Add ability to retry vault token retrieval #442
Conversation
Sometimes we might encounter errors when retrieving the Vault token using a method like JWT. In those cases, the action does not retry the request today because the got package does not try POST requests by default. This change adds an option called retryVaultTokenRetrieval that will add the POST method to the retriable methods got uses. The post method is not used in any other place in this action, so having the POST method added to the defaultOptions seems okay for now.
When the retryVaultTokenRetrieval option is set in the action we will now see HTTP errors when retrieving the Vault token retried. This adds a test block to test the client.post that is performed during the token retrieval is retried on an HTTP error, like a 500.
|
|
|
Hey @wagnerm thanks for taking a jab at this issue!
I agree, I feel like the action should be resilient by itself and this is not something users should have to think about and opt into. I'd be keen to find a universal solution and drop the additional
As you already pointed out there are drawbacks to this. I'm worried this would have undesirable side-effects. POSTs should only be retried for specific situations, like here when trying to authenticate, but a blanket retry on all POST requests will surely bite us in the future.
This seems like the best solution to me. Retry the I don't think got's client options allow you to specify a retry strategy for specific paths so the most pragmatic solution is likely to wrap the token creation request in a small promise retry pattern. Hope it all make sense! |
@maxcoulombe My only reservation with this approach is that it seems like it would be reimplementation of some of the Alternatively we could simply alter the options we pass to the Basically I'm thinking about doing something this (please correct me or provide a suggestion because I'm not that well versed in js 😄): + // copy the defaultOptions so we don't mutate in case it is used later on the in Action.
+ let retrieveTokenClientOptions = JSON.parse(JSON.stringify(defaultOptions));
+ retrieveTokenClientOptions.retry.methods = [...got.defaults.options.retry.methods, 'POST'];
+ const vaultToken = await retrieveToken(vaultMethod, got.extend(retrieveTokenClientOptions));
- const vaultToken = await retrieveToken(vaultMethod, got.extend(defaultOptions));What do you think? |
This change adds the
retryVaultTokenRetrievaloption to the Action that will enable retries for retrieving the Vault token, via the HTTP error retries implemented by thegotpackage.The problem I'm encountering is that sometimes the vault token retrieval, via the JWT method, results in a HTTP error, mostly 500s, and these kind of errors are not retried in the current version of vault-action. vault-action simply fails and there's no mitigation. This appears to be because the
gotpackage, by default, does not retryPOSTrequest types.So the new
retryVaultTokenRetrievaloption adds thePOSTrequest to the set of request types thegotpackage will retry when the option is specified.Looking through the code, the vault token retrieval in
retrieveTokenis the only place where a POST request is performed, so the enablement of the option should only affect that function.Other options for implementation:
I'm not the biggest fan of the addition of this option and would rather the vault-action always retry failed vault token retrievals, but I'm unsure if the community would appreciate that change in strategy. Alternatively these are the options I've thought of that may or may not be more acceptable than this change. I'm open to opinions.
POSTrequests performed withinvault-actionand remove the optionretryVaultTokenRetrieval. This is a change in behavior that might result in addition Vault server load if retries are added by default.Basically the
POSTrequest type would be added to the defaultgotclient options.POSTrequests happening in this Action, we could refactor the way the client is initiated and passed toretrieveTokenso that only thePOSTrequests tried withingetClientTokenare retried.