comments: cleanup some leftover debug comments and such

This commit is contained in:
Seth Hoenig 2020-01-07 11:58:29 -06:00
parent 5c5da95f34
commit 78a7d1e426
10 changed files with 23 additions and 18 deletions

View file

@ -121,7 +121,6 @@ func (h *envoyBootstrapHook) Prestart(ctx context.Context, req *interfaces.TaskP
siToken: siToken, siToken: siToken,
}.args() }.args()
// put old stuff in here
// Since Consul services are registered asynchronously with this task // Since Consul services are registered asynchronously with this task
// hook running, retry a small number of times with backoff. // hook running, retry a small number of times with backoff.
for tries := 3; ; tries-- { for tries := 3; ; tries-- {

View file

@ -1830,7 +1830,7 @@ func TestTaskRunner_RestartSignalTask_NotRunning(t *testing.T) {
require.Fail(t, "timed out waiting for task to complete") require.Fail(t, "timed out waiting for task to complete")
} }
// Assert the task unblocked and never restarted // Assert the task ran and never restarted
state := tr.TaskState() state := tr.TaskState()
require.Equal(t, structs.TaskStateDead, state.State) require.Equal(t, structs.TaskStateDead, state.State)
require.False(t, state.Failed) require.False(t, state.Failed)

View file

@ -148,7 +148,7 @@ func (t *tasklet) run() *taskletHandle {
select { select {
case <-t.shutdownCh: case <-t.shutdownCh:
// We've been told to exit and just unblocked so exit // We've been told to exit and just ran so exit
return return
default: default:
} }

View file

@ -96,7 +96,7 @@ func (h *volumeHook) Prestart(ctx context.Context, req *interfaces.TaskPrestartR
return err return err
} }
// Because this hook is also unblocked on restores, we only add mounts that do not // Because this hook is also ran on restores, we only add mounts that do not
// already exist. Although this loop is somewhat expensive, there are only // already exist. Although this loop is somewhat expensive, there are only
// a small number of mounts that exist within most individual tasks. We may // a small number of mounts that exist within most individual tasks. We may
// want to revisit this using a `hookdata` param to be "mount only once" // want to revisit this using a `hookdata` param to be "mount only once"

View file

@ -9,7 +9,7 @@ import (
"github.com/stretchr/testify/require" "github.com/stretchr/testify/require"
) )
func TestCSI_DeriveTokens(t *testing.T) { func TestSI_DeriveTokens(t *testing.T) {
logger := testlog.HCLogger(t) logger := testlog.HCLogger(t)
dFunc := func(alloc *structs.Allocation, taskNames []string) (map[string]string, error) { dFunc := func(alloc *structs.Allocation, taskNames []string) (map[string]string, error) {
return map[string]string{"a": "b"}, nil return map[string]string{"a": "b"}, nil
@ -20,7 +20,7 @@ func TestCSI_DeriveTokens(t *testing.T) {
require.Equal(t, map[string]string{"a": "b"}, tokens) require.Equal(t, map[string]string{"a": "b"}, tokens)
} }
func TestCSI_DeriveTokens_error(t *testing.T) { func TestSI_DeriveTokens_error(t *testing.T) {
logger := testlog.HCLogger(t) logger := testlog.HCLogger(t)
dFunc := func(alloc *structs.Allocation, taskNames []string) (map[string]string, error) { dFunc := func(alloc *structs.Allocation, taskNames []string) (map[string]string, error) {
return nil, errors.New("some failure") return nil, errors.New("some failure")

View file

@ -88,7 +88,7 @@ func (m *MockACLsAPI) RoleRead(roleID string, _ *api.QueryOptions) (*api.ACLRole
ID: ExamplePolicyID1, ID: ExamplePolicyID1,
Name: "example-policy-1", Name: "example-policy-1",
}}, }},
ServiceIdentities: nil, // would it ever make sense ? ServiceIdentities: nil,
}, nil, nil }, nil, nil
case ExampleRoleID2: case ExampleRoleID2:
return &api.ACLRole{ return &api.ACLRole{
@ -104,9 +104,8 @@ func (m *MockACLsAPI) RoleRead(roleID string, _ *api.QueryOptions) (*api.ACLRole
return &api.ACLRole{ return &api.ACLRole{
ID: ExampleRoleID3, ID: ExampleRoleID3,
Name: "example-role-3", Name: "example-role-3",
Policies: nil, // todo Policies: nil, // todo add more if needed
ServiceIdentities: nil, // todo ServiceIdentities: nil, // todo add more if needed
ModifyIndex: 0,
}, nil, nil }, nil, nil
default: default:
return nil, nil, nil return nil, nil, nil

View file

@ -378,14 +378,14 @@ func (c *consulACLsAPI) bgRetryRevoke() {
copy(toPurge, c.bgRetryRevocation) copy(toPurge, c.bgRetryRevocation)
if err := c.parallelRevoke(context.Background(), toPurge); err != nil { if err := c.parallelRevoke(context.Background(), toPurge); err != nil {
c.logger.Warn("background token revocation failed", "error", err) c.logger.Warn("background SI token revocation failed", "error", err)
return return
} }
// Call the revocation function // Call the revocation function
if err := c.purgeFunc(toPurge); err != nil { if err := c.purgeFunc(toPurge); err != nil {
// Just try again later (revocation is idempotent) // Just try again later (revocation is idempotent)
c.logger.Error("token revocation failed", "error", err) c.logger.Error("background SI token purge failed", "error", err)
return return
} }

