kemko/nomad
1
0
Fork 0
mirror of https://github.com/kemko/nomad.git synced 2026-01-04 01:15:43 +03:00
Code Issues Packages Projects Releases Wiki Activity
Files
41e0dfd13ba955d3731f3af0834e2b4ec46ae607
nomad/client/allocrunner/taskrunner/consul_hook_test.go
Tim Gross 6d58acd897 WI: ensure tasks within same alloc get different Consul tokens (#20411) 
The `consul_hook` in the allocrunner gets a separate Consul token for each task,
even if the tasks' identities have the same name, but used the identity name as
the key to the alloc hook resources map. This means the last task in the group
overwrites the Consul tokens of all other tasks.

Fix this by adding the task name to the key in the allocrunner's
`consul_hook`. And update the taskrunner's `consul_hook` to expect the task
name in the key.

Fixes: https://github.com/hashicorp/nomad/issues/20374
Fixes: https://hashicorp.atlassian.net/browse/NOMAD-614
2024-04-17 11:29:58 -04:00

55 lines
1.6 KiB
Go
Raw Blame History

// Copyright (c) HashiCorp, Inc.
// SPDX-License-Identifier: BUSL-1.1
package taskrunner
import (
"context"
"path/filepath"
"testing"
"github.com/hashicorp/consul/api"
"github.com/hashicorp/nomad/client/allocrunner/interfaces"
cstructs "github.com/hashicorp/nomad/client/structs"
"github.com/hashicorp/nomad/helper/testlog"
"github.com/hashicorp/nomad/nomad/mock"
"github.com/hashicorp/nomad/nomad/structs"
"github.com/shoenig/test/must"
)
// TestConsulHook ensures we're only writing Consul tokens for the appropriate
// task's identities
func TestConsulHook(t *testing.T) {
alloc := mock.Alloc()
task := alloc.LookupTask("web")
task.Consul = &structs.Consul{
Cluster: "default",
}
task.Identities = []*structs.WorkloadIdentity{{Name: "consul_default"}}
resources := cstructs.NewAllocHookResources()
resources.SetConsulTokens(map[string]map[string]*api.ACLToken{
"default": map[string]*api.ACLToken{
"consul_default/web": &api.ACLToken{SecretID: "foo"},
"consul_default/extra": &api.ACLToken{SecretID: "bar"}, // for different task
"consul_infra/web": &api.ACLToken{SecretID: "baz"}, // for different cluster
"service_foo": &api.ACLToken{SecretID: "qux"}, // for service
},
})
taskDir := t.TempDir()
hook := &consulHook{
task: task,
tokenDir: taskDir,
hookResources: resources,
logger: testlog.HCLogger(t),
}
resp := &interfaces.TaskPrestartResponse{}
hook.Prestart(context.TODO(), &interfaces.TaskPrestartRequest{}, resp)
must.FileContains(t, filepath.Join(taskDir, "consul_token"), "foo")
must.Eq(t, "foo", resp.Env["CONSUL_TOKEN"])
}
Reference in New Issue View Git Blame Copy Permalink