Merge remote-tracking branch 'origin/master' into release-0.11.2

hashicorp · May 14, 2020 · aa0cbf7 · aa0cbf7
2 parents 74f2e44 + f491c86
commit aa0cbf7
Show file tree

Hide file tree

Showing 26 changed files with 6,026 additions and 6,626 deletions.
diff --git a/.github/workflows/ember-assets.yml b/.github/workflows/ember-assets.yml
@@ -0,0 +1,24 @@
+name: Ember Asset Sizes
+
+on:
+  pull_request:
+    paths:
+    - 'ui/**'
+
+jobs:
+  build:
+
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v2-beta
+        with:
+          fetch-depth: 0
+      - name: Use Node.js
+        uses: actions/setup-node@v1
+        with:
+          node-version: '10.x'
+      - uses: backspace/ember-asset-size-action@edit-comment
+        with:
+          repo-token: "${{ secrets.GITHUB_TOKEN }}"
+          working-directory: "ui"
diff --git a/client/pluginmanager/csimanager/volume.go b/client/pluginmanager/csimanager/volume.go
@@ -203,7 +203,7 @@ func (v *volumeManager) publishVolume(ctx context.Context, vol *structs.CSIVolum
 	// CSI NodePublishVolume errors for timeout, codes.Unavailable and
 	// codes.ResourceExhausted are retried; all other errors are fatal.
 	err = v.plugin.NodePublishVolume(ctx, &csi.NodePublishVolumeRequest{
-		VolumeID:          vol.RemoteID(),
+		ExternalID:        vol.RemoteID(),
 		PublishContext:    publishContext,
 		StagingTargetPath: pluginStagingPath,
 		TargetPath:        pluginTargetPath,

diff --git a/client/structs/csi.go b/client/structs/csi.go
@@ -91,7 +91,7 @@ func (c *ClientCSIControllerAttachVolumeRequest) ToCSIRequest() (*csi.Controller
 	}
 
 	return &csi.ControllerPublishVolumeRequest{
-		VolumeID:         c.VolumeID,
+		ExternalID:       c.VolumeID,
 		NodeID:           c.ClientCSINodeID,
 		VolumeCapability: caps,
 		ReadOnly:         c.ReadOnly,
@@ -121,7 +121,7 @@ type ClientCSIControllerAttachVolumeResponse struct {
 }
 
 type ClientCSIControllerDetachVolumeRequest struct {
-	// The ID of the volume to be unpublished for the node
+	// The external ID of the volume to be unpublished for the node
 	// This field is REQUIRED.
 	VolumeID string
 
@@ -143,8 +143,8 @@ func (c *ClientCSIControllerDetachVolumeRequest) ToCSIRequest() *csi.ControllerU
 	}
 
 	return &csi.ControllerUnpublishVolumeRequest{
-		VolumeID: c.VolumeID,
-		NodeID:   c.ClientCSINodeID,
+		ExternalID: c.VolumeID,
+		NodeID:     c.ClientCSINodeID,
 	}
 }
 

diff --git a/command/agent/command.go b/command/agent/command.go
@@ -349,39 +349,36 @@ func (c *Command) isValidConfig(config, cmdConfig *Config) bool {
 		}
 	}
 
-	if config.DevMode {
-		// Skip the rest of the validation for dev mode
-		return true
-	}
-
-	// Ensure that we have the directories we need to run.
-	if config.Server.Enabled && config.DataDir == "" {
-		c.Ui.Error("Must specify data directory")
+	if err := config.Server.DefaultSchedulerConfig.Validate(); err != nil {
+		c.Ui.Error(err.Error())
 		return false
 	}
 
-	// The config is valid if the top-level data-dir is set or if both
-	// alloc-dir and state-dir are set.
-	if config.Client.Enabled && config.DataDir == "" {
-		if config.Client.AllocDir == "" || config.Client.StateDir == "" || config.PluginDir == "" {
-			c.Ui.Error("Must specify the state, alloc dir, and plugin dir if data-dir is omitted.")
+	if !config.DevMode {
+		// Ensure that we have the directories we need to run.
+		if config.Server.Enabled && config.DataDir == "" {
+			c.Ui.Error("Must specify data directory")
 			return false
 		}
-	}
 
-	// Check the bootstrap flags
-	if !config.Server.Enabled && cmdConfig.Server.BootstrapExpect > 0 {
-		// report an error if BootstrapExpect is set in CLI but server is disabled
-		c.Ui.Error("Bootstrap requires server mode to be enabled")
-		return false
-	}
-	if config.Server.Enabled && config.Server.BootstrapExpect == 1 {
-		c.Ui.Error("WARNING: Bootstrap mode enabled! Potentially unsafe operation.")
-	}
+		// The config is valid if the top-level data-dir is set or if both
+		// alloc-dir and state-dir are set.
+		if config.Client.Enabled && config.DataDir == "" {
+			if config.Client.AllocDir == "" || config.Client.StateDir == "" || config.PluginDir == "" {
+				c.Ui.Error("Must specify the state, alloc dir, and plugin dir if data-dir is omitted.")
+				return false
+			}
+		}
 
