fix and test TLS connection

.github/workflows/main.yml

@@ -45,11 +45,28 @@ jobs:
       - name: run integration tests
         run: ./integration_tests.sh --durations=10 --cov=nomad_tools -n 3
 
+  test_ssl:
+    name: Test ssl
+    runs-on: ubuntu-latest
+    steps:
+      - name: checkout
+        uses: actions/checkout@v4
+      - name: upgrade pip
+        run: pip install --upgrade pip
+      - name: install editable package
+        run: pip install -e .
+      - name: install nomad server
+        run: bash ./tests/provision.sh nomad_install 1.8.0
+      - name: run nomad server tls
+        run: bash ./tests/provision.sh nomad_start_tls
+      - name: test tls connection
+        run: ./tests/tls_env.bash testall
 
   pypi-publish:
     name: Upload release to PyPI
     needs:
       - test
+      - test_ssl
     if: github.event_name == 'push' && contains(github.ref, 'refs/tags/')
     #if: github.ref == 'refs/heads/main'
     runs-on: ubuntu-latest

jobs/test-forever.nomad.hcl

@@ -0,0 +1,13 @@
+job "test-forever" {
+  # meta { uuid = uuidv4() }
+  group "test-forever" {
+    task "test-forever" {
+      driver = "docker"
+      config {
+        image   = "busybox:stable"
+        command = "sleep"
+        args    = ["3600h"]
+      }
+    }
+  }
+}

src/nomad_tools/nomadlib/connection.py

@@ -191,15 +191,6 @@ def request(
         params.setdefault(
             "namespace", self.namespace or os.environ.get(NOMAD_NAMESPACE, "*")
         )
-        print(
-            False
-            if NOMAD_SKIP_VERIFY in os.environ
-            else (
-                os.environ[NOMAD_CACERT]
-                if NOMAD_CACERT in os.environ
-                else (os.environ[NOMAD_CAPATH] if NOMAD_CAPATH in os.environ else True)
-            )
-        )
         req = self.session.request(
             method,
             self.addr() + "/v1/" + url,
@@ -309,7 +300,7 @@ def create_websocket_connection(path: str) -> websocket.WebSocket:
         sslopt["check_hostname"] = False
     cacert = os.environ.get(NOMAD_CACERT)
     if cacert:
-        sslopt["ca_cert"] = cacert
+        sslopt["ca_certs"] = cacert
     else:
         capath = os.environ.get(NOMAD_CAPATH)
         if capath:

tests/provision.sh

@@ -31,28 +31,41 @@ cni_install() {
 	sudo rm cni-plugins*.tgz
 }
 
-nomad_start() {
-	local pid now endtime
-	if pid=$(pgrep nomad); then
-		echo "nomad already running: $(xargs ps aux "$pid")"
-		return
-	fi
-	sudo nomad agent -dev -config ./tests/nomad.hcl &
-	NOMADPID=$!
-	# Wait for nomad
+wait_for() {
 	now=$(date +%s)
 	endtime=$((now + 30))
-	while ! nomad status >/dev/null; do
+	while ! "$@" >/dev/null; do
 		sleep 0.5
 		now=$(date +%s)
 		if ((now > endtime)); then
-			fatal "did not start nomad"
+			fatal "did not start $*"
 		fi
 		if ! kill -0 "$NOMADPID"; then
-			fatal "nomad exited"
+			fatal "$* exited"
 		fi
 	done
-	nomad status
+	"$@"
+}
+
+# shellcheck disable=2120
+nomad_run() {
+	local pid now endtime
+	if pid=$(pgrep nomad); then
+		echo "nomad already running: $(xargs ps aux "$pid")"
+		return
+	fi
+	sudo nomad agent -dev -config ./tests/nomad.d/nomad.hcl "$@" &
+	declare -g NOMADPID=$!
+}
+
+nomad_start() {
+	nomad_run
+	wait_for nomad status
+}
+
+nomad_start_tls() {
+	nomad_run -config ./tests/nomad.d/tls.hcl
+	wait_for ./tests/tls_env.bash tls -- nomad status
 }
 
 nomad_restart() {
@@ -79,10 +92,10 @@ vagrant() {
 }
 
 case "$1" in
-cni_install | nomad_install | nomad_start | nomad_restart | vagrant)
+cni_install | nomad_install | nomad_start | nomad_start_tls | nomad_restart | vagrant)
 	"$@"
 	;;
 *)
-	fatal ""
+	fatal "Unknown command: $1"
 	;;
 esac

