comments: cleanup some leftover debug comments and such
This commit is contained in:
parent
5c5da95f34
commit
78a7d1e426
|
@ -121,7 +121,6 @@ func (h *envoyBootstrapHook) Prestart(ctx context.Context, req *interfaces.TaskP
|
||||||
siToken: siToken,
|
siToken: siToken,
|
||||||
}.args()
|
}.args()
|
||||||
|
|
||||||
// put old stuff in here
|
|
||||||
// Since Consul services are registered asynchronously with this task
|
// Since Consul services are registered asynchronously with this task
|
||||||
// hook running, retry a small number of times with backoff.
|
// hook running, retry a small number of times with backoff.
|
||||||
for tries := 3; ; tries-- {
|
for tries := 3; ; tries-- {
|
||||||
|
|
|
@ -1830,7 +1830,7 @@ func TestTaskRunner_RestartSignalTask_NotRunning(t *testing.T) {
|
||||||
require.Fail(t, "timed out waiting for task to complete")
|
require.Fail(t, "timed out waiting for task to complete")
|
||||||
}
|
}
|
||||||
|
|
||||||
// Assert the task unblocked and never restarted
|
// Assert the task ran and never restarted
|
||||||
state := tr.TaskState()
|
state := tr.TaskState()
|
||||||
require.Equal(t, structs.TaskStateDead, state.State)
|
require.Equal(t, structs.TaskStateDead, state.State)
|
||||||
require.False(t, state.Failed)
|
require.False(t, state.Failed)
|
||||||
|
|
|
@ -148,7 +148,7 @@ func (t *tasklet) run() *taskletHandle {
|
||||||
|
|
||||||
select {
|
select {
|
||||||
case <-t.shutdownCh:
|
case <-t.shutdownCh:
|
||||||
// We've been told to exit and just unblocked so exit
|
// We've been told to exit and just ran so exit
|
||||||
return
|
return
|
||||||
default:
|
default:
|
||||||
}
|
}
|
||||||
|
|
|
@ -96,7 +96,7 @@ func (h *volumeHook) Prestart(ctx context.Context, req *interfaces.TaskPrestartR
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
// Because this hook is also unblocked on restores, we only add mounts that do not
|
// Because this hook is also ran on restores, we only add mounts that do not
|
||||||
// already exist. Although this loop is somewhat expensive, there are only
|
// already exist. Although this loop is somewhat expensive, there are only
|
||||||
// a small number of mounts that exist within most individual tasks. We may
|
// a small number of mounts that exist within most individual tasks. We may
|
||||||
// want to revisit this using a `hookdata` param to be "mount only once"
|
// want to revisit this using a `hookdata` param to be "mount only once"
|
||||||
|
|
|
@ -9,7 +9,7 @@ import (
|
||||||
"github.com/stretchr/testify/require"
|
"github.com/stretchr/testify/require"
|
||||||
)
|
)
|
||||||
|
|
||||||
func TestCSI_DeriveTokens(t *testing.T) {
|
func TestSI_DeriveTokens(t *testing.T) {
|
||||||
logger := testlog.HCLogger(t)
|
logger := testlog.HCLogger(t)
|
||||||
dFunc := func(alloc *structs.Allocation, taskNames []string) (map[string]string, error) {
|
dFunc := func(alloc *structs.Allocation, taskNames []string) (map[string]string, error) {
|
||||||
return map[string]string{"a": "b"}, nil
|
return map[string]string{"a": "b"}, nil
|
||||||
|
@ -20,7 +20,7 @@ func TestCSI_DeriveTokens(t *testing.T) {
|
||||||
require.Equal(t, map[string]string{"a": "b"}, tokens)
|
require.Equal(t, map[string]string{"a": "b"}, tokens)
|
||||||
}
|
}
|
||||||
|
|
||||||
func TestCSI_DeriveTokens_error(t *testing.T) {
|
func TestSI_DeriveTokens_error(t *testing.T) {
|
||||||
logger := testlog.HCLogger(t)
|
logger := testlog.HCLogger(t)
|
||||||
dFunc := func(alloc *structs.Allocation, taskNames []string) (map[string]string, error) {
|
dFunc := func(alloc *structs.Allocation, taskNames []string) (map[string]string, error) {
|
||||||
return nil, errors.New("some failure")
|
return nil, errors.New("some failure")
|
||||||
|
|
|
@ -88,7 +88,7 @@ func (m *MockACLsAPI) RoleRead(roleID string, _ *api.QueryOptions) (*api.ACLRole
|
||||||
ID: ExamplePolicyID1,
|
ID: ExamplePolicyID1,
|
||||||
Name: "example-policy-1",
|
Name: "example-policy-1",
|
||||||
}},
|
}},
|
||||||
ServiceIdentities: nil, // would it ever make sense ?
