Our `consulcompat` tests exercise both the Workload Identity and legacy Consul token workflow, but they are limited to running single node tests. The E2E cluster is network isolated, so using our HCP Consul cluster runs into a problem validating WI tokens because it can't reach the JWKS endpoint. In real production environments, you'd solve this with a CNAME pointing to a public IP pointing to a proxy with a real domain name. But that's logistically impractical for our ephemeral nightly cluster. Migrate the HCP Consul to a single-node Consul cluster on AWS EC2 alongside our Nomad cluster. Bootstrap TLS and ACLs in Terraform and ensure all nodes can reach each other. This will allow us to update our Consul tests so they can use Workload Identity, in a separate PR. Ref: #19698
#!/usr/bin/env bash
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: BUSL-1.1
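DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"

# Bootstraps ACLs on the single-node E2E Consul server and installs the two
# pre-shared tokens the rest of the cluster expects. Fail on any unchecked
# error or unset variable so a half-configured Consul is not reported as
# success to the provisioner (previously every failure after bootstrap was
# silently ignored and the script still exited 0).
set -eu

# Both pre-shared secrets are mandatory: passing an empty -secret would make
# Consul mint a random SecretID that the Nomad servers / Consul agents
# configured by Terraform do not know.
: "${NOMAD_CLUSTER_CONSUL_TOKEN:?must be set to the pre-shared Nomad cluster Consul token}"
: "${CONSUL_AGENT_TOKEN:?must be set to the pre-shared Consul agent token}"

# Wait until the local agent can answer `consul info`, which is what the ACL
# commands below need. The wait is bounded so a broken node fails the
# provisioner instead of hanging it forever (60 x 5s = 5 minutes).
readonly max_attempts=60
attempt=0
echo "waiting for Consul leader to be up..."
until consul info; do
  attempt=$((attempt + 1))
  if (( attempt >= max_attempts )); then
    echo "Consul server not ready after ${max_attempts} attempts, giving up" >&2
    exit 1
  fi
  echo "Consul server not ready, waiting 5s"
  sleep 5
done

# Bootstrap the ACL system. This is the only re-run-safe step: a second
# bootstrap attempt is rejected and we just log it. NOTE(review): the
# bootstrap output includes the initial management token's SecretID and goes
# to stdout, i.e. into the provisioner log; the ACL commands below presumably
# authenticate via a CONSUL_HTTP_TOKEN exported by the caller — confirm.
consul acl bootstrap || echo "Consul ACLs already bootstrapped"

# Namespaces only exist in Consul Enterprise. The previous check wrapped
# `grep -q` in `[ ... ]`, which is always false because grep -q prints
# nothing, so this branch never ran; test grep's exit status directly.
# grep reads all of its input (no -q) so consul never sees a SIGPIPE.
if consul info | grep "version_metadata = ent" >/dev/null; then
  echo "writing namespaces"
  consul namespace create -name "prod"
  consul namespace create -name "dev"
fi

# Policy + token used by the Nomad servers/clients to talk to Consul.
# The secret is passed on argv and is therefore briefly visible in `ps` on
# this host; the consul CLI used here offers no stdin/file form for -secret.
echo "writing Nomad cluster policy and token"
consul acl policy create -name nomad-cluster -rules "@${DIR}/nomad-cluster-consul-policy.hcl"
consul acl token create -policy-name=nomad-cluster -secret "$NOMAD_CLUSTER_CONSUL_TOKEN"

# Policy + token used by the Consul agents on the other nodes to join.
echo "writing Consul cluster policy and token"
consul acl policy create -name consul-agents -rules "@${DIR}/consul-agents-policy.hcl"
consul acl token create -policy-name=consul-agents -secret "$CONSUL_AGENT_TOKEN"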