kemko/nomad
1
0
Fork 0
mirror of https://github.com/kemko/nomad.git synced 2026-01-06 18:35:44 +03:00
Code Issues Packages Projects Releases Wiki Activity
Files
ffcb72bfe38acfea7facd70ddecabe74c35a7d24
nomad/e2e/terraform/outputs.tf
Tim Gross cf25cf5cd5 E2E: use a self-hosted Consul for easier WI testing (#20256) 
Our `consulcompat` tests exercise both the Workload Identity and legacy Consul
token workflow, but they are limited to running single node tests. The E2E
cluster is network isolated, so using our HCP Consul cluster runs into a
problem validating WI tokens because it can't reach the JWKS endpoint. In real
production environments, you'd solve this with a CNAME pointing to a public IP
pointing to a proxy with a real domain name. But that's logisitcally
impractical for our ephemeral nightly cluster.

Migrate the HCP Consul to a single-node Consul cluster on AWS EC2 alongside our
Nomad cluster. Bootstrap TLS and ACLs in Terraform and ensure all nodes can
reach each other. This will allow us to update our Consul tests so they can use
Workload Identity, in a separate PR.

Ref: #19698
2024-04-02 15:24:51 -04:00

63 lines
1.8 KiB
HCL
Raw Blame History

# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: BUSL-1.1
output "servers" {
value = aws_instance.server.*.public_ip
}
output "linux_clients" {
value = aws_instance.client_ubuntu_jammy_amd64.*.public_ip
}
output "windows_clients" {
value = aws_instance.client_windows_2016_amd64.*.public_ip
}
output "message" {
value = <<EOM
Your cluster has been provisioned! To prepare your environment, run:
$(terraform output --raw environment)
Then you can run tests from the e2e directory with:
go test -v .
ssh into servers with:
%{for ip in aws_instance.server.*.public_ip~}
ssh -i keys/${local.random_name}.pem ubuntu@${ip}
%{endfor~}
ssh into clients with:
%{for ip in aws_instance.client_ubuntu_jammy_amd64.*.public_ip~}
ssh -i keys/${local.random_name}.pem ubuntu@${ip}
%{endfor~}
%{for ip in aws_instance.client_windows_2016_amd64.*.public_ip~}
ssh -i keys/${local.random_name}.pem Administrator@${ip}
%{endfor~}
EOM
}
# Note: Consul and Vault environment needs to be set in test
# environment before the Terraform run, so we don't have that output
# here
output "environment" {
description = "get connection config by running: $(terraform output environment)"
sensitive = true
value = <<EOM
export NOMAD_ADDR=https://${aws_instance.server[0].public_ip}:4646
export NOMAD_CACERT=${abspath(path.root)}/keys/tls_ca.crt
export NOMAD_CLIENT_CERT=${abspath(path.root)}/keys/tls_api_client.crt
export NOMAD_CLIENT_KEY=${abspath(path.root)}/keys/tls_api_client.key
export NOMAD_TOKEN=${data.local_sensitive_file.nomad_token.content}
export NOMAD_E2E=1
export CONSUL_HTTP_ADDR=https://${aws_instance.consul_server.public_ip}:8501
export CONSUL_HTTP_TOKEN=${local_sensitive_file.consul_initial_management_token.content}
export CONSUL_CACERT=${abspath(path.root)}/keys/tls_ca.crt
EOM
}
Reference in New Issue View Git Blame Copy Permalink