Michael Schurter
ef9d100d2f
Merge pull request #6082 from hashicorp/b-vault-deadlock
...
vault: fix deadlock in SetConfig
2019-08-06 15:30:17 -07:00
Michael Schurter
b8e127b3c0
vault: ensure SetConfig calls are serialized
...
This is a defensive measure as SetConfig should only be called serially.
2019-08-06 11:17:10 -07:00
Michael Schurter
5022341b27
vault: fix deadlock in SetConfig
...
This seems to be the minimum viable patch for fixing a deadlock between
establishConnection and SetConfig.
SetConfig calls tomb.Kill+tomb.Wait while holding v.lock.
establishConnection needs to acquire v.lock to exit but SetConfig is
holding v.lock until tomb.Wait exits. tomb.Wait can't exit until
establishConnection does!
```
SetConfig -> tomb.Wait
    ^             |
    |             v
 v.lock <- establishConnection
```
2019-08-06 10:40:14 -07:00
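The lock-ordering cycle in the commit message above, reproduced as an added example (not Nomad's code): a hypothetical `vaultClient` whose stop/done channel pair stands in for `tomb.Kill`/`tomb.Wait`. `setConfigPreFix` kills and waits while holding `v.lock`, which the worker needs in order to exit, so it never returns; `SetConfig` releases `v.lock` before waiting and serializes callers with a separate `setConfigLock`, as the follow-up "ensure SetConfig calls are serialized" commit does. All names here are assumptions for the example.

```go
package main

import (
	"fmt"
	"sync"
	"time"
)

// vaultClient is a hypothetical stand-in for the server Vault client.
// The stop/done channel pair plays the role of tomb.Kill/tomb.Wait.
type vaultClient struct {
	lock          sync.Mutex // guards token, connected and the channel handles
	setConfigLock sync.Mutex // serializes SetConfig callers (defensive, as in the fix)
	token         string
	connected     bool
	stop          chan struct{}
	done          chan struct{}
}

func newVaultClient(token string) *vaultClient {
	v := &vaultClient{token: token}
	v.lock.Lock()
	v.startWorker()
	v.lock.Unlock()
	return v
}

// startWorker launches establishConnection. Caller must hold v.lock.
func (v *vaultClient) startWorker() {
	v.stop = make(chan struct{})
	v.done = make(chan struct{})
	go v.establishConnection(v.stop, v.done)
}

// establishConnection models the background goroutine: it runs until told to
// stop and then needs v.lock to publish its final state before exiting.
func (v *vaultClient) establishConnection(stop, done chan struct{}) {
	defer close(done)
	v.lock.Lock()
	v.connected = true
	v.lock.Unlock()

	<-stop // tomb.Kill was called

	v.lock.Lock() // blocks forever if the killer still holds v.lock
	v.connected = false
	v.lock.Unlock()
}

// setConfigPreFix reproduces the deadlocking order: Kill and Wait are
// called while v.lock is held, so the worker can never exit.
func (v *vaultClient) setConfigPreFix(token string) {
	v.lock.Lock()
	defer v.lock.Unlock()

	close(v.stop) // tomb.Kill
	<-v.done      // tomb.Wait: never returns
	v.token = token
	v.startWorker()
}

// SetConfig is the fixed order: stop and wait for the worker with v.lock
// released, then take v.lock only to swap state and restart the worker.
func (v *vaultClient) SetConfig(token string) {
	v.setConfigLock.Lock()
	defer v.setConfigLock.Unlock()

	v.lock.Lock()
	stop, done := v.stop, v.done
	v.lock.Unlock()

	close(stop) // tomb.Kill
	<-done      // tomb.Wait, with v.lock free for the worker to exit

	v.lock.Lock()
	v.token = token
	v.startWorker()
	v.lock.Unlock()
}

// Token returns the current token under lock.
func (v *vaultClient) Token() string {
	v.lock.Lock()
	defer v.lock.Unlock()
	return v.token
}

// finishesWithin reports whether fn returns before timeout elapses; a false
// result is how the deadlock shows up in a test.
func finishesWithin(fn func(), timeout time.Duration) bool {
	finished := make(chan struct{})
	go func() { fn(); close(finished) }()
	select {
	case <-finished:
		return true
	case <-time.After(timeout):
		return false
	}
}

func main() {
	old := newVaultClient("s.old")
	fmt.Println("pre-fix SetConfig returned:",
		finishesWithin(func() { old.setConfigPreFix("s.new") }, 200*time.Millisecond))

	fixed := newVaultClient("s.old")
	fmt.Println("fixed SetConfig returned:",
		finishesWithin(func() { fixed.SetConfig("s.new") }, 200*time.Millisecond))
	fmt.Println("token now:", fixed.Token())
}
```

The timeout is the only way to observe the pre-fix version: the Go runtime's "all goroutines are asleep" detector does not fire because the observing goroutine is still runnable, which is also why this class of bug tends to surface only as a hung server rather than a crash.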
Michael Schurter
d0a83eb818
vault: fix race in accessor revocations
2019-08-05 15:08:04 -07:00
Michael Schurter
9732bc37ff
nomad: refactor waitForIndex into SnapshotAfter
...
Generalize wait for index logic in the state store for reuse elsewhere.
Also begin plumbing in a context to combine handling of timeouts and
shutdown.
2019-05-17 13:30:23 -07:00
Chris Baker
34e100cc96
server vault client: use two vault clients, one with namespace, one without for /sys calls
2019-04-10 10:34:10 -05:00
Chris Baker
a26d4fe1e5
docs: -vault-namespace, VAULT_NAMESPACE, and config
...
agent: added VAULT_NAMESPACE env-based configuration
2019-04-10 10:34:10 -05:00
Chris Baker
d3041cdb17
wip: added config parsing support, CLI flag, still need more testing, VAULT_ var, documentation
2019-04-10 10:34:10 -05:00
Chris Baker
0eaeef872f
config/docs: added `namespace` to vault config
...
server/client: process `namespace` config, setting on the instantiated vault client
2019-04-10 10:34:10 -05:00
Mahmood Ali
f9164dae67
Merge pull request #5228 from hashicorp/f-vault-err-tweaks
...
server/vault: tweak error messages
2019-01-25 11:17:31 -05:00
Mahmood Ali
f4560d8a2a
server/vault: tweak error messages
...
Closes #5139
2019-01-25 10:33:54 -05:00
Alex Dadgar
4bdccab550
goimports
2019-01-22 15:44:31 -08:00
Mahmood Ali
50e38104a5
server/nomad: Lock Vault expiration tracking
...
The `currentExpiration` field is accessed in multiple goroutines (Stats and
renewal), so it needs locking.
I don't anticipate high contention, so a simple mutex suffices.
2018-12-04 09:29:48 -05:00
Mahmood Ali
0a2611e41f
vault: protect against empty Vault secret response
...
Also, fix a case where a successful second attempt of loading token can
cause a panic.
2018-11-29 09:34:17 -05:00
Mahmood Ali
2e6133fd33
nil secrets as recoverable to keep renew attempts
2018-11-20 17:11:55 -05:00
Mahmood Ali
5827438983
Renew past recorded expiry till unrecoverable error
...
Keep attempting to renew Vault token past locally recorded expiry, just
in case the token was renewed out of band, e.g. on another Nomad server,
until Vault returns an unrecoverable error.
2018-11-20 17:10:55 -05:00
Mahmood Ali
5836a341dd
fix typo
2018-11-20 17:10:55 -05:00
Mahmood Ali
93add67e04
round ttl duration for users
2018-11-20 17:10:55 -05:00
Mahmood Ali
4a0544b369
Track renewal expiration properly
2018-11-20 17:10:55 -05:00
Mahmood Ali
6efea6d8fc
Populate agent-info with vault
...
Return Vault TTL info to /agent/self API and `nomad agent-info` command.
2018-11-20 17:10:55 -05:00
Mahmood Ali
6034af5084
Avoid explicit precomputed stats field
...
Seems like the stats field is a micro-optimization that doesn't justify
the complexity it introduces. Removing it and computing the stats from
revoking field directly.
2018-11-20 17:10:54 -05:00
Mahmood Ali
14842200ec
More metrics for Server vault
...
Add a gauge to track remaining time-to-live, duration of renewal request API call.
2018-11-20 17:10:54 -05:00
Mahmood Ali
e1994e59bd
address review comments
2018-11-20 17:10:54 -05:00
Mahmood Ali
35179c9655
Wrap Vault API errors to ease debugging
2018-11-20 17:10:54 -05:00
Mahmood Ali
55456fc823
Set a 1s floor for Vault renew operation backoff
2018-11-20 17:10:54 -05:00
Michael Schurter
56ed4f01be
vault: fix panic by checking for nil secret
...
Vault's RenewSelf(...) API may return (nil, nil). We failed to check if
secret was nil before attempting to use it.
RenewSelf:
e3eee5b4fb/api/auth_token.go (L138-L155)
Calls ParseSecret:
e3eee5b4fb/api/secret.go (L309-L311)
If anyone has an idea on how to test this I didn't see any options. We
use a real Vault service, so there's no opportunity to mock the
response.
2018-11-19 17:07:59 -08:00
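The (nil, nil) return from `RenewSelf` described in this commit, and the renewal policy from the "nil secrets as recoverable", "protect against empty Vault secret response" and "Renew past recorded expiry till unrecoverable error" commits above, as an added example that is not Nomad's code. It answers the testability question the same way a reviewer would: put the one Vault call behind a small interface so a scripted fake can return exactly the responses a real server makes hard to provoke. `Secret`, `tokenRenewer`, `errUnrecoverable` and the scripted responses are all assumptions for the example; the real `api.Secret` has many more fields.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Minimal hypothetical shapes of the Vault renewal response.
type SecretAuth struct {
	LeaseDuration int // seconds
	Renewable     bool
}
type Secret struct{ Auth *SecretAuth }

// tokenRenewer is the one Vault call the loop needs, as an interface so a
// scripted fake can stand in for a real server.
type tokenRenewer interface {
	RenewSelf(increment int) (*Secret, error)
}

// errUnrecoverable is an assumed sentinel for errors that must stop renewals.
var errUnrecoverable = errors.New("vault: token is not renewable")

// recoverableError marks a failure the loop should retry after backoff.
type recoverableError struct{ err error }

func (e *recoverableError) Error() string { return "recoverable: " + e.err.Error() }
func (e *recoverableError) Unwrap() error { return e.err }

// renewSelfUnchecked is the pre-fix shape: it trusts RenewSelf to return a
// non-nil secret, so (nil, nil) dereferences nil. Reports whether it panicked.
func renewSelfUnchecked(c tokenRenewer) (panicked bool) {
	defer func() {
		if recover() != nil {
			panicked = true
		}
	}()
	secret, _ := c.RenewSelf(0)
	_ = secret.Auth.LeaseDuration
	return false
}

// renewSelf is the hardened shape: errors are wrapped with context, a nil or
// empty secret is reported as recoverable, and only errUnrecoverable ends renewals.
func renewSelf(c tokenRenewer, increment int) (time.Duration, error) {
	secret, err := c.RenewSelf(increment)
	if err != nil {
		wrapped := fmt.Errorf("failed to renew the vault token: %w", err)
		if errors.Is(err, errUnrecoverable) {
			return 0, wrapped
		}
		return 0, &recoverableError{wrapped}
	}
	if secret == nil || secret.Auth == nil {
		return 0, &recoverableError{errors.New("vault returned an empty renewal response")}
	}
	return time.Duration(secret.Auth.LeaseDuration) * time.Second, nil
}

// renewalOutcome summarizes a simulated renewal loop.
type renewalOutcome struct {
	Attempts           int
	AttemptsPastExpiry int // renewals tried after the locally recorded expiry
	LastErr            error
}

// runRenewals drives renewals against c with a simulated clock that advances by
// step per attempt. It keeps renewing past the recorded expiry (the token may
// have been renewed out of band) and stops only on an unrecoverable error.
func runRenewals(c tokenRenewer, initialTTL, step time.Duration, maxAttempts int) renewalOutcome {
	now := time.Unix(0, 0)
	expiration := now.Add(initialTTL)
	var out renewalOutcome
	for out.Attempts < maxAttempts {
		now = now.Add(step)
		out.Attempts++
		if now.After(expiration) {
			out.AttemptsPastExpiry++
		}
		ttl, err := renewSelf(c, int(step.Seconds()))
		if err == nil {
			expiration = now.Add(ttl)
			continue
		}
		out.LastErr = err
		var rec *recoverableError
		if !errors.As(err, &rec) {
			break
		}
	}
	return out
}

// scriptedVault is a constructed fake: canned responses in order, then
// errUnrecoverable once the script is exhausted.
type renewResp struct {
	secret *Secret
	err    error
}
type scriptedVault struct {
	responses []renewResp
	calls     int
}

func (s *scriptedVault) RenewSelf(int) (*Secret, error) {
	if s.calls >= len(s.responses) {
		return nil, errUnrecoverable
	}
	r := s.responses[s.calls]
	s.calls++
	return r.secret, r.err
}

// newScript: (nil, nil), a 20s lease, a transient network error, (nil, nil) again, then unrecoverable.
func newScript() *scriptedVault {
	return &scriptedVault{responses: []renewResp{
		{nil, nil},
		{&Secret{Auth: &SecretAuth{LeaseDuration: 20, Renewable: true}}, nil},
		{nil, errors.New("connection refused")},
		{nil, nil},
		{nil, errUnrecoverable},
	}}
}

func main() {
	fmt.Println("pre-fix code panicked on (nil, nil):", renewSelfUnchecked(newScript()))
	out := runRenewals(newScript(), 30*time.Second, 15*time.Second, 10)
	fmt.Printf("attempts=%d pastExpiry=%d lastErr=%v\n", out.Attempts, out.AttemptsPastExpiry, out.LastErr)
}
```

With the scripted responses, the loop makes five attempts, two of them after the locally recorded expiry, and exits only on the final unrecoverable error; the two (nil, nil) responses and the transient network error are all retried.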
Alex Dadgar
3c19d01d7a
server
2018-09-15 16:23:13 -07:00
Chelsea Holland Komlo
9f6bd7bf3a
move logic for testing equality for vault config
2018-06-07 16:23:50 -04:00
Charlie Voiselle
ba88f00ccb
Changed "til" to "until"
...
Should be "till" or "until"; chose "until" because it is unambiguous as to meaning.
2018-04-11 12:36:28 -05:00
Alex Dadgar
58a3ec3fb2
Improve Vault error handling
2018-04-03 14:29:22 -07:00
Alex Dadgar
c152774997
Allow and recommend Orphaned Vault tokens
...
This PR removes enforcement that the Vault token role disallows orphaned
tokens and recommends orphaned tokens to simplify the
bootstrapping/upgrading of Nomad clusters. The requirement that Nomad's
Vault token never expire and be shared by all instances of Nomad servers
is not operationally friendly.
2018-03-15 15:32:08 -07:00
Josh Soref
f78d5685ee
spelling: routines
2018-03-11 18:52:35 +00:00
Josh Soref
d9ce1f7882
spelling: deregister
2018-03-11 17:53:22 +00:00
Josh Soref
d0a76b328d
spelling: captures
2018-03-11 17:46:35 +00:00
Preetha Appan
f1c2a37f57
Update error message
2018-03-09 14:25:53 -06:00
Preetha Appan
9d3980b253
update comment
2018-03-09 08:56:54 -06:00
Preetha Appan
c6b975428b
Always retry on token validation instead of special casing vault sealing
2018-03-08 20:27:49 -06:00
Preetha Appan
4421025372
Retry when vault is sealed
2018-03-08 16:53:54 -06:00
Alex Dadgar
4173834231
Enable more linters
2017-09-26 15:26:33 -07:00
Luke Farnell
f0ced87b95
fixed all spelling mistakes for goreport
2017-08-07 17:13:05 -04:00
Alex Dadgar
d3012f1447
Fix Vault Client panic when given nonexistent role
...
The Vault API returns a nil secret and nil error when reading an object
that doesn't exist. The old code assumed an error would be returned and
thus will panic when trying to validate a non-existent role.
2017-05-16 12:59:58 -04:00
Alex Dadgar
e21792091a
remove leading slash on vault path
2017-02-28 14:03:18 -08:00
Alex Dadgar
8bfc4255eb
Add server metrics
2017-02-14 16:02:18 -08:00
Alex Dadgar
15ffdff497
Vault Client on Server handles SIGHUP
...
This PR allows the Vault client on the server to handle a SIGHUP. This
allows updating the Vault token and any other configuration without
downtime.
2017-02-01 14:24:10 -08:00
Alex Dadgar
94ed50aa59
Prefer looking up using self path and remove checking for default policy
2017-01-23 11:46:27 -08:00
Alex Dadgar
442d775fb2
Test new functionality
2017-01-21 17:33:35 -08:00
Alex Dadgar
76dbc4aee1
verify we can renew ourselves
2017-01-20 14:23:50 -08:00
Alex Dadgar
faa50b851e
Cleanup errors/comments
2017-01-20 10:26:25 -08:00
Alex Dadgar
7d1ec25d09
Test pass
2017-01-20 10:06:47 -08:00
Alex Dadgar
ace50cfa19
closer on the tests
2017-01-19 17:21:46 -08:00