-	if err := config.Server.DefaultSchedulerConfig.Validate(); err != nil {
-		c.Ui.Error(err.Error())
-		return false
+		// Check the bootstrap flags
+		if !config.Server.Enabled && cmdConfig.Server.BootstrapExpect > 0 {
+			// report an error if BootstrapExpect is set in CLI but server is disabled
+			c.Ui.Error("Bootstrap requires server mode to be enabled")
+			return false
+		}
+		if config.Server.Enabled && config.Server.BootstrapExpect == 1 {
+			c.Ui.Error("WARNING: Bootstrap mode enabled! Potentially unsafe operation.")
+		}
 	}
 
 	return true

diff --git a/e2e/terraform/shared/config/provision-client.sh b/e2e/terraform/shared/config/provision-client.sh
@@ -49,7 +49,7 @@ sudo mkdir -p /tmp/data
 # Install CNI plugins
 sudo mkdir -p /opt/cni/bin
 wget -q -O - \
-     https://github.com/containernetworking/plugins/releases/download/v0.8.4/cni-plugins-linux-amd64-v0.8.4.tgz \
+     https://github.com/containernetworking/plugins/releases/download/v0.8.6/cni-plugins-linux-amd64-v0.8.6.tgz \
     | sudo tar -C /opt/cni/bin -xz
 
 # enable as a systemd service

diff --git a/e2e/terraform/shared/config/provision-windows-client.ps1 b/e2e/terraform/shared/config/provision-windows-client.ps1
@@ -36,7 +36,7 @@ New-Item -ItemType "directory" -Path "C:\tmp\data" -Force
 # TODO(tgross): not sure we even support this for Windows?
 # Write-Output "Install CNI"
 # md C:\opt\cni\bin
-# $cni_url = "https://github.com/containernetworking/plugins/releases/download/v0.8.4/cni-plugins-windows-amd64-v0.8.4.tgz"
+# $cni_url = "https://github.com/containernetworking/plugins/releases/download/v0.8.6/cni-plugins-windows-amd64-v0.8.6.tgz"
 # Invoke-WebRequest -Uri "$cni_url" -Outfile cni.tgz
 # Expand-7Zip -ArchiveFileName .\cni.tgz -TargetPath C:\opt\cni\bin\ -Force
 

diff --git a/nomad/vault.go b/nomad/vault.go
@@ -6,6 +6,7 @@ import (
 	"fmt"
 	"math/rand"
 	"strconv"
+	"strings"
 	"sync"
 	"sync/atomic"
 	"time"
@@ -1135,7 +1136,9 @@ func (v *vaultClient) storeForRevocation(accessors []*structs.VaultAccessor) {
 
 	now := time.Now()
 	for _, a := range accessors {
-		v.revoking[a] = now.Add(time.Duration(a.CreationTTL) * time.Second)
+		if _, ok := v.revoking[a]; !ok {
+			v.revoking[a] = now.Add(time.Duration(a.CreationTTL) * time.Second)
+		}
 	}
 	v.revLock.Unlock()
 }
@@ -1176,7 +1179,8 @@ func (v *vaultClient) parallelRevoke(ctx context.Context, accessors []*structs.V
 						return nil
 					}
 
-					if err := v.auth.RevokeAccessor(va.Accessor); err != nil {
+					err := v.auth.RevokeAccessor(va.Accessor)
+					if err != nil && !strings.Contains(err.Error(), "invalid accessor") {
 						return fmt.Errorf("failed to revoke token (alloc: %q, node: %q, task: %q): %v", va.AllocID, va.NodeID, va.Task, err)
 					}
 				case <-pCtx.Done():

diff --git a/nomad/vault_test.go b/nomad/vault_test.go
@@ -1409,6 +1409,52 @@ func TestVaultClient_RevokeTokens_PreEstablishs(t *testing.T) {
 	}
 }
 
