consul: probe consul namespace feature before using namespace api #10715
Conversation
This PR changes Nomad's wrapper around the Consul NamespaceAPI so that it will detect if the Consul Namespaces feature is enabled before making a request to the Namespaces API. Namespaces are not enabled in Consul OSS, and require a suitable license to be used with Consul ENT. Previously Nomad would check for a 404 status code when makeing a request to the Namespaces API to "detect" if Consul OSS was being used. This does not work for Consul ENT with Namespaces disabled, which returns a 500. Now we avoid requesting the namespace API altogether if Consul is detected to be the OSS sku, or if the Namespaces feature is not licensed. Since Consul can be upgraded from OSS to ENT, or a new license applied, we cache the value for 1 minute, refreshing on demand if expired. Fixes hashicorp/nomad-enterprise#575 Note that the ticket originally describes using attributes from #10688. This turns out not to be possible due to a chicken-egg situation between bootstrapping the agent and setting up the consul client. Also fun: the Consul fingerprinter creates its own Consul client, because there is no [currently] no way to pass the agent's client through the fingerprint factory.
| // potentially change over time. | ||
| type Self = map[string]map[string]interface{} | ||
|
|
||
| func SKU(info Self) (string, bool) { |
There was a problem hiding this comment.
When the SKU and Namespaces functions were in the fingerprinter, it made sense that they returned (string, bool). But now that they're in a different package entirely, their signature is "weird". For SKU the bool is false iff the string is empty, and for Namespaces we're returning a stringified version of the bool.
Maybe it'd be better if SKU returned just a string and Namespaces returned just a bool, and let their callers in the fingerprint extractors and namespace client sort out returning the values the fingerprinter expects?
|
Hello folks, sorry to comment here but I have no access to nomad enterprise issues. Is that the root cause of the following terraform issue introduced by 1.1.0: Thanks |
|
I'm going to lock this pull request because it has been closed for 120 days ⏳. This helps our maintainers find and focus on the active contributions. |
This PR changes Nomad's wrapper around the Consul NamespaceAPI so that
it will detect if the Consul Namespaces feature is enabled before making
a request to the Namespaces API. Namespaces are not enabled in Consul OSS,
and require a suitable license to be used with Consul ENT.
Previously Nomad would check for a 404 status code when makeing a request
to the Namespaces API to "detect" if Consul OSS was being used. This does
not work for Consul ENT with Namespaces disabled, which returns a 500.
Now we avoid requesting the namespace API altogether if Consul is detected
to be the OSS sku, or if the Namespaces feature is not licensed. Since
Consul can be upgraded from OSS to ENT, or a new license applied, we cache
the value for 1 minute, refreshing on demand if expired.
Fixes https://github.com/hashicorp/nomad-enterprise/issues/575
Note that the ticket originally describes using attributes from #10688.
This turns out not to be possible due to a chicken-egg situation between
bootstrapping the agent and setting up the consul client. Also fun: the
Consul fingerprinter creates its own Consul client, because there is no
currently no way to pass the agent's client through the fingerprint factory.