consul/agent/structs/errors.go

// Copyright (c) HashiCorp, Inc.
// SPDX-License-Identifier: BUSL-1.1

package structs

import (
	"errors"
	"strings"
)

const (
	errNoLeader                   = "No cluster leader"
	errNoDCPath                   = "No path to datacenter"
	errDCNotAvailable             = "Remote DC has no server currently reachable"
	errNoServers                  = "No known Consul servers"
	errNotReadyForConsistentReads = "Not ready to serve consistent reads"
	errSegmentsNotSupported       = "Network segments are not supported in this version of Consul"
	errRPCRateExceeded            = "RPC rate limit exceeded"
	errServiceNotFound            = "Service not found: "
	errQueryNotFound              = "Query not found"
	errLeaderNotTracked           = "Raft leader not found in server lookup mapping"
	errConnectNotEnabled          = "Connect must be enabled in order to use this endpoint"
	errRateLimited                = "Rate limit reached, try again later" // Note: we depend on this error message in the gRPC ConnectCA.Sign endpoint (see: isRateLimitError).
	errNotPrimaryDatacenter       = "not the primary datacenter"
	errStateReadOnly              = "CA Provider State is read-only"
	errUsingV2CatalogExperiment   = "V1 catalog is disabled when V2 is enabled"
)

var (
	ErrNoLeader                   = errors.New(errNoLeader)
	ErrNoDCPath                   = errors.New(errNoDCPath)
	ErrNoServers                  = errors.New(errNoServers)
	ErrNotReadyForConsistentReads = errors.New(errNotReadyForConsistentReads)
	ErrSegmentsNotSupported       = errors.New(errSegmentsNotSupported)
	ErrRPCRateExceeded            = errors.New(errRPCRateExceeded)
	ErrDCNotAvailable             = errors.New(errDCNotAvailable)
	ErrQueryNotFound              = errors.New(errQueryNotFound)
	ErrLeaderNotTracked           = errors.New(errLeaderNotTracked)
	ErrConnectNotEnabled          = errors.New(errConnectNotEnabled)
	ErrRateLimited                = errors.New(errRateLimited) // Note: we depend on this error message in the gRPC ConnectCA.Sign endpoint (see: isRateLimitError).
	ErrNotPrimaryDatacenter       = errors.New(errNotPrimaryDatacenter)
	ErrStateReadOnly              = errors.New(errStateReadOnly)
	ErrUsingV2CatalogExperiment   = errors.New(errUsingV2CatalogExperiment)
)

func IsErrNoDCPath(err error) bool {
	return err != nil && strings.Contains(err.Error(), errNoDCPath)
}

func IsErrQueryNotFound(err error) bool {
	return err != nil && strings.Contains(err.Error(), errQueryNotFound)
}

func IsErrNoLeader(err error) bool {
	return err != nil && strings.Contains(err.Error(), errNoLeader)
}

func IsErrRPCRateExceeded(err error) bool {
	return err != nil && strings.Contains(err.Error(), errRPCRateExceeded)
}

func IsErrServiceNotFound(err error) bool {
	return err != nil && strings.Contains(err.Error(), errServiceNotFound)
}

