diff --git a/e2e/consulacls/README.md b/e2e/consulacls/README.md
deleted file mode 100644
index 772261b85..000000000
--- a/e2e/consulacls/README.md
+++ /dev/null
@@ -1,46 +0,0 @@
-# Configure Consul ACLs
-
-This directory contains a set of scripts for re-configuring Consul in the TF
-provisioned e2e environment to enable Consul ACLs.
-
-## Usage
-
-The `consul-acls-manage.sh` script can be used to manipulate the Consul cluster
-to activate or de-activate Consul ACLs. There are 3 targets into the script, only
-2 of which should be used from e2e framework tests. The script should be run from
-the e2e directory (i.e. the directory from wich the e2e framework also runs).
-
-### bootstrap
-
-The command `consul-acls-manage.sh bootstrap` should *NOT* be used from e2e
-framework tests. It's merely a convenience entry-point for doing development /
-debugging on the script itself.
-
-The bootstrap process will upload "reasonable" ACL policy files to Consul Servers,
-Consul Clients, Nomad Servers, and Nomad Clients.
-
-The bootstrap process creates a file on local disk which contains the generated
-Consul ACL master token. The file is named based on the current TF state file
-serial number. `/tmp/e2e-consul-bootstrap-.token`
-
-### enable
-
-The command `consul-acls-manage.sh enable` will enable Consul ACLs, going through
-the bootstrap process only if necessary. Whether the bootstrap process is necessary
-depends on the existence of a token file that matches the current TF state serial
-number. If no associated token file exists for the current TF state, the bootstrap
-process is required. Otherwise, the bootstrap process is skipped.
-
-If the bootstrap process was not required (i.e. it already occurred and a
-Consul master token already exists for the current TF state), the script will
-activate ACLs in the Consul Server configurations and restart those agents. After
-using `enable`, the `disable` command can be used to turn Consul ACLs back off,
-without destroying any of the existing ACL configuration.
-
-### disable
-
-The command `consul-acls-manage.sh disable` will disable Consul ACLs. This does
-not "cleanup" the policy files for Consul / Nomad agents, it merely deactivates
-ACLs in the Consul Server configurations and restarts those agents. After using
-`disable`, the `enable` command can be used to turn Consul ACLs back on, using
-the same ACL token(s) generated before.
diff --git a/e2e/consulacls/acl-disable.hcl b/e2e/consulacls/acl-disable.hcl
deleted file mode 100644
index 9dac26de2..000000000
--- a/e2e/consulacls/acl-disable.hcl
+++ /dev/null
@@ -1,6 +0,0 @@
-# This partial consul configuration file will disable Consul ACLs. The
-# consul-acls-manage.sh script uploads this file as "acl.hcl" to Consul Server
-# configuration directories, and restarts those agents.
-acl = {
- enabled = false
-}
diff --git a/e2e/consulacls/acl-enable.hcl b/e2e/consulacls/acl-enable.hcl
deleted file mode 100644
index f4204befd..000000000
--- a/e2e/consulacls/acl-enable.hcl
+++ /dev/null
@@ -1,8 +0,0 @@
-# This partial consul configuration file will enable Consul ACLs. The
-# consul-acls-manage.sh script uploads this file as "acl.hcl" to Consul Server
-# configuration directories, and restarts those agents.
-acl = {
- enabled = true
- default_policy = "deny"
- enable_token_persistence = true
-}
diff --git a/e2e/consulacls/acl-pre-enable.hcl b/e2e/consulacls/acl-pre-enable.hcl
deleted file mode 100644
index a91916d7f..000000000
--- a/e2e/consulacls/acl-pre-enable.hcl
+++ /dev/null
@@ -1,13 +0,0 @@
-# This partial consul configuration file will enable Consul ACLs in the default:allow
-# mode, which is nessessary for the ACL bootstrapping process of a pre-existing cluster.
-#
-# The consul-acls-manage.sh script uploads this file as "acl.hcl" to Consul Server
-# configuration directories, and restarts those agents.
-#
-# Later the consul-acls-manage.sh script will replace this configuration with the
-# one found in acl-enable.sh so as to enforce ACLs.
