wip test share_tls and override

hashicorp · Jun 8, 2020 · fb4fc0e · fb4fc0e
1 parent b5cc938
commit fb4fc0e
Showing 1 changed file with 177 additions and 2 deletions.
diff --git a/client/allocrunner/taskrunner/connect_native_hook_test.go b/client/allocrunner/taskrunner/connect_native_hook_test.go
@@ -11,8 +11,10 @@ import (
 	consultest "github.com/hashicorp/consul/sdk/testutil"
 	"github.com/hashicorp/nomad/client/allocdir"
 	"github.com/hashicorp/nomad/client/allocrunner/interfaces"
+	"github.com/hashicorp/nomad/client/taskenv"
 	"github.com/hashicorp/nomad/client/testutil"
 	agentconsul "github.com/hashicorp/nomad/command/agent/consul"
+	"github.com/hashicorp/nomad/helper"
 	"github.com/hashicorp/nomad/helper/testlog"
 	"github.com/hashicorp/nomad/helper/uuid"
 	"github.com/hashicorp/nomad/nomad/mock"
@@ -23,8 +25,7 @@ import (
 
 func getTestConsul(t *testing.T) *consultest.TestServer {
 	testConsul, err := consultest.NewTestServerConfig(func(c *consultest.TestServerConfig) {
-		// if -v was not specified squelch consul logging
-		if !testing.Verbose() {
+		if !testing.Verbose() { // disable consul logging if -v not set
 			c.Stdout = ioutil.Discard
 			c.Stderr = ioutil.Discard
 		}
@@ -326,3 +327,177 @@ func TestTaskRunner_ConnectNativeHook_with_SI_token(t *testing.T) {
 	require.NoError(t, err)
 	require.Equal(t, 1, len(ls))
 }
+
+func TestTaskRunner_ConnectNativeHook_shareTLS(t *testing.T) {
+	t.Parallel()
+	testutil.RequireConsul(t)
+
+	fakeCert, fakeCertDir := setupCertDirs(t)
+	defer cleanupCertDirs(t, fakeCert, fakeCertDir)
+
+	testConsul := getTestConsul(t)
+	defer testConsul.Stop()
+
+	alloc := mock.Alloc()
+	alloc.AllocatedResources.Shared.Networks = []*structs.NetworkResource{{Mode: "host", IP: "1.1.1.1"}}
+	tg := alloc.Job.TaskGroups[0]
+	tg.Services = []*structs.Service{{
+		Name: "cn-service",
+		Connect: &structs.ConsulConnect{
+			Native: tg.Tasks[0].Name,
+		}},
+	}
+	tg.Tasks[0].Kind = structs.NewTaskKind("connect-native", "cn-service")
+
+	logger := testlog.HCLogger(t)
+
+	allocDir, cleanup := allocdir.TestAllocDir(t, logger, "ConnectNative")
+	defer cleanup()
+
+	// register group services
+	consulConfig := consulapi.DefaultConfig()
+	consulConfig.Address = testConsul.HTTPAddr
+	consulAPIClient, err := consulapi.NewClient(consulConfig)
+	require.NoError(t, err)
+
+	consulClient := agentconsul.NewServiceClient(consulAPIClient.Agent(), logger, true)
+	go consulClient.Run()
+	defer consulClient.Shutdown()
+	require.NoError(t, consulClient.RegisterWorkload(agentconsul.BuildAllocServices(mock.Node(), alloc, agentconsul.NoopRestarter())))
+
+	// Run Connect Native hook
+	h := newConnectNativeHook(newConnectNativeHookConfig(alloc, &config.ConsulConfig{
+		Addr: consulConfig.Address,
+
+		// TLS config consumed by native application
+		ShareSSL:  helper.BoolToPtr(true),
+		EnableSSL: helper.BoolToPtr(true),
+		VerifySSL: helper.BoolToPtr(true),
+		CAFile:    fakeCert,
+		CertFile:  fakeCert,
+		KeyFile:   fakeCert,
+		Auth:      "user:password",
+	}, logger))
+	request := &interfaces.TaskPrestartRequest{
+		Task:    tg.Tasks[0],
+		TaskDir: allocDir.NewTaskDir(tg.Tasks[0].Name),
+		TaskEnv: taskenv.NewEmptyTaskEnv(), // nothing set in env stanza
+	}
+	require.NoError(t, request.TaskDir.Build(false, nil))
+
+	response := new(interfaces.TaskPrestartResponse)
+	response.Env = make(map[string]string)
+
+	// Run the Connect Native hook
+	require.NoError(t, h.Prestart(context.Background(), request, response))
+
+	// Assert the hook is Done
+	require.True(t, response.Done)
+
+	// Assert environment variable for token is set
+	require.NotEmpty(t, response.Env)
