test that also the service main process can read updated secrets

main
Jörg Thalheim 2 years ago
parent 5ec7d0120a
commit e5e1cfd714

@ -36,12 +36,13 @@
systemd.services.service2 = { systemd.services.service2 = {
wantedBy = ["multi-user.target"]; wantedBy = ["multi-user.target"];
script = '' script = ''
set -x
while true; do
cat $CREDENTIALS_DIRECTORY/secret > /tmp/service2 cat $CREDENTIALS_DIRECTORY/secret > /tmp/service2
sleep infinity sleep 0.1
''; done
reload = ''
cat $CREDENTIALS_DIRECTORY/secret > /tmp/service2-reload
''; '';
serviceConfig.ExecReload = "${pkgs.coreutils}/bin/true";
serviceConfig.LoadCredential = ["secret:/run/systemd-vaultd/sock"]; serviceConfig.LoadCredential = ["secret:/run/systemd-vaultd/sock"];
vault = { vault = {
template = '' template = ''
@ -109,7 +110,9 @@
machine.succeed("systemctl restart vault-agent-default") machine.succeed("systemctl restart vault-agent-default")
machine.wait_until_succeeds("cat /run/systemd-vaultd/secrets/service2.service.json >&2") machine.wait_until_succeeds("cat /run/systemd-vaultd/secrets/service2.service.json >&2")
machine.succeed("systemctl reload service2") machine.succeed("systemctl reload service2")
out = machine.wait_until_succeeds("cat /tmp/service2-reload")
machine.succeed("rm /tmp/service2")
out = machine.wait_until_succeeds("cat /tmp/service2")
print(out) print(out)
assert out == "reload", f"{out} != reload" assert out == "reload", f"{out} != reload"
''; '';
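Review bot: The new check `out = machine.wait_until_succeeds("cat /tmp/service2")` can observe an empty file. The loop added to service2's script rewrites the file every 0.1 s with `cat $CREDENTIALS_DIRECTORY/secret > /tmp/service2`, and the shell truncates the target before `cat` writes to it. `cat` on an empty file still exits 0, so `wait_until_succeeds` would return an empty string and the assert would fail intermittently. Publishing the file atomically closes that window: `cat "$CREDENTIALS_DIRECTORY/secret" > /tmp/service2.tmp` followed by `mv /tmp/service2.tmp /tmp/service2`. Both the service definition and the test script continue outside the visible hunks, so this is judged only from the lines shown.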
