open-nomad/e2e/consulacls
Seth Hoenig f4a66ebd28 e2e: wait 2m rather than 10s after disabling consul acls
Pretty sure Consul / Nomad clients are often not ready yet after
the ConsulACLs test disables ACLs, by the time the next test starts
running.

Running locally things tend to work, but in TeamCity this seems to
be a recurring problem. However, when running locally sometimes I do
see that the "show status" step after disabling ACLs, some nodes are
still initializing, suggesting we're right on the border of not waiting
long enough

    nomad node status
    ID        DC   Name              Class   Drain  Eligibility  Status
    0e4dfce2  dc1  EC2AMAZ-JB3NF9P   <none>  false  eligible     ready
    6b90aa06  dc2  ip-172-31-16-225  <none>  false  eligible     ready
    7068558a  dc2  ip-172-31-20-143  <none>  false  eligible     ready
    e0ae3c5c  dc1  ip-172-31-25-165  <none>  false  eligible     ready
    15b59ed6  dc1  ip-172-31-23-199  <none>  false  eligible     initializing

Going to try waiting a full 2 minutes after disabling ACLs, hopefully that
will help things Just Work. In the future, we should probably be parsing the
output of the status checks and actually confirming all nodes are ready.

Even better, maybe that's something shipyard will have built-in.
2020-02-04 10:51:03 -06:00
..
acl-disable.hcl
acl-enable.hcl e2e: use hclfmt on consul acls policy config files 2020-01-31 19:05:59 -06:00
acl-pre-enable.hcl e2e: setup consul ACLs a little more correctly 2020-01-31 19:06:11 -06:00
consul-acls-manage.sh e2e: wait 2m rather than 10s after disabling consul acls 2020-02-04 10:51:03 -06:00
consul-client-default-token.hcl run "make hclfmt" 2020-02-03 12:15:53 -05:00
consul-client-policy.hcl e2e: setup consul ACLs a little more correctly 2020-01-31 19:06:11 -06:00
consul-server-policy.hcl e2e: setup consul ACLs a little more correctly 2020-01-31 19:06:11 -06:00
manage.go e2e: remove forgotten unused field from new struct 2020-01-31 19:05:41 -06:00
nomad-client-consul.hcl e2e: use hclfmt on consul acls policy config files 2020-01-31 19:05:59 -06:00
nomad-client-policy.hcl e2e: setup consul ACLs a little more correctly 2020-01-31 19:06:11 -06:00
nomad-server-consul.hcl e2e: use hclfmt on consul acls policy config files 2020-01-31 19:05:59 -06:00
nomad-server-policy.hcl e2e: setup consul ACLs a little more correctly 2020-01-31 19:06:11 -06:00
README.md e2e: use hclfmt on consul acls policy config files 2020-01-31 19:05:59 -06:00

Configure Consul ACLs

This directory contains a set of scripts for re-configuring Consul in the TF provisioned e2e environment to enable Consul ACLs.

Usage

The consul-acls-manage.sh script can be used to manipulate the Consul cluster to activate or de-activate Consul ACLs. There are 3 targets into the script, only 2 of which should be used from e2e framework tests. The script should be run from the e2e directory (i.e. the directory from wich the e2e framework also runs).

bootstrap

The command consul-acls-manage.sh bootstrap should NOT be used from e2e framework tests. It's merely a convenience entry-point for doing development / debugging on the script itself.

The bootstrap process will upload "reasonable" ACL policy files to Consul Servers, Consul Clients, Nomad Servers, and Nomad Clients.

The bootstrap process creates a file on local disk which contains the generated Consul ACL master token. The file is named based on the current TF state file serial number. /tmp/e2e-consul-bootstrap-<serial>.token

enable

The command consul-acls-manage.sh enable will enable Consul ACLs, going through the bootstrap process only if necessary. Whether the bootstrap process is necessary depends on the existence of a token file that matches the current TF state serial number. If no associated token file exists for the current TF state, the bootstrap process is required. Otherwise, the bootstrap process is skipped.

If the bootstrap process was not required (i.e. it already occurred and a Consul master token already exists for the current TF state), the script will activate ACLs in the Consul Server configurations and restart those agents. After using enable, the disable command can be used to turn Consul ACLs back off, without destroying any of the existing ACL configuration.

disable

The command consul-acls-manage.sh disable will disable Consul ACLs. This does not "cleanup" the policy files for Consul / Nomad agents, it merely deactivates ACLs in the Consul Server configurations and restarts those agents. After using disable, the enable command can be used to turn Consul ACLs back on, using the same ACL token(s) generated before.