
tests: skip some SIDS hook tests if running tests as root
2020-01-30 22:16:45 +00:00
// +build !windows
gofmt all the files mostly to handle build directives in 1.17.
2021-10-01 13:59:55 +00:00
tests: skip some SIDS hook tests if running tests as root
2020-01-30 22:16:45 +00:00
// todo(shoenig): Once Connect is supported on Windows, we'll need to make this
// set of tests work there too.
client: enable nomad client to request and set SI tokens for tasks When a job is configured with Consul Connect aware tasks (i.e. sidecar), the Nomad Client should be able to request from Consul (through Nomad Server) Service Identity tokens specific to those tasks.
2019-11-27 21:41:45 +00:00
package taskrunner
import (
"context"
"os"
client: additional test cases around failures in SIDS hook
2020-01-30 21:33:20 +00:00
"path/filepath"
client: enable nomad client to request and set SI tokens for tasks When a job is configured with Consul Connect aware tasks (i.e. sidecar), the Nomad Client should be able to request from Consul (through Nomad Server) Service Identity tokens specific to those tasks.
2019-11-27 21:41:45 +00:00
"testing"
"time"
ci: swap ci parallelization for unconstrained gomaxprocs
2022-03-15 12:42:43 +00:00
"github.com/hashicorp/nomad/ci"
client: enable nomad client to request and set SI tokens for tasks When a job is configured with Consul Connect aware tasks (i.e. sidecar), the Nomad Client should be able to request from Consul (through Nomad Server) Service Identity tokens specific to those tasks.
2019-11-27 21:41:45 +00:00
"github.com/hashicorp/nomad/client/allocrunner/interfaces"
tests: skip some SIDS hook tests if running tests as root
2020-01-30 22:16:45 +00:00
consulapi "github.com/hashicorp/nomad/client/consul"
client: enable nomad client to request and set SI tokens for tasks When a job is configured with Consul Connect aware tasks (i.e. sidecar), the Nomad Client should be able to request from Consul (through Nomad Server) Service Identity tokens specific to those tasks.
2019-11-27 21:41:45 +00:00
"github.com/hashicorp/nomad/helper"
"github.com/hashicorp/nomad/helper/testlog"
nomad,client: apply more comment/style PR tweaks
2020-01-15 15:29:47 +00:00
"github.com/hashicorp/nomad/helper/uuid"
tests: skip some SIDS hook tests if running tests as root
2020-01-30 22:16:45 +00:00
"github.com/hashicorp/nomad/nomad/mock"
client: enable nomad client to request and set SI tokens for tasks When a job is configured with Consul Connect aware tasks (i.e. sidecar), the Nomad Client should be able to request from Consul (through Nomad Server) Service Identity tokens specific to those tasks.
2019-11-27 21:41:45 +00:00
"github.com/hashicorp/nomad/nomad/structs"
"github.com/stretchr/testify/require"
tests: skip some SIDS hook tests if running tests as root
2020-01-30 22:16:45 +00:00
"golang.org/x/sys/unix"
client: enable nomad client to request and set SI tokens for tasks When a job is configured with Consul Connect aware tasks (i.e. sidecar), the Nomad Client should be able to request from Consul (through Nomad Server) Service Identity tokens specific to those tasks.
2019-11-27 21:41:45 +00:00
)
var _ interfaces.TaskPrestartHook = (*sidsHook)(nil)
client: enable envoy bootstrap hook to set SI token When creating the envoy bootstrap configuration, we should append the "-token=<token>" argument in the case where the sidsHook placed the token in the secrets directory.
2019-12-18 16:23:16 +00:00
func sidecar(task string) (string, structs.TaskKind) {
name := structs.ConnectProxyPrefix + "-" + task
kind := structs.TaskKind(structs.ConnectProxyPrefix + ":" + task)
return name, kind
}
client: enable nomad client to request and set SI tokens for tasks When a job is configured with Consul Connect aware tasks (i.e. sidecar), the Nomad Client should be able to request from Consul (through Nomad Server) Service Identity tokens specific to those tasks.
2019-11-27 21:41:45 +00:00
func TestSIDSHook_recoverToken(t *testing.T) {
ci: swap ci parallelization for unconstrained gomaxprocs
2022-03-15 12:42:43 +00:00
ci.Parallel(t)
client: enable nomad client to request and set SI tokens for tasks When a job is configured with Consul Connect aware tasks (i.e. sidecar), the Nomad Client should be able to request from Consul (through Nomad Server) Service Identity tokens specific to those tasks.
2019-11-27 21:41:45 +00:00
r := require.New(t)
client: set context timeout around SI token derivation The derivation of an SI token needs to be safegaurded by a context timeout, otherwise an unresponsive Consul could cause the siHook to block forever on Prestart.
