diff --git a/e2e/terraform/compute.tf b/e2e/terraform/compute.tf
index af4254825a9..07a56f6fa93 100644
--- a/e2e/terraform/compute.tf
+++ b/e2e/terraform/compute.tf
@@ -48,7 +48,7 @@ resource "aws_instance" "client_windows_2016_amd64" {
 iam_instance_profile = data.aws_iam_instance_profile.nomad_e2e_cluster.name
 availability_zone = var.availability_zone
- user_data = file("${path.root}/userdata/windows-2016.ps1")
+ user_data = file("${path.module}/userdata/windows-2016.ps1")
 # Instance tags
 tags = {
diff --git a/e2e/terraform/consul-clients.tf b/e2e/terraform/consul-clients.tf
index 33a59e8cb42..ce23d8ca1ce 100644
--- a/e2e/terraform/consul-clients.tf
+++ b/e2e/terraform/consul-clients.tf
@@ -48,7 +48,7 @@ resource "local_sensitive_file" "consul_agents_cert" {
 resource "random_uuid" "consul_agent_token" {}
 resource "local_sensitive_file" "consul_agent_config_file" {
- content = templatefile("etc/consul.d/clients.hcl", {
+ content = templatefile("${path.module}/etc/consul.d/clients.hcl", {
 token = "${random_uuid.consul_agent_token.result}"
 autojoin_value = "auto-join-${local.random_name}"
 })
@@ -61,7 +61,7 @@ resource "local_sensitive_file" "consul_agent_config_file" {
 resource "random_uuid" "consul_token_for_nomad" {}
 resource "local_sensitive_file" "nomad_client_config_for_consul" {
- content = templatefile("etc/nomad.d/client-consul.hcl", {
+ content = templatefile("${path.module}/etc/nomad.d/client-consul.hcl", {
 token = "${random_uuid.consul_token_for_nomad.result}"
 client_service_name = "client-${local.random_name}"
 server_service_name = "server-${local.random_name}"
@@ -71,7 +71,7 @@ resource "local_sensitive_file" "nomad_client_config_for_consul" {
 }
 resource "local_sensitive_file" "nomad_server_config_for_consul" {
- content = templatefile("etc/nomad.d/server-consul.hcl", {
+ content = templatefile("${path.module}/etc/nomad.d/server-consul.hcl", {
 token = "${random_uuid.consul_token_for_nomad.result}"
 client_service_name = "client-${local.random_name}"
 server_service_name = "server-${local.random_name}"
diff --git a/e2e/terraform/consul-servers.tf b/e2e/terraform/consul-servers.tf
index eaffbc65697..ffecad5c32f 100644
--- a/e2e/terraform/consul-servers.tf
+++ b/e2e/terraform/consul-servers.tf
@@ -15,7 +15,7 @@ resource "local_sensitive_file" "consul_initial_management_token" {
 }
 resource "local_sensitive_file" "consul_server_config_file" {
- content = templatefile("etc/consul.d/servers.hcl", {
+ content = templatefile("${path.module}/etc/consul.d/servers.hcl", {
 management_token = "${random_uuid.consul_initial_management_token.result}"
 token = "${random_uuid.consul_agent_token.result}"
 nomad_token = "${random_uuid.consul_token_for_nomad.result}"
@@ -69,7 +69,7 @@ resource "local_sensitive_file" "consul_server_cert" {
 # if consul_license is unset, it'll be a harmless empty license file
 resource "local_sensitive_file" "consul_environment" {
- content = templatefile("etc/consul.d/.environment", {
+ content = templatefile("${path.module}/etc/consul.d/.environment", {
 license = var.consul_license
 })
 filename = "uploads/shared/consul.d/.environment"
@@ -117,7 +117,7 @@ resource "null_resource" "upload_consul_server_configs" {
 destination = "/tmp/consul_server.hcl"
 }
 provisioner "file" {
- source = "etc/consul.d/consul-server.service"
+ source = "${path.module}/etc/consul.d/consul-server.service"
 destination = "/tmp/consul.service"
 }
 }
diff --git a/e2e/terraform/consul.hclic b/e2e/terraform/consul.hclic
new file mode 100644
index 00000000000..1f0b9e0dde4
--- /dev/null
+++ b/e2e/terraform/consul.hclic
@@ -0,0 +1 @@
+02MV4UU43BK5HGYYTOJZWFQMTMNNEWU33JLJKEU3COKRLG2TKUNN2FSV2WNNHGSMBULFKGW6CMKRLG2WSUMN2FS6SJPFHGUVTLLJLVE3KOGJGTKSLJO5UVSM2WPJSEOOLULJMEUZTBK5IWST3JJJVVSV2VO5HUIUTIJVJTANKOPJDG2TCXJJWVUVCJORGXURTIJ5BTA6SONVMTEWL2IU2U26SZGFGWUY3JJRBUU4DCNZHDAWKXPBZVSWCSOBRDENLGMFLVC2KPNFEXCSLJO5UWCWCOPJSFOVTGMRDWY5C2KNETMSLKJF3U22SRORGVIQLUJVKFMVKNKRETMTKULE3E26SNOVHUI23ZJV5FKMCNNJATIV3JJFZUS3SOGBMVQSRQLAZVE4DCK5KWST3JJF4U2RCJGBGFIRLXJRKEKMKWIRAXOT3KIF3U62SBO5LWSSLTJFWVMNDDI5WHSWKYKJYGEMRVMZSEO3DULJJUSNSJNJEXOTLKKV2E2VCFORGVIUSVJVCECNSNIRATMTKEIJQUS2LXNFSEOVTZMJLWY5KZLBJHAYRSGVTGIR3MORNFGSJWJFVES52NNJKXITKUIV2E2VCSKVGUIQJWJVCECNSNIRBGCSLJO5UWGSCKOZNEQVTKMRBUSNSJNVHHMYTOJYYWEQ2JONEW2WTTLFLWI6SJNJYDOZSYGA6S4U3EJV2U2Y2TGBHUG5DHIJDECZRXNVDVCNDGME3W4Z2VNQ2UKVL2JJETG3LMIFMUSQLXIJDS63KPMRMVSR2RGRDFQ3CPGZCGQMSFJNXXE3LBKRTEY2L2JJAXI2BQGNLEMUSZOR4UENJRMRAWWY3BGRSFMMBTGM4FA53NKZWGC5SKKA2HASTYJFETSRBWKVDEYVLBKZIGU22XJJ2GGRBWOBQWYNTPJ5TEO3SLGJ5FAS2KKJWUOSCWGNSVU53RIZSSW3ZXNMXXGK2BKRHGQUC2M5JS6S2WLFTS6SZLNRDVA52MG5VEE6CJG5DU6YLLGZKWC2LBJBXWK2ZQKJKG6NZSIRIT2PI
\ No newline at end of file
diff --git a/e2e/terraform/ecs.tf b/e2e/terraform/ecs.tf
index 9c1c27e72ca..98ea555548d 100644
--- a/e2e/terraform/ecs.tf
+++ b/e2e/terraform/ecs.tf
@@ -8,7 +8,7 @@ resource "aws_ecs_cluster" "nomad_rtd_e2e" {
 resource "aws_ecs_task_definition" "nomad_rtd_e2e" {
 family = "nomad-rtd-e2e"
- container_definitions = file("ecs-task.json")
+ container_definitions = file("${path.module}/ecs-task.json")
 # Don't need a network for e2e tests
 network_mode = "awsvpc"
diff --git a/e2e/terraform/hcp_vault.tf b/e2e/terraform/hcp_vault.tf
index b148f25ef99..f2073000a12 100644
--- a/e2e/terraform/hcp_vault.tf
+++ b/e2e/terraform/hcp_vault.tf
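Review bot: The new `e2e/terraform/consul.hclic` commits a complete license string as the file's single `+` line, even though `consul-servers.tf` in this same diff reads the license from `var.consul_license` and nothing requires the file to be tracked. If this is a live Enterprise license it should be handled as a leaked credential: rotate it, remove the file from the branch, and purge it from history rather than only deleting it in a follow-up commit, since a plain delete leaves it retrievable. An ignore rule such as `*.hclic` under `e2e/terraform/` would keep local copies from being staged again. The same concern applies to `e2e/terraform/nomad.hclic`, added in the next file section.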
@@ -16,7 +16,7 @@ data "hcp_vault_cluster" "e2e_shared_vault" {
 # between concurrent E2E clusters
 resource "vault_policy" "nomad" {
 name = "${local.random_name}-nomad-server"
- policy = templatefile("${path.root}/etc/acls/vault/nomad-policy.hcl", {
+ policy = templatefile("${path.module}/etc/acls/vault/nomad-policy.hcl", {
 role = "nomad-tasks-${local.random_name}"
 })
 }
@@ -42,7 +42,7 @@ resource "vault_token_auth_backend_role" "nomad_cluster" {
 # Nomad agent configuration for Vault
 resource "local_sensitive_file" "nomad_config_for_vault" {
- content = templatefile("etc/nomad.d/vault.hcl", {
+ content = templatefile("${path.module}/etc/nomad.d/vault.hcl", {
 token = vault_token.nomad.client_token
 url = data.hcp_vault_cluster.e2e_shared_vault.vault_private_endpoint_url
 namespace = var.hcp_vault_namespace
diff --git a/e2e/terraform/nomad.hclic b/e2e/terraform/nomad.hclic
new file mode 100644
index 00000000000..f376b37816f
--- /dev/null
+++ b/e2e/terraform/nomad.hclic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o newline at end of file
diff --git a/e2e/terraform/provision-nomad/etc/acls/consul/consul-agent-policy.hcl b/e2e/terraform/provision-nomad/etc/acls/consul/consul-agent-policy.hcl
new file mode 100644
index 00000000000..c24fd621b55
--- /dev/null
+++ b/e2e/terraform/provision-nomad/etc/acls/consul/consul-agent-policy.hcl
@@ -0,0 +1,35 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: BUSL-1.1
+
+# TODO: because Nomad should own most of these interactions, I think
+# it might be possible to reduce this to:
+#
+# node_prefix "" {
+# policy = write
+# }
+
+acl = "write"
+
+agent_prefix "" {
+ policy = "write"
+}
+
+event_prefix "" {
+ policy = "write"
+}
+
+key_prefix "" {
+ policy = "write"
+}
+
+node_prefix "" {
+ policy = "write"
+}
+
+query_prefix "" {
+ policy = "write"
+}
+
+service_prefix "" {
+ policy = "write"
+}
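Review bot: The top-level `acl = "write"` in consul-agent-policy.hcl lets whatever token carries this policy create and modify Consul ACL tokens and policies, which is management-level access and wider than anything an agent needs to register nodes and services; the file's own TODO talks about shrinking to `node_prefix "" { policy = write }`, but the `acl` rule is the one to drop first. If this policy is what `random_uuid.consul_agent_token` from `consul-clients.tf` ends up bound to (the binding is not in this diff), then every Consul client agent inherits it, and because `clients.hcl` sets `default = "${token}"` so do requests that arrive at the agent without a token of their own. A short comment stating why `acl = "write"` is required, or its removal, would make this policy reviewable later.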
diff --git a/e2e/terraform/provision-nomad/etc/acls/consul/nomad-client-policy.hcl b/e2e/terraform/provision-nomad/etc/acls/consul/nomad-client-policy.hcl
new file mode 100644
index 00000000000..c07dc09b03a
--- /dev/null
+++ b/e2e/terraform/provision-nomad/etc/acls/consul/nomad-client-policy.hcl
@@ -0,0 +1,34 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: BUSL-1.1
+
+// The Nomad Client will be registering things into its buddy Consul Client.
+// Note: because we also test the use of Consul namespaces, this token must be
+// able to register services, read the keystore, and read node data for any
+// namespace.
+// The operator=write permission is required for creating config entries for
+// connect ingress gateways. operator ACLs are not namespaced, though the
+// config entries they can generate are.
+operator = "write"
+
+agent_prefix "" {
+ policy = "read"
+}
+
+namespace_prefix "" {
+ // The acl=write permission is required for generating Consul Service Identity
+ // tokens for consul connect services. Those services could be configured for
+ // any Consul namespace the job-submitter has access to.
+ acl = "write"
+
+ key_prefix "" {
+ policy = "read"
+ }
+
+ node_prefix "" {
+ policy = "read"
+ }
+
+ service_prefix "" {
+ policy = "write"
+ }
+}
diff --git a/e2e/terraform/provision-nomad/etc/acls/consul/nomad-server-policy.hcl b/e2e/terraform/provision-nomad/etc/acls/consul/nomad-server-policy.hcl
new file mode 100644
index 00000000000..5df4224668d
--- /dev/null
+++ b/e2e/terraform/provision-nomad/etc/acls/consul/nomad-server-policy.hcl
@@ -0,0 +1,30 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: BUSL-1.1
+
+// The operator=write permission is required for creating config entries for
+// connect ingress gateways. operator ACLs are not namespaced, though the
+// config entries they can generate are.
+operator = "write"
+
+agent_prefix "" {
+ policy = "read"
+}
+
+namespace_prefix "" {
+ // The acl=write permission is required for generating Consul Service Identity
+ // tokens for consul connect services. Those services could be configured for
+ // any Consul namespace the job-submitter has access to.
+ acl = "write"
+}
+
+service_prefix "" {
+ policy = "write"
+}
+
+agent_prefix "" {
+ policy = "read"
+}
+
+node_prefix "" {
+ policy = "read"
+}
diff --git a/e2e/terraform/provision-nomad/etc/acls/vault/nomad-policy.hcl b/e2e/terraform/provision-nomad/etc/acls/vault/nomad-policy.hcl
new file mode 100644
index 00000000000..1059928967f
--- /dev/null
+++ b/e2e/terraform/provision-nomad/etc/acls/vault/nomad-policy.hcl
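Review bot: `agent_prefix "" { policy = "read" }` appears twice in nomad-server-policy.hcl, once directly after `operator = "write"` and again after the `service_prefix ""` block; the copies agree today, but a later edit to one of them would silently be overridden or contradicted by the other, so the second block should be removed. It would also help to say in the header comment that this policy is deliberately a subset of nomad-client-policy.hcl (no `key_prefix` or `node_prefix` under the namespace) rather than an accidental one, since the two files share most of their text.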
@@ -0,0 +1,44 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: BUSL-1.1
+
+# Allow creating tokens under "nomad-tasks" role. The role name should be
+# updated if "nomad-tasks" is not used.
+path "auth/token/create/${role}" {
+ capabilities = ["update"]
+}
+
+# Allow looking up "${role}" role. The role name should be updated if
+# "${role}" is not used.
+path "auth/token/roles/${role}" {
+ capabilities = ["read"]
+}
+
+# Allow looking up the token passed to Nomad to validate the token has the
+# proper capabilities. This is provided by the "default" policy.
+path "auth/token/lookup-self" {
+ capabilities = ["read"]
+}
+
+# Allow looking up incoming tokens to validate they have permissions to access
+# the tokens they are requesting. This is only required if
+# `allow_unauthenticated` is set to false.
+path "auth/token/lookup" {
+ capabilities = ["update"]
+}
+
+# Allow revoking tokens that should no longer exist. This allows revoking
+# tokens for dead tasks.
+path "auth/token/revoke-accessor" {
+ capabilities = ["update"]
+}
+
+# Allow checking the capabilities of our own token. This is used to validate the
+# token upon startup.
+path "sys/capabilities-self" {
+ capabilities = ["update"]
+}
+
+# Allow our own token to be renewed.
+path "auth/token/renew-self" {
+ capabilities = ["update"]
+}
diff --git a/e2e/terraform/provision-nomad/etc/consul.d/.environment b/e2e/terraform/provision-nomad/etc/consul.d/.environment
new file mode 100644
index 00000000000..259caf3c318
--- /dev/null
+++ b/e2e/terraform/provision-nomad/etc/consul.d/.environment
@@ -0,0 +1 @@
+CONSUL_LICENSE=${license}
diff --git a/e2e/terraform/provision-nomad/etc/consul.d/clients.hcl b/e2e/terraform/provision-nomad/etc/consul.d/clients.hcl
new file mode 100644
index 00000000000..0a168d37d86
--- /dev/null
+++ b/e2e/terraform/provision-nomad/etc/consul.d/clients.hcl
@@ -0,0 +1,42 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: BUSL-1.1
+
+log_level = "DEBUG"
+data_dir = "/opt/consul/data"
+bind_addr = "{{ GetPrivateIP }}"
+advertise_addr = "{{ GetPrivateIP }}"
+client_addr = "0.0.0.0"
+
+server = false
+
+acl {
+ enabled = true
+ tokens {
+ agent = "${token}"
+ default = "${token}"
+ }
+}
+
+retry_join = ["provider=aws tag_key=ConsulAutoJoin tag_value=${autojoin_value}"]
+
+tls {
+ defaults {
+ ca_file = "/etc/consul.d/ca.pem"
+ cert_file = "/etc/consul.d/cert.pem"
+ key_file = "/etc/consul.d/cert.key.pem"
+ }
+}
+
+connect {
+ enabled = true
+}
+
+service {
+ name = "consul"
+}
+
+ports {
+ grpc = 8502
+ grpc_tls = 8503
+ dns = 8600
+}
diff --git a/e2e/terraform/provision-nomad/etc/consul.d/consul-server.service b/e2e/terraform/provision-nomad/etc/consul.d/consul-server.service
new file mode 100644
index 00000000000..f0ac464f031
--- /dev/null
+++ b/e2e/terraform/provision-nomad/etc/consul.d/consul-server.service
@@ -0,0 +1,20 @@
+[Unit]
+Description=Consul Server
+Documentation=https://developer.hashicorp.com/consul/docs
+Requires=network-online.target
+After=network-online.target
+ConditionFileNotEmpty=/etc/consul.d/consul.hcl
+
+[Service]
+EnvironmentFile=-/etc/consul.d/.environment
+User=consul
+Group=consul
+ExecStart=/usr/bin/consul agent -config-dir=/etc/consul.d/
+ExecReload=/bin/kill --signal HUP $MAINPID
+KillMode=process
+KillSignal=SIGTERM
+Restart=on-failure
+LimitNOFILE=65536
+
+[Install]
+WantedBy=multi-user.target
diff --git a/e2e/terraform/provision-nomad/etc/consul.d/consul.service b/e2e/terraform/provision-nomad/etc/consul.d/consul.service
new file mode 100644
index 00000000000..2f1e9f24ed1
--- /dev/null
+++ b/e2e/terraform/provision-nomad/etc/consul.d/consul.service
@@ -0,0 +1,17 @@
+[Unit]
+Description=Consul Agent
+Requires=network-online.target
+After=network-online.target
+
+[Service]
+Restart=on-failure
+Environment=CONSUL_ALLOW_PRIVILEGED_PORTS=true
+WorkingDirectory=/etc/consul.d
+ExecStart=/usr/bin/consul agent -config-dir="/etc/consul.d"
+ExecReload=/bin/kill -HUP $MAINPID
+KillSignal=SIGTERM
+User=consul
+Group=consul
+
+[Install]
+WantedBy=multi-user.target
diff --git a/e2e/terraform/provision-nomad/etc/consul.d/servers.hcl b/e2e/terraform/provision-nomad/etc/consul.d/servers.hcl
new file mode 100644
index 00000000000..54f35892cf5
--- /dev/null
+++ b/e2e/terraform/provision-nomad/etc/consul.d/servers.hcl
@@ -0,0 +1,47 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: BUSL-1.1
+
+log_level = "DEBUG"
+data_dir = "/opt/consul/data"
+bind_addr = "{{ GetPrivateIP }}"
+advertise_addr = "{{ GetPrivateIP }}"
+client_addr = "0.0.0.0"
+
+server = true
+bootstrap_expect = 1
+
+ui_config {
+ enabled = true
+}
+
+acl {
+ enabled = true
+ tokens {
+ initial_management = "${management_token}"
+ agent = "${token}"
+ default = "${token}"
+ }
+}
+
+retry_join = ["provider=aws tag_key=ConsulAutoJoin tag_value=${autojoin_value}"]
+
+tls {
+ defaults {
+ ca_file = "/etc/consul.d/ca.pem"
+ cert_file = "/etc/consul.d/cert.pem"
+ key_file = "/etc/consul.d/cert.key.pem"
+ }
+}
+
+connect {
+ enabled = true
+}
+
+service {
+ name = "consul"
+}
+
+ports {
+ https = 8501
+ grpc_tls = 8502
+}
diff --git a/e2e/terraform/provision-nomad/etc/nomad.d/.environment b/e2e/terraform/provision-nomad/etc/nomad.d/.environment
new file mode 100644
index 00000000000..a7dbdc0e93a
--- /dev/null
+++ b/e2e/terraform/provision-nomad/etc/nomad.d/.environment
@@ -0,0 +1 @@
+NOMAD_LICENSE=${license}
diff --git a/e2e/terraform/provision-nomad/etc/nomad.d/base.hcl b/e2e/terraform/provision-nomad/etc/nomad.d/base.hcl
new file mode 100644
index 00000000000..2208e62ab32
--- /dev/null
+++ b/e2e/terraform/provision-nomad/etc/nomad.d/base.hcl
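Review bot: The `tls { defaults { ... } }` block in servers.hcl, and the identical one in clients.hcl in the previous file section, configures certificates but sets neither `verify_incoming` nor `verify_outgoing`, so unless those are set in another config file the agents present certificates without requiring them from peers; combined with `client_addr = "0.0.0.0"` and the default plaintext HTTP port (which `client-consul.hcl` relies on via `127.0.0.1:8500`) the listeners are reachable on every interface with TLS optional. If that is the intended posture for a short-lived e2e cluster fenced by its security group, a one-line comment above the `tls` block saying so would stop the next reader from copying it as a hardened template. The two files also disagree on gRPC: clients set `grpc = 8502` and `grpc_tls = 8503`, while servers set `grpc_tls = 8502`, which is worth confirming against what the Connect sidecars and Nomad expect.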
@@ -0,0 +1,29 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: BUSL-1.1
+
+bind_addr = "0.0.0.0"
+data_dir = "${data_dir}"
+enable_debug = true
+log_level = "debug"
+
+audit {
+ enabled = true
+}
+
+acl {
+ enabled = true
+
+ # These values are used by the testACLTokenExpiration test within the acl
+ # test suite. If these need to be updated, please ensure the new values are
+ # reflected within the test suite and do not break the tests. Thanks.
+ token_min_expiration_ttl = "1s"
+ token_max_expiration_ttl = "24h"
+}
+
+telemetry {
+ collection_interval = "1s"
+ disable_hostname = true
+ prometheus_metrics = true
+ publish_allocation_metrics = true
+ publish_node_metrics = true
+}
diff --git a/e2e/terraform/provision-nomad/etc/nomad.d/client-consul.hcl b/e2e/terraform/provision-nomad/etc/nomad.d/client-consul.hcl
new file mode 100644
index 00000000000..cb097207e1d
--- /dev/null
+++ b/e2e/terraform/provision-nomad/etc/nomad.d/client-consul.hcl
@@ -0,0 +1,10 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: BUSL-1.1
+
+# TODO: add workload-identity configuration for servers
+consul {
+ address = "127.0.0.1:8500"
+ token = "${token}"
+ client_service_name = "${client_service_name}"
+ server_service_name = "${server_service_name}"
+}
diff --git a/e2e/terraform/provision-nomad/etc/nomad.d/client-linux-0.hcl b/e2e/terraform/provision-nomad/etc/nomad.d/client-linux-0.hcl
new file mode 100644
index 00000000000..0dea00d5d30
--- /dev/null
+++ b/e2e/terraform/provision-nomad/etc/nomad.d/client-linux-0.hcl
@@ -0,0 +1,12 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: BUSL-1.1
+
+client {
+ meta {
+ "rack" = "r1"
+ }
+
+ host_volume "shared_data" {
+ path = "/srv/data"
+ }
+}
diff --git a/e2e/terraform/provision-nomad/etc/nomad.d/client-linux-1.hcl b/e2e/terraform/provision-nomad/etc/nomad.d/client-linux-1.hcl
new file mode 100644
index 00000000000..49f23499efe
--- /dev/null
+++ b/e2e/terraform/provision-nomad/etc/nomad.d/client-linux-1.hcl
@@ -0,0 +1,8 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: BUSL-1.1
+
+client {
+ meta {
+ "rack" = "r2"
+ }
+}
diff --git a/e2e/terraform/provision-nomad/etc/nomad.d/client-linux-2.hcl b/e2e/terraform/provision-nomad/etc/nomad.d/client-linux-2.hcl
new file mode 100644
index 00000000000..ba008279261
--- /dev/null
+++ b/e2e/terraform/provision-nomad/etc/nomad.d/client-linux-2.hcl
@@ -0,0 +1,10 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: BUSL-1.1
+
+datacenter = "dc2"
+
+client {
+ meta {
+ "rack" = "r1"
+ }
+}
diff --git a/e2e/terraform/provision-nomad/etc/nomad.d/client-linux-3.hcl b/e2e/terraform/provision-nomad/etc/nomad.d/client-linux-3.hcl
new file mode 100644
index 00000000000..e16cce26e54
--- /dev/null
+++ b/e2e/terraform/provision-nomad/etc/nomad.d/client-linux-3.hcl
@@ -0,0 +1,10 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: BUSL-1.1
+
+datacenter = "dc2"
+
+client {
+ meta {
+ "rack" = "r2"
+ }
+}
diff --git a/e2e/terraform/provision-nomad/etc/nomad.d/client-linux.hcl b/e2e/terraform/provision-nomad/etc/nomad.d/client-linux.hcl
new file mode 100644
index 00000000000..ef9a33efedb
--- /dev/null
+++ b/e2e/terraform/provision-nomad/etc/nomad.d/client-linux.hcl
@@ -0,0 +1,61 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: BUSL-1.1
+
+plugin_dir = "/opt/nomad/plugins"
+
+client {
+ enabled = true
+ options = {
+ "user.denylist" = "www-data"
+ }
+}
+
+plugin "nomad-driver-podman" {
+ config {
+ volumes {
+ enabled = true
+ }
+ auth {
+ helper = "test.sh"
+ config = "/etc/auth.json"
+ }
+ }
+}
+
+plugin "nomad-driver-ecs" {
+ config {
+ enabled = true
+ cluster = "nomad-rtd-e2e"
+ region = "us-east-1"
+ }
+}
+
+plugin "raw_exec" {
+ config {
+ enabled = true
+ }
+}
+
+plugin "docker" {
+ config {
+ allow_privileged = true
+
+ volumes {
+ enabled = true
+ }
+ }
+}
+
+plugin "nomad-pledge-driver" {
+ config {
+ pledge_executable = "/usr/local/bin/pledge"
+ }
+}
+
+plugin "nomad-driver-exec2" {
+ config {
+ unveil_defaults = true
+ unveil_by_task = true
+ unveil_paths = ["r:/etc/mime.types"]
+ }
+}
diff --git a/e2e/terraform/provision-nomad/etc/nomad.d/client-windows.hcl b/e2e/terraform/provision-nomad/etc/nomad.d/client-windows.hcl
new file mode 100644
index 00000000000..93612dbfd8d
--- /dev/null
+++ b/e2e/terraform/provision-nomad/etc/nomad.d/client-windows.hcl
@@ -0,0 +1,15 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: BUSL-1.1
+
+log_file = "C:\\opt\\nomad\\nomad.log"
+plugin_dir = "C:\\opt\\nomad\\plugins"
+
+client {
+ enabled = true
+}
+
+plugin "raw_exec" {
+ config {
+ enabled = true
+ }
+}
diff --git a/e2e/terraform/provision-nomad/etc/nomad.d/index.hcl b/e2e/terraform/provision-nomad/etc/nomad.d/index.hcl
new file mode 100644
index 00000000000..beb10d76fb0
--- /dev/null
+++ b/e2e/terraform/provision-nomad/etc/nomad.d/index.hcl
@@ -0,0 +1,4 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: BUSL-1.1
+
+# This is an empty placeholder for indexed configuration
diff --git a/e2e/terraform/provision-nomad/etc/nomad.d/nomad-client.service b/e2e/terraform/provision-nomad/etc/nomad.d/nomad-client.service
new file mode 100644
index 00000000000..ef6a95e14a2
--- /dev/null
+++ b/e2e/terraform/provision-nomad/etc/nomad.d/nomad-client.service
@@ -0,0 +1,23 @@
+[Unit]
+Description=Nomad Client Agent
+Requires=network-online.target
+After=network-online.target
+StartLimitIntervalSec=0
+StartLimitBurst=3
+
+[Service]
+User=root
+ExecReload=/bin/kill -HUP $MAINPID
+ExecStart=/usr/local/bin/nomad agent -config /etc/nomad.d
+EnvironmentFile=-/etc/nomad.d/.environment
+KillMode=process
+KillSignal=SIGINT
+LimitNOFILE=65536
+LimitNPROC=infinity
+TasksMax=infinity
+Restart=on-failure
+RestartSec=2
+OOMScoreAdjust=-999
+
+[Install]
+WantedBy=multi-user.target
diff --git a/e2e/terraform/provision-nomad/etc/nomad.d/nomad-server.service b/e2e/terraform/provision-nomad/etc/nomad.d/nomad-server.service
new file mode 100644
index 00000000000..ddba05a41fe
--- /dev/null
+++ b/e2e/terraform/provision-nomad/etc/nomad.d/nomad-server.service
@@ -0,0 +1,22 @@
+[Unit]
+Description=Nomad Server Agent
+Requires=network-online.target
+After=network-online.target
+StartLimitIntervalSec=0
+StartLimitBurst=3
+
+[Service]
+User=nomad
+ExecReload=/bin/kill -HUP $MAINPID
+ExecStart=/usr/local/bin/nomad agent -config /etc/nomad.d
+EnvironmentFile=-/etc/nomad.d/.environment
+KillMode=process
+KillSignal=SIGINT
+LimitNOFILE=65536
+LimitNPROC=infinity
+TasksMax=infinity
+Restart=on-failure
+RestartSec=2
+
+[Install]
+WantedBy=multi-user.target
diff --git a/e2e/terraform/provision-nomad/etc/nomad.d/server-consul.hcl b/e2e/terraform/provision-nomad/etc/nomad.d/server-consul.hcl
new file mode 100644
index 00000000000..cb097207e1d
--- /dev/null
+++ b/e2e/terraform/provision-nomad/etc/nomad.d/server-consul.hcl
@@ -0,0 +1,10 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: BUSL-1.1
+
+# TODO: add workload-identity configuration for servers
+consul {
+ address = "127.0.0.1:8500"
+ token = "${token}"
+ client_service_name = "${client_service_name}"
+ server_service_name = "${server_service_name}"
+}
diff --git a/e2e/terraform/provision-nomad/etc/nomad.d/server-linux.hcl b/e2e/terraform/provision-nomad/etc/nomad.d/server-linux.hcl
new file mode 100644
index 00000000000..9db84855b68
--- /dev/null
+++ b/e2e/terraform/provision-nomad/etc/nomad.d/server-linux.hcl
@@ -0,0 +1,17 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: BUSL-1.1
+
+server {
+ enabled = true
+ bootstrap_expect = 3
+}
+
+keyring "awskms" {
+ active = true
+ region = "${aws_region}"
+ kms_key_id = "${aws_kms_key_id}"
+}
+
+keyring "aead" {
+ active = false
+}
diff --git a/e2e/terraform/provision-nomad/etc/nomad.d/tls.hcl b/e2e/terraform/provision-nomad/etc/nomad.d/tls.hcl
new file mode 100644
index 00000000000..34f2b1171eb
--- /dev/null
+++ b/e2e/terraform/provision-nomad/etc/nomad.d/tls.hcl
@@ -0,0 +1,14 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: BUSL-1.1
+
+tls {
+ http = true
+ rpc = true
+
+ ca_file = "/etc/nomad.d/tls/ca.crt"
+ cert_file = "/etc/nomad.d/tls/agent.crt"
+ key_file = "/etc/nomad.d/tls/agent.key"
+
+ verify_server_hostname = true
+ verify_https_client = true
+}
diff --git a/e2e/terraform/provision-nomad/etc/nomad.d/vault.hcl b/e2e/terraform/provision-nomad/etc/nomad.d/vault.hcl
new file mode 100644
index 00000000000..691f24de865
--- /dev/null
+++ b/e2e/terraform/provision-nomad/etc/nomad.d/vault.hcl
@@ -0,0 +1,11 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: BUSL-1.1
+
+vault {
+ enabled = true
+ address = "${url}"
+ task_token_ttl = "1h"
+ create_from_role = "${role}"
+ namespace = "${namespace}"
+ token = "${token}"
+}
diff --git a/e2e/terraform/provision-nomad/main.tf b/e2e/terraform/provision-nomad/main.tf
index 80f974a6a05..87a09f26394 100644
--- a/e2e/terraform/provision-nomad/main.tf
+++ b/e2e/terraform/provision-nomad/main.tf
@@ -10,7 +10,7 @@ locals {
 # if nomad_license is unset, it'll be a harmless empty license file
 resource "local_sensitive_file" "nomad_environment" {
- content = templatefile("etc/nomad.d/.environment", {
+ content = templatefile("${path.module}/etc/nomad.d/.environment", {
 license = var.nomad_license
 })
 filename = "${local.upload_dir}/nomad.d/.environment"
@@ -18,7 +18,7 @@ resource "local_sensitive_file" "nomad_environment" {
 }
 resource "local_sensitive_file" "nomad_base_config" {
- content = templatefile("etc/nomad.d/base.hcl", {
+ content = templatefile("${path.module}/etc/nomad.d/base.hcl", {
 data_dir = var.platform != "windows" ? "/opt/nomad/data" : "C://opt/nomad/data"
 })
 filename = "${local.upload_dir}/nomad.d/base.hcl"
@@ -41,7 +41,7 @@ resource "local_sensitive_file" "nomad_indexed_config" {
 }
 resource "local_sensitive_file" "nomad_tls_config" {
- content = templatefile("etc/nomad.d/tls.hcl", {})
+ content = templatefile("${path.module}/etc/nomad.d/tls.hcl", {})
 filename = "${local.upload_dir}/nomad.d/tls.hcl"
 file_permission = "0600"
 }
@@ -75,7 +75,7 @@ resource "null_resource" "upload_consul_configs" {
 destination = "/tmp/consul_client.hcl"
 }
 provisioner "file" {
- source = "etc/consul.d/consul.service"
+ source = "${path.module}/etc/consul.d/consul.service"
 destination = "/tmp/consul.service"
 }
 }
diff --git a/e2e/terraform/terraform.tfvars b/e2e/terraform/terraform.tfvars
index cb270665a80..0340c4ccae1 100644
--- a/e2e/terraform/terraform.tfvars
+++ b/e2e/terraform/terraform.tfvars
@@ -6,5 +6,5 @@
 # before running `terraform apply` and created the /pkg/goos_goarch/binary
 # folder
-nomad_local_binary = "../../pkg/linux_amd64/nomad"
+nomad_local_binary = "/Users/juanita.delacuestamorales/nomad/linux-amd64-ce/nomad"
 nomad_local_binary_client_windows_2016_amd64 = ["../../pkg/windows_amd64/nomad.exe"]
\ No newline at end of file
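Review bot: In terraform.tfvars the new `nomad_local_binary` value is an absolute path inside one developer's home directory, which replaces the portable `../../pkg/linux_amd64/nomad` default that the comment two lines above still describes, breaks the module for anyone else who runs it, and records a personal username in the repository; this looks like a local override that was staged by accident. Restore the previous line, `nomad_local_binary = "../../pkg/linux_amd64/nomad"`, and keep per-developer overrides in an untracked `*.auto.tfvars` file or pass them with `-var`, mirroring how `nomad_local_binary_client_windows_2016_amd64` on the next line still uses the relative path.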