luxolus
/
open-nomad
2
0
Fork 0
Code Issues 1 Pull Requests Packages Releases Wiki Activity
open-nomad/command/agent/agent_test.go

1194 lines
33 KiB
Go
Raw Normal View History

http: basic framework
2015-09-06 00:06:05 +00:00
package agent
import (
"io/ioutil"
"os"
check file contents when determining if agent should reload TLS configuration
2018-03-26 19:55:32 +00:00
"path/filepath"
agent: split out server config parser, add tests
2015-09-11 19:02:22 +00:00
"strings"
http: basic framework
2015-09-06 00:06:05 +00:00
"testing"
agent: make unit tests much faster
2015-09-06 01:41:00 +00:00
"time"
Unit test for dev agent
2018-05-22 21:39:51 +00:00
cstructs "github.com/hashicorp/nomad/client/structs"
Skip https health check if verify_https_client is true
2017-05-03 00:37:09 +00:00
"github.com/hashicorp/nomad/helper"
Tests only use testlog package logger
2018-06-13 22:33:25 +00:00
"github.com/hashicorp/nomad/helper/testlog"
Unit test for dev agent
2018-05-22 21:39:51 +00:00
"github.com/hashicorp/nomad/nomad/structs"
core: add limits to unauthorized connections Introduce limits to prevent unauthorized users from exhausting all ephemeral ports on agents: * `{https,rpc}_handshake_timeout` * `{http,rpc}_max_conns_per_client` The handshake timeout closes connections that have not completed the TLS handshake by the deadline (5s by default). For RPC connections this timeout also separately applies to first byte being read so RPC connections with TLS enabled have `rpc_handshake_time * 2` as their deadline. The connection limit per client prevents a single remote TCP peer from exhausting all ephemeral ports. The default is 100, but can be lowered to a minimum of 26. Since streaming RPC connections create a new TCP connection (until MultiplexV2 is used), 20 connections are reserved for Raft and non-streaming RPCs to prevent connection exhaustion due to streaming RPCs. All limits are configurable and may be disabled by setting them to `0`. This also includes a fix that closes connections that attempt to create TLS RPC connections recursively. While only users with valid mTLS certificates could perform such an operation, it was added as a safeguard to prevent programming errors before they could cause resource exhaustion.
2020-01-15 15:41:59 +00:00
"github.com/hashicorp/nomad/nomad/structs/config"
Fix tests
2016-06-17 05:26:45 +00:00
sconfig "github.com/hashicorp/nomad/nomad/structs/config"
improve documentation move metrics to telemetry; copy to client config
2017-09-06 18:23:58 +00:00
"github.com/stretchr/testify/assert"
code review feedback
2018-03-23 21:58:10 +00:00
"github.com/stretchr/testify/require"
http: basic framework
2015-09-06 00:06:05 +00:00
)
Use codegen for json marshalling: 20% faster, 12% less bytes allocated, 85% less allocations
2016-05-18 01:05:00 +00:00
func tmpDir(t testing.TB) string {
http: basic framework
2015-09-06 00:06:05 +00:00
dir, err := ioutil.TempDir("", "nomad")
if err != nil {
t.Fatalf("err: %v", err)
}
return dir
}
Nomad agent reload TLS configuration on SIGHUP (#3479) * Allow server TLS configuration to be reloaded via SIGHUP * dynamic tls reloading for nomad agents * code cleanup and refactoring * ensure keyloader is initialized, add comments * allow downgrading from TLS * initalize keyloader if necessary * integration test for tls reload * fix up test to assert success on reloaded TLS configuration * failure in loading a new TLS config should remain at current Reload only the config if agent is already using TLS * reload agent configuration before specific server/client lock keyloader before loading/caching a new certificate * introduce a get-or-set method for keyloader * fixups from code review * fix up linting errors * fixups from code review * add lock for config updates; improve copy of tls config * GetCertificate only reloads certificates dynamically for the server * config updates/copies should be on agent * improve http integration test * simplify agent reloading storing a local copy of config * reuse the same keyloader when reloading * Test that server and client get reloaded but keep keyloader * Keyloader exposes GetClientCertificate as well for outgoing connections * Fix spelling * correct changelog style
2017-11-15 01:53:23 +00:00
func TestAgent_RPC_Ping(t *testing.T) {
More parallel
2017-07-20 05:42:15 +00:00
t.Parallel()
Standardize retrieving a free port into a helper package
2017-10-19 04:45:18 +00:00
agent := NewTestAgent(t, t.Name(), nil)
agent: adding basic test
2015-09-06 00:07:36 +00:00
defer agent.Shutdown()
var out struct{}
if err := agent.RPC("Status.Ping", struct{}{}, &out); err != nil {
t.Fatalf("err: %v", err)
}
}
agent: split out server config parser, add tests
2015-09-11 19:02:22 +00:00
func TestAgent_ServerConfig(t *testing.T) {
More parallel
2017-07-20 05:42:15 +00:00
t.Parallel()
agent: split out server config parser, add tests
2015-09-11 19:02:22 +00:00
conf := DefaultConfig()
Addresses are just addresses - no ports Store address+port in an unexported field for ease-of-use
2016-11-09 19:37:41 +00:00
conf.DevMode = true // allow localhost for advertise addrs
enable server in test
2018-03-16 23:52:37 +00:00
conf.Server.Enabled = true
agent: split out server config parser, add tests
2015-09-11 19:02:22 +00:00
a := &Agent{config: conf}
conf.AdvertiseAddrs.Serf = "127.0.0.1:4000"
conf.AdvertiseAddrs.RPC = "127.0.0.1:4001"
Added a test for generation of the server addr
2016-05-25 01:33:24 +00:00
conf.AdvertiseAddrs.HTTP = "10.10.11.1:4005"
agent: thread through ACL config to Server
2017-08-13 21:11:06 +00:00
conf.ACL.Enabled = true
agent: split out server config parser, add tests
2015-09-11 19:02:22 +00:00
// Parses the advertise addrs correctly
Addresses are just addresses - no ports Store address+port in an unexported field for ease-of-use
2016-11-09 19:37:41 +00:00
if err := conf.normalizeAddrs(); err != nil {
t.Fatalf("error normalizing config: %v", err)
Fix int pointer formatting and server config test
2016-11-09 00:02:20 +00:00
}
agent: split out server config parser, add tests
2015-09-11 19:02:22 +00:00
out, err := a.serverConfig()
core: add limits to unauthorized connections Introduce limits to prevent unauthorized users from exhausting all ephemeral ports on agents: * `{https,rpc}_handshake_timeout` * `{http,rpc}_max_conns_per_client` The handshake timeout closes connections that have not completed the TLS handshake by the deadline (5s by default). For RPC connections this timeout also separately applies to first byte being read so RPC connections with TLS enabled have `rpc_handshake_time * 2` as their deadline. The connection limit per client prevents a single remote TCP peer from exhausting all ephemeral ports. The default is 100, but can be lowered to a minimum of 26. Since streaming RPC connections create a new TCP connection (until MultiplexV2 is used), 20 connections are reserved for Raft and non-streaming RPCs to prevent connection exhaustion due to streaming RPCs. All limits are configurable and may be disabled by setting them to `0`. This also includes a fix that closes connections that attempt to create TLS RPC connections recursively. While only users with valid mTLS certificates could perform such an operation, it was added as a safeguard to prevent programming errors before they could cause resource exhaustion.
2020-01-15 15:41:59 +00:00
require.NoError(t, err)
agent: split out server config parser, add tests
2015-09-11 19:02:22 +00:00
serfAddr := out.SerfConfig.MemberlistConfig.AdvertiseAddr
core: add limits to unauthorized connections Introduce limits to prevent unauthorized users from exhausting all ephemeral ports on agents: * `{https,rpc}_handshake_timeout` * `{http,rpc}_max_conns_per_client` The handshake timeout closes connections that have not completed the TLS handshake by the deadline (5s by default). For RPC connections this timeout also separately applies to first byte being read so RPC connections with TLS enabled have `rpc_handshake_time * 2` as their deadline. The connection limit per client prevents a single remote TCP peer from exhausting all ephemeral ports. The default is 100, but can be lowered to a minimum of 26. Since streaming RPC connections create a new TCP connection (until MultiplexV2 is used), 20 connections are reserved for Raft and non-streaming RPCs to prevent connection exhaustion due to streaming RPCs. All limits are configurable and may be disabled by setting them to `0`. This also includes a fix that closes connections that attempt to create TLS RPC connections recursively. While only users with valid mTLS certificates could perform such an operation, it was added as a safeguard to prevent programming errors before they could cause resource exhaustion.
2020-01-15 15:41:59 +00:00
require.Equal(t, "127.0.0.1", serfAddr)
agent: split out server config parser, add tests
2015-09-11 19:02:22 +00:00
serfPort := out.SerfConfig.MemberlistConfig.AdvertisePort
core: add limits to unauthorized connections Introduce limits to prevent unauthorized users from exhausting all ephemeral ports on agents: * `{https,rpc}_handshake_timeout` * `{http,rpc}_max_conns_per_client` The handshake timeout closes connections that have not completed the TLS handshake by the deadline (5s by default). For RPC connections this timeout also separately applies to first byte being read so RPC connections with TLS enabled have `rpc_handshake_time * 2` as their deadline. The connection limit per client prevents a single remote TCP peer from exhausting all ephemeral ports. The default is 100, but can be lowered to a minimum of 26. Since streaming RPC connections create a new TCP connection (until MultiplexV2 is used), 20 connections are reserved for Raft and non-streaming RPCs to prevent connection exhaustion due to streaming RPCs. All limits are configurable and may be disabled by setting them to `0`. This also includes a fix that closes connections that attempt to create TLS RPC connections recursively. While only users with valid mTLS certificates could perform such an operation, it was added as a safeguard to prevent programming errors before they could cause resource exhaustion.
2020-01-15 15:41:59 +00:00
require.Equal(t, 4000, serfPort)
require.Equal(t, "global", out.AuthoritativeRegion)
require.True(t, out.ACLEnabled)
Fix int pointer formatting and server config test
2016-11-09 00:02:20 +00:00
// Assert addresses weren't changed
core: add limits to unauthorized connections Introduce limits to prevent unauthorized users from exhausting all ephemeral ports on agents: * `{https,rpc}_handshake_timeout` * `{http,rpc}_max_conns_per_client` The handshake timeout closes connections that have not completed the TLS handshake by the deadline (5s by default). For RPC connections this timeout also separately applies to first byte being read so RPC connections with TLS enabled have `rpc_handshake_time * 2` as their deadline. The connection limit per client prevents a single remote TCP peer from exhausting all ephemeral ports. The default is 100, but can be lowered to a minimum of 26. Since streaming RPC connections create a new TCP connection (until MultiplexV2 is used), 20 connections are reserved for Raft and non-streaming RPCs to prevent connection exhaustion due to streaming RPCs. All limits are configurable and may be disabled by setting them to `0`. This also includes a fix that closes connections that attempt to create TLS RPC connections recursively. While only users with valid mTLS certificates could perform such an operation, it was added as a safeguard to prevent programming errors before they could cause resource exhaustion.
