luxolus/open-vault
2
0
Fork 0
Code Issues 1 Pull requests Releases Activity
open-vault/command/agent/auth/auth.go

366 lines
9.4 KiB
Go
Raw Normal View History

VSI (#4985)
2018-07-25 02:02:27 +00:00
package auth
import (
"context"
agent: allow auto-auth to use an existing token (#10850) * agent/auto-auth: add use_existing_token * Add better logging for lookup errors * Fix test * changelog * Remove preload config, add token var * Update filename * Update changelog * Revert test name * Remove unused function * Remove redundant error message * Short circuit authenticate for preloaded token * Add comment for auto-auth login
2021-02-11 14:36:03 +00:00
"encoding/json"
agent: return a non-zero exit code on error (#9670) * agent: return a non-zero exit code on error * agent/template: always return on template server error, add case for error_on_missing_key * agent: fix tests by updating Run params to use an errCh * agent/template: add permission denied test case, clean up test var * agent: use unbuffered errCh, emit fatal errors directly to the UI output * agent: use oklog's run.Group to schedule subsystem runners (#9761) * agent: use oklog's run.Group to schedule subsystem runners * agent: clean up unused DoneCh, clean up agent's main Run func * agent/template: use ts.stopped.CAS to atomically swap value * fix tests * fix tests * agent/template: add timeout on TestRunServer * agent: output error via logs and return a generic error on non-zero exit * fix TestAgent_ExitAfterAuth * agent/template: do not restart ct runner on new incoming token if exit_after_auth is set to true * agent: drain ah.OutputCh after sink exits to avoid blocking on the channel * use context.WithTimeout, expand comments around ordering of defer cancel()
2020-09-30 01:03:09 +00:00
"errors"
VSI (#4985)
2018-07-25 02:02:27 +00:00
"math/rand"
Add Kerberos auth agent (#7999) * add kerberos auth agent * strip old comment * changes from feedback * strip appengine indirect dependency
2020-01-09 22:56:34 +00:00
"net/http"
VSI (#4985)
2018-07-25 02:02:27 +00:00
"time"
Add configurable exponential backoff to Agent auto-auth (#10964)
2021-02-23 20:04:21 +00:00
"github.com/hashicorp/go-hclog"
VSI (#4985)
2018-07-25 02:02:27 +00:00
"github.com/hashicorp/vault/api"
Create sdk/ and api/ submodules (#6583)
2019-04-12 21:54:35 +00:00
"github.com/hashicorp/vault/sdk/helper/jsonutil"
VSI (#4985)
2018-07-25 02:02:27 +00:00
)
Add configurable exponential backoff to Agent auto-auth (#10964)
2021-02-23 20:04:21 +00:00
const (
initialBackoff = 1 * time.Second
defaultMaxBackoff = 5 * time.Minute
)
agent: support providing certificate information in cert's config map (#9819) * agent: support providing certificate information in cert's config map * update TestCertEndToEnd * remove URL reference on warning message
2020-08-25 21:26:06 +00:00
// AuthMethod is the interface that auto-auth methods implement for the agent
// to use.
VSI (#4985)
2018-07-25 02:02:27 +00:00
type AuthMethod interface {
Add Kerberos auth agent (#7999) * add kerberos auth agent * strip old comment * changes from feedback * strip appengine indirect dependency
2020-01-09 22:56:34 +00:00
// Authenticate returns a mount path, header, request body, and error.
// The header may be nil if no special header is needed.
Authenticate(context.Context, *api.Client) (string, http.Header, map[string]interface{}, error)
VSI (#4985)
2018-07-25 02:02:27 +00:00
NewCreds() chan struct{}
CredSuccess()
Shutdown()
}
agent: support providing certificate information in cert's config map (#9819) * agent: support providing certificate information in cert's config map * update TestCertEndToEnd * remove URL reference on warning message
2020-08-25 21:26:06 +00:00
// AuthMethodWithClient is an extended interface that can return an API client
// for use during the authentication call.
type AuthMethodWithClient interface {
AuthMethod
AuthClient(client *api.Client) (*api.Client, error)
}
VSI (#4985)
2018-07-25 02:02:27 +00:00
type AuthConfig struct {
Logger hclog.Logger
MountPath string
WrapTTL time.Duration
Config map[string]interface{}
}
// AuthHandler is responsible for keeping a token alive and renewed and passing
// new tokens to the sink server
type AuthHandler struct {
Remove agent reauthentication on new credentials. (#5615) Functionality is left in for use in testing (where it is indeed quite useful). Fixes #5522
2018-10-27 17:45:55 +00:00
OutputCh chan string
Vault Agent Template (#7652) * Vault Agent Template: parse templates (#7540) * add template config parsing, but it's wrong b/c it's not using mapstructure * parsing consul templates in agent config * add additional test to configuration parsing, to cover basics * another test fixture, rework simple test into table * refactor into table test * rename test * remove flattenKeys and add other test fixture * Update command/agent/config/config.go Co-Authored-By: Jim Kalafut <jkalafut@hashicorp.com> * return the decode error instead of swallowing it * Update command/agent/config/config_test.go Co-Authored-By: Jim Kalafut <jkalafut@hashicorp.com> * go mod tidy * change error checking style * Add agent template doc * TemplateServer: render secrets with Consul Template (#7621) * add template config parsing, but it's wrong b/c it's not using mapstructure * parsing consul templates in agent config * add additional test to configuration parsing, to cover basics * another test fixture, rework simple test into table * refactor into table test * rename test * remove flattenKeys and add other test fixture * add template package * WIP: add runner * fix panic, actually copy templates, etc * rework how the config.Vault is created and enable reading from the environment * this was supposed to be a part of the prior commit * move/add methods to testhelpers for converting some values to pointers * use new methods in testhelpers * add an unblock channel to block agent until a template has been rendered * add note * unblock if there are no templates * cleanups * go mod tidy * remove dead code * simple test to starT * add simple, empty templates test * Update package doc, error logs, and add missing close() on channel * update code comment to be clear what I'm referring to * have template.NewServer return a (<- chan) type, even though it's a normal chan, as a better practice to enforce reading only * Update command/agent.go Co-Authored-By: Jim Kalafut <jkalafut@hashicorp.com> * update with test * Add README and doc.go to the command/agent directory (#7503) * Add README and doc.go to the command/agent directory * Add link to website * address feedback for agent.go * updated with feedback from Calvin * Rework template.Server to export the unblock channel, and remove it from the NewServer function * apply feedback from Nick * fix/restructure rendering test * Add pointerutil package for converting types to their pointers * Remove pointer helper methods; use sdk/helper/pointerutil instead * update newRunnerConfig to use pointerutil and empty strings * only wait for unblock if template server is initialized * drain the token channel in this test * conditionally send on channel
2019-10-18 21:21:46 +00:00
TemplateTokenCh chan string
agent: allow auto-auth to use an existing token (#10850) * agent/auto-auth: add use_existing_token * Add better logging for lookup errors * Fix test * changelog * Remove preload config, add token var * Update filename * Update changelog * Revert test name * Remove unused function * Remove redundant error message * Short circuit authenticate for preloaded token * Add comment for auto-auth login
