open-nomad/client/allocrunner/taskrunner/sids_hook_test.go

package taskrunner

import (
	"context"
	"io/ioutil"
	"os"
	"testing"
	"time"

	"github.com/hashicorp/nomad/client/allocrunner/interfaces"
	"github.com/hashicorp/nomad/client/consul"
	"github.com/hashicorp/nomad/helper"
	"github.com/hashicorp/nomad/helper/testlog"
	"github.com/hashicorp/nomad/helper/uuid"
	"github.com/hashicorp/nomad/nomad/structs"
	"github.com/stretchr/testify/require"
)

var _ interfaces.TaskPrestartHook = (*sidsHook)(nil)

func tmpDir(t *testing.T) string {
	dir, err := ioutil.TempDir("", "sids-")
	require.NoError(t, err)
	return dir
}

func cleanupDir(t *testing.T, dir string) {
	err := os.RemoveAll(dir)
	require.NoError(t, err)
}

func sidecar(task string) (string, structs.TaskKind) {
	name := structs.ConnectProxyPrefix + "-" + task
	kind := structs.TaskKind(structs.ConnectProxyPrefix + ":" + task)
	return name, kind
}

func TestSIDSHook_recoverToken(t *testing.T) {
	t.Parallel()
	r := require.New(t)

	secrets := tmpDir(t)
	defer cleanupDir(t, secrets)

	taskName, taskKind := sidecar("foo")

	h := newSIDSHook(sidsHookConfig{
		task: &structs.Task{
			Name: taskName,
			Kind: taskKind,
		},
		logger: testlog.HCLogger(t),
	})

	expected := uuid.Generate()
	err := h.writeToken(secrets, expected)
	r.NoError(err)

	token, err := h.recoverToken(secrets)
	r.NoError(err)
	r.Equal(expected, token)
}

func TestSIDSHook_recoverToken_empty(t *testing.T) {
	t.Parallel()
	r := require.New(t)

	secrets := tmpDir(t)
	defer cleanupDir(t, secrets)

	taskName, taskKind := sidecar("foo")

	h := newSIDSHook(sidsHookConfig{
		task: &structs.Task{
			Name: taskName,
			Kind: taskKind,
		},
		logger: testlog.HCLogger(t),
	})

	token, err := h.recoverToken(secrets)
	r.NoError(err)
	r.Empty(token)
}

func TestSIDSHook_deriveSIToken(t *testing.T) {
	t.Parallel()
	r := require.New(t)

	secrets := tmpDir(t)
	defer cleanupDir(t, secrets)

	taskName, taskKind := sidecar("task1")

	h := newSIDSHook(sidsHookConfig{
		alloc: &structs.Allocation{ID: "a1"},
		task: &structs.Task{
			Name: taskName,
			Kind: taskKind,
		},
		logger:     testlog.HCLogger(t),
		sidsClient: consul.NewMockServiceIdentitiesClient(),
	})

	ctx := context.Background()
	token, err := h.deriveSIToken(ctx)
	r.NoError(err)
	r.True(helper.IsUUID(token), "token: %q", token)
}

func TestSIDSHook_deriveSIToken_timeout(t *testing.T) {
	t.Parallel()
	r := require.New(t)

	secrets := tmpDir(t)
	defer cleanupDir(t, secrets)

	taskName, taskKind := sidecar("task1")

	siClient := consul.NewMockServiceIdentitiesClient()
	siClient.DeriveTokenFn = func(allocation *structs.Allocation, strings []string) (m map[string]string, err error) {
		select {
		// block forever, hopefully triggering a timeout in the caller
		}
	}

	h := newSIDSHook(sidsHookConfig{
		alloc: &structs.Allocation{ID: "a1"},
		task: &structs.Task{
			Name: taskName,
			Kind: taskKind,
		},
		logger:     testlog.HCLogger(t),
		sidsClient: siClient,
	})

	// set the timeout to a really small value for testing
	h.derivationTimeout = time.Duration(1 * time.Millisecond)

	ctx := context.Background()
	_, err := h.deriveSIToken(ctx)
	r.EqualError(err, "context deadline exceeded")
}

func TestSIDSHook_computeBackoff(t *testing.T) {
	t.Parallel()

	try := func(i int, exp time.Duration) {
		result := computeBackoff(i)
		require.Equal(t, exp, result)
	}

	try(0, time.Duration(0))
	try(1, 100*time.Millisecond)
	try(2, 10*time.Second)
	try(3, 15*time.Second)
	try(4, 20*time.Second)
	try(5, 25*time.Second)
}

func TestSIDSHook_backoff(t *testing.T) {
	t.Parallel()
	r := require.New(t)

	ctx := context.Background()
	stop := !backoff(ctx, 0)
	r.False(stop)
}

func TestSIDSHook_backoffKilled(t *testing.T) {
	t.Parallel()
	r := require.New(t)

	ctx, cancel := context.WithTimeout(context.Background(), 1)
	defer cancel()

	stop := !backoff(ctx, 1000)
	r.True(stop)
}
client: enable nomad client to request and set SI tokens for tasks When a job is configured with Consul Connect aware tasks (i.e. sidecar), the Nomad Client should be able to request from Consul (through Nomad Server) Service Identity tokens specific to those tasks. 2019-11-27 21:41:45 +00:00			`package taskrunner`