func IsErrUsingV2CatalogExperiment(err error) bool {
	return err != nil && strings.Contains(err.Error(), errUsingV2CatalogExperiment)
}
copyright headers for agent folder (#16704) * copyright headers for agent folder * Ignore test data files * fix proto files and remove headers in agent/uiserver folder * ignore deep-copy files 2023-03-28 18:39:22 +00:00			`// Copyright (c) HashiCorp, Inc.`
[COMPLIANCE] License changes (#18443) * Adding explicit MPL license for sub-package This directory and its subdirectories (packages) contain files licensed with the MPLv2 `LICENSE` file in this directory and are intentionally licensed separately from the BSL `LICENSE` file at the root of this repository. * Adding explicit MPL license for sub-package This directory and its subdirectories (packages) contain files licensed with the MPLv2 `LICENSE` file in this directory and are intentionally licensed separately from the BSL `LICENSE` file at the root of this repository. * Updating the license from MPL to Business Source License Going forward, this project will be licensed under the Business Source License v1.1. Please see our blog post for more details at <Blog URL>, FAQ at www.hashicorp.com/licensing-faq, and details of the license at www.hashicorp.com/bsl. * add missing license headers * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 --------- Co-authored-by: hashicorp-copywrite[bot] <110428419+hashicorp-copywrite[bot]@users.noreply.github.com> 2023-08-11 13:12:13 +00:00			`// SPDX-License-Identifier: BUSL-1.1`
copyright headers for agent folder (#16704) * copyright headers for agent folder * Ignore test data files * fix proto files and remove headers in agent/uiserver folder * ignore deep-copy files 2023-03-28 18:39:22 +00:00
Adds simple rate limiting for client agent RPC calls to Consul servers. (#3440) * Added rate limiting for agent RPC calls. * Initializes the rate limiter based on the config. * Adds the rate limiter into the snapshot RPC path. * Adds unit tests for the RPC rate limiter. * Groups the RPC limit parameters under "limits" in the config. * Adds some documentation about the RPC limiter. * Sends a 429 response when the rate limiter kicks in. * Adds docs for new telemetry. * Makes snapshot telemetry look like RPC telemetry and cleans up comments. 2017-09-01 22:02:50 +00:00			`package structs`