+// TestVaultClient_RevokeTokens_failures_TTL asserts that
+// the registered TTL doesn't get extended on retries
+func TestVaultClient_RevokeTokens_Failures_TTL(t *testing.T) {
+	t.Parallel()
+	vconfig := &config.VaultConfig{
+		Enabled: helper.BoolToPtr(true),
+		Token:   uuid.Generate(),
+		Addr:    "http://127.0.0.1:0",
+	}
+	logger := testlog.HCLogger(t)
+	client, err := NewVaultClient(vconfig, logger, nil)
+	if err != nil {
+		t.Fatalf("failed to build vault client: %v", err)
+	}
+	client.SetActive(true)
+	defer client.Stop()
+
+	// Create some VaultAccessors
+	vas := []*structs.VaultAccessor{
+		mock.VaultAccessor(),
+		mock.VaultAccessor(),
+	}
+
+	err = client.RevokeTokens(context.Background(), vas, true)
+	require.NoError(t, err)
+
+	// Was committed
+	require.Len(t, client.revoking, 2)
+
+	// set TTL
+	ttl := time.Now().Add(50 * time.Second)
+	client.revoking[vas[0]] = ttl
+	client.revoking[vas[1]] = ttl
+
+	// revoke again and ensure that TTL isn't extended
+	err = client.RevokeTokens(context.Background(), vas, true)
+	require.NoError(t, err)
+
+	require.Len(t, client.revoking, 2)
+	expected := map[*structs.VaultAccessor]time.Time{
+		vas[0]: ttl,
+		vas[1]: ttl,
+	}
+	require.Equal(t, expected, client.revoking)
+}
+
 func TestVaultClient_RevokeTokens_Root(t *testing.T) {
 	t.Parallel()
 	v := testutil.NewTestVault(t)
@@ -1541,6 +1587,86 @@ func TestVaultClient_RevokeTokens_Role(t *testing.T) {
 	}
 }
 
+// TestVaultClient_RevokeTokens_Idempotent asserts that token revocation
+// is idempotent, and can cope with cases if token was deleted out of band.
+func TestVaultClient_RevokeTokens_Idempotent(t *testing.T) {
+	t.Parallel()
+	v := testutil.NewTestVault(t)
+	defer v.Stop()
+
+	// Set the configs token in a new test role
+	v.Config.Token = defaultTestVaultWhitelistRoleAndToken(v, t, 5)
+
+	purged := map[string]struct{}{}
+	purge := func(accessors []*structs.VaultAccessor) error {
+		for _, accessor := range accessors {
+			purged[accessor.Accessor] = struct{}{}
+		}
+		return nil
+	}
+
+	logger := testlog.HCLogger(t)
+	client, err := NewVaultClient(v.Config, logger, purge)
+	if err != nil {
+		t.Fatalf("failed to build vault client: %v", err)
+	}
+	client.SetActive(true)
+	defer client.Stop()
+
+	waitForConnection(client, t)
+
+	// Create some vault tokens
+	auth := v.Client.Auth().Token()
+	req := vapi.TokenCreateRequest{
+		Policies: []string{"default"},
+	}
+	t1, err := auth.Create(&req)
+	require.NoError(t, err)
+	require.NotNil(t, t1)
+	require.NotNil(t, t1.Auth)
+
+	t2, err := auth.Create(&req)
+	require.NoError(t, err)
+	require.NotNil(t, t2)
+	require.NotNil(t, t2.Auth)
+
+	t3, err := auth.Create(&req)
+	require.NoError(t, err)
+	require.NotNil(t, t3)
+	require.NotNil(t, t3.Auth)
+
+	// revoke t3 out of band
+	err = auth.RevokeAccessor(t3.Auth.Accessor)
+	require.NoError(t, err)
+
+	// Create two VaultAccessors
+	vas := []*structs.VaultAccessor{
+		{Accessor: t1.Auth.Accessor},
+		{Accessor: t2.Auth.Accessor},
+		{Accessor: t3.Auth.Accessor},
+	}
+
+	// Issue a token revocation
+	err = client.RevokeTokens(context.Background(), vas, true)
+	require.NoError(t, err)
+	require.Empty(t, client.revoking)
+
+	// revoke token again
+	err = client.RevokeTokens(context.Background(), vas, true)
+	require.NoError(t, err)
+	require.Empty(t, client.revoking)
+
+	// Lookup the token and make sure we get an error
+	require.Len(t, purged, 3)
+	require.Contains(t, purged, t1.Auth.Accessor)
+	require.Contains(t, purged, t2.Auth.Accessor)
+	require.Contains(t, purged, t3.Auth.Accessor)
+	s, err := auth.Lookup(t1.Auth.ClientToken)
+	require.Errorf(t, err, "failed to purge token: %v", s)
+	s, err = auth.Lookup(t2.Auth.ClientToken)
+	require.Errorf(t, err, "failed to purge token: %v", s)
+}
+
 func waitForConnection(v *vaultClient, t *testing.T) {
 	testutil.WaitForResult(func() (bool, error) {
 		return v.ConnectionEstablished()