mirror of
https://github.com/hashicorp/vault.git
synced 2025-08-21 14:41:09 +02:00
9afd5e52ae
Sometimes destroying resources in AWS will fail because of unexpected dependency violations or other such nonsense. When this happens the behavior of Vault that we wanted to verify has already been successfully accomplished, however the required workflow will fail. This change allows us to succeed if `enos scenario launch` completes but allows `enos scenario destroy` to fail. We still notify our slack channel on destroy failures so that we can investigate issues, however it won't require a PR author to retry. * Execute `enos scenario launch` instead of `enos scenario run` to allow for very occasional issues when tearing down test infrastructure. * Improve an error message when getting secondary cluster IP addresses. * Don't race to get secondary cluster IP addresses. * Add secondary token to replication scenario outputs. Signed-off-by: Ryan Cragun <me@ryan.ec>
56 lines
2.1 KiB
Bash
56 lines
2.1 KiB
Bash
#!/usr/bin/env bash
|
|
# Copyright (c) HashiCorp, Inc.
|
|
# SPDX-License-Identifier: BUSL-1.1
|
|
|
|
|
|
set -e
|
|
|
|
function fail() {
|
|
echo "$1" 1>&2
|
|
exit 1
|
|
}
|
|
|
|
[[ -z "$VAULT_ADDR" ]] && fail "VAULT_ADDR env variable has not been set"
|
|
[[ -z "$VAULT_INSTALL_DIR" ]] && fail "VAULT_INSTALL_DIR env variable has not been set"
|
|
[[ -z "$VAULT_INSTANCE_PRIVATE_IPS" ]] && fail "VAULT_INSTANCE_PRIVATE_IPS env variable has not been set"
|
|
[[ -z "$VAULT_LEADER_PRIVATE_IP" ]] && fail "VAULT_LEADER_PRIVATE_IP env variable has not been set"
|
|
[[ -z "$VAULT_TOKEN" ]] && fail "VAULT_TOKEN env variable has not been set"
|
|
|
|
binpath=${VAULT_INSTALL_DIR}/vault
|
|
test -x "$binpath" || fail "Unable to locate vault binary at $binpath"
|
|
|
|
count=0
|
|
retries=10
|
|
while :; do
|
|
# Vault >= 1.10.x has the operator members. If we have that then we'll use it.
|
|
if $binpath operator -h 2>&1 | grep members &> /dev/null; then
|
|
# Get the folllowers that are part of our private ips.
|
|
if members=$($binpath operator members -format json); then
|
|
if followers=$(echo "$members" | jq --argjson expected "$VAULT_INSTANCE_PRIVATE_IPS" -c '.Nodes | map(select(any(.; .active_node==false)) | .api_address | scan("[0-9]+.[0-9]+.[0-9]+.[0-9]+")) as $followers | $expected - ($expected - $followers)'); then
|
|
# Make sure that we got all the followers
|
|
if jq --argjson expected "$VAULT_INSTANCE_PRIVATE_IPS" --argjson followers "$followers" -ne '$expected | length as $el | $followers | length as $fl | $fl == $el-1' > /dev/null; then
|
|
echo "$followers"
|
|
exit 0
|
|
fi
|
|
fi
|
|
fi
|
|
else
|
|
# We're using an old version of vault so we'll just return ips that don't match the leader.
|
|
# Get the public ip addresses of the followers
|
|
if followers=$(jq --arg ip "$VAULT_LEADER_PRIVATE_IP" -c '. | map(select(.!=$ip))' <<< "$VAULT_INSTANCE_PRIVATE_IPS"); then
|
|
if [[ -n "$followers" ]]; then
|
|
echo "$followers"
|
|
exit 0
|
|
fi
|
|
fi
|
|
fi
|
|
|
|
wait=$((2 ** count))
|
|
count=$((count + 1))
|
|
if [ "$count" -lt "$retries" ]; then
|
|
sleep "$wait"
|
|
else
|
|
fail "Timed out trying to obtain the cluster followers"
|
|
fi
|
|
done
|