15: test that also the service main process can read updated secrets r=Mic92 a=Mic92



Co-authored-by: Jörg Thalheim <joerg@thalheim.io>
main
bors[bot] 2 years ago committed by GitHub
commit 06f5b36c29
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

@ -36,12 +36,13 @@
systemd.services.service2 = {
wantedBy = ["multi-user.target"];
script = ''
set -x
while true; do
cat $CREDENTIALS_DIRECTORY/secret > /tmp/service2
sleep infinity
'';
reload = ''
cat $CREDENTIALS_DIRECTORY/secret > /tmp/service2-reload
sleep 0.1
done
'';
serviceConfig.ExecReload = "${pkgs.coreutils}/bin/true";
serviceConfig.LoadCredential = ["secret:/run/systemd-vaultd/sock"];
vault = {
template = ''
@ -109,7 +110,9 @@
machine.succeed("systemctl restart vault-agent-default")
machine.wait_until_succeeds("cat /run/systemd-vaultd/secrets/service2.service.json >&2")
machine.succeed("systemctl reload service2")
out = machine.wait_until_succeeds("cat /tmp/service2-reload")
machine.succeed("rm /tmp/service2")
out = machine.wait_until_succeeds("cat /tmp/service2")
print(out)
assert out == "reload", f"{out} != reload"
'';
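Review bot: The check in the second hunk, `machine.succeed("rm /tmp/service2")` followed by `out = machine.wait_until_succeeds("cat /tmp/service2")`, can read an empty file, so the assert may fail intermittently. The service loop's `cat $CREDENTIALS_DIRECTORY/secret > /tmp/service2` truncates the file before writing it, and `cat` on an empty file exits 0, so the wait does not retry. Waiting on the content closes that window, for example `machine.wait_until_succeeds("grep -qx reload /tmp/service2")`, or the loop can write to a temporary name and `mv` it into place. The +/- markers are lost on this page, so the next point is inferred from the hunk counts: if the `cat /tmp/service2-reload` line is still on the new side, its `out` is overwritten before the assert and never checked. A short comment on the unit saying the credential is copied to a predictable path in /tmp only because this is a throwaway test VM would keep the pattern from being reused in real units.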
