Raise Error on 4XX and 5XX HTTP responses from Openbao

Note

  • Most of the changes in the diffs in this MR are a refactoring/renaming of a variable.

Why this MR?

  • Currently, when an Openbao response has a 4XX or 5XX HTTP status code, we are NOT raising any error and the connection stays alive
  • In production, this caused an issue where secrets manager provisioning for a project was shown as succeeded even when the Openbao server was down. See this comment for more details
  • To make sure we do NOT miss any error responses from Openbao, we need to raise errors for all 4XX and 5XX status codes and handle each case individually according to the specific domain case
  • The Faraday gem does NOT raise an error automatically on 4XX and 5XX status codes, so we use the raise_error middleware
  • Also, in SecretsManagerClient#make_request we have a keyword argument that determines if we should NOT raise an error on a 404 NOT FOUND response from Openbao. This keyword was incorrectly named optional, which was confusing. We need to rename it to a more correct name

What does this MR do?

  • Use the raise_error middleware in the Faraday connection to raise errors on all 4XX and 5XX responses from Openbao
  • Allow 404 responses, as we have a few requests where this is permitted. See here
  • Rename the boolean keyword argument in the make_request method from optional to a more accurate name, allow_not_found_response
  • Added unit tests

How to validate locally

  • Check out this branch locally and run the tests in secrets_manager_client_spec - context 'when Openbao responds with a 5XX status code'

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Jayakrishnan Mallissery
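
The fail-open behaviour described above, as an added example that is not code from this MR or from GitLab: a stdlib-only Ruby model (no Faraday) of a client that ignores the status code beside one that raises on 4XX/5XX with an explicit 404 allowance. `ClientModel`, `OpenbaoError`, `FakeResponse`, `provision` and the request path are hypothetical; only `make_request` and `allow_not_found_response` are names from the description.

```ruby
# Added example: stdlib-only model, not GitLab or Faraday code.
FakeResponse = Struct.new(:status, :body)   # constructed stand-in for an HTTP response

class OpenbaoError < StandardError          # hypothetical error class
  attr_reader :status

  def initialize(status)
    @status = status
    super("Openbao responded with HTTP #{status}")
  end
end

class ClientModel                           # hypothetical; models SecretsManagerClient
  # transport: callable (method, path) -> FakeResponse, replacing the real HTTP layer
  def initialize(transport, raise_on_error:)
    @transport = transport
    @raise_on_error = raise_on_error
  end

  def make_request(method, path, allow_not_found_response: false)
    response = @transport.call(method, path)
    return response unless @raise_on_error  # "before": status code never inspected
    return response if response.status < 400
    return response if response.status == 404 && allow_not_found_response
    raise OpenbaoError.new(response.status) # "after": every other 4XX/5XX fails loudly
  end
end

# Caller that reports a provisioning result, as in the production incident.
def provision(client)
  client.make_request(:post, "sys/mounts/example") # constructed path
  :succeeded
rescue OpenbaoError => e
  [:failed, e.status]
end

# Constructed transports: a server that is down and one that returns 404.
SERVER_DOWN = ->(_method, _path) { FakeResponse.new(503, "") }
NOT_FOUND   = ->(_method, _path) { FakeResponse.new(404, "") }

if $PROGRAM_NAME == __FILE__
  p provision(ClientModel.new(SERVER_DOWN, raise_on_error: false))
  p provision(ClientModel.new(SERVER_DOWN, raise_on_error: true))
end
```

With the status check disabled, a 503 from a downed server is reported as a successful provisioning; with it enabled, the same response surfaces as a failure the caller must handle.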