			`import (`
			`"errors"`
			`"strings"`
			`)`

			`const (`
			`errNoLeader = "No cluster leader"`
			`errNoDCPath = "No path to datacenter"`
Distinguish between DC not existing and not being available (#6399) 2019-09-03 15:46:24 +00:00			`errDCNotAvailable = "Remote DC has no server currently reachable"`
Adds simple rate limiting for client agent RPC calls to Consul servers. (#3440) * Added rate limiting for agent RPC calls. * Initializes the rate limiter based on the config. * Adds the rate limiter into the snapshot RPC path. * Adds unit tests for the RPC rate limiter. * Groups the RPC limit parameters under "limits" in the config. * Adds some documentation about the RPC limiter. * Sends a 429 response when the rate limiter kicks in. * Adds docs for new telemetry. * Makes snapshot telemetry look like RPC telemetry and cleans up comments. 2017-09-01 22:02:50 +00:00			`errNoServers = "No known Consul servers"`
			`errNotReadyForConsistentReads = "Not ready to serve consistent reads"`
			`errSegmentsNotSupported = "Network segments are not supported in this version of Consul"`
			`errRPCRateExceeded = "RPC rate limit exceeded"`
Implement /v1/agent/health/service/<service name> endpoint (#3551) This endpoint aggregates all checks related to <service id> on the agent and return an appropriate http code + the string describing the worst check. This allows to cleanly expose service status to other component, hiding complexity of multiple checks. This is especially useful to use consul to feed a load balancer which would delegate health checking to consul agent. Exposing this endpoint on the agent is necessary to avoid a hit on consul servers and avoid decreasing resiliency (this endpoint will work even if there is no consul leader in the cluster). 2019-01-07 14:39:23 +00:00			`errServiceNotFound = "Service not found: "`
DNS: add IsErrQueryNotFound function for easier error evaluation 2020-07-01 00:49:13 +00:00			`errQueryNotFound = "Query not found"`
Special case the error returned when we have a Raft leader but are not tracking it in the ServerLookup (#9487) This can happen when one other node in the cluster such as a client is unable to communicate with the leader server and sees it as failed. When that happens its failing status eventually gets propagated to the other servers in the cluster and eventually this can result in RPCs returning “No cluster leader” error. That error is misleading and unhelpful for determing the root cause of the issue as its not raft stability but rather and client -> server networking issue. Therefore this commit will add a new error that will be returned in that case to differentiate between the two cases. 2021-01-04 19:05:23 +00:00			`errLeaderNotTracked = "Raft leader not found in server lookup mapping"`
xds controller: setup watches for and compute leaf cert references in ProxyStateTemplate, and wire up leaf cert manager dependency (#18756) * Refactors the leafcert package to not have a dependency on agent/consul and agent/cache to avoid import cycles. This way the xds controller can just import the leafcert package to use the leafcert manager. The leaf cert logic in the controller: * Sets up watches for leaf certs that are referenced in the ProxyStateTemplate (which generates the leaf certs too). * Gets the leaf cert from the leaf cert cache * Stores the leaf cert in the ProxyState that's pushed to xds * For the cert watches, this PR also uses a bimapper + a thin wrapper to map leaf cert events to related ProxyStateTemplates Since bimapper uses a resource.Reference or resource.ID to map between two resource types, I've created an internal type for a leaf certificate to use for the resource.Reference, since it's not a v2 resource. The wrapper allows mapping events to resources (as opposed to mapping resources to resources) The controller tests: Unit: Ensure that we resolve leaf cert references Lifecycle: Ensure that when the CA is updated, the leaf cert is as well Also adds a new spiffe id type, and adds workload identity and workload identity URI to leaf certs. This is so certs are generated with the new workload identity based SPIFFE id. * Pulls out some leaf cert test helpers into a helpers file so it can be used in the xds controller tests. * Wires up leaf cert manager dependency * Support getting token from proxytracker * Add workload identity spiffe id type to the authorize and sign functions --------- Co-authored-by: John Murret <john.murret@hashicorp.com> 2023-09-12 19:56:43 +00:00			`errConnectNotEnabled = "Connect must be enabled in order to use this endpoint"`
			`errRateLimited = "Rate limit reached, try again later" // Note: we depend on this error message in the gRPC ConnectCA.Sign endpoint (see: isRateLimitError).`
			`errNotPrimaryDatacenter = "not the primary datacenter"`
			`errStateReadOnly = "CA Provider State is read-only"`
server: when the v2 catalog experiment is enabled reject api and rpc requests that are for the v1 catalog (#19129) When the v2 catalog experiment is enabled the old v1 catalog apis will be forcibly disabled at both the API (json) layer and the RPC (msgpack) layer. This will also disable anti-entropy as it uses the v1 api. This includes all of /v1/catalog/, /v1/health/, most of /v1/agent/, /v1/config/, and most of /v1/internal/*. 2023-10-11 15:44:03 +00:00			`errUsingV2CatalogExperiment = "V1 catalog is disabled when V2 is enabled"`
Adds simple rate limiting for client agent RPC calls to Consul servers. (#3440) * Added rate limiting for agent RPC calls. * Initializes the rate limiter based on the config. * Adds the rate limiter into the snapshot RPC path. * Adds unit tests for the RPC rate limiter. * Groups the RPC limit parameters under "limits" in the config. * Adds some documentation about the RPC limiter. * Sends a 429 response when the rate limiter kicks in. * Adds docs for new telemetry. * Makes snapshot telemetry look like RPC telemetry and cleans up comments. 2017-09-01 22:02:50 +00:00			`)`

