From 2dced0a8b95b7d536751e22c028ae61bf1b9fb62 Mon Sep 17 00:00:00 2001
From: Tim Gross
Date: Fri, 7 Jul 2023 15:47:44 -0400
Subject: [PATCH] consul: handle "not found" errors from Consul when deleting tokens
In Consul 1.15.0, the Delete Token API was changed so as to return an error when deleting a non-existent ACL token. This means that if Nomad successfully deletes the token but fails to persist that fact, it will get stuck trying to delete a non-existent token forever. Update the token deletion function to ignore "not found" errors and treat them as successful deletions.
Fixes: #17833
---
 .changelog/17847.txt | 3 +++
 nomad/consul.go | 4 +++-
 2 files changed, 6 insertions(+), 1 deletion(-)
 create mode 100644 .changelog/17847.txt
diff --git a/.changelog/17847.txt b/.changelog/17847.txt
new file mode 100644
index 00000000000..7bbee3d3f39
--- /dev/null
+++ b/.changelog/17847.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+consul: Fixed a bug where Nomad would repeatedly try to revoke successfully revoked SI tokens
+```
diff --git a/nomad/consul.go b/nomad/consul.go
index 737e46bdbaf..510adec1a9a 100644
--- a/nomad/consul.go
+++ b/nomad/consul.go
@@ -419,8 +419,10 @@ func (c *consulACLsAPI) singleRevoke(ctx context.Context, accessor *structs.SITo
 return err
 }
- // Consul will no-op the deletion of a non-existent token (no error)
 _, err := c.aclClient.TokenDelete(accessor.AccessorID, &api.WriteOptions{Namespace: accessor.ConsulNamespace})
+ if err != nil && strings.Contains(err.Error(), "Cannot find token to delete") {
+ return nil // Consul will error when deleting a non-existent token
+ }
 return err
 }
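Review bot: The added `strings.Contains(err.Error(), "Cannot find token to delete")` check in singleRevoke decides that an SI token has been revoked by matching Consul's human-readable error text, which is brittle for a credential-revocation path. If Consul rewords the message, the endless retry described in the commit message comes back; and any other failure whose text happens to contain this phrase would be recorded as a successful revocation while the token may still be valid in Consul. Prefer a structured check if the vendored Consul API client exposes the response status, and otherwise hoist the text into a named constant with a comment tying it to Consul 1.15.0, e.g. `const consulTokenNotFoundMsg = "Cannot find token to delete"`. It would also help to log the accessor ID whenever this branch returns nil, so tokens treated as already revoked remain auditable, and to add a test for the not-found error, since the diffstat shows only the changelog and consul.go being touched. The body of singleRevoke begins above the hunk, so the rate-limit and stop checks before this call are not visible here.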