2021-02-11 14:36:03 +00:00
token string
Remove agent reauthentication on new credentials. (#5615) Functionality is left in for use in testing (where it is indeed quite useful). Fixes #5522
2018-10-27 17:45:55 +00:00
logger hclog.Logger
client *api.Client
random *rand.Rand
wrapTTL time.Duration
Add configurable exponential backoff to Agent auto-auth (#10964)
2021-02-23 20:04:21 +00:00
maxBackoff time.Duration
Remove agent reauthentication on new credentials. (#5615) Functionality is left in for use in testing (where it is indeed quite useful). Fixes #5522
2018-10-27 17:45:55 +00:00
enableReauthOnNewCredentials bool
Vault Agent Template (#7652) * Vault Agent Template: parse templates (#7540) * add template config parsing, but it's wrong b/c it's not using mapstructure * parsing consul templates in agent config * add additional test to configuration parsing, to cover basics * another test fixture, rework simple test into table * refactor into table test * rename test * remove flattenKeys and add other test fixture * Update command/agent/config/config.go Co-Authored-By: Jim Kalafut <jkalafut@hashicorp.com> * return the decode error instead of swallowing it * Update command/agent/config/config_test.go Co-Authored-By: Jim Kalafut <jkalafut@hashicorp.com> * go mod tidy * change error checking style * Add agent template doc * TemplateServer: render secrets with Consul Template (#7621) * add template config parsing, but it's wrong b/c it's not using mapstructure * parsing consul templates in agent config * add additional test to configuration parsing, to cover basics * another test fixture, rework simple test into table * refactor into table test * rename test * remove flattenKeys and add other test fixture * add template package * WIP: add runner * fix panic, actually copy templates, etc * rework how the config.Vault is created and enable reading from the environment * this was supposed to be a part of the prior commit * move/add methods to testhelpers for converting some values to pointers * use new methods in testhelpers * add an unblock channel to block agent until a template has been rendered * add note * unblock if there are no templates * cleanups * go mod tidy * remove dead code * simple test to starT * add simple, empty templates test * Update package doc, error logs, and add missing close() on channel * update code comment to be clear what I'm referring to * have template.NewServer return a (<- chan) type, even though it's a normal chan, as a better practice to enforce reading only * Update command/agent.go Co-Authored-By: Jim Kalafut <jkalafut@hashicorp.com> * update with test * Add README and doc.go to the command/agent directory (#7503) * Add README and doc.go to the command/agent directory * Add link to website * address feedback for agent.go * updated with feedback from Calvin * Rework template.Server to export the unblock channel, and remove it from the NewServer function * apply feedback from Nick * fix/restructure rendering test * Add pointerutil package for converting types to their pointers * Remove pointer helper methods; use sdk/helper/pointerutil instead * update newRunnerConfig to use pointerutil and empty strings * only wait for unblock if template server is initialized * drain the token channel in this test * conditionally send on channel
2019-10-18 21:21:46 +00:00
enableTemplateTokenCh bool
VSI (#4985)
2018-07-25 02:02:27 +00:00
}
type AuthHandlerConfig struct {
Remove agent reauthentication on new credentials. (#5615) Functionality is left in for use in testing (where it is indeed quite useful). Fixes #5522
2018-10-27 17:45:55 +00:00
Logger hclog.Logger
Client *api.Client
WrapTTL time.Duration
Add configurable exponential backoff to Agent auto-auth (#10964)
2021-02-23 20:04:21 +00:00
MaxBackoff time.Duration
agent: allow auto-auth to use an existing token (#10850) * agent/auto-auth: add use_existing_token * Add better logging for lookup errors * Fix test * changelog * Remove preload config, add token var * Update filename * Update changelog * Revert test name * Remove unused function * Remove redundant error message * Short circuit authenticate for preloaded token * Add comment for auto-auth login
2021-02-11 14:36:03 +00:00
Token string
Remove agent reauthentication on new credentials. (#5615) Functionality is left in for use in testing (where it is indeed quite useful). Fixes #5522
2018-10-27 17:45:55 +00:00
EnableReauthOnNewCredentials bool
Vault Agent Template (#7652) * Vault Agent Template: parse templates (#7540) * add template config parsing, but it's wrong b/c it's not using mapstructure * parsing consul templates in agent config * add additional test to configuration parsing, to cover basics * another test fixture, rework simple test into table * refactor into table test * rename test * remove flattenKeys and add other test fixture * Update command/agent/config/config.go Co-Authored-By: Jim Kalafut <jkalafut@hashicorp.com> * return the decode error instead of swallowing it * Update command/agent/config/config_test.go Co-Authored-By: Jim Kalafut <jkalafut@hashicorp.com> * go mod tidy * change error checking style * Add agent template doc * TemplateServer: render secrets with Consul Template (#7621) * add template config parsing, but it's wrong b/c it's not using mapstructure * parsing consul templates in agent config * add additional test to configuration parsing, to cover basics * another test fixture, rework simple test into table * refactor into table test * rename test * remove flattenKeys and add other test fixture * add template package * WIP: add runner * fix panic, actually copy templates, etc * rework how the config.Vault is created and enable reading from the environment * this was supposed to be a part of the prior commit * move/add methods to testhelpers for converting some values to pointers * use new methods in testhelpers * add an unblock channel to block agent until a template has been rendered * add note * unblock if there are no templates * cleanups * go mod tidy * remove dead code * simple test to starT * add simple, empty templates test * Update package doc, error logs, and add missing close() on channel * update code comment to be clear what I'm referring to * have template.NewServer return a (<- chan) type, even though it's a normal chan, as a better practice to enforce reading only * Update command/agent.go Co-Authored-By: Jim Kalafut <jkalafut@hashicorp.com> * update with test * Add README and doc.go to the command/agent directory (#7503) * Add README and doc.go to the command/agent directory * Add link to website * address feedback for agent.go * updated with feedback from Calvin * Rework template.Server to export the unblock channel, and remove it from the NewServer function * apply feedback from Nick * fix/restructure rendering test * Add pointerutil package for converting types to their pointers * Remove pointer helper methods; use sdk/helper/pointerutil instead * update newRunnerConfig to use pointerutil and empty strings * only wait for unblock if template server is initialized * drain the token channel in this test * conditionally send on channel
2019-10-18 21:21:46 +00:00
EnableTemplateTokenCh bool
VSI (#4985)
2018-07-25 02:02:27 +00:00
}