2020-01-15 15:56:48 +00:00
test: use `T.TempDir` to create temporary test directory (#12853) * test: use `T.TempDir` to create temporary test directory This commit replaces `ioutil.TempDir` with `t.TempDir` in tests. The directory created by `t.TempDir` is automatically removed when the test and all its subtests complete. Prior to this commit, temporary directory created using `ioutil.TempDir` needs to be removed manually by calling `os.RemoveAll`, which is omitted in some tests. The error handling boilerplate e.g. defer func() { if err := os.RemoveAll(dir); err != nil { t.Fatal(err) } } is also tedious, but `t.TempDir` handles this for us nicely. Reference: https://pkg.go.dev/testing#T.TempDir Signed-off-by: Eng Zer Jun <engzerjun@gmail.com> * test: fix TestLogmon_Start_restart on Windows Signed-off-by: Eng Zer Jun <engzerjun@gmail.com> * test: fix failing TestConsul_Integration t.TempDir fails to perform the cleanup properly because the folder is still in use testing.go:967: TempDir RemoveAll cleanup: unlinkat /tmp/TestConsul_Integration2837567823/002/191a6f1a-5371-cf7c-da38-220fe85d10e5/web/secrets: device or resource busy Signed-off-by: Eng Zer Jun <engzerjun@gmail.com>
2022-05-12 15:42:40 +00:00
secrets := t.TempDir()
client: enable nomad client to request and set SI tokens for tasks When a job is configured with Consul Connect aware tasks (i.e. sidecar), the Nomad Client should be able to request from Consul (through Nomad Server) Service Identity tokens specific to those tasks.
2019-11-27 21:41:45 +00:00
client: enable envoy bootstrap hook to set SI token When creating the envoy bootstrap configuration, we should append the "-token=<token>" argument in the case where the sidsHook placed the token in the secrets directory.
2019-12-18 16:23:16 +00:00
taskName, taskKind := sidecar("foo")
client: enable nomad client to request and set SI tokens for tasks When a job is configured with Consul Connect aware tasks (i.e. sidecar), the Nomad Client should be able to request from Consul (through Nomad Server) Service Identity tokens specific to those tasks.
2019-11-27 21:41:45 +00:00
h := newSIDSHook(sidsHookConfig{
client: enable envoy bootstrap hook to set SI token When creating the envoy bootstrap configuration, we should append the "-token=<token>" argument in the case where the sidsHook placed the token in the secrets directory.
2019-12-18 16:23:16 +00:00
task: &structs.Task{
Name: taskName,
Kind: taskKind,
},
client: enable nomad client to request and set SI tokens for tasks When a job is configured with Consul Connect aware tasks (i.e. sidecar), the Nomad Client should be able to request from Consul (through Nomad Server) Service Identity tokens specific to those tasks.
2019-11-27 21:41:45 +00:00
logger: testlog.HCLogger(t),
})
nomad,client: apply more comment/style PR tweaks
2020-01-15 15:29:47 +00:00
expected := uuid.Generate()
client: enable nomad client to request and set SI tokens for tasks When a job is configured with Consul Connect aware tasks (i.e. sidecar), the Nomad Client should be able to request from Consul (through Nomad Server) Service Identity tokens specific to those tasks.
2019-11-27 21:41:45 +00:00
err := h.writeToken(secrets, expected)
r.NoError(err)
token, err := h.recoverToken(secrets)
r.NoError(err)
r.Equal(expected, token)
}
func TestSIDSHook_recoverToken_empty(t *testing.T) {
ci: swap ci parallelization for unconstrained gomaxprocs
2022-03-15 12:42:43 +00:00
ci.Parallel(t)
client: enable nomad client to request and set SI tokens for tasks When a job is configured with Consul Connect aware tasks (i.e. sidecar), the Nomad Client should be able to request from Consul (through Nomad Server) Service Identity tokens specific to those tasks.
2019-11-27 21:41:45 +00:00
r := require.New(t)
client: set context timeout around SI token derivation The derivation of an SI token needs to be safegaurded by a context timeout, otherwise an unresponsive Consul could cause the siHook to block forever on Prestart.