-acl = {
- enabled = true
- default_policy = "allow"
- enable_token_persistence = true
-}
diff --git a/e2e/consulacls/consul-acls-manage.sh b/e2e/consulacls/consul-acls-manage.sh
deleted file mode 100755
index 8caa97edb..000000000
--- a/e2e/consulacls/consul-acls-manage.sh
+++ /dev/null
@@ -1,412 +0,0 @@
-#!/usr/bin/env bash
-
-# must be run from e2e directory
-
-set -o errexit
-set -o nounset
-set -o pipefail
-
-tfstatefile="terraform/terraform.tfstate"
-
-# Make sure we are running from the e2e/ directory
-[ "$(basename "$(pwd)")" == "e2e" ] || (echo "must be run from nomad/e2e directory" && exit 1)
-
-# Make sure one argument was provided (subcommand)
-[ ${#} -eq 1 ] || (echo "expect one argument (subcommand)" && exit 1)
-
-# Make sure terraform state file exists
-[ -f "${tfstatefile}" ] || (echo "file ${tfstatefile} must exist (run terraform?)" && exit 1)
-
-# Load Linux Client Node IPs from terraform state file
-linux_clients=$(jq -r .outputs.linux_clients.value[] <"${tfstatefile}" | xargs)
-
-# Load Windows Client Node IPs from terraform state file
-windows_clients=$(jq -r .outputs.windows_clients.value[] <"${tfstatefile}" | xargs)
-
-# Combine all the clients together
-# clients="${linux_clients} ${windows_clients}"
-
-# Load Server Node IPs from terraform/terraform.tfstate
-servers=$(jq -r .outputs.servers.value[] <"${tfstatefile}" | xargs)
-
-# Use the 0th server as the ACL bootstrap server
-server0=$(echo "${servers}" | cut -d' ' -f1)
-
-# Find the .pem file to use
-pemfile="terraform/$(jq -r '.resources[] | select(.name=="private_key_pem") | .instances[0].attributes.filename' <"terraform/terraform.tfstate")"
-
-# See AWS service file
-consul_configs="/etc/consul.d"
-nomad_configs="/etc/nomad.d"
-
-# Not really present in the config
-user=ubuntu
-
-# Create a filename based on the TF state file (.serial), where we will store and/or
-# lookup the consul master token. The presense of this file is what determines
-# whether a full ACL bootstrap must occur, or if we only need to activate ACLs
-# whenever the "enable" sub-command is chosen.
-token_file="/tmp/e2e-consul-bootstrap-$(jq .serial <${tfstatefile}).token" - -# One argument - the subcommand to run which may be: bootstrap, enable, or disable -subcommand="${1}" - -echo "==== SETUP configuration =====" -echo "SETUP command is: ${subcommand}" -echo "SETUP token file: ${token_file}" -echo "SETUP servers: ${servers}" -echo "SETUP linux clients: ${linux_clients}" -echo "SETUP windows clients: ${windows_clients}" -echo "SETUP pem file: ${pemfile}" -echo "SETUP consul configs: ${consul_configs}" -echo "SETUP nomad configs: ${nomad_configs}" -echo "SETUP aws user: ${user}" -echo "SETUP bootstrap server: ${server0}" - -function doSSH() { - hostname="$1" - command="$2" - echo "-----> will ssh command '${command}' on ${hostname}" - ssh \ - -o StrictHostKeyChecking=no \ - -o UserKnownHostsFile=/dev/null \ - -i "${pemfile}" \ - "${user}@${hostname}" "${command}" -} - -function doSCP() { - original="$1" - username="$2" - hostname="$3" - destination="$4" - echo "------> will scp ${original} to ${hostname}" - scp \ - -o StrictHostKeyChecking=no \ - -o UserKnownHostsFile=/dev/null \ - -i "${pemfile}" \ - "${original}" "${username}@${hostname}:${destination}" -} - -function doBootstrap() { - echo "=== Bootstrap: Consul Configs ===" - - # Stop all Nomad agents. - stopNomad - - # Run the pre-activation step, which uploads an acl.hcl file (with default:allow) - # to each Consul configuration directory, then (re)starts each - # Consul agent. - doPreActivateACLs - - echo "=== Bootstrap: Consul ACL Bootstrap ===" - echo "sleeping 2 minutes to let Consul agents settle (avoid Legacy mode error)..." 