func NewAuthHandler(conf *AuthHandlerConfig) *AuthHandler {
ah := &AuthHandler{
Buffer authhandler output channel to prevent hang on shutdown (#5507) Fixes #5026
2018-10-15 15:02:53 +00:00
// This is buffered so that if we try to output after the sink server
// has been shut down, during agent shutdown, we won't block
Remove agent reauthentication on new credentials. (#5615) Functionality is left in for use in testing (where it is indeed quite useful). Fixes #5522
2018-10-27 17:45:55 +00:00
OutputCh: make(chan string, 1),
Vault Agent Template (#7652) * Vault Agent Template: parse templates (#7540) * add template config parsing, but it's wrong b/c it's not using mapstructure * parsing consul templates in agent config * add additional test to configuration parsing, to cover basics * another test fixture, rework simple test into table * refactor into table test * rename test * remove flattenKeys and add other test fixture * Update command/agent/config/config.go Co-Authored-By: Jim Kalafut <jkalafut@hashicorp.com> * return the decode error instead of swallowing it * Update command/agent/config/config_test.go Co-Authored-By: Jim Kalafut <jkalafut@hashicorp.com> * go mod tidy * change error checking style * Add agent template doc * TemplateServer: render secrets with Consul Template (#7621) * add template config parsing, but it's wrong b/c it's not using mapstructure * parsing consul templates in agent config * add additional test to configuration parsing, to cover basics * another test fixture, rework simple test into table * refactor into table test * rename test * remove flattenKeys and add other test fixture * add template package * WIP: add runner * fix panic, actually copy templates, etc * rework how the config.Vault is created and enable reading from the environment * this was supposed to be a part of the prior commit * move/add methods to testhelpers for converting some values to pointers * use new methods in testhelpers * add an unblock channel to block agent until a template has been rendered * add note * unblock if there are no templates * cleanups * go mod tidy * remove dead code * simple test to starT * add simple, empty templates test * Update package doc, error logs, and add missing close() on channel * update code comment to be clear what I'm referring to * have template.NewServer return a (<- chan) type, even though it's a normal chan, as a better practice to enforce reading only * Update command/agent.go Co-Authored-By: Jim Kalafut <jkalafut@hashicorp.com> * update with test * Add README and doc.go to the command/agent directory (#7503) * Add README and doc.go to the command/agent directory * Add link to website * address feedback for agent.go * updated with feedback from Calvin * Rework template.Server to export the unblock channel, and remove it from the NewServer function * apply feedback from Nick * fix/restructure rendering test * Add pointerutil package for converting types to their pointers * Remove pointer helper methods; use sdk/helper/pointerutil instead * update newRunnerConfig to use pointerutil and empty strings * only wait for unblock if template server is initialized * drain the token channel in this test * conditionally send on channel
2019-10-18 21:21:46 +00:00
TemplateTokenCh: make(chan string, 1),
agent: allow auto-auth to use an existing token (#10850) * agent/auto-auth: add use_existing_token * Add better logging for lookup errors * Fix test * changelog * Remove preload config, add token var * Update filename * Update changelog * Revert test name * Remove unused function * Remove redundant error message * Short circuit authenticate for preloaded token * Add comment for auto-auth login
2021-02-11 14:36:03 +00:00
token: conf.Token,
Remove agent reauthentication on new credentials. (#5615) Functionality is left in for use in testing (where it is indeed quite useful). Fixes #5522
2018-10-27 17:45:55 +00:00
logger: conf.Logger,
client: conf.Client,
random: rand.New(rand.NewSource(int64(time.Now().Nanosecond()))),
wrapTTL: conf.WrapTTL,
Add configurable exponential backoff to Agent auto-auth (#10964)
2021-02-23 20:04:21 +00:00
maxBackoff: conf.MaxBackoff,
Remove agent reauthentication on new credentials. (#5615) Functionality is left in for use in testing (where it is indeed quite useful). Fixes #5522
2018-10-27 17:45:55 +00:00
enableReauthOnNewCredentials: conf.EnableReauthOnNewCredentials,
Vault Agent Template (#7652) * Vault Agent Template: parse templates (#7540) * add template config parsing, but it's wrong b/c it's not using mapstructure * parsing consul templates in agent config * add additional test to configuration parsing, to cover basics * another test fixture, rework simple test into table * refactor into table test * rename test * remove flattenKeys and add other test fixture * Update command/agent/config/config.go Co-Authored-By: Jim Kalafut <jkalafut@hashicorp.com> * return the decode error instead of swallowing it * Update command/agent/config/config_test.go Co-Authored-By: Jim Kalafut <jkalafut@hashicorp.com> * go mod tidy * change error checking style * Add agent template doc * TemplateServer: render secrets with Consul Template (#7621) * add template config parsing, but it's wrong b/c it's not using mapstructure * parsing consul templates in agent config * add additional test to configuration parsing, to cover basics * another test fixture, rework simple test into table * refactor into table test * rename test * remove flattenKeys and add other test fixture * add template package * WIP: add runner * fix panic, actually copy templates, etc * rework how the config.Vault is created and enable reading from the environment * this was supposed to be a part of the prior commit * move/add methods to testhelpers for converting some values to pointers * use new methods in testhelpers * add an unblock channel to block agent until a template has been rendered * add note * unblock if there are no templates * cleanups * go mod tidy * remove dead code * simple test to starT * add simple, empty templates test * Update package doc, error logs, and add missing close() on channel * update code comment to be clear what I'm referring to * have template.NewServer return a (<- chan) type, even though it's a normal chan, as a better practice to enforce reading only * Update command/agent.go Co-Authored-By: Jim Kalafut <jkalafut@hashicorp.com> * update with test * Add README and doc.go to the command/agent directory (#7503) * Add README and doc.go to the command/agent directory * Add link to website * address feedback for agent.go * updated with feedback from Calvin * Rework template.Server to export the unblock channel, and remove it from the NewServer function * apply feedback from Nick * fix/restructure rendering test * Add pointerutil package for converting types to their pointers * Remove pointer helper methods; use sdk/helper/pointerutil instead * update newRunnerConfig to use pointerutil and empty strings * only wait for unblock if template server is initialized * drain the token channel in this test * conditionally send on channel
2019-10-18 21:21:46 +00:00
enableTemplateTokenCh: conf.EnableTemplateTokenCh,
VSI (#4985)
2018-07-25 02:02:27 +00:00
}
return ah
}
Reset agent backoff on successful auth (#11033) The existing code would retain the previous backoff value even after the system had recovered. This PR fixes that issue and improves the structure of the backoff code.