			`var (`
			`ErrNoLeader = errors.New(errNoLeader)`
			`ErrNoDCPath = errors.New(errNoDCPath)`
			`ErrNoServers = errors.New(errNoServers)`
			`ErrNotReadyForConsistentReads = errors.New(errNotReadyForConsistentReads)`
			`ErrSegmentsNotSupported = errors.New(errSegmentsNotSupported)`
			`ErrRPCRateExceeded = errors.New(errRPCRateExceeded)`
Distinguish between DC not existing and not being available (#6399) 2019-09-03 15:46:24 +00:00			`ErrDCNotAvailable = errors.New(errDCNotAvailable)`
DNS: add IsErrQueryNotFound function for easier error evaluation 2020-07-01 00:49:13 +00:00			`ErrQueryNotFound = errors.New(errQueryNotFound)`
Special case the error returned when we have a Raft leader but are not tracking it in the ServerLookup (#9487) This can happen when one other node in the cluster such as a client is unable to communicate with the leader server and sees it as failed. When that happens its failing status eventually gets propagated to the other servers in the cluster and eventually this can result in RPCs returning “No cluster leader” error. That error is misleading and unhelpful for determing the root cause of the issue as its not raft stability but rather and client -> server networking issue. Therefore this commit will add a new error that will be returned in that case to differentiate between the two cases. 2021-01-04 19:05:23 +00:00			`ErrLeaderNotTracked = errors.New(errLeaderNotTracked)`
xds controller: setup watches for and compute leaf cert references in ProxyStateTemplate, and wire up leaf cert manager dependency (#18756) * Refactors the leafcert package to not have a dependency on agent/consul and agent/cache to avoid import cycles. This way the xds controller can just import the leafcert package to use the leafcert manager. The leaf cert logic in the controller: * Sets up watches for leaf certs that are referenced in the ProxyStateTemplate (which generates the leaf certs too). * Gets the leaf cert from the leaf cert cache * Stores the leaf cert in the ProxyState that's pushed to xds * For the cert watches, this PR also uses a bimapper + a thin wrapper to map leaf cert events to related ProxyStateTemplates Since bimapper uses a resource.Reference or resource.ID to map between two resource types, I've created an internal type for a leaf certificate to use for the resource.Reference, since it's not a v2 resource. The wrapper allows mapping events to resources (as opposed to mapping resources to resources) The controller tests: Unit: Ensure that we resolve leaf cert references Lifecycle: Ensure that when the CA is updated, the leaf cert is as well Also adds a new spiffe id type, and adds workload identity and workload identity URI to leaf certs. This is so certs are generated with the new workload identity based SPIFFE id. * Pulls out some leaf cert test helpers into a helpers file so it can be used in the xds controller tests. * Wires up leaf cert manager dependency * Support getting token from proxytracker * Add workload identity spiffe id type to the authorize and sign functions --------- Co-authored-by: John Murret <john.murret@hashicorp.com> 2023-09-12 19:56:43 +00:00			`ErrConnectNotEnabled = errors.New(errConnectNotEnabled)`
			`ErrRateLimited = errors.New(errRateLimited) // Note: we depend on this error message in the gRPC ConnectCA.Sign endpoint (see: isRateLimitError).`
			`ErrNotPrimaryDatacenter = errors.New(errNotPrimaryDatacenter)`
			`ErrStateReadOnly = errors.New(errStateReadOnly)`
server: when the v2 catalog experiment is enabled reject api and rpc requests that are for the v1 catalog (#19129) When the v2 catalog experiment is enabled the old v1 catalog apis will be forcibly disabled at both the API (json) layer and the RPC (msgpack) layer. This will also disable anti-entropy as it uses the v1 api. This includes all of /v1/catalog/, /v1/health/, most of /v1/agent/, /v1/config/, and most of /v1/internal/*. 2023-10-11 15:44:03 +00:00			`ErrUsingV2CatalogExperiment = errors.New(errUsingV2CatalogExperiment)`
Adds simple rate limiting for client agent RPC calls to Consul servers. (#3440) * Added rate limiting for agent RPC calls. * Initializes the rate limiter based on the config. * Adds the rate limiter into the snapshot RPC path. * Adds unit tests for the RPC rate limiter. * Groups the RPC limit parameters under "limits" in the config. * Adds some documentation about the RPC limiter. * Sends a 429 response when the rate limiter kicks in. * Adds docs for new telemetry. * Makes snapshot telemetry look like RPC telemetry and cleans up comments. 2017-09-01 22:02:50 +00:00			`)`

DNS: fix agent returning SERVFAIL where NXDOMAIN should be returned 2020-06-30 22:03:31 +00:00			`func IsErrNoDCPath(err error) bool {`
			`return err != nil && strings.Contains(err.Error(), errNoDCPath)`
			`}`

DNS: add IsErrQueryNotFound function for easier error evaluation 2020-07-01 00:49:13 +00:00			`func IsErrQueryNotFound(err error) bool {`
			`return err != nil && strings.Contains(err.Error(), errQueryNotFound)`
			`}`