- sleep 120
-
- # Bootstrap Consul ACLs on server[0]
- echo "-> bootstrap ACL using ${server0}"
- consul_http_token=$(doSSH "${server0}" "/usr/local/bin/consul acl bootstrap" | grep SecretID | awk '{print $2}')
- consul_http_addr="http://${server0}:8500"
- export CONSUL_HTTP_TOKEN=${consul_http_token}
- export CONSUL_HTTP_ADDR=${consul_http_addr}
- echo " consul http: ${CONSUL_HTTP_ADDR}"
- echo " consul root: ${CONSUL_HTTP_TOKEN}"
- echo "${CONSUL_HTTP_TOKEN}" > "${token_file}"
-
- # Create Consul Server Policy & Consul Server agent tokens
- echo "-> configure consul server policy"
- consul acl policy create -name server-policy -rules @consulacls/consul-server-policy.hcl
-
- # Create & Set agent token for each Consul Server
- for server in ${servers}; do
- echo "---> will create agent token for server ${server}"
- server_agent_token=$(consul acl token create -description "consul server agent token" -policy-name server-policy | grep SecretID | awk '{print $2}')
- echo "---> setting token for server agent: ${server} -> ${server_agent_token}"
- (export CONSUL_HTTP_ADDR="${server}:8500"; consul acl set-agent-token agent "${server_agent_token}")
- echo "---> done setting agent token for server ${server}"
- done
-
- # Wait 30s before continuing with configuring consul clients.
- echo "-> sleep 3s before continuing with clients"
- sleep 3
-
- # Create Consul Client Policy & Client agent tokens
- echo "-> configure consul client policy"
- consul acl policy create -name client-policy -rules @consulacls/consul-client-policy.hcl
-
- # Create & Set agent token for each Consul Client (excluding Windows)
- for linux_client in ${linux_clients}; do
- echo "---> will create consul agent token for client ${linux_client}"
- client_agent_token=$(consul acl token create -description "consul client agent token" -policy-name client-policy | grep SecretID | awk '{print $2}')
- echo "---> setting consul token for consul client ${linux_client} -> ${client_agent_token}"
- (export CONSUL_HTTP_ADDR="${linux_client}:8500"; consul acl set-agent-token agent "${client_agent_token}")
- echo "---> done setting agent token for client ${linux_client}"
- done
-
- # Now, upload the ACL policy file with default:deny so that ACL are actually
- # enforced.
- doActivateACLs
-
- echo "=== Bootstrap: Nomad Configs ==="
-
- # Create Nomad Server consul Policy and Nomad Server consul tokens
- echo "-> configure nomad server policy & consul token"
- consul acl policy create -name nomad-server-policy -rules @consulacls/nomad-server-policy.hcl
- nomad_server_consul_token=$(consul acl token create -description "nomad server consul token" -policy-name nomad-server-policy | grep SecretID | awk '{print $2}')
- nomad_server_consul_token_tmp=$(mktemp)
- cp consulacls/nomad-server-consul.hcl "${nomad_server_consul_token_tmp}"
- sed -i "s/CONSUL_TOKEN/${nomad_server_consul_token}/g" "${nomad_server_consul_token_tmp}"
- for server in ${servers}; do
- echo "---> upload nomad-server-consul.hcl to ${server}"
- doSCP "${nomad_server_consul_token_tmp}" "${user}" "${server}" "/tmp/nomad-server-consul.hcl"
- doSSH "${server}" "sudo mv /tmp/nomad-server-consul.hcl ${nomad_configs}/nomad-server-consul.hcl"
- done
-
- # Create Nomad Client consul Policy and Nomad Client consul token
- echo "-> configure nomad client policy & consul token"
- consul acl policy create -name nomad-client-policy -rules @consulacls/nomad-client-policy.hcl
- nomad_client_consul_token=$(consul acl token create -description "nomad client consul token" -policy-name nomad-client-policy | grep SecretID | awk '{print $2}')
- nomad_client_consul_token_tmp=$(mktemp)
- cp consulacls/nomad-client-consul.hcl "${nomad_client_consul_token_tmp}"
- sed -i "s/CONSUL_TOKEN/${nomad_client_consul_token}/g" "${nomad_client_consul_token_tmp}"