tests/tls_env.bash

@@ -4,47 +4,68 @@ _r() {
 	echo "+ $*" >&2
 	"$@"
 }
-case "$1" in
-clear)
-	_r unset NOMAD_ADDR
-	_r unset NOMAD_TLS_SERVER_NAME
-	_r unset NOMAD_CACERT
-	_r unset NOMAD_CAPATH
-	_r unset NOMAD_CLIENT_CERT
-	_r unset NOMAD_CLIENT_KEY
-	;;
-tls)
-	_r export NOMAD_ADDR=https://localhost:4646
-	_r unset NOMAD_TLS_SERVER_NAME
-	_r export NOMAD_CACERT=$_DIR/nomad-agent-ca.pem
-	_r unset NOMAD_CAPATH
-	_r export NOMAD_CLIENT_CERT=$_DIR/global-cli-nomad.pem
-	_r export NOMAD_CLIENT_KEY=$_DIR/global-cli-nomad-key.pem
-	;;
-capath)
-	_r export NOMAD_ADDR=https://localhost:4646
-	_r unset NOMAD_TLS_SERVER_NAME
-	_r unset NOMAD_CACERT
-	_r export NOMAD_CAPATH=$_DIR/capath
-	_r export NOMAD_CLIENT_CERT=$_DIR/global-cli-nomad.pem
-	_r export NOMAD_CLIENT_KEY=$_DIR/global-cli-nomad-key.pem
-	;;
-sni)
-	_r export NOMAD_ADDR=https://127.0.0.1:4646
-	_r export NOMAD_TLS_SERVER_NAME=localhost
-	_r export NOMAD_CACERT=$_DIR/nomad-agent-ca.pem
-	_r unset NOMAD_CAPATH
-	_r export NOMAD_CLIENT_CERT=$_DIR/global-cli-nomad.pem
-	_r export NOMAD_CLIENT_KEY=$_DIR/global-cli-nomad-key.pem
-	;;
-test)
-	_r nomad status
-	_r nomadtools vardir -j nginx@nginx ls
-	;;
-*)
-	echo "${BASH_SOURCE[0]}: invalid argument: $1" >&2
-	echo "${BASH_SOURCE[0]}: must be: clear tls sni" >&2
-	;;
-esac
-unset -f _r
-unset _DIR
+_clear_envs() {
+	envs=$(compgen -v NOMAD_)
+	if [[ -n "$envs" ]]; then
+		# shellcheck disable=2086
+		_r unset $envs
+	fi
+}
+while (($#)); do
+	case "$1" in
+	clear)
+		_clear_envs
+		;;
+	tls)
+		_clear_envs
+		_r export NOMAD_ADDR=https://localhost:4646
+		_r unset NOMAD_TLS_SERVER_NAME
+		_r export NOMAD_CACERT="$_DIR"/nomad-agent-ca.pem
+		_r unset NOMAD_CAPATH
+		_r export NOMAD_CLIENT_CERT="$_DIR"/global-cli-nomad.pem
+		_r export NOMAD_CLIENT_KEY="$_DIR"/global-cli-nomad-key.pem
+		;;
+	capath)
+		_clear_envs
+		_r export NOMAD_ADDR=https://localhost:4646
+		_r unset NOMAD_TLS_SERVER_NAME
+		_r unset NOMAD_CACERT
+		_r export NOMAD_CAPATH="$_DIR"/capath
+		_r export NOMAD_CLIENT_CERT="$_DIR"/global-cli-nomad.pem
+		_r export NOMAD_CLIENT_KEY="$_DIR"/global-cli-nomad-key.pem
+		;;
+	sni)
+		_clear_envs
+		_r export NOMAD_ADDR=https://127.0.0.1:4646
+		_r export NOMAD_TLS_SERVER_NAME=localhost
+		_r export NOMAD_CACERT="$_DIR"/nomad-agent-ca.pem
+		_r unset NOMAD_CAPATH
+		_r export NOMAD_CLIENT_CERT="$_DIR"/global-cli-nomad.pem
+		_r export NOMAD_CLIENT_KEY="$_DIR"/global-cli-nomad-key.pem
+		;;
+	test)
+		_r export NOMAD_NAMESPACE=default
+		_r nomad status
+		_r nomadtools vardir -j nginx@nginx ls
+		_r python -m nomad_tools.taskexec test-forever test-forever echo Hello world
+		;;
+	testall)
+		_r "$0" tls -- nomadtools watch start "$_DIR"/../../jobs/test-forever.nomad.hcl
+		echo
+		_r "$0" tls test
+		echo
+		_r "$0" capath test
+		echo
+		_r "$0" sni test
+		;;
+	--)
+		shift
+		_r exec "$@"
+		;;
+	*)
+		echo "Unknown arguments: $*" >&2
+		exit 123
+		;;
+	esac
+	shift
+done