secrets: add job id and namespace to plugin env (#27207)

Author: mismithhisler

.changelog/27207.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+secrets: Adds nomad job ID and namespace to plugin environment
+```

client/allocrunner/taskrunner/secrets_hook.go

@@ -49,6 +49,9 @@ type secretsHookConfig struct {
 
 	// nomadNamespace is the job's Nomad namespace
 	nomadNamespace string
+
+	// jobId is the ID of the job
+	jobId string
 }
 
 type secretsHook struct {
@@ -70,6 +73,9 @@ type secretsHook struct {
 	// nomadNamespace is the job's Nomad namespace
 	nomadNamespace string
 
+	// jobId is the nomad job's ID
+	jobId string
+
 	// secrets to be fetched and populated for interpolation
 	secrets []*structs.Secret
 }
@@ -82,6 +88,7 @@ func newSecretsHook(conf *secretsHookConfig, secrets []*structs.Secret) *secrets
 		clientConfig:   conf.clientConfig,
 		envBuilder:     conf.envBuilder,
 		nomadNamespace: conf.nomadNamespace,
+		jobId:          conf.jobId,
 		secrets:        secrets,
 	}
 }
@@ -198,6 +205,9 @@ func (h *secretsHook) buildSecretProviders(secretDir string) ([]TemplateProvider
 				tmplProvider = append(tmplProvider, p)
 			}
 		default:
+			// Add/overwrite the nomad namespace and jobID envVars
+			s.Env = h.setupPluginEnv(s.Env)
+
 			plug, err := commonplugins.NewExternalSecretsPlugin(h.clientConfig.CommonPluginDir, s.Provider, s.Env)
 			if err != nil {
 				multierror.Append(mErr, err)
@@ -209,3 +219,15 @@ func (h *secretsHook) buildSecretProviders(secretDir string) ([]TemplateProvider
 
 	return tmplProvider, pluginProvider, mErr.ErrorOrNil()
 }
+
+func (h *secretsHook) setupPluginEnv(env map[string]string) map[string]string {
+	if env == nil {
+		env = make(map[string]string)
+	}
+
+	// set jobID and namespace, overwriting anything already set
+	env[taskenv.JobID] = h.jobId
+	env[taskenv.Namespace] = h.nomadNamespace
+
+	return env
+}

client/allocrunner/taskrunner/secrets_hook_test.go

@@ -8,6 +8,8 @@ import (
 	"fmt"
 	"net/http"
 	"net/http/httptest"
+	"os"
+	"path/filepath"
 	"strconv"
 	"testing"
 	"time"
@@ -317,3 +319,92 @@ func TestSecretsHook_Prestart_Vault(t *testing.T) {
 
 	must.Eq(t, exp, taskEnv.Build().TaskSecrets)
 }
+
+func TestSecretsHook_Prestart_Plugin(t *testing.T) {
+	basePlugin := `#!/bin/bash
+if [ "$1" = "fingerprint" ]; then
+    cat <<EOF
+{
+  "type": "secrets",
+  "version": "0.0.1"
+}
+EOF
+elif [ "$1" = "fetch" ]; then
+    cat <<EOF
+{
+  "result": {
+	%s
+  }
+}
+EOF
+fi`
+
+	t.Run("sets plugin environment correctly", func(t *testing.T) {
+		clientConfig := config.DefaultConfig()
+		clientConfig.CommonPluginDir = t.TempDir()
+
+		pluginDir := filepath.Join(clientConfig.CommonPluginDir, "secrets")
+		err := os.MkdirAll(pluginDir, 0755)
+		must.NoError(t, err)
+
+		pluginPath := filepath.Join(pluginDir, "test")
+		testPlugin := fmt.Sprintf(basePlugin, `
+				"jobID": "${NOMAD_JOB_ID}",
+				"namespace": "${NOMAD_NAMESPACE}"`)
+		err = os.WriteFile(pluginPath, []byte(testPlugin), 0755)
+		must.NoError(t, err)
+
+		taskDir := t.TempDir()
+		alloc := mock.MinAlloc()
+		task := alloc.Job.TaskGroups[0].Tasks[0]
+
+		taskEnv := taskenv.NewBuilder(mock.Node(), alloc, task, clientConfig.Region)
+		conf := &secretsHookConfig{
+			logger:         testlog.HCLogger(t),
+			lifecycle:      trtesting.NewMockTaskHooks(),
+			events:         &trtesting.MockEmitter{},
+			clientConfig:   clientConfig,
+			envBuilder:     taskEnv,
+			nomadNamespace: "test-namespace",
+			jobId:          "test-jobid",
+		}
+		secretHook := newSecretsHook(conf, []*structs.Secret{
+			{
+				Name:     "test_secret0",
+				Provider: "test",
+				Path:     "/test/path",
+				Env: map[string]string{
+					"NOMAD_NAMESPACE": "incorrect",
+					"NOMAD_JOB_ID":    "also-incorrect",
+				},
+			},
+			{
+				Name:     "test_secret1",
+				Provider: "test",
+				Path:     "/test/path",
+			},
+		})
+
+		// Start template hook with a timeout context to ensure it exists.
+		req := &interfaces.TaskPrestartRequest{
+			Alloc:   alloc,
+			Task:    task,
+			TaskDir: &allocdir.TaskDir{Dir: taskDir, SecretsDir: taskDir},
+		}
+
+		ctx, cancel := context.WithTimeout(context.Background(), 3*time.Second)
+		t.Cleanup(cancel)
+
+		err = secretHook.Prestart(ctx, req, &interfaces.TaskPrestartResponse{})
+		must.NoError(t, err)
+
+		exp := map[string]string{
+			"secret.test_secret0.jobID":     "test-jobid",
+			"secret.test_secret0.namespace": "test-namespace",
+			"secret.test_secret1.jobID":     "test-jobid",
+			"secret.test_secret1.namespace": "test-namespace",
+		}
+
+		must.Eq(t, exp, taskEnv.Build().TaskSecrets)
+	})
+}

client/allocrunner/taskrunner/task_runner_hooks.go

@@ -89,6 +89,7 @@ func (tr *TaskRunner) initHooks() {
 			clientConfig:   tr.clientConfig,
 			envBuilder:     tr.envBuilder,
 			nomadNamespace: tr.alloc.Job.Namespace,
+			jobId:          tr.alloc.Job.ID,
 		}, task.Secrets))
 	}