Add connect-init command and consul login api

[kschoche]

Changes proposed in this PR:

• Create a new function for the consul login command which uses only Consul client API calls.
• Add connect-init command and refactor the init container and its tests to use it to do ACL retrieval for the connect-inject init container.

How I've tested this PR:
Unit tests added and passed.
Manual test by deploying kschoche/consul-k8s-dev with ACLs enabled and deploy a connect injected application.

How I expect reviewers to test this PR:
Manual test.

Checklist:

• Tests added
• CHANGELOG entry added (HashiCorp engineers only, community PRs should not add a changelog entry)

[kschoche]

When the endpoints controller is ready we will remove everything past this in the command tmpl

[kschoche]

Since we are now using consul-k8s image instead of consul the path will be from the shared vol instead of /bin/.. update all the tests accordingly.

[kschoche]

This is a sample API output from consul.io that we are mocking.

[ndhanushkodi]

This is a nifty way to stub out the server and assert on the api call! I love what you've done here.

[lkysow]

This is looking good! I think the biggest thing I'm wondering is that right now this command is only run when ACLs are enabled but the plan is for this command to eventually run when ACLs are disabled so does it make sense to write it right now so it essentially no-ops if ACLs are disabled?

Because otherwise we're writing tests that -auth-method is a required flag but then later it will be run without that flag (if ACLs are disabled).

[lkysow]

This loop ignore any sigterms right now. I'm also not sure it needs to run in a go routine? Would something like this work:

	retries := 0
	for {
		err = common.ConsulLogin(c.consulClient, c.flagBearerTokenFile, c.flagACLAuthMethod, c.flagTokenSinkFile, meta)
		if err == nil {
			break
		}
		retries++
		if retries == c.numACLLoginRetries {
			c.UI.Error("hit maximum retries for consul login")
			return 1
		}
		c.UI.Error(fmt.Sprintf("consul login failed; retrying: %s", err))

		select {
		case <-time.After(1 * time.Second):
			// retry loop
		case sig := <-c.sigCh:
			c.UI.Info(fmt.Sprintf("%s received, shutting down", sig))
			return 0
		}
	}

[kschoche]

Love it!

[ishustava]

What do you think about using backoff.Retry (example here). I think this package will already handle a lot the signals and make the logic much cleaner. You'd need to pass in backoff.WithMaxRetries(backoff.NewConstantBackOff(1*time.Second), 3) as the second argument so that it stops after 3 tries.

[kschoche]

@ishustava great idea, I like it and its much cleaner looking I'm not sure I understand how it handles signals. In get-consul-client-ca I don't see it either and we're not testing that command for any signal handling. Could you can show me? 🙇🏽

[ishustava]

What is the reason to have signal handling in this command?

In get-consul-client-ca, we don't handle interrupt signals because it doesn't start any goroutines, and so if an interrupt or a term signal is sent, it doesn't need to drain or stop any other processes that it's running. We also don't do it in other similar commands, e.g server-acl-init, probably for the same reason.

[lkysow]

We do loop for the login so wouldn't it be nice if you could delete the pod and it would exit quickly if it was in its init?

[lkysow]

I'm fine with not having it too if it's deemed too complicated.

[ishustava]

We do loop for the login so wouldn't it be nice if you could delete the pod and it would exit quickly if it was in its init

If you delete a pod, then it should still exit quickly. If you have a program that doesn't handle interrupts and you send it an interrupt, it should still exit as soon as you send that signal because it's handled by golang and OS. In this command, we don't need any graceful shutdown behavior so I think it's ok to skip OS signal handling. Maybe I'm misunderstanding something?

[lkysow]

Ahh I didn't know that there was default signal handling that gets turned off by signal.Notify (https://golang.org/pkg/os/signal/).

[ndhanushkodi]

Just a clarification on the scope of this PR, the consul login logic and tests and command look great!!

[ndhanushkodi]

This is a nifty way to stub out the server and assert on the api call! I love what you've done here.

[ndhanushkodi]

Is this just the command without the loop that waits for the consul client to have a service instance registered with the local agent? (i.e is this only don't the consul login for now)?

[ndhanushkodi]

oh I think you can ignore this, I think that is the case, and for right now the command is mostly doing the consul login.

[kschoche]

Yeah it is only doing consul login right now. trying to strike a line between this PR and the next PR which will bring in non-ACL support, etc.

[kschoche]

will rebase this at the end.

[lkysow]

I tested everything out and it's looking great. Just some small suggested changes remaining.

[lkysow]

What about the other required flags?

[kschoche]

I have them taking in defaults right now in the flag parsing, wasn't sure how to handle it, what do you think?

[lkysow]

I'd say follow the other commands we have and how they deal with flag defaults. If there is no prior art then I'd say if a flag has a default then we don't need to check if it's nil and then we also wouldn't write a test for it.

[kschoche]

Yeah that is what I ended up doing here. but let me look at some other tests and update the PR accordingly.

[ishustava]

IMO, if they have defaults, then we don't need those validation errors since it's impossible for them to be empty.

[lkysow]

Oh interesting. I would have said that if:

	if c.flagBearerTokenFile == "" {
		c.UI.Error("-bearer-token-file must be set")
		return 1
	}
	if c.flagTokenSinkFile == "" {
		c.UI.Error("-token-sink-file must be set")
		return 1
	}

Will never run because those have defaults then we can just delete those lines and then no need to test.

[ishustava]

Looking pretty good! I really like the work you did here! I left some comments; they are mostly minor suggestions or questions. Otherwise, it looks good to me!

[ishustava]

do we need the mock server for this test? I think it fails before it makes a call to consul

[ishustava]

this error should be no bearer token found in ...

[ishustava]

IMO, if they have defaults, then we don't need those validation errors since it's impossible for them to be empty.

[ishustava]

🎉

Left a couple of minor edits, but otherwise looks great!

[lkysow]

🦊 great work. Note I didn't dockerize it myself on this last review.

[lkysow]

Suggested change

	require.Equal(string(data), "b78d37c7-0ca7-5f4d-99ee-6d9975ce4586")
	require.Equal("b78d37c7-0ca7-5f4d-99ee-6d9975ce4586", string(data))

Order of these arguments is exp, act so they should be swapped.

[lkysow]

Suggested change

	// startMockServer starts an httptest server used to mock a Consul server's
	// /v1/acl/login endpoint. It also writes bearerTokenContents to a temp file.
	// apiCallCounter will be incremented on each call to /v1/acl/login.
	// It returns a consul client pointing at the server.
	func startMockServer(t *testing.T, apiCallCounter *int) *api.Client {
	// startMockServer starts an httptest server used to mock a Consul server's
	// /v1/acl/login endpoint.
	// apiCallCounter will be incremented on each call to /v1/acl/login.
	// It returns a consul client pointing at the server.
	func startMockServer(t *testing.T, apiCallCounter *int) *api.Client {

[lkysow]

ExpErr isn't used anymore