Watch config file for token changes #3418
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
dangra
approved these changes
Apr 2, 2024
|
I'm going to sit on this for another day or two to see if the nats PR merges. |
btoews
force-pushed
the
watch-config
branch
5 times, most recently
from
d3846a9 to
0bef372
Compare
This required forking NATS. I'm trying to get the changes upstreamed in nats-io/nats.go#1599
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Change Summary
What and Why:
The macaroons that flyctl gets have a short lifespan. Commands with
RequireSessionrefresh macaroons that are about to expire before the command runs. Similarly, the agent checks every minute if macaroons need to be refreshed soon. This setup works great for commands that run quickly, but I've had some slower deploys fail because my macaroons expired partway through. I've also had issues with long runningfly logswhere the NATS client has to reconnect but no longer has a valid token. This PR fixes that.How:
This PR adds an API for watching for changes to the config file. Both the agent and other commands load changes to auth tokens that are written to the config. The agent still checks periodically if tokens need to be updated, and writes those updates to the config. This way, a long running command will start using the new macaroons that were refreshed by the running agent.
I had to submit a PR to the NATS library to allow dynamically changing tokens to be used when reconnecting after an error. I'm hoping nats-io/nats.go#1599 will merge soon so I don't need to point flyctl at my fork.
Related to:
Documentation