Makes RPC handling more robust when rolling servers. (#3561) * Adds client-side retry for no leader errors. This paves over the case where the client was connected to the leader when it loses leadership. * Adds a configurable server RPC drain time and a fail-fast path for RPCs. When a server leaves it gets removed from the Raft configuration, so it will never know who the new leader server ends up being. Without this we'd be doomed to wait out the RPC hold timeout and then fail. This makes things fail a little quicker while a sever is draining, and since we added a client retry AND since the server doing this has already shut down and left the Serf LAN, clients should retry against some other server. * Makes the RPC hold timeout configurable. * Reorders struct members. * Sets the RPC hold timeout default for test servers. * Bumps the leave drain time up to 5 seconds. * Robustifies retries with a simpler client-side RPC hold. * Reverts untended delete. 2017-10-10 22:19:50 +00:00			`func IsErrNoLeader(err error) bool {`
			`return err != nil && strings.Contains(err.Error(), errNoLeader)`
			`}`

Adds simple rate limiting for client agent RPC calls to Consul servers. (#3440) * Added rate limiting for agent RPC calls. * Initializes the rate limiter based on the config. * Adds the rate limiter into the snapshot RPC path. * Adds unit tests for the RPC rate limiter. * Groups the RPC limit parameters under "limits" in the config. * Adds some documentation about the RPC limiter. * Sends a 429 response when the rate limiter kicks in. * Adds docs for new telemetry. * Makes snapshot telemetry look like RPC telemetry and cleans up comments. 2017-09-01 22:02:50 +00:00			`func IsErrRPCRateExceeded(err error) bool {`
Makes RPC handling more robust when rolling servers. (#3561) * Adds client-side retry for no leader errors. This paves over the case where the client was connected to the leader when it loses leadership. * Adds a configurable server RPC drain time and a fail-fast path for RPCs. When a server leaves it gets removed from the Raft configuration, so it will never know who the new leader server ends up being. Without this we'd be doomed to wait out the RPC hold timeout and then fail. This makes things fail a little quicker while a sever is draining, and since we added a client retry AND since the server doing this has already shut down and left the Serf LAN, clients should retry against some other server. * Makes the RPC hold timeout configurable. * Reorders struct members. * Sets the RPC hold timeout default for test servers. * Bumps the leave drain time up to 5 seconds. * Robustifies retries with a simpler client-side RPC hold. * Reverts untended delete. 2017-10-10 22:19:50 +00:00			`return err != nil && strings.Contains(err.Error(), errRPCRateExceeded)`
Adds simple rate limiting for client agent RPC calls to Consul servers. (#3440) * Added rate limiting for agent RPC calls. * Initializes the rate limiter based on the config. * Adds the rate limiter into the snapshot RPC path. * Adds unit tests for the RPC rate limiter. * Groups the RPC limit parameters under "limits" in the config. * Adds some documentation about the RPC limiter. * Sends a 429 response when the rate limiter kicks in. * Adds docs for new telemetry. * Makes snapshot telemetry look like RPC telemetry and cleans up comments. 2017-09-01 22:02:50 +00:00			`}`
Implement /v1/agent/health/service/<service name> endpoint (#3551) This endpoint aggregates all checks related to <service id> on the agent and return an appropriate http code + the string describing the worst check. This allows to cleanly expose service status to other component, hiding complexity of multiple checks. This is especially useful to use consul to feed a load balancer which would delegate health checking to consul agent. Exposing this endpoint on the agent is necessary to avoid a hit on consul servers and avoid decreasing resiliency (this endpoint will work even if there is no consul leader in the cluster). 2019-01-07 14:39:23 +00:00
			`func IsErrServiceNotFound(err error) bool {`
			`return err != nil && strings.Contains(err.Error(), errServiceNotFound)`
			`}`
server: when the v2 catalog experiment is enabled reject api and rpc requests that are for the v1 catalog (#19129) When the v2 catalog experiment is enabled the old v1 catalog apis will be forcibly disabled at both the API (json) layer and the RPC (msgpack) layer. This will also disable anti-entropy as it uses the v1 api. This includes all of /v1/catalog/, /v1/health/, most of /v1/agent/, /v1/config/, and most of /v1/internal/*. 2023-10-11 15:44:03 +00:00
			`func IsErrUsingV2CatalogExperiment(err error) bool {`
			`return err != nil && strings.Contains(err.Error(), errUsingV2CatalogExperiment)`
			`}`