open-nomad/client/fingerprint/vault.go

// Copyright (c) HashiCorp, Inc.
// SPDX-License-Identifier: MPL-2.0

package fingerprint

import (
	"fmt"
	"strconv"
	"strings"
	"time"

	log "github.com/hashicorp/go-hclog"
	"github.com/hashicorp/nomad/helper"
	"github.com/hashicorp/nomad/helper/useragent"
	vapi "github.com/hashicorp/vault/api"
)

const (
	vaultAvailable   = "available"
	vaultUnavailable = "unavailable"
)

// VaultFingerprint is used to fingerprint for Vault
type VaultFingerprint struct {
	logger    log.Logger
	client    *vapi.Client
	lastState string
}

// NewVaultFingerprint is used to create a Vault fingerprint
func NewVaultFingerprint(logger log.Logger) Fingerprint {
	return &VaultFingerprint{logger: logger.Named("vault"), lastState: vaultUnavailable}
}

func (f *VaultFingerprint) Fingerprint(req *FingerprintRequest, resp *FingerprintResponse) error {
	config := req.Config

	if config.VaultConfig == nil || !config.VaultConfig.IsEnabled() {
		return nil
	}

	// Only create the client once to avoid creating too many connections to Vault
	if f.client == nil {
		vaultConfig, err := config.VaultConfig.ApiConfig()
		if err != nil {
			return fmt.Errorf("Failed to initialize the Vault client config: %v", err)
		}
		f.client, err = vapi.NewClient(vaultConfig)
		if err != nil {
			return fmt.Errorf("Failed to initialize Vault client: %s", err)
		}
		useragent.SetHeaders(f.client)
	}

	// Connect to vault and parse its information
	status, err := f.client.Sys().SealStatus()
	if err != nil {

		// Print a message indicating that Vault is not available anymore
		if f.lastState == vaultAvailable {
			f.logger.Info("Vault is unavailable")
		}
		f.lastState = vaultUnavailable
		return nil
	}

	resp.AddAttribute("vault.accessible", strconv.FormatBool(true))
	// We strip the Vault prefix because < 0.6.2 the version looks like:
	// status.Version = "Vault v0.6.1"
	resp.AddAttribute("vault.version", strings.TrimPrefix(status.Version, "Vault "))
	resp.AddAttribute("vault.cluster_id", status.ClusterID)
	resp.AddAttribute("vault.cluster_name", status.ClusterName)

	// If Vault was previously unavailable print a message to indicate the Agent
	// is available now
	if f.lastState == vaultUnavailable {
		f.logger.Info("Vault is available")
	}
	f.lastState = vaultAvailable
	resp.Detected = true
	return nil
}

func (f *VaultFingerprint) Periodic() (bool, time.Duration) {
	if f.lastState == vaultAvailable {
		// Fingerprint infrequently once Vault is initially discovered with wide
		// jitter to avoid thundering herds of fingerprints against central Vault
		// servers.
		return true, (30 * time.Second) + helper.RandomStagger(90*time.Second)
	}
	return true, 15 * time.Second
}
[COMPLIANCE] Add Copyright and License Headers 2023-04-10 15:36:59 +00:00			`// Copyright (c) HashiCorp, Inc.`
			`// SPDX-License-Identifier: MPL-2.0`

Fingerprint 2016-09-01 18:02:19 +00:00			`package fingerprint`

			`import (`
			`"fmt"`
			`"strconv"`
			`"strings"`
			`"time"`

client uses passed logger and fix fingerprinters 2018-09-16 00:48:59 +00:00			`log "github.com/hashicorp/go-hclog"`
fingerprint: lengthen Vault check after seen (#14693) Extension of #14673 Once Vault is initially fingerprinted, extend the period since changes should be infrequent and the fingerprint is relatively expensive since it is contacting a central Vault server. Also move the period timer reset after the fingerprint. This is similar to #9435 where the idea is to ensure the retry period starts after the operation is attempted. 15s will be the minimum time between fingerprints now instead of the maximum time between fingerprints. In the case of Vault fingerprinting, the original behavior might cause the following: 1. Timer is reset to 15s 2. Fingerprint takes 16s 3. Timer has already elapsed so we immediately Fingerprint again Even if fingerprinting Vault only takes a few seconds, that may very well be due to excessive load and backing off our fingerprints is desirable. The new bevahior ensures we always wait at least 15s between fingerprint attempts and should allow some natural jittering based on server load and network latency. 2022-09-26 19:14:19 +00:00			`"github.com/hashicorp/nomad/helper"`
vault: configure user agent on Nomad vault clients (#15745) * vault: configure user agent on Nomad vault clients This PR attempts to set the User-Agent header on each Vault API client created by Nomad. Still need to figure a way to set User-Agent on the Vault client created internally by consul-template. * vault: fixup find-and-replace gone awry 2023-01-10 16:39:45 +00:00			`"github.com/hashicorp/nomad/helper/useragent"`
Fingerprint 2016-09-01 18:02:19 +00:00			`vapi "github.com/hashicorp/vault/api"`
			`)`