- for linux_client in ${linux_clients}; do
- echo "---> upload nomad-client-token.hcl to ${linux_client}"
- doSCP "${nomad_client_consul_token_tmp}" "${user}" "${linux_client}" "/tmp/nomad-client-consul.hcl"
- doSSH "${linux_client}" "sudo mv /tmp/nomad-client-consul.hcl ${nomad_configs}/nomad-client-consul.hcl"
- done
-
- startNomad
-
- export NOMAD_ADDR="http://${server0}:4646"
-
- echo "=== Activate: DONE ==="
-}
-
-function doSetAllowUnauthenticated {
- value="${1}"
- [ "${value}" == "true" ] || [ "${value}" == "false" ] || ( echo "allow_unauthenticated must be 'true' or 'false'" && exit 1)
- for server in ${servers}; do
- if [ "${value}" == "true" ]; then
- echo "---> setting consul.allow_unauthenticated=true on ${server}"
- doSSH "${server}" "sudo sed -i 's/allow_unauthenticated = false/allow_unauthenticated = true/g' ${nomad_configs}/nomad-server-consul.hcl"
- else
- echo "---> setting consul.allow_unauthenticated=false on ${server}"
- doSSH "${server}" "sudo sed -i 's/allow_unauthenticated = true/allow_unauthenticated = false/g' ${nomad_configs}/nomad-server-consul.hcl"
- fi
- doSSH "${server}" "sudo systemctl restart nomad"
- done
-
- for linux_client in ${linux_clients}; do
- if [ "${value}" == "true" ]; then
- echo "---> comment out consul token for Nomad client ${linux_client}"
- doSSH "${linux_client}" "sudo sed -i 's!token =!// token =!g' ${nomad_configs}/nomad-client-consul.hcl"
- else
- echo "---> un-comment consul token for Nomad client ${linux_client}"
- doSSH "${linux_client}" "sudo sed -i 's!// token =!token =!g' ${nomad_configs}/nomad-client-consul.hcl"
- fi
- doSSH "${linux_client}" "sudo systemctl restart nomad"
- done
-}
-
-function doEnable {
- if [ ! -f "${token_file}" ]; then
- echo "ENABLE: token file does not exist, doing a full ACL bootstrap"
- doBootstrap
- else
- echo "ENABLE: token file already exists, will activate ACLs"
- doSetAllowUnauthenticated "false"
- doActivateACLs
- fi
-
- echo "=== Enable: DONE ==="
-
- # show the status of all the agents
- echo "---> token file is ${token_file}"
- consul_http_token=$(cat "${token_file}")
- export CONSUL_HTTP_TOKEN="${consul_http_token}"
- echo "export CONSUL_HTTP_TOKEN=${CONSUL_HTTP_TOKEN}"
- doStatus
-}
-
-function doDisable {
- if [ ! -f "${token_file}" ]; then
- echo "DISABLE: token file does not exist, did bootstrap ever happen?"
- exit 1
- else
- echo "DISABLE: token file exists, will deactivate ACLs"
- doSetAllowUnauthenticated "true"
- doDeactivateACLs
- fi
-
- echo "=== Disable: DONE ==="
-
- # show the status of all the agents
- unset CONSUL_HTTP_TOKEN
- doStatus
-}
-
-function doPreActivateACLs {
- echo "=== PreActivate (set default:allow) ==="
-
- stopConsul
-
- # Upload acl-pre-enable.hcl to each Consul agent's configuration directory.
- for agent in ${servers} ${linux_clients}; do
- echo " pre-activate: upload acl-pre-enable.hcl to ${agent}::acl.hcl"
- doSCP "consulacls/acl-pre-enable.hcl" "${user}" "${agent}" "/tmp/acl.hcl"
- doSSH "${agent}" "sudo mv /tmp/acl.hcl ${consul_configs}/acl.hcl"
- done
-
- # Start each Consul agent to pickup the new config.
- for agent in ${servers} ${linux_clients}; do
- echo " pre-activate: start Consul agent on ${agent}"
- doSSH "${agent}" "sudo systemctl start consul"
- done
-
- echo "=== PreActivate: DONE ==="
-}
-
-function doActivateACLs {
- echo "=== Activate (set default:deny) ==="
-
- stopConsul
-
- # Upload acl-enable.hcl to each Consul agent's configuration directory.
- for agent in ${servers} ${linux_clients}; do
- echo " activate: upload acl-enable.hcl to ${agent}::acl.hcl"
- doSCP "consulacls/acl-enable.hcl" "${user}" "${agent}" "/tmp/acl.hcl"
- doSSH "${agent}" "sudo mv /tmp/acl.hcl ${consul_configs}/acl.hcl"
- done
-
- # Start each Consul agent to pickup the new config.
