lots more fixes, consul 1.9.5 (patched)

input-output-hk · May 4, 2021 · aea9e03 · aea9e03
1 parent de3dcf7
commit aea9e03
Show file tree

Hide file tree

Showing 7 changed files with 144 additions and 13 deletions.
diff --git a/pkgs/consul-register.nix b/pkgs/consul-register.nix
@@ -6,7 +6,7 @@ let
       checks = lib.flip lib.mapAttrsToList (service.checks or { })
         (checkName: check:
           {
-            id = service.name;
+            id = "${service.name}-${checkName}";
             service_id = service.name;
             name = checkName;
           } // check);

diff --git a/pkgs/consul/default.nix b/pkgs/consul/default.nix
@@ -1,8 +1,8 @@
-{ stdenv, buildGoModule, fetchFromGitHub, nixosTests }:
+{ stdenv, buildGoModule, fetchFromGitHub, fetchurl, nixosTests }:
 
 buildGoModule rec {
   pname = "consul";
-  version = "1.9.0";
+  version = "1.9.5";
   rev = "v${version}";
 
   # Note: Currently only release tags are supported, because they have the Consul UI
@@ -17,16 +17,20 @@ buildGoModule rec {
     owner = "hashicorp";
     repo = pname;
     inherit rev;
-    sha256 = "sha256-OOWmr9XnzyrPQAKcIZJ1j7sFUAhG2BL3Bb4aOOSveRk=";
+    sha256 = "sha256-CKezHuCbL1I79gDz7ZQiSgPbSXo0NtssQro2MqqmeXw=";
   };
 
+  patches = [
+    ./script-check.patch
+  ];
+
   passthru.tests.consul = nixosTests.consul;
 
   # This corresponds to paths with package main - normally unneeded but consul
   # has a split module structure in one repo
   subPackages = [ "." "connect/certgen" ];
 
-  vendorSha256 = "sha256-4Ck3p7a6gUQgFPPaoKzrBbBTkBvAvGV8RN9V//4xhdU=";
+  vendorSha256 = "sha256-JFpCp9/MOmHtfBYeAz6QANqfy0te2uOgb37XVHIXgVU=";
   deleteVendor = true;
 
   preBuild = ''

diff --git a/pkgs/consul/script-check.patch b/pkgs/consul/script-check.patch
@@ -0,0 +1,80 @@
+diff --git a/api/agent.go b/api/agent.go
+index a4cc143f0..696025015 100644
+--- a/api/agent.go
++++ b/api/agent.go
+@@ -288,7 +288,7 @@ type AgentCheckRegistration struct {
+ type AgentServiceCheck struct {
+ 	CheckID                string              `json:",omitempty"`
+ 	Name                   string              `json:",omitempty"`
+-	Args                   []string            `json:"ScriptArgs,omitempty"`
++	ScriptArgs             []string            `json:",omitempty"`
+ 	DockerContainerID      string              `json:",omitempty"`
+ 	Shell                  string              `json:",omitempty"` // Only supported for Docker.
+ 	Interval               string              `json:",omitempty"`
+diff --git a/api/agent_test.go b/api/agent_test.go
+index 6bcd7868c..77cd4f9a1 100644
+--- a/api/agent_test.go
++++ b/api/agent_test.go
+@@ -905,8 +905,8 @@ func TestAPI_AgentScriptCheck(t *testing.T) {
+ 		reg := &AgentCheckRegistration{
+ 			Name: "foo",
+ 			AgentServiceCheck: AgentServiceCheck{
+-				Interval: "10s",
+-				Args:     []string{"sh", "-c", "false"},
++				Interval:   "10s",
++				ScriptArgs: []string{"sh", "-c", "false"},
+ 			},
+ 		}
+ 		if err := agent.CheckRegister(reg); err != nil {
+@@ -928,8 +928,8 @@ func TestAPI_AgentScriptCheck(t *testing.T) {
+ 			Port: 1234,
+ 			Checks: AgentServiceChecks{
+ 				&AgentServiceCheck{
+-					Interval: "10s",
+-					Args:     []string{"sh", "-c", "false"},
++					Interval:   "10s",
++					ScriptArgs: []string{"sh", "-c", "false"},
+ 				},
+ 			},
+ 		}
+@@ -1063,7 +1063,7 @@ func TestAPI_AgentChecks_Docker(t *testing.T) {
+ 		ServiceID: "redis",
+ 		AgentServiceCheck: AgentServiceCheck{
+ 			DockerContainerID: "f972c95ebf0e",
+-			Args:              []string{"/bin/true"},
++			ScriptArgs:        []string{"/bin/true"},
+ 			Shell:             "/bin/bash",
+ 			Interval:          "10s",
+ 		},
+diff --git a/command/services/config_test.go b/command/services/config_test.go
+index 71cdd96e8..4b2b7e3f2 100644
+--- a/command/services/config_test.go
++++ b/command/services/config_test.go
+@@ -150,6 +150,27 @@ func TestStructsToAgentService(t *testing.T) {
+ 				},
+ 			},
+ 		},
++		{
++			"Service with scriptcheck",
++			&structs.ServiceDefinition{
++				Name: "web",
++				Checks: structs.CheckTypes{
++					&structs.CheckType{
++						Name:       "scriptcheck",
++						ScriptArgs: []string{"sh", "-c", "/bin/true"},
++					},
++				},
++			},
++			&api.AgentServiceRegistration{
++				Name: "web",
++				Checks: api.AgentServiceChecks{
++					&api.AgentServiceCheck{
++						Name:       "scriptcheck",
++						ScriptArgs: []string{"sh", "-c", "/bin/true"},
++					},
++				},
++			},
++		},
+ 	}
+
+ 	for _, tt := range cases {
diff --git a/profiles/glusterfs/client.nix b/profiles/glusterfs/client.nix
@@ -0,0 +1,9 @@
+{ config, self, pkgs, nodeName, ... }: {
+  services.glusterfs.enable = true;
+  systemd.services.glusterd.path = with pkgs; [ nettools ];
+
+  fileSystems."/mnt/gv0" = {
+    device = "glusterd.service.consul:/gv0";
+    fsType = "glusterfs";
+  };
+}
diff --git a/profiles/glusterfs-storage.nix → profiles/glusterfs/storage.nix b/profiles/glusterfs-storage.nix → profiles/glusterfs/storage.nix
@@ -1,10 +1,6 @@
-{ config, self, pkgs, nodeName, ... }: {
-  imports = [
-    (self.inputs.bitte + "/profiles/common.nix")
-    (self.inputs.bitte + "/profiles/telegraf.nix")
-    (self.inputs.bitte + "/profiles/secrets.nix")
-    (self.inputs.bitte + "/profiles/vault/client.nix")
-  ];
+{ config, self, pkgs, lib, nodeName, ... }: {
+  imports =
+    [ ../common.nix ../telegraf.nix ../secrets.nix ../vault/client.nix ];
 