			`const (`
			`vaultAvailable = "available"`
			`vaultUnavailable = "unavailable"`
			`)`

small fixes 2016-09-01 20:38:31 +00:00			`// VaultFingerprint is used to fingerprint for Vault`
Fingerprint 2016-09-01 18:02:19 +00:00			`type VaultFingerprint struct {`
client uses passed logger and fix fingerprinters 2018-09-16 00:48:59 +00:00			`logger log.Logger`
Fingerprint 2016-09-01 18:02:19 +00:00			`client *vapi.Client`
			`lastState string`
			`}`

			`// NewVaultFingerprint is used to create a Vault fingerprint`
client uses passed logger and fix fingerprinters 2018-09-16 00:48:59 +00:00			`func NewVaultFingerprint(logger log.Logger) Fingerprint {`
			`return &VaultFingerprint{logger: logger.Named("vault"), lastState: vaultUnavailable}`
Fingerprint 2016-09-01 18:02:19 +00:00			`}`

client: Move fingerprint structs to pkg This removes a cyclical dependency when importing client/structs from dependencies of the plugin_loader, specifically, drivers. Due to client/config also depending on the plugin_loader. It also better reflects the ownership of fingerprint structs, as they are fairly internal to the fingerprint manager. 2018-12-01 16:10:39 +00:00			`func (f VaultFingerprint) Fingerprint(req FingerprintRequest, resp *FingerprintResponse) error {`
refactor Fingerprint to request/response construct 2018-01-24 14:09:53 +00:00			`config := req.Config`

Fix Vault parsing of booleans 2016-10-11 01:04:39 +00:00			`if config.VaultConfig == nil \|\| !config.VaultConfig.IsEnabled() {`
refactor Fingerprint to request/response construct 2018-01-24 14:09:53 +00:00			`return nil`
Fingerprint 2016-09-01 18:02:19 +00:00			`}`

vault: configure user agent on Nomad vault clients (#15745) * vault: configure user agent on Nomad vault clients This PR attempts to set the User-Agent header on each Vault API client created by Nomad. Still need to figure a way to set User-Agent on the Vault client created internally by consul-template. * vault: fixup find-and-replace gone awry 2023-01-10 16:39:45 +00:00			`// Only create the client once to avoid creating too many connections to Vault`
Fingerprint 2016-09-01 18:02:19 +00:00			`if f.client == nil {`
			`vaultConfig, err := config.VaultConfig.ApiConfig()`
			`if err != nil {`
refactor Fingerprint to request/response construct 2018-01-24 14:09:53 +00:00			`return fmt.Errorf("Failed to initialize the Vault client config: %v", err)`
Fingerprint 2016-09-01 18:02:19 +00:00			`}`
			`f.client, err = vapi.NewClient(vaultConfig)`
			`if err != nil {`
refactor Fingerprint to request/response construct 2018-01-24 14:09:53 +00:00			`return fmt.Errorf("Failed to initialize Vault client: %s", err)`
Fingerprint 2016-09-01 18:02:19 +00:00			`}`
vault: configure user agent on Nomad vault clients (#15745) * vault: configure user agent on Nomad vault clients This PR attempts to set the User-Agent header on each Vault API client created by Nomad. Still need to figure a way to set User-Agent on the Vault client created internally by consul-template. * vault: fixup find-and-replace gone awry 2023-01-10 16:39:45 +00:00			`useragent.SetHeaders(f.client)`
Fingerprint 2016-09-01 18:02:19 +00:00			`}`