- for agent in ${servers} ${linux_clients}; do
- echo " activate: restart Consul agent on ${agent} ..."
- doSSH "${agent}" "sudo systemctl start consul"
- done
-
- echo "--> activate ACLs sleep for 2 minutes to let Consul figure things out"
- sleep 120
- echo "=== Activate: DONE ==="
-}
-
-function stopNomad {
- echo "=== Stop Nomad agents ==="
- # Stop every Nomad agent (clients and servers) in preperation for Consul ACL
- # bootstrapping.
- for server in ${servers}; do
- echo " stop Nomad Server on ${server}"
- doSSH "${server}" "sudo systemctl stop nomad"
- sleep 1
- done
-
- for linux_client in ${linux_clients}; do
- echo " stop Nomad Client on ${linux_client}"
- doSSH "${linux_client}" "sudo systemctl stop nomad"
- sleep 1
- done
-
- echo "... all nomad agents stopped"
-}
-
-function startNomad {
- echo "=== Start Nomad agents ==="
- # Start every Nomad agent (clients and servers) after having Consul ACL
- # bootstrapped and configurations set for Nomad.
- for server in ${servers}; do
- echo " start Nomad Server on ${server}"
- doSSH "${server}" "sudo systemctl start nomad"
- sleep 1
- done
-
- # give the servers a chance to settle
- sleep 10
-
- for linux_client in ${linux_clients}; do
- echo " start Nomad Client on ${linux_client}"
- doSSH "${linux_client}" "sudo systemctl start nomad"
- sleep 3
- done
-
- # give the clients a long time to settle
- sleep 30
-
- echo "... all nomad agents started"
-}
-
-function stopConsul {
- echo "=== Stop Consul agents ==="
- # Stop every Nonsul agent (clients and servers) in preperation for Consul ACL
- # bootstrapping.
- for server in ${servers}; do
- echo " stop Consul Server on ${server}"
- doSSH "${server}" "sudo systemctl stop consul"
- sleep 1
- done
-
- for linux_client in ${linux_clients}; do
- echo " stop Consul Client on ${linux_client}"
- doSSH "${linux_client}" "sudo systemctl stop consul"
- sleep 1
- done
-
- echo "... all consul agents stopped"
-}
-
-function startConsulClients {
- echo "=== Start Consul Clients ==="
- # Start Consul Clients
- for linux_client in ${linux_clients}; do
- echo " start Consul Client on ${linux_client}"
- doSSH "${linux_client}" "sudo systemctl start consul"
- sleep 2
- done
-
- sleep 5 # let them settle
- echo "... all consul clients started"
-}
-
-function doDeactivateACLs {
- echo "=== Deactivate ==="
- # Upload acl-disable.hcl to each Consul agent's configuration directory.
- for agent in ${servers} ${linux_clients}; do
- echo " deactivate: upload acl-disable.hcl to ${agent}::acl.hcl"
- doSCP "consulacls/acl-disable.hcl" "${user}" "${agent}" "/tmp/acl.hcl"
- doSSH "${agent}" "sudo mv /tmp/acl.hcl ${consul_configs}/acl.hcl"
- done
-
- # Restart each Consul agent to pickup the new config.
- for agent in ${servers} ${linux_clients}; do
- echo " deactivate: restart Consul on ${agent} ..."
- doSSH "${agent}" "sudo systemctl restart consul"
- done
-
- # Wait 120s before moving on, Consul / Nomad need time to settle down.
- echo " deactivate: sleep 2m ..."
- sleep 120
-}
-
-function doStatus {
- # assumes CONSUL_HTTP_TOKEN is set (or not)
- echo "consul members"
- consul members
- echo ""
- echo "nomad server members"
- nomad server members
- echo ""
- echo "nomad node status"
- nomad node status
- echo ""
-}
-
-# It's the entrypoint to our script!
