PKI: Track last time auto tidy was run across restarts #28488
Conversation
stevendpclark
added
ui
secret/pki
backport/ent/1.16.x+ent
github-actions
bot
added
the
hashicorp-contributed-pr
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
|
Build Results: |
|
CI Results: |
| @@ -561,6 +579,108 @@ func pathTidyStatus(b *backend) *framework.Path { | |||
| } | |||
|
|
|||
| func pathConfigAutoTidy(b *backend) *framework.Path { | |||
| autoTidyResponseFields := map[string]*framework.FieldSchema{ | |||
There was a problem hiding this comment.
👏 Thank you for removing duplicate code!
There was a problem hiding this comment.
Ditto on this - thank you very much
builtin/logical/pki/path_tidy.go
Outdated
| @@ -571,6 +691,16 @@ func pathConfigAutoTidy(b *backend) *framework.Path { | |||
| Type: framework.TypeBool, | |||
| Description: `Set to true to enable automatic tidy operations.`, | |||
| }, | |||
| "min_startup_backoff_duration": { | |||
| Type: framework.TypeDurationSecond, | |||
| Description: `The minimum amount of time auto-tidy will be delayed after startup in seconds.`, | |||
There was a problem hiding this comment.
Maybe this sounds slightly better?
The minimum amount of time in seconds auto-tidy will be delayed after startup.
| @@ -561,6 +579,108 @@ func pathTidyStatus(b *backend) *framework.Path { | |||
| } | |||
|
|
|||
| func pathConfigAutoTidy(b *backend) *framework.Path { | |||
| autoTidyResponseFields := map[string]*framework.FieldSchema{ | |||
There was a problem hiding this comment.
Ditto on this - thank you very much
There was a problem hiding this comment.
Thank you so much for tackling the UI side of this. We really appreciate it 🏅 I left some comments/suggestions that are mostly UX related. Happy to pair or push up any of these changes if that's helpful.
The only concern is why the form test is missing an assertion. Since we want to make sure those attributes are being submitted properly.
ui/app/models/pki/tidy.js
Outdated
| // fields that are specific to auto-tidy, which should only show up when enabled. | ||
| get autoTidyEnabledFields() { | ||
| const enabledFields = [ | ||
| { 'Auto Tidy Startup Backoff': ['minStartupBackoffDuration', 'maxStartupBackoffDuration'] }, |
There was a problem hiding this comment.
I'm not sure we need these to be a separate group section in the form since it's just these two fields. Normally this would be where we'd consult design, but they're out this month... 😅
Do you feel like the header provides a UX benefit for the user? If not, then I think we can remove this since the form already has quite a few sections. I'm certainly not a PKI expert 😆 , but to me the separation doesn't seem necessary since these fields seem to relate to the interval_duration input, since they are all auto tidy settings. What do you think?
If this section grows, then in the future we could do some rearranging and label it more generally like "Auto tidy settings" or "Auto tidy configuration"
There was a problem hiding this comment.
I'd rather it be part of the same, but was trying to follow the trend :) I'll try to remove this.
There was a problem hiding this comment.
Oh yeah - I completely understand why you included it in a separate section! I'm honestly impressed you implemented the frontend piece so seamlessly 😄
ui/app/models/pki/tidy.js
Outdated
| return this._expandGroups(groups); | ||
| } | ||
|
|
||
| // fields that are specific to auto-tidy, which should only show up when enabled. |
There was a problem hiding this comment.
thank you for this comment! 🤩 If auto tidy is enabled, then disabled, will these settings be preserved? If so, then I might suggest renaming the getter to autoTidyConfigFields since the enabled toggle is more for display only purposes in the UI
There was a problem hiding this comment.
Will update to the proposed name, yes the values are preserved if auto-tidy is enabled/disabled.
ui/app/models/pki/tidy.js
Outdated
| const enabledFields = [ | ||
| { 'Auto Tidy Startup Backoff': ['minStartupBackoffDuration', 'maxStartupBackoffDuration'] }, | ||
| ]; | ||
| return this._expandGroups(enabledFields); |
There was a problem hiding this comment.
Depending on how you feel about the section header, there are a couple of options here. Either way, we already call this._expandGroups on all of the fields above and that function does a lot of iterating so we want to avoid calling it again, if possible. We can update this to just return the relevant fields, which also simplifies the template logic (in the .hbs file)!
I'd probably refactor this to be:
get autoTidyConfigFields() {
return ['minStartupBackoffDuration', 'maxStartupBackoffDuration']
}and then to avoid having to update these in multiple places in the future, reuse this in the allGroups getter:
get allGroups() {
const groups = [
{ autoTidy: ['enabled', 'intervalDuration', ...this.autoTidyConfigFields },
...this.sharedFields,
];
return this._expandGroups(groups);
}There was a problem hiding this comment.
Yup much better, implemented within 642e5fc
| minStartupBackoffDuration: string; | ||
| maxStartupBackoffDuration: string; |
There was a problem hiding this comment.
We actually don't need these here. The naming is confusing, but this is for the typescript function below handleTtl which is a single input that manages two params, interval_duration and enabled
We'd only need to add these if we wanted to do something similar and have these durations attached to a toggle (but I think how you've implemented, without the toggle, it is better)
There was a problem hiding this comment.
Oops yeah these were me playing around and forgetting to clean these up.
There was a problem hiding this comment.
Removed in 642e5fc
| @@ -1399,6 +1399,16 @@ const pki = { | |||
| 'Interval at which to run an auto-tidy operation. This is the time between tidy invocations (after one finishes to the start of the next). Running a manual tidy will reset this duration.', | |||
| fieldGroup: 'default', | |||
| }, | |||
| minStartupBackoffDuration: { | |||
There was a problem hiding this comment.
