Refactor HCP bootstrapping logic and add tests

We want to allow users to link Consul clusters that already exist to HCP. Existing clusters need care when bootstrapped by HCP, since we do not want to do things like change ACL/TLS settings for a running cluster. Additional changes: * Deconstruct MaybeBootstrap so that it can be tested. The HCP Go SDK requires HTTPS to fetch a token from the Auth URL, even if the backend server is mocked. By pulling the hcp.Client creation out we can modify its TLS configuration in tests while keeping the secure behavior in production code. * Add light validation for data received/loaded. * Sanitize initial_management token from received config, since HCP will only ever use the CloudConfig.MangementToken.
hashicorp · Apr 24, 2023 · 97b080b · 97b080b
1 parent ab59ab7
commit 97b080b
Show file tree

Hide file tree

Showing 12 changed files with 1,138 additions and 155 deletions.
diff --git a/agent/config/builder.go b/agent/config/builder.go
@@ -2527,18 +2527,23 @@ func validateAutoConfigAuthorizer(rt RuntimeConfig) error {
 	return nil
 }
 
-func (b *builder) cloudConfigVal(v *CloudConfigRaw) (val hcpconfig.CloudConfig) {
+func (b *builder) cloudConfigVal(v *CloudConfigRaw) hcpconfig.CloudConfig {
+	val := hcpconfig.CloudConfig{
+		ResourceID: os.Getenv("HCP_RESOURCE_ID"),
+	}
 	if v == nil {
 		return val
 	}
 
-	val.ResourceID = stringVal(v.ResourceID)
 	val.ClientID = stringVal(v.ClientID)
 	val.ClientSecret = stringVal(v.ClientSecret)
 	val.AuthURL = stringVal(v.AuthURL)
 	val.Hostname = stringVal(v.Hostname)
 	val.ScadaAddress = stringVal(v.ScadaAddress)
 
+	if resourceID := stringVal(v.ResourceID); resourceID != "" {
+		val.ResourceID = resourceID
+	}
 	return val
 }
 

diff --git a/agent/config/runtime.go b/agent/config/runtime.go
@@ -1749,6 +1749,9 @@ func (c *RuntimeConfig) Sanitized() map[string]interface{} {
 
 // IsCloudEnabled returns true if a cloud.resource_id is set and the server mode is enabled
 func (c *RuntimeConfig) IsCloudEnabled() bool {
+	if c == nil {
+		return false
+	}
 	return c.ServerMode && c.Cloud.ResourceID != ""
 }
 

diff --git a/agent/config/runtime_test.go b/agent/config/runtime_test.go
@@ -2301,6 +2301,74 @@ func TestLoad_IntegrationWithFlags(t *testing.T) {
 			rt.HTTPUseCache = false
 		},
 	})
+	run(t, testCase{
+		desc: "cloud resource id from env",
+		args: []string{
+			`-server`,
+			`-data-dir=` + dataDir,
+		},
+		setup: func() {
+			os.Setenv("HCP_RESOURCE_ID", "env-id")
+			t.Cleanup(func() {
+				os.Unsetenv("HCP_RESOURCE_ID")
+			})
+		},
+		expected: func(rt *RuntimeConfig) {
+			rt.DataDir = dataDir
+			rt.Cloud = hcpconfig.CloudConfig{
+				// ID is only populated from env if not populated from other sources.
+				ResourceID: "env-id",
+			}
+
+			// server things
+			rt.ServerMode = true
+			rt.TLS.ServerMode = true
+			rt.LeaveOnTerm = false
+			rt.SkipLeaveOnInt = true
+			rt.RPCConfig.EnableStreaming = true
+			rt.GRPCTLSPort = 8503
+			rt.GRPCTLSAddrs = []net.Addr{defaultGrpcTlsAddr}
+		},
+	})
+	run(t, testCase{
+		desc: "cloud resource id from file",
+		args: []string{
+			`-server`,
+			`-data-dir=` + dataDir,
+		},
+		setup: func() {
+			os.Setenv("HCP_RESOURCE_ID", "env-id")
+			t.Cleanup(func() {
+				os.Unsetenv("HCP_RESOURCE_ID")
+			})
+		},
+		json: []string{`{
+			  "cloud": {
+              	"resource_id": "file-id" 
+              }
+			}`},
+		hcl: []string{`
+			  cloud = {
+	            resource_id = "file-id" 
+			  }
+			`},
+		expected: func(rt *RuntimeConfig) {
+			rt.DataDir = dataDir
+			rt.Cloud = hcpconfig.CloudConfig{
+				// ID is only populated from env if not populated from other sources.
+				ResourceID: "file-id",
+			}
+
+			// server things
+			rt.ServerMode = true
+			rt.TLS.ServerMode = true
+			rt.LeaveOnTerm = false
+			rt.SkipLeaveOnInt = true
+			rt.RPCConfig.EnableStreaming = true
+			rt.GRPCTLSPort = 8503
+			rt.GRPCTLSAddrs = []net.Addr{defaultGrpcTlsAddr}
+		},
+	})
 	run(t, testCase{
 		desc: "sidecar_service can't have ID",
 		args: []string{

diff --git a/agent/config/testdata/TestRuntimeConfig_Sanitize.golden b/agent/config/testdata/TestRuntimeConfig_Sanitize.golden
@@ -131,8 +131,10 @@
         "ClientID": "id",
         "ClientSecret": "hidden",
         "Hostname": "",
+        "ManagementToken": "hidden",
         "ResourceID": "cluster1",
-        "ScadaAddress": ""
+        "ScadaAddress": "",
+        "TLSConfig": null
     },
     "ConfigEntryBootstrap": [],
     "ConnectCAConfig": {},