workbench: reuse the code to fetch credentials (Vault)
fmaste committed Apr 6, 2023
1 parent c17b852 commit 66fbd60
Showing 5 changed files with 314 additions and 164 deletions.
60 changes: 25 additions & 35 deletions nix/workbench/backend/nomad.sh
@@ -1,4 +1,4 @@
usage_nomad() {
usage_nomadbackend() {
usage "nomad" "Backend: manages a Cardano cluster using Nomad" <<EOF
Please see documentation for 'wb backend' for the supported commands.
Expand Down Expand Up @@ -65,26 +65,7 @@ EOF

backend_nomad() {

op=${1:?$(usage_nomad)}; shift

# Stateful Nomad server and agent(s):
# Calling `wb backend XXX` inside a Nix derivation will make everything fail:
# "mkdir: cannot create directory '/homeless-shelter': Permission denied"
# Better here rather than hidden in a function well below
local nomad_agents_dir="$(envjqr 'cacheDir')"/nomad
mkdir -p "${nomad_agents_dir}"
local nomad_servers_dir="${nomad_agents_dir}"/server
mkdir -p "${nomad_servers_dir}"
local nomad_clients_dir="${nomad_agents_dir}"/client
mkdir -p "${nomad_clients_dir}"
local webfs_dir="$(envjqr 'cacheDir')"/webfs
mkdir -p "${webfs_dir}"
# TODO: Which directory ? State, cache, config ?
# local nomad_state_dir=${XDG_STATE_HOME:-$HOME/.local/state}/cardano-workbench/nomad
# $XDG_STATE_HOME defines the base directory relative to which user-specific
# state files should be stored.
# (analogous to /var/lib).
# https://specifications.freedesktop.org/basedir-spec/basedir-spec-latest.html
op=${1:?$(usage_nomadbackend)}; shift

case "$op" in

Expand Down Expand Up @@ -125,7 +106,7 @@ backend_nomad() {

while test $# -gt 0
do case "$1" in
--* ) msg "FATAL: unknown flag '$1'"; usage_nomad;;
--* ) msg "FATAL: unknown flag '$1'"; usage_nomadbackend;;
* ) break;; esac; shift; done

# The "nomad" folder is created by the sub-backends ("podman", "exec",
Expand Down Expand Up @@ -899,7 +880,7 @@ backend_nomad() {

while test $# -gt 0
do case "$1" in
--* ) msg "FATAL: unknown flag '$1'"; usage_nomad;;
--* ) msg "FATAL: unknown flag '$1'"; usage_nomadbackend;;
* ) break;; esac; shift; done

if ! backend_nomad task-program-start "$dir" node-0 generator
Expand Down Expand Up @@ -2273,7 +2254,7 @@ backend_nomad() {
nomad job stop -global -no-shutdown-delay -purge -yes -verbose "${job_name}"
;;
* )
usage_nomad
usage_nomadbackend
;;
esac # nomad -> job
;;
Expand Down Expand Up @@ -2349,7 +2330,7 @@ backend_nomad() {
backend_nomad nomad server stop "${server_name}" || true
;;
* )
usage_nomad
usage_nomadbackend
;;
esac # nomad -> agents
;;
Expand All @@ -2363,6 +2344,7 @@ backend_nomad() {
state-dir-path )
local usage="USAGE: wb backend pass $op $agent $subop SERVER-NAME"
local name=${1:?$usage}; shift
local nomad_servers_dir="$(wb_nomad dir-path server)"
echo "${nomad_servers_dir}"/"${name}"
;;
config-file-path )
Expand Down Expand Up @@ -2530,7 +2512,7 @@ backend_nomad() {
fi
;;
* )
usage_nomad
usage_nomadbackend
;;
esac # nomad -> server
;;
Expand All @@ -2544,6 +2526,7 @@ backend_nomad() {
state-dir-path )
local usage="USAGE: wb backend pass $op $agent $subop CLIENT-NAME"
local name=${1:?$usage}; shift
local nomad_clients_dir="$(wb_nomad dir-path client)"
echo "${nomad_clients_dir}"/"${name}"
;;
config-file-path )
Expand Down Expand Up @@ -2838,7 +2821,7 @@ backend_nomad() {
;;
# Client specific subcommands here (not available for servers):
* )
usage_nomad
usage_nomadbackend
;;
esac # nomad -> client
;;
Expand Down Expand Up @@ -2880,7 +2863,8 @@ backend_nomad() {
echo "${XDG_RUNTIME_DIR:-/run/user/$UID}/workbench-podman.sock"
;;
pid-filepath )
echo "${nomad_agents_dir}"/nomad-driver-podman.pid
local plugin_dir="$(wb_nomad dir-path plugin)"
echo "${plugin_dir}"/nomad-driver-podman.pid
;;
pid )
local pid_file=$(backend_nomad nomad plugin nomad-driver-podman pid-filepath)
Expand Down Expand Up @@ -2961,12 +2945,12 @@ backend_nomad() {
fi
;;
* )
usage_nomad
usage_nomadbackend
;;
esac # nomad -> plugin -> nomad-driver-podman
;;
* )
usage_nomad
usage_nomadbackend
;;
esac # nomad -> plugin
;;
Expand All @@ -2978,6 +2962,8 @@ backend_nomad() {
local subop=${1:?$usage}; shift
case "$subop" in
nuke )
local nomad_servers_dir="$(wb_nomad dir-path server)"
local nomad_clients_dir="$(wb_nomad dir-path client)"
# Nuke all Nomad clients
for client_name in $(ls "${nomad_clients_dir}"); do
if backend_nomad nomad client is-running "${client_name}"
Expand All @@ -3004,8 +2990,10 @@ backend_nomad() {
backend_nomad nomad server cleanup "${server_name}"
fi
done
# Nuke the Nomad .cache dir
rm -rf "${nomad_agents_dir}" >/dev/null 2>&1
# Nuke the Nomad Agents' .cache dir
# Keep top level Nomad cache dir because it includes Vault's dirs.
rm -rf "${nomad_servers_dir}" >/dev/null 2>&1
rm -rf "${nomad_clients_dir}" >/dev/null 2>&1
# Bye HTTP server
if backend_nomad webfs is-running
then
Expand All @@ -3018,15 +3006,15 @@ backend_nomad() {
# rm -rf ~/.config/containers/podman/
;;
* )
usage_nomad
usage_nomadbackend
;;
esac # nomad -> all
;;
################################################################################
################################################################################
################################################################################
* )
usage_nomad
usage_nomadbackend
;;
esac # nomad
;;
Expand Down Expand Up @@ -3082,6 +3070,7 @@ EOF
# Nomad actions
case "$subop" in
state-dir-path)
local webfs_dir="$(wb_nomad dir-path webfs)"
echo "${webfs_dir}"
;;
document-root-path )
Expand Down Expand Up @@ -3161,7 +3150,7 @@ EOF
################################################################################

* )
usage_nomad
usage_nomadbackend
;;

esac
Expand Down Expand Up @@ -3445,6 +3434,7 @@ nomad_create_client_config() {
local config_file=$(backend_nomad nomad client config-file-path "${name}")
# Look for the running servers to connect to ("wired" in the config file).
local servers_addresses=""
local nomad_servers_dir="$(wb_nomad dir-path server)"
for server_name in $(ls "${nomad_servers_dir}"); do
if backend_nomad nomad server is-running "${server_name}"
then
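Review bot: In the `nuke` arm, `rm -rf "${nomad_servers_dir}"` and `rm -rf "${nomad_clients_dir}"` now operate on values that come from `local nomad_servers_dir="$(wb_nomad dir-path server)"`, where `local` masks a failing `wb_nomad` and an empty result is not guarded; the same masked-assignment pattern is used by every `dir-path` lookup added in this section. Declare and assign separately so the exit status is visible, and guard the destructive paths with `rm -rf -- "${nomad_servers_dir:?}" >/dev/null 2>&1` and `rm -rf -- "${nomad_clients_dir:?}" >/dev/null 2>&1`, so the `:?` aborts instead of recursing into an unintended directory. The comment "Keep top level Nomad cache dir because it includes Vault's dirs" also implies that whatever the Vault helper stores there (presumably tokens or leases; not visible here) now survives a `nuke`, which deserves an explicit comment such as `# Keep the top-level Nomad cache dir: it holds the Vault dirs, so Vault state is NOT wiped by nuke`. The enclosing `backend_nomad` function starts and ends outside this section.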
34 changes: 19 additions & 15 deletions nix/workbench/backend/nomad/cloud.sh
Expand Up @@ -108,15 +108,23 @@ backend_nomadcloud() {
# test, I repeat, this is not a drill =)
if test -z "${NOMAD_ADDR:-}"
then
msg $(yellow "WARNING: Nomad namespace \"NOMAD_NAMESPACE\" envar is not set")
msg $(blue "INFO: The SRE provided address for \"Performance and Tracing\" is \"https://nomad.world.dev.cardano.org\"")
msg $(yellow "WARNING: Nomad address \"NOMAD_ADDR\" envar is not set")
export NOMAD_ADDR="https://nomad.world.dev.cardano.org"
msg $(blue "INFO: Setting \"NOMAD_ADDR\" to the SRE provided address for \"Performance and Tracing\" (\"${NOMAD_ADDR}\")")
read -p "Hit enter to continue ..."
else
if test "${NOMAD_ADDR}" != "https://nomad.world.dev.cardano.org"
then
msg $(yellow "WARNING: Nomad address \"NOMAD_ADDR\" envar is not \"https://nomad.world.dev.cardano.org\"")
read -p "Hit enter to continue ..."
fi
fi
# The abscence of `NOMAD_NAMESPACE` or `NOMAD_TOKEN` needs confirmation
if test -z "${NOMAD_NAMESPACE:-}"
then
msg $(yellow "WARNING: Nomad namespace \"NOMAD_NAMESPACE\" envar is not set")
msg $(blue "INFO: The SRE provided namespace for \"Performance and Tracing\" is \"perf\"")
export NOMAD_NAMESPACE="perf"
msg $(blue "INFO: Setting \"NOMAD_NAMESPACE\" to the SRE provided namespace for \"Performance and Tracing\" (\"${NOMAD_NAMESPACE}\")")
read -p "Hit enter to continue ..."
else
if test "${NOMAD_NAMESPACE}" != "perf"
Expand All @@ -128,23 +136,19 @@ backend_nomadcloud() {
if test -z "${NOMAD_TOKEN:-}"
then
msg $(yellow "WARNING: Nomad token \"NOMAD_TOKEN\" envar is not set")
msg $(blue "INFO: Run "\`$(green "vault login -address=\"https://vault.world.dev.cardano.org\" -method=github -path=github-employees; vault read -address=\"https://vault.world.dev.cardano.org\" -field secret_id nomad/creds/perf")$(blue "\` to obtain one"))
read -p "Hit enter to continue ..."
msg $(blue "INFO: Fetching a \"NOMAD_TOKEN\" from SRE provided Vault for \"Performance and Tracing\"")
export NOMAD_TOKEN="$(wb_nomad vault world nomad-token)"
fi
# Check all the AWS S3 envars needed for the HTTP PUT request
# Using same names as the AWS CLI
# https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-envvars.html
if test -z "${AWS_ACCESS_KEY_ID:-}"
then
msg $(red "ERROR: Amazon S3 \"AWS_ACCESS_KEY_ID\" envar is not set")
msg $(blue "INFO: Run "\`$(green "vault read -address=\"https://vault.world.dev.cardano.org\" -field access_key aws/creds/perf")$(blue "\` to obtain one"))
fatal "Can't run a cluster in the Nomad cloud without \"AWS_ACCESS_KEY_ID\" envar"
fi
if test -z "${AWS_SECRET_ACCESS_KEY:-}"
if test -z "${AWS_ACCESS_KEY_ID:-}" || test -z "${AWS_SECRET_ACCESS_KEY:-}"
then
msg $(red "ERROR: Amazon S3 \"AWS_SECRET_ACCESS_KEY\" envar is not set")
msg $(blue "INFO: Run "\`$(green "vault read -address=\"https://vault.world.dev.cardano.org\" -field secret_key aws/creds/perf")$(blue "\` to obtain one"))
fatal "Can't run a cluster in the Nomad cloud without \"AWS_SECRET_ACCESS_KEY\" envar"
msg $(yellow "WARNING: Amazon S3 \"AWS_ACCESS_KEY_ID\" or \"AWS_SECRET_ACCESS_KEY\" envar is not set")
msg $(blue "INFO: Fetching \"AWS_ACCESS_KEY_ID\" and \"AWS_SECRET_ACCESS_KEY\" from SRE provided Vault for \"Performance and Tracing\"")
local aws_credentials="$(wb_nomad vault world aws-s3-credentials)"
export AWS_ACCESS_KEY_ID=$(echo "${aws_credentials}" | jq -r .data.access_key)
export AWS_SECRET_ACCESS_KEY=$(echo "${aws_credentials}" | jq -r .data.secret_key)
fi
# The Nomad job spec will contain links ("nix_installables" stanza) to
# the Nix Flake outputs it needs inside the container, these are
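Review bot: `export NOMAD_TOKEN="$(wb_nomad vault world nomad-token)"` and the `local aws_credentials="$(...)"` assignment cannot fail, because `export`/`local` return 0 regardless of the substitution's status, so a Vault login or read failure exports an empty `NOMAD_TOKEN`, and `jq -r` turns a missing field into the literal string `null` in `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY`, letting the run continue with bogus credentials where the removed code called `fatal`. Split declaration from assignment, check the status, and reject empty or `null` values before exporting, as sketched below. Note too that the complete Vault response, secret key included, sits in a shell variable, so a `set -x` trace would print it; a short comment warning against tracing this section is worthwhile. If `aws-s3-credentials` maps to the dynamic `aws/creds/perf` path the removed hint named, the keys carry a lease TTL — that is inferred, but worth documenting next to the fetch. `backend_nomadcloud` starts and continues outside this section.
```shell
if test -z "${NOMAD_TOKEN:-}"
then
  msg $(yellow "WARNING: Nomad token \"NOMAD_TOKEN\" envar is not set")
  msg $(blue "INFO: Fetching a \"NOMAD_TOKEN\" from SRE provided Vault for \"Performance and Tracing\"")
  local nomad_token
  nomad_token="$(wb_nomad vault world nomad-token)" \
    || fatal "Could not fetch a Nomad token from Vault"
  test -n "${nomad_token}" || fatal "Vault returned an empty Nomad token"
  export NOMAD_TOKEN="${nomad_token}"
fi
# … unchanged: AWS envar comments …
if test -z "${AWS_ACCESS_KEY_ID:-}" || test -z "${AWS_SECRET_ACCESS_KEY:-}"
then
  # … unchanged: warning/info messages …
  local aws_credentials
  aws_credentials="$(wb_nomad vault world aws-s3-credentials)" \
    || fatal "Could not fetch AWS S3 credentials from Vault"
  # '// empty' yields "" instead of the string "null" when a field is missing
  AWS_ACCESS_KEY_ID="$(jq -r '.data.access_key // empty' <<<"${aws_credentials}")"
  AWS_SECRET_ACCESS_KEY="$(jq -r '.data.secret_key // empty' <<<"${aws_credentials}")"
  test -n "${AWS_ACCESS_KEY_ID}" && test -n "${AWS_SECRET_ACCESS_KEY}" \
    || fatal "Vault response is missing \"access_key\" or \"secret_key\""
  export AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY
fi
```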