2020-01-15 15:56:48 +00:00
test: use `T.TempDir` to create temporary test directory (#12853) * test: use `T.TempDir` to create temporary test directory This commit replaces `ioutil.TempDir` with `t.TempDir` in tests. The directory created by `t.TempDir` is automatically removed when the test and all its subtests complete. Prior to this commit, temporary directory created using `ioutil.TempDir` needs to be removed manually by calling `os.RemoveAll`, which is omitted in some tests. The error handling boilerplate e.g. defer func() { if err := os.RemoveAll(dir); err != nil { t.Fatal(err) } } is also tedious, but `t.TempDir` handles this for us nicely. Reference: https://pkg.go.dev/testing#T.TempDir Signed-off-by: Eng Zer Jun <engzerjun@gmail.com> * test: fix TestLogmon_Start_restart on Windows Signed-off-by: Eng Zer Jun <engzerjun@gmail.com> * test: fix failing TestConsul_Integration t.TempDir fails to perform the cleanup properly because the folder is still in use testing.go:967: TempDir RemoveAll cleanup: unlinkat /tmp/TestConsul_Integration2837567823/002/191a6f1a-5371-cf7c-da38-220fe85d10e5/web/secrets: device or resource busy Signed-off-by: Eng Zer Jun <engzerjun@gmail.com>
2022-05-12 15:42:40 +00:00
secrets := t.TempDir()
client: enable nomad client to request and set SI tokens for tasks When a job is configured with Consul Connect aware tasks (i.e. sidecar), the Nomad Client should be able to request from Consul (through Nomad Server) Service Identity tokens specific to those tasks.
2019-11-27 21:41:45 +00:00
client: enable envoy bootstrap hook to set SI token When creating the envoy bootstrap configuration, we should append the "-token=<token>" argument in the case where the sidsHook placed the token in the secrets directory.
2019-12-18 16:23:16 +00:00
taskName, taskKind := sidecar("foo")
client: enable nomad client to request and set SI tokens for tasks When a job is configured with Consul Connect aware tasks (i.e. sidecar), the Nomad Client should be able to request from Consul (through Nomad Server) Service Identity tokens specific to those tasks.
2019-11-27 21:41:45 +00:00
h := newSIDSHook(sidsHookConfig{
client: enable envoy bootstrap hook to set SI token When creating the envoy bootstrap configuration, we should append the "-token=<token>" argument in the case where the sidsHook placed the token in the secrets directory.
2019-12-18 16:23:16 +00:00
task: &structs.Task{
Name: taskName,
Kind: taskKind,
},
client: enable nomad client to request and set SI tokens for tasks When a job is configured with Consul Connect aware tasks (i.e. sidecar), the Nomad Client should be able to request from Consul (through Nomad Server) Service Identity tokens specific to those tasks.
2019-11-27 21:41:45 +00:00
logger: testlog.HCLogger(t),
})
token, err := h.recoverToken(secrets)
r.NoError(err)
r.Empty(token)
}
client: additional test cases around failures in SIDS hook
2020-01-30 21:33:20 +00:00
func TestSIDSHook_recoverToken_unReadable(t *testing.T) {
ci: swap ci parallelization for unconstrained gomaxprocs
2022-03-15 12:42:43 +00:00
ci.Parallel(t)
tests: skip some SIDS hook tests if running tests as root
2020-01-30 22:16:45 +00:00
// This test fails when running as root because the test case for checking
// the error condition when the file is unreadable fails (root can read the
// file even though the permissions are set to 0200).
if unix.Geteuid() == 0 {
t.Skip("test only works as non-root")
}
client: enable nomad client to request and set SI tokens for tasks When a job is configured with Consul Connect aware tasks (i.e. sidecar), the Nomad Client should be able to request from Consul (through Nomad Server) Service Identity tokens specific to those tasks.
2019-11-27 21:41:45 +00:00
r := require.New(t)
client: set context timeout around SI token derivation The derivation of an SI token needs to be safegaurded by a context timeout, otherwise an unresponsive Consul could cause the siHook to block forever on Prestart.
2020-01-15 15:56:48 +00:00
test: use `T.TempDir` to create temporary test directory (#12853) * test: use `T.TempDir` to create temporary test directory This commit replaces `ioutil.TempDir` with `t.TempDir` in tests. The directory created by `t.TempDir` is automatically removed when the test and all its subtests complete. Prior to this commit, temporary directory created using `ioutil.TempDir` needs to be removed manually by calling `os.RemoveAll`, which is omitted in some tests. The error handling boilerplate e.g. defer func() { if err := os.RemoveAll(dir); err != nil { t.Fatal(err) } } is also tedious, but `t.TempDir` handles this for us nicely. Reference: https://pkg.go.dev/testing#T.TempDir Signed-off-by: Eng Zer Jun <engzerjun@gmail.com> * test: fix TestLogmon_Start_restart on Windows Signed-off-by: Eng Zer Jun <engzerjun@gmail.com> * test: fix failing TestConsul_Integration t.TempDir fails to perform the cleanup properly because the folder is still in use testing.go:967: TempDir RemoveAll cleanup: unlinkat /tmp/TestConsul_Integration2837567823/002/191a6f1a-5371-cf7c-da38-220fe85d10e5/web/secrets: device or resource busy Signed-off-by: Eng Zer Jun <engzerjun@gmail.com>
2022-05-12 15:42:40 +00:00
secrets := t.TempDir()
client: enable nomad client to request and set SI tokens for tasks When a job is configured with Consul Connect aware tasks (i.e. sidecar), the Nomad Client should be able to request from Consul (through Nomad Server) Service Identity tokens specific to those tasks.