2020-01-15 15:41:59 +00:00
require.Equal(t, "127.0.0.1:4001", conf.AdvertiseAddrs.RPC)
require.Equal(t, "10.10.11.1:4005", conf.AdvertiseAddrs.HTTP)
require.Equal(t, "0.0.0.0", conf.Addresses.RPC)
agent: split out server config parser, add tests
2015-09-11 19:02:22 +00:00
// Sets up the ports properly
Fix int pointer formatting and server config test
2016-11-09 00:02:20 +00:00
conf.Addresses.RPC = ""
conf.Addresses.Serf = ""
agent: split out server config parser, add tests
2015-09-11 19:02:22 +00:00
conf.Ports.RPC = 4003
conf.Ports.Serf = 4004
core: add limits to unauthorized connections Introduce limits to prevent unauthorized users from exhausting all ephemeral ports on agents: * `{https,rpc}_handshake_timeout` * `{http,rpc}_max_conns_per_client` The handshake timeout closes connections that have not completed the TLS handshake by the deadline (5s by default). For RPC connections this timeout also separately applies to first byte being read so RPC connections with TLS enabled have `rpc_handshake_time * 2` as their deadline. The connection limit per client prevents a single remote TCP peer from exhausting all ephemeral ports. The default is 100, but can be lowered to a minimum of 26. Since streaming RPC connections create a new TCP connection (until MultiplexV2 is used), 20 connections are reserved for Raft and non-streaming RPCs to prevent connection exhaustion due to streaming RPCs. All limits are configurable and may be disabled by setting them to `0`. This also includes a fix that closes connections that attempt to create TLS RPC connections recursively. While only users with valid mTLS certificates could perform such an operation, it was added as a safeguard to prevent programming errors before they could cause resource exhaustion.
2020-01-15 15:41:59 +00:00
require.NoError(t, conf.normalizeAddrs())
agent: split out server config parser, add tests
2015-09-11 19:02:22 +00:00
out, err = a.serverConfig()
core: add limits to unauthorized connections Introduce limits to prevent unauthorized users from exhausting all ephemeral ports on agents: * `{https,rpc}_handshake_timeout` * `{http,rpc}_max_conns_per_client` The handshake timeout closes connections that have not completed the TLS handshake by the deadline (5s by default). For RPC connections this timeout also separately applies to first byte being read so RPC connections with TLS enabled have `rpc_handshake_time * 2` as their deadline. The connection limit per client prevents a single remote TCP peer from exhausting all ephemeral ports. The default is 100, but can be lowered to a minimum of 26. Since streaming RPC connections create a new TCP connection (until MultiplexV2 is used), 20 connections are reserved for Raft and non-streaming RPCs to prevent connection exhaustion due to streaming RPCs. All limits are configurable and may be disabled by setting them to `0`. This also includes a fix that closes connections that attempt to create TLS RPC connections recursively. While only users with valid mTLS certificates could perform such an operation, it was added as a safeguard to prevent programming errors before they could cause resource exhaustion.
2020-01-15 15:41:59 +00:00
require.NoError(t, err)
require.Equal(t, 4003, out.RPCAddr.Port)
require.Equal(t, 4004, out.SerfConfig.MemberlistConfig.BindPort)
agent: split out server config parser, add tests
2015-09-11 19:02:22 +00:00
Fix tests for client.TestAgent_ServerConfig Add similar logic in Agent `serverConfig()` to set up the `serverSerfAddr` the same as `serverHttpAddr` and `serverRpcAddr`.
2016-06-01 08:08:15 +00:00
// Prefers advertise over bind addr
agent: split out server config parser, add tests
2015-09-11 19:02:22 +00:00
conf.BindAddr = "127.0.0.3"
Fix int pointer formatting and server config test
2016-11-09 00:02:20 +00:00
conf.Addresses.HTTP = "127.0.0.2"
agent: split out server config parser, add tests
2015-09-11 19:02:22 +00:00
conf.Addresses.RPC = "127.0.0.2"
conf.Addresses.Serf = "127.0.0.2"
Check that advertise without ports works in test
2016-11-01 01:08:49 +00:00
conf.AdvertiseAddrs.HTTP = "10.0.0.10"
Add address selector methods to the agent
2016-09-02 23:23:45 +00:00
conf.AdvertiseAddrs.RPC = ""
Add more address selector tests
2016-09-11 18:02:11 +00:00
conf.AdvertiseAddrs.Serf = "10.0.0.12:4004"
agent: split out server config parser, add tests
2015-09-11 19:02:22 +00:00
core: add limits to unauthorized connections Introduce limits to prevent unauthorized users from exhausting all ephemeral ports on agents: * `{https,rpc}_handshake_timeout` * `{http,rpc}_max_conns_per_client` The handshake timeout closes connections that have not completed the TLS handshake by the deadline (5s by default). For RPC connections this timeout also separately applies to first byte being read so RPC connections with TLS enabled have `rpc_handshake_time * 2` as their deadline. The connection limit per client prevents a single remote TCP peer from exhausting all ephemeral ports. The default is 100, but can be lowered to a minimum of 26. Since streaming RPC connections create a new TCP connection (until MultiplexV2 is used), 20 connections are reserved for Raft and non-streaming RPCs to prevent connection exhaustion due to streaming RPCs. All limits are configurable and may be disabled by setting them to `0`. This also includes a fix that closes connections that attempt to create TLS RPC connections recursively. While only users with valid mTLS certificates could perform such an operation, it was added as a safeguard to prevent programming errors before they could cause resource exhaustion.
2020-01-15 15:41:59 +00:00
require.NoError(t, conf.normalizeAddrs())
agent: split out server config parser, add tests
2015-09-11 19:02:22 +00:00
out, err = a.serverConfig()
core: add limits to unauthorized connections Introduce limits to prevent unauthorized users from exhausting all ephemeral ports on agents: * `{https,rpc}_handshake_timeout` * `{http,rpc}_max_conns_per_client` The handshake timeout closes connections that have not completed the TLS handshake by the deadline (5s by default). For RPC connections this timeout also separately applies to first byte being read so RPC connections with TLS enabled have `rpc_handshake_time * 2` as their deadline. The connection limit per client prevents a single remote TCP peer from exhausting all ephemeral ports. The default is 100, but can be lowered to a minimum of 26. Since streaming RPC connections create a new TCP connection (until MultiplexV2 is used), 20 connections are reserved for Raft and non-streaming RPCs to prevent connection exhaustion due to streaming RPCs. All limits are configurable and may be disabled by setting them to `0`. This also includes a fix that closes connections that attempt to create TLS RPC connections recursively. While only users with valid mTLS certificates could perform such an operation, it was added as a safeguard to prevent programming errors before they could cause resource exhaustion.
2020-01-15 15:41:59 +00:00
require.Equal(t, "127.0.0.2", out.RPCAddr.IP.String())
require.Equal(t, 4003, out.RPCAddr.Port)
require.Equal(t, "127.0.0.2", out.SerfConfig.MemberlistConfig.BindAddr)
require.Equal(t, 4004, out.SerfConfig.MemberlistConfig.BindPort)
require.Equal(t, "127.0.0.2", conf.Addresses.HTTP)
require.Equal(t, "127.0.0.2", conf.Addresses.RPC)
require.Equal(t, "127.0.0.2", conf.Addresses.Serf)
require.Equal(t, "127.0.0.2:4646", conf.normalizedAddrs.HTTP)
require.Equal(t, "127.0.0.2:4003", conf.normalizedAddrs.RPC)
require.Equal(t, "127.0.0.2:4004", conf.normalizedAddrs.Serf)
require.Equal(t, "10.0.0.10:4646", conf.AdvertiseAddrs.HTTP)
require.Equal(t, "127.0.0.2:4003", conf.AdvertiseAddrs.RPC)
require.Equal(t, "10.0.0.12:4004", conf.AdvertiseAddrs.Serf)
Add more address selector tests
2016-09-11 18:02:11 +00:00
Added node_gc_threshold configuration option Close #333
2015-10-29 13:47:06 +00:00
conf.Server.NodeGCThreshold = "42g"
core: add limits to unauthorized connections Introduce limits to prevent unauthorized users from exhausting all ephemeral ports on agents: * `{https,rpc}_handshake_timeout` * `{http,rpc}_max_conns_per_client` The handshake timeout closes connections that have not completed the TLS handshake by the deadline (5s by default). For RPC connections this timeout also separately applies to first byte being read so RPC connections with TLS enabled have `rpc_handshake_time * 2` as their deadline. The connection limit per client prevents a single remote TCP peer from exhausting all ephemeral ports. The default is 100, but can be lowered to a minimum of 26. Since streaming RPC connections create a new TCP connection (until MultiplexV2 is used), 20 connections are reserved for Raft and non-streaming RPCs to prevent connection exhaustion due to streaming RPCs. All limits are configurable and may be disabled by setting them to `0`. This also includes a fix that closes connections that attempt to create TLS RPC connections recursively. While only users with valid mTLS certificates could perform such an operation, it was added as a safeguard to prevent programming errors before they could cause resource exhaustion.
2020-01-15 15:41:59 +00:00
require.NoError(t, conf.normalizeAddrs())
command/agent: TestAgent_ServerConfig() fix dropped errors (#6659)
2019-11-11 14:46:46 +00:00
_, err = a.serverConfig()
Added node_gc_threshold configuration option Close #333
2015-10-29 13:47:06 +00:00
if err == nil || !strings.Contains(err.Error(), "unknown unit") {
t.Fatalf("expected unknown unit error, got: %#v", err)
}
Fix int pointer formatting and server config test
2016-11-09 00:02:20 +00:00
Added node_gc_threshold configuration option Close #333
2015-10-29 13:47:06 +00:00
conf.Server.NodeGCThreshold = "10s"
core: add limits to unauthorized connections Introduce limits to prevent unauthorized users from exhausting all ephemeral ports on agents: * `{https,rpc}_handshake_timeout` * `{http,rpc}_max_conns_per_client` The handshake timeout closes connections that have not completed the TLS handshake by the deadline (5s by default). For RPC connections this timeout also separately applies to first byte being read so RPC connections with TLS enabled have `rpc_handshake_time * 2` as their deadline. The connection limit per client prevents a single remote TCP peer from exhausting all ephemeral ports. The default is 100, but can be lowered to a minimum of 26. Since streaming RPC connections create a new TCP connection (until MultiplexV2 is used), 20 connections are reserved for Raft and non-streaming RPCs to prevent connection exhaustion due to streaming RPCs. All limits are configurable and may be disabled by setting them to `0`. This also includes a fix that closes connections that attempt to create TLS RPC connections recursively. While only users with valid mTLS certificates could perform such an operation, it was added as a safeguard to prevent programming errors before they could cause resource exhaustion.
2020-01-15 15:41:59 +00:00
require.NoError(t, conf.normalizeAddrs())
Added node_gc_threshold configuration option Close #333
2015-10-29 13:47:06 +00:00
out, err = a.serverConfig()
core: add limits to unauthorized connections Introduce limits to prevent unauthorized users from exhausting all ephemeral ports on agents: * `{https,rpc}_handshake_timeout` * `{http,rpc}_max_conns_per_client` The handshake timeout closes connections that have not completed the TLS handshake by the deadline (5s by default). For RPC connections this timeout also separately applies to first byte being read so RPC connections with TLS enabled have `rpc_handshake_time * 2` as their deadline. The connection limit per client prevents a single remote TCP peer from exhausting all ephemeral ports. The default is 100, but can be lowered to a minimum of 26. Since streaming RPC connections create a new TCP connection (until MultiplexV2 is used), 20 connections are reserved for Raft and non-streaming RPCs to prevent connection exhaustion due to streaming RPCs. All limits are configurable and may be disabled by setting them to `0`. This also includes a fix that closes connections that attempt to create TLS RPC connections recursively. While only users with valid mTLS certificates could perform such an operation, it was added as a safeguard to prevent programming errors before they could cause resource exhaustion.