👏 👏 👏 thank you for updating these!
| @@ -175,13 +183,15 @@ module('Integration | Component | pki tidy form', function (hooks) { | |||
| }); | |||
|
|
|||
| test('it should change the attributes on the model', async function (assert) { | |||
| assert.expect(12); | |||
| assert.expect(11); | |||
There was a problem hiding this comment.
Hmmm. This is incorrect and should be 12 🤔 This likely means submitting the form is erroring and we're not hitting the post request below which is the twelfth assertion.
There was a problem hiding this comment.
Yup, good catch! Updated back to 12 and added the missing fields within the const fillInValues seems to have fixed it.
Implemented within 642e5fc
| this.server.post('/pki-auto-tidy/config/auto-tidy', (schema, req) => { | ||
| assert.propEqual( | ||
| JSON.parse(req.requestBody), | ||
| { | ||
| acme_account_safety_buffer: '72h', | ||
| enabled: true, | ||
| min_startup_backoff_duration: '5m', |
There was a problem hiding this comment.
For these to exist in the response, we need to input them in the form in the test. To do this, the const fillInValues on line 247 should include these (in seconds) so that the tests fills them in (line 260)
const fillInValues = {
issuerSafetyBuffer: 20,
pauseDuration: 30,
revocationQueueSafetyBuffer: 40,
safetyBuffer: 50,
minStartupBackoffDuration: 300,
maxStartupBackoffDuration: 900,
};I wonder if this is why the submit is failing (and therefore not hitting the post request)
- If the interval time for auto-tidy is longer then say a regularly scheduled restart of Vault, auto-tidy is never run. This is due to the time of the last run of tidy is only kept in memory and initialized on startup to the current time - Store the last run of any tidy, to maintain previous behavior, to a cluster local file, which is read in/initialized upon a mount initialization.
stevendpclark
force-pushed
the
stevendpclark/vault-30322-auto-tidy-across-nodes
branch
from
9531e50
to
e2c2074
Compare
Co-authored-by: claire bontempo <[email protected]>
…ple enabling auto tidy from duration, move params to auto settings section
| @attr('boolean', { | ||
| label: 'Automatic tidy enabled', | ||
| defaultValue: false, |
There was a problem hiding this comment.
removed defaults so these values are retrieved from backend, this way the frontend won't accidentally override values if they change
|
|
||
| @attr({ | ||
| label: 'Automatic tidy enabled', | ||
| labelDisabled: 'Automatic tidy disabled', | ||
| mapToBoolean: 'enabled', |
There was a problem hiding this comment.
decoupled this input from the enabled toggle so now it renders as its own TTL
| @@ -76,7 +96,7 @@ export default class PkiTidyModel extends Model { | |||
| }) | |||
| revocationQueueSafetyBuffer; // enterprise only | |||
|
|
|||
| @attr('string', { | |||
There was a problem hiding this comment.
removed 'string' types for ttls so we can pull default values seamlessly from API
| {{/if}} | ||
| {{#each @tidy.formFieldGroups as |fieldGroup|}} | ||
| {{#each-in fieldGroup as |group fields|}} | ||
| {{#if (or (eq @tidyType "manual") @tidy.enabled)}} |
There was a problem hiding this comment.
moved this outside the {{#each}} because it makes more sense there
| @@ -231,28 +274,23 @@ module('Integration | Component | pki tidy form', function (hooks) { | |||
| assert.false(this.autoTidy.tidyAcme, 'tidyAcme is false on model'); | |||
|
|
|||
| await click(PKI_TIDY_FORM.toggleInput('acmeAccountSafetyBuffer')); | |||
| await fillIn(PKI_TIDY_FORM.acmeAccountSafetyBuffer, 3); // units are days based on defaultValue | |||
| await fillIn(PKI_TIDY_FORM.acmeAccountSafetyBuffer, 2); // units are days based on defaultValue | |||
There was a problem hiding this comment.
changed because 3 days was too similar to the default (72h vs 720h) and made it seem like there was a ttl miscalculation
stevendpclark
removed
the
backport/ent/1.16.x+ent
|
Thanks everyone for the review feedback and a special thanks to @hellobontempo for the review feedback and helping out with the UI! |
stevendpclark
deleted the
stevendpclark/vault-30322-auto-tidy-across-nodes
branch
Description
Start persisting the last time we ran auto-tidy in order to not lose the information across restarts. If an auto-tidy schedule was set to run every 7 days, but there was a scheduled Vault restart every 6 days, auto-tidy would never run as the counter would be reset on restart.
We add in two new auto-tidy fields to control a possible thundering herd problem of having too many auto-tidy processes starting up at once.
min_startup_backoff_durationandmax_startup_backoff_durationfields with defaults of 5m and 15m respectively.The UI for auto-tidy has been updated, adding the two new fields to the auto-tidy configuration screen, the new fields are hidden if not enabled, as well as being displayed within the auto-tidy configuration view. They do not appear on the manual tidy screens.
TODO only if you're a HashiCorp employee
to N, N-1, and N-2, using the
backport/ent/x.x.x+entlabels. If this PR is in the CE repo, you should only backport to N, using thebackport/x.x.xlabel, not the enterprise labels.of a public function, even if that change is in a CE file, double check that
applying the patch for this PR to the ENT repo and running tests doesn't
break any tests. Sometimes ENT only tests rely on public functions in CE
files.
in the PR description, commit message, or branch name.
description. Also, make sure the changelog is in this PR, not in your ENT PR.