-
Notifications
You must be signed in to change notification settings - Fork 4.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add dr-token Flag to Autopilot CLI #21165
Conversation
@@ -138,6 +155,10 @@ func (c *OperatorRaftAutopilotSetConfigCommand) Run(args []string) int { | |||
data["disable_upgrade_migration"] = c.flagDisableUpgradeMigration.Get() | |||
} | |||
|
|||
if c.flagDRToken != "" { | |||
client.SetToken(c.flagDRToken) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm curious about this pattern of using client.SetToken()
for passing along the DR token. If this works, why not use it for the state and get config endpoints too, instead of creating special methods for them?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I haven't verified it, but the fact that DR operation tokens are their own parameters to API calls makes me dubious that this works.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I had a similar thought/questions. And from looking into the code and the original change to do it that way (#10856) It still wasn't very clear to me. Perhaps @vishalnayak might be able to provide some light, since they made the original change (albeit a while back).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It's not clear to me that this is a valid pattern. I would prefer if this was done in a similar style to how it's done for other raft commands that support a -dr-token
flag, e.g. list-peers.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I understand what you are saying now. I will work on that 👍
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nevermind 🤦 . I can see from your terminal example above that it must be valid, otherwise passing in the DR operation token via VAULT_TOKEN
wouldn't have worked. It seems confusing that we support that way of using DR operation tokens, but many places in our documentation shows explicitly passing them in via their own parameter. 🤷
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
So I looked at this a bit more and it looks like this is where we set a DR token (if passed through), or default to the ClientToken. https://github.com/hashicorp/vault-enterprise/blob/main/vault/replication_api_ent.go#L803-L808. I think you are correct that it is probably better to set this token explicitly, rather than just set a client token (since this looks like it is already built in). I went ahead and pushed that commit for you to review.
Build Results: |
CI Results: |
For other operator commands such as list-peers we support a
-dr-token
flag:For autopilot commands, though, you have to pass it in via
VAULT_TOKEN
:These changes will allow the token to be passed via flag, as well as maintaining the
VAULT_TOKEN
env variable method