Test Shamir-to-Transit and Transit-to-Shamir Seal Migration for post-1.4 Vault. #9214
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -412,16 +412,9 @@ func (p *TestRaftServerAddressProvider) ServerAddr(id raftlib.ServerID) (raftlib | |
} | ||
|
||
func RaftClusterJoinNodes(t testing.T, cluster *vault.TestCluster) { | ||
raftClusterJoinNodes(t, cluster, false) | ||
} | ||
|
||
func RaftClusterJoinNodesWithStoredKeys(t testing.T, cluster *vault.TestCluster) { | ||
raftClusterJoinNodes(t, cluster, true) | ||
} | ||
|
||
func raftClusterJoinNodes(t testing.T, cluster *vault.TestCluster, useStoredKeys bool) { | ||
|
||
addressProvider := &TestRaftServerAddressProvider{Cluster: cluster} | ||
|
||
atomic.StoreUint32(&vault.UpdateClusterAddrForTests, 1) | ||
|
||
leader := cluster.Cores[0] | ||
|
@@ -430,11 +423,7 @@ func raftClusterJoinNodes(t testing.T, cluster *vault.TestCluster, useStoredKeys | |
{ | ||
EnsureCoreSealed(t, leader) | ||
leader.UnderlyingRawStorage.(*raft.RaftBackend).SetServerAddressProvider(addressProvider) | ||
if useStoredKeys { | ||
cluster.UnsealCoreWithStoredKeys(t, leader) | ||
} else { | ||
cluster.UnsealCore(t, leader) | ||
} | ||
cluster.UnsealCore(t, leader) | ||
vault.TestWaitActive(t, leader.Core) | ||
} | ||
|
||
|
@@ -454,6 +443,37 @@ func raftClusterJoinNodes(t testing.T, cluster *vault.TestCluster, useStoredKeys | |
t.Fatal(err) | ||
} | ||
|
||
cluster.UnsealCore(t, core) | ||
} | ||
|
||
WaitForNCoresUnsealed(t, cluster, len(cluster.Cores)) | ||
} | ||
|
||
// JoinRaftFollowers unseals the leader, and then joins-and-unseals the | ||
// followers one at a time. We assume that the ServerAddressProvider has | ||
// already been installed on all the nodes. | ||
func JoinRaftFollowers(t testing.T, cluster *vault.TestCluster, useStoredKeys bool) { | ||
mjarmy marked this conversation as resolved.
|
||
|
||
leader := cluster.Cores[0] | ||
|
||
cluster.UnsealCore(t, leader) | ||
vault.TestWaitActive(t, leader.Core) | ||
|
||
leaderInfos := []*raft.LeaderJoinInfo{ | ||
&raft.LeaderJoinInfo{ | ||
LeaderAPIAddr: leader.Client.Address(), | ||
TLSConfig: leader.TLSConfig, | ||
}, | ||
} | ||
|
||
// Join followers | ||
for i := 1; i < len(cluster.Cores); i++ { | ||
core := cluster.Cores[i] | ||
_, err := core.JoinRaftCluster(namespace.RootContext(context.Background()), leaderInfos, false) | ||
if err != nil { | ||
t.Fatal(err) | ||
} | ||
|
||
if useStoredKeys { | ||
// For autounseal, the raft backend is not initialized right away | ||
// after the join. We need to wait briefly before we can unseal. | ||
|
@@ -505,11 +525,11 @@ func (p *HardcodedServerAddressProvider) ServerAddr(id raftlib.ServerID) (raftli | |
|
||
// NewHardcodedServerAddressProvider is a convenience function that makes a | ||
// ServerAddressProvider from a given cluster address base port. | ||
func NewHardcodedServerAddressProvider(cluster *vault.TestCluster, baseClusterPort int) raftlib.ServerAddressProvider { | ||
func NewHardcodedServerAddressProvider(numCores, baseClusterPort int) raftlib.ServerAddressProvider { | ||
|
||
entries := make(map[raftlib.ServerID]raftlib.ServerAddress) | ||
|
||
for i := 0; i < len(cluster.Cores); i++ { | ||
for i := 0; i < numCores; i++ { | ||
id := fmt.Sprintf("core-%d", i) | ||
addr := fmt.Sprintf("127.0.0.1:%d", baseClusterPort+i) | ||
entries[raftlib.ServerID(id)] = raftlib.ServerAddress(addr) | ||
|
@@ -520,17 +540,6 @@ func NewHardcodedServerAddressProvider(cluster *vault.TestCluster, baseClusterPo | |
} | ||
} | ||
|
||
// SetRaftAddressProviders sets a ServerAddressProvider for all the nodes in a | ||
// cluster. | ||
func SetRaftAddressProviders(t testing.T, cluster *vault.TestCluster, provider raftlib.ServerAddressProvider) { | ||
How come this is no longer used/required?
I'm doing it inside the ReusableRaftStorage now |
||
|
||
atomic.StoreUint32(&vault.UpdateClusterAddrForTests, 1) | ||
|
||
for _, core := range cluster.Cores { | ||
core.UnderlyingRawStorage.(*raft.RaftBackend).SetServerAddressProvider(provider) | ||
} | ||
} | ||
|
||
// VerifyRaftConfiguration checks that we have a valid raft configuration, i.e. | ||
// the correct number of servers, having the correct NodeIDs, and exactly one | ||
// leader. | ||
|
@@ -565,6 +574,35 @@ func VerifyRaftConfiguration(core *vault.TestClusterCore, numCores int) error { | |
return nil | ||
} | ||
|
||
// AwaitLeader waits for one of the cluster's nodes to become leader. | ||
func AwaitLeader(t testing.T, cluster *vault.TestCluster) (int, error) { | ||
We already have a wait for leader function, do we need both?
I needed a function that returned the index of the leader core |
||
|
||
timeout := time.Now().Add(30 * time.Second) | ||
for { | ||
if time.Now().After(timeout) { | ||
mjarmy marked this conversation as resolved.
|
||
break | ||
} | ||
|
||
for i, core := range cluster.Cores { | ||
if core.Core.Sealed() { | ||
continue | ||
} | ||
|
||
isLeader, _, _, err := core.Leader() | ||
if err != nil { | ||
t.Fatal(err) | ||
I would probably not error out here. Allow errors until the timeout elapses in case the cluster is still coming up and behaving strangely.
(but still report the last error encountered upon timeout, don't just report a timeout) |
||
} | ||
if isLeader { | ||
return i, nil | ||
} | ||
} | ||
|
||
time.Sleep(time.Second) | ||
} | ||
|
||
return 0, fmt.Errorf("timeout waiting leader") | ||
0 is a valid index, I would return -1 here. |
||
} | ||
|
||
func GenerateDebugLogs(t testing.T, client *api.Client) chan struct{} { | ||
t.Helper() | ||
|
||
|
I don't think this is equivalent logic to what was previously here. We don't want to use recovery keys to unseal; we want to wait for the stored key to do the job for us.
It is equivalent logic to what was originally here though -- we currently don't have any tests that call this function with stored keys.
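Review bot: The doc comment on `NewHardcodedServerAddressProvider` still describes only the base port, so the new `numCores` parameter is undocumented, and because it shares the `int` type with `baseClusterPort` a call with the two arguments swapped compiles without complaint. I would reword it to `// NewHardcodedServerAddressProvider returns a ServerAddressProvider that maps core-0 through core-(numCores-1) to 127.0.0.1:baseClusterPort+i.` The same gap shows in the other added helpers: the comment on `AwaitLeader` does not say that the returned int is an index into `cluster.Cores` or that the wait is bounded at 30 seconds, and the comment on `JoinRaftFollowers` does not say what `useStoredKeys` changes. The bodies of `NewHardcodedServerAddressProvider` and `JoinRaftFollowers` continue outside the visible hunks.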