|
ServiceIdentities: nil,
|
||||||
}, nil, nil
|
}, nil, nil
|
||||||
case ExampleRoleID2:
|
case ExampleRoleID2:
|
||||||
return &api.ACLRole{
|
return &api.ACLRole{
|
||||||
|
@ -104,9 +104,8 @@ func (m *MockACLsAPI) RoleRead(roleID string, _ *api.QueryOptions) (*api.ACLRole
|
||||||
return &api.ACLRole{
|
return &api.ACLRole{
|
||||||
ID: ExampleRoleID3,
|
ID: ExampleRoleID3,
|
||||||
Name: "example-role-3",
|
Name: "example-role-3",
|
||||||
Policies: nil, // todo
|
Policies: nil, // todo add more if needed
|
||||||
ServiceIdentities: nil, // todo
|
ServiceIdentities: nil, // todo add more if needed
|
||||||
ModifyIndex: 0,
|
|
||||||
}, nil, nil
|
}, nil, nil
|
||||||
default:
|
default:
|
||||||
return nil, nil, nil
|
return nil, nil, nil
|
||||||
|
|
|
@ -378,14 +378,14 @@ func (c *consulACLsAPI) bgRetryRevoke() {
|
||||||
copy(toPurge, c.bgRetryRevocation)
|
copy(toPurge, c.bgRetryRevocation)
|
||||||
|
|
||||||
if err := c.parallelRevoke(context.Background(), toPurge); err != nil {
|
if err := c.parallelRevoke(context.Background(), toPurge); err != nil {
|
||||||
c.logger.Warn("background token revocation failed", "error", err)
|
c.logger.Warn("background SI token revocation failed", "error", err)
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
// Call the revocation function
|
// Call the revocation function
|
||||||
if err := c.purgeFunc(toPurge); err != nil {
|
if err := c.purgeFunc(toPurge); err != nil {
|
||||||
// Just try again later (revocation is idempotent)
|
// Just try again later (revocation is idempotent)
|
||||||
c.logger.Error("token revocation failed", "error", err)
|
c.logger.Error("background SI token purge failed", "error", err)
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -8,17 +8,21 @@ import (
|
||||||
"github.com/pkg/errors"
|
"github.com/pkg/errors"
|
||||||
)
|
)
|
||||||
|
|
||||||
// ConsulServiceRule represents a policy for a service
|
// ConsulServiceRule represents a policy for a service.
|
||||||
type ConsulServiceRule struct {
|
type ConsulServiceRule struct {
|
||||||
Name string `hcl:",key"`
|
Name string `hcl:",key"`
|
||||||
Policy string
|
Policy string
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// ConsulPolicy represents the parts of a ConsulServiceRule Policy that are
|
||||||
|
// relevant to Service Identity authorizations.
|
||||||
type ConsulPolicy struct {
|
type ConsulPolicy struct {
|
||||||
Services []*ConsulServiceRule `hcl:"service,expand"`
|
Services []*ConsulServiceRule `hcl:"service,expand"`
|
||||||
ServicePrefixes []*ConsulServiceRule `hcl:"service_prefix,expand"`
|
ServicePrefixes []*ConsulServiceRule `hcl:"service_prefix,expand"`
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// IsEmpty returns true if there are no Services or ServicePrefixes defined for
|
||||||
|
// the ConsulPolicy.
|
||||||
func (cp *ConsulPolicy) IsEmpty() bool {
|
func (cp *ConsulPolicy) IsEmpty() bool {
|
||||||
if cp == nil {
|
if cp == nil {
|
||||||
return true
|
return true
|
||||||
|
@ -26,6 +30,9 @@ func (cp *ConsulPolicy) IsEmpty() bool {
|
||||||
return len(cp.Services) == 0 && len(cp.ServicePrefixes) == 0
|
return len(cp.Services) == 0 && len(cp.ServicePrefixes) == 0
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// ParseConsulPolicy parses raw string s into a ConsulPolicy. An error is
|
||||||
|
// returned if decoding the policy fails, or if the decoded policy has no
|
||||||
|
// Services or ServicePrefixes defined.
