cmd/gitops-pusher: ignore previous etag if local acls match control (#13068)

In a situation when manual edits are made on the admin panel, around the
GitOps process, the pusher will be stuck if `--fail-on-manual-edits` is
set, as expected.

To recover from this, there are 2 options:
1. revert the admin panel changes to get back in sync with the code
2. check in the manual edits to code

The former will work well, since previous and local ETags will match
control ETag again. The latter will still fail, since local and control
ETags match, but previous does not.

For this situation, check the local ETag against control first and
ignore previous when things are already in sync.

Updates https://github.com/tailscale/corp/issues/22177

Signed-off-by: Andrew Lytvynov <awly@tailscale.com>
This commit is contained in:
Andrew Lytvynov 2024-08-08 15:23:06 -05:00 committed by GitHub
parent ad038f4046
commit c0c4791ce7
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194

View File

@ -66,6 +66,12 @@ func apply(cache *Cache, client *http.Client, tailnet, apiKey string) func(conte
log.Printf("local: %s", localEtag) log.Printf("local: %s", localEtag)
log.Printf("cache: %s", cache.PrevETag) log.Printf("cache: %s", cache.PrevETag)
if controlEtag == localEtag {
cache.PrevETag = localEtag
log.Println("no update needed, doing nothing")
return nil
}
if cache.PrevETag != controlEtag { if cache.PrevETag != controlEtag {
if err := modifiedExternallyError(); err != nil { if err := modifiedExternallyError(); err != nil {
if *failOnManualEdits { if *failOnManualEdits {
@ -76,12 +82,6 @@ func apply(cache *Cache, client *http.Client, tailnet, apiKey string) func(conte
} }
} }
if controlEtag == localEtag {
cache.PrevETag = localEtag
log.Println("no update needed, doing nothing")
return nil
}
if err := applyNewACL(ctx, client, tailnet, apiKey, *policyFname, controlEtag); err != nil { if err := applyNewACL(ctx, client, tailnet, apiKey, *policyFname, controlEtag); err != nil {
return err return err
} }
@ -113,6 +113,11 @@ func test(cache *Cache, client *http.Client, tailnet, apiKey string) func(contex
log.Printf("local: %s", localEtag) log.Printf("local: %s", localEtag)
log.Printf("cache: %s", cache.PrevETag) log.Printf("cache: %s", cache.PrevETag)
if controlEtag == localEtag {
log.Println("no updates found, doing nothing")
return nil
}
if cache.PrevETag != controlEtag { if cache.PrevETag != controlEtag {
if err := modifiedExternallyError(); err != nil { if err := modifiedExternallyError(); err != nil {
if *failOnManualEdits { if *failOnManualEdits {
@ -123,11 +128,6 @@ func test(cache *Cache, client *http.Client, tailnet, apiKey string) func(contex
} }
} }
if controlEtag == localEtag {
log.Println("no updates found, doing nothing")
return nil
}
if err := testNewACLs(ctx, client, tailnet, apiKey, *policyFname); err != nil { if err := testNewACLs(ctx, client, tailnet, apiKey, *policyFname); err != nil {
return err return err
} }