task: adds ability to interpret values from secrets hook (#26261)

2026-01-06 10:25:42 +03:00 · 2025-07-14 12:54:05 -04:00
parent 2d0ce43c47
commit 85a2875183
8 changed files with 74 additions and 43 deletions
--- a/client/allocrunner/taskrunner/artifact_hook_test.go
+++ b/client/allocrunner/taskrunner/artifact_hook_test.go
@@ -88,7 +88,7 @@ func TestTaskRunner_ArtifactHook_PartialDone(t *testing.T) {
 	_, destdir := getter.SetupDir(t)

 	req := &interfaces.TaskPrestartRequest{
-		TaskEnv: taskenv.NewTaskEnv(nil, nil, nil, nil, destdir, ""),
+		TaskEnv: taskenv.NewTaskEnv(nil, nil, nil, nil, nil, destdir, ""),
 		TaskDir: &allocdir.TaskDir{Dir: destdir},
 		Task: &structs.Task{
 			Artifacts: []*structs.TaskArtifact{
@@ -180,7 +180,7 @@ func TestTaskRunner_ArtifactHook_ConcurrentDownloadSuccess(t *testing.T) {
 	_, destdir := getter.SetupDir(t)

 	req := &interfaces.TaskPrestartRequest{
-		TaskEnv: taskenv.NewTaskEnv(nil, nil, nil, nil, destdir, ""),
+		TaskEnv: taskenv.NewTaskEnv(nil, nil, nil, nil, nil, destdir, ""),
 		TaskDir: &allocdir.TaskDir{Dir: destdir},
 		Task: &structs.Task{
 			Artifacts: []*structs.TaskArtifact{
@@ -271,7 +271,7 @@ func TestTaskRunner_ArtifactHook_ConcurrentDownloadFailure(t *testing.T) {
 	_, destdir := getter.SetupDir(t)

 	req := &interfaces.TaskPrestartRequest{
-		TaskEnv: taskenv.NewTaskEnv(nil, nil, nil, nil, destdir, ""),
+		TaskEnv: taskenv.NewTaskEnv(nil, nil, nil, nil, nil, destdir, ""),
 		TaskDir: &allocdir.TaskDir{Dir: destdir},
 		Task: &structs.Task{
 			Artifacts: []*structs.TaskArtifact{
--- a/client/allocrunner/taskrunner/envoy_version_hook_test.go
+++ b/client/allocrunner/taskrunner/envoy_version_hook_test.go
@@ -26,7 +26,7 @@ var (
 	taskEnvDefault = taskenv.NewTaskEnv(nil, nil, nil, map[string]string{
 		"meta.connect.sidecar_image": envoy.ImageFormat,
 		"meta.connect.gateway_image": envoy.ImageFormat,
-	}, "", "")
+	}, nil, "", "")
 )

 func TestEnvoyVersionHook_semver(t *testing.T) {
@@ -147,7 +147,7 @@ func TestEnvoyVersionHook_interpolateImage(t *testing.T) {
 			"MY_ENVOY": "my/envoy",
 		}, map[string]string{
 			"MY_ENVOY": "my/envoy",
-		}, nil, nil, "", ""))
+		}, nil, nil, nil, "", ""))
 		must.Eq(t, "my/envoy", task.Config["image"])
 	})

--- a/client/allocrunner/taskrunner/secrets_hook.go
+++ b/client/allocrunner/taskrunner/secrets_hook.go
@@ -6,7 +6,6 @@ package taskrunner
 import (
 	"context"
 	"fmt"
-	"maps"
 	"path/filepath"

 	log "github.com/hashicorp/go-hclog"
@@ -73,9 +72,6 @@ type secretsHook struct {

 	// secrets to be fetched and populated for interpolation
 	secrets []*structs.Secret
-
-	// taskrunner secrets map
-	taskSecrets map[string]string
 }

 func newSecretsHook(conf *secretsHookConfig, secrets []*structs.Secret) *secretsHook {
@@ -87,9 +83,6 @@ func newSecretsHook(conf *secretsHookConfig, secrets []*structs.Secret) *secrets
 		envBuilder:     conf.envBuilder,
 		nomadNamespace: conf.nomadNamespace,
 		secrets:        secrets,
-		// Future work will inject taskSecrets from the taskRunner, so that the taskrunner
-		// can make these secrets available to other hooks.
-		taskSecrets: make(map[string]string),
 	}
 }

@@ -146,13 +139,13 @@ func (h *secretsHook) Prestart(ctx context.Context, req *interfaces.TaskPrestart
 	case <-unblock:
 	}

-	// parse and copy variables to taskSecrets
+	// parse and copy variables to envBuilder secrets
 	for _, p := range providers {
 		vars, err := p.Parse()
 		if err != nil {
 			return err
 		}
-		maps.Copy(h.taskSecrets, vars)
+		h.envBuilder.SetSecrets(vars)
 	}

 	return nil
--- a/client/allocrunner/taskrunner/secrets_hook_test.go
+++ b/client/allocrunner/taskrunner/secrets_hook_test.go
@@ -66,12 +66,13 @@ func TestSecretsHook_Prestart_Nomad(t *testing.T) {
 		alloc := mock.MinAlloc()
 		task := alloc.Job.TaskGroups[0].Tasks[0]