   services.glusterfs.enable = true;
   services.vault-agent-core = {
@@ -31,6 +27,40 @@
     };
   };
 
+  systemd.services.storage-service = (pkgs.consulRegister {
+    service = {
+      name = "glusterd";
+      enable_tag_override = false;
+      port = 24007;
+      tags = [ "gluster" "server" ];
+
+      checks = {
+        gluster-tcp = {
+          interval = "10s";
+          timeout = "5s";
+          tcp = "localhost:24007";
+        };
+
+        gluster-pool = {
+          interval = "10s";
+          timeout = "5s";
+          ScriptArgs = let
+            script = pkgs.writeBashChecked "gluster-pool-check.sh" ''
+              set -euo pipefail
+              export PATH="${
+                lib.makeBinPath (with pkgs; [ glusterfs gnugrep ])
+              }"
+              gluster pool list \
+              | grep -v 'UUID|localhost' \
+              | grep Connected \
+              > /dev/null
+            '';
+          in [ script ];
+        };
+      };
+    };
+  }).systemdService;
+
   systemd.services."mnt-gv0.mount" = {
     after = [ "setup-glusterfs.service" ];
     wants = [ "setup-glusterfs.service" ];

diff --git a/profiles/vault/default.nix b/profiles/vault/default.nix
@@ -19,6 +19,13 @@ in {
     services.vault = {
       logLevel = "trace";
 
+      storage.consul = lib.mkDefault {
+        address = "127.0.0.1:8500";
+        tlsCaFile = full;
+        tlsCertFile = cert;
+        tlsKeyFile = key;
+      };
+
       seal.awskms = {
         kmsKeyId = kms;
         inherit region;

diff --git a/profiles/vault/policies.nix b/profiles/vault/policies.nix
@@ -79,11 +79,12 @@ in {
       "auth/token/roles/nomad-cluster".capabilities = [ r ];
       "auth/token/roles/nomad-server".capabilities = [ r ];
       "auth/token/roles/nomad-autoscaler".capabilities = [ r ];
+      "consul/creds/consul-register".capabilities = [ r ];
       "consul/creds/consul-server-agent".capabilities = [ r ];
       "consul/creds/consul-server-default".capabilities = [ r ];
+      "consul/creds/nomad-autoscaler".capabilities = [ r ];
       "consul/creds/nomad-server".capabilities = [ r ];
       "consul/creds/vault-server".capabilities = [ r ];
-      "consul/creds/nomad-autoscaler".capabilities = [ r ];
       "consul/creds/ingress".capabilities = [ r ];
       "kv/data/bootstrap/ca".capabilities = [ c r u d l ];
       "kv/data/bootstrap/*".capabilities = [ r ];