client: split identity_hook across allocrunner and taskrunner (#18431)

This commit splits identity_hook between the allocrunner and taskrunner. The
allocrunner-level part of the hook signs each task identity, and the
taskrunner-level part picks it up and stores secrets for each task.

The code revamps the WIDMgr, which is now split into 2 interfaces:
IdentityManager, which manages renewals of signatures and handles sending
updates to subscribers via the Watch method, and IdentitySigner, which only does
the signing.

This work is necessary for having a unified Consul login workflow that comes
with the new Consul integration. A new, allocrunner-level consul_hook will now
be the only hook doing Consul authentication.
Piotr Kazmierczak
2023-09-21 17:31:27 +02:00
committed by GitHub
parent cf8dde0850
commit 86d2cdcf80
17 changed files with 829 additions and 409 deletions


@@ -30,6 +30,7 @@ import (
cstate "github.com/hashicorp/nomad/client/state"
ctestutil "github.com/hashicorp/nomad/client/testutil"
"github.com/hashicorp/nomad/client/vaultclient"
"github.com/hashicorp/nomad/client/widmgr"
agentconsul "github.com/hashicorp/nomad/command/agent/consul"
mockdriver "github.com/hashicorp/nomad/drivers/mock"
"github.com/hashicorp/nomad/drivers/rawexec"
@@ -116,6 +117,9 @@ func testTaskRunnerConfig(t *testing.T, alloc *structs.Allocation, taskName stri
nomadRegMock := regMock.NewServiceRegistrationHandler(logger)
wrapperMock := wrapper.NewHandlerWrapper(logger, consulRegMock, nomadRegMock)
task := alloc.LookupTask(taskName)
widsigner := widmgr.NewMockWIDSigner(task.Identities)
var vaultFunc vaultclient.VaultClientFunc
if vault != nil {
vaultFunc = func(_ string) (vaultclient.VaultClient, error) { return vault, nil }
@@ -141,7 +145,7 @@ func testTaskRunnerConfig(t *testing.T, alloc *structs.Allocation, taskName stri
ServiceRegWrapper: wrapperMock,
Getter: getter.TestSandbox(t),
Wranglers: proclib.MockWranglers(t),
WIDMgr: NewMockWIDMgr(nil),
WIDMgr: widmgr.NewWIDMgr(widsigner, alloc, logger),
}
return conf, trCleanup
@@ -153,6 +157,13 @@ func testTaskRunnerConfig(t *testing.T, alloc *structs.Allocation, taskName stri
func runTestTaskRunner(t *testing.T, alloc *structs.Allocation, taskName string) (*TaskRunner, *Config, func()) {
config, cleanup := testTaskRunnerConfig(t, alloc, taskName, nil)
// This is usually handled by the identity hook in the alloc runner, so it
// must be called manually when testing a task runner in isolation.
if config.WIDMgr != nil {
err := config.WIDMgr.Run()
must.NoError(t, err)
}
tr, err := NewTaskRunner(config)
require.NoError(t, err)
go tr.Run()