2019-11-27 21:41:45 +00:00
client: additional test cases around failures in SIDS hook
2020-01-30 21:33:20 +00:00
err := os.Chmod(secrets, 0000)
r.NoError(err)
taskName, taskKind := sidecar("foo")
h := newSIDSHook(sidsHookConfig{
task: &structs.Task{
Name: taskName,
Kind: taskKind,
},
logger: testlog.HCLogger(t),
})
_, err = h.recoverToken(secrets)
r.Error(err)
}
func TestSIDSHook_writeToken(t *testing.T) {
ci: swap ci parallelization for unconstrained gomaxprocs
2022-03-15 12:42:43 +00:00
ci.Parallel(t)
client: additional test cases around failures in SIDS hook
2020-01-30 21:33:20 +00:00
r := require.New(t)
test: use `T.TempDir` to create temporary test directory (#12853) * test: use `T.TempDir` to create temporary test directory This commit replaces `ioutil.TempDir` with `t.TempDir` in tests. The directory created by `t.TempDir` is automatically removed when the test and all its subtests complete. Prior to this commit, temporary directory created using `ioutil.TempDir` needs to be removed manually by calling `os.RemoveAll`, which is omitted in some tests. The error handling boilerplate e.g. defer func() { if err := os.RemoveAll(dir); err != nil { t.Fatal(err) } } is also tedious, but `t.TempDir` handles this for us nicely. Reference: https://pkg.go.dev/testing#T.TempDir Signed-off-by: Eng Zer Jun <engzerjun@gmail.com> * test: fix TestLogmon_Start_restart on Windows Signed-off-by: Eng Zer Jun <engzerjun@gmail.com> * test: fix failing TestConsul_Integration t.TempDir fails to perform the cleanup properly because the folder is still in use testing.go:967: TempDir RemoveAll cleanup: unlinkat /tmp/TestConsul_Integration2837567823/002/191a6f1a-5371-cf7c-da38-220fe85d10e5/web/secrets: device or resource busy Signed-off-by: Eng Zer Jun <engzerjun@gmail.com>
2022-05-12 15:42:40 +00:00
secrets := t.TempDir()
client: additional test cases around failures in SIDS hook
2020-01-30 21:33:20 +00:00
id := uuid.Generate()
h := new(sidsHook)
err := h.writeToken(secrets, id)
r.NoError(err)
deps: Update ioutil deprecated library references to os and io respectively in the client package (#16318) * Update ioutil deprecated library references to os and io respectively * Deal with the errors produced. Add error handling to filEntry info Add error handling to info
2023-03-08 19:25:10 +00:00
content, err := os.ReadFile(filepath.Join(secrets, sidsTokenFile))
client: additional test cases around failures in SIDS hook
2020-01-30 21:33:20 +00:00
r.NoError(err)
r.Equal(id, string(content))
}
client: enable envoy bootstrap hook to set SI token When creating the envoy bootstrap configuration, we should append the "-token=<token>" argument in the case where the sidsHook placed the token in the secrets directory.
2019-12-18 16:23:16 +00:00
client: additional test cases around failures in SIDS hook
2020-01-30 21:33:20 +00:00
func TestSIDSHook_writeToken_unWritable(t *testing.T) {
ci: swap ci parallelization for unconstrained gomaxprocs
2022-03-15 12:42:43 +00:00
ci.Parallel(t)
tests: skip some SIDS hook tests if running tests as root
2020-01-30 22:16:45 +00:00
// This test fails when running as root because the test case for checking
// the error condition when the file is unreadable fails (root can read the
// file even though the permissions are set to 0200).