			`// Connect to vault and parse its information`
			`status, err := f.client.Sys().SealStatus()`
			`if err != nil {`
fingerprint: don't clear Consul/Vault attributes on failure (#14673) Clients periodically fingerprint Vault and Consul to ensure the server has updated attributes in the client's fingerprint. If the client can't reach Vault/Consul, the fingerprinter clears the attributes and requires a node update. Although this seems like correct behavior so that we can detect intentional removal of Vault/Consul access, it has two serious failure modes: (1) If a local Consul agent is restarted to pick up configuration changes and the client happens to fingerprint at that moment, the client will update its fingerprint and result in evaluations for all its jobs and all the system jobs in the cluster. (2) If a client loses Vault connectivity, the same thing happens. But the consequences are much worse in the Vault case because Vault is not run as a local agent, so Vault connectivity failures are highly correlated across the entire cluster. A 15 second Vault outage will cause a new `node-update` evalution for every system job on the cluster times the number of nodes, plus one `node-update` evaluation for every non-system job on each node. On large clusters of 1000s of nodes, we've seen this create a large backlog of evaluations. This changeset updates the fingerprinting behavior to keep the last fingerprint if Consul or Vault queries fail. This prevents a storm of evaluations at the cost of requiring a client restart if Consul or Vault is intentionally removed from the client. 2022-09-23 18:45:12 +00:00
Fingerprint 2016-09-01 18:02:19 +00:00			`// Print a message indicating that Vault is not available anymore`
			`if f.lastState == vaultAvailable {`
client uses passed logger and fix fingerprinters 2018-09-16 00:48:59 +00:00			`f.logger.Info("Vault is unavailable")`
Fingerprint 2016-09-01 18:02:19 +00:00			`}`
			`f.lastState = vaultUnavailable`
refactor Fingerprint to request/response construct 2018-01-24 14:09:53 +00:00			`return nil`
Fingerprint 2016-09-01 18:02:19 +00:00			`}`

create safe getters and setters for fingerprint response 2018-01-26 16:21:07 +00:00			`resp.AddAttribute("vault.accessible", strconv.FormatBool(true))`
Enable more linters 2017-09-26 22:26:33 +00:00			`// We strip the Vault prefix because < 0.6.2 the version looks like:`
Fingerprint 2016-09-01 18:02:19 +00:00			`// status.Version = "Vault v0.6.1"`
create safe getters and setters for fingerprint response 2018-01-26 16:21:07 +00:00			`resp.AddAttribute("vault.version", strings.TrimPrefix(status.Version, "Vault "))`
			`resp.AddAttribute("vault.cluster_id", status.ClusterID)`
			`resp.AddAttribute("vault.cluster_name", status.ClusterName)`
Fingerprint 2016-09-01 18:02:19 +00:00
			`// If Vault was previously unavailable print a message to indicate the Agent`
			`// is available now`
			`if f.lastState == vaultUnavailable {`
client uses passed logger and fix fingerprinters 2018-09-16 00:48:59 +00:00			`f.logger.Info("Vault is available")`
Fingerprint 2016-09-01 18:02:19 +00:00			`}`
			`f.lastState = vaultAvailable`
code review fixup 2018-01-31 22:03:55 +00:00			`resp.Detected = true`
refactor Fingerprint to request/response construct 2018-01-24 14:09:53 +00:00			`return nil`
Fingerprint 2016-09-01 18:02:19 +00:00			`}`

			`func (f *VaultFingerprint) Periodic() (bool, time.Duration) {`
fingerprint: lengthen Vault check after seen (#14693) Extension of #14673 Once Vault is initially fingerprinted, extend the period since changes should be infrequent and the fingerprint is relatively expensive since it is contacting a central Vault server. Also move the period timer reset after the fingerprint. This is similar to #9435 where the idea is to ensure the retry period starts after the operation is attempted. 15s will be the minimum time between fingerprints now instead of the maximum time between fingerprints. In the case of Vault fingerprinting, the original behavior might cause the following: 1. Timer is reset to 15s 2. Fingerprint takes 16s 3. Timer has already elapsed so we immediately Fingerprint again Even if fingerprinting Vault only takes a few seconds, that may very well be due to excessive load and backing off our fingerprints is desirable. The new bevahior ensures we always wait at least 15s between fingerprint attempts and should allow some natural jittering based on server load and network latency. 2022-09-26 19:14:19 +00:00			`if f.lastState == vaultAvailable {`
			`// Fingerprint infrequently once Vault is initially discovered with wide`
			`// jitter to avoid thundering herds of fingerprints against central Vault`
			`// servers.`
			`return true, (30 * time.Second) + helper.RandomStagger(90*time.Second)`
			`}`
Fingerprint 2016-09-01 18:02:19 +00:00			`return true, 15 * time.Second`
			`}`