From f1fb51422ba91eff4179478b274a02c05087d5e2 Mon Sep 17 00:00:00 2001 From: Piotr Kazmierczak <470696+pkazmierczak@users.noreply.github.com> Date: Fri, 15 Dec 2023 17:16:00 +0100 Subject: [PATCH] client: consul hook not called for templates (#19490) Due to some refactoring mishap, task-level Consul hook was never triggered and thus never wrote any secrets in task secret dirs. --- .changelog/19490.txt | 3 +++ client/allocrunner/taskrunner/consul_hook.go | 27 +++++++++++-------- .../taskrunner/task_runner_hooks.go | 4 +++ 3 files changed, 23 insertions(+), 11 deletions(-) create mode 100644 .changelog/19490.txt diff --git a/.changelog/19490.txt b/.changelog/19490.txt new file mode 100644 index 000000000..c2d5e988d --- /dev/null +++ b/.changelog/19490.txt @@ -0,0 +1,3 @@ +```release-note:bug +client: Fixed a bug where where the environment variable / file for the Consul token weren't written. +``` diff --git a/client/allocrunner/taskrunner/consul_hook.go b/client/allocrunner/taskrunner/consul_hook.go index 8ffac91cd..e34929573 100644 --- a/client/allocrunner/taskrunner/consul_hook.go +++ b/client/allocrunner/taskrunner/consul_hook.go @@ -18,10 +18,9 @@ import ( ) const ( - // consulTokenFilePrefix is the begging of the name of the file holding the - // Consul SI token inside the task's secret directory. Full name of the file is - // always consulTokenFilePrefix_identityName - consulTokenFilePrefix = "nomad_consul" + // consulTokenFilename is the name of the file holding the Consul SI token + // inside the task's secret directory. + consulTokenFilename = "consul_token" // consulTokenFilePerms is the level of file permissions granted on the file in // the secrets directory for the task @@ -32,14 +31,15 @@ type consulHook struct { task *structs.Task tokenDir string hookResources *cstructs.AllocHookResources - logger log.Logger + + logger log.Logger } -func newConsulHook(logger log.Logger, tr *TaskRunner, hookResources *cstructs.AllocHookResources) *consulHook { +func newConsulHook(logger log.Logger, tr *TaskRunner) *consulHook { h := &consulHook{ task: tr.Task(), tokenDir: tr.taskDir.SecretsDir, - hookResources: hookResources, + hookResources: tr.allocHookResources, } h.logger = logger.Named(h.Name()) return h @@ -49,13 +49,13 @@ func (*consulHook) Name() string { return "consul_task" } -func (h *consulHook) Prestart(context.Context, *interfaces.TaskPrestartRequest, *interfaces.TaskPrestartResponse) error { +func (h *consulHook) Prestart(ctx context.Context, req *interfaces.TaskPrestartRequest, resp *interfaces.TaskPrestartResponse) error { mErr := multierror.Error{} tokens := h.hookResources.GetConsulTokens() // Write tokens to tasks' secret dirs - for cluster, t := range tokens { + for _, t := range tokens { for identity, token := range t { // do not write tokens that do not belong to any of this task's // identities @@ -66,11 +66,16 @@ func (h *consulHook) Prestart(context.Context, *interfaces.TaskPrestartRequest, continue } - filename := fmt.Sprintf("%s_%s_%s", consulTokenFilePrefix, cluster, identity) - tokenPath := filepath.Join(h.tokenDir, filename) + tokenPath := filepath.Join(h.tokenDir, consulTokenFilename) if err := os.WriteFile(tokenPath, []byte(token.SecretID), consulTokenFilePerms); err != nil { mErr.Errors = append(mErr.Errors, fmt.Errorf("failed to write Consul SI token: %w", err)) } + + env := map[string]string{ + "CONSUL_TOKEN": token.SecretID, + } + + resp.Env = env } } diff --git a/client/allocrunner/taskrunner/task_runner_hooks.go b/client/allocrunner/taskrunner/task_runner_hooks.go index 9cf6009aa..5282f6697 100644 --- a/client/allocrunner/taskrunner/task_runner_hooks.go +++ b/client/allocrunner/taskrunner/task_runner_hooks.go @@ -107,6 +107,10 @@ func (tr *TaskRunner) initHooks() { // Get the consul namespace for the TG of the allocation. consulNamespace := tr.alloc.ConsulNamespaceForTask(tr.taskName) + // Add the consul hook (populates task secret dirs and sets the environment if + // consul tokens are present for the task). + tr.runnerHooks = append(tr.runnerHooks, newConsulHook(hookLogger, tr)) + // If there are templates is enabled, add the hook if len(task.Templates) != 0 { tr.runnerHooks = append(tr.runnerHooks, newTemplateHook(&templateHookConfig{