if unix.Geteuid() == 0 {
t.Skip("test only works as non-root")
}
client: additional test cases around failures in SIDS hook
2020-01-30 21:33:20 +00:00
r := require.New(t)
test: use `T.TempDir` to create temporary test directory (#12853) * test: use `T.TempDir` to create temporary test directory This commit replaces `ioutil.TempDir` with `t.TempDir` in tests. The directory created by `t.TempDir` is automatically removed when the test and all its subtests complete. Prior to this commit, temporary directory created using `ioutil.TempDir` needs to be removed manually by calling `os.RemoveAll`, which is omitted in some tests. The error handling boilerplate e.g. defer func() { if err := os.RemoveAll(dir); err != nil { t.Fatal(err) } } is also tedious, but `t.TempDir` handles this for us nicely. Reference: https://pkg.go.dev/testing#T.TempDir Signed-off-by: Eng Zer Jun <engzerjun@gmail.com> * test: fix TestLogmon_Start_restart on Windows Signed-off-by: Eng Zer Jun <engzerjun@gmail.com> * test: fix failing TestConsul_Integration t.TempDir fails to perform the cleanup properly because the folder is still in use testing.go:967: TempDir RemoveAll cleanup: unlinkat /tmp/TestConsul_Integration2837567823/002/191a6f1a-5371-cf7c-da38-220fe85d10e5/web/secrets: device or resource busy Signed-off-by: Eng Zer Jun <engzerjun@gmail.com>
2022-05-12 15:42:40 +00:00
secrets := t.TempDir()
client: additional test cases around failures in SIDS hook
2020-01-30 21:33:20 +00:00
err := os.Chmod(secrets, 0000)
r.NoError(err)
id := uuid.Generate()
h := new(sidsHook)
err = h.writeToken(secrets, id)
r.Error(err)
}
func Test_SIDSHook_writeToken_nonExistent(t *testing.T) {
ci: swap ci parallelization for unconstrained gomaxprocs
2022-03-15 12:42:43 +00:00
ci.Parallel(t)
client: additional test cases around failures in SIDS hook
2020-01-30 21:33:20 +00:00
r := require.New(t)
test: use `T.TempDir` to create temporary test directory (#12853) * test: use `T.TempDir` to create temporary test directory This commit replaces `ioutil.TempDir` with `t.TempDir` in tests. The directory created by `t.TempDir` is automatically removed when the test and all its subtests complete. Prior to this commit, temporary directory created using `ioutil.TempDir` needs to be removed manually by calling `os.RemoveAll`, which is omitted in some tests. The error handling boilerplate e.g. defer func() { if err := os.RemoveAll(dir); err != nil { t.Fatal(err) } } is also tedious, but `t.TempDir` handles this for us nicely. Reference: https://pkg.go.dev/testing#T.TempDir Signed-off-by: Eng Zer Jun <engzerjun@gmail.com> * test: fix TestLogmon_Start_restart on Windows Signed-off-by: Eng Zer Jun <engzerjun@gmail.com> * test: fix failing TestConsul_Integration t.TempDir fails to perform the cleanup properly because the folder is still in use testing.go:967: TempDir RemoveAll cleanup: unlinkat /tmp/TestConsul_Integration2837567823/002/191a6f1a-5371-cf7c-da38-220fe85d10e5/web/secrets: device or resource busy Signed-off-by: Eng Zer Jun <engzerjun@gmail.com>
2022-05-12 15:42:40 +00:00
base := t.TempDir()
client: additional test cases around failures in SIDS hook
2020-01-30 21:33:20 +00:00
secrets := filepath.Join(base, "does/not/exist")
id := uuid.Generate()
h := new(sidsHook)
err := h.writeToken(secrets, id)
r.Error(err)
}
func TestSIDSHook_deriveSIToken(t *testing.T) {
ci: swap ci parallelization for unconstrained gomaxprocs
2022-03-15 12:42:43 +00:00
ci.Parallel(t)
client: additional test cases around failures in SIDS hook
2020-01-30 21:33:20 +00:00
r := require.New(t)
taskName, taskKind := sidecar("task1")
client: enable nomad client to request and set SI tokens for tasks When a job is configured with Consul Connect aware tasks (i.e. sidecar), the Nomad Client should be able to request from Consul (through Nomad Server) Service Identity tokens specific to those tasks.
2019-11-27 21:41:45 +00:00
h := newSIDSHook(sidsHookConfig{
client: enable envoy bootstrap hook to set SI token When creating the envoy bootstrap configuration, we should append the "-token=<token>" argument in the case where the sidsHook placed the token in the secrets directory.
2019-12-18 16:23:16 +00:00
alloc: &structs.Allocation{ID: "a1"},
task: &structs.Task{
Name: taskName,
Kind: taskKind,
},
client: enable nomad client to request and set SI tokens for tasks When a job is configured with Consul Connect aware tasks (i.e. sidecar), the Nomad Client should be able to request from Consul (through Nomad Server) Service Identity tokens specific to those tasks.
2019-11-27 21:41:45 +00:00
logger: testlog.HCLogger(t),
tests: remove duplicate import statements.
2021-06-11 07:39:22 +00:00
sidsClient: consulapi.NewMockServiceIdentitiesClient(),
client: enable nomad client to request and set SI tokens for tasks When a job is configured with Consul Connect aware tasks (i.e. sidecar), the Nomad Client should be able to request from Consul (through Nomad Server) Service Identity tokens specific to those tasks.