2020-01-15 15:41:59 +00:00
require.NoError(t, err)
require.Equal(t, 10*time.Second, out.NodeGCThreshold)
Added node_gc_threshold configuration option Close #333
2015-10-29 13:47:06 +00:00
Allow tuning of heartbeat ttls This PR allows tuning of heartbeat TTLs. An example of very aggressive settings is as follows: ``` server { heartbeat_grace = "1s" min_heartbeat_ttl = "1s" max_heartbeats_per_second = 200.0 } ```
2017-07-19 16:38:35 +00:00
conf.Server.HeartbeatGrace = 37 * time.Second
agent: Configurable heartbeat
2016-03-04 23:44:12 +00:00
out, err = a.serverConfig()
core: add limits to unauthorized connections Introduce limits to prevent unauthorized users from exhausting all ephemeral ports on agents: * `{https,rpc}_handshake_timeout` * `{http,rpc}_max_conns_per_client` The handshake timeout closes connections that have not completed the TLS handshake by the deadline (5s by default). For RPC connections this timeout also separately applies to first byte being read so RPC connections with TLS enabled have `rpc_handshake_time * 2` as their deadline. The connection limit per client prevents a single remote TCP peer from exhausting all ephemeral ports. The default is 100, but can be lowered to a minimum of 26. Since streaming RPC connections create a new TCP connection (until MultiplexV2 is used), 20 connections are reserved for Raft and non-streaming RPCs to prevent connection exhaustion due to streaming RPCs. All limits are configurable and may be disabled by setting them to `0`. This also includes a fix that closes connections that attempt to create TLS RPC connections recursively. While only users with valid mTLS certificates could perform such an operation, it was added as a safeguard to prevent programming errors before they could cause resource exhaustion.
2020-01-15 15:41:59 +00:00
require.NoError(t, err)
require.Equal(t, 37*time.Second, out.HeartbeatGrace)
Fix int pointer formatting and server config test
2016-11-09 00:02:20 +00:00
Allow tuning of heartbeat ttls This PR allows tuning of heartbeat TTLs. An example of very aggressive settings is as follows: ``` server { heartbeat_grace = "1s" min_heartbeat_ttl = "1s" max_heartbeats_per_second = 200.0 } ```
2017-07-19 16:38:35 +00:00
conf.Server.MinHeartbeatTTL = 37 * time.Second
out, err = a.serverConfig()
core: add limits to unauthorized connections Introduce limits to prevent unauthorized users from exhausting all ephemeral ports on agents: * `{https,rpc}_handshake_timeout` * `{http,rpc}_max_conns_per_client` The handshake timeout closes connections that have not completed the TLS handshake by the deadline (5s by default). For RPC connections this timeout also separately applies to first byte being read so RPC connections with TLS enabled have `rpc_handshake_time * 2` as their deadline. The connection limit per client prevents a single remote TCP peer from exhausting all ephemeral ports. The default is 100, but can be lowered to a minimum of 26. Since streaming RPC connections create a new TCP connection (until MultiplexV2 is used), 20 connections are reserved for Raft and non-streaming RPCs to prevent connection exhaustion due to streaming RPCs. All limits are configurable and may be disabled by setting them to `0`. This also includes a fix that closes connections that attempt to create TLS RPC connections recursively. While only users with valid mTLS certificates could perform such an operation, it was added as a safeguard to prevent programming errors before they could cause resource exhaustion.
2020-01-15 15:41:59 +00:00
require.NoError(t, err)
require.Equal(t, 37*time.Second, out.MinHeartbeatTTL)
Allow tuning of heartbeat ttls This PR allows tuning of heartbeat TTLs. An example of very aggressive settings is as follows: ``` server { heartbeat_grace = "1s" min_heartbeat_ttl = "1s" max_heartbeats_per_second = 200.0 } ```
2017-07-19 16:38:35 +00:00
conf.Server.MaxHeartbeatsPerSecond = 11.0
agent: Configurable heartbeat
2016-03-04 23:44:12 +00:00
out, err = a.serverConfig()
core: add limits to unauthorized connections Introduce limits to prevent unauthorized users from exhausting all ephemeral ports on agents: * `{https,rpc}_handshake_timeout` * `{http,rpc}_max_conns_per_client` The handshake timeout closes connections that have not completed the TLS handshake by the deadline (5s by default). For RPC connections this timeout also separately applies to first byte being read so RPC connections with TLS enabled have `rpc_handshake_time * 2` as their deadline. The connection limit per client prevents a single remote TCP peer from exhausting all ephemeral ports. The default is 100, but can be lowered to a minimum of 26. Since streaming RPC connections create a new TCP connection (until MultiplexV2 is used), 20 connections are reserved for Raft and non-streaming RPCs to prevent connection exhaustion due to streaming RPCs. All limits are configurable and may be disabled by setting them to `0`. This also includes a fix that closes connections that attempt to create TLS RPC connections recursively. While only users with valid mTLS certificates could perform such an operation, it was added as a safeguard to prevent programming errors before they could cause resource exhaustion.
2020-01-15 15:41:59 +00:00
require.NoError(t, err)
require.Equal(t, float64(11.0), out.MaxHeartbeatsPerSecond)
agent: Configurable heartbeat
2016-03-04 23:44:12 +00:00
agent: split out server config parser, add tests
2015-09-11 19:02:22 +00:00
// Defaults to the global bind addr
conf.Addresses.RPC = ""
conf.Addresses.Serf = ""
Added a test for generation of the server addr
2016-05-25 01:33:24 +00:00
conf.Addresses.HTTP = ""
Fix tests for client.TestAgent_ServerConfig Add similar logic in Agent `serverConfig()` to set up the `serverSerfAddr` the same as `serverHttpAddr` and `serverRpcAddr`.
2016-06-01 08:08:15 +00:00
conf.AdvertiseAddrs.RPC = ""
conf.AdvertiseAddrs.HTTP = ""
conf.AdvertiseAddrs.Serf = ""
conf.Ports.HTTP = 4646
conf.Ports.RPC = 4647
conf.Ports.Serf = 4648
core: add limits to unauthorized connections Introduce limits to prevent unauthorized users from exhausting all ephemeral ports on agents: * `{https,rpc}_handshake_timeout` * `{http,rpc}_max_conns_per_client` The handshake timeout closes connections that have not completed the TLS handshake by the deadline (5s by default). For RPC connections this timeout also separately applies to first byte being read so RPC connections with TLS enabled have `rpc_handshake_time * 2` as their deadline. The connection limit per client prevents a single remote TCP peer from exhausting all ephemeral ports. The default is 100, but can be lowered to a minimum of 26. Since streaming RPC connections create a new TCP connection (until MultiplexV2 is used), 20 connections are reserved for Raft and non-streaming RPCs to prevent connection exhaustion due to streaming RPCs. All limits are configurable and may be disabled by setting them to `0`. This also includes a fix that closes connections that attempt to create TLS RPC connections recursively. While only users with valid mTLS certificates could perform such an operation, it was added as a safeguard to prevent programming errors before they could cause resource exhaustion.
2020-01-15 15:41:59 +00:00
require.NoError(t, conf.normalizeAddrs())
agent: split out server config parser, add tests
2015-09-11 19:02:22 +00:00
out, err = a.serverConfig()
core: add limits to unauthorized connections Introduce limits to prevent unauthorized users from exhausting all ephemeral ports on agents: * `{https,rpc}_handshake_timeout` * `{http,rpc}_max_conns_per_client` The handshake timeout closes connections that have not completed the TLS handshake by the deadline (5s by default). For RPC connections this timeout also separately applies to first byte being read so RPC connections with TLS enabled have `rpc_handshake_time * 2` as their deadline. The connection limit per client prevents a single remote TCP peer from exhausting all ephemeral ports. The default is 100, but can be lowered to a minimum of 26. Since streaming RPC connections create a new TCP connection (until MultiplexV2 is used), 20 connections are reserved for Raft and non-streaming RPCs to prevent connection exhaustion due to streaming RPCs. All limits are configurable and may be disabled by setting them to `0`. This also includes a fix that closes connections that attempt to create TLS RPC connections recursively. While only users with valid mTLS certificates could perform such an operation, it was added as a safeguard to prevent programming errors before they could cause resource exhaustion.
2020-01-15 15:41:59 +00:00
require.NoError(t, err)
require.Equal(t, "127.0.0.3", out.RPCAddr.IP.String())
require.Equal(t, "127.0.0.3", out.SerfConfig.MemberlistConfig.BindAddr)
require.Equal(t, "127.0.0.3", conf.Addresses.HTTP)
require.Equal(t, "127.0.0.3", conf.Addresses.RPC)
require.Equal(t, "127.0.0.3", conf.Addresses.Serf)
require.Equal(t, "127.0.0.3:4646", conf.normalizedAddrs.HTTP)
require.Equal(t, "127.0.0.3:4647", conf.normalizedAddrs.RPC)
require.Equal(t, "127.0.0.3:4648", conf.normalizedAddrs.Serf)
agent: remove explicit Bootstrap option in favor of BootstrapExpect
2015-09-22 21:25:43 +00:00
// Properly handles the bootstrap flags
conf.Server.BootstrapExpect = 1
out, err = a.serverConfig()
core: add limits to unauthorized connections Introduce limits to prevent unauthorized users from exhausting all ephemeral ports on agents: * `{https,rpc}_handshake_timeout` * `{http,rpc}_max_conns_per_client` The handshake timeout closes connections that have not completed the TLS handshake by the deadline (5s by default). For RPC connections this timeout also separately applies to first byte being read so RPC connections with TLS enabled have `rpc_handshake_time * 2` as their deadline. The connection limit per client prevents a single remote TCP peer from exhausting all ephemeral ports. The default is 100, but can be lowered to a minimum of 26. Since streaming RPC connections create a new TCP connection (until MultiplexV2 is used), 20 connections are reserved for Raft and non-streaming RPCs to prevent connection exhaustion due to streaming RPCs. All limits are configurable and may be disabled by setting them to `0`. This also includes a fix that closes connections that attempt to create TLS RPC connections recursively. While only users with valid mTLS certificates could perform such an operation, it was added as a safeguard to prevent programming errors before they could cause resource exhaustion.
2020-01-15 15:41:59 +00:00
require.NoError(t, err)
Simplify Bootstrap logic in tests This change updates tests to honor `BootstrapExpect` exclusively when forming test clusters and removes test only knobs, e.g. `config.DevDisableBootstrap`. Background: Test cluster creation is fragile. Test servers don't follow the BootstapExpected route like production clusters. Instead they start as single node clusters and then get rejoin and may risk causing brain split or other test flakiness. The test framework expose few knobs to control those (e.g. `config.DevDisableBootstrap` and `config.Bootstrap`) that control whether a server should bootstrap the cluster. These flags are confusing and it's unclear when to use: their usage in multi-node cluster isn't properly documented. Furthermore, they have some bad side-effects as they don't control Raft library: If `config.DevDisableBootstrap` is true, the test server may not immediately attempt to bootstrap a cluster, but after an election timeout (~50ms), Raft may force a leadership election and win it (with only one vote) and cause a split brain. The knobs are also confusing as Bootstrap is an overloaded term. In BootstrapExpect, we refer to bootstrapping the cluster only after N servers are connected. But in tests and the knobs above, it refers to whether the server is a single node cluster and shouldn't wait for any other server. Changes: This commit makes two changes: First, it relies on `BootstrapExpected` instead of `Bootstrap` and/or `DevMode` flags. This change is relatively trivial. Introduce a `Bootstrapped` flag to track if the cluster is bootstrapped. This allows us to keep `BootstrapExpected` immutable. Previously, the flag was a config value but it gets set to 0 after cluster bootstrap completes.
