connect: ensure all vault connect CA tests use limited privilege tokens #15669
Conversation
SkipIfVaultNotPresent(t) | ||
|
||
provider, testVault := testVaultProviderWithConfig(t, false, nil) | ||
defer testVault.Stop() | ||
t.Parallel() |
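Review bot: t.Parallel() is called after the Vault process has already been started and its Stop deferred, so the expensive part of each test (spawning and waiting on a dev Vault) still runs in the serial phase before the test pauses to join the parallel group. Moving `t.Parallel()` up to directly after `SkipIfVaultNotPresent(t)` lets the Vault startups overlap as well, which is where the wall-clock time actually goes.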
Are these safe to run parallel now?
They always were I believe. Each test gets its own vault process.
I added this b/c it shaved the runtime down by a factor of ~5. Locally it was ~28s -> ~6s.
tests := CASigningKeyTypeCases() | ||
|
||
for _, tc := range tests { | ||
tc := tc |
We actually need this now that we're running t.Parallel(), right?
I did the run(t, tc) thing here instead.
for _, tc := range KeyTestCases { | ||
tc := tc |
Should this be preserved
I just did the run(t, tc) approach for the rest of the table tests, so it shouldn't be necessary.
} | ||
} | ||
|
||
func CreateVaultTokenWithAttrs(t testing.T, client *vaultapi.Client, attr *VaultTokenAttributes) string { |
New test helper for use outside of the package too.
@@ -87,7 +87,7 @@ func (s *Server) checkBindingRuleUUID(id string) (bool, error) { | |||
} | |||
|
|||
func (s *Server) InPrimaryDatacenter() bool { | |||
return s.config.PrimaryDatacenter == "" || s.config.Datacenter == s.config.PrimaryDatacenter | |||
return s.config.InPrimaryDatacenter() |
Convenience for a test in leader_connect_ca_test.go
@@ -415,6 +415,10 @@ type Config struct { | |||
*EnterpriseConfig | |||
} | |||
|
|||
func (c *Config) InPrimaryDatacenter() bool { |
Convenience for a test in leader_connect_ca_test.go
@@ -778,37 +826,62 @@ func TestCAManager_Initialize_Vault_WithExternalTrustedCA(t *testing.T) { | |||
|
For the record, TestCAManager_Initialize_Vault_WithExternalTrustedCA was a test I invested a lot in because it surfaced a bunch of strange things such as #15661.
rawConfig: map[string]interface{}{}, | ||
name: "DefaultConfig", | ||
rawConfig: map[string]any{ | ||
"RootPKIPath": "pki-root/", |
To avoid accidentally triggering two providers to share some vault mount paths in tests, I changed it so that test authors need to explicitly set the paths all the time.
@@ -1118,23 +1326,8 @@ func getIntermediateCertTTL(t *testing.T, caConf *structs.CAConfiguration) time. | |||
return dur | |||
} | |||
|
|||
func testVaultProviderWithConfig(t *testing.T, isPrimary bool, rawConf map[string]interface{}) (*VaultProvider, *TestVaultServer) { |
I inlined testVaultProviderWithConfig so that we can create the token in between the two steps.
RootPath: "pki-root", | ||
IntermediatePath: "pki-intermediate", | ||
ConsulManaged: true, | ||
WithSudo: withSudo, |
This validates the continued need for the sudo capability now.
assertCorrectKeyType(t, tc.CSRKeyType, intPEM) | ||
|
||
if expectFailure { | ||
testCrossSignProvidersShouldFail(t, provider1, provider2) |
When we repeat the test without sudo we expect it to fail.
@@ -224,6 +215,9 @@ func (v *TestVaultServer) Stop() error { | |||
// wait for the process to exit to be sure that the data dir can be | |||
// deleted on all platforms. | |||
if err := v.cmd.Wait(); err != nil { | |||
if strings.Contains(err.Error(), "exec: Wait was already called") { |
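Review bot: matching the error by its message text (`strings.Contains(err.Error(), "exec: Wait was already called")`) is brittle; os/exec exposes no sentinel for that condition, so the string is an implementation detail that can change between Go releases and would silently turn this guard back into a flake. A `stopped bool` on TestVaultServer that Stop() sets on first call (returning early on the second) avoids the double Wait outright and makes the "double-Stop is ok" intent visible in the type rather than in an error-string comparison.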
In some cases when I was repeatably executing the tests it would hit this double-wait issue which crashed the test and flaked it. Now those get ignored to make double-Stop ok.
|
||
case a.VaultManaged: | ||
// Vault-managed PKI root. | ||
t.Fatal("TODO: implement this and use it in tests") |
This stub is here as a reminder to add more tests for the other policy in our docs.
@@ -1069,7 +1068,7 @@ func (c *CAManager) secondaryRequestNewSigningCert(provider ca.Provider, newActi | |||
} | |||
|
|||
if err := setLeafSigningCert(newActiveRoot, intermediatePEM); err != nil { | |||
return err | |||
return fmt.Errorf("Failed to set the leaf signing cert to the intermediate: %w", err) |
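Review bot: the new error string starts with a capital letter ("Failed to set the leaf signing cert ..."), which breaks the Go convention (and the usual lint rule) that error strings are lowercase and unpunctuated because they get wrapped into longer messages; `fmt.Errorf("failed to set the leaf signing cert to the intermediate: %w", err)` keeps the added context while matching the other wrapped returns in this function.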
Wrapped the error here to help figure out which line caused the error (all other returns from this function wrap the errors).
…flakes (#15691) It turns out that by default the dev mode vault server will attempt to interact with the filesystem to store the provided root token. If multiple vault instances are running they'll all awkwardly share the filesystem and if timing results in one server stopping while another one is starting then the starting one will error with: Error initializing Dev mode: rename /home/circleci/.vault-token.tmp /home/circleci/.vault-token: no such file or directory This change uses `-dev-no-store-token` to bypass that source of flakes. Also the stdout/stderr from the vault process is included if the test fails. The introduction of more `t.Parallel` use in #15669 increased the likelihood of this failure, but any of the tests with multiple vaults in use (or running multiple package tests in parallel that all use vault) were eventually going to flake on this.
…flakes (#15691) (#15694) It turns out that by default the dev mode vault server will attempt to interact with the filesystem to store the provided root token. If multiple vault instances are running they'll all awkwardly share the filesystem and if timing results in one server stopping while another one is starting then the starting one will error with: Error initializing Dev mode: rename /home/circleci/.vault-token.tmp /home/circleci/.vault-token: no such file or directory This change uses `-dev-no-store-token` to bypass that source of flakes. Also the stdout/stderr from the vault process is included if the test fails. The introduction of more `t.Parallel` use in #15669 increased the likelihood of this failure, but any of the tests with multiple vaults in use (or running multiple package tests in parallel that all use vault) were eventually going to flake on this. Co-authored-by: R.B. Boyer <4903+rboyer@users.noreply.github.com>
…flakes (#15691) (#15693) It turns out that by default the dev mode vault server will attempt to interact with the filesystem to store the provided root token. If multiple vault instances are running they'll all awkwardly share the filesystem and if timing results in one server stopping while another one is starting then the starting one will error with: Error initializing Dev mode: rename /home/circleci/.vault-token.tmp /home/circleci/.vault-token: no such file or directory This change uses `-dev-no-store-token` to bypass that source of flakes. Also the stdout/stderr from the vault process is included if the test fails. The introduction of more `t.Parallel` use in #15669 increased the likelihood of this failure, but any of the tests with multiple vaults in use (or running multiple package tests in parallel that all use vault) were eventually going to flake on this. Co-authored-by: R.B. Boyer <4903+rboyer@users.noreply.github.com>
…flakes (#15691) (#15692) It turns out that by default the dev mode vault server will attempt to interact with the filesystem to store the provided root token. If multiple vault instances are running they'll all awkwardly share the filesystem and if timing results in one server stopping while another one is starting then the starting one will error with: Error initializing Dev mode: rename /home/circleci/.vault-token.tmp /home/circleci/.vault-token: no such file or directory This change uses `-dev-no-store-token` to bypass that source of flakes. Also the stdout/stderr from the vault process is included if the test fails. The introduction of more `t.Parallel` use in #15669 increased the likelihood of this failure, but any of the tests with multiple vaults in use (or running multiple package tests in parallel that all use vault) were eventually going to flake on this. Co-authored-by: R.B. Boyer <4903+rboyer@users.noreply.github.com>
Description
All of the current integration tests where Vault is the Connect CA now use non-root tokens for the test. This helps us detect privilege changes in the vault model so we can keep our guides up to date.
One larger change was that the RenewIntermediate function got refactored slightly so it could be used from a test, rather than the large duplicated function we were testing in a test, which seemed error prone.
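To make the privilege boundary the description is about concrete, here is an added example that is not code from this PR or from Consul: a small Go model of how a Vault ACL policy is evaluated (longest matching path wins, `*` is a trailing prefix glob, and some endpoints additionally require the `sudo` capability), plus a builder for a policy of the shape the Consul docs describe for a Consul-managed PKI token. The exact path list in `ConsulManagedPKIPolicy`, the `sys/mounts/<intermediate>/tune` rule, and the assumption that `<root>/root/sign-self-issued` (the endpoint used for cross-signing) is sudo-protected are my assumptions, not taken from this page. Running it shows the same thing the `WithSudo` test pair does: a token with full CRUD on the mounts but no `sudo` can still sign intermediates, yet cannot cross-sign.

```go
package main

import (
	"fmt"
	"strings"
)

// Rule is one path stanza of a simplified Vault ACL policy.
type Rule struct {
	Path         string   // exact path, or a prefix glob ending in "*"
	Capabilities []string // e.g. "read", "update", "sudo"
}

// Policy is a list of rules; the most specific matching path wins
// (assumption: Vault's "+" segment wildcard is not modelled here).
type Policy []Rule

// matchLen reports how specific r is for req, or -1 if it does not match.
func (r Rule) matchLen(req string) int {
	if strings.HasSuffix(r.Path, "*") {
		prefix := strings.TrimSuffix(r.Path, "*")
		if strings.HasPrefix(req, prefix) {
			return len(prefix)
		}
		return -1
	}
	if r.Path == req {
		return len(req) + 1 // an exact match beats a glob of equal length
	}
	return -1
}

// capabilitiesFor returns the capability set of the best-matching rule.
func (p Policy) capabilitiesFor(req string) map[string]bool {
	best, bestLen := -1, -1
	for i, r := range p {
		if l := r.matchLen(req); l > bestLen {
			best, bestLen = i, l
		}
	}
	caps := map[string]bool{}
	if best >= 0 {
		for _, c := range p[best].Capabilities {
			caps[c] = true
		}
	}
	return caps
}

// Allows reports whether req may be performed with the given capability;
// sudo-protected endpoints additionally need "sudo" on the same rule.
func (p Policy) Allows(req, capability string, sudoProtected bool) bool {
	caps := p.capabilitiesFor(req)
	if !caps[capability] {
		return false
	}
	return !sudoProtected || caps["sudo"]
}

// ConsulManagedPKIPolicy builds a policy in the shape of the Consul docs'
// Vault CA policy (assumed shape, not copied from this page). withSudo adds
// the rule that cross-signing through root/sign-self-issued needs.
func ConsulManagedPKIPolicy(rootPath, interPath string, withSudo bool) Policy {
	rootPath = strings.TrimSuffix(rootPath, "/")
	interPath = strings.TrimSuffix(interPath, "/")
	crud := []string{"create", "read", "update", "delete", "list"}
	p := Policy{
		{Path: "sys/mounts/" + rootPath, Capabilities: crud},
		{Path: "sys/mounts/" + interPath, Capabilities: crud},
		{Path: "sys/mounts/" + interPath + "/tune", Capabilities: crud},
		{Path: rootPath + "/*", Capabilities: crud},
		{Path: interPath + "/*", Capabilities: crud},
		{Path: "auth/token/renew-self", Capabilities: []string{"update"}},
		{Path: "auth/token/lookup-self", Capabilities: []string{"read"}},
	}
	if withSudo {
		p = append(p, Rule{
			Path:         rootPath + "/root/sign-self-issued",
			Capabilities: []string{"sudo", "update"},
		})
	}
	return p
}

// CanCrossSign reports whether a token carrying p could cross-sign a new
// root via the (assumed) sudo-protected root/sign-self-issued endpoint.
func CanCrossSign(p Policy, rootPath string) bool {
	req := strings.TrimSuffix(rootPath, "/") + "/root/sign-self-issued"
	return p.Allows(req, "update", true)
}

// CanSignIntermediate reports whether p allows the ordinary (non-sudo)
// root/sign-intermediate call that intermediate renewal uses.
func CanSignIntermediate(p Policy, rootPath string) bool {
	req := strings.TrimSuffix(rootPath, "/") + "/root/sign-intermediate"
	return p.Allows(req, "update", false)
}

func main() {
	for _, sudo := range []bool{false, true} {
		p := ConsulManagedPKIPolicy("pki-root/", "pki-intermediate/", sudo)
		fmt.Printf("withSudo=%-5v signIntermediate=%v crossSign=%v\n",
			sudo, CanSignIntermediate(p, "pki-root/"), CanCrossSign(p, "pki-root/"))
	}
}
```

The interesting property is the last column: both tokens have identical CRUD access to the two mounts, and only the extra `sudo` rule on the one sudo-protected path separates a token that can renew intermediates from one that can also rotate the root. A test that asserts on both outcomes, as the PR's `expectFailure` path does, is what catches a silent change in that boundary.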