2019-11-27 21:41:45 +00:00
})
ctx := context.Background()
token, err := h.deriveSIToken(ctx)
r.NoError(err)
client: enable envoy bootstrap hook to set SI token When creating the envoy bootstrap configuration, we should append the "-token=<token>" argument in the case where the sidsHook placed the token in the secrets directory.
2019-12-18 16:23:16 +00:00
r.True(helper.IsUUID(token), "token: %q", token)
client: enable nomad client to request and set SI tokens for tasks When a job is configured with Consul Connect aware tasks (i.e. sidecar), the Nomad Client should be able to request from Consul (through Nomad Server) Service Identity tokens specific to those tasks.
2019-11-27 21:41:45 +00:00
}
client: set context timeout around SI token derivation The derivation of an SI token needs to be safegaurded by a context timeout, otherwise an unresponsive Consul could cause the siHook to block forever on Prestart.
2020-01-15 15:56:48 +00:00
func TestSIDSHook_deriveSIToken_timeout(t *testing.T) {
ci: swap ci parallelization for unconstrained gomaxprocs
2022-03-15 12:42:43 +00:00
ci.Parallel(t)
client: set context timeout around SI token derivation The derivation of an SI token needs to be safegaurded by a context timeout, otherwise an unresponsive Consul could cause the siHook to block forever on Prestart.
2020-01-15 15:56:48 +00:00
r := require.New(t)
tests: remove duplicate import statements.
2021-06-11 07:39:22 +00:00
siClient := consulapi.NewMockServiceIdentitiesClient()
client: set context timeout around SI token derivation The derivation of an SI token needs to be safegaurded by a context timeout, otherwise an unresponsive Consul could cause the siHook to block forever on Prestart.
2020-01-15 15:56:48 +00:00
siClient.DeriveTokenFn = func(allocation *structs.Allocation, strings []string) (m map[string]string, err error) {
select {
// block forever, hopefully triggering a timeout in the caller
}
}
client: additional test cases around failures in SIDS hook
2020-01-30 21:33:20 +00:00
taskName, taskKind := sidecar("task1")
client: set context timeout around SI token derivation The derivation of an SI token needs to be safegaurded by a context timeout, otherwise an unresponsive Consul could cause the siHook to block forever on Prestart.
2020-01-15 15:56:48 +00:00
h := newSIDSHook(sidsHookConfig{
alloc: &structs.Allocation{ID: "a1"},
task: &structs.Task{
Name: taskName,
Kind: taskKind,
},
logger: testlog.HCLogger(t),
sidsClient: siClient,
})
// set the timeout to a really small value for testing
h.derivationTimeout = time.Duration(1 * time.Millisecond)
ctx := context.Background()
_, err := h.deriveSIToken(ctx)
r.EqualError(err, "context deadline exceeded")
}
client: enable nomad client to request and set SI tokens for tasks When a job is configured with Consul Connect aware tasks (i.e. sidecar), the Nomad Client should be able to request from Consul (through Nomad Server) Service Identity tokens specific to those tasks.
2019-11-27 21:41:45 +00:00
func TestSIDSHook_computeBackoff(t *testing.T) {
ci: swap ci parallelization for unconstrained gomaxprocs
2022-03-15 12:42:43 +00:00
ci.Parallel(t)
client: enable nomad client to request and set SI tokens for tasks When a job is configured with Consul Connect aware tasks (i.e. sidecar), the Nomad Client should be able to request from Consul (through Nomad Server) Service Identity tokens specific to those tasks.
2019-11-27 21:41:45 +00:00
try := func(i int, exp time.Duration) {
result := computeBackoff(i)
require.Equal(t, exp, result)
}
try(0, time.Duration(0))
nomad: proxy requests for Service Identity tokens between Clients and Consul Nomad jobs may be configured with a TaskGroup which contains a Service definition that is Consul Connect enabled. These service definitions end up establishing a Consul Connect Proxy Task (e.g. envoy, by default). In the case where Consul ACLs are enabled, a Service Identity token is required for these tasks to run & connect, etc. This changeset enables the Nomad Server to recieve RPC requests for the derivation of SI tokens on behalf of instances of Consul Connect using Tasks. Those tokens are then relayed back to the requesting Client, which then injects the tokens in the secrets directory of the Task.
2019-12-06 20:46:46 +00:00
try(1, 100*time.Millisecond)
try(2, 10*time.Second)
try(3, 15*time.Second)
try(4, 20*time.Second)
try(5, 25*time.Second)
client: enable nomad client to request and set SI tokens for tasks When a job is configured with Consul Connect aware tasks (i.e. sidecar), the Nomad Client should be able to request from Consul (through Nomad Server) Service Identity tokens specific to those tasks.