+		taskEnv := taskenv.NewBuilder(mock.Node(), alloc, task, clientConfig.Region)
 		conf := &secretsHookConfig{
 			logger:       testlog.HCLogger(t),
 			lifecycle:    trtesting.NewMockTaskHooks(),
 			events:       &trtesting.MockEmitter{},
 			clientConfig: clientConfig,
-			envBuilder:   taskenv.NewBuilder(mock.Node(), alloc, task, clientConfig.Region),
+			envBuilder:   taskEnv,
 		}
 		secretHook := newSecretsHook(conf, []*structs.Secret{
 			{
@@ -100,7 +101,7 @@ func TestSecretsHook_Prestart_Nomad(t *testing.T) {
 			"secret.test_secret.key1": "value1",
 			"secret.test_secret.key2": "value2",
 		}
-		must.Eq(t, expected, secretHook.taskSecrets)
+		must.Eq(t, expected, taskEnv.Build().TaskSecrets)
 	})

 	t.Run("returns early if context is cancelled", func(t *testing.T) {
@@ -140,13 +141,13 @@ func TestSecretsHook_Prestart_Nomad(t *testing.T) {
 		alloc := mock.MinAlloc()
 		task := alloc.Job.TaskGroups[0].Tasks[0]

+		taskEnv := taskenv.NewBuilder(mock.Node(), alloc, task, clientConfig.Region)
 		conf := &secretsHookConfig{
-
 			logger:       testlog.HCLogger(t),
 			lifecycle:    trtesting.NewMockTaskHooks(),
 			events:       &trtesting.MockEmitter{},
 			clientConfig: clientConfig,
-			envBuilder:   taskenv.NewBuilder(mock.Node(), alloc, task, clientConfig.Region),
+			envBuilder:   taskEnv,
 		}
 		secretHook := newSecretsHook(conf, []*structs.Secret{
 			{
@@ -172,7 +173,7 @@ func TestSecretsHook_Prestart_Nomad(t *testing.T) {
 		must.NoError(t, err)

 		expected := map[string]string{}
-		must.Eq(t, expected, secretHook.taskSecrets)
+		must.Eq(t, expected, taskEnv.Build().TaskSecrets)
 	})

 	t.Run("errors when failure building secret providers", func(t *testing.T) {
@@ -182,13 +183,13 @@ func TestSecretsHook_Prestart_Nomad(t *testing.T) {
 		alloc := mock.MinAlloc()
 		task := alloc.Job.TaskGroups[0].Tasks[0]

+		taskEnv := taskenv.NewBuilder(mock.Node(), alloc, task, clientConfig.Region)
 		conf := &secretsHookConfig{
-
 			logger:       testlog.HCLogger(t),
 			lifecycle:    trtesting.NewMockTaskHooks(),
 			events:       &trtesting.MockEmitter{},
 			clientConfig: clientConfig,
-			envBuilder:   taskenv.NewBuilder(mock.Node(), alloc, task, clientConfig.Region),
+			envBuilder:   taskEnv,
 		}

 		// give an invalid secret, in this case a nomad secret with bad namespace
@@ -214,7 +215,7 @@ func TestSecretsHook_Prestart_Nomad(t *testing.T) {
 		must.Error(t, err)

 		expected := map[string]string{}
-		must.Eq(t, expected, secretHook.taskSecrets)
+		must.Eq(t, expected, taskEnv.Build().TaskSecrets)
 	})
 }

@@ -259,14 +260,13 @@ func TestSecretsHook_Prestart_Vault(t *testing.T) {
 	alloc := mock.MinAlloc()
 	task := alloc.Job.TaskGroups[0].Tasks[0]

+	taskEnv := taskenv.NewBuilder(mock.Node(), alloc, task, clientConfig.Region)
 	conf := &secretsHookConfig{
-
-		// alloc:        alloc,
 		logger:       testlog.HCLogger(t),
 		lifecycle:    trtesting.NewMockTaskHooks(),
 		events:       &trtesting.MockEmitter{},
 		clientConfig: clientConfig,
-		envBuilder:   taskenv.NewBuilder(mock.Node(), alloc, task, clientConfig.Region),
+		envBuilder:   taskEnv,
 	}
 	secretHook := newSecretsHook(conf, []*structs.Secret{
 		{
@@ -296,5 +296,5 @@ func TestSecretsHook_Prestart_Vault(t *testing.T) {
 		"secret.test_secret.secret": "secret",
 	}

-	must.Eq(t, exp, secretHook.taskSecrets)
+	must.Eq(t, exp, taskEnv.Build().TaskSecrets)
 }
--- a/client/allocrunner/taskrunner/template/template_test.go
+++ b/client/allocrunner/taskrunner/template/template_test.go
@@ -1699,6 +1699,7 @@ func TestTaskTemplateManager_Env_InterpolatedDest(t *testing.T) {
 		map[string]string{"NOMAD_META_path": "exists"},
 		map[string]string{},
 		map[string]string{},
+		map[string]string{},
 		d, "")

 	vars, err := loadTemplateEnv(templates, taskEnv)