Skip to content

Commit dbfadf2

Browse files
sreyasreya
authored
fix: fix tailnet resume using incorrect DB reference (coder#15522) (coder#15574)
- We were instantiating a cryptokey cache with a vanilla reference to the database instead of one wrapped by dbcrypt. - Fixes an issue where failing to instantiate unrelated keycaches does not fatally error out.
1 parent 0598aec commit dbfadf2

File tree

2 files changed

+23
-23
lines changed

2 files changed

+23
-23
lines changed

cli/server.go

Lines changed: 0 additions & 20 deletions
Original file line numberDiff line numberDiff line change
@@ -61,7 +61,6 @@ import (
6161
"github.com/coder/serpent"
6262
"github.com/coder/wgtunnel/tunnelsdk"
6363

64-
"github.com/coder/coder/v2/coderd/cryptokeys"
6564
"github.com/coder/coder/v2/coderd/entitlements"
6665
"github.com/coder/coder/v2/coderd/notifications/reports"
6766
"github.com/coder/coder/v2/coderd/runtimeconfig"
@@ -754,25 +753,6 @@ func (r *RootCmd) Server(newAPI func(context.Context, *coderd.Options) (*coderd.
754753
return xerrors.Errorf("set deployment id: %w", err)
755754
}
756755

757-
fetcher := &cryptokeys.DBFetcher{
758-
DB: options.Database,
759-
}
760-
761-
resumeKeycache, err := cryptokeys.NewSigningCache(ctx,
762-
logger,
763-
fetcher,
764-
codersdk.CryptoKeyFeatureTailnetResume,
765-
)
766-
if err != nil {
767-
logger.Critical(ctx, "failed to properly instantiate tailnet resume signing cache", slog.Error(err))
768-
}
769-
770-
options.CoordinatorResumeTokenProvider = tailnet.NewResumeTokenKeyProvider(
771-
resumeKeycache,
772-
quartz.NewReal(),
773-
tailnet.DefaultResumeTokenExpiry,
774-
)
775-
776756
options.RuntimeConfig = runtimeconfig.NewManager()
777757

778758
// This should be output before the logs start streaming.

coderd/coderd.go

Lines changed: 23 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -467,7 +467,7 @@ func New(options *Options) *API {
467467
codersdk.CryptoKeyFeatureOIDCConvert,
468468
)
469469
if err != nil {
470-
options.Logger.Critical(ctx, "failed to properly instantiate oidc convert signing cache", slog.Error(err))
470+
options.Logger.Fatal(ctx, "failed to properly instantiate oidc convert signing cache", slog.Error(err))
471471
}
472472
}
473473

@@ -478,7 +478,7 @@ func New(options *Options) *API {
478478
codersdk.CryptoKeyFeatureWorkspaceAppsToken,
479479
)
480480
if err != nil {
481-
options.Logger.Critical(ctx, "failed to properly instantiate app signing key cache", slog.Error(err))
481+
options.Logger.Fatal(ctx, "failed to properly instantiate app signing key cache", slog.Error(err))
482482
}
483483
}
484484

@@ -489,10 +489,30 @@ func New(options *Options) *API {
489489
codersdk.CryptoKeyFeatureWorkspaceAppsAPIKey,
490490
)
491491
if err != nil {
492-
options.Logger.Critical(ctx, "failed to properly instantiate app encryption key cache", slog.Error(err))
492+
options.Logger.Fatal(ctx, "failed to properly instantiate app encryption key cache", slog.Error(err))
493493
}
494494
}
495495

496+
if options.CoordinatorResumeTokenProvider == nil {
497+
fetcher := &cryptokeys.DBFetcher{
498+
DB: options.Database,
499+
}
500+
501+
resumeKeycache, err := cryptokeys.NewSigningCache(ctx,
502+
options.Logger,
503+
fetcher,
504+
codersdk.CryptoKeyFeatureTailnetResume,
505+
)
506+
if err != nil {
507+
options.Logger.Fatal(ctx, "failed to properly instantiate tailnet resume signing cache", slog.Error(err))
508+
}
509+
options.CoordinatorResumeTokenProvider = tailnet.NewResumeTokenKeyProvider(
510+
resumeKeycache,
511+
options.Clock,
512+
tailnet.DefaultResumeTokenExpiry,
513+
)
514+
}
515+
496516
// Start a background process that rotates keys. We intentionally start this after the caches
497517
// are created to force initial requests for a key to populate the caches. This helps catch
498518
// bugs that may only occur when a key isn't precached in tests and the latency cost is minimal.

0 commit comments

Comments
 (0)