2019-11-27 21:41:45 +00:00
}
func TestSIDSHook_backoff(t *testing.T) {
ci: swap ci parallelization for unconstrained gomaxprocs
2022-03-15 12:42:43 +00:00
ci.Parallel(t)
client: enable nomad client to request and set SI tokens for tasks When a job is configured with Consul Connect aware tasks (i.e. sidecar), the Nomad Client should be able to request from Consul (through Nomad Server) Service Identity tokens specific to those tasks.
2019-11-27 21:41:45 +00:00
r := require.New(t)
ctx := context.Background()
stop := !backoff(ctx, 0)
r.False(stop)
}
func TestSIDSHook_backoffKilled(t *testing.T) {
ci: swap ci parallelization for unconstrained gomaxprocs
2022-03-15 12:42:43 +00:00
ci.Parallel(t)
client: enable nomad client to request and set SI tokens for tasks When a job is configured with Consul Connect aware tasks (i.e. sidecar), the Nomad Client should be able to request from Consul (through Nomad Server) Service Identity tokens specific to those tasks.
2019-11-27 21:41:45 +00:00
r := require.New(t)
ctx, cancel := context.WithTimeout(context.Background(), 1)
defer cancel()
stop := !backoff(ctx, 1000)
r.True(stop)
}
tests: skip some SIDS hook tests if running tests as root
2020-01-30 22:16:45 +00:00
func TestTaskRunner_DeriveSIToken_UnWritableTokenFile(t *testing.T) {
ci: swap ci parallelization for unconstrained gomaxprocs
2022-03-15 12:42:43 +00:00
ci.Parallel(t)
tests: skip some SIDS hook tests if running tests as root
2020-01-30 22:16:45 +00:00
// Normally this test would live in test_runner_test.go, but since it requires
// root and the check for root doesn't like Windows, we put this file in here
// for now.
// This test fails when running as root because the test case for checking
// the error condition when the file is unreadable fails (root can read the
// file even though the permissions are set to 0200).
if unix.Geteuid() == 0 {
t.Skip("test only works as non-root")
}
r := require.New(t)
alloc := mock.BatchConnectAlloc()
task := alloc.Job.TaskGroups[0].Tasks[0]
task.Config = map[string]interface{}{
"run_for": "0s",
}
trConfig, cleanup := testTaskRunnerConfig(t, alloc, task.Name)
defer cleanup()
// make the si_token file un-writable, triggering a failure after a
// successful token derivation
test: use `T.TempDir` to create temporary test directory (#12853) * test: use `T.TempDir` to create temporary test directory This commit replaces `ioutil.TempDir` with `t.TempDir` in tests. The directory created by `t.TempDir` is automatically removed when the test and all its subtests complete. Prior to this commit, temporary directory created using `ioutil.TempDir` needs to be removed manually by calling `os.RemoveAll`, which is omitted in some tests. The error handling boilerplate e.g. defer func() { if err := os.RemoveAll(dir); err != nil { t.Fatal(err) } } is also tedious, but `t.TempDir` handles this for us nicely. Reference: https://pkg.go.dev/testing#T.TempDir Signed-off-by: Eng Zer Jun <engzerjun@gmail.com> * test: fix TestLogmon_Start_restart on Windows Signed-off-by: Eng Zer Jun <engzerjun@gmail.com> * test: fix failing TestConsul_Integration t.TempDir fails to perform the cleanup properly because the folder is still in use testing.go:967: TempDir RemoveAll cleanup: unlinkat /tmp/TestConsul_Integration2837567823/002/191a6f1a-5371-cf7c-da38-220fe85d10e5/web/secrets: device or resource busy Signed-off-by: Eng Zer Jun <engzerjun@gmail.com>
2022-05-12 15:42:40 +00:00
secrets := t.TempDir()
tests: skip some SIDS hook tests if running tests as root
2020-01-30 22:16:45 +00:00
trConfig.TaskDir.SecretsDir = secrets
deps: Update ioutil deprecated library references to os and io respectively in the client package (#16318) * Update ioutil deprecated library references to os and io respectively * Deal with the errors produced. Add error handling to filEntry info Add error handling to info
2023-03-08 19:25:10 +00:00
err := os.WriteFile(filepath.Join(secrets, sidsTokenFile), nil, 0400)
tests: skip some SIDS hook tests if running tests as root
2020-01-30 22:16:45 +00:00
r.NoError(err)
tests: set consul token for nomad client for testing SIDS TR hook
2020-01-31 01:30:48 +00:00
// set a consul token for the nomad client, which is what triggers the
// SIDS hook to be applied
trConfig.ClientConfig.ConsulConfig.Token = uuid.Generate()
tests: skip some SIDS hook tests if running tests as root
2020-01-30 22:16:45 +00:00
// derive token works just fine
deriveFn := func(*structs.Allocation, []string) (map[string]string, error) {
return map[string]string{task.Name: uuid.Generate()}, nil
}
siClient := trConfig.ConsulSI.(*consulapi.MockServiceIdentitiesClient)
siClient.DeriveTokenFn = deriveFn
// start the task runner
tr, err := NewTaskRunner(trConfig)
r.NoError(err)
defer tr.Kill(context.Background(), structs.NewTaskEvent("cleanup"))