2021-03-03 22:15:18 +00:00
func backoffOrQuit(ctx context.Context, backoff *agentBackoff) {
VSI (#4985)
2018-07-25 02:02:27 +00:00
select {
Reset agent backoff on successful auth (#11033) The existing code would retain the previous backoff value even after the system had recovered. This PR fixes that issue and improves the structure of the backoff code.
2021-03-03 22:15:18 +00:00
case <-time.After(backoff.current):
VSI (#4985)
2018-07-25 02:02:27 +00:00
case <-ctx.Done():
}
Reset agent backoff on successful auth (#11033) The existing code would retain the previous backoff value even after the system had recovered. This PR fixes that issue and improves the structure of the backoff code.
2021-03-03 22:15:18 +00:00
// Increase exponential backoff for the next time if we don't
// successfully auth/renew/etc.
backoff.next()
VSI (#4985)
2018-07-25 02:02:27 +00:00
}
agent: return a non-zero exit code on error (#9670) * agent: return a non-zero exit code on error * agent/template: always return on template server error, add case for error_on_missing_key * agent: fix tests by updating Run params to use an errCh * agent/template: add permission denied test case, clean up test var * agent: use unbuffered errCh, emit fatal errors directly to the UI output * agent: use oklog's run.Group to schedule subsystem runners (#9761) * agent: use oklog's run.Group to schedule subsystem runners * agent: clean up unused DoneCh, clean up agent's main Run func * agent/template: use ts.stopped.CAS to atomically swap value * fix tests * fix tests * agent/template: add timeout on TestRunServer * agent: output error via logs and return a generic error on non-zero exit * fix TestAgent_ExitAfterAuth * agent/template: do not restart ct runner on new incoming token if exit_after_auth is set to true * agent: drain ah.OutputCh after sink exits to avoid blocking on the channel * use context.WithTimeout, expand comments around ordering of defer cancel()
2020-09-30 01:03:09 +00:00
func (ah *AuthHandler) Run(ctx context.Context, am AuthMethod) error {
VSI (#4985)
2018-07-25 02:02:27 +00:00
if am == nil {
agent: return a non-zero exit code on error (#9670) * agent: return a non-zero exit code on error * agent/template: always return on template server error, add case for error_on_missing_key * agent: fix tests by updating Run params to use an errCh * agent/template: add permission denied test case, clean up test var * agent: use unbuffered errCh, emit fatal errors directly to the UI output * agent: use oklog's run.Group to schedule subsystem runners (#9761) * agent: use oklog's run.Group to schedule subsystem runners * agent: clean up unused DoneCh, clean up agent's main Run func * agent/template: use ts.stopped.CAS to atomically swap value * fix tests * fix tests * agent/template: add timeout on TestRunServer * agent: output error via logs and return a generic error on non-zero exit * fix TestAgent_ExitAfterAuth * agent/template: do not restart ct runner on new incoming token if exit_after_auth is set to true * agent: drain ah.OutputCh after sink exits to avoid blocking on the channel * use context.WithTimeout, expand comments around ordering of defer cancel()
2020-09-30 01:03:09 +00:00
return errors.New("auth handler: nil auth method")
VSI (#4985)
2018-07-25 02:02:27 +00:00
}
Reset agent backoff on successful auth (#11033) The existing code would retain the previous backoff value even after the system had recovered. This PR fixes that issue and improves the structure of the backoff code.
2021-03-03 22:15:18 +00:00
backoff := newAgentBackoff(ah.maxBackoff)
Add configurable exponential backoff to Agent auto-auth (#10964)
2021-02-23 20:04:21 +00:00
VSI (#4985)
2018-07-25 02:02:27 +00:00
ah.logger.Info("starting auth handler")
defer func() {
Auth handler shutdown logic (#5170)
2018-08-24 13:17:14 +00:00
am.Shutdown()
close(ah.OutputCh)
Vault Agent Template (#7652) * Vault Agent Template: parse templates (#7540) * add template config parsing, but it's wrong b/c it's not using mapstructure * parsing consul templates in agent config * add additional test to configuration parsing, to cover basics * another test fixture, rework simple test into table * refactor into table test * rename test * remove flattenKeys and add other test fixture * Update command/agent/config/config.go Co-Authored-By: Jim Kalafut <jkalafut@hashicorp.com> * return the decode error instead of swallowing it * Update command/agent/config/config_test.go Co-Authored-By: Jim Kalafut <jkalafut@hashicorp.com> * go mod tidy * change error checking style * Add agent template doc * TemplateServer: render secrets with Consul Template (#7621) * add template config parsing, but it's wrong b/c it's not using mapstructure * parsing consul templates in agent config * add additional test to configuration parsing, to cover basics * another test fixture, rework simple test into table * refactor into table test * rename test * remove flattenKeys and add other test fixture * add template package * WIP: add runner * fix panic, actually copy templates, etc * rework how the config.Vault is created and enable reading from the environment * this was supposed to be a part of the prior commit * move/add methods to testhelpers for converting some values to pointers * use new methods in testhelpers * add an unblock channel to block agent until a template has been rendered * add note * unblock if there are no templates * cleanups * go mod tidy * remove dead code * simple test to starT * add simple, empty templates test * Update package doc, error logs, and add missing close() on channel * update code comment to be clear what I'm referring to * have template.NewServer return a (<- chan) type, even though it's a normal chan, as a better practice to enforce reading only * Update command/agent.go Co-Authored-By: Jim Kalafut <jkalafut@hashicorp.com> * update with test * Add README and doc.go to the command/agent directory (#7503) * Add README and doc.go to the command/agent directory * Add link to website * address feedback for agent.go * updated with feedback from Calvin * Rework template.Server to export the unblock channel, and remove it from the NewServer function * apply feedback from Nick * fix/restructure rendering test * Add pointerutil package for converting types to their pointers * Remove pointer helper methods; use sdk/helper/pointerutil instead * update newRunnerConfig to use pointerutil and empty strings * only wait for unblock if template server is initialized * drain the token channel in this test * conditionally send on channel
2019-10-18 21:21:46 +00:00
close(ah.TemplateTokenCh)
Auth handler shutdown logic (#5170)
2018-08-24 13:17:14 +00:00
ah.logger.Info("auth handler stopped")
VSI (#4985)
