m/n/c/cluster: when registering, save node credentials before starting roleserver
This makes sure we don't start heartbeating (and generally running any
production roles) before we have our newly generated credentials
persisted into ESP.
In turn this should make our E2E tests less flaky.
Change-Id: I6440c53b346080015e082d97af06f795f7b8ed60
Reviewed-on: https://review.monogon.dev/c/monogon/+/1497
Tested-by: Jenkins CI
Reviewed-by: Leopold Schabel <leo@monogon.tech>
diff --git a/metropolis/node/core/cluster/cluster_register.go b/metropolis/node/core/cluster/cluster_register.go
index 9adc1e3..6ef9763 100644
--- a/metropolis/node/core/cluster/cluster_register.go
+++ b/metropolis/node/core/cluster/cluster_register.go
@@ -164,12 +164,11 @@
time.Sleep(time.Second)
}
- // Node is now UP, build client and report it to downstream code.
+ // Node is now UP, build client/credentials and save them to ESP.
creds, err := identity.NewNodeCredentials(priv, certBytes, caCertBytes)
if err != nil {
return fmt.Errorf("NewNodeCredentials failed after receiving certificate from cluster: %w", err)
}
- m.roleServer.ProvideRegisterData(*creds, register.ClusterDirectory)
// Save Node Credentials
if err = creds.Save(&m.storageRoot.Data.Node.Credentials); err != nil {
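Review bot: The reworded comment says the credentials are saved to ESP, but the only save visible in this hunk writes to `m.storageRoot.Data.Node.Credentials`, which reads as the data partition rather than the ESP. If the ESP write is a separate step in the lines between the two hunks, the comment should name both destinations, for example `// Node is now UP, build credentials and persist them (data partition, then ESP) before handing them to the roleserver.` This matters because the commit relies on that ordering, so a later reader needs to know which writes must complete first. The enclosing function starts before this hunk and the `if` on the last line continues past it.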
@@ -191,6 +190,10 @@
}
unix.Sync()
+ // All synced up, we can now let downstream know about the creds, which in turn
+ // will start heartbeating the cluster and running role-specific jobs.
+ m.roleServer.ProvideRegisterData(*creds, register.ClusterDirectory)
+
supervisor.Signal(ctx, supervisor.SignalHealthy)
supervisor.Signal(ctx, supervisor.SignalDone)
return nil
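Review bot: The "All synced up" comment above `m.roleServer.ProvideRegisterData(...)` states more than the code can verify, because `unix.Sync()` returns no error and a failed writeback of the freshly saved credentials would go unnoticed. In that case the node would still start heartbeating with key material that may not survive a reboot, which is the situation this commit sets out to prevent. Whether `creds.Save` or the ESP write already fsync the file and its parent directory is not visible here; if they do not, doing so there and returning the error would make the ordering guarantee real rather than best-effort. The comment could also state the invariant directly, for example `// Must stay after unix.Sync(): the roleserver starts heartbeating as soon as it receives creds.` The function body begins outside this hunk.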