fingerprint: add support for fingerprinting multiple Vault clusters #18253
Add fingerprinting we'll need to accept multiple Vault clusters in upcoming Nomad Enterprise features. The fingerprinter will create a map of Vault clients by cluster name. In Nomad CE, all but the default cluster will be ignored and there will be no visible behavior change.
// vaultConfigs returns the set of Vault configurations the fingerprint needs to | ||
// check. In Nomad CE we only check the default Vault. | ||
func (f *VaultFingerprint) vaultConfigs(req *FingerprintRequest) map[string]*config.VaultConfig { | ||
agentCfg := req.Config | ||
if agentCfg.VaultConfig == nil || !agentCfg.VaultConfig.IsEnabled() { | ||
return nil | ||
} | ||
|
||
return map[string]*config.VaultConfig{"default": agentCfg.VaultConfig} | ||
} |
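Review bot: the "default" key in the final return of vaultConfigs is a bare string literal, and the doc comment does not say that nil is returned when Vault is unset or not enabled. A named constant for the default cluster name would keep this function and any later per-cluster lookup in agreement, and one more comment sentence would document the nil return for callers. The function also reads req.Config without a nil check while guarding agentCfg.VaultConfig; if a nil config cannot reach this point, a comment saying so would help.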
Note for reviewers: once I get to the point where I'm ready to start instantiating multiple clients in `client/vaultclient`, I'll probably pull this out to some shared helper, but I want to keep the review sizes small in the meanwhile.
client/fingerprint/vault.go
Outdated
for _, lastState := range f.lastStates { | ||
if lastState != vaultAvailable { | ||
return true, 15 * time.Second | ||
} |
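Review bot: in the early return inside the loop over f.lastStates, 15 * time.Second is an unnamed literal, and the return fires on the first state that is not vaultAvailable, so one period is chosen for the whole set rather than per cluster. Consider naming the interval as a constant and adding a comment that states the shared period is intended, or tracking the next check time per entry.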
Probably not worth changing anything, but I think this means that a single cluster not being available will cause all clusters to be fingerprinted at this accelerated interval.
Yeah, the architecture of periodic fingerprinting means we'd end up spinning up a separate fingerprinter goroutine for each Vault (and Consul, once that's done). Maybe we could do something a little more sophisticated here though and fire the fingerprinter goroutine without necessarily sending the API calls to healthy Vaults on each pass.
I gave this a go in 05a9047. The results are a little dissatisfying. The healthy Vaults effectively get checked on a fixed 45s interval when one of the other Vaults is unhealthy. But this avoids waking up the outer loop unnecessarily and avoids desync where healthy vaults get accidentally skipped for one cycle when the group as a whole skips from unhealthy to healthy.
Nice fix for the fingerprint timing! I think the 45s period for healthy clusters is OK. There will be a longer than usual delay in case of cascading Vault cluster failures, but by then fingerprint period is the least of your problems 😄
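A sketch of the per-cluster scheduling discussed in the comments above, as an added example that is not the code from 05a9047 or from Nomad. It assumes the 15s retry from the reviewed hunk and the 45s healthy interval mentioned in the discussion; the cluster name `other` and the names `intervalFor` and `simulate` are hypothetical.

```go
package main

import (
	"fmt"
	"time"
)

// Assumed intervals from the review discussion (not Nomad's constants).
const (
	unhealthyInterval = 15 * time.Second
	healthyInterval   = 45 * time.Second
)

// intervalFor picks the next check delay from a cluster's own last result.
func intervalFor(available bool) time.Duration {
	if available {
		return healthyInterval
	}
	return unhealthyInterval
}

// simulate runs the outer loop on a virtual clock for total and returns how
// many probes each cluster received; healthy holds constructed probe results.
func simulate(healthy map[string]bool, total time.Duration) map[string]int {
	start := time.Unix(0, 0)
	next, probes := map[string]time.Time{}, map[string]int{}
	for name := range healthy {
		next[name] = start // every cluster is due on the first pass
	}
	for now := start; now.Sub(start) <= total; {
		earliest := now.Add(healthyInterval)
		for name, deadline := range next {
			if !now.Before(deadline) { // only this cluster's deadline matters
				probes[name]++
				deadline = now.Add(intervalFor(healthy[name]))
				next[name] = deadline
			}
			if deadline.Before(earliest) {
				earliest = deadline
			}
		}
		now = earliest // sleep until the soonest per-cluster deadline
	}
	return probes
}

func main() {
	fmt.Println(simulate(map[string]bool{"default": true, "other": false}, 90*time.Second))
}
```

Over 90 seconds the unavailable cluster is probed on every 15s wake-up while the healthy one is only contacted at 0s, 45s and 90s.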
I'm going to lock this pull request because it has been closed for 120 days ⏳. This helps our maintainers find and focus on the active contributions.
Ref: https://github.com/hashicorp/team-nomad/issues/404
Don't merge until we've got an ENT repo PR ready for the `vault_ent.go` file.