2018-07-25 02:02:27 +00:00
}()
credCh := am.NewCreds()
Remove agent reauthentication on new credentials. (#5615) Functionality is left in for use in testing (where it is indeed quite useful). Fixes #5522
2018-10-27 17:45:55 +00:00
if !ah.enableReauthOnNewCredentials {
realCredCh := credCh
credCh = nil
if realCredCh != nil {
go func() {
for {
select {
case <-ctx.Done():
return
case <-realCredCh:
}
}
}()
}
}
VSI (#4985)
2018-07-25 02:02:27 +00:00
if credCh == nil {
credCh = make(chan struct{})
}
Sync up Agent and API's renewers. (#7733) * Sync up Agent and API's renewers. This introduces a new type, LifetimeWatcher, which can handle both renewable and non-renewable secrets, modeled after the version in Agent. It allows the user to select behavior, with the new style being the default when calling Start(), and old style if using the legacy Renew() call. No tests have been modified (except for reflect issues) and no other code has been modified to make sure the changes are backwards compatible. Once this is accepted I'll pull the Agent version out. * Move compat flags to NewRenewer * Port agent to shared lifetime watcher lib
2019-10-29 00:28:59 +00:00
var watcher *api.LifetimeWatcher
agent: allow auto-auth to use an existing token (#10850) * agent/auto-auth: add use_existing_token * Add better logging for lookup errors * Fix test * changelog * Remove preload config, add token var * Update filename * Update changelog * Revert test name * Remove unused function * Remove redundant error message * Short circuit authenticate for preloaded token * Add comment for auto-auth login
2021-02-11 14:36:03 +00:00
first := true
VSI (#4985)
2018-07-25 02:02:27 +00:00
for {
select {
case <-ctx.Done():
agent: return a non-zero exit code on error (#9670) * agent: return a non-zero exit code on error * agent/template: always return on template server error, add case for error_on_missing_key * agent: fix tests by updating Run params to use an errCh * agent/template: add permission denied test case, clean up test var * agent: use unbuffered errCh, emit fatal errors directly to the UI output * agent: use oklog's run.Group to schedule subsystem runners (#9761) * agent: use oklog's run.Group to schedule subsystem runners * agent: clean up unused DoneCh, clean up agent's main Run func * agent/template: use ts.stopped.CAS to atomically swap value * fix tests * fix tests * agent/template: add timeout on TestRunServer * agent: output error via logs and return a generic error on non-zero exit * fix TestAgent_ExitAfterAuth * agent/template: do not restart ct runner on new incoming token if exit_after_auth is set to true * agent: drain ah.OutputCh after sink exits to avoid blocking on the channel * use context.WithTimeout, expand comments around ordering of defer cancel()
2020-09-30 01:03:09 +00:00
return nil
VSI (#4985)
2018-07-25 02:02:27 +00:00
default:
}
agent: support providing certificate information in cert's config map (#9819) * agent: support providing certificate information in cert's config map * update TestCertEndToEnd * remove URL reference on warning message
2020-08-25 21:26:06 +00:00
var clientToUse *api.Client
agent: allow auto-auth to use an existing token (#10850) * agent/auto-auth: add use_existing_token * Add better logging for lookup errors * Fix test * changelog * Remove preload config, add token var * Update filename * Update changelog * Revert test name * Remove unused function * Remove redundant error message * Short circuit authenticate for preloaded token * Add comment for auto-auth login
2021-02-11 14:36:03 +00:00
var err error
var path string
var data map[string]interface{}
var header http.Header
agent: support providing certificate information in cert's config map (#9819) * agent: support providing certificate information in cert's config map * update TestCertEndToEnd * remove URL reference on warning message
2020-08-25 21:26:06 +00:00
switch am.(type) {
case AuthMethodWithClient:
clientToUse, err = am.(AuthMethodWithClient).AuthClient(ah.client)
if err != nil {
Reset agent backoff on successful auth (#11033) The existing code would retain the previous backoff value even after the system had recovered. This PR fixes that issue and improves the structure of the backoff code.
2021-03-03 22:15:18 +00:00
ah.logger.Error("error creating client for authentication call", "error", err, "backoff", backoff)
agent: support providing certificate information in cert's config map (#9819) * agent: support providing certificate information in cert's config map * update TestCertEndToEnd * remove URL reference on warning message
2020-08-25 21:26:06 +00:00
backoffOrQuit(ctx, backoff)
continue
}
default:
clientToUse = ah.client
}
agent: allow auto-auth to use an existing token (#10850) * agent/auto-auth: add use_existing_token * Add better logging for lookup errors * Fix test * changelog * Remove preload config, add token var * Update filename * Update changelog * Revert test name * Remove unused function * Remove redundant error message * Short circuit authenticate for preloaded token * Add comment for auto-auth login
2021-02-11 14:36:03 +00:00
var secret *api.Secret = new(api.Secret)
if first && ah.token != "" {
ah.logger.Debug("using preloaded token")
first = false
ah.logger.Debug("lookup-self with preloaded token")
clientToUse.SetToken(ah.token)
secret, err = clientToUse.Logical().Read("auth/token/lookup-self")
if err != nil {
Reset agent backoff on successful auth (#11033) The existing code would retain the previous backoff value even after the system had recovered. This PR fixes that issue and improves the structure of the backoff code.
2021-03-03 22:15:18 +00:00
ah.logger.Error("could not look up token", "err", err, "backoff", backoff)
agent: allow auto-auth to use an existing token (#10850) * agent/auto-auth: add use_existing_token * Add better logging for lookup errors * Fix test * changelog * Remove preload config, add token var * Update filename * Update changelog * Revert test name * Remove unused function * Remove redundant error message * Short circuit authenticate for preloaded token * Add comment for auto-auth login
2021-02-11 14:36:03 +00:00
backoffOrQuit(ctx, backoff)
continue
}
duration, _ := secret.Data["ttl"].(json.Number).Int64()
secret.Auth = &api.SecretAuth{
ClientToken: secret.Data["id"].(string),
LeaseDuration: int(duration),
Renewable: secret.Data["renewable"].(bool),
}
} else {
ah.logger.Info("authenticating")
path, header, data, err = am.Authenticate(ctx, ah.client)
if err != nil {
Reset agent backoff on successful auth (#11033) The existing code would retain the previous backoff value even after the system had recovered. This PR fixes that issue and improves the structure of the backoff code.