+	require.Equal(t, map[string]string{
+		"CONSUL_CACERT":          "/secrets/consul_ca_file",
+		"CONSUL_CLIENT_CERT":     "/secrets/consul_cert_file",
+		"CONSUL_CLIENT_KEY":      "/secrets/consul_key_file",
+		"CONSUL_HTTP_AUTH":       "user:password",
+		"CONSUL_HTTP_SSL":        "true",
+		"CONSUL_HTTP_SSL_VERIFY": "true",
+	}, response.Env)
+
+	// Assert 3 pem files were written
+	ls, err := ioutil.ReadDir(request.TaskDir.SecretsDir)
+	require.NoError(t, err)
+	require.Equal(t, 3, len(ls))
+}
+
+func TestTaskRunner_ConnectNativeHook_shareTLS_override(t *testing.T) {
+	t.Parallel()
+	testutil.RequireConsul(t)
+
+	fakeCert, fakeCertDir := setupCertDirs(t)
+	defer cleanupCertDirs(t, fakeCert, fakeCertDir)
+
+	testConsul := getTestConsul(t)
+	defer testConsul.Stop()
+
+	alloc := mock.Alloc()
+	alloc.AllocatedResources.Shared.Networks = []*structs.NetworkResource{{Mode: "host", IP: "1.1.1.1"}}
+	tg := alloc.Job.TaskGroups[0]
+	tg.Services = []*structs.Service{{
+		Name: "cn-service",
+		Connect: &structs.ConsulConnect{
+			Native: tg.Tasks[0].Name,
+		}},
+	}
+	tg.Tasks[0].Kind = structs.NewTaskKind("connect-native", "cn-service")
+
+	logger := testlog.HCLogger(t)
+
+	allocDir, cleanup := allocdir.TestAllocDir(t, logger, "ConnectNative")
+	defer cleanup()
+
+	// register group services
+	consulConfig := consulapi.DefaultConfig()
+	consulConfig.Address = testConsul.HTTPAddr
+	consulAPIClient, err := consulapi.NewClient(consulConfig)
+	require.NoError(t, err)
+
+	consulClient := agentconsul.NewServiceClient(consulAPIClient.Agent(), logger, true)
+	go consulClient.Run()
+	defer consulClient.Shutdown()
+	require.NoError(t, consulClient.RegisterWorkload(agentconsul.BuildAllocServices(mock.Node(), alloc, agentconsul.NoopRestarter())))
+
+	// Run Connect Native hook
+	h := newConnectNativeHook(newConnectNativeHookConfig(alloc, &config.ConsulConfig{
+		Addr: consulConfig.Address,
+
+		// TLS config consumed by native application
+		ShareSSL:  helper.BoolToPtr(true),
+		EnableSSL: helper.BoolToPtr(true),
+		VerifySSL: helper.BoolToPtr(true),
+		CAFile:    fakeCert,
+		CertFile:  fakeCert,
+		KeyFile:   fakeCert,
+		Auth:      "user:password",
+	}, logger))
+
+	taskEnv := taskenv.NewEmptyTaskEnv()
+	taskEnv.EnvMap = map[string]string{
+		"CONSUL_CACERT":          "/foo/ca.pem",
+		"CONSUL_CLIENT_CERT":     "/foo/cert.pem",
+		"CONSUL_CLIENT_KEY":      "/foo/key.pem",
+		"CONSUL_HTTP_AUTH":       "foo:bar",
+		"CONSUL_HTTP_SSL_VERIFY": "false",
+		// CONSUL_HTTP_SSL (check the default value is assumed from client config)
+	}
+
+	request := &interfaces.TaskPrestartRequest{
+		Task:    tg.Tasks[0],
+		TaskDir: allocDir.NewTaskDir(tg.Tasks[0].Name),
+		TaskEnv: taskEnv, // env stanza is configured w/ non-default tls configs
+	}
+	require.NoError(t, request.TaskDir.Build(false, nil))
+
+	response := new(interfaces.TaskPrestartResponse)
+	response.Env = make(map[string]string)
+
+	// Run the Connect Native hook
+	require.NoError(t, h.Prestart(context.Background(), request, response))
+
+	// Assert the hook is Done
+	require.True(t, response.Done)
+
+	// Assert environment variable for CONSUL_HTTP_SSL is set, because it was
+	// the only one not overridden by task env stanza config
+	require.NotEmpty(t, response.Env)
+	require.Equal(t, map[string]string{
+		"CONSUL_HTTP_SSL": "true",
+	}, response.Env)
+
+	// Assert 3 pem files were written (even though they will be ignored)
+	// as this is gated by share_tls, not the presense of ca environment variables.
+	ls, err := ioutil.ReadDir(request.TaskDir.SecretsDir)
+	require.NoError(t, err)
+	require.Equal(t, 3, len(ls))
+}