2020-03-02 15:29:24 +00:00
require.Equal(t, 1, out.BootstrapExpect)
agent: remove explicit Bootstrap option in favor of BootstrapExpect
2015-09-22 21:25:43 +00:00
conf.Server.BootstrapExpect = 3
out, err = a.serverConfig()
core: add limits to unauthorized connections Introduce limits to prevent unauthorized users from exhausting all ephemeral ports on agents: * `{https,rpc}_handshake_timeout` * `{http,rpc}_max_conns_per_client` The handshake timeout closes connections that have not completed the TLS handshake by the deadline (5s by default). For RPC connections this timeout also separately applies to first byte being read so RPC connections with TLS enabled have `rpc_handshake_time * 2` as their deadline. The connection limit per client prevents a single remote TCP peer from exhausting all ephemeral ports. The default is 100, but can be lowered to a minimum of 26. Since streaming RPC connections create a new TCP connection (until MultiplexV2 is used), 20 connections are reserved for Raft and non-streaming RPCs to prevent connection exhaustion due to streaming RPCs. All limits are configurable and may be disabled by setting them to `0`. This also includes a fix that closes connections that attempt to create TLS RPC connections recursively. While only users with valid mTLS certificates could perform such an operation, it was added as a safeguard to prevent programming errors before they could cause resource exhaustion.
2020-01-15 15:41:59 +00:00
require.NoError(t, err)
Simplify Bootstrap logic in tests This change updates tests to honor `BootstrapExpect` exclusively when forming test clusters and removes test only knobs, e.g. `config.DevDisableBootstrap`. Background: Test cluster creation is fragile. Test servers don't follow the BootstapExpected route like production clusters. Instead they start as single node clusters and then get rejoin and may risk causing brain split or other test flakiness. The test framework expose few knobs to control those (e.g. `config.DevDisableBootstrap` and `config.Bootstrap`) that control whether a server should bootstrap the cluster. These flags are confusing and it's unclear when to use: their usage in multi-node cluster isn't properly documented. Furthermore, they have some bad side-effects as they don't control Raft library: If `config.DevDisableBootstrap` is true, the test server may not immediately attempt to bootstrap a cluster, but after an election timeout (~50ms), Raft may force a leadership election and win it (with only one vote) and cause a split brain. The knobs are also confusing as Bootstrap is an overloaded term. In BootstrapExpect, we refer to bootstrapping the cluster only after N servers are connected. But in tests and the knobs above, it refers to whether the server is a single node cluster and shouldn't wait for any other server. Changes: This commit makes two changes: First, it relies on `BootstrapExpected` instead of `Bootstrap` and/or `DevMode` flags. This change is relatively trivial. Introduce a `Bootstrapped` flag to track if the cluster is bootstrapped. This allows us to keep `BootstrapExpected` immutable. Previously, the flag was a config value but it gets set to 0 after cluster bootstrap completes.
2020-03-02 15:29:24 +00:00
require.Equal(t, 3, out.BootstrapExpect)
agent: split out server config parser, add tests
2015-09-11 19:02:22 +00:00
}
Added a test for testing that http addr is set properly
2016-02-16 21:42:48 +00:00
scheduler: allow configuring default preemption for system scheduler Some operators want a greater control over when preemption is enabled, especially during an upgrade to limit potential side-effects.
2020-01-12 20:50:18 +00:00
func TestAgent_ServerConfig_SchedulerFlags(t *testing.T) {
cases := []struct {
Support customizing full scheduler config
2020-01-28 16:09:36 +00:00
name string
input *structs.SchedulerConfiguration
expected structs.SchedulerConfiguration
scheduler: allow configuring default preemption for system scheduler Some operators want a greater control over when preemption is enabled, especially during an upgrade to limit potential side-effects.
2020-01-12 20:50:18 +00:00
}{
Support customizing full scheduler config
2020-01-28 16:09:36 +00:00
{
"default case",
nil,
structs.SchedulerConfiguration{
PreemptionConfig: structs.PreemptionConfig{
SystemSchedulerEnabled: true,
},
},
},
{
"empty value: preemption is disabled",
&structs.SchedulerConfiguration{},
structs.SchedulerConfiguration{
PreemptionConfig: structs.PreemptionConfig{
SystemSchedulerEnabled: false,
},
},
},
{
"all explicitly set",
&structs.SchedulerConfiguration{
PreemptionConfig: structs.PreemptionConfig{
SystemSchedulerEnabled: true,
BatchSchedulerEnabled: true,
ServiceSchedulerEnabled: true,
},
},
structs.SchedulerConfiguration{
PreemptionConfig: structs.PreemptionConfig{
SystemSchedulerEnabled: true,
BatchSchedulerEnabled: true,
ServiceSchedulerEnabled: true,
},
},
},
scheduler: allow configuring default preemption for system scheduler Some operators want a greater control over when preemption is enabled, especially during an upgrade to limit potential side-effects.
2020-01-12 20:50:18 +00:00
}
for _, c := range cases {
Support customizing full scheduler config
2020-01-28 16:09:36 +00:00
t.Run(c.name, func(t *testing.T) {
scheduler: allow configuring default preemption for system scheduler Some operators want a greater control over when preemption is enabled, especially during an upgrade to limit potential side-effects.
2020-01-12 20:50:18 +00:00
conf := DefaultConfig()
Support customizing full scheduler config
2020-01-28 16:09:36 +00:00
conf.Server.DefaultSchedulerConfig = c.input
scheduler: allow configuring default preemption for system scheduler Some operators want a greater control over when preemption is enabled, especially during an upgrade to limit potential side-effects.
2020-01-12 20:50:18 +00:00
a := &Agent{config: conf}
conf.AdvertiseAddrs.Serf = "127.0.0.1:4000"
conf.AdvertiseAddrs.RPC = "127.0.0.1:4001"
conf.AdvertiseAddrs.HTTP = "10.10.11.1:4005"
conf.ACL.Enabled = true
require.NoError(t, conf.normalizeAddrs())
out, err := a.serverConfig()
require.NoError(t, err)
Support customizing full scheduler config
2020-01-28 16:09:36 +00:00
require.Equal(t, c.expected, out.DefaultSchedulerConfig)
scheduler: allow configuring default preemption for system scheduler Some operators want a greater control over when preemption is enabled, especially during an upgrade to limit potential side-effects.
2020-01-12 20:50:18 +00:00
})
}
}
core: add limits to unauthorized connections Introduce limits to prevent unauthorized users from exhausting all ephemeral ports on agents: * `{https,rpc}_handshake_timeout` * `{http,rpc}_max_conns_per_client` The handshake timeout closes connections that have not completed the TLS handshake by the deadline (5s by default). For RPC connections this timeout also separately applies to first byte being read so RPC connections with TLS enabled have `rpc_handshake_time * 2` as their deadline. The connection limit per client prevents a single remote TCP peer from exhausting all ephemeral ports. The default is 100, but can be lowered to a minimum of 26. Since streaming RPC connections create a new TCP connection (until MultiplexV2 is used), 20 connections are reserved for Raft and non-streaming RPCs to prevent connection exhaustion due to streaming RPCs. All limits are configurable and may be disabled by setting them to `0`. This also includes a fix that closes connections that attempt to create TLS RPC connections recursively. While only users with valid mTLS certificates could perform such an operation, it was added as a safeguard to prevent programming errors before they could cause resource exhaustion.
2020-01-15 15:41:59 +00:00
// TestAgent_ServerConfig_Limits_Errors asserts invalid Limits configurations
// cause errors. This is the server-only (RPC) counterpart to
// TestHTTPServer_Limits_Error.
func TestAgent_ServerConfig_Limits_Error(t *testing.T) {
t.Parallel()
cases := []struct {
name string
expectedErr string
limits sconfig.Limits
}{
{
name: "Negative Timeout",
expectedErr: "rpc_handshake_timeout must be >= 0",
limits: sconfig.Limits{
RPCHandshakeTimeout: "-5s",
RPCMaxConnsPerClient: helper.IntToPtr(100),
},
},
{
name: "Invalid Timeout",
expectedErr: "error parsing rpc_handshake_timeout",
limits: sconfig.Limits{
RPCHandshakeTimeout: "s",
RPCMaxConnsPerClient: helper.IntToPtr(100),
},
},
{
name: "Missing Timeout",
expectedErr: "error parsing rpc_handshake_timeout",
limits: sconfig.Limits{
RPCHandshakeTimeout: "",
RPCMaxConnsPerClient: helper.IntToPtr(100),
},
},
{
name: "Negative Connection Limit",
expectedErr: "rpc_max_conns_per_client must be > 25; found: -100",
limits: sconfig.Limits{
RPCHandshakeTimeout: "5s",
RPCMaxConnsPerClient: helper.IntToPtr(-100),
},
},
{
name: "Low Connection Limit",
expectedErr: "rpc_max_conns_per_client must be > 25; found: 20",
limits: sconfig.Limits{
RPCHandshakeTimeout: "5s",
RPCMaxConnsPerClient: helper.IntToPtr(sconfig.LimitsNonStreamingConnsPerClient),
},
},
}
for i := range cases {
tc := cases[i]
t.Run(tc.name, func(t *testing.T) {
conf := DevConfig(nil)
require.NoError(t, conf.normalizeAddrs())
conf.Limits = tc.limits
serverConf, err := convertServerConfig(conf)
assert.Nil(t, serverConf)
require.Contains(t, err.Error(), tc.expectedErr)
})
}
}
// TestAgent_ServerConfig_Limits_OK asserts valid Limits configurations do not
// cause errors. This is the server-only (RPC) counterpart to
// TestHTTPServer_Limits_OK.