2021-03-03 22:15:18 +00:00
ah.logger.Error("error getting path or data from method", "error", err, "backoff", backoff)
agent: allow auto-auth to use an existing token (#10850) * agent/auto-auth: add use_existing_token * Add better logging for lookup errors * Fix test * changelog * Remove preload config, add token var * Update filename * Update changelog * Revert test name * Remove unused function * Remove redundant error message * Short circuit authenticate for preloaded token * Add comment for auto-auth login
2021-02-11 14:36:03 +00:00
backoffOrQuit(ctx, backoff)
continue
}
}
VSI (#4985)
2018-07-25 02:02:27 +00:00
if ah.wrapTTL > 0 {
agent: support providing certificate information in cert's config map (#9819) * agent: support providing certificate information in cert's config map * update TestCertEndToEnd * remove URL reference on warning message
2020-08-25 21:26:06 +00:00
wrapClient, err := clientToUse.Clone()
VSI (#4985)
2018-07-25 02:02:27 +00:00
if err != nil {
Reset agent backoff on successful auth (#11033) The existing code would retain the previous backoff value even after the system had recovered. This PR fixes that issue and improves the structure of the backoff code.
2021-03-03 22:15:18 +00:00
ah.logger.Error("error creating client for wrapped call", "error", err, "backoff", backoff)
VSI (#4985)
2018-07-25 02:02:27 +00:00
backoffOrQuit(ctx, backoff)
continue
}
wrapClient.SetWrappingLookupFunc(func(string, string) string {
return ah.wrapTTL.String()
})
clientToUse = wrapClient
}
Add Kerberos auth agent (#7999) * add kerberos auth agent * strip old comment * changes from feedback * strip appengine indirect dependency
2020-01-09 22:56:34 +00:00
for key, values := range header {
for _, value := range values {
clientToUse.AddHeader(key, value)
}
}
VSI (#4985)
2018-07-25 02:02:27 +00:00
agent: allow auto-auth to use an existing token (#10850) * agent/auto-auth: add use_existing_token * Add better logging for lookup errors * Fix test * changelog * Remove preload config, add token var * Update filename * Update changelog * Revert test name * Remove unused function * Remove redundant error message * Short circuit authenticate for preloaded token * Add comment for auto-auth login
2021-02-11 14:36:03 +00:00
// This should only happen if there's no preloaded token (regular auto-auth login)
// or if a preloaded token has expired and is now switching to auto-auth.
if secret.Auth == nil {
secret, err = clientToUse.Logical().Write(path, data)
// Check errors/sanity
if err != nil {
Reset agent backoff on successful auth (#11033) The existing code would retain the previous backoff value even after the system had recovered. This PR fixes that issue and improves the structure of the backoff code.
2021-03-03 22:15:18 +00:00
ah.logger.Error("error authenticating", "error", err, "backoff", backoff)
agent: allow auto-auth to use an existing token (#10850) * agent/auto-auth: add use_existing_token * Add better logging for lookup errors * Fix test * changelog * Remove preload config, add token var * Update filename * Update changelog * Revert test name * Remove unused function * Remove redundant error message * Short circuit authenticate for preloaded token * Add comment for auto-auth login
2021-02-11 14:36:03 +00:00
backoffOrQuit(ctx, backoff)
continue
}
VSI (#4985)
2018-07-25 02:02:27 +00:00
}
switch {
case ah.wrapTTL > 0:
if secret.WrapInfo == nil {
Reset agent backoff on successful auth (#11033) The existing code would retain the previous backoff value even after the system had recovered. This PR fixes that issue and improves the structure of the backoff code.
2021-03-03 22:15:18 +00:00
ah.logger.Error("authentication returned nil wrap info", "backoff", backoff)
VSI (#4985)
2018-07-25 02:02:27 +00:00
backoffOrQuit(ctx, backoff)
continue
}
if secret.WrapInfo.Token == "" {
Reset agent backoff on successful auth (#11033) The existing code would retain the previous backoff value even after the system had recovered. This PR fixes that issue and improves the structure of the backoff code.
2021-03-03 22:15:18 +00:00
ah.logger.Error("authentication returned empty wrapped client token", "backoff", backoff)
VSI (#4985)
2018-07-25 02:02:27 +00:00
backoffOrQuit(ctx, backoff)
continue
}
wrappedResp, err := jsonutil.EncodeJSON(secret.WrapInfo)
if err != nil {
Reset agent backoff on successful auth (#11033) The existing code would retain the previous backoff value even after the system had recovered. This PR fixes that issue and improves the structure of the backoff code.
2021-03-03 22:15:18 +00:00
ah.logger.Error("failed to encode wrapinfo", "error", err, "backoff", backoff)
VSI (#4985)
2018-07-25 02:02:27 +00:00
backoffOrQuit(ctx, backoff)
continue
}
ah.logger.Info("authentication successful, sending wrapped token to sinks and pausing")
ah.OutputCh <- string(wrappedResp)
Vault Agent Template (#7652) * Vault Agent Template: parse templates (#7540) * add template config parsing, but it's wrong b/c it's not using mapstructure * parsing consul templates in agent config * add additional test to configuration parsing, to cover basics * another test fixture, rework simple test into table * refactor into table test * rename test * remove flattenKeys and add other test fixture * Update command/agent/config/config.go Co-Authored-By: Jim Kalafut <jkalafut@hashicorp.com> * return the decode error instead of swallowing it * Update command/agent/config/config_test.go Co-Authored-By: Jim Kalafut <jkalafut@hashicorp.com> * go mod tidy * change error checking style * Add agent template doc * TemplateServer: render secrets with Consul Template (#7621) * add template config parsing, but it's wrong b/c it's not using mapstructure * parsing consul templates in agent config * add additional test to configuration parsing, to cover basics * another test fixture, rework simple test into table * refactor into table test * rename test * remove flattenKeys and add other test fixture * add template package * WIP: add runner * fix panic, actually copy templates, etc * rework how the config.Vault is created and enable reading from the environment * this was supposed to be a part of the prior commit * move/add methods to testhelpers for converting some values to pointers * use new methods in testhelpers * add an unblock channel to block agent until a template has been rendered * add note * unblock if there are no templates * cleanups * go mod tidy * remove dead code * simple test to starT * add simple, empty templates test * Update package doc, error logs, and add missing close() on channel * update code comment to be clear what I'm referring to * have template.NewServer return a (<- chan) type, even though it's a normal chan, as a better practice to enforce reading only * Update command/agent.go Co-Authored-By: Jim Kalafut <jkalafut@hashicorp.com> * update with test * Add README and doc.go to the command/agent directory (#7503) * Add README and doc.go to the command/agent directory * Add link to website * address feedback for agent.go * updated with feedback from Calvin * Rework template.Server to export the unblock channel, and remove it from the NewServer function * apply feedback from Nick * fix/restructure rendering test * Add pointerutil package for converting types to their pointers * Remove pointer helper methods; use sdk/helper/pointerutil instead * update newRunnerConfig to use pointerutil and empty strings * only wait for unblock if template server is initialized * drain the token channel in this test * conditionally send on channel
2019-10-18 21:21:46 +00:00
if ah.enableTemplateTokenCh {
ah.TemplateTokenCh <- string(wrappedResp)
}
VSI (#4985)
2018-07-25 02:02:27 +00:00
am.CredSuccess()
Reset agent backoff on successful auth (#11033) The existing code would retain the previous backoff value even after the system had recovered. This PR fixes that issue and improves the structure of the backoff code.
