consul
Immediately (mostly) useable ACL tokens: add wait and check call to allow for ACL token replication
Description
This is a borrowed workaround to allow time for ACL tokens to go through raft so that they can be immediately used after a login / creation request. See code comments for full description.
Original implementation in consul-k8s: https://github.com/hashicorp/consul-k8s/blob/dc7f08965c01d2180813d0d83539a49bcc60a7d3/control-plane/subcommand/common/common.go#L156

Once this PR is merged, a follow-up PR will remove this wait from consul-k8s, since this will be moving the retry loop upstream into the consul client API itself. This should address all calls to the underlying token API, removing the need for dependent projects like consul-k8s to determine which calls should be handled with a retry loop.
Testing & Reproduction steps
Tested with removed consul k8s retry loop.
- No k8s retry loop + these changes
- No k8s retry loop + without these changes
- No k8s retry loop + forced leader change + changes to delay raft write
- VM create at follower + immediate access request + delay raft write + without these changes
- VM create at follower + immediate access request + delay raft write + with these changes
PR Checklist
- [ ] updated test coverage
- [ ] external facing docs updated
- [ ] not a security concern
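
The wait-and-check idea described above, sketched as an added example that is not code from this PR or from consul-k8s. The error value `errACLNotFound`, the fake `laggingFollower` and the function `waitForToken` are assumptions made for illustration; the point shown is that only the "token not yet visible" error is retried, with a bounded wait, so a genuine denial is never hidden by the loop.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"time"
)

// errACLNotFound is a stand-in for the error a server returns while it has
// not yet applied the raft entry that created the token (assumed name).
var errACLNotFound = errors.New("ACL not found")

// laggingFollower builds a constructed fake "read my own token" call: the
// token becomes visible only after lag reads, simulating replication delay.
func laggingFollower(lag int) func(context.Context) error {
	reads := 0
	return func(context.Context) error {
		if reads++; reads <= lag {
			return errACLNotFound
		}
		return nil
	}
}

// waitForToken polls readSelf until the token is visible and returns the
// number of reads made. Only errACLNotFound is retried: any other error
// (denied, revoked, network) is returned at once so the wait cannot mask it.
func waitForToken(ctx context.Context, readSelf func(context.Context) error, every time.Duration) (int, error) {
	for attempt := 1; ; attempt++ {
		err := readSelf(ctx)
		if err == nil || !errors.Is(err, errACLNotFound) {
			return attempt, err
		}
		select {
		case <-ctx.Done(): // bounded wait: give up instead of hanging
			return attempt, fmt.Errorf("token not visible after %d reads: %w", attempt, ctx.Err())
		case <-time.After(every):
		}
	}
}

func main() {
	ctx, cancel := context.WithTimeout(context.Background(), time.Second)
	defer cancel()
	n, err := waitForToken(ctx, laggingFollower(3), 10*time.Millisecond)
	fmt.Println("reads:", n, "err:", err)
}
```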