|
||||||
func ParseConsulPolicy(s string) (*ConsulPolicy, error) {
|
func ParseConsulPolicy(s string) (*ConsulPolicy, error) {
|
||||||
cp := new(ConsulPolicy)
|
cp := new(ConsulPolicy)
|
||||||
if err := hcl.Decode(cp, s); err != nil {
|
if err := hcl.Decode(cp, s); err != nil {
|
||||||
|
@ -71,7 +78,6 @@ func (c *consulACLsAPI) hasSufficientPolicy(task string, token *api.ACLToken) (b
|
||||||
return false, nil
|
return false, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
// policyAllowsServiceWrite
|
|
||||||
func (c *consulACLsAPI) policyAllowsServiceWrite(task string, policyID string) (bool, error) {
|
func (c *consulACLsAPI) policyAllowsServiceWrite(task string, policyID string) (bool, error) {
|
||||||
policy, _, err := c.aclClient.PolicyRead(policyID, &api.QueryOptions{
|
policy, _, err := c.aclClient.PolicyRead(policyID, &api.QueryOptions{
|
||||||
AllowStale: false,
|
AllowStale: false,
|
||||||
|
|
|
@ -350,6 +350,9 @@ func (n *Node) deregister(args *structs.NodeBatchDeregisterRequest,
|
||||||
return err
|
return err
|
||||||
} else if l := len(accessors); l > 0 {
|
} else if l := len(accessors); l > 0 {
|
||||||
n.logger.Debug("revoking si accessors on node due to deregister", "num_accessors", l, "node_id", nodeID)
|
n.logger.Debug("revoking si accessors on node due to deregister", "num_accessors", l, "node_id", nodeID)
|
||||||
|
// Unlike with the Vault integration, there's no error returned here, since
|
||||||
|
// bootstrapping the Consul client is elsewhere. Errors in revocation trigger
|
||||||
|
// background retry attempts rather than inline error handling.
|
||||||
_ = n.srv.consulACLs.RevokeTokens(context.Background(), accessors, true)
|
_ = n.srv.consulACLs.RevokeTokens(context.Background(), accessors, true)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -465,10 +468,10 @@ func (n *Node) UpdateStatus(args *structs.NodeUpdateStatusRequest, reply *struct
|
||||||
|
|
||||||
// Determine if there are any SI token accessors on the node to cleanup
|
// Determine if there are any SI token accessors on the node to cleanup
|
||||||
if accessors, err := n.srv.State().SITokenAccessorsByNode(ws, args.NodeID); err != nil {
|
if accessors, err := n.srv.State().SITokenAccessorsByNode(ws, args.NodeID); err != nil {
|
||||||
n.logger.Error("looking up si accessors for node failed", "node_id", args.NodeID, "error", err)
|
n.logger.Error("looking up SI accessors for node failed", "node_id", args.NodeID, "error", err)
|
||||||
return err
|
return err
|
||||||
} else if l := len(accessors); l > 0 {
|
} else if l := len(accessors); l > 0 {
|
||||||
n.logger.Debug("revoking si accessors on node due to down state", "num_accessors", l, "node_id", args.NodeID)
|
n.logger.Debug("revoking SI accessors on node due to down state", "num_accessors", l, "node_id", args.NodeID)
|
||||||
_ = n.srv.consulACLs.RevokeTokens(context.Background(), accessors, true)
|
_ = n.srv.consulACLs.RevokeTokens(context.Background(), accessors, true)
|
||||||
}
|
}
|
||||||
default:
|
default:
|
||||||
|
|
|
@ -146,8 +146,6 @@ func DefaultConsulConfig() *ConsulConfig {
|
||||||
//
|
//
|
||||||
// If allow_unauthenticated is false, the operator must provide a token on
|
// If allow_unauthenticated is false, the operator must provide a token on
|
||||||
// job submission (i.e. -consul-token or $CONSUL_TOKEN).
|
// job submission (i.e. -consul-token or $CONSUL_TOKEN).
|
||||||
//
|
|
||||||
// todo: seems like we should be using this somewhere...
|
|
||||||
func (c *ConsulConfig) AllowsUnauthenticated() bool {
|
func (c *ConsulConfig) AllowsUnauthenticated() bool {
|
||||||
return c.AllowUnauthenticated != nil && *c.AllowUnauthenticated
|
return c.AllowUnauthenticated != nil && *c.AllowUnauthenticated
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in a new issue