Enable VSecM Sentinel Init Command to Wait Until VSecM Safe is Healthy #577
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Enable VSecM Sentinel Init Command to Wait Until VSecM Safe is Healthy
Description
Until now, VSecM Sentinel init command stanza was executing as soon as VSecM Sentinel booted up. That resulted a race condition because it was highly likely that VSecM Safe was not ready to receive messages yet. We solved out this as introducing the
sleep:
pragma as a temporary hack:For example
sleep:30000
would instruct VSecM Sentinel to wait 30 more seconds before running the init scripts; which saves the day but is suboptimal.This PR makes VSecM Sentinel try acquiring an identity from the workload API (hence ensure that VSecM Safe is in good shape) before proceeding with the rest of the commands.
This still is “not” enough, but gives a very optimistic guarantee that by the time Sentinel fetches and ID, Safe will already be ready. — That is a step in the right direction.
As a follow-up PR, I’ll enable a direct health check that will call a
/health
endpoint of VSecM Safe to 100% ensure that VSecM Safe is ready before proceeding — but I wanted to get this in first.Changes
List the major changes you have made in bullet points:
RunInitCommands()
that waits for the workload API to be ready, and gives up after a timeout (default 300secs)Test Policy Compliance
Unit tests need to be added, I haven’t added them.
Code Quality
to understand.
Documentation
Checklist
Before you submit this PR, please make sure:
especially the test policy.
under the project’s license.
By submitting this pull request, you confirm that my contribution is made under
the terms of the project’s license and that you have the authority to grant
these rights.
Thank you for your contribution to VMware Secrets Manager
🐢⚡️!