diff --git a/command/agentproxyshared/cache/static_secret_cache_updater.go b/command/agentproxyshared/cache/static_secret_cache_updater.go
index 14ac736ba1..fbae0f3f24 100644
--- a/command/agentproxyshared/cache/static_secret_cache_updater.go
+++ b/command/agentproxyshared/cache/static_secret_cache_updater.go
@@ -115,7 +115,7 @@ func (updater *StaticSecretCacheUpdater) streamStaticSecretEvents(ctx context.Co
 updater.client.SetToken(updater.tokenSink.(sink.SinkReader).Token())
 conn, err := updater.openWebSocketConnection(ctx)
 if err != nil {
- return fmt.Errorf("error when opening event stream: %w", err)
+ return err
 }
 defer conn.Close(websocket.StatusNormalClosure, "")
@@ -337,8 +337,8 @@ func (updater *StaticSecretCacheUpdater) openWebSocketConnection(ctx context.Con
 // We do ten attempts, to ensure we follow forwarding to the leader.
 var conn *websocket.Conn
+ var resp *http.Response
 for attempt := 0; attempt < 10; attempt++ {
- var resp *http.Response
 conn, resp, err = websocket.Dial(ctx, wsURL, &websocket.DialOptions{
 HTTPClient: httpClient,
 HTTPHeader: headers,
@@ -359,8 +359,13 @@ func (updater *StaticSecretCacheUpdater) openWebSocketConnection(ctx context.Con
 }
 if err != nil {
+ if resp != nil {
+ if resp.StatusCode == http.StatusNotFound {
+ return nil, fmt.Errorf("received 404 when opening web socket to %s, ensure Vault is Enterprise version 1.16 or above", wsURL)
+ }
+ }
 return nil, fmt.Errorf("error returned when opening event stream web socket to %s, ensure auto-auth token"+
- " has correct permissions and Vault is version 1.16 or above: %w", wsURL, err)
+ " has correct permissions and Vault is Enterprise version 1.16 or above: %w", wsURL, err)
 }
 if conn == nil {
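Review bot: The new 404 branch inside `if err != nil` returns an error whose format string has no `%w`, so the underlying dial error is dropped and callers can no longer see it or match it with `errors.Is`/`errors.As`. Keep the cause the way the generic message just below does, and fold the two nested checks into one: `if resp != nil && resp.StatusCode == http.StatusNotFound {` returning `fmt.Errorf("received 404 when opening web socket to %s, ensure Vault is Enterprise version 1.16 or above: %w", wsURL, err)`. A 404 can presumably also come from a wrong address or an intermediary in front of Vault, so the original error text helps an operator tell those cases apart from a Community Edition server. openWebSocketConnection starts and ends outside this hunk.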
@@ -408,7 +413,7 @@ tokenLoop:
 }
 err := updater.streamStaticSecretEvents(ctx)
 if err != nil {
- updater.logger.Warn("error occurred during streaming static secret cache update events:", err)
+ updater.logger.Error("error occurred during streaming static secret cache update events", "err", err)
 shouldBackoff = true
 continue
 }
diff --git a/command/agentproxyshared/cache/static_secret_cache_updater_test.go b/command/agentproxyshared/cache/static_secret_cache_updater_test.go
index 8824df1d95..f77ad4168a 100644
--- a/command/agentproxyshared/cache/static_secret_cache_updater_test.go
+++ b/command/agentproxyshared/cache/static_secret_cache_updater_test.go
@@ -135,11 +135,9 @@ func TestNewStaticSecretCacheUpdater(t *testing.T) {
 }
 // TestOpenWebSocketConnection tests that the openWebSocketConnection function
-// works as expected. This uses a TLS enabled (wss) WebSocket connection.
+// works as expected (fails on CE, succeeds on ent).
+// This uses a TLS enabled (wss) WebSocket connection.
 func TestOpenWebSocketConnection(t *testing.T) {
- if !constants.IsEnterprise {
- t.Skip("test can only run on enterprise due to requiring the event notification system")
- }
 t.Parallel()
 // We need a valid cluster for the connection to succeed.
 cluster := minimal.NewTestSoloCluster(t, nil)
@@ -149,10 +147,13 @@ func TestOpenWebSocketConnection(t *testing.T) {
 updater.tokenSink.WriteToken(client.Token())
 conn, err := updater.openWebSocketConnection(context.Background())
- if err != nil {
- t.Fatal(err)
+ if constants.IsEnterprise {
+ require.NoError(t, err)
+ require.NotNil(t, conn)
+ } else {
+ require.Nil(t, conn)
+ require.Errorf(t, err, "ensure Vault is Enterprise version 1.16 or above")
 }
- require.NotNil(t, conn)
 }
 // TestOpenWebSocketConnectionReceivesEventsDefaultMount tests that the openWebSocketConnection function
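Review bot: This branch treats every stream error as transient: it sets `shouldBackoff = true` and `continue`s. As far as the hunk shows, the permanent "not Enterprise" 404 now returned by openWebSocketConnection would therefore be retried and logged at Error level on every pass. Consider returning a package-level sentinel from the 404 path (for example `errEventsUnsupported`; the name is only a suggestion) and checking it here with `errors.Is(err, errEventsUnsupported)`, so the updater logs once and stops or falls back to a much longer interval. The rest of tokenLoop and the backoff logic are outside the hunk, so confirm how often the retry actually fires before choosing between the two.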
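Review bot: In the last hunk of the test file, `require.Errorf(t, err, "ensure Vault is Enterprise version 1.16 or above")` only asserts that `err` is non-nil. Its string argument is the failure-message format, not an expected substring, so the CE branch passes on any error, including a permission or TLS failure unrelated to the new 404 handling. Use `require.ErrorContains(t, err, "ensure Vault is Enterprise version 1.16 or above")` to pin the message this commit introduces. TestOpenWebSocketConnection begins before this hunk.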