Make agent fail when getting unknown authority #4617
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…tries with spire server Signed-off-by: Marcos Yacob <marcos.yacob@hpe.com>
MarcosDY
requested review from
evan2645,
amartinezfayo,
azdagron and
rturner3
as code owners
evan2645
previously approved these changes
Nov 16, 2023
pkg/agent/manager/manager.go
Outdated
| @@ -285,6 +285,9 @@ func (m *manager) runSynchronizer(ctx context.Context) error { | |||
|
|
|||
| err := m.synchronize(ctx) | |||
| switch { | |||
| case nodeutil.IsUnknownAuthorityError(err): | |||
| m.c.Log.WithError(err).Info("Synchronize failed, non-recoverable error") | |||
| return fmt.Errorf("agent SVID is signed by unknow authority: %w", err) | |||
There was a problem hiding this comment.
Agent SVID or Server SVID?
I think the error message we print with %w is going to be roughly the same as this one? Does it include any add'l information? Maybe the string should be something like failed to sync with SPIRE Server: %w?
Signed-off-by: Marcos Yacob <marcos.yacob@hpe.com>
evan2645
approved these changes
Nov 28, 2023
faisal-memon
pushed a commit
to faisal-memon/spire
that referenced
this pull request
Dec 2, 2023
* Make agent crash when getting an unknown authority error when sync entries with spire server Signed-off-by: Marcos Yacob <marcos.yacob@hpe.com> Signed-off-by: Faisal Memon <fymemon@yahoo.com>
rushi47
pushed a commit
to rushi47/spire
that referenced
this pull request
Apr 11, 2024
* Make agent crash when getting an unknown authority error when sync entries with spire server Signed-off-by: Marcos Yacob <marcos.yacob@hpe.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Make agent fails when getting unknown authority trying to get authorized entries from spire-server.
This can happen when not using an upstream authority and the server crashes.
If the server crashes, and it is no able to load previous bundles, Server will sign new authorities. In this case, the agent will still have an agent SVID using the old bundle, and communication will be broken for ever.