consul: handle "not found" errors from Consul when deleting tokens
In Consul 1.15.0, the Delete Token API was changed so as to return an error when
deleting a non-existent ACL token. This means that if Nomad successfully deletes
the token but fails to persist that fact, it will get stuck trying to delete a
non-existent token forever.

Update the token deletion function to ignore "not found" errors and treat them
as successful deletions.

Fixes: #17833
tgross committed Jul 7, 2023
1 parent 100c460 commit 81deb09
Showing 2 changed files with 6 additions and 1 deletion.
3 changes: 3 additions & 0 deletions .changelog/17847.txt
@@ -0,0 +1,3 @@
```release-note:bug
consul: Fixed a bug where Nomad would repeatedly try to revoke successfully revoked SI tokens
```
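Review bot: The release note does not say which Consul versions trigger the bug. The commit message ties it to the Delete Token API change in Consul 1.15.0, so naming that version in the entry would let operators tell whether their clusters are affected.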
4 changes: 3 additions & 1 deletion nomad/consul.go
Expand Up @@ -419,8 +419,10 @@ func (c *consulACLsAPI) singleRevoke(ctx context.Context, accessor *structs.SITo
return err
}

// Consul will no-op the deletion of a non-existent token (no error)
_, err := c.aclClient.TokenDelete(accessor.AccessorID, &api.WriteOptions{Namespace: accessor.ConsulNamespace})
if err != nil && strings.Contains(err.Error(), "ACL not found") {
return nil // Consul will error when deleting a non-existent token
}
return err
}
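Review bot: The check `strings.Contains(err.Error(), "ACL not found")` ties correctness to the exact wording of Consul's error message and does not identify which token was not found. If the wording changes, singleRevoke goes back to returning an error for already-deleted tokens and the endless retry from the commit message returns. Please also confirm that Consul cannot return the same text for a different condition, such as the token Nomad itself presents being unknown, because that case would now be reported as a successful revocation while the SI token stays live. If the API client exposes a typed error or status code for this response, match on that instead; otherwise put the substring in a named constant and have the comment state that the error behaviour starts with Consul 1.15.0. The commit changes only the changelog and nomad/consul.go, so a test where the ACL client returns this error and singleRevoke is asserted to return nil would pin the behaviour.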