-case "${subcommand}" in
- enable)
- doEnable
- ;;
- disable)
- doDisable
- ;;
- *)
- echo "incorrect subcommand ${subcommand}"
- exit 1
- ;;
-esac
diff --git a/e2e/consulacls/consul-client-default-token.hcl b/e2e/consulacls/consul-client-default-token.hcl
deleted file mode 100644
index d6b369b03..000000000
--- a/e2e/consulacls/consul-client-default-token.hcl
+++ /dev/null
@@ -1,7 +0,0 @@
-acl {
- tokens {
- agent = "CONSUL_TOKEN"
- agent_master = "CONSUL_TOKEN"
- default = "CONSUL_TOKEN"
- }
-}
diff --git a/e2e/consulacls/consul-client-policy.hcl b/e2e/consulacls/consul-client-policy.hcl
deleted file mode 100644
index 6eef6296c..000000000
--- a/e2e/consulacls/consul-client-policy.hcl
+++ /dev/null
@@ -1,25 +0,0 @@
-acl = "write"
-
-agent_prefix "" {
- policy = "write"
-}
-
-event_prefix "" {
- policy = "write"
-}
-
-key_prefix "" {
- policy = "write"
-}
-
-node_prefix "" {
- policy = "write"
-}
-
-query_prefix "" {
- policy = "write"
-}
-
-service_prefix "" {
- policy = "write"
-}
diff --git a/e2e/consulacls/consul-server-policy.hcl b/e2e/consulacls/consul-server-policy.hcl
deleted file mode 100644
index 6eef6296c..000000000
--- a/e2e/consulacls/consul-server-policy.hcl
+++ /dev/null
@@ -1,25 +0,0 @@
-acl = "write"
-
-agent_prefix "" {
- policy = "write"
-}
-
-event_prefix "" {
- policy = "write"
-}
-
-key_prefix "" {
- policy = "write"
-}
-
-node_prefix "" {
- policy = "write"
-}
-
-query_prefix "" {
- policy = "write"
-}
-
-service_prefix "" {
- policy = "write"
-}
diff --git a/e2e/consulacls/manage.go b/e2e/consulacls/manage.go
deleted file mode 100644
index dc41d61dd..000000000
--- a/e2e/consulacls/manage.go
+++ /dev/null
@@ -1,119 +0,0 @@
-package consulacls
-
-import (
- "context"
- "encoding/json"
- "fmt"
- "io/ioutil"
- "os/exec"
- "strings"
- "testing"
- "time"
-
- "github.com/stretchr/testify/require"
-)
-
-// DefaultTFStateFile is the location of the TF state file, as created for the
-// e2e test framework. This file is used to extract the TF serial number, which
-// is used to determine whether the consul bootstrap process is necessary or has
-// already taken place.
-const DefaultTFStateFile = "terraform/terraform.tfstate"
-
-// A Manager is used to manipulate whether Consul ACLs are enabled or disabled.
-// Only works with TF provisioned clusters.
-type Manager interface {
- // Enable Consul ACLs in the Consul cluster. The Consul ACL master token
- // associated with the Consul cluster is returned.
- //
- // A complete bootstrap process will take place if necessary.
- //
- // Once enabled, Consul ACLs can be disabled with Disable.
- Enable(t *testing.T) string
-
- // Disable Consul ACLs in the Consul Cluster.
- //
- // Once disabled, Consul ACLs can be re-enabled with Enable.
- Disable(t *testing.T)
-}
-
-type tfManager struct {
- serial int
-}
-
-func New(tfStateFile string) (*tfManager, error) {
- serial, err := extractSerial(tfStateFile)
- if err != nil {
- return nil, err
- }
- return &tfManager{
- serial: serial,
- }, nil
-}
-
-func (m *tfManager) Enable(t *testing.T) string {
- // Run the consul ACL bootstrap script, which will store the master token
- // in the deterministic path based on the TF state serial number. If the
- // bootstrap process had already taken place, ACLs will be activated but
- // without going through the bootstrap process again, re-using the already
- // existing Consul ACL master token.
- ctx, cancel := context.WithTimeout(context.Background(), 10*time.Minute)
- defer cancel()
-
- response, err := exec.CommandContext(ctx,
- "consulacls/consul-acls-manage.sh", "enable").CombinedOutput()
- require.NoError(t, err, "consul-acls-manage.sh failed: %v", string(response))
- fmt.Println(string(response))
-
- // Read the Consul ACL master token that was generated (or if the token
- // already existed because the bootstrap process had already taken place,
- // that one).
- token, err := m.readToken()
- require.NoError(t, err)
- return token
-}
-
-type tfState struct {
- Serial int `json:"serial"`
-}
-
-// extractSerial will parse the TF state file looking for the serial number.