useMockEnvoyBootstrapHook(tr) // mock the envoy bootstrap
go tr.Run()
// wait for task runner to finish running
Task lifecycle restart (#14127) * allocrunner: handle lifecycle when all tasks die When all tasks die the Coordinator must transition to its terminal state, coordinatorStatePoststop, to unblock poststop tasks. Since this could happen at any time (for example, a prestart task dies), all states must be able to transition to this terminal state. * allocrunner: implement different alloc restarts Add a new alloc restart mode where all tasks are restarted, even if they have already exited. Also unifies the alloc restart logic to use the implementation that restarts tasks concurrently and ignores ErrTaskNotRunning errors since those are expected when restarting the allocation. * allocrunner: allow tasks to run again Prevent the task runner Run() method from exiting to allow a dead task to run again. When the task runner is signaled to restart, the function will jump back to the MAIN loop and run it again. The task runner determines if a task needs to run again based on two new task events that were added to differentiate between a request to restart a specific task, the tasks that are currently running, or all tasks that have already run. * api/cli: add support for all tasks alloc restart Implement the new -all-tasks alloc restart CLI flag and its API counterpar, AllTasks. The client endpoint calls the appropriate restart method from the allocrunner depending on the restart parameters used. * test: fix tasklifecycle Coordinator test * allocrunner: kill taskrunners if all tasks are dead When all non-poststop tasks are dead we need to kill the taskrunners so we don't leak their goroutines, which are blocked in the alloc restart loop. This also ensures the allocrunner exits on its own. * taskrunner: fix tests that waited on WaitCh Now that "dead" tasks may run again, the taskrunner Run() method will not return when the task finishes running, so tests must wait for the task state to be "dead" instead of using the WaitCh, since it won't be closed until the taskrunner is killed. * tests: add tests for all tasks alloc restart * changelog: add entry for #14127 * taskrunner: fix restore logic. The first implementation of the task runner restore process relied on server data (`tr.Alloc().TerminalStatus()`) which may not be available to the client at the time of restore. It also had the incorrect code path. When restoring a dead task the driver handle always needs to be clear cleanly using `clearDriverHandle` otherwise, after exiting the MAIN loop, the task may be killed by `tr.handleKill`. The fix is to store the state of the Run() loop in the task runner local client state: if the task runner ever exits this loop cleanly (not with a shutdown) it will never be able to run again. So if the Run() loops starts with this local state flag set, it must exit early. This local state flag is also being checked on task restart requests. If the task is "dead" and its Run() loop is not active it will never be able to run again. * address code review requests * apply more code review changes * taskrunner: add different Restart modes Using the task event to differentiate between the allocrunner restart methods proved to be confusing for developers to understand how it all worked. So instead of relying on the event type, this commit separated the logic of restarting an taskRunner into two methods: - `Restart` will retain the current behaviour and only will only restart the task if it's currently running. - `ForceRestart` is the new method where a `dead` task is allowed to restart if its `Run()` method is still active. Callers will need to restart the allocRunner taskCoordinator to make sure it will allow the task to run again. * minor fixes
2022-08-24 21:43:07 +00:00
testWaitForTaskToDie(t, tr)
tests: skip some SIDS hook tests if running tests as root
2020-01-30 22:16:45 +00:00
// assert task exited un-successfully
finalState := tr.TaskState()
r.Equal(structs.TaskStateDead, finalState.State)
r.True(finalState.Failed) // should have failed to write SI token
r.Contains(finalState.Events[2].DisplayMessage, "failed to write SI token")
// assert the token is *not* on disk, as secrets dir was un-writable
tokenPath := filepath.Join(trConfig.TaskDir.SecretsDir, sidsTokenFile)
deps: Update ioutil deprecated library references to os and io respectively in the client package (#16318) * Update ioutil deprecated library references to os and io respectively * Deal with the errors produced. Add error handling to filEntry info Add error handling to info
2023-03-08 19:25:10 +00:00
token, err := os.ReadFile(tokenPath)
tests: skip some SIDS hook tests if running tests as root
2020-01-30 22:16:45 +00:00
r.NoError(err)
r.Empty(token)
}
Reference in a new issue Copy permalink