func TestAgent_ServerConfig_Limits_OK(t *testing.T) {
t.Parallel()
cases := []struct {
name string
limits sconfig.Limits
}{
{
name: "Default",
limits: config.DefaultLimits(),
},
{
name: "Zero+nil is valid to disable",
limits: sconfig.Limits{
RPCHandshakeTimeout: "0",
RPCMaxConnsPerClient: nil,
},
},
{
name: "Zeros are valid",
limits: sconfig.Limits{
RPCHandshakeTimeout: "0s",
RPCMaxConnsPerClient: helper.IntToPtr(0),
},
},
{
name: "Low limits are valid",
limits: sconfig.Limits{
RPCHandshakeTimeout: "1ms",
RPCMaxConnsPerClient: helper.IntToPtr(26),
},
},
{
name: "High limits are valid",
limits: sconfig.Limits{
RPCHandshakeTimeout: "5h",
RPCMaxConnsPerClient: helper.IntToPtr(100000),
},
},
}
for i := range cases {
tc := cases[i]
t.Run(tc.name, func(t *testing.T) {
conf := DevConfig(nil)
require.NoError(t, conf.normalizeAddrs())
conf.Limits = tc.limits
serverConf, err := convertServerConfig(conf)
assert.NoError(t, err)
require.NotNil(t, serverConf)
})
}
}
Added a test for testing that http addr is set properly
2016-02-16 21:42:48 +00:00
func TestAgent_ClientConfig(t *testing.T) {
More parallel
2017-07-20 05:42:15 +00:00
t.Parallel()
Added a test for testing that http addr is set properly
2016-02-16 21:42:48 +00:00
conf := DefaultConfig()
conf.Client.Enabled = true
Don't require serf advertise address for clients
2016-11-18 19:51:27 +00:00
// For Clients HTTP and RPC must be set (Serf can be skipped)
conf.Addresses.HTTP = "169.254.0.1"
conf.Addresses.RPC = "169.254.0.1"
Added a test for testing that http addr is set properly
2016-02-16 21:42:48 +00:00
conf.Ports.HTTP = 5678
Don't require serf advertise address for clients
2016-11-18 19:51:27 +00:00
a := &Agent{config: conf}
Added a test for testing that http addr is set properly
2016-02-16 21:42:48 +00:00
Addresses are just addresses - no ports Store address+port in an unexported field for ease-of-use
2016-11-09 19:37:41 +00:00
if err := conf.normalizeAddrs(); err != nil {
t.Fatalf("error normalizing config: %v", err)
Enable dev mode to allow using localhost in tests
2016-11-09 00:35:11 +00:00
}
Added a test for testing that http addr is set properly
2016-02-16 21:42:48 +00:00
c, err := a.clientConfig()
if err != nil {
t.Fatalf("got err: %v", err)
}
Don't require serf advertise address for clients
2016-11-18 19:51:27 +00:00
expectedHttpAddr := "169.254.0.1:5678"
Added a test for testing that http addr is set properly
2016-02-16 21:42:48 +00:00
if c.Node.HTTPAddr != expectedHttpAddr {
t.Fatalf("Expected http addr: %v, got: %v", expectedHttpAddr, c.Node.HTTPAddr)
}
Testing default http port is being set
2016-02-17 01:54:17 +00:00
conf = DefaultConfig()
Enable dev mode to allow using localhost in tests
2016-11-09 00:35:11 +00:00
conf.DevMode = true
Testing default http port is being set
2016-02-17 01:54:17 +00:00
a = &Agent{config: conf}
conf.Client.Enabled = true
Don't require serf advertise address for clients
2016-11-18 19:51:27 +00:00
conf.Addresses.HTTP = "169.254.0.1"
Testing default http port is being set
2016-02-17 01:54:17 +00:00
Addresses are just addresses - no ports Store address+port in an unexported field for ease-of-use
2016-11-09 19:37:41 +00:00
if err := conf.normalizeAddrs(); err != nil {
t.Fatalf("error normalizing config: %v", err)
Enable dev mode to allow using localhost in tests
2016-11-09 00:35:11 +00:00
}
Testing default http port is being set
2016-02-17 01:54:17 +00:00
c, err = a.clientConfig()
if err != nil {
t.Fatalf("got err: %v", err)
}
Don't require serf advertise address for clients
2016-11-18 19:51:27 +00:00
expectedHttpAddr = "169.254.0.1:4646"
Testing default http port is being set
2016-02-17 01:54:17 +00:00
if c.Node.HTTPAddr != expectedHttpAddr {
t.Fatalf("Expected http addr: %v, got: %v", expectedHttpAddr, c.Node.HTTPAddr)
}
Added a test for testing that http addr is set properly
2016-02-16 21:42:48 +00:00
}
Only register HTTPS agent check when Consul>=0.7.2 Support for TLSSkipVerify in other checks coming soon!
2017-04-19 04:28:25 +00:00
improve documentation move metrics to telemetry; copy to client config
2017-09-06 18:23:58 +00:00
// Clients should inherit telemetry configuration
core: add limits to unauthorized connections Introduce limits to prevent unauthorized users from exhausting all ephemeral ports on agents: * `{https,rpc}_handshake_timeout` * `{http,rpc}_max_conns_per_client` The handshake timeout closes connections that have not completed the TLS handshake by the deadline (5s by default). For RPC connections this timeout also separately applies to first byte being read so RPC connections with TLS enabled have `rpc_handshake_time * 2` as their deadline. The connection limit per client prevents a single remote TCP peer from exhausting all ephemeral ports. The default is 100, but can be lowered to a minimum of 26. Since streaming RPC connections create a new TCP connection (until MultiplexV2 is used), 20 connections are reserved for Raft and non-streaming RPCs to prevent connection exhaustion due to streaming RPCs. All limits are configurable and may be disabled by setting them to `0`. This also includes a fix that closes connections that attempt to create TLS RPC connections recursively. While only users with valid mTLS certificates could perform such an operation, it was added as a safeguard to prevent programming errors before they could cause resource exhaustion.
2020-01-15 15:41:59 +00:00
func TestAgent_Client_TelemetryConfiguration(t *testing.T) {
improve documentation move metrics to telemetry; copy to client config
2017-09-06 18:23:58 +00:00
assert := assert.New(t)
conf := DefaultConfig()
conf.DevMode = true
conf.Telemetry.DisableTaggedMetrics = true
conf.Telemetry.BackwardsCompatibleMetrics = true
a := &Agent{config: conf}
c, err := a.clientConfig()
assert.Nil(err)
telemetry := conf.Telemetry
assert.Equal(c.StatsCollectionInterval, telemetry.collectionInterval)
assert.Equal(c.PublishNodeMetrics, telemetry.PublishNodeMetrics)
assert.Equal(c.PublishAllocationMetrics, telemetry.PublishAllocationMetrics)
assert.Equal(c.DisableTaggedMetrics, telemetry.DisableTaggedMetrics)
assert.Equal(c.BackwardsCompatibleMetrics, telemetry.BackwardsCompatibleMetrics)
}
Skip https health check if verify_https_client is true
2017-05-03 00:37:09 +00:00
// TestAgent_HTTPCheck asserts Agent.agentHTTPCheck properly alters the HTTP
// API health check depending on configuration.
func TestAgent_HTTPCheck(t *testing.T) {
More parallel
2017-07-20 05:42:15 +00:00
t.Parallel()
agent + consul
2018-09-13 17:43:40 +00:00
logger := testlog.HCLogger(t)
Skip https health check if verify_https_client is true
2017-05-03 00:37:09 +00:00
agent := func() *Agent {
return &Agent{
logger: logger,
config: &Config{
AdvertiseAddrs: &AdvertiseAddrs{HTTP: "advertise:4646"},
normalizedAddrs: &Addresses{HTTP: "normalized:4646"},
Consul: &sconfig.ConsulConfig{
ChecksUseAdvertise: helper.BoolToPtr(false),
},
TLSConfig: &sconfig.TLSConfig{EnableHTTP: false},
},
}
}
t.Run("Plain HTTP Check", func(t *testing.T) {
a := agent()
Fix path used by Nomad Server HTTP Check Fixes #2701
2017-06-21 17:41:28 +00:00
check := a.agentHTTPCheck(false)
Skip https health check if verify_https_client is true
2017-05-03 00:37:09 +00:00
if check == nil {
t.Fatalf("expected non-nil check")
}
if check.Type != "http" {
t.Errorf("expected http check not: %q", check.Type)
}
Agent Health Endpoint
2017-10-13 22:37:44 +00:00
if expected := "/v1/agent/health?type=client"; check.Path != expected {
Skip https health check if verify_https_client is true
2017-05-03 00:37:09 +00:00
t.Errorf("expected %q path not: %q", expected, check.Path)
}
if check.Protocol != "http" {
t.Errorf("expected http proto not: %q", check.Protocol)
}
if expected := a.config.normalizedAddrs.HTTP; check.PortLabel != expected {
t.Errorf("expected normalized addr not %q", check.PortLabel)
}
})
t.Run("Plain HTTP + ChecksUseAdvertise", func(t *testing.T) {
a := agent()
a.config.Consul.ChecksUseAdvertise = helper.BoolToPtr(true)
Fix path used by Nomad Server HTTP Check Fixes #2701
2017-06-21 17:41:28 +00:00
check := a.agentHTTPCheck(false)
Skip https health check if verify_https_client is true
2017-05-03 00:37:09 +00:00
if check == nil {
t.Fatalf("expected non-nil check")
}
if expected := a.config.AdvertiseAddrs.HTTP; check.PortLabel != expected {
t.Errorf("expected advertise addr not %q", check.PortLabel)
}
})
Replace Consul TLSSkipVerify handling Instead of checking Consul's version on startup to see if it supports TLSSkipVerify, assume that it does and only log in the job service handler if we discover Consul does not support TLSSkipVerify. The old code would break TLSSkipVerify support if Nomad started before Consul (such as on system boot) as TLSSkipVerify would default to false if Consul wasn't running. Since TLSSkipVerify has been supported since Consul 0.7.2, it's safe to relax our handling.
2018-03-15 00:37:54 +00:00
t.Run("HTTPS", func(t *testing.T) {
Skip https health check if verify_https_client is true
2017-05-03 00:37:09 +00:00
a := agent()
a.config.TLSConfig.EnableHTTP = true
Fix path used by Nomad Server HTTP Check Fixes #2701
2017-06-21 17:41:28 +00:00
check := a.agentHTTPCheck(false)
Skip https health check if verify_https_client is true
2017-05-03 00:37:09 +00:00
if check == nil {
t.Fatalf("expected non-nil check")
}
if !check.TLSSkipVerify {
t.Errorf("expected tls skip verify")
}
if check.Protocol != "https" {
t.Errorf("expected https not: %q", check.Protocol)
}
})
t.Run("HTTPS + VerifyHTTPSClient", func(t *testing.T) {
a := agent()
a.config.TLSConfig.EnableHTTP = true
a.config.TLSConfig.VerifyHTTPSClient = true
Fix path used by Nomad Server HTTP Check Fixes #2701
2017-06-21 17:41:28 +00:00
if check := a.agentHTTPCheck(false); check != nil {
Skip https health check if verify_https_client is true
2017-05-03 00:37:09 +00:00
t.Fatalf("expected nil check not: %#v", check)
}
})
}
Fix path used by Nomad Server HTTP Check Fixes #2701
2017-06-21 17:41:28 +00:00
// TestAgent_HTTPCheckPath asserts clients and servers use different endpoints
// for healthchecks.
func TestAgent_HTTPCheckPath(t *testing.T) {
More parallel
2017-07-20 05:42:15 +00:00
t.Parallel()
Fix path used by Nomad Server HTTP Check Fixes #2701
2017-06-21 17:41:28 +00:00
// Agent.agentHTTPCheck only needs a config and logger
a := &Agent{
agent: add optional param to -dev flag for connect (#6126) Consul Connect must route traffic between network namespaces through a public interface (i.e. not localhost). In order to support testing in dev mode, users needed to manually set the interface which doesn't make for a smooth experience. This commit adds a facility for adding optional parameters to the `nomad agent -dev` flag and uses it to add a `-dev=connect` flag that binds to a public interface on the host.
