test: add E2E vaultcompat test for JWT auth flow (#18822)

Test the JWT auth flow using real Nomad and Vault agents.

testutil/server.go

@@ -27,6 +27,7 @@ import (
 	cleanhttp "github.com/hashicorp/go-cleanhttp"
 	"github.com/hashicorp/nomad/ci"
 	"github.com/hashicorp/nomad/helper/discover"
+	"github.com/hashicorp/nomad/helper/pointer"
 	testing "github.com/mitchellh/go-testing-interface"
 )
 
@@ -84,11 +85,14 @@ type ClientConfig struct {
 
 // VaultConfig is used to configure Vault
 type VaultConfig struct {
-	Enabled              bool   `json:"enabled"`
-	Address              string `json:"address"`
-	AllowUnauthenticated bool   `json:"allow_unauthenticated"`
-	Token                string `json:"token"`
-	Role                 string `json:"role"`
+	Name                 string                  `json:"name,omitempty"`
+	Enabled              bool                    `json:"enabled"`
+	Address              string                  `json:"address"`
+	AllowUnauthenticated *bool                   `json:"allow_unauthenticated,omitempty"`
+	Token                string                  `json:"token,omitemtpy"`
+	Role                 string                  `json:"role,omitempty"`
+	JWTAuthBackendPath   string                  `json:"jwt_auth_backend_path,omitempty"`
+	DefaultIdentity      *WorkloadIdentityConfig `json:"default_identity,omitempty"`
 }
 
 // ACLConfig is used to configure ACLs
@@ -97,6 +101,14 @@ type ACLConfig struct {
 	BootstrapToken string `json:"-"` // not in the real config
 }
 
+// WorkloadIdentityConfig is the configuration for default workload identities.
+type WorkloadIdentityConfig struct {
+	Audience []string `json:"aud"`
+	Env      bool     `json:"env"`
+	File     bool     `json:"file"`
+	TTL      string   `json:"ttl"`
+}
+
 // ServerConfigCallback is a function interface which can be
 // passed to NewTestServerConfig to modify the server config.
 type ServerConfigCallback func(c *TestServerConfig)
@@ -123,7 +135,7 @@ func defaultServerConfig() *TestServerConfig {
 		},
 		Vault: &VaultConfig{
 			Enabled:              false,
-			AllowUnauthenticated: true,
+			AllowUnauthenticated: pointer.Of(true),
 		},
 		ACL: &ACLConfig{
 			Enabled: false,

testutil/vault.go

@@ -10,6 +10,7 @@ import (
 	"os/exec"
 	"time"
 
+	"github.com/hashicorp/go-hclog"
 	"github.com/hashicorp/nomad/ci"
 	"github.com/hashicorp/nomad/helper/testlog"
 	"github.com/hashicorp/nomad/helper/useragent"
@@ -27,6 +28,10 @@ import (
 // and offers and easy API to tear itself down on test end. The only
 // prerequisite is that the Vault binary is on the $PATH.
 
+const (
+	envVaultLogLevel = "NOMAD_TEST_VAULT_LOG_LEVEL"
+)
+
 // TestVault wraps a test Vault server launched in dev mode, suitable for
 // testing.
 type TestVault struct {
@@ -48,13 +53,25 @@ func NewTestVaultFromPath(t testing.T, binary string) *TestVault {
 		t.Skipf("Skipping test %s, Vault binary %q not found in path.", t.Name(), binary)
 	}
 
+	// Define which log level to use. Default to the same as Nomad but allow a
+	// custom value for Vault. Since Vault doesn't support "off", cap it to
+	// "error".
+	logLevel := testlog.HCLoggerTestLevel().String()
+	if vaultLogLevel := os.Getenv(envVaultLogLevel); vaultLogLevel != "" {
+		logLevel = vaultLogLevel
+	}
+	if logLevel == hclog.Off.String() {
+		logLevel = hclog.Error.String()
+	}
+
 	port := ci.PortAllocator.Grab(1)[0]
 	token := uuid.Generate()
 	bind := fmt.Sprintf("-dev-listen-address=127.0.0.1:%d", port)
 	http := fmt.Sprintf("http://127.0.0.1:%d", port)
 	root := fmt.Sprintf("-dev-root-token-id=%s", token)
+	log := fmt.Sprintf("-log-level=%s", logLevel)
 
-	cmd := exec.Command(binary, "server", "-dev", bind, root)
+	cmd := exec.Command(binary, "server", "-dev", bind, root, log)
 	cmd.Stdout = testlog.NewWriter(t)
 	cmd.Stderr = testlog.NewWriter(t)