e2e: create consul policies and roles in respective namespaces (#25546)

2026-01-01 16:05:42 +03:00 · 2025-03-28 13:52:49 -04:00
parent 37af365cf3
commit 8e3625a716
2 changed files with 30 additions and 0 deletions
--- a/e2e/consul/namespaces.go
+++ b/e2e/consul/namespaces.go
@@ -78,6 +78,16 @@ func (tc *ConsulNamespacesE2ETest) BeforeAll(f *framework.F) {
 	// create a set of consul namespaces in which to register services
 	e2eutil.CreateConsulNamespaces(f.T(), tc.Consul(), consulNamespaces)

+	// Create a nomad task policy and role with that policy in each namespace.
+	// They will be deleted when their associated namespaces are deleted.
+	for _, n := range consulNamespaces {
+		policyID := e2eutil.CreateConsulPolicy(f.T(), tc.Consul(), n, e2eutil.ConsulPolicy{
+			Name:  "policy-nomad-tasks",
+			Rules: `service_prefix "" {policy="read"} key_prefix "" {policy="read"}`,
+		})
+		e2eutil.CreateConsulRole(f.T(), tc.Consul(), "nomad-default-tasks", n, policyID)
+	}
+
 	// insert a key of the same name into KV for each namespace, where the value
 	// contains the namespace name making it easy to determine which namespace
 	// consul template actually accessed
--- a/e2e/e2eutil/consul.go
+++ b/e2e/e2eutil/consul.go
@@ -11,6 +11,7 @@ import (
 	capi "github.com/hashicorp/consul/api"
 	"github.com/hashicorp/nomad/testutil"
 	"github.com/kr/pretty"
+	"github.com/shoenig/test/must"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )
@@ -199,6 +200,25 @@ func DeleteConsulPolicies(t *testing.T, client *capi.Client, policies map[string
 	}
 }

+// CreateConsulRole is used to create a Consul ACL role with capabilities from the given policy
+// in the specified namespace.
+//
+// Requires Consul Enterprise.
+func CreateConsulRole(t *testing.T, client *capi.Client, name string, namespace string, policyID string) {
+	aclClient := client.ACL()
+
+	opts := &capi.WriteOptions{Namespace: namespace}
+	role := &capi.ACLRole{
+		Name:        name,
+		Description: "role for nomad tasks",
+		Policies: []*capi.ACLLink{{
+			ID: policyID,
+		}},
+	}
+	_, _, err := aclClient.RoleCreate(role, opts)
+	must.NoError(t, err)
+}
+
 // CreateConsulToken is used to create a Consul ACL token backed by the policy of
 // the given policyID in the specified namespace.
 //