2021-03-03 22:15:18 +00:00
backoff.reset()
VSI (#4985)
2018-07-25 02:02:27 +00:00
select {
case <-ctx.Done():
ah.logger.Info("shutdown triggered")
Auth handler shutdown logic (#5170)
2018-08-24 13:17:14 +00:00
continue
VSI (#4985)
2018-07-25 02:02:27 +00:00
case <-credCh:
ah.logger.Info("auth method found new credentials, re-authenticating")
continue
}
default:
agent: fix auth when multiple redirects (#5814)
2018-11-19 23:50:42 +00:00
if secret == nil || secret.Auth == nil {
Reset agent backoff on successful auth (#11033) The existing code would retain the previous backoff value even after the system had recovered. This PR fixes that issue and improves the structure of the backoff code.
2021-03-03 22:15:18 +00:00
ah.logger.Error("authentication returned nil auth info", "backoff", backoff)
VSI (#4985)
2018-07-25 02:02:27 +00:00
backoffOrQuit(ctx, backoff)
continue
}
if secret.Auth.ClientToken == "" {
Reset agent backoff on successful auth (#11033) The existing code would retain the previous backoff value even after the system had recovered. This PR fixes that issue and improves the structure of the backoff code.
2021-03-03 22:15:18 +00:00
ah.logger.Error("authentication returned empty client token", "backoff", backoff)
VSI (#4985)
2018-07-25 02:02:27 +00:00
backoffOrQuit(ctx, backoff)
continue
}
ah.logger.Info("authentication successful, sending token to sinks")
ah.OutputCh <- secret.Auth.ClientToken
Vault Agent Template (#7652) * Vault Agent Template: parse templates (#7540) * add template config parsing, but it's wrong b/c it's not using mapstructure * parsing consul templates in agent config * add additional test to configuration parsing, to cover basics * another test fixture, rework simple test into table * refactor into table test * rename test * remove flattenKeys and add other test fixture * Update command/agent/config/config.go Co-Authored-By: Jim Kalafut <jkalafut@hashicorp.com> * return the decode error instead of swallowing it * Update command/agent/config/config_test.go Co-Authored-By: Jim Kalafut <jkalafut@hashicorp.com> * go mod tidy * change error checking style * Add agent template doc * TemplateServer: render secrets with Consul Template (#7621) * add template config parsing, but it's wrong b/c it's not using mapstructure * parsing consul templates in agent config * add additional test to configuration parsing, to cover basics * another test fixture, rework simple test into table * refactor into table test * rename test * remove flattenKeys and add other test fixture * add template package * WIP: add runner * fix panic, actually copy templates, etc * rework how the config.Vault is created and enable reading from the environment * this was supposed to be a part of the prior commit * move/add methods to testhelpers for converting some values to pointers * use new methods in testhelpers * add an unblock channel to block agent until a template has been rendered * add note * unblock if there are no templates * cleanups * go mod tidy * remove dead code * simple test to starT * add simple, empty templates test * Update package doc, error logs, and add missing close() on channel * update code comment to be clear what I'm referring to * have template.NewServer return a (<- chan) type, even though it's a normal chan, as a better practice to enforce reading only * Update command/agent.go Co-Authored-By: Jim Kalafut <jkalafut@hashicorp.com> * update with test * Add README and doc.go to the command/agent directory (#7503) * Add README and doc.go to the command/agent directory * Add link to website * address feedback for agent.go * updated with feedback from Calvin * Rework template.Server to export the unblock channel, and remove it from the NewServer function * apply feedback from Nick * fix/restructure rendering test * Add pointerutil package for converting types to their pointers * Remove pointer helper methods; use sdk/helper/pointerutil instead * update newRunnerConfig to use pointerutil and empty strings * only wait for unblock if template server is initialized * drain the token channel in this test * conditionally send on channel
2019-10-18 21:21:46 +00:00
if ah.enableTemplateTokenCh {
ah.TemplateTokenCh <- secret.Auth.ClientToken
}
VSI (#4985)
2018-07-25 02:02:27 +00:00
am.CredSuccess()
Reset agent backoff on successful auth (#11033) The existing code would retain the previous backoff value even after the system had recovered. This PR fixes that issue and improves the structure of the backoff code.
2021-03-03 22:15:18 +00:00
backoff.reset()
VSI (#4985)
2018-07-25 02:02:27 +00:00
}
Sync up Agent and API's renewers. (#7733) * Sync up Agent and API's renewers. This introduces a new type, LifetimeWatcher, which can handle both renewable and non-renewable secrets, modeled after the version in Agent. It allows the user to select behavior, with the new style being the default when calling Start(), and old style if using the legacy Renew() call. No tests have been modified (except for reflect issues) and no other code has been modified to make sure the changes are backwards compatible. Once this is accepted I'll pull the Agent version out. * Move compat flags to NewRenewer * Port agent to shared lifetime watcher lib
2019-10-29 00:28:59 +00:00
if watcher != nil {
watcher.Stop()
VSI (#4985)
2018-07-25 02:02:27 +00:00
}
agent: support providing certificate information in cert's config map (#9819) * agent: support providing certificate information in cert's config map * update TestCertEndToEnd * remove URL reference on warning message
2020-08-25 21:26:06 +00:00
watcher, err = clientToUse.NewLifetimeWatcher(&api.LifetimeWatcherInput{
VSI (#4985)
2018-07-25 02:02:27 +00:00
Secret: secret,
})
if err != nil {
Reset agent backoff on successful auth (#11033) The existing code would retain the previous backoff value even after the system had recovered. This PR fixes that issue and improves the structure of the backoff code.