2019-08-14 19:29:37 +00:00
config: DevConfig(nil),
agent + consul
2018-09-13 17:43:40 +00:00
logger: testlog.HCLogger(t),
Fix path used by Nomad Server HTTP Check Fixes #2701
2017-06-21 17:41:28 +00:00
}
if err := a.config.normalizeAddrs(); err != nil {
t.Fatalf("error normalizing config: %v", err)
}
Agent Health Endpoint
2017-10-13 22:37:44 +00:00
// Assert server check uses /v1/agent/health?type=server
Fix path used by Nomad Server HTTP Check Fixes #2701
2017-06-21 17:41:28 +00:00
isServer := true
check := a.agentHTTPCheck(isServer)
if expected := "Nomad Server HTTP Check"; check.Name != expected {
t.Errorf("expected server check name to be %q but found %q", expected, check.Name)
}
Agent Health Endpoint
2017-10-13 22:37:44 +00:00
if expected := "/v1/agent/health?type=server"; check.Path != expected {
Fix path used by Nomad Server HTTP Check Fixes #2701
2017-06-21 17:41:28 +00:00
t.Errorf("expected server check path to be %q but found %q", expected, check.Path)
}
Agent Health Endpoint
2017-10-13 22:37:44 +00:00
// Assert client check uses /v1/agent/health?type=client
Fix path used by Nomad Server HTTP Check Fixes #2701
2017-06-21 17:41:28 +00:00
isServer = false
check = a.agentHTTPCheck(isServer)
if expected := "Nomad Client HTTP Check"; check.Name != expected {
t.Errorf("expected client check name to be %q but found %q", expected, check.Name)
}
Agent Health Endpoint
2017-10-13 22:37:44 +00:00
if expected := "/v1/agent/health?type=client"; check.Path != expected {
Fix path used by Nomad Server HTTP Check Fixes #2701
2017-06-21 17:41:28 +00:00
t.Errorf("expected client check path to be %q but found %q", expected, check.Path)
}
}
Nomad agent reload TLS configuration on SIGHUP (#3479) * Allow server TLS configuration to be reloaded via SIGHUP * dynamic tls reloading for nomad agents * code cleanup and refactoring * ensure keyloader is initialized, add comments * allow downgrading from TLS * initalize keyloader if necessary * integration test for tls reload * fix up test to assert success on reloaded TLS configuration * failure in loading a new TLS config should remain at current Reload only the config if agent is already using TLS * reload agent configuration before specific server/client lock keyloader before loading/caching a new certificate * introduce a get-or-set method for keyloader * fixups from code review * fix up linting errors * fixups from code review * add lock for config updates; improve copy of tls config * GetCertificate only reloads certificates dynamically for the server * config updates/copies should be on agent * improve http integration test * simplify agent reloading storing a local copy of config * reuse the same keyloader when reloading * Test that server and client get reloaded but keep keyloader * Keyloader exposes GetClientCertificate as well for outgoing connections * Fix spelling * correct changelog style
2017-11-15 01:53:23 +00:00
Support for hot reloading log levels
2019-07-23 13:52:24 +00:00
// Here we validate that log levels get updated when the configuration is
// reloaded. I can't find a good way to fetch this from the logger itself, so
// we pull it only from the agents configuration struct, not the logger.
func TestAgent_Reload_LogLevel(t *testing.T) {
t.Parallel()
assert := assert.New(t)
agent := NewTestAgent(t, t.Name(), func(c *Config) {
c.LogLevel = "INFO"
})
defer agent.Shutdown()
assert.Equal("INFO", agent.GetConfig().LogLevel)
newConfig := &Config{
LogLevel: "TRACE",
}
assert.Nil(agent.Reload(newConfig))
assert.Equal("TRACE", agent.GetConfig().LogLevel)
}
Nomad agent reload TLS configuration on SIGHUP (#3479) * Allow server TLS configuration to be reloaded via SIGHUP * dynamic tls reloading for nomad agents * code cleanup and refactoring * ensure keyloader is initialized, add comments * allow downgrading from TLS * initalize keyloader if necessary * integration test for tls reload * fix up test to assert success on reloaded TLS configuration * failure in loading a new TLS config should remain at current Reload only the config if agent is already using TLS * reload agent configuration before specific server/client lock keyloader before loading/caching a new certificate * introduce a get-or-set method for keyloader * fixups from code review * fix up linting errors * fixups from code review * add lock for config updates; improve copy of tls config * GetCertificate only reloads certificates dynamically for the server * config updates/copies should be on agent * improve http integration test * simplify agent reloading storing a local copy of config * reuse the same keyloader when reloading * Test that server and client get reloaded but keep keyloader * Keyloader exposes GetClientCertificate as well for outgoing connections * Fix spelling * correct changelog style
2017-11-15 01:53:23 +00:00
// This test asserts that the keyloader embedded in the TLS config is shared
// across the Agent, Server, and Client. This is essential for certificate
// reloading to work.
func TestServer_Reload_TLS_Shared_Keyloader(t *testing.T) {
t.Parallel()
assert := assert.New(t)
// We will start out with a bad cert and then reload with a good one.
const (
cafile = "../../helper/tlsutil/testdata/ca.pem"
foocert = "../../helper/tlsutil/testdata/nomad-bad.pem"
fookey = "../../helper/tlsutil/testdata/nomad-bad-key.pem"
foocert2 = "../../helper/tlsutil/testdata/nomad-foo.pem"
fookey2 = "../../helper/tlsutil/testdata/nomad-foo-key.pem"
)
agent := NewTestAgent(t, t.Name(), func(c *Config) {
c.TLSConfig = &sconfig.TLSConfig{
EnableHTTP: true,
EnableRPC: true,
VerifyServerHostname: true,
CAFile: cafile,
CertFile: foocert,
KeyFile: fookey,
}
})
defer agent.Shutdown()
originalKeyloader := agent.Config.TLSConfig.GetKeyLoader()
originalCert, err := originalKeyloader.GetOutgoingCertificate(nil)
assert.NotNil(originalKeyloader)
if assert.Nil(err) {
assert.NotNil(originalCert)
}
// Switch to the correct certificates and reload
newConfig := &Config{
TLSConfig: &sconfig.TLSConfig{
EnableHTTP: true,
EnableRPC: true,
VerifyServerHostname: true,
CAFile: cafile,
CertFile: foocert2,
KeyFile: fookey2,
},
}
assert.Nil(agent.Reload(newConfig))
assert.Equal(agent.Config.TLSConfig.CertFile, newConfig.TLSConfig.CertFile)
assert.Equal(agent.Config.TLSConfig.KeyFile, newConfig.TLSConfig.KeyFile)
assert.Equal(agent.Config.TLSConfig.GetKeyLoader(), originalKeyloader)
// Assert is passed through on the server correctly
if assert.NotNil(agent.server.GetConfig().TLSConfig) {
serverKeyloader := agent.server.GetConfig().TLSConfig.GetKeyLoader()
assert.Equal(serverKeyloader, originalKeyloader)
newCert, err := serverKeyloader.GetOutgoingCertificate(nil)
assert.Nil(err)
assert.NotEqual(originalCert, newCert)
}
// Assert is passed through on the client correctly
if assert.NotNil(agent.client.GetConfig().TLSConfig) {
clientKeyloader := agent.client.GetConfig().TLSConfig.GetKeyLoader()
assert.Equal(clientKeyloader, originalKeyloader)
newCert, err := clientKeyloader.GetOutgoingCertificate(nil)
assert.Nil(err)
assert.NotEqual(originalCert, newCert)
}
}
func TestServer_Reload_TLS_Certificate(t *testing.T) {
t.Parallel()
assert := assert.New(t)
const (
cafile = "../../helper/tlsutil/testdata/ca.pem"
foocert = "../../helper/tlsutil/testdata/nomad-bad.pem"
fookey = "../../helper/tlsutil/testdata/nomad-bad-key.pem"
foocert2 = "../../helper/tlsutil/testdata/nomad-foo.pem"
fookey2 = "../../helper/tlsutil/testdata/nomad-foo-key.pem"
)
agentConfig := &Config{
TLSConfig: &sconfig.TLSConfig{
EnableHTTP: true,
EnableRPC: true,
VerifyServerHostname: true,
CAFile: cafile,
CertFile: foocert,
KeyFile: fookey,
},
}
agent := &Agent{
add in change missed from ent
2020-03-25 14:53:38 +00:00
auditor: &noOpAuditor{},
config: agentConfig,
Nomad agent reload TLS configuration on SIGHUP (#3479) * Allow server TLS configuration to be reloaded via SIGHUP * dynamic tls reloading for nomad agents * code cleanup and refactoring * ensure keyloader is initialized, add comments * allow downgrading from TLS * initalize keyloader if necessary * integration test for tls reload * fix up test to assert success on reloaded TLS configuration * failure in loading a new TLS config should remain at current Reload only the config if agent is already using TLS * reload agent configuration before specific server/client lock keyloader before loading/caching a new certificate * introduce a get-or-set method for keyloader * fixups from code review * fix up linting errors * fixups from code review * add lock for config updates; improve copy of tls config * GetCertificate only reloads certificates dynamically for the server * config updates/copies should be on agent * improve http integration test * simplify agent reloading storing a local copy of config * reuse the same keyloader when reloading * Test that server and client get reloaded but keep keyloader * Keyloader exposes GetClientCertificate as well for outgoing connections * Fix spelling * correct changelog style
2017-11-15 01:53:23 +00:00
}
newConfig := &Config{
TLSConfig: &sconfig.TLSConfig{
EnableHTTP: true,
EnableRPC: true,
VerifyServerHostname: true,
CAFile: cafile,
CertFile: foocert2,
KeyFile: fookey2,
},
}
originalKeyloader := agentConfig.TLSConfig.GetKeyLoader()
assert.NotNil(originalKeyloader)
err := agent.Reload(newConfig)
assert.Nil(err)
assert.Equal(agent.config.TLSConfig.CertFile, newConfig.TLSConfig.CertFile)
assert.Equal(agent.config.TLSConfig.KeyFile, newConfig.TLSConfig.KeyFile)
assert.Equal(agent.config.TLSConfig.GetKeyLoader(), originalKeyloader)
}
func TestServer_Reload_TLS_Certificate_Invalid(t *testing.T) {
t.Parallel()
assert := assert.New(t)
const (
cafile = "../../helper/tlsutil/testdata/ca.pem"
foocert = "../../helper/tlsutil/testdata/nomad-bad.pem"
fookey = "../../helper/tlsutil/testdata/nomad-bad-key.pem"
foocert2 = "invalid_cert_path"
fookey2 = "invalid_key_path"
)
agentConfig := &Config{
TLSConfig: &sconfig.TLSConfig{
EnableHTTP: true,
EnableRPC: true,
VerifyServerHostname: true,
CAFile: cafile,
CertFile: foocert,
KeyFile: fookey,
},
}
agent := &Agent{
add auditor
2020-03-25 14:48:23 +00:00
auditor: &noOpAuditor{},
config: agentConfig,
Nomad agent reload TLS configuration on SIGHUP (#3479) * Allow server TLS configuration to be reloaded via SIGHUP * dynamic tls reloading for nomad agents * code cleanup and refactoring * ensure keyloader is initialized, add comments * allow downgrading from TLS * initalize keyloader if necessary * integration test for tls reload * fix up test to assert success on reloaded TLS configuration * failure in loading a new TLS config should remain at current Reload only the config if agent is already using TLS * reload agent configuration before specific server/client lock keyloader before loading/caching a new certificate * introduce a get-or-set method for keyloader * fixups from code review * fix up linting errors * fixups from code review * add lock for config updates; improve copy of tls config * GetCertificate only reloads certificates dynamically for the server * config updates/copies should be on agent * improve http integration test * simplify agent reloading storing a local copy of config * reuse the same keyloader when reloading * Test that server and client get reloaded but keep keyloader * Keyloader exposes GetClientCertificate as well for outgoing connections * Fix spelling * correct changelog style
2017-11-15 01:53:23 +00:00
}
newConfig := &Config{
TLSConfig: &sconfig.TLSConfig{
EnableHTTP: true,
EnableRPC: true,
VerifyServerHostname: true,
CAFile: cafile,
CertFile: foocert2,
KeyFile: fookey2,
},
}
err := agent.Reload(newConfig)
assert.NotNil(err)
assert.NotEqual(agent.config.TLSConfig.CertFile, newConfig.TLSConfig.CertFile)
assert.NotEqual(agent.config.TLSConfig.KeyFile, newConfig.TLSConfig.KeyFile)
}
func Test_GetConfig(t *testing.T) {
assert := assert.New(t)
agentConfig := &Config{
Telemetry: &Telemetry{},
Client: &ClientConfig{},
Server: &ServerConfig{},
ACL: &ACLConfig{},
Ports: &Ports{},
Addresses: &Addresses{},
AdvertiseAddrs: &AdvertiseAddrs{},
Vault: &sconfig.VaultConfig{},
Consul: &sconfig.ConsulConfig{},
Sentinel: &sconfig.SentinelConfig{},
}
agent := &Agent{
config: agentConfig,
}
actualAgentConfig := agent.GetConfig()
assert.Equal(actualAgentConfig, agentConfig)
}
add ability to upgrade/downgrade nomad agents tls configurations via sighup
2017-11-20 15:38:46 +00:00
func TestServer_Reload_TLS_WithNilConfiguration(t *testing.T) {
t.Parallel()
assert := assert.New(t)
agent + consul
2018-09-13 17:43:40 +00:00
logger := testlog.HCLogger(t)
add ability to upgrade/downgrade nomad agents tls configurations via sighup
2017-11-20 15:38:46 +00:00
agent := &Agent{
logger: logger,
config: &Config{},
}
err := agent.Reload(nil)
assert.NotNil(err)
assert.Equal(err.Error(), "cannot reload agent with nil configuration")
}
func TestServer_Reload_TLS_UpgradeToTLS(t *testing.T) {
t.Parallel()
assert := assert.New(t)
const (
cafile = "../../helper/tlsutil/testdata/ca.pem"
foocert = "../../helper/tlsutil/testdata/nomad-foo.pem"
fookey = "../../helper/tlsutil/testdata/nomad-foo-key.pem"
)
dir := tmpDir(t)
defer os.RemoveAll(dir)
agent + consul
2018-09-13 17:43:40 +00:00
logger := testlog.HCLogger(t)
add ability to upgrade/downgrade nomad agents tls configurations via sighup
2017-11-20 15:38:46 +00:00
agentConfig := &Config{
TLSConfig: &sconfig.TLSConfig{},
}
agent := &Agent{
add in change missed from ent
2020-03-25 14:53:38 +00:00
auditor: &noOpAuditor{},
logger: logger,
config: agentConfig,
add ability to upgrade/downgrade nomad agents tls configurations via sighup
2017-11-20 15:38:46 +00:00
}
newConfig := &Config{
TLSConfig: &sconfig.TLSConfig{
EnableHTTP: true,
EnableRPC: true,
VerifyServerHostname: true,
CAFile: cafile,
CertFile: foocert,
KeyFile: fookey,
},
}
err := agent.Reload(newConfig)
assert.Nil(err)
assert.Equal(agent.config.TLSConfig.CAFile, newConfig.TLSConfig.CAFile)
assert.Equal(agent.config.TLSConfig.CertFile, newConfig.TLSConfig.CertFile)
assert.Equal(agent.config.TLSConfig.KeyFile, newConfig.TLSConfig.KeyFile)
}
func TestServer_Reload_TLS_DowngradeFromTLS(t *testing.T) {
t.Parallel()
assert := assert.New(t)
const (
cafile = "../../helper/tlsutil/testdata/ca.pem"
foocert = "../../helper/tlsutil/testdata/nomad-foo.pem"
fookey = "../../helper/tlsutil/testdata/nomad-foo-key.pem"
)
dir := tmpDir(t)
defer os.RemoveAll(dir)
agent + consul
2018-09-13 17:43:40 +00:00
logger := testlog.HCLogger(t)
add ability to upgrade/downgrade nomad agents tls configurations via sighup
2017-11-20 15:38:46 +00:00
agentConfig := &Config{
TLSConfig: &sconfig.TLSConfig{
EnableHTTP: true,
EnableRPC: true,
VerifyServerHostname: true,
CAFile: cafile,
CertFile: foocert,
KeyFile: fookey,
},
}
agent := &Agent{
tests: test agent to use a noop auditor
2020-03-25 12:30:44 +00:00
logger: logger,
config: agentConfig,
auditor: &noOpAuditor{},
add ability to upgrade/downgrade nomad agents tls configurations via sighup
2017-11-20 15:38:46 +00:00
}
newConfig := &Config{
TLSConfig: &sconfig.TLSConfig{},
}
assert.False(agentConfig.TLSConfig.IsEmpty())
err := agent.Reload(newConfig)
assert.Nil(err)
assert.True(agentConfig.TLSConfig.IsEmpty())
}
func TestServer_ShouldReload_ReturnFalseForNoChanges(t *testing.T) {
t.Parallel()
assert := assert.New(t)
const (
cafile = "../../helper/tlsutil/testdata/ca.pem"
foocert = "../../helper/tlsutil/testdata/nomad-foo.pem"
fookey = "../../helper/tlsutil/testdata/nomad-foo-key.pem"
)
dir := tmpDir(t)
defer os.RemoveAll(dir)
check file contents when determining if agent should reload TLS configuration
2018-03-26 19:55:32 +00:00
sameAgentConfig := &Config{
add ability to upgrade/downgrade nomad agents tls configurations via sighup
2017-11-20 15:38:46 +00:00
TLSConfig: &sconfig.TLSConfig{
EnableHTTP: true,
EnableRPC: true,
VerifyServerHostname: true,
CAFile: cafile,
CertFile: foocert,
KeyFile: fookey,
},
}
check file contents when determining if agent should reload TLS configuration
2018-03-26 19:55:32 +00:00
agent := NewTestAgent(t, t.Name(), func(c *Config) {
c.TLSConfig = &sconfig.TLSConfig{
add ability to upgrade/downgrade nomad agents tls configurations via sighup
2017-11-20 15:38:46 +00:00
EnableHTTP: true,
EnableRPC: true,
VerifyServerHostname: true,
CAFile: cafile,
CertFile: foocert,
KeyFile: fookey,
check file contents when determining if agent should reload TLS configuration
2018-03-26 19:55:32 +00:00
}
})
defer agent.Shutdown()
add ability to upgrade/downgrade nomad agents tls configurations via sighup
2017-11-20 15:38:46 +00:00
remove logic to reload RPC connections from agent
2018-06-08 17:14:40 +00:00
shouldReloadAgent, shouldReloadHTTP := agent.ShouldReload(sameAgentConfig)
adding additional test assertions; differentiate reloading agent and http server
2018-01-16 12:34:39 +00:00
assert.False(shouldReloadAgent)
Allow TLS configurations for HTTP and RPC connections to be reloaded separately
2018-03-21 16:46:05 +00:00
assert.False(shouldReloadHTTP)
}
func TestServer_ShouldReload_ReturnTrueForOnlyHTTPChanges(t *testing.T) {
t.Parallel()
code review feedback
2018-03-23 21:58:10 +00:00
require := require.New(t)
Allow TLS configurations for HTTP and RPC connections to be reloaded separately
2018-03-21 16:46:05 +00:00
const (
cafile = "../../helper/tlsutil/testdata/ca.pem"
foocert = "../../helper/tlsutil/testdata/nomad-foo.pem"
fookey = "../../helper/tlsutil/testdata/nomad-foo-key.pem"
)
dir := tmpDir(t)
defer os.RemoveAll(dir)
check file contents when determining if agent should reload TLS configuration
2018-03-26 19:55:32 +00:00
sameAgentConfig := &Config{
Allow TLS configurations for HTTP and RPC connections to be reloaded separately
2018-03-21 16:46:05 +00:00
TLSConfig: &sconfig.TLSConfig{
EnableHTTP: false,
EnableRPC: true,
VerifyServerHostname: true,
CAFile: cafile,
CertFile: foocert,
KeyFile: fookey,
},
}
check file contents when determining if agent should reload TLS configuration
2018-03-26 19:55:32 +00:00
agent := NewTestAgent(t, t.Name(), func(c *Config) {
c.TLSConfig = &sconfig.TLSConfig{
Allow TLS configurations for HTTP and RPC connections to be reloaded separately
2018-03-21 16:46:05 +00:00
EnableHTTP: true,
EnableRPC: true,
VerifyServerHostname: true,
CAFile: cafile,
CertFile: foocert,
KeyFile: fookey,
check file contents when determining if agent should reload TLS configuration
2018-03-26 19:55:32 +00:00
}
})
defer agent.Shutdown()
Allow TLS configurations for HTTP and RPC connections to be reloaded separately
2018-03-21 16:46:05 +00:00
remove logic to reload RPC connections from agent
2018-06-08 17:14:40 +00:00
shouldReloadAgent, shouldReloadHTTP := agent.ShouldReload(sameAgentConfig)
code review feedback
2018-03-23 21:58:10 +00:00
require.True(shouldReloadAgent)
require.True(shouldReloadHTTP)
Allow TLS configurations for HTTP and RPC connections to be reloaded separately
2018-03-21 16:46:05 +00:00
}
func TestServer_ShouldReload_ReturnTrueForOnlyRPCChanges(t *testing.T) {
t.Parallel()
assert := assert.New(t)
const (
cafile = "../../helper/tlsutil/testdata/ca.pem"
foocert = "../../helper/tlsutil/testdata/nomad-foo.pem"
fookey = "../../helper/tlsutil/testdata/nomad-foo-key.pem"
)
dir := tmpDir(t)
defer os.RemoveAll(dir)
check file contents when determining if agent should reload TLS configuration
2018-03-26 19:55:32 +00:00
sameAgentConfig := &Config{
Allow TLS configurations for HTTP and RPC connections to be reloaded separately
2018-03-21 16:46:05 +00:00
TLSConfig: &sconfig.TLSConfig{
EnableHTTP: true,
check file contents when determining if agent should reload TLS configuration
2018-03-26 19:55:32 +00:00
EnableRPC: true,
Allow TLS configurations for HTTP and RPC connections to be reloaded separately
2018-03-21 16:46:05 +00:00
VerifyServerHostname: true,
CAFile: cafile,
CertFile: foocert,
KeyFile: fookey,
},
}
check file contents when determining if agent should reload TLS configuration
2018-03-26 19:55:32 +00:00
agent := NewTestAgent(t, t.Name(), func(c *Config) {
c.TLSConfig = &sconfig.TLSConfig{
Allow TLS configurations for HTTP and RPC connections to be reloaded separately
2018-03-21 16:46:05 +00:00
EnableHTTP: true,
check file contents when determining if agent should reload TLS configuration
2018-03-26 19:55:32 +00:00
EnableRPC: false,
Allow TLS configurations for HTTP and RPC connections to be reloaded separately
2018-03-21 16:46:05 +00:00
VerifyServerHostname: true,
CAFile: cafile,
CertFile: foocert,
KeyFile: fookey,
check file contents when determining if agent should reload TLS configuration
2018-03-26 19:55:32 +00:00
}
})
defer agent.Shutdown()
Allow TLS configurations for HTTP and RPC connections to be reloaded separately
2018-03-21 16:46:05 +00:00
remove logic to reload RPC connections from agent
2018-06-08 17:14:40 +00:00
shouldReloadAgent, shouldReloadHTTP := agent.ShouldReload(sameAgentConfig)
Allow TLS configurations for HTTP and RPC connections to be reloaded separately
2018-03-21 16:46:05 +00:00
assert.True(shouldReloadAgent)
assert.False(shouldReloadHTTP)
add ability to upgrade/downgrade nomad agents tls configurations via sighup
2017-11-20 15:38:46 +00:00
}
func TestServer_ShouldReload_ReturnTrueForConfigChanges(t *testing.T) {
t.Parallel()
assert := assert.New(t)
const (
cafile = "../../helper/tlsutil/testdata/ca.pem"
foocert = "../../helper/tlsutil/testdata/nomad-foo.pem"
fookey = "../../helper/tlsutil/testdata/nomad-foo-key.pem"
check file contents when determining if agent should reload TLS configuration
2018-03-26 19:55:32 +00:00
foocert2 = "../../helper/tlsutil/testdata/nomad-bad.pem"
fookey2 = "../../helper/tlsutil/testdata/nomad-bad-key.pem"
add ability to upgrade/downgrade nomad agents tls configurations via sighup
2017-11-20 15:38:46 +00:00
)
dir := tmpDir(t)
defer os.RemoveAll(dir)
check file contents when determining if agent should reload TLS configuration
2018-03-26 19:55:32 +00:00
agent := NewTestAgent(t, t.Name(), func(c *Config) {
c.TLSConfig = &sconfig.TLSConfig{
add ability to upgrade/downgrade nomad agents tls configurations via sighup
2017-11-20 15:38:46 +00:00
EnableHTTP: true,
EnableRPC: true,
VerifyServerHostname: true,
CAFile: cafile,
CertFile: foocert,
KeyFile: fookey,
check file contents when determining if agent should reload TLS configuration
2018-03-26 19:55:32 +00:00
}
})
defer agent.Shutdown()
add ability to upgrade/downgrade nomad agents tls configurations via sighup
2017-11-20 15:38:46 +00:00
newConfig := &Config{
TLSConfig: &sconfig.TLSConfig{
EnableHTTP: true,
EnableRPC: true,
VerifyServerHostname: true,
CAFile: cafile,
CertFile: foocert2,
KeyFile: fookey2,
},
}
remove logic to reload RPC connections from agent
2018-06-08 17:14:40 +00:00
shouldReloadAgent, shouldReloadHTTP := agent.ShouldReload(newConfig)
check file contents when determining if agent should reload TLS configuration
2018-03-26 19:55:32 +00:00
assert.True(shouldReloadAgent)
assert.True(shouldReloadHTTP)
}
func TestServer_ShouldReload_ReturnTrueForFileChanges(t *testing.T) {
t.Parallel()
require := require.New(t)
oldCertificate := `
-----BEGIN CERTIFICATE-----
MIICrzCCAlagAwIBAgIUN+4rYZ6wqQCIBzYYd0sfX2e8hDowCgYIKoZIzj0EAwIw
eDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExFjAUBgNVBAcTDVNh
biBGcmFuY2lzY28xEjAQBgNVBAoTCUhhc2hpQ29ycDEOMAwGA1UECxMFTm9tYWQx
GDAWBgNVBAMTD25vbWFkLmhhc2hpY29ycDAgFw0xNjExMTAxOTU2MDBaGA8yMTE2
MTAxNzE5NTYwMFoweDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWEx
FjAUBgNVBAcTDVNhbiBGcmFuY2lzY28xEjAQBgNVBAoTCUhhc2hpQ29ycDEOMAwG
A1UECxMFTm9tYWQxGDAWBgNVBAMTD3JlZ2lvbkZvby5ub21hZDBZMBMGByqGSM49
AgEGCCqGSM49AwEHA0IABOqGSFNjm+EBlLYlxmIP6SQTdX8U/6hbPWObB0ffkEO/
CFweeYIVWb3FKNPqYAlhMqg1K0ileD0FbhEzarP0sL6jgbswgbgwDgYDVR0PAQH/
BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMBAf8E
AjAAMB0GA1UdDgQWBBQnMcjU4yI3k0AoMtapACpO+w9QMTAfBgNVHSMEGDAWgBQ6
NWr8F5y2eFwqfoQdQPg0kWb9QDA5BgNVHREEMjAwghZzZXJ2ZXIucmVnaW9uRm9v
Lm5vbWFkghZjbGllbnQucmVnaW9uRm9vLm5vbWFkMAoGCCqGSM49BAMCA0cAMEQC
ICrvzc5NzqhdT/HkazAx5OOUU8hqoptnmhRmwn6X+0y9AiA8bNvMUxHz3ZLjGBiw
PLBDC2UaSDqJqiiYpYegLhbQtw==
-----END CERTIFICATE-----
`
content := []byte(oldCertificate)
dir, err := ioutil.TempDir("", "certificate")
if err != nil {
Tests only use testlog package logger
2018-06-13 22:33:25 +00:00
t.Fatal(err)
check file contents when determining if agent should reload TLS configuration
2018-03-26 19:55:32 +00:00
}
defer os.RemoveAll(dir) // clean up
tmpfn := filepath.Join(dir, "testcert")
err = ioutil.WriteFile(tmpfn, content, 0666)
require.Nil(err)
const (
cafile = "../../helper/tlsutil/testdata/ca.pem"
key = "../../helper/tlsutil/testdata/nomad-foo-key.pem"
)
agent + consul
2018-09-13 17:43:40 +00:00
logger := testlog.HCLogger(t)
check file contents when determining if agent should reload TLS configuration
2018-03-26 19:55:32 +00:00
agentConfig := &Config{
TLSConfig: &sconfig.TLSConfig{
EnableHTTP: true,
EnableRPC: true,
VerifyServerHostname: true,
CAFile: cafile,
CertFile: tmpfn,
KeyFile: key,
},
}
add ability to upgrade/downgrade nomad agents tls configurations via sighup
2017-11-20 15:38:46 +00:00
agent := &Agent{
logger: logger,
config: agentConfig,
}
check file contents when determining if agent should reload TLS configuration
2018-03-26 19:55:32 +00:00
agent.config.TLSConfig.SetChecksum()
add ability to upgrade/downgrade nomad agents tls configurations via sighup
2017-11-20 15:38:46 +00:00
remove logic to reload RPC connections from agent
2018-06-08 17:14:40 +00:00
shouldReloadAgent, shouldReloadHTTP := agent.ShouldReload(agentConfig)
check file contents when determining if agent should reload TLS configuration
2018-03-26 19:55:32 +00:00
require.False(shouldReloadAgent)
require.False(shouldReloadHTTP)
newCertificate := `
-----BEGIN CERTIFICATE-----
MIICtTCCAlqgAwIBAgIUQp/L2szbgE4b1ASlPOZMReFE27owCgYIKoZIzj0EAwIw
fDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExFjAUBgNVBAcTDVNh
biBGcmFuY2lzY28xEjAQBgNVBAoTCUhhc2hpQ29ycDEOMAwGA1UECxMFTm9tYWQx
HDAaBgNVBAMTE2JhZC5ub21hZC5oYXNoaWNvcnAwIBcNMTYxMTEwMjAxMDAwWhgP
MjExNjEwMTcyMDEwMDBaMHgxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9y
bmlhMRYwFAYDVQQHEw1TYW4gRnJhbmNpc2NvMRIwEAYDVQQKEwlIYXNoaUNvcnAx
DjAMBgNVBAsTBU5vbWFkMRgwFgYDVQQDEw9yZWdpb25CYWQubm9tYWQwWTATBgcq
hkjOPQIBBggqhkjOPQMBBwNCAAQk6oXJwlxNrKvl6kpeeR4NJc5EYFI2b3y7odjY
u55Jp4sI91JVDqnpyatkyGmavdAWa4t0U6HkeaWqKk16/ZcYo4G7MIG4MA4GA1Ud
DwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDAYDVR0T
AQH/BAIwADAdBgNVHQ4EFgQUxhzOftFR2L0QAPx8LOuP99WPbpgwHwYDVR0jBBgw
FoAUHPDLSgzlHqBEh+c4A7HeT0GWygIwOQYDVR0RBDIwMIIWc2VydmVyLnJlZ2lv
bkJhZC5ub21hZIIWY2xpZW50LnJlZ2lvbkJhZC5ub21hZDAKBggqhkjOPQQDAgNJ
ADBGAiEAq2rnBeX/St/8i9Cab7Yw0C7pjcaE+mrFYeQByng1Uc0CIQD/o4BrZdkX
Nm7QGTRZbUFZTHYZr0ULz08Iaz2aHQ6Mcw==
-----END CERTIFICATE-----
`
fix up test for file content changes
2018-03-28 17:18:13 +00:00
os.Remove(tmpfn)
err = ioutil.WriteFile(tmpfn, []byte(newCertificate), 0666)
check file contents when determining if agent should reload TLS configuration
2018-03-26 19:55:32 +00:00
require.Nil(err)
fix up test for file content changes
2018-03-28 17:18:13 +00:00
newAgentConfig := &Config{
TLSConfig: &sconfig.TLSConfig{
EnableHTTP: true,
EnableRPC: true,
VerifyServerHostname: true,
CAFile: cafile,
CertFile: tmpfn,
KeyFile: key,
},
}
remove logic to reload RPC connections from agent
2018-06-08 17:14:40 +00:00
shouldReloadAgent, shouldReloadHTTP = agent.ShouldReload(newAgentConfig)
check file contents when determining if agent should reload TLS configuration
2018-03-26 19:55:32 +00:00
require.True(shouldReloadAgent)
require.True(shouldReloadHTTP)
}
func TestServer_ShouldReload_ShouldHandleMultipleChanges(t *testing.T) {
t.Parallel()
require := require.New(t)
const (
cafile = "../../helper/tlsutil/testdata/ca.pem"
foocert = "../../helper/tlsutil/testdata/nomad-foo.pem"
fookey = "../../helper/tlsutil/testdata/nomad-foo-key.pem"
foocert2 = "../../helper/tlsutil/testdata/nomad-bad.pem"
fookey2 = "../../helper/tlsutil/testdata/nomad-bad-key.pem"
)
dir := tmpDir(t)
defer os.RemoveAll(dir)
sameAgentConfig := &Config{
TLSConfig: &sconfig.TLSConfig{
EnableHTTP: true,
EnableRPC: true,
VerifyServerHostname: true,
CAFile: cafile,
CertFile: foocert,
KeyFile: fookey,
},
}
agent := NewTestAgent(t, t.Name(), func(c *Config) {
c.TLSConfig = &sconfig.TLSConfig{
EnableHTTP: true,
EnableRPC: true,
VerifyServerHostname: true,
CAFile: cafile,
CertFile: foocert2,
KeyFile: fookey2,
}
})
defer agent.Shutdown()
{
remove logic to reload RPC connections from agent
2018-06-08 17:14:40 +00:00
shouldReloadAgent, shouldReloadHTTP := agent.ShouldReload(sameAgentConfig)
check file contents when determining if agent should reload TLS configuration
2018-03-26 19:55:32 +00:00
require.True(shouldReloadAgent)
require.True(shouldReloadHTTP)
}
err := agent.Reload(sameAgentConfig)
require.Nil(err)
{
remove logic to reload RPC connections from agent
2018-06-08 17:14:40 +00:00
shouldReloadAgent, shouldReloadHTTP := agent.ShouldReload(sameAgentConfig)
check file contents when determining if agent should reload TLS configuration
2018-03-26 19:55:32 +00:00
require.False(shouldReloadAgent)
require.False(shouldReloadHTTP)
}
add ability to upgrade/downgrade nomad agents tls configurations via sighup
2017-11-20 15:38:46 +00:00
}
Unit test for dev agent
2018-05-22 21:39:51 +00:00
func TestAgent_ProxyRPC_Dev(t *testing.T) {
t.Parallel()
agent := NewTestAgent(t, t.Name(), nil)
defer agent.Shutdown()
id := agent.client.NodeID()
req := &structs.NodeSpecificRequest{
NodeID: id,
QueryOptions: structs.QueryOptions{
Region: agent.server.Region(),
},
}
time.Sleep(100 * time.Millisecond)
var resp cstructs.ClientStatsResponse
if err := agent.RPC("ClientStats.Stats", req, &resp); err != nil {
t.Fatalf("err: %v", err)
}
}