View file

@ -8,17 +8,21 @@ import (
"github.com/pkg/errors" "github.com/pkg/errors"
) )
// ConsulServiceRule represents a policy for a service // ConsulServiceRule represents a policy for a service.
type ConsulServiceRule struct { type ConsulServiceRule struct {
Name string `hcl:",key"` Name string `hcl:",key"`
Policy string Policy string
} }
// ConsulPolicy represents the parts of a ConsulServiceRule Policy that are
// relevant to Service Identity authorizations.
type ConsulPolicy struct { type ConsulPolicy struct {
Services []*ConsulServiceRule `hcl:"service,expand"` Services []*ConsulServiceRule `hcl:"service,expand"`
ServicePrefixes []*ConsulServiceRule `hcl:"service_prefix,expand"` ServicePrefixes []*ConsulServiceRule `hcl:"service_prefix,expand"`
} }
// IsEmpty returns true if there are no Services or ServicePrefixes defined for
// the ConsulPolicy.
func (cp *ConsulPolicy) IsEmpty() bool { func (cp *ConsulPolicy) IsEmpty() bool {
if cp == nil { if cp == nil {
return true return true
@ -26,6 +30,9 @@ func (cp *ConsulPolicy) IsEmpty() bool {
return len(cp.Services) == 0 && len(cp.ServicePrefixes) == 0 return len(cp.Services) == 0 && len(cp.ServicePrefixes) == 0
} }
// ParseConsulPolicy parses raw string s into a ConsulPolicy. An error is
// returned if decoding the policy fails, or if the decoded policy has no
// Services or ServicePrefixes defined.
func ParseConsulPolicy(s string) (*ConsulPolicy, error) { func ParseConsulPolicy(s string) (*ConsulPolicy, error) {
cp := new(ConsulPolicy) cp := new(ConsulPolicy)
if err := hcl.Decode(cp, s); err != nil { if err := hcl.Decode(cp, s); err != nil {
@ -71,7 +78,6 @@ func (c *consulACLsAPI) hasSufficientPolicy(task string, token *api.ACLToken) (b
return false, nil return false, nil
} }
// policyAllowsServiceWrite
func (c *consulACLsAPI) policyAllowsServiceWrite(task string, policyID string) (bool, error) { func (c *consulACLsAPI) policyAllowsServiceWrite(task string, policyID string) (bool, error) {
policy, _, err := c.aclClient.PolicyRead(policyID, &api.QueryOptions{ policy, _, err := c.aclClient.PolicyRead(policyID, &api.QueryOptions{
AllowStale: false, AllowStale: false,

View file

@ -350,6 +350,9 @@ func (n *Node) deregister(args *structs.NodeBatchDeregisterRequest,
return err return err
} else if l := len(accessors); l > 0 { } else if l := len(accessors); l > 0 {
n.logger.Debug("revoking si accessors on node due to deregister", "num_accessors", l, "node_id", nodeID) n.logger.Debug("revoking si accessors on node due to deregister", "num_accessors", l, "node_id", nodeID)
// Unlike with the Vault integration, there's no error returned here, since
// bootstrapping the Consul client is elsewhere. Errors in revocation trigger
// background retry attempts rather than inline error handling.
_ = n.srv.consulACLs.RevokeTokens(context.Background(), accessors, true) _ = n.srv.consulACLs.RevokeTokens(context.Background(), accessors, true)
} }
@ -465,10 +468,10 @@ func (n *Node) UpdateStatus(args *structs.NodeUpdateStatusRequest, reply *struct
// Determine if there are any SI token accessors on the node to cleanup // Determine if there are any SI token accessors on the node to cleanup
if accessors, err := n.srv.State().SITokenAccessorsByNode(ws, args.NodeID); err != nil { if accessors, err := n.srv.State().SITokenAccessorsByNode(ws, args.NodeID); err != nil {
n.logger.Error("looking up si accessors for node failed", "node_id", args.NodeID, "error", err) n.logger.Error("looking up SI accessors for node failed", "node_id", args.NodeID, "error", err)
return err return err
} else if l := len(accessors); l > 0 { } else if l := len(accessors); l > 0 {
n.logger.Debug("revoking si accessors on node due to down state", "num_accessors", l, "node_id", args.NodeID) n.logger.Debug("revoking SI accessors on node due to down state", "num_accessors", l, "node_id", args.NodeID)
_ = n.srv.consulACLs.RevokeTokens(context.Background(), accessors, true) _ = n.srv.consulACLs.RevokeTokens(context.Background(), accessors, true)
} }
default: default:

View file

@ -146,8 +146,6 @@ func DefaultConsulConfig() *ConsulConfig {
// //
// If allow_unauthenticated is false, the operator must provide a token on // If allow_unauthenticated is false, the operator must provide a token on
// job submission (i.e. -consul-token or $CONSUL_TOKEN). // job submission (i.e. -consul-token or $CONSUL_TOKEN).
//
// todo: seems like we should be using this somewhere...
func (c *ConsulConfig) AllowsUnauthenticated() bool { func (c *ConsulConfig) AllowsUnauthenticated() bool {
return c.AllowUnauthenticated != nil && *c.AllowUnauthenticated return c.AllowUnauthenticated != nil && *c.AllowUnauthenticated
} }