2021-03-03 22:15:18 +00:00
ah.logger.Error("error creating lifetime watcher, backing off and retrying", "error", err, "backoff", backoff)
VSI (#4985)
2018-07-25 02:02:27 +00:00
backoffOrQuit(ctx, backoff)
continue
}
// Start the renewal process
ah.logger.Info("starting renewal process")
Sync up Agent and API's renewers. (#7733) * Sync up Agent and API's renewers. This introduces a new type, LifetimeWatcher, which can handle both renewable and non-renewable secrets, modeled after the version in Agent. It allows the user to select behavior, with the new style being the default when calling Start(), and old style if using the legacy Renew() call. No tests have been modified (except for reflect issues) and no other code has been modified to make sure the changes are backwards compatible. Once this is accepted I'll pull the Agent version out. * Move compat flags to NewRenewer * Port agent to shared lifetime watcher lib
2019-10-29 00:28:59 +00:00
go watcher.Renew()
VSI (#4985)
2018-07-25 02:02:27 +00:00
Sync up Agent and API's renewers. (#7733) * Sync up Agent and API's renewers. This introduces a new type, LifetimeWatcher, which can handle both renewable and non-renewable secrets, modeled after the version in Agent. It allows the user to select behavior, with the new style being the default when calling Start(), and old style if using the legacy Renew() call. No tests have been modified (except for reflect issues) and no other code has been modified to make sure the changes are backwards compatible. Once this is accepted I'll pull the Agent version out. * Move compat flags to NewRenewer * Port agent to shared lifetime watcher lib
2019-10-29 00:28:59 +00:00
LifetimeWatcherLoop:
VSI (#4985)
2018-07-25 02:02:27 +00:00
for {
select {
case <-ctx.Done():
Sync up Agent and API's renewers. (#7733) * Sync up Agent and API's renewers. This introduces a new type, LifetimeWatcher, which can handle both renewable and non-renewable secrets, modeled after the version in Agent. It allows the user to select behavior, with the new style being the default when calling Start(), and old style if using the legacy Renew() call. No tests have been modified (except for reflect issues) and no other code has been modified to make sure the changes are backwards compatible. Once this is accepted I'll pull the Agent version out. * Move compat flags to NewRenewer * Port agent to shared lifetime watcher lib
2019-10-29 00:28:59 +00:00
ah.logger.Info("shutdown triggered, stopping lifetime watcher")
watcher.Stop()
break LifetimeWatcherLoop
VSI (#4985)
2018-07-25 02:02:27 +00:00
Sync up Agent and API's renewers. (#7733) * Sync up Agent and API's renewers. This introduces a new type, LifetimeWatcher, which can handle both renewable and non-renewable secrets, modeled after the version in Agent. It allows the user to select behavior, with the new style being the default when calling Start(), and old style if using the legacy Renew() call. No tests have been modified (except for reflect issues) and no other code has been modified to make sure the changes are backwards compatible. Once this is accepted I'll pull the Agent version out. * Move compat flags to NewRenewer * Port agent to shared lifetime watcher lib
2019-10-29 00:28:59 +00:00
case err := <-watcher.DoneCh():
ah.logger.Info("lifetime watcher done channel triggered")
VSI (#4985)
2018-07-25 02:02:27 +00:00
if err != nil {
ah.logger.Error("error renewing token", "error", err)
}
Sync up Agent and API's renewers. (#7733) * Sync up Agent and API's renewers. This introduces a new type, LifetimeWatcher, which can handle both renewable and non-renewable secrets, modeled after the version in Agent. It allows the user to select behavior, with the new style being the default when calling Start(), and old style if using the legacy Renew() call. No tests have been modified (except for reflect issues) and no other code has been modified to make sure the changes are backwards compatible. Once this is accepted I'll pull the Agent version out. * Move compat flags to NewRenewer * Port agent to shared lifetime watcher lib
2019-10-29 00:28:59 +00:00
break LifetimeWatcherLoop
VSI (#4985)
2018-07-25 02:02:27 +00:00
Sync up Agent and API's renewers. (#7733) * Sync up Agent and API's renewers. This introduces a new type, LifetimeWatcher, which can handle both renewable and non-renewable secrets, modeled after the version in Agent. It allows the user to select behavior, with the new style being the default when calling Start(), and old style if using the legacy Renew() call. No tests have been modified (except for reflect issues) and no other code has been modified to make sure the changes are backwards compatible. Once this is accepted I'll pull the Agent version out. * Move compat flags to NewRenewer * Port agent to shared lifetime watcher lib
2019-10-29 00:28:59 +00:00
case <-watcher.RenewCh():
VSI (#4985)
2018-07-25 02:02:27 +00:00
ah.logger.Info("renewed auth token")
case <-credCh:
ah.logger.Info("auth method found new credentials, re-authenticating")
Sync up Agent and API's renewers. (#7733) * Sync up Agent and API's renewers. This introduces a new type, LifetimeWatcher, which can handle both renewable and non-renewable secrets, modeled after the version in Agent. It allows the user to select behavior, with the new style being the default when calling Start(), and old style if using the legacy Renew() call. No tests have been modified (except for reflect issues) and no other code has been modified to make sure the changes are backwards compatible. Once this is accepted I'll pull the Agent version out. * Move compat flags to NewRenewer * Port agent to shared lifetime watcher lib
2019-10-29 00:28:59 +00:00
break LifetimeWatcherLoop
VSI (#4985)
2018-07-25 02:02:27 +00:00
}
}
}
}
Add configurable exponential backoff to Agent auto-auth (#10964)
2021-02-23 20:04:21 +00:00
Reset agent backoff on successful auth (#11033) The existing code would retain the previous backoff value even after the system had recovered. This PR fixes that issue and improves the structure of the backoff code.
2021-03-03 22:15:18 +00:00
// agentBackoff tracks exponential backoff state.
type agentBackoff struct {
max time.Duration
current time.Duration
}
func newAgentBackoff(max time.Duration) *agentBackoff {
if max <= 0 {
max = defaultMaxBackoff
}
return &agentBackoff{
max: max,
current: initialBackoff,
}
}
// next determines the next backoff duration that is roughly twice
// the current value, capped to a max value, with a measure of randomness.
func (b *agentBackoff) next() {
maxBackoff := 2 * b.current
if maxBackoff > b.max {
maxBackoff = b.max
Add configurable exponential backoff to Agent auto-auth (#10964)
2021-02-23 20:04:21 +00:00
}
// Trim a random amount (0-25%) off the doubled duration
trim := rand.Int63n(int64(maxBackoff) / 4)
Reset agent backoff on successful auth (#11033) The existing code would retain the previous backoff value even after the system had recovered. This PR fixes that issue and improves the structure of the backoff code.
2021-03-03 22:15:18 +00:00
b.current = maxBackoff - time.Duration(trim)
}
func (b *agentBackoff) reset() {
b.current = initialBackoff
}
func (b agentBackoff) String() string {
return b.current.Truncate(10 * time.Millisecond).String()
Add configurable exponential backoff to Agent auto-auth (#10964)
2021-02-23 20:04:21 +00:00
}
Reference in a new issue Copy permalink