-
Notifications
You must be signed in to change notification settings - Fork 486
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fetch agent selectors when refreshing event based cache #4803
Conversation
Signed-off-by: Sorin Dumitru <sdumitru@bloomberg.net>
2894186
to
8d6ed6d
Compare
Signed-off-by: Sorin Dumitru <sdumitru@bloomberg.net>
Signed-off-by: Sorin Dumitru <sdumitru@bloomberg.net>
8d6ed6d
to
5529949
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Good catch! Thanks for opening, @sorindumitru !
I don't think we need all the changes related to the fake data store though. Let's just always configure it to populate the events tables.
log, _ := test.NewNullLogger() | ||
|
||
ds := sql.New(log, false) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Let's just set this to true since all it influences is whether or not the events table gets populated based on database changes.
This reverts commit 838eaf2. Signed-off-by: Sorin Dumitru <sdumitru@bloomberg.net>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
\o/
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think you forgot to update the fakedatastore to unconditionally pass true to enable the events based cache support after reverting the other changes.
Signed-off-by: Andrew Harding <azdagron@gmail.com>
Fixed it. |
When should we expect this to be merged? We hit a similar issue and are hoping to cherry-pick this patch from |
As soon as CI/CD passes. Unrelated failures abound. |
Thanks for taking care of that, looks like I forgot to actually commit those changes 😬 |
Signed-off-by: Sorin Dumitru <sdumitru@bloomberg.net> Signed-off-by: Faisal Memon <fymemon@yahoo.com>
Signed-off-by: Sorin Dumitru <sdumitru@bloomberg.net>
Signed-off-by: Sorin Dumitru <sdumitru@bloomberg.net>
Pull Request check list
Affected functionality
spire-server: starting with 1.8.7 when event based cache is enabled
Description of change
The event based cache doesn't properly refersh the attested agent/node. It fetches the list of updated agents but does not fetch the selector list for them. This leads to issues if you add a node alias for a new agent (attested after the initial cache population which handles the selectors ok); due to the lack of selectors in the cached agent entry it won't be able to determine that it is also authorized for that new alias. Workload registration entries parented to that node alias will not appear in the authorized entries list for the agent.
The fix for this is easy, also fetch the selectors after fetching the attested node information. If anyone can shed some light as to why the API works like that, it would be good since it does seem a bit error prone.