-func extractSerial(filename string) (int, error) {
- if filename == "" {
- filename = DefaultTFStateFile
- }
- b, err := ioutil.ReadFile(filename)
- if err != nil {
- return 0, fmt.Errorf("failed to extract TF serial: %w", err)
- }
- var state tfState
- if err := json.Unmarshal(b, &state); err != nil {
- return 0, fmt.Errorf("failed to extract TF serial: %w", err)
- }
- return state.Serial, nil
-}
-
-// tokenPath returns the expected path for the Consul ACL master token generated
-// by the consul-acls-manage.sh bootstrap script for the current TF serial version.
-func (m *tfManager) tokenPath() string {
- return fmt.Sprintf("/tmp/e2e-consul-bootstrap-%d.token", m.serial)
-}
-
-func (m *tfManager) readToken() (string, error) {
- b, err := ioutil.ReadFile(m.tokenPath())
- if err != nil {
- return "", err
- }
- return strings.TrimSpace(string(b)), nil
-}
-
-func (m *tfManager) Disable(t *testing.T) {
- // Run the consul ACL bootstrap script, which will modify the Consul Server
- // ACL policies to disable ACLs, and then restart those agents.
- ctx, cancel := context.WithTimeout(context.Background(), 10*time.Minute)
- defer cancel()
-
- response, err := exec.CommandContext(ctx,
- "consulacls/consul-acls-manage.sh", "disable").CombinedOutput()
- require.NoError(t, err)
- fmt.Println(string(response))
-}
diff --git a/e2e/consulacls/nomad-client-consul.hcl b/e2e/consulacls/nomad-client-consul.hcl
deleted file mode 100644
index 2cd6ecc84..000000000
--- a/e2e/consulacls/nomad-client-consul.hcl
+++ /dev/null
@@ -1,4 +0,0 @@
-// The provided consul.token value must be blessed with service=write ACLs.
-consul {
- token = "CONSUL_TOKEN"
-}
diff --git a/e2e/consulacls/nomad-client-policy.hcl b/e2e/consulacls/nomad-client-policy.hcl
deleted file mode 100644
index cd3c3b1c8..000000000
--- a/e2e/consulacls/nomad-client-policy.hcl
+++ /dev/null
@@ -1,22 +0,0 @@
-// The Nomad Client will be registering things into its buddy Consul Client.
-// Note: because we also test the use of Consul namespaces, this token must be
-// able to register services, read the keystore, and read node data for any
-// namespace.
-
-agent_prefix "" {
- policy = "read"
-}
-
-namespace_prefix "" {
- key_prefix "" {
- policy = "read"
- }
-
- node_prefix "" {
- policy = "read"
- }
-
- service_prefix "" {
- policy = "write"
- }
-}
\ No newline at end of file
diff --git a/e2e/consulacls/nomad-server-consul.hcl b/e2e/consulacls/nomad-server-consul.hcl
deleted file mode 100644
index ac42b5bab..000000000
--- a/e2e/consulacls/nomad-server-consul.hcl
+++ /dev/null
@@ -1,8 +0,0 @@
-// Nomad Server needs to set allow_unauthenticated=false to enforce the use
-// of a Consul Operator Token on job submission for Connect enabled jobs.
-//
-// The provided consul.token value must be blessed with acl=write ACLs.
-consul {
- allow_unauthenticated = false
- token = "CONSUL_TOKEN"
-}
diff --git a/e2e/consulacls/nomad-server-policy.hcl b/e2e/consulacls/nomad-server-policy.hcl
deleted file mode 100644
index 6dd5a64c3..000000000
--- a/e2e/consulacls/nomad-server-policy.hcl
+++ /dev/null
@@ -1,23 +0,0 @@
-// The operator=write permission is required for creating config entries for
-// connect ingress gateways. operator ACLs are not namespaced, though the
-// config entries they can generate are.
-operator = "write"
-
-namespace_prefix "" {
- // The acl=write permission is required for generating Consul Service Identity
- // tokens for consul connect services. Those services could be configured for
- // any Consul namespace the job-submitter has access to.
- acl = "write"
-}
-
-service_prefix "" {
- policy = "write"
-}
-
-agent_prefix "" {
- policy = "read"
-}
-
-node_prefix "" {
- policy = "read"
-}
\ No newline at end of file