From e29cf567d14bde48c686b479872b24b908435645 Mon Sep 17 00:00:00 2001
From: Alex Dadgar
Date: Fri, 1 Sep 2017 15:14:25 -0700
Subject: [PATCH 1/2] Vendor consul-template Fixes https://github.com/hashicorp/nomad/issues/3133
---
 .../consul-template/dependency/vault_read.go | 16 ++++------
 .../consul-template/dependency/vault_token.go | 20 +++++++------
 .../consul-template/dependency/vault_write.go | 16 ++++------
 vendor/vendor.json | 30 +++++++++----------
 4 files changed, 38 insertions(+), 44 deletions(-)
diff --git a/vendor/github.com/hashicorp/consul-template/dependency/vault_read.go b/vendor/github.com/hashicorp/consul-template/dependency/vault_read.go
index 2a6e948a576..3d86fe1c324 100644
--- a/vendor/github.com/hashicorp/consul-template/dependency/vault_read.go
+++ b/vendor/github.com/hashicorp/consul-template/dependency/vault_read.go
@@ -85,16 +85,12 @@ func (d *VaultReadQuery) Fetch(clients *ClientSet, opts *QueryOptions) (interfac
 } else {
 // The secret isn't renewable, probably the generic secret backend.
 dur := vaultRenewDuration(d.secret)
- if dur < opts.VaultGrace {
- log.Printf("[TRACE] %s: remaining lease %s is less than grace, skipping sleep", d, dur)
- } else {
- log.Printf("[TRACE] %s: secret is not renewable, sleeping for %s", d, dur)
- select {
- case <-time.After(dur):
- // The lease is almost expired, it's time to request a new one.
- case <-d.stopCh:
- return nil, nil, ErrStopped
- }
+ log.Printf("[TRACE] %s: secret is not renewable, sleeping for %s", d, dur)
+ select {
+ case <-time.After(dur):
+ // The lease is almost expired, it's time to request a new one.
+ case <-d.stopCh:
+ return nil, nil, ErrStopped
 }
 }
 }
diff --git a/vendor/github.com/hashicorp/consul-template/dependency/vault_token.go b/vendor/github.com/hashicorp/consul-template/dependency/vault_token.go
index 2c81c67f6da..a3c7f4c8743 100644
--- a/vendor/github.com/hashicorp/consul-template/dependency/vault_token.go
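Review bot: In the non-renewable branch of VaultReadQuery.Fetch (vault_read.go) the sleep now depends entirely on `vaultRenewDuration(d.secret)`, and nothing in the hunk guards against that value being zero or very small. vaultRenewDuration is defined outside this diff, so this is inferred, but if it can return a near-zero duration for a short-lived secret, `time.After(dur)` fires at once and the query goes straight back to Vault, which is the high-load pattern the changelog entry says this change fixes. A floor before the select would make the bound explicit, e.g. `if dur < time.Second { dur = time.Second }`, with a comment saying why `opts.VaultGrace` is no longer consulted here. The same applies to the identical hunk in vault_write.go (VaultWriteQuery.Fetch); both Fetch bodies start and end outside their hunks.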
+++ b/vendor/github.com/hashicorp/consul-template/dependency/vault_token.go
@@ -79,17 +79,19 @@ func (d *VaultTokenQuery) Fetch(clients *ClientSet, opts *QueryOptions) (interfa
 }
 // The secret isn't renewable, probably the generic secret backend.
+ // TODO This is incorrect when given a non-renewable template. We should
+ // instead to a lookup self to determine the lease duration.
 dur := vaultRenewDuration(d.secret)
 if dur < opts.VaultGrace {
- log.Printf("[TRACE] %s: remaining lease %s is less than grace, skipping sleep", d, dur)
- } else {
- log.Printf("[TRACE] %s: token is not renewable, sleeping for %s", d, dur)
- select {
- case <-time.After(dur):
- // The lease is almost expired, it's time to request a new one.
- case <-d.stopCh:
- return nil, nil, ErrStopped
- }
+ dur = opts.VaultGrace
+ }
+
+ log.Printf("[TRACE] %s: token is not renewable, sleeping for %s", d, dur)
+ select {
+ case <-time.After(dur):
+ // The lease is almost expired, it's time to request a new one.
+ case <-d.stopCh:
+ return nil, nil, ErrStopped
 }
 return nil, nil, ErrLeaseExpired
diff --git a/vendor/github.com/hashicorp/consul-template/dependency/vault_write.go b/vendor/github.com/hashicorp/consul-template/dependency/vault_write.go
index e3aa0154444..4970301d5cd 100644
--- a/vendor/github.com/hashicorp/consul-template/dependency/vault_write.go
+++ b/vendor/github.com/hashicorp/consul-template/dependency/vault_write.go
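Review bot: In VaultTokenQuery.Fetch (vault_token.go), `if dur < opts.VaultGrace { dur = opts.VaultGrace }` lengthens the sleep whenever the computed duration is shorter than the grace period. Assuming dur tracks the remaining lease, ErrLeaseExpired can then be returned only after the token has already expired at Vault, leaving dependants holding a dead token for the difference. The added TODO admits the value is wrong but not in which direction; I would spell that out and fix its wording, e.g. `// TODO: dur is wrong for a non-renewable token; do a lookup-self to get the remaining TTL.` followed by `// Until then the sleep is clamped up to VaultGrace, which can outlast the lease.`. vault_read.go and vault_write.go drop the grace comparison entirely while this file keeps it as a lower bound, and that difference also deserves a line of explanation. Fetch starts and ends outside the hunk.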
@@ -92,16 +92,12 @@ func (d *VaultWriteQuery) Fetch(clients *ClientSet, opts *QueryOptions) (interfa
 } else {
 // The secret isn't renewable, probably the generic secret backend.
 dur := vaultRenewDuration(d.secret)
- if dur < opts.VaultGrace {
- log.Printf("[TRACE] %s: remaining lease %s is less than grace, skipping sleep", d, dur)
- } else {
- log.Printf("[TRACE] %s: secret is not renewable, sleeping for %s", d, dur)
- select {
- case <-time.After(dur):
- // The lease is almost expired, it's time to request a new one.
- case <-d.stopCh:
- return nil, nil, ErrStopped
- }
+ log.Printf("[TRACE] %s: secret is not renewable, sleeping for %s", d, dur)
+ select {
+ case <-time.After(dur):
+ // The lease is almost expired, it's time to request a new one.
+ case <-d.stopCh:
+ return nil, nil, ErrStopped
 }
 }
 }
diff --git a/vendor/vendor.json b/vendor/vendor.json
index efec0e9d8ad..af06c3b1478 100644
--- a/vendor/vendor.json
+++ b/vendor/vendor.json
@@ -648,44 +648,44 @@ { "checksumSHA1": "Nu2j1GusM7ZH0uYrGzqr1K7yH7I=", "path": "github.com/hashicorp/consul-template/child", - "revision": "a6369e8e105f2f5534671e2609dc19e20b55da96", - "revisionTime": "2017-08-25T23:40:39Z" + "revision": "2ad07927ef7f87f3e513becb58b3fe6d2c3cbb7d", + "revisionTime": "2017-09-01T21:49:09Z" }, { "checksumSHA1": "lemUzh6uQDMxuvTT/BREYdGcS0U=", "path": "github.com/hashicorp/consul-template/config", - "revision": "a6369e8e105f2f5534671e2609dc19e20b55da96", - "revisionTime": "2017-08-25T23:40:39Z" + "revision": "2ad07927ef7f87f3e513becb58b3fe6d2c3cbb7d", + "revisionTime": "2017-09-01T21:49:09Z" }, { - "checksumSHA1": "WVZ+pqn/HLLXjj+Tj5ZZvD7w6r0=", + "checksumSHA1": "ki5mjKALz3JrAee3mYUNl8pFJnU=", "path": "github.com/hashicorp/consul-template/dependency", - "revision": "a6369e8e105f2f5534671e2609dc19e20b55da96", - "revisionTime": "2017-08-25T23:40:39Z" + "revision": "2ad07927ef7f87f3e513becb58b3fe6d2c3cbb7d", + "revisionTime": "2017-09-01T21:49:09Z" }, { "checksumSHA1": "ZuqKmrZAWgHbWGGt1e9RAMZ4wvs=", "path": "github.com/hashicorp/consul-template/manager", - "revision": "a6369e8e105f2f5534671e2609dc19e20b55da96", - "revisionTime": "2017-08-25T23:40:39Z" + "revision": "2ad07927ef7f87f3e513becb58b3fe6d2c3cbb7d", + "revisionTime": "2017-09-01T21:49:09Z" }, { "checksumSHA1": "YSEUV/9/k85XciRKu0cngxdjZLE=", "path": "github.com/hashicorp/consul-template/signals", - "revision": "a6369e8e105f2f5534671e2609dc19e20b55da96", - "revisionTime": "2017-08-25T23:40:39Z" + "revision": "2ad07927ef7f87f3e513becb58b3fe6d2c3cbb7d", + "revisionTime": "2017-09-01T21:49:09Z" }, { "checksumSHA1": "zSvJlNfZS3fCRlFaZ7r9Q+N17T8=", "path": "github.com/hashicorp/consul-template/template", - "revision": "a6369e8e105f2f5534671e2609dc19e20b55da96", - "revisionTime": "2017-08-25T23:40:39Z" + "revision": "2ad07927ef7f87f3e513becb58b3fe6d2c3cbb7d", + "revisionTime": "2017-09-01T21:49:09Z" }, { "checksumSHA1": "b4+Y+02pY2Y5620F9ALzKg8Zmdw=", "path": 
"github.com/hashicorp/consul-template/watch", - "revision": "a6369e8e105f2f5534671e2609dc19e20b55da96", - "revisionTime": "2017-08-25T23:40:39Z" + "revision": "2ad07927ef7f87f3e513becb58b3fe6d2c3cbb7d", + "revisionTime": "2017-09-01T21:49:09Z" }, { "checksumSHA1": "jfELEMRhiTcppZmRH+ZwtkVS5Uw=", From da4aa7ff20314a33ced84b3289f7da086d60a8c9 Mon Sep 17 00:00:00 2001 From: Alex Dadgar Date: Fri, 1 Sep 2017 15:16:30 -0700 Subject: [PATCH 2/2] changelog --- CHANGELOG.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 443091f3f4e..4f5056eb4b1 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -16,6 +16,8 @@ BUG FIXES: another job [GH-3120] * cli: Fix setting of TLSServerName for node API Client. This fixes an issue of contacting nodes that are using TLS [GH-3127] + * client/template: Fix issue in which the template block could cause high load + on Vault when secret lease duration was less than the Vault grace [GH-3153] * driver/docker: Fix issue in which mounts could parse incorrectly [GH-3163] * driver/docker: Fix issue where potentially incorrect syslog server address is used [GH-3135]