From 4b0903789eec226f6c94e754e58ae5388482343c Mon Sep 17 00:00:00 2001 From: Juanadelacuesta <8647634+Juanadelacuesta@users.noreply.github.com> Date: Fri, 14 Mar 2025 16:35:35 +0100 Subject: [PATCH] func: add check script for vault workload --- e2e/terraform/hcp-vault-auth/main.tf | 6 +-- enos/enos-scenario-upgrade.hcl | 14 +++---- enos/modules/run_workloads/main.tf | 8 ++++ .../run_workloads/scripts/populates_secret.sh | 6 ++- .../vault-secrets.nomad.hcl.tpl} | 37 +++++++++++-------- 5 files changed, 44 insertions(+), 27 deletions(-) rename enos/modules/run_workloads/{jobs/vault-secrets.nomad.hcl => templates/vault-secrets.nomad.hcl.tpl} (58%) diff --git a/e2e/terraform/hcp-vault-auth/main.tf b/e2e/terraform/hcp-vault-auth/main.tf index 1449caa4d..5eef40902 100644 --- a/e2e/terraform/hcp-vault-auth/main.tf +++ b/e2e/terraform/hcp-vault-auth/main.tf @@ -50,11 +50,11 @@ EOM } output "vault_token" { - sensitive = true - value = hcp_vault_cluster_admin_token.admin.token + sensitive = true + value = hcp_vault_cluster_admin_token.admin.token } output "vault_addr" { - value = data.hcp_vault_cluster.e2e_shared_vault.vault_public_endpoint_url + value = data.hcp_vault_cluster.e2e_shared_vault.vault_public_endpoint_url } diff --git a/enos/enos-scenario-upgrade.hcl b/enos/enos-scenario-upgrade.hcl index 0e98ff582..8101bb8bf 100644 --- a/enos/enos-scenario-upgrade.hcl +++ b/enos/enos-scenario-upgrade.hcl @@ -119,7 +119,7 @@ scenario "upgrade" { } step "get_vault_env" { - + description = <<-EOF Get the HCP vault address and token EOF 
@@ -147,7 +147,7 @@ scenario "upgrade" { vault_token = step.get_vault_env.vault_token vault_addr = step.get_vault_env.vault_addr // The provision_cluster module enables a kv v2 secrets engine using the cluster name as path. - vault_mount_path = step.provision_cluster.cluster_unique_identifier + vault_mount_path = step.provision_cluster.cluster_unique_identifier workloads = { service_raw_exec = { job_spec = "jobs/raw-exec-service.nomad.hcl", alloc_count = 3, type = "service" } @@ -197,10 +197,10 @@ scenario "upgrade" { } gets_secret = { - job_spec = "jobs/vault-secrets.nomad.hcl", + job_spec = "jobs/vault-secrets.nomad.hcl", alloc_count = 3, - type = "service", - pre_script = "scripts/populate_secret.sh" + type = "service", + pre_script = "scripts/populates_secret.sh" } } } @@ -247,7 +247,7 @@ scenario "upgrade" { ] } - /* step "fetch_upgrade_binary" { + step "fetch_upgrade_binary" { depends_on = [step.provision_cluster, step.workloads_test_cluster_health] description = <<-EOF @@ -548,7 +548,7 @@ scenario "upgrade" { quality.nomad_allocs_status, quality.nomad_reschedule_alloc, ] - } */ + } output "servers" { value = step.provision_cluster.servers diff --git a/enos/modules/run_workloads/main.tf b/enos/modules/run_workloads/main.tf index 42d633a41..cb65b0ad9 100644 --- a/enos/modules/run_workloads/main.tf +++ b/enos/modules/run_workloads/main.tf @@ -61,10 +61,18 @@ resource "enos_local_exec" "get_allocs" { inline = ["nomad alloc status -json | jq '[.[] | select(.ClientStatus == \"running\")] | length'"] } +resource "local_file" "vault_workload" { + filename = "${path.module}/jobs/vault-secrets.nomad.hcl" + content = templatefile("${path.module}/templates/vault-secrets.nomad.hcl.tpl", { + secret_path = "${var.vault_mount_path}/default/get-secret" + }) +} + resource "enos_local_exec" "workloads" { depends_on = [ enos_local_exec.get_jobs, enos_local_exec.get_allocs, + local_file.vault_workload ] for_each = var.workloads 
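Review bot: The `gets_secret` entry in the @@ -197 hunk still names `job_spec = "jobs/vault-secrets.nomad.hcl"`, but after this commit that file is no longer checked in — it is rendered at apply time from `templates/vault-secrets.nomad.hcl.tpl` by the `local_file.vault_workload` resource in `run_workloads/main.tf`, which nothing in the scenario file says. Sitting next to the other, checked-in job specs the path reads as one of them, so a one-line comment on that entry would help, e.g. `# rendered by run_workloads from templates/vault-secrets.nomad.hcl.tpl at apply time`. Whether the workload step resolves `job_spec` relative to the module directory where `local_file` writes it cannot be confirmed from these hunks; worth checking once, since a generated file is easy to miss on a fresh checkout.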
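Review bot: `local_file.vault_workload` in the @@ -61 hunk writes the rendered job spec without a `file_permission`, and the hashicorp/local provider defaults that to `0777`, so the generated `jobs/vault-secrets.nomad.hcl` lands in the module source tree world-writable; `file_permission = "0644"` keeps it readable by the nomad CLI while no longer writable by every local user. The `"${var.vault_mount_path}/default/get-secret"` path is also assembled independently in `scripts/populates_secret.sh` (as `$VAULT_PATH/default/get-secret`), so the two copies can drift apart silently; if the pre_script mechanism passes environment through (not visible here), handing the rendered `secret_path` to the script would remove the duplicate, and failing that a comment on `secret_path` naming the script as the other copy would at least tie them together. Writing generated output into `${path.module}/jobs/` beside the checked-in specs also deserves a short comment on the resource saying the file is a build artifact.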
diff --git a/enos/modules/run_workloads/scripts/populates_secret.sh b/enos/modules/run_workloads/scripts/populates_secret.sh
index a4ffdb74d..bb4e44834 100755
--- a/enos/modules/run_workloads/scripts/populates_secret.sh
+++ b/enos/modules/run_workloads/scripts/populates_secret.sh
@@ -4,4 +4,8 @@
 
 set -euo pipefail
 
-vault kv put "$VAULT_PATH/default/get-secret" username="admin" password="supersecret"
+# Path enabled by the provision_cluster module:
+# https://github.com/hashicorp/nomad/e2e/terraform/provision-infra/hcp_vault.tf
+secret_path="$VAULT_PATH/default/get-secret"
+
+vault kv put "$secret_path" username="admin" password="supersecret"
diff --git a/enos/modules/run_workloads/jobs/vault-secrets.nomad.hcl b/enos/modules/run_workloads/templates/vault-secrets.nomad.hcl.tpl
similarity index 58%
rename from enos/modules/run_workloads/jobs/vault-secrets.nomad.hcl
rename to enos/modules/run_workloads/templates/vault-secrets.nomad.hcl.tpl
index ad392af0e..9115bdf02 100644
--- a/enos/modules/run_workloads/jobs/vault-secrets.nomad.hcl
+++ b/enos/modules/run_workloads/templates/vault-secrets.nomad.hcl.tpl
@@ -9,6 +9,13 @@ job "get-secret" {
   group "group" {
     count = var.alloc_count
 
+    restart {
+      interval         = "5s"
+      delay            = "1s"
+      mode             = "delay"
+      render_templates = true
+    }
+
     network {
       port "web" {
         to = 8001
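Review bot: The link in the new comment, `https://github.com/hashicorp/nomad/e2e/terraform/provision-infra/hcp_vault.tf`, lacks the `blob/<branch>/` segment GitHub needs, so it resolves to a 404 instead of the file it is meant to cite; either write the repo-relative path `e2e/terraform/provision-infra/hcp_vault.tf` or the full `https://github.com/hashicorp/nomad/blob/main/e2e/terraform/provision-infra/hcp_vault.tf`. The `username=`/`password=` pairs are still passed as command-line arguments, which leaves them visible to any process listing on the host for the duration of the call; for a fixed e2e fixture that is tolerable, but the `password=-` form with the value piped on stdin avoids it at no cost. The script also depends on `VAULT_PATH` being exported by the caller (`set -u` aborts otherwise), which a one-line comment above `secret_path=` could state, e.g. `# VAULT_PATH: kv v2 mount created by provision_cluster; required`.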
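Review bot: The new `restart` block in the template's @@ -9 hunk sets `render_templates = true` with a 5s interval and `mode = "delay"` but carries no explanation and leaves `attempts` at Nomad's default, so the restart budget per window has to be looked up rather than read from the spec. A short comment above the block would spare the next reader the guesswork, e.g. `# re-render the Vault template on each restart so the task sees the current secret value; short interval keeps the upgrade test moving` — phrased as the presumed intent, since how the test consumes the secret is not visible in this hunk. Stating `attempts` explicitly alongside `interval` would make the policy self-describing.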
@@ -17,44 +24,42 @@ job "get-secret" { service { provider = "consul" - name = "writes-vars-checker" + name = "get-secret" port = "web" - task = "task" + task = "read-secrets" - /* check { - type = "script" + check { interval = "10s" timeout = "1s" - command = "/bin/sh" - args = ["/local/read-script.sh"] - # this check will read from the Task API, so we need to ensure that we - # can tolerate the listener going away during client upgrades - check_restart { - limit = 10 - } - } */ + type = "script" + command = "/bin/bash" + args = ["-c", "test -f local/config.json"] + + } } task "read-secrets" { driver = "raw_exec" - config { + config { command = "/bin/bash" - args = ["-c", "cat local/config.json && sleep 30"] + args = ["-c", "while true; do cat local/config.json; sleep 1; done"] } vault {} template { destination = "local/config.json" - change_mode = "restart" + change_mode = "signal" + change_signal = "SIGHUP" data = <