			`import (`
			`"context"`
			`"io/ioutil"`
			`"os"`
			`"testing"`
			`"time"`

			`"github.com/hashicorp/nomad/client/allocrunner/interfaces"`
			`"github.com/hashicorp/nomad/client/consul"`
			`"github.com/hashicorp/nomad/helper"`
			`"github.com/hashicorp/nomad/helper/testlog"`
nomad,client: apply more comment/style PR tweaks 2020-01-15 15:29:47 +00:00			`"github.com/hashicorp/nomad/helper/uuid"`
client: enable nomad client to request and set SI tokens for tasks When a job is configured with Consul Connect aware tasks (i.e. sidecar), the Nomad Client should be able to request from Consul (through Nomad Server) Service Identity tokens specific to those tasks. 2019-11-27 21:41:45 +00:00			`"github.com/hashicorp/nomad/nomad/structs"`
			`"github.com/stretchr/testify/require"`
			`)`

			`var _ interfaces.TaskPrestartHook = (*sidsHook)(nil)`

			`func tmpDir(t *testing.T) string {`
			`dir, err := ioutil.TempDir("", "sids-")`
			`require.NoError(t, err)`
			`return dir`
			`}`

			`func cleanupDir(t *testing.T, dir string) {`
			`err := os.RemoveAll(dir)`
			`require.NoError(t, err)`
			`}`

client: enable envoy bootstrap hook to set SI token When creating the envoy bootstrap configuration, we should append the "-token=<token>" argument in the case where the sidsHook placed the token in the secrets directory. 2019-12-18 16:23:16 +00:00			`func sidecar(task string) (string, structs.TaskKind) {`
			`name := structs.ConnectProxyPrefix + "-" + task`
			`kind := structs.TaskKind(structs.ConnectProxyPrefix + ":" + task)`
			`return name, kind`
			`}`

client: enable nomad client to request and set SI tokens for tasks When a job is configured with Consul Connect aware tasks (i.e. sidecar), the Nomad Client should be able to request from Consul (through Nomad Server) Service Identity tokens specific to those tasks. 2019-11-27 21:41:45 +00:00			`func TestSIDSHook_recoverToken(t *testing.T) {`
			`t.Parallel()`
			`r := require.New(t)`
client: set context timeout around SI token derivation The derivation of an SI token needs to be safegaurded by a context timeout, otherwise an unresponsive Consul could cause the siHook to block forever on Prestart. 2020-01-15 15:56:48 +00:00
client: enable nomad client to request and set SI tokens for tasks When a job is configured with Consul Connect aware tasks (i.e. sidecar), the Nomad Client should be able to request from Consul (through Nomad Server) Service Identity tokens specific to those tasks. 2019-11-27 21:41:45 +00:00			`secrets := tmpDir(t)`
			`defer cleanupDir(t, secrets)`

client: enable envoy bootstrap hook to set SI token When creating the envoy bootstrap configuration, we should append the "-token=<token>" argument in the case where the sidsHook placed the token in the secrets directory. 2019-12-18 16:23:16 +00:00			`taskName, taskKind := sidecar("foo")`

client: enable nomad client to request and set SI tokens for tasks When a job is configured with Consul Connect aware tasks (i.e. sidecar), the Nomad Client should be able to request from Consul (through Nomad Server) Service Identity tokens specific to those tasks. 2019-11-27 21:41:45 +00:00			`h := newSIDSHook(sidsHookConfig{`
client: enable envoy bootstrap hook to set SI token When creating the envoy bootstrap configuration, we should append the "-token=<token>" argument in the case where the sidsHook placed the token in the secrets directory. 2019-12-18 16:23:16 +00:00			`task: &structs.Task{`
			`Name: taskName,`
			`Kind: taskKind,`
			`},`
client: enable nomad client to request and set SI tokens for tasks When a job is configured with Consul Connect aware tasks (i.e. sidecar), the Nomad Client should be able to request from Consul (through Nomad Server) Service Identity tokens specific to those tasks. 2019-11-27 21:41:45 +00:00			`logger: testlog.HCLogger(t),`
			`})`

nomad,client: apply more comment/style PR tweaks 2020-01-15 15:29:47 +00:00			`expected := uuid.Generate()`
client: enable nomad client to request and set SI tokens for tasks When a job is configured with Consul Connect aware tasks (i.e. sidecar), the Nomad Client should be able to request from Consul (through Nomad Server) Service Identity tokens specific to those tasks. 2019-11-27 21:41:45 +00:00			`err := h.writeToken(secrets, expected)`
			`r.NoError(err)`

			`token, err := h.recoverToken(secrets)`
			`r.NoError(err)`
			`r.Equal(expected, token)`
			`}`

			`func TestSIDSHook_recoverToken_empty(t *testing.T) {`
			`t.Parallel()`
			`r := require.New(t)`
client: set context timeout around SI token derivation The derivation of an SI token needs to be safegaurded by a context timeout, otherwise an unresponsive Consul could cause the siHook to block forever on Prestart. 2020-01-15 15:56:48 +00:00
client: enable nomad client to request and set SI tokens for tasks When a job is configured with Consul Connect aware tasks (i.e. sidecar), the Nomad Client should be able to request from Consul (through Nomad Server) Service Identity tokens specific to those tasks. 2019-11-27 21:41:45 +00:00			`secrets := tmpDir(t)`
			`defer cleanupDir(t, secrets)`

client: enable envoy bootstrap hook to set SI token When creating the envoy bootstrap configuration, we should append the "-token=<token>" argument in the case where the sidsHook placed the token in the secrets directory. 2019-12-18 16:23:16 +00:00			`taskName, taskKind := sidecar("foo")`

client: enable nomad client to request and set SI tokens for tasks When a job is configured with Consul Connect aware tasks (i.e. sidecar), the Nomad Client should be able to request from Consul (through Nomad Server) Service Identity tokens specific to those tasks. 2019-11-27 21:41:45 +00:00			`h := newSIDSHook(sidsHookConfig{`
client: enable envoy bootstrap hook to set SI token When creating the envoy bootstrap configuration, we should append the "-token=<token>" argument in the case where the sidsHook placed the token in the secrets directory. 2019-12-18 16:23:16 +00:00			`task: &structs.Task{`
			`Name: taskName,`
			`Kind: taskKind,`
			`},`
client: enable nomad client to request and set SI tokens for tasks When a job is configured with Consul Connect aware tasks (i.e. sidecar), the Nomad Client should be able to request from Consul (through Nomad Server) Service Identity tokens specific to those tasks. 2019-11-27 21:41:45 +00:00			`logger: testlog.HCLogger(t),`
			`})`

			`token, err := h.recoverToken(secrets)`
			`r.NoError(err)`
			`r.Empty(token)`
			`}`

			`func TestSIDSHook_deriveSIToken(t *testing.T) {`
			`t.Parallel()`
			`r := require.New(t)`
client: set context timeout around SI token derivation The derivation of an SI token needs to be safegaurded by a context timeout, otherwise an unresponsive Consul could cause the siHook to block forever on Prestart. 2020-01-15 15:56:48 +00:00
client: enable nomad client to request and set SI tokens for tasks When a job is configured with Consul Connect aware tasks (i.e. sidecar), the Nomad Client should be able to request from Consul (through Nomad Server) Service Identity tokens specific to those tasks. 2019-11-27 21:41:45 +00:00			`secrets := tmpDir(t)`
			`defer cleanupDir(t, secrets)`

client: enable envoy bootstrap hook to set SI token When creating the envoy bootstrap configuration, we should append the "-token=<token>" argument in the case where the sidsHook placed the token in the secrets directory. 2019-12-18 16:23:16 +00:00			`taskName, taskKind := sidecar("task1")`

client: enable nomad client to request and set SI tokens for tasks When a job is configured with Consul Connect aware tasks (i.e. sidecar), the Nomad Client should be able to request from Consul (through Nomad Server) Service Identity tokens specific to those tasks. 2019-11-27 21:41:45 +00:00			`h := newSIDSHook(sidsHookConfig{`
client: enable envoy bootstrap hook to set SI token When creating the envoy bootstrap configuration, we should append the "-token=<token>" argument in the case where the sidsHook placed the token in the secrets directory. 2019-12-18 16:23:16 +00:00			`alloc: &structs.Allocation{ID: "a1"},`
			`task: &structs.Task{`
			`Name: taskName,`
			`Kind: taskKind,`
			`},`
client: enable nomad client to request and set SI tokens for tasks When a job is configured with Consul Connect aware tasks (i.e. sidecar), the Nomad Client should be able to request from Consul (through Nomad Server) Service Identity tokens specific to those tasks. 2019-11-27 21:41:45 +00:00			`logger: testlog.HCLogger(t),`
			`sidsClient: consul.NewMockServiceIdentitiesClient(),`
			`})`

			`ctx := context.Background()`
			`token, err := h.deriveSIToken(ctx)`
			`r.NoError(err)`
client: enable envoy bootstrap hook to set SI token When creating the envoy bootstrap configuration, we should append the "-token=<token>" argument in the case where the sidsHook placed the token in the secrets directory. 2019-12-18 16:23:16 +00:00			`r.True(helper.IsUUID(token), "token: %q", token)`
client: enable nomad client to request and set SI tokens for tasks When a job is configured with Consul Connect aware tasks (i.e. sidecar), the Nomad Client should be able to request from Consul (through Nomad Server) Service Identity tokens specific to those tasks. 2019-11-27 21:41:45 +00:00			`}`

client: set context timeout around SI token derivation The derivation of an SI token needs to be safegaurded by a context timeout, otherwise an unresponsive Consul could cause the siHook to block forever on Prestart. 2020-01-15 15:56:48 +00:00			`func TestSIDSHook_deriveSIToken_timeout(t *testing.T) {`
			`t.Parallel()`
			`r := require.New(t)`

			`secrets := tmpDir(t)`
			`defer cleanupDir(t, secrets)`

			`taskName, taskKind := sidecar("task1")`

			`siClient := consul.NewMockServiceIdentitiesClient()`
			`siClient.DeriveTokenFn = func(allocation *structs.Allocation, strings []string) (m map[string]string, err error) {`
			`select {`
			`// block forever, hopefully triggering a timeout in the caller`
			`}`
			`}`

			`h := newSIDSHook(sidsHookConfig{`
			`alloc: &structs.Allocation{ID: "a1"},`
			`task: &structs.Task{`
			`Name: taskName,`
			`Kind: taskKind,`
			`},`
			`logger: testlog.HCLogger(t),`
			`sidsClient: siClient,`
			`})`

			`// set the timeout to a really small value for testing`
			`h.derivationTimeout = time.Duration(1 * time.Millisecond)`

			`ctx := context.Background()`
			`_, err := h.deriveSIToken(ctx)`
			`r.EqualError(err, "context deadline exceeded")`
			`}`

client: enable nomad client to request and set SI tokens for tasks When a job is configured with Consul Connect aware tasks (i.e. sidecar), the Nomad Client should be able to request from Consul (through Nomad Server) Service Identity tokens specific to those tasks. 2019-11-27 21:41:45 +00:00			`func TestSIDSHook_computeBackoff(t *testing.T) {`
			`t.Parallel()`

			`try := func(i int, exp time.Duration) {`
			`result := computeBackoff(i)`
			`require.Equal(t, exp, result)`
			`}`

			`try(0, time.Duration(0))`
nomad: proxy requests for Service Identity tokens between Clients and Consul Nomad jobs may be configured with a TaskGroup which contains a Service definition that is Consul Connect enabled. These service definitions end up establishing a Consul Connect Proxy Task (e.g. envoy, by default). In the case where Consul ACLs are enabled, a Service Identity token is required for these tasks to run & connect, etc. This changeset enables the Nomad Server to recieve RPC requests for the derivation of SI tokens on behalf of instances of Consul Connect using Tasks. Those tokens are then relayed back to the requesting Client, which then injects the tokens in the secrets directory of the Task. 2019-12-06 20:46:46 +00:00			`try(1, 100*time.Millisecond)`
			`try(2, 10*time.Second)`
			`try(3, 15*time.Second)`
			`try(4, 20*time.Second)`
			`try(5, 25*time.Second)`
client: enable nomad client to request and set SI tokens for tasks When a job is configured with Consul Connect aware tasks (i.e. sidecar), the Nomad Client should be able to request from Consul (through Nomad Server) Service Identity tokens specific to those tasks. 2019-11-27 21:41:45 +00:00			`}`

			`func TestSIDSHook_backoff(t *testing.T) {`
			`t.Parallel()`
			`r := require.New(t)`

			`ctx := context.Background()`
			`stop := !backoff(ctx, 0)`
			`r.False(stop)`
			`}`

			`func TestSIDSHook_backoffKilled(t *testing.T) {`
			`t.Parallel()`
			`r := require.New(t)`

			`ctx, cancel := context.WithTimeout(context.Background(), 1)`
			`defer cancel()`

			`stop := !backoff(ctx, 1000